diff --git a/WebScan/pocs/druid-monitor-unauth.yml b/WebScan/pocs/druid-monitor-unauth.yml index 15d2adb..c820311 100644 --- a/WebScan/pocs/druid-monitor-unauth.yml +++ b/WebScan/pocs/druid-monitor-unauth.yml @@ -1,10 +1,11 @@ name: poc-yaml-druid-monitor-unauth rules: - method: GET - path: /druid/index.html + path: /druid/index.html expression: | response.status == 200 && response.body.bcontains(b"Druid Stat Index") && response.body.bcontains(b"DruidVersion") && response.body.bcontains(b"DruidDrivers") detail: author: met7or links: - https://github.com/alibaba/druid + - http://43.130.61.224:8088/druid/index.html diff --git a/WebScan/pocs/druid-monitor-weakpass.yml b/WebScan/pocs/druid-monitor-weakpass.yml new file mode 100644 index 0000000..caa9d00 --- /dev/null +++ b/WebScan/pocs/druid-monitor-weakpass.yml @@ -0,0 +1,34 @@ +name: poc-yaml-druid-monitor-weakpass +sets: + weakpass: + - loginUsername=admin&loginPassword=admin + - loginUsername=ry&loginPassword=123456 + - loginUsername=admin&loginPassword=123456 + - loginUsername=ruoyi&loginPassword=admin123 + - loginUsername=dy&loginPassword=123456 + - loginUsername=ruoyi&loginPassword=123456 + - loginUsername=dy&loginPassword=admin123 + - loginUsername=druid&loginPassword=druid + - loginUsername=admin&loginPassword=admin123 + uri: + - / + - /api/ + - /admin/ + - /admin-api/ + - /prod-api/ + - /jeecg-boot/ + - /dev-api/ + - /system/ + - /webpage/system/ +rules: + - method: POST + # path: /druid/datasource.json + path: "{{uri}}druid/datasource.json" + body: "{{weakpass}}" + expression: | + response.status == 200 && response.body.bcontains(b"FilterClassNames") && response.body.bcontains(b"com.alibaba.druid") +detail: + author: rootmog + links: + - https://github.com/alibaba/druid + - http://39.108.94.156:8086/druid/index.html(admin/123456)\ \ No newline at end of file diff --git a/WebScan/pocs/inspur-cwbase.yml b/WebScan/pocs/inspur-cwbase.yml new file mode 100644 index 0000000..6c3479b --- /dev/null 
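Review bot: The new `links` entry is the URL of a live third-party host rather than a reference document, and the same pattern recurs in the druid-monitor-weakpass, swagger-ui-unauth and ueditor-cnvd-2017-20077-file-upload hunks (the weakpass one even appends a credential pair in parentheses). `links` is shown to whoever consumes a finding, so it should cite an advisory or vendor hardening guidance, not a system that happens to be exposed; keep `- https://github.com/alibaba/druid` and drop the host URL in each of those files. The only other change in this hunk is the trailing space removed from `path`, which is fine.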
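Review bot: The last `links` line ends in a stray backslash, which in a plain scalar becomes part of the stored value, and the file has no trailing newline (the `\ No newline at end of file` marker); drop the backslash and end the file with a newline. The commented-out `# path: /druid/datasource.json` above the templated path is dead configuration and should be removed. The `expression` only confirms that `druid/datasource.json` returned its JSON; nothing in it distinguishes a monitor that requires no login from one that accepted a credential pair, so a match here can be mislabelled as weak-password when it is really the case already covered by druid-monitor-unauth — a comment above `rules:` such as `# a 200 here does not prove the credentials were checked; triage against druid-monitor-unauth first` would help whoever reads the results.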
+++ b/WebScan/pocs/inspur-cwbase.yml @@ -0,0 +1,12 @@ +name: poc-yaml-inspur-cwbase +rules: + - method: GET + path: /cwbase/ + follow_redirects: true + expression: | + response.body.bcontains(bytes("weblogin/index.aspx")) +detail: + author: liuy + info: inspur-cwbase + links: + - https://blog.csdn.net/zzxx191z/article/details/140689290 diff --git a/WebScan/pocs/swagger-ui-unauth.yml b/WebScan/pocs/swagger-ui-unauth.yml index 42826ae..1034e6f 100644 --- a/WebScan/pocs/swagger-ui-unauth.yml +++ b/WebScan/pocs/swagger-ui-unauth.yml @@ -10,6 +10,13 @@ sets: - actuator/swagger-ui.html - libs/swagger-ui.html - template/swagger-ui.html + - v2/api-docs + - v3/api-docs + - prod-api/v2/api-docs + - prod-api/v3/api-docs + - swagger/docs/v1 + - swagger-resources + - prod-api/swagger-resources - api_docs - api/docs/ - api/index.html @@ -23,8 +30,10 @@ rules: - method: GET path: /{{path}} expression: | - response.status == 200 && (response.body.bcontains(b"Swagger UI") || response.body.bcontains(b"swagger-ui.min.js")|| response.body.bcontains(b'swagger:') || response.body.bcontains(b'swagger:') || response.body.bcontains(b'Swagger 2.0') || response.body.bcontains(b"\"swagger\":") ) + response.status == 200 && (response.body.bcontains(b"Swagger UI") || response.body.bcontains(b"swagger-ui.min.js")|| response.body.bcontains(b'swagger:') || response.body.bcontains(b'swagger:') || response.body.bcontains(b'Swagger 2.0') || response.body.bcontains(b"\"openapi\":") || response.body.bcontains(b"\"swagger\":") || response.body.bcontains(b"\"swaggerVersion\":")) detail: author: AgeloVito links: - https://blog.csdn.net/u012206617/article/details/109107210 + - https://aqsys.tapig.com/stage-api/swagger-resources + - http://39.98.195.144:8043/swagger/ui/index(http://39.98.195.144:8043/swagger/docs/v1) diff --git a/WebScan/pocs/ueditor-cnvd-2017-20077-file-upload.yml b/WebScan/pocs/ueditor-cnvd-2017-20077-file-upload.yml index 19b9ba6..1299eb7 100644 
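Review bot: The `expression` has no status check, so with `follow_redirects: true` any reachable page whose body happens to mention `weblogin/index.aspx` (an error page, a redirect landing page) will be reported; prefix the condition with `response.status == 200 && `. The byte-literal form `bytes("weblogin/index.aspx")` differs from the `b"..."` style used by every other PoC in this diff; `response.body.bcontains(b"weblogin/index.aspx")` keeps the files consistent. `info: inspur-cwbase` only repeats the name; as far as the rule shows, a match means the CWBase login page is reachable, so something like `info: Inspur CWBase login page reachable (fingerprint)` tells the reader what was actually observed.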
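Review bot: The rewritten `expression` line still contains `response.body.bcontains(b'swagger:')` twice; since the line was rewritten anyway to add the `"openapi":` and `"swaggerVersion":` clauses, drop the duplicate and add the missing space in `swagger-ui.min.js")||`. The clause list is now long enough that one alternative per line inside the `|` block scalar would read better, provided the scanner's expression parser accepts newlines, which is not visible here. The two `links` entries added at the end are live hosts, already noted on the druid-monitor-unauth hunk.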
--- a/WebScan/pocs/ueditor-cnvd-2017-20077-file-upload.yml +++ b/WebScan/pocs/ueditor-cnvd-2017-20077-file-upload.yml @@ -1,7 +1,32 @@ name: poc-yaml-ueditor-cnvd-2017-20077-file-upload +sets: + uri: + - / + - /content/ + - /Content/plugins/ + - /Content/js/ + - /Utility/ + - /js/ + - /plugins/ + - /scripts/ + - /Scripts/ + - /WebComm/CommScripts/ + - /static/ + edit: + - ueditor + - Ueditor + - editor + - ueditor1_4_3_3 + - ueditor1_4_3_3-utf8-net/utf8-net + net: + - /net/ + - / + controller: + - controller.ashx? + - "?" rules: - method: GET - path: /ueditor/net/controller.ashx?action=catchimage&encode=utf-8 + path: "{{uri}}{{edit}}{{net}}{{controller}}ccc=test&action=catchimage&encode=utf-8" headers: Accept-Encoding: 'deflate' follow_redirects: false @@ -13,5 +38,6 @@ detail: links: - https://zhuanlan.zhihu.com/p/85265552 - https://www.freebuf.com/vuls/181814.html + - http://123.57.69.82:20000/Utility/UEditor/net?action=catchimage exploit: >- http://localhost/ueditor/net/controller.ashx?action=catchimage&encode=utf-8
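Review bot: The new `sets` block expands to a four-way product — 11 `uri` × 5 `edit` × 2 `net` × 2 `controller`, 220 GET requests per target — with nothing in the file saying so, and several entries are case variants of each other (`ueditor`/`Ueditor`, `/content/` and `/Content/...`, `/scripts/`/`/Scripts/`) that resolve to the same resource on a case-insensitive server such as IIS, the usual host for an `.ashx` handler. A comment above `sets:` such as `# path variants; the four lists are combined, 220 requests per host` lets a reader judge the request volume, and the case duplicates deserve a second look. The rule continues past the hunk (`headers`, `follow_redirects` and the rest of the rule are outside it).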