Merge branch 'master' of https://github.com/LubyRuffy/GobyVuls

ActiveMQ/CVE-2016-3088/README.md

@@ -0,0 +1,11 @@
+# CVE-2016-3088 ActiveMQ Arbitrary File Write Vulnerability
+
+The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request. Therefore, we can write a file and then move it to any directory, thereby causing arbitrary file writing vulnerability.
+
+**Affected version**: Apache ActiveMQ 5.x - 5.13.x
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJBcGFjaGUtQWN0aXZlTVEi) query rule**: app="Apache-ActiveMQ"
+
+# Demo
+
+![](CVE-2016-3088.gif)

Citrix/CVE-2019-19781/README.md

@@ -0,0 +1,17 @@
+# CVE-2019-19781 Citrix ADC Remote Code Execution Vulnerability
+
+An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
+
+**Affected version**: 10.5, 11.1, 12.0, 12.1, 13.0
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJDaXRyaXgtQURDIg%3D%3D) query rule**: app="Citrix-ADC"
+
+# Demo
+
+![](CVE-2019-19781_start.jpg)
+
+![](CVE-2019-19781_scan.jpg)
+
+![](CVE-2019-19781_verify.jpg)
+
+![](CVE-2019-19781_cmd.jpg)

Drupal/CVE-2018-7600/README.md

@@ -0,0 +1,13 @@
+# CVE-2018-7600 Drupal Remote Code Execution Vulnerability
+
+Drupal is an open source content management framework (CMF) written in PHP. It consists of a content management system (CMS) and a PHP development framework.
+
+Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication. By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.
+
+**Affected version**: Drupal 6 - 8
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJEcnVwYWwi) query rule**: app="Drupal"
+
+# Demo
+
+![](CVE-2018-7600.gif)

Jenkins/CVE-2017-1000353/README.md

@@ -0,0 +1,10 @@
+# CVE-2018-1000353 Jenkins Remote Code Execution Vulnerability
+
+An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism.
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJKZW5raW5zIg%3D%3D) query rule**: app="Jenkins"
+
+# Demo
+
+![](jenkins_CVE-2018-1000353.gif)
+

Jenkins/CVE-2018-1000861/README.md

@@ -0,0 +1,11 @@
+# CVE-2018-1000861 Jenkins Remote Code Execution Vulnerability
+
+A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
+
+**Affected version**: 2.153 and earlier, LTS 2.138.3 and earlier
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJKZW5raW5zIg%3D%3D) query rule**: app="Jenkins"
+
+# Demo
+
+![](jenkins_CVE-2018-1000861.gif)

Mobotix/Mobotix_default_account/README.md

@@ -0,0 +1,15 @@
+# Mobotix default account
+
+Attackers can easily obtain default passwords and identify internet-connected target systems. Passwords can be found in product documentation and compiled lists available on the internet. An attacker with knowledge of the password and network access to a system can log in, usually with root or administrative privileges. Further consequences depend on the type and use of the compromised system.
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJNb2JvdGl4LUNhbWVyYSI%3D) query rule**: app="Mobotix-Camera"
+
+# Demo
+
+![](mobotix_default_account_start.jpg)
+
+![](mobotix_default_account_scan.jpg)
+
+![](mobotix_default_account_verify.jpg)
+
+![](mobotix_default_account_cmd.jpg)

README.md

@@ -13,4 +13,8 @@ Download goby from [release page](https://github.com/gobysec/Goby/releases), and
 ![goby explotation](./imgs/opensmtpd_rce_CVE-2020-7247.png "goby explotation")
 
 ## Contributing
-Pull Requests and contributions to this project are encouraged and greatly welcomed! The goby project always needs new vulnerabilities, and needs talented developers (such as yourself!) to submit fixes for the existing demos when they break.
+Pull Requests and contributions to this project are encouraged and greatly welcomed! The goby project always needs new vulnerabilities, and needs talented developers (such as yourself!) to submit fixes for the existing demos when they break.
+
+## Download
+
+You can go to the official website to download [Goby](https://gobies.org/ "Goby").

Struts2/S2-016(CVE-2013-2251)/README.md

@@ -0,0 +1,11 @@
+# S2-016 (CVE-2013-2251) Remote Code Execution Vulnerability
+
+Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
+
+**Affected Version**: Apache Struts2 2.0.0 - 2.3.15
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJTdHJ1dHMyIg%3D%3D) query rule**: app="Struts2"
+
+# Demo
+
+![](S2-016.gif)

Struts2/S2-046(CVE-2017-5638)/README.md

@@ -0,0 +1,12 @@
+# S2-046 (CVE-2017-5638) Remote Code Execution Vulnerability
+
+The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
+
+**Affected version**: Apache Struts2 2.3.5 - 2.3.31 and 2.5.x - 2.5.10
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJTdHJ1dHMyIg%3D%3D) query rule**: app="Struts2"
+
+# Demo
+
+![](S2-046.gif)
+

