An EZ PoC YAML model fine-tuned from shenzhi-wang/Llama3.1-8B-Chinese-Chat.
Example:
Just Prompt
Below is an instruction that describes a task, paired with an input that provides further context. Write a response that appropriately completes the request.
### Instruction:
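Translate the following natural-language description accurately into a valid YAML document. Make sure the structure, key-value pairs, lists and indentation are represented correctly. The output should be clear and well organized, and preserve the completeness of the original description. Pay attention to representing data types and hierarchy accurately. level defaults to 0, finger defaults to `EZEZ`, and note that variables are defined with the `set` keyword. Output only the YAML document: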
### Input:
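The vulnerability is named test. Define a variable `r1` whose value is 32 random lowercase letters. The first step requests the path /path.txt and checks that the status code is 200 and that the response body contains "banana". The second step requests the path /wordpress/login.php, sets the request header `Content-Type` to application/json, with the request body `{"type":"user","name":"{{r1}}","roles":["_admin"],"roles":[],"password":"fVyuyAECgYEAhgJzkPO1sTV1Dvs5bvls4tyVAsLy2I7wHKWJvJdDUpox2TnCMFT9"}`, and checks that the response status code is 201 and that the response body contains r1.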
### Response:
```yaml
name: poc-yaml-test
level: 0
finger: |
  finger.name.lcontains("EZEZ")
set:
  r1: randomLowercase(32)
rules:
  - method: GET
    path: /path.txt
    expression: |
      response.status == 200 && response.body.bcontains(b"banana")
  - method: POST
    path: /wordpress/login.php
    headers:
      Content-Type: application/json
    body: '{"type":"user","name":"{{r1}}","roles":["_admin"],"roles":[],"password":"fVyuyAECgYEAhgJzkPO1sTV1Dvs5bvls4tyVAsLy2I7wHKWJvJdDUpox2TnCMFT9"}}'
    expression: |
      response.status == 201 && response.body.bcontains(bytes(r1))
detail:
  author: ezez
```
<|eot_id|>
Prompt & RAG
Below is an instruction that describes a task, paired with an input that provides further context. Write a response that appropriately completes the request.
### Instruction:
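Following the EZ-Yaml guide, translate the natural-language description <$input> accurately into a valid YAML document. level defaults to 0, finger defaults to `EZEZ`, and the `set` field may be used to define variables only **when needed**. Output only the YAML document: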
---
EZ-Yaml guide:
```
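**set** field: when needed, variables preset before the request is sent, typically used to generate several random-value variables.
A PoC can be written with the help of the reverse-connection platform (dnslog). For example, reverse.wait(5) checks whether the reverse-connection platform receives data within 5 seconds. If the platform receives a matching request within 5 seconds, reverse.wait(5) returns true and the vulnerability exists; if the platform receives no request within 5 seconds, reverse.wait(5) returns false and the vulnerability does not exist.
Rules can be written following this reference:
set:
  reverse: newReverse()
  reverseURL: reverse.url
  reverseDNS: reverse.dns
body: |
  exec=curl%20{{reverseURL}};
expression: reverse.wait(5)
search: <input\stype="hidden"\sname="(?P<token>\S{32})"
**search**: uses a regular expression to extract content from the response and assign it to a variable. **What is special about this PoC is that the second request depends on the token in the first request's response. The search field in the first request can match that token; ?P<token> assigns the match to the token variable. The second request can then use {{{{token}}}} directly to reference the token matched by the first request.**
**detail**: this field is similar to a comment; the default author is ez.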
```
---
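Translate the natural-language description <$input> accurately into a valid YAML document. level defaults to 0, finger defaults to `EZEZ`, and note that the `set` field defines variables. Output only the YAML document: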
### Input:
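The vulnerability is named test. The first step is a POST request to the path /ping.php with the request body `username=123`; use the regular expression `"data":"(?P<data>.+?)"` to extract `data` from the content, and check that the status code is 200 and that the reverse-connection platform receives a request within 5 seconds. The second step requests the path /wordpress/login.php, sets the request header `Content-Type` to application/json, with the request body `{"type":"user","name":"admin","roles":["_admin"],"roles":[],"password":"123"}`, and checks that the response status code is 201 and that the response body contains r1 and data.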
### Response:
```yaml
name: poc-yaml-test
level: 0
finger: |
  finger.name.lcontains("EZEZ")
set:
  reverse: newReverse()
  reverseURL: reverse.url
  reverseDNS: reverse.dns
rules:
  - method: POST
    path: /ping.php
    body: username=123
    search: '"data":"(?P<data>.+?)"'
    expression: |
      response.status == 200 && reverse.wait(5)
  - method: POST
    path: /wordpress/login.php
    headers:
      Content-Type: application/json
    body: '{"type":"user","name":"admin","roles":["_admin"],"roles":[],"password":"123"}'
    expression: |
      response.status == 201 && response.body.bcontains(bytes(r1)) && response.body.bcontains(bytes(data))
detail:
  author: ezez
```
<|eot_id|>
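A pre-use check for generated rule files, as an added example that is not part of the model card or the EZ project: it flags any `{{name}}`, `bytes(name)` or `name.wait(` reference that has no earlier `set` key or `search` named group, which is the case for `r1` in the second response above. The function name `undefined_refs`, the line-order treatment of definitions and the constructed sample are assumptions of this example.

```python
import re

# Constructed sample, shaped like the second response above (trimmed).
SAMPLE = '''\
name: poc-yaml-test
set:
  reverse: newReverse()
  reverseURL: reverse.url
rules:
  - method: POST
    path: /ping.php
    search: '"data":"(?P<data>.+?)"'
    expression: |
      response.status == 200 && reverse.wait(5)
  - method: POST
    path: /wordpress/login.php
    expression: |
      response.status == 201 && response.body.bcontains(bytes(r1)) && response.body.bcontains(bytes(data))
'''

# Reference forms seen on this page: {{name}}, bytes(name), name.wait(
REF = re.compile(r"\{\{\s*(\w+)\s*\}\}|bytes\((\w+)\)|\b(\w+)\.wait\(")


def undefined_refs(text):
    """Return (line_no, name) for each reference with no earlier definition.

    Definitions are keys under `set:` and named groups in `search` regexes.
    Assumption: a variable is usable only on lines after the one defining it.
    """
    defined, problems, in_set = set(), [], False
    for no, line in enumerate(text.splitlines(), 1):
        if re.match(r"set:\s*$", line):
            in_set = True
            continue
        key = re.match(r"\s+([A-Za-z_]\w*):", line)
        if in_set and key:
            defined.add(key.group(1))      # variable declared in the set block
        elif line.strip():
            in_set = False                 # any other content ends the set block
        for groups in REF.findall(line):
            name = next(g for g in groups if g)
            if name not in defined:
                problems.append((no, name))
        # Named groups become variables for the lines that follow.
        defined.update(re.findall(r"\(\?P<(\w+)>", line))
    return problems


if __name__ == "__main__":
    for line_no, name in undefined_refs(SAMPLE):
        print(f"line {line_no}: '{name}' is referenced but never defined")
```
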
ollama Modelfile
```
FROM unsloth_Q4_K_M.gguf
TEMPLATE """Below are some instructions that describe some tasks. Write responses that appropriately complete each request.{{ if .Prompt }}
### Instruction:
{{ .Prompt }}
{{ end }}### Response:
{{ .Response }}<|end_of_text|>"""
PARAMETER stop "<|start_header_id|>"
PARAMETER stop "<|eot_id|>"
PARAMETER stop "<|end_header_id|>"
PARAMETER stop "<|end_of_text|>"
PARAMETER stop "<|reserved_special_token_"
```