ThinkPHP/ThinkPHP2.1_RCE/README.md

@@ -0,0 +1,19 @@
+# ThinkPHP 2.1 Remote Code Execution Vulnerability
+
+ThinkPHP was born in 2006, is a open source PHP development framework, which draws on the Action object of the Struts framework, and also uses the object-oriented development structure and MVC model. ThinkPHP can run on operating systems such as Windows and Linux. It supports multiple databases such as MySql, Sqlite, and PostgreSQL, and PDO extensions. It is a cross-platform, cross-version, and easy-to-use PHP framework.
+
+In ThinkPHP version 2.1, `/e` pattern of `preg_replace` is used to match routes:
+
+```php
+$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));
+```
+
+This is a very dangerous parameter. If this parameter is used, the second parameter of `preg_replace` will be executed as PHP code.
+
+**Affected version**: ThinkPHP 2.1
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJUaGlua1BIUCI%3D) query rule**: app="ThinkPHP"
+
+# Demo
+
+![](thinkphp_2.1.gif)

ThinkPHP/ThinkPHP2.1_RCE/README.zh_CN.md

@@ -0,0 +1,19 @@
+# ThinkPHP 2.1 远程代码执行
+
+ThinkPHP 诞生于 2006 年，是一个国产开源的 PHP 开发框架，其借鉴了 Struts 框架的 Action 对象，同时也使用面向对象的开发结构和 MVC 模式。ThinkPHP 可在 Windows 和 Linux 等操作系统运行，支持 MySql、Sqlite 和 PostgreSQL 等多种数据库以及 PDO 扩展，是一款跨平台，跨版本以及简单易用的 PHP 框架。
+
+ThinkPHP 2.1 版本中，使用 `preg_replace` 的 `/e` 模式匹配路由：
+
+```php
+$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));
+```
+
+这是个非常危险的参数，如果用了这个参数，`preg_replace` 的第二个参数就会被当做 PHP 代码执行。
+
+**影响版本**：ThinkPHP 2.1
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJUaGlua1BIUCI%3D) 查询规则**：app="ThinkPHP"
+
+# Demo
+
+![](thinkphp_2.1.gif)

ThinkPHP/ThinkPHP5_RCE/README.md

@@ -0,0 +1,13 @@
+# ThinkPHP 5.x Remote Code Execution Vulnerability
+
+ThinkPHP was born in 2006, is a open source PHP development framework, which draws on the Action object of the Struts framework, and also uses the object-oriented development structure and MVC model. ThinkPHP can run on operating systems such as Windows and Linux. It supports multiple databases such as MySql, Sqlite, and PostgreSQL, and PDO extensions. It is a cross-platform, cross-version, and easy-to-use PHP framework.
+
+In ThinkPHP 5, because the framework does not perform sufficient detection on the controller name, it will lead to remote code execution without enabling mandatory routing.
+
+**Affected version**: ThinkPHP 5.x
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJUaGlua1BIUCI%3D) query rule**: app="ThinkPHP"
+
+# Demo
+
+![](thinkphp_5.gif)

ThinkPHP/ThinkPHP5_RCE/README.zh_CN.md

@@ -0,0 +1,13 @@
+# ThinkPHP 5.x 远程代码执行漏洞
+
+ThinkPHP 诞生于 2006 年，是一个国产开源的 PHP 开发框架，其借鉴了 Struts 框架的 Action 对象，同时也使用面向对象的开发结构和 MVC 模式。ThinkPHP 可在 Windows 和 Linux 等操作系统运行，支持 MySQL、Sqlite 和 PostgreSQL 等多种数据库以及 PDO 扩展，是一款跨平台、跨版本以及简单易用的 PHP 框架。
+
+在 ThinkPHP 5 中，由于框架对控制器名没有进行足够的检测，会导致在没有开启强制路由的情况下的远程代码执行漏洞。
+
+**影响版本**：ThinkPHP 5.x
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJUaGlua1BIUCI%3D) 查询规则**：app="ThinkPHP"
+
+# Demo
+
+![](thinkphp_5.gif)

WebLogic/CVE-2020-2551/README.md

@@ -0,0 +1,11 @@
+# CVE-2020-2551 WebLogic IIOP Remote Code Execution Vulnerability
+
+Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. 
+
+**Affected version**: weblogic_server:10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJCRUEtV2ViTG9naWMtU2VydmVyIg%3D%3D) query rule**: app="BEA-WebLogic-Server"
+
+# Demo
+
+![](CVE-2020-2551.gif)

WebLogic/CVE-2020-2555/README.md

@@ -0,0 +1,11 @@
+# CVE-2020-2555 WebLogic ReflectionExtractor Remote Code Execution Vulnerability
+
+Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence.
+
+**Affected version**: Oracle Coherence 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
+
+**[FOFA](https://fofa.so/result?qbase64=YXBwPSJCRUEtV2ViTG9naWMtU2VydmVyIg%3D%3D) query rule**: app="BEA-WebLogic-Server"
+
+# Demo
+
+![](CVE-2020-2555.gif